HackerOne Reports

Search through disclosed security reports

10,350 reports found
Greetings, The application appears to be vulnerable to HTTP request smuggling due to a disagreement between the front-end and back-end server, where the front-end server uses the Transfer-Encoding header to determine content in the HTTP body, but back-end server uses the Content-Length header, which causes a desync. The following steps …
**Summary:** I found a .git repository on https://███████.mil/.git which discloses an API password for Yubikey on 2 different domains, together with full source code. **Description:** Fetching the git repository and decompressing the objects results in the ability to read the source code of the server, which includes an API password …
**Summary:** I found an “Improper Authentication” issue where the 2FA OTP generated by the Microsoft Authenticator app can be used for two-step verification in HackerOne. This is similar to the common issue where tokens remain usable after logout. This means that the OTP does not have an invalidation period even …
Greetings!, Hope Y'all good and fine. ## Summary: I would like to report another vulnerability very Similar to my other report in #975991 Due to lack of secure design, I was able to find the origin IPs behind Cloudflare WAF. The IPs I found belong to : 3d.cs.money ## Description: …
There is Reflected Cross site scripting issue at the following url: https://████████/█████ Proof Of Concept https://████/███?███=%22onfocus%3d%22alert(document.domain)%22autofocus%3d%22&submit=Search ███ Best Regards @pelegn ## Impact Cookies Exfiltration SOAP Bypass CORS Bypass Executing javascript on the victim behalf ## System Host(s) ██████████ ## Affected Product(s) and Version(s) ## CVE Numbers ## Steps to Reproduce …
Hello Team #Description In the continuous series of 12 days, twelve flags were hidden inside Hackyholidays site - hackyholidays.h1ctf.com in which once we get all the flags, grinch can be stopped. This write-up will describe solving all the 12 days challenges. #Step To Reproduce + It all started when hackerone …
## Summary: An attacker could gain access to sensitive information about usernames, encrypted passwords, internal IP addresses and configuration data of internal services. ## Steps To Reproduce: - Go to https://zik.mtncameroon.net/common/queryconfig.action ## Remediation Configure the application to not reveal sensitive information to client. ## References https://cwe.mitre.org/data/definitions/200.html ## Impact A malicious …
By adding some extra headers in the request I noticed that the user is redirected to a remote website. This can lead to stealing a user's credentials (phishing) on a remote server. These headers can be added either using a MITM attack or by chaining with another vulnerability such as …
## Summary: I have found an official unclaimed s3 bucket of tendermint i.e. http://tendermint-packages.s3-website-us-west-1.amazonaws.com/ which is also used by many other blockchain companies and developers. ## Steps To Reproduce: 1. Create an s3 bucket with name tendermint-packages and us west1 region 2. Make the settings and change it as …
**Summary:** Happy Friday! The server at `██████` is vulnerable to CVE-2017-10271 "Oracle WebLogic Server Remote Command Execution". **Description:** The following request takes 12 seconds (12000 milliseconds) to complete: ``` POST /wls-wsat/RegistrationPortTypeRPC HTTP/1.1 Host: ██████████ Content-Length: 423 content-type: text/xml Accept-Encoding: gzip, deflate, compress Accept: */* <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java …
##Summary: A sensitive internal security audit report file for cURL/libcurl—specifically cure53-curl-report-2016.pdf—was found to be publicly accessible via search engine dorking. This file includes detailed vulnerability findings, exploit vectors, code review observations, and remediation advice from the Cure53 audit engagement in 2016. The exposure of this report may aid malicious actors …
The following code triggers a use-after-free when mruby is compiled with ASAN, on this code path: https://github.com/mruby/mruby/blob/master/src/gc.c#L762 POC ``` va0ue0=[0,0,0,0] u=[] h=[] va0ue0.each do va0ue0.uniq!do va0ue0.zip va0ue0.each do v do% end end end end ``` ASAN output: ``` operac@hp2:~/testafl/mruby/mrubylast/mruby/bin$ ./mruby 07.min.rb ================================================================= ==7623==ERROR: AddressSanitizer: heap-use-after-free on address 0x62f00001a3d0 at pc …
fms
The search query parameter is put into Javascript to set the localStorage item: https://marketplace.informatica.com/search-solr.jspa?q=%foo% ```javascript localStorage.setItem("searchTerm", "%foo%"); ``` Attempts to inject XSS payloads are blocked by redirection that removes special chars from the URL: ```http GET /search-solr.jspa?q=aaa%22bbb%27ccc%3Cddd%3Eeee HTTP/1.1 Host: marketplace.informatica.com HTTP/1.0 302 Found Location: https://marketplace.informatica.com/search-solr.jspa?q=aaabbbcccdddeee ``` However it turns out …
Hello, friends today when I was checking some sites I found this bug on your own website. ##Details XSS Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application …
- Change the edit policy of a Maniphest Task - Attempt to comment on the task with a user who doesn't have access ## Impact Given a few users I spoke to believe restricting the edit policy blocks comments, this allows an underprivileged user to gain access to carry …
Hi! # Summary Multiple chained vulnerabilities lead to leaking secret documents. Improper sanitization in registration allows an attacker to create a QR recover code for any email address. This leads to an account takeover. Using that technique on jobert's account, attacker can access the support chat functionality. This endpoint, besides …