HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 221 - 240
Hi, While experimenting with parser bypass techniques, I discovered that RDoc markup could be used to inject a stored JavaScript payload into a project `README.rdoc` file. Please note that this issue is separate to my earlier report #200565 (XSS with AsciiDoc markup), marked as duplicate. ## Steps to Reproduce 1. …
ysx
Hello __Team__ __Abstract__:- A Cross-Site Scripting vulnerability was found in the MailPoet Newsletters plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force …
Hello __Team__ __Description__:- business-blog.zomato.com is vulnerable to reflected XSS that stems from an insecure URL sanitization process performed in the file flashmediaelement.swf __POC__:- https://business-blog.zomato.com/wp-includes/js/mediaelement/flashmediaelement.swf?%#jsinitfunctio%gn=alert%60xss by dem0n%60 {F154224} __Fix__:- Update WordPress to the latest version __Regards__:- Santhosh

Clickjacking

Medium Closed
Steps to reproduce: create index.html file with following content: <iframe sandbox="allow-scripts allow-forms" src="https://go.pushwoosh.com/register" width="1000" height="600"></iframe> Open index.html in browser Actual result: Pushwoosh viewed in iframe. Expected result: do not allow clickjacking Root cause: ``` var isInIFrame = (function () { try { return window.self !== window.top; } catch (e) { …
Description === **Vulnerable parameter:** user **Vulnerable script:** http://nutty.ubnt.com/github-btn.html **Vulnerable code:** ```js var params = function () { var vars = [], hash; var hashes = window.location.href.slice(window.location.href.indexOf('?') + 1).split('&'); for(var i = 0; i < hashes.length; i++) { hash = hashes[i].split('='); vars.push(hash[0]); vars[hash[0]] = hash[1]; } return vars; }() var user …
This bug was reported directly to GitHub Security Lab.
This bug was reported directly to GitHub Security Lab.
This bug was reported directly to GitHub Security Lab.
This bug was reported directly to GitHub Security Lab.
## Summary: https://play.mtn.co.za/ authenticates subscribers via OTP before their subscriptions can be changed. However, the request which sends the OTP also returns the OTP in the network response, allowing an attacker to manage a user's subscriptions. ## Steps To Reproduce: 1. Visit https://play.mtn.co.za/ and open network inspector (e.g., in Chrome) …
## Summary: When adding a pack, a POST request is sent to ```https://coda.io/internalAppApi/documents/[doc ID]/packs``` with data ```{"packId":[pack Id]}``` where doc ID is the ID of the doc to which the user wishes to add the pack and pack ID is the pack the user wants to install. But this request is unrestricted and the user can …
## Summary: This is a Denial of Service attack with which an attacker can make a user unable to access the nordvpn.com website. For more information you can read this article. [https://blog.innerht.ml/tag/cookie-bomb/] ## Steps To Reproduce: This will usually work on a user's fresh session, for which we can use an incognito tab. …
Hey guys, The flag is: `h1ctf{y3s_1m_c0sm1c_n0w}` I'll submit a well written writeup later today or tomorrow. I now have a lot of work to catch up thanks to this devilish ctf hehehe. Thanks Ben and the rest of the team for this awesome challenge. ## Impact Getting the flag
## Summary: There is a reflected XSS vulnerability on https://evernote.com, in the shared web note view, triggered through the ```view``` and ```ionUrl``` parameters of the ***/shard/s[SHARD_NUMBER]/client/snv*** endpoint. ## Description: When a user creates a note and shares it, it is stored in the following endpoint, being accessible by its ```GUID``` …