Hello there,

Submit Feedback feature doesn’t filter submitted Text. So, Attacker can submit malicious script.

Attached is the PDF of how I managed to escalate privileges to staff/superuser privileges via a misconfiguration. Django Privilege Escalation – Zero To Superuser

This is from a private bounty. The internal —-private.com domain was out of scope so I was asked to stop testing once I found the bug. SSRF To Pivot Internal Networks

Background First off, I would just like to reference the following sites/authors/tools for helping guide me along this route and providing a sweet tool to make this easy: I ran into a JMXInvokerSer…

Note: I was at one point the top bug reporter for Yahoo! If they do this to me. They are very likely to do this to you. Yahoo Remote Code Execution CMS Yahoo Response: Hey Sean, Our committee finis…

This was on a private bounty program. I have redacted all the info related to the program. Enjoy! Out of Band XML External Entity Injection via SAML – redacted

Originally I just had default administrator credentials then I poked around for less than 10 minutes and found a configuration export which allowed me to export files with root privileges. Attached…

I initially found this issue on a bounty, however it was marked out of scope on a third party provider. It may be possible to turn this into a RCE. Since I had no reason to escalate since no paymen…

SSRF 1 This SSRF allowed me to view local files on the host as well as port scan internal hosts. Reading /etc/passwd using the file protocol. Brute-forcing for log files using BurpSuite Intruder: S…

This XSS was via embedly which controls the content-type response to image types. Luckily .svg was allowed. I used this blog to help create a .svg that contained XSS.   PoC: <?xml version=&…

JFrog Artifactory XXE

In Facebook Graph API as defined by the developer documentation, there are several access tokens, to authenticate against various API endpoints. User Access Tokenmake requests on behalf of the user, normally obtained via OAuth facebook.com/dialog/oauth Page…

Meta Rayban Stories has lower-level settings to change via the View (Assistant app) for example enable Assistant change inner LED notification level change volume Since the method for these settings are shared for other options defined in the firmware, it…

There is a XController that allows information to be returned about an Instagram user. This feature discloses the country of a private account. Even if this feature is an ad tool, this does not support the privacy of a private account. Additionally the owner…

There is a root GraphQL query that gives one access to numerous CrowdTangle API calls including one that lists the deleted objects for popular Facebook entities by date. Regular users shouldn’t have access to CrowdTangle this way. The data was of the form…