
HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 301 - 320
I would like to report sensitive information disclosure in `glance`. Similar to #486933 in ways # Module **module name:** glance **version:** 3.0.5 **npm page:** `https://www.npmjs.com/package/glance` ## Module Description a quick disposable http server for static files ## Module Stats **weekly downloads** 41 # Vulnerability ## Vulnerability Description The `glance` modules …
I was taking a peek at the `takeapeek` module and found it is vulnerable to XSS via malicious injection in the directory listing. It allows execution of arbitrary JS code. # Module **module name:** takeapeek **version:** 0.2.2 **npm page:** `https://www.npmjs.com/package/takeapeek` ## Module Description A simple static webserver with only one command. Heavily …
I found the unused accessday.opn.ooo subdomain was delegated to wix.com and not claimed. ## Steps To Reproduce: - Visit http://accessday.opn.ooo/ - This domain points to the WIX CDN; anyone can claim this subdomain. ## Similar reports: https://hackerone.com/reports/1256389 https://hackerone.com/reports/996956 https://hackerone.com/reports/1183296 ## Impact An attacker can claim this subdomain and abuse it for specific purposes.
Summary: Cross-Origin Resource Sharing Misconfiguration | Leads to sensitive information. Description: An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based …
**Summary:** There exists a reflected XSS threat in https://blog.fuzzing-project.org/index.php?frontpage. **Description:** By setting the `serendipity%5bmultiCat%5d%5b%5d` POST input to `1'"()&%<%20><ScRiPt >prompt(1)</ScRiPt>` I'm able to trigger a JavaScript prompt box in versions of IE up to and including IE 11. ## Steps To Reproduce: This POST request should replicate the issue: ``` POST …
**Summary:** When setting up Sentry you should turn off "source code scraping". If it is turned on, then the server that has Sentry on it will make blind GET requests anywhere, controlled from outside via error reporting. **Description:** Hello HackerOne team. In your CSP I found the ?sentry_key parameter, so it is …
**Summary:** Hello. Due to insufficient access controls and a poor implementation of the registration at https://████████/████/login.cfm it was possible to register while escalating privileges to administrator. **Description:** It was possible to tamper with the registration request at https://█████████/██████/screen_questions.cfm, which is aimed to ███████ applications for education, in order to sign up …
Able to Take Over Merchants' Accounts Even If They Have Already Set Up SSO, After Bypassing the Email Confirmation ## Summary This report is based on the scenario that email confirmation has already been bypassed, as shown in #791775. What happened in #791775 was, I was too excited and didn't take a step …
## Summary In #791775, I submitted a bug on Sunday at 5pm Canada time, it was triaged two hours later, and I got the **temp** fix message at around 3am the next day Canada time. Truly awesome. The next day I retested after the first fix, and found that I …
Report Submission Form ## Summary: A GitHub clientID and clientSecret for an OAuth app are being leaked on GitHub ## Description While looking for anything interesting on GitHub I found a clientID and clientSecret for a GitHub OAuth app hardcoded. While they were removed a long time ago, …
**Summary:** `fs.openAsBlob()` does not appear to be limited by the permission system. **Description:** Starting Node with `--experimental-permission` does not appear to restrict `fs.openAsBlob()`. ## Steps To Reproduce: Run the following code with `--experimental-permission` and do not grant it read …
**NOTE:** Please don't close this report as Informative/NA or Dup. Hello Reddit team, regards, I found a huge number of subdomain takeovers at Reddit; a PoC video is attached. ## Impact Subdomain takeovers at Reddit
**Summary:** The `--allow-fs-read` flag of the permission system does not prevent file watching. **Description:** Attackers can watch files that they don't have read access to. ## Steps To Reproduce: Run the following code with `--experimental-permission` and do not grant …
In all versions of Apache Airflow Spark Provider (the verified version is 4.0.0), because the parameters are not effectively filtered, an attacker can pass in malicious schema parameters (including a malicious JDBC URL) when establishing a connection with SparkJDBCHook, so that when connecting, a malicious MySQL server can read …
I would like to report a stored XSS in node-red. It allows executing JavaScript in the user's browser. # Module **module name:** node-red **version:** v0.18.4 **npm page:** `https://www.npmjs.com/package/node-red` ## Module Description > A visual tool for wiring the Internet of Things. ## Module Stats 1,758 downloads in the last …
The vulnerability exists in php-fpm because of a missing bounds check in fpm_main.c. If the FastCGI variable `PATH_INFO` is empty, an underflow happens when the code tries to calculate the value of the `path_info` variable. An invalid pointer in `path_info` leads to a single-byte out-of-bounds write, which can be leveraged …
In Nextcloud 17 there is the possibility to set up 2FA providers at login. A missing check allows the following steps 1) Enforce 2FA for all users 2) As a user, configure a 2FA provider (via settings or at login) 3) Log out 4) Log in again (password only) 5) …