HackerOne Reports
**Summary:** A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit [205f1e6](https://github.com/nodejs/node/commit/205f1e643e25648173239b2de885fec430268492). The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations. **Description:** The function `possiblyTransformPath` calls `pathModule.resolve(path)`, where `pathModule` is the result of `require('path')`. Application code …
Unprivileged users were found to be able to upload avatar pictures on behalf of other users. Attackers authenticated to the API trigger the `ufsImportURL` method with a different `userId` than their own, so that the other user's avatar is changed. The effect of an exploit depends on the storage backend, …
> NOTE! Thanks for submitting a report! Please replace *all* the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! **Summary:** …
**Description:** XML-RPC on WordPress is actually an API that allows developers who make 3rd-party applications and services to interact with your WordPress site. The XML-RPC API that WordPress provides offers several key functionalities, including: publish a post, edit a post, delete a post, upload a new file …
Hello, I discovered that one is able to create an unlimited number of albums via /photo_videos/photoset/create/ Steps To Reproduce: 1. Login and go to http://fr.chaturbate.co/photo_videos/photoset/create/ 2. Fill the form 3. Enable a proxy interception tool (e.g. Burp Suite) 4. Click Save 5. Send the POST request made to /photo_videos/photoset/create to Intruder 6. Set 500 or more …
Hi, I read the report about DOM XSS on the 50x.html page (https://hackerone.com/reports/405191). I decided to check some other subdomains to be sure. This link still executes JavaScript: https://proxy.duckduckgo.com/50x.html?e=&atb=test%22/%3E%3Cimg%20src=x%20onerror=alert(%27test%27);%3E The following subdomains execute JavaScript as well: proxy1.duckduckgo.com proxy2.duckduckgo.com proxy3.duckduckgo.com proxy4.duckduckgo.com @cujanovic: I'm sorry for stealing. ## Impact The attacker can execute …
**Summary:** A CORS misconfiguration is found on niche.co, as Access-Control-Allow-Origin is dynamically fetched from the client Origin header with **credentials true** and **different methods are enabled** as well. **Description:** Basically, the application was only checking whether "//niche.co" was in the Origin header, which means I can give anything containing that. For ex …
A crafted `playlist.txt` can be used to exploit a stack overflow vulnerability in `GameUI.dll` that can lead to arbitrary code execution. # Reproduction Place attached `playlist.txt` in game directory (`valve`, `cstrike`, etc.). The game will crash when it tries to play `Splash` track. # Exploitability The file can be sent …
I performed a GET request on host www.data.gov in Burp Suite to a custom domain, and the response showed the x-amz-meta-s3cmd-attrs header with the user id as root and the group id running as root. x-amz-meta-s3cmd-attrs: uid:0/gname:root/uname:root/gid:0/mode:33184/ This represents information disclosure, and also it is better not to run this as …
**Summary:** Cord server will display the error message if something isn't allowed to be used, thus allowing XSS. **Description:** /scripts/ctredirector.dll allows users to call images or files. We can use the parameter @_FILE to dictate a file or URL; if it fails, it'll display the URL in the page. We …
## Summary The script `rompager.php` does not restrict which hosts can be requested. Thereby, an attacker can send HTTP requests to localhost and other servers of the same local network segment, on port 80 and 7547. ## Description In `rompager.php`, the value of `CURLOPT_URL` is fully controlled: ```php <?php // …
**Summary:** I was able to discover contract numbers which leak user names/emails/phone numbers and other sensitive information. I took the time to make sure that these contract IDs wouldn't/shouldn't be easily guessable or known. **Description:** I discovered through a Google search query that I was able to access several order/contract IDs …
Open Redirect Vulnerability URL: https://www.omise.co////bing.com/?www.omise.co/?category=interview&page=2 Parameter Type: URL Rewrite Attack Pattern: %2f%2f%2fr87.com%2f%3fwww.omise.co%2f How to Reproduce 1. Intercept the below URL using Burp Suite and send it to Repeater: https://www.omise.co/?category=interview&page=2 2. Use this attack pattern: /%2f%2f%2fbing.com%2f%3fwww.omise.co 3. Now it will redirect to bing.com. Below I will give you the …
## Summary An authenticated administrator can alter *Entries to display on frontpage* and *Entries to display in Feeds* in a way to perform a SQL injection and extract database records or access files on the underlying system. ## Description The function `serendipity_fetchComments` (implemented in `functions_comments.inc.php`) allows to obtain an array of comments …
## Summary: Navigation to protocol handler URL from the page opened using `window.open` is considered as a request from the opened page. Example: 1. The page opens `google.com` 2. The page changes opened window's location to `ssh://evil.com` 3. Request to open `ssh://evil.com` URL displayed at `google.com` **Combining this vulnerability with …
Hi team, ## Summary I found that when I can access the web site from its original IP, this disables the HTTPS secure connection. ## Description First I make a DNS lookup to find the IP address `download.nextcloud.com has address 88.198.160.133` {F313820} Now when I open the website from download.nextcloud.com I see it's …
**Summary:** There exists a possibility that your Serendipity installation is vulnerable to a blind SQL injection. **Description:** By sending specially crafted SQL commands to `/plugin/tag/` and timing how long it takes for the server to respond, it is quite possible that the blog backend is interpreting this as actual SQL …