HackerOne Reports
Hello Team, I would like to report an internal path disclosure in a response. I was trying for Stored XSS but got no luck in that process. I observed the responses, and one of the responses was showing a file path with a 500 Internal Server Error. ## Steps To Reproduce: 1. Go to cs.money and …
NO RATE LIMIT ON 2FA CAN LEAD TO ACCOUNT COMPROMISE! 1. Create an account on vault.bitwarden.com if you don't have one. 2. Set up 2FA via email. 3. Log out and log in again. This time along with the password you have to fill in the 2FA code which is sent to the email. 4. Type any random number, …
content on a server is including JavaScript content from an unrelated domain. When this script code is fetched by a user's browser and loaded into the DOM, it will have complete control over the DOM, bypassing the protection offered by the same-origin policy. Even if the source of the script …
### Summary (Hi team, I accidentally found this bug. While reading one of the HackerOne public reports (https://hackerone.com/reports/446238) about GitLab, I found a link posted by a GitLab member which is related to internal tracking of the report. I clicked that link (https://gitlab.com/gitlab-org/gitlab-foss/-/issues/54220) and found one of the attachments. I am able …
# Vulnerability details The GFM renderer has the ability to cross-link issues between projects. When this project is private and the user doesn't have access, the link isn't made. This is good. However, when the private project has an external issue tracker set up, an attacker can extract the external …
Hi, The X-FRAME-OPTIONS header returned from https://www.periscope.tv is: ``` X-Frame-Options: ALLOW-FROM https://twitter.com/ ``` But Chrome doesn't support this value for the header: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet. Because of that, no value for X-FRAME-OPTIONS is set and all of the periscope.tv pages are vulnerable to Clickjacking. You can see for example my attached poc …
The bug report at: https://bugs.php.net/bug.php?id=72731
Hi, I just found that the POST parameter "group_id" for a particularly crafted HTTP request is vulnerable to injection due to missing parameter sanitization. PoC: ``` POST / HTTP/1.1 Host: news.starbucks.com Connection: close Content-Length: 81 Cache-Control: max-age=0 Origin: https://news.starbucks.com Content-Type: application/x-www-form-urlencoded ACT=55&jsontree={"x":1}&site_id=1&group_id=1'-IF(1=1,SLEEP(1),0) AND group_id='1 ``` This query will result …
**Summary:** HTML Injection vulnerabilities on █████████ Air Base Site. **Description:** Search values are output without being escaped. HTML Injection via ```Category``` parameter http://█████████/News/Commentaries?Search=security&Category=%22%3E%3Cimage/src=%22//███████/sealift/2011/July/images/Gumbyleaning2.jpg Response HTML ``` <div class="dig_pager"> <a class="dig_pager_button dig_pager_current" href="http://█████████/News/Commentaries/Search/security?Category="><image/src="//████████/sealift/2011/July/images/Gumbyleaning2.jpg"><span>1</span></a> ``` ## Impact - By setting inappropriate contents, the impression of the organization deteriorates. For example, short URLs …
The bug report at: https://bugs.php.net/bug.php?id=69425
Hello, I have found an area where it may be possible to run certain HTML/JS scripts. TO REPRODUCE: 1. Go to documents 2. Upload anything and edit it 3. On the edit page in tags, enter code without a closing bracket ex. <img src=x 4. Click enter 5. It will …
**Summary:** The pages https://www.starbucks.com/account/card/addcard and https://www.starbucks.com/account/card/Balance do not properly enforce security controls to limit POST requests. This bug allows attackers to successfully hijack a loaded Starbucks card and transfer all the funds into their own account. Cards linked with auto-reload features could exponentially increase fraud. *NOTE: You will need to …
Explain ------------------ I downloaded "mruby-master" on 14/01/2017. PoC ------------------- The following code triggers the bug (attached as memory_corruption.rb): d b = Hash.new {|s,k| s[k] }[1] Crash - mirb - mruby ------------------- x@x:~/Desktop/research/mruby/bin$ ./mirb memory_corruption.rb mirb - Embeddable Interactive Ruby Shell *** Error in `./mirb': realloc(): invalid next size: 0x0000000000ecc250 *** …
#GMP Deserialization Type Confusion Vulnerability [MyBB <= 1.8.3 RCE Vulnerability] Taoguang Chen <[@chtg57](https://twitter.com/chtg57)> - Write Date: 2015.4.28 > A type-confusion vulnerability was discovered in GMP deserialization with a crafted object's __wakeup() magic method that can be abused for updating any already assigned properties of any already created objects; this results in …
Greetings, While visiting https://logs.nextcloud.com/ , I noticed that this server uses HTTP Basic Authentication. {F152730} POC : ------ GET https://logs.nextcloud.com/ HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:50.0) Gecko/20100101 Firefox/50.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: br DNT: 1 Connection: keep-alive Upgrade-Insecure-Requests: 1 Authorization: Basic cmJjYWZlOnJiY2FmZQ== Host: logs.nextcloud.com Result : …
Using the default `json` library packaged with Ruby, one can trigger a segmentation fault by submitting a string with a unicode escape sequence in the range between ` \ud800-\udbff` (https://en.wikipedia.org/wiki/UTF-16#U.2BD800_to_U.2BDFFF). This can lead to a denial of service attack by segmentation fault and could be a possible point of …
Hello, ## Description: I have found a bug in your fix for my other report, #243609. I reported this in a new report as this is an error in the error message. When changing your username to one that starts with a `.`, the error message is: `Username may only contain letters, …
SUMMARY ---------- Hello, I have found a permission problem in https://partners.shopify.com that allows a member with only "Manage apps" permission to get various shop information and also list the staff accounts from inside that shop without having access to the shop's admin area REPLICATION STEPS -------------- 1. Create a new partner …