HackerOne Reports
Search through disclosed security reports
10,350 reports found
Showing 361 - 380
## Summary: `--proto` in some circumstances ENABLES all protocols after being given `-all`, potentially leading to sending sensitive data over an unencrypted channel. ## Steps To Reproduce: `curl -Ivs --proto -all,-http http://curl.se` This command should result in `curl: (1) Protocol "http" disabled` but it actually succeeds. ## Supporting Material/References: …
HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate …
There is a stored Cross-Site Scripting (XSS) vulnerability in the LinkedIn Lead Gen Form, specifically in the Company Name and Product Name fields. The vulnerability allows attackers to inject specific HTML elements, enabling them to change the appearance of a page, which can lead to Phishing attacks via the `<a>` …
## Summary The login callback URL, https://learn.acronis.com/portal/, is vulnerable to Cross-Site Scripting (XSS) attacks. When a user logs in and is redirected to this URL, the redirectUrl parameter is not properly sanitized, allowing an attacker to inject arbitrary JavaScript code. This code could be used to steal the user's session …
## Summary Reported vulnerability allows attacker for open/unknown redirect for victim user ## Steps to reproduce 1) Go to https://shopify.dev/concepts/shopify-introduction 2) Click on search 3) Type ``` POC ``` in search box and hit enter 4) Right click on first result displayed as ```POS``` and click on copy link address …
I find user reset password hash info and other security info on "/api/v1/users.info" note: I login on rocketchat with ldap account (my role: user) note: in request "https://target/api/v1/users.info?username=[x]" you should change username to userId 1- please login with user ldap account (role user) 2- send a request to https://target/api/v1/users.list and …
I would like to report a Pixel flood attack in jimp. It allows flooding the memory and causing DoS by uploading a crafted image (5kb image), and the Jimp module will try to allocate 4128062500 pixels into memory. # Module **module name:** jimp **version:** <=0.10.1 **npm page:** `https://www.npmjs.com/package/jimp` ## Module Description …
## Summary: Hey Shopify, When a store installs the ```shopify-data-exporter``` app to export various data of the store, a link is sent to the store internal email. This internal email is disclosed via the below request to anyone ```json GET /?shop=your_store.myshopify.com HTTP/2 Host: shopify-data-exporter.shopifycloud.com ``` {F1779393} ## Shops Used to Test: …
## Summary: Blind SSRF reports on services that are designed to load resources from the internet are Out of scope but this is an Internal Blind SSRF report so should be a Valid find as I am reading the localhost not someone else's server. I found a Blind SSRF issue …
A crafted HTTP2 request can trigger reference to request data from a memory pool after its destruction. This memory is subsequently used as input to an sprintf type function for constructing a string value. This unsafe memory access ultimately means that the r->the_request string is poisoned with unintended data. To …
Hello Sir/Ma'am, I was using the html editor in computer programming section, which allowed me to design a webpage. When I use the iframe tag, object tag and embed tag it shows me the message that these tags are not allowed for security reasons (may be cause of …
The site has a security misconfiguration issue. The site accepts weak passwords like "123" or "12345" or "abc12345" which can be guessed easily with the help of some auto attacks.
There should be an email verification when creating a new user. B/c I can make an account from others' email address, for example: az****@gmail.com Now the real person who owns this email address can't make an account with his email address.
### Summary This javascript [function](https://gitlab.com/gitlab-org/gitlab/-/blob/85fbd72dc08bcedcb9fe80fad4df798e9527ded8/app/assets/javascripts/projects/settings/access_dropdown.js#L534) is vulnerable: ```javascript deployKeyRowHtml(key, isActive) { const isActiveClass = isActive || ''; return ` <li> <a href="#" class="${isActiveClass}"> <strong>${key.title}</strong> <p> ${sprintf( __('Owned by %{image_tag}'), { image_tag: `<img src="${key.avatar_url}" class="avatar avatar-inline s26" width="30">`, }, false, )} <strong class="dropdown-menu-user-full-name gl-display-inline">${escape( key.fullname, )}</strong> <span class="dropdown-menu-user-username gl-display-inline">${key.username}</span> </p> </a> …
Completely remove VPN profile from locked WARP iOS client.
High
$1,000
Closed