HackerOne Reports
Search through disclosed security reports
When `curl_easy_duphandle()` is used to duplicate an easy handle it is possible to inject cookies into that duplicated handle if a file `none` exists in the current working directory. ## PoC / Steps to reproduce: 1. Open 2 terminals 1. compile F2699218 1. in terminal 1: `nc -l -p 8888 …
**Summary:** Hello HackerOne security team :-) For a while now I have been monitoring H1 js files. I've just noticed some new GraphQL queries about `HackerOne Copilot`. While this feature has not yet been released, the vulnerability must be fixed. `DestroyLlmConversation` GraphQL mutation is vulnerable to IDOR. ### Steps To …
**Dear Nextcloud Team –** I have identified a formula injection vulnerability [1][2] in the CSV export feature of the *Forms* App. I am aware that the Forms app is not part of this bug bounty program but was advised to disclose it via HackerOne anyway. **Description.** When a (n Excel-/Calc-) …
### Summary: GitLab allows its users to exercise their GDPR rights (Right to Access/Delete user data) by sending an email to [email protected]; however, the GitLab team doesn't ask for a security question (i.e. Date of Birth) before deleting the user account and, moreover, doesn't authenticate the incoming emails from their instance, which allows an …
## Summary: [add summary of the vulnerability] ## Steps To Reproduce: - Go to Company > Buddies-to-Be > Custom variables - Add malicious code: `" onmouseover="confirm(document.domain)" a="` {F915718} - Go to Company > Messages > Blank email - In the WYSIWYG editor select `Custom variables` - Malicious code executed {F915719} …
Rust's regex crate guarantees a linear time complexity with regex length for compilation of untrusted regexes. However, existing mitigations for known malicious regexes are based on memory usage and, as such, do not mitigate repetitions of empty sub-expressions. For example, the following payload triggers such an issue:
```re
(?:){4294967295}
```
…
The following URL is vulnerable to an open redirect (it will redirect to example.com): https://█████?redirecturl=https://example.com I hope you know the impact of open redirect and more info refer ## Impact User can be redirected to a malicious site.
There is a reflected cross-site scripting issue at the following URL: https://█████ Proof Of Concept https://████████?█████=%22onfocus%3d%22alert(document.domain)%22autofocus%3d%22&█████████████████████=Search ████ Best Regards @pelegn ## Impact Cookies Exfiltration SOAP Bypass CORS Bypass Executing JavaScript on the victim's behalf ## System Host(s) ████████ ## Affected Product(s) and Version(s) ## CVE Numbers ## Steps to Reproduce …
There is a reflected cross-site scripting issue at the following URL: [https://█████/████](https://██████████/██████████) Proof Of Concept https://████████/███████?text=&███=%22%3E%3Csvg/onload=alert(1)%3E████ ███████ Best Regards @pelegn ## Impact Cookies Exfiltration SOAP Bypass CORS Bypass Executing JavaScript on the victim's behalf ## System Host(s) ██████ ## Affected Product(s) and Version(s) ## CVE Numbers ## Steps to Reproduce …
There is a reflected cross-site scripting issue at the following URL: https://██████████/██████ Proof Of Concept https://████████/█████████████████=%22%3E%3Csvg/onload=alert(1)%3E█████████ █████ Best Regards @pelegn ## Impact Cookies Exfiltration SOAP Bypass CORS Bypass Executing JavaScript on the victim's behalf ## System Host(s) ██████ ## Affected Product(s) and Version(s) ## CVE Numbers ## Steps to Reproduce …
I have found a subdomain of `███████` to be vulnerable to takeovers via a CNAME to an unclaimed domain. I have claimed this domain and redirected them to a blank page to prevent a bad actor from doing so in the meantime, and hosted a POC file at obscure URLs. These …
This bug was reported directly to GitHub Security Lab.
This bug was reported directly to GitHub Security Lab.
**Summary:** There is a critical information disclosure at https://████████/rserver/rdPage.aspx?rdReport=db_Dashboard&rdShowModes= **Description:** As you can see in the video, https://████████/rserver/rdPage.aspx?rdReport=db_Dashboard&rdShowModes= loads a page with the "debug this page" functions enabled, which gives the user access to server-side information such as some SQL structure, the path to the webroot, plus some other …
Hi there, Similar to this report submitted to Hackerone itself: https://hackerone.com/reports/575 You also are vulnerable to email spoofing. Steps to reproduce: 1- Go to https://emkei.cz ( A Fake Mailer ) 2- Set the from to parameter as [email protected] or any other name, and send it. 3- The email is sent …
I have found and reported an out of bounds memory read in PHP: https://bugs.php.net/bug.php?id=73825 It affected all three supported versions and has been fixed with the latest updates: https://secure.php.net/ChangeLog-5.php#5.6.30 https://secure.php.net/ChangeLog-7.php#7.0.15 https://secure.php.net/ChangeLog-7.php#7.1.1
The following code causes mruby to use up all available memory: `class A redo rescue c end` Following the execution, we see the code in codegen.c jumping between CASE(OP_ONERR) and CASE(OP_JMP). CASE(OP_ONERR) uses realloc to double the size of mrb->c->rescue, and since it is stuck in an infinite loop between …