HackerOne Reports

This bug was reported directly to GitHub Security Lab.
## Summary:

It is possible to load an arbitrary .css file, bypassing the protections by adding the domain `https://www.glassdoor.com` in a parameter/path.

### Affected URL or select Asset from In-Scope:

- https://www.glassdoor.com/api/widget/apiError.htm?action=employer-single-review&css=https://zonduu.me/example.css?http://www.glassdoor.com/&format=320x280&responsetype=embed&reviewid=3762318&version=1&format=320x280&responsetype=embed&reviewid=3762318&version=1

### Affected Parameter:

- css

### Browsers tested:

- All

## Steps To Reproduce:

- https://www.glassdoor.com/api/widget/apiError.htm?action=employer-single-review&css=https://zonduu.me/example.css?http://www.glassdoor.com/&format=320x280&responsetype=embed&reviewid=3762318&version=1&format=320x280&responsetype=embed&reviewid=3762318&version=1

It will inject …
The following URL is vulnerable to an open redirect (it will redirect to google.com):

https://www.blackrock.com/authplatform/user/activate-success?redirectUri=https://google.com

After clicking on "return to site" it will be redirected to the page.

Steps To Reproduce:

1. Enter on this link https://www.blackrock.com/authplatform/user/activate-success?redirectUri=https://google.com
2. Redirected to https://google.com

## Impact

Phishing attacks to redirect users to malicious sites without …
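Both the Glassdoor CSS-loading bypass and the BlackRock open redirect above come down to how a URL parameter is validated before it is trusted. The following is an added example, not code from either report or either vendor: a substring check of the kind that `https://zonduu.me/example.css?http://www.glassdoor.com/` defeats, next to a check that parses the URL and compares the host against an allow-list. The allow-list, the `naive_is_trusted` and `is_trusted` names, and the sample inputs are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list of hosts a css= or redirectUri= parameter may point at
# (illustrative; the real services' configuration is not known from the reports).
ALLOWED_HOSTS = frozenset({"www.glassdoor.com", "www.blackrock.com"})


def naive_is_trusted(url: str) -> bool:
    """Substring check of the kind the bypass above defeats: the trusted
    domain only has to appear *somewhere* in the string, so putting it in
    the query string of an attacker-controlled URL passes."""
    return any(host in url for host in ALLOWED_HOSTS)


def is_trusted(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Parse the URL and compare its authority with the allow-list.

    Accepts only absolute https URLs whose host is allowed, with no userinfo,
    no backslash in the authority and no non-default port, so
    https://www.glassdoor.com@evil.example/ and
    https://evil.example/?x=https://www.glassdoor.com/ are both rejected.
    """
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.hostname is None:
        return False
    if parts.username is not None or port not in (None, 443):
        return False
    if "\\" in parts.netloc:       # browsers treat backslash as a path separator
        return False
    return parts.hostname in allowed_hosts   # .hostname is already lowercased


# Constructed inputs modelled on the two reports above.
CSS_BYPASS = "https://zonduu.me/example.css?http://www.glassdoor.com/"
REDIRECT_BYPASS = "https://google.com/?next=https://www.blackrock.com/"
LEGIT_CSS = "https://www.glassdoor.com/static/widget.css"


def compare(url: str) -> dict:
    """Return both verdicts for one URL."""
    return {"naive": naive_is_trusted(url), "strict": is_trusted(url)}


if __name__ == "__main__":
    for u in (CSS_BYPASS, REDIRECT_BYPASS, LEGIT_CSS):
        print(u, compare(u))
```

For a post-login redirect the stricter option is not to accept absolute URLs at all: accept only a same-origin path (reject anything starting with `//` or containing a scheme) or look the destination up by an identifier on the server side.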
## Summary: A vulnerability in the Tor Browser 78.11.0esr and below allows a local or physical attacker to view metadata about v2 domains, namely the exact timestamp that a user connected to a v2 onion address while using either the --log or --verbose command line options. A local or physical …
URL: https://█████
Parameter: ███

Attack Details

JSON input █████ was set to -1 OR 3*2*1=6 AND 000159=000159

Tests performed:

- -1 OR 2+159-159-1=0+0+0+1 => TRUE
- -1 OR 3+159-159-1=0+0+0+1 => FALSE
- -1 OR 3*2<(0+5+159-159) => FALSE
- -1 OR 3*2>(0+5+159-159) => FALSE
- -1 OR 2+1-1+1=1 AND 000159=000159 => FALSE
- -1 OR 3*2=5 AND …
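The probe list above is a boolean-based blind SQL injection test: payloads that are arithmetically TRUE and FALSE are sent in turn and the responses compared. As an added example (not the report's target or tooling), the following builds an in-memory SQLite table, runs three of the report's payloads against a query that concatenates the id and against one that binds it as a parameter, and flags injection when the TRUE and FALSE probes produce different row counts. The table, the two lookup functions and the detection rule are constructed for illustration.

```python
import sqlite3

# Constructed sample data so the example runs offline.
ROWS = [(1, "alpha"), (2, "beta"), (3, "gamma")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, item_id: str) -> list:
    """Concatenates the JSON-supplied id into the statement, so the value is
    parsed as SQL. This is the pattern the probes above are designed to hit."""
    return conn.execute(f"SELECT name FROM items WHERE id = {item_id}").fetchall()


def lookup_safe(conn: sqlite3.Connection, item_id: str) -> list:
    """Bound parameter: the value is compared as data, never parsed as SQL."""
    return conn.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchall()


# Three payloads from the report. AND binds tighter than OR, so the first two
# reduce to "id = -1 OR TRUE" and the third to "id = -1 OR FALSE".
PROBES = {
    "true_tautology": "-1 OR 3*2*1=6 AND 000159=000159",
    "true_arith": "-1 OR 2+159-159-1=0+0+0+1",
    "false_arith": "-1 OR 3+159-159-1=0+0+0+1",
}


def run_probes(lookup) -> dict:
    """Row count per probe, or 'error' if the database rejected the statement."""
    conn = make_db()
    results = {}
    for label, payload in PROBES.items():
        try:
            results[label] = len(lookup(conn, payload))
        except sqlite3.Error:
            results[label] = "error"
    return results


def is_injectable(lookup) -> bool:
    """Boolean-blind signal: a TRUE probe and a FALSE probe yield different
    responses only if the payload reached the SQL parser."""
    r = run_probes(lookup)
    return r["true_arith"] != r["false_arith"]


if __name__ == "__main__":
    print("concatenated:", run_probes(lookup_vulnerable), is_injectable(lookup_vulnerable))
    print("parameterised:", run_probes(lookup_safe), is_injectable(lookup_safe))
```

With the bound parameter every probe returns zero rows because the whole string is compared against the integer column and never matches, so the TRUE/FALSE pair gives no differential.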
Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. ## Impact Malicious JavaScript has access to all …
Hi team, I hope you are doing well. While conducting my research I found that there are some URLs that lead to disavowing an account without any authentication. It allows unauthorized users to disavow or dissociate an email address from an account without requiring proper authentication. Steps to reproduce: 1. …
**Description:** Any user can access the Administration section of the following URL: https://███ When the user goes to the following domain they are automatically logged in as "████████" which is a sys admin user on the application, this allows any user to upload files, add users, change permissions for users …
## Summary:

It's possible to list all hidden files that are located within the TVAVirtual.com SharePoint folder structure.

## Steps To Reproduce:

1. Navigate to TvaVirtual.com
2. Open the page's source code and notice that it's built using SharePoint pages.
3. Confirm that you see a listing for /SiteAssets/Scripts/js.cookie.min.js. Click …
**Description:** I found in periscope.tv a parameter "create_user" that allows injecting the "loginissignup" cookie; when tested with a CRLF payload I got the response "**HTTP/1.1 504 GATEWAY_TIMEOUT**".

**Link Vulnerable:** https://www.periscope.tv/i/twitter/login?create_user=*payload*&csrf=*your_csrf_token*

## Steps To Reproduce:

1. go to https://www.periscope.tv/
2. click to login
3. click create new account
4. choose twitter [ google & …
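The report above concerns a request parameter whose value ends up in a cookie and a CRLF payload sent against it. Whether that becomes header injection depends on whether the server lets CR and LF through into the response header. As an added example, not Periscope's code, here is a `Set-Cookie` builder that concatenates the value as-is beside one that enforces the RFC 6265 cookie-octet grammar and rejects the payload before it reaches the wire. The `loginissignup` cookie name is taken from the report; the payload string and the attribute suffix are constructed.

```python
import re

# RFC 6265 cookie-octet: printable US-ASCII except CTLs, SP, DQUOTE, comma,
# semicolon and backslash. CR (0x0D) and LF (0x0A) are CTLs and so excluded.
_COOKIE_OCTETS = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")
# RFC 7230 token, used to validate the cookie name.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

ATTRS = "; Path=/; Secure; HttpOnly"   # assumed attribute set


def set_cookie_naive(name: str, value: str) -> str:
    """Concatenates the value straight into the header line (vulnerable):
    a CRLF inside the value terminates the header and starts a new one."""
    return f"Set-Cookie: {name}={value}{ATTRS}"


def cookie_value_ok(value: str) -> bool:
    """True only if every character is a cookie-octet."""
    return _COOKIE_OCTETS.fullmatch(value) is not None


def set_cookie_safe(name: str, value: str) -> str:
    """Rejects names and values outside the grammar instead of emitting them."""
    if _TOKEN.fullmatch(name) is None:
        raise ValueError("cookie name is not an RFC 7230 token")
    if not cookie_value_ok(value):
        raise ValueError("cookie value contains characters outside cookie-octet")
    return f"Set-Cookie: {name}={value}{ATTRS}"


def header_lines(raw: str) -> list:
    """Split a raw header block on CRLF, as a proxy or browser would."""
    return raw.split("\r\n")


# Constructed CRLF payload: closes the cookie value and smuggles two more headers.
PAYLOAD = "x\r\nSet-Cookie: session=attacker\r\nX-Injected: 1"


def demo() -> dict:
    naive = header_lines(set_cookie_naive("loginissignup", PAYLOAD))
    try:
        set_cookie_safe("loginissignup", PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "naive_header_count": len(naive),   # one header became three
        "smuggled": naive[1],               # the attacker-controlled line
        "safe_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Modern HTTP libraries and servers generally refuse CR/LF in header values themselves; the check belongs at the application layer anyway, because the server returning a 5xx (as in the report) tells you the value was not accepted, not that the code path is safe.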
Hello Twitter Team

## Summary

This issue is mainly in the Periscope Android app against CSRF follow action using deeplink.

## Description

In normal Periscope Website, when we share a follow link like `www.pscp.tv/<user-id>/follow`, we get a response whether to follow a person or not, giving us an option, which means CSRF protection …