HackerOne Reports
## Summary: There's no CSRF protection in the confirmation email resending feature, as a result of which an attacker can trick the victim into receiving a confirmation email unknowingly. In other features of the website, the content-type must be "application/json", and there is a same-origin policy, which prevents CSRF, but in this …
Hello, I found a Cross-Site Request Forgery (CSRF) while adding a new movie or series. Reproduction: - Log in as any user. - Add [Name], [YEAR] and [STRING] for the movie in the PoC.
CodeQL query to detect open Spring Boot actuator endpoints
Medium
$1,800
Closed
This bug was reported directly to GitHub Security Lab.
Description: There is a possibility in the /wp-admin/load-scripts.php script to generate a large (~3Mb) amount of data via a simple non-authenticated request to the server. The vulnerability is registered as https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389 Details: A detailed attack scenario is described, for example, here: https://baraktawily.blogspot.ru/2018/02/how-to-dos-29-of-world-wide-websites.html Affected URL: https://www.yelpreservations.com/blog/wp-admin/load-scripts.php?load=common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer How to fix: RewriteCond %{QUERY_STRING} ^.{1000,}$ RewriteRule ^WP-ADMIN/LOAD-SCRIPTS\.PHP$ - f add …
Hi, I would like to report a DOM-based XSS in htmr. It allows attackers to insert a malicious JavaScript payload into the page. # Module **module name:** htmr **version:** 0.8.6 **npm page:** `https://www.npmjs.com/package/htmr` ## Module Description Simple and lightweight (< 2kB) HTML string to React element conversion library ## Module Stats [6,877] …
The following URL is vulnerable to an open redirect (it will redirect to google.com): https://support.nordvpn.com/#/path///google.com Vulnerable code:

```html
<script>
if (window.location.href.indexOf('#/path') !== -1) {
  console.log("document.URL", document.URL)
  window.location.href = document.URL.slice(window.location.href.indexOf('#/path') + 6);
}
</script>
```

## Impact
Users could get redirected to a malicious domain.
Hi Team, We can get information about the registered users (such as id, name, login name, etc.) and employees of NordVPN without authentication on https://www.nordvpn.com Vulnerable URL: https://nordvpn.com/wp-json/wp/v2/users/ Vulnerable URL: https://nordvpn.com/?rest_route=/wp/v2/users/ POC: Screenshots are attached Response 1: { "id": 1, "name": "21232f297a57a5a743894a0e4a801fc3", "url": "", "description": "", "link": "", "slug": …
## To reproduce 1. Create a new select attribute. 2. Add a select attribute option with value `<script>alert('XSS')</script>` and hit Save. 3. Edit the newly created attribute again and see the XSS dialog. The vulnerability lies in the type_form.php file, see https://github.com/concrete5/concrete5/blob/develop/concrete/attributes/select/type_form.php#L40 ## Unauthenticated use The vuln can be pretty bad …
# Description: Most often, developers, for their ease of use, leave API keys and other sensitive keys and tokens as hardcoded strings, which isn't really a good idea, as it can result in leaks of sensitive information getting into the wrong hands, which can in turn result in data theft and tampering with how the application …
## Summary: I found an SSRF vulnerability in the export template to email marketing platform (ActiveCampaign) feature. ## Steps To Reproduce: [add details for how we can reproduce the issue] 1. Log in to your account in 1. Go to `https://my.stripo.email/cabinet/#/templates/` 1. Click on `Create your first mail` & select one template 1. …
**Summary:** I discovered a PDF file on ████████ that outlines various information corresponding to military members. It reveals information on date of birth, where they were born, marriage status, race, children/dependents, etc. **Description:** I discovered what looks to be an internal file that outlines sensitive information on various service member …
It seems like the https://gratipay.com/~USER/emails/modify.json endpoint has some protection to prevent email flooding as seen here https://github.com/gratipay/gratipay.com/blob/master/gratipay/models/participant.py#L407 plus CSRF validation. However, it is possible to flood the server with multiple email requests as long as you send different email addresses. This might be a door to a DoS attack considering …
https://gratipay.com%[email protected] On clicking this URL, the link will take you to google.com or any other malicious URL. On seeing it, it will look like the link goes to Gratipay, but on clicking the URL it will redirect to the malicious site. An attacker, with the help of social engineering techniques, will be able …
**Description:** Username `1.0-payout` is not restricted. **POC URL:** Visit https://gratipay.com/1.0-payout/ and you will end up at my profile page. Regards Uttam
# Synopsis The form at https://www.apitest.io/request accepts (among others) the "url" parameter. This feature allows reaching internal services (like the OpenStack metadata server) or services running on loopback. # Identified services http://0x7f.1/ (nginx) => "If you see this page, the nginx web server is successfully installed and working. Further …
The `antispambot` function escapes some randomly selected characters from its first argument, for example:

```php
<?php echo antispambot( '[email protected]' );
```

This would print out:

```
example@example.com
```

Since this returns HTML, developers are not going to use `esc_html` with the return value of `antispambot`, since that would double-escape the …
**Summary:** I noticed that the HackerOne career page loads its application forms from Greenhouse.io via an iframe. The **gh_jid** parameter value is taken into the iframe element for the token parameter in the iframe URL (boards.greenhouse.io). Any HTML characters are escaped in order to avoid XSS (and possibly also to avoid …
# Vulnerability Description
libcurl version 7.77.0 has a [Use-After-Free](https://github.com/curl/curl/blob/curl-7_77_0/lib/mqtt.c#L559) and a [Double-Free](https://github.com/curl/curl/blob/curl-7_77_0/lib/mqtt.c#L560) in `lib/mqtt.c` in the function `mqtt_doing` on [lines 556 - 563](https://github.com/curl/curl/blob/curl-7_77_0/lib/mqtt.c#L556):

```c
if(mq->nsend) {
  /* send the remainder of an outgoing packet */
  char *ptr = mq->sendleftovers;
  result = mqtt_send(data, mq->sendleftovers, mq->nsend);
  free(ptr);
  if(result)
    return result;
}
```

…
Hi all, I had run lots of tests for the bug bounty in my test store "trstore-3.myshopify.com" (created about 4 years ago), and then one of your developers noticed that a stored cross-site scripting payload in my staff name fired in another of your internal panels. I have attached the email sent to …