HackerOne Reports
Hi, As resolved in #229577, I could still confirm this works. A previously set password could be set as a new one. Shuaib.
Hello, ## Description: The username of an account can be set to `..`. This makes it impossible to view the public profile of this account. ## POC: I have claimed the username `..` on the demo.weblate.org site. It is impossible to view this account's public profile page. Here is the …
## Summary: Hi security team members, I found a reflected XSS on the URL ## Impact 1. An attacker can steal the victim's cookies. 2. An attacker can execute JS code. ## System Host(s) █████ ## Affected Product(s) and Version(s) ## CVE Numbers ## Steps to Reproduce 1. Navigate to …
Hello, I understand this probably doesn't qualify as a vulnerability, but I figured it would be important to bring to your attention regardless. I ask that if you are to close this, you mark it as informative for the sake of signal, reputation, etc. as I mean no harm with …
Hi, There exists an SSRF vulnerability with the account webhook feature, allowing an attacker to verify the existence of the EC2 metadata URL and enumerate URLs. POC: 1. Create a webhook at https://app.mixmax.com/dashboard/settings/rules with url `http://169.254.169.254/latest/meta-data/`. 2. Trigger this webhook by sending/receiving an email. Wait a few hours. 3. Note …
I have found a potential ReDoS vulnerability and reported it to the Rails team. **Also the patches of mine have been included**. You can find detailed information at the following link: - https://hackerone.com/reports/2585452 - https://discuss.rubyonrails.org/t/cve-2024-41128-possible-redos-vulnerability-in-query-parameter-filtering-in-action-dispatch/87699 - https://nvd.nist.gov/vuln/detail/CVE-2024-41128 There is a possible ReDoS vulnerability in the query parameter filtering routines of …
Hello team, First of all, your open report policy has improved me a lot. Your very caring team has motivated me a lot. A real bug bounty program. I hope I can contribute something to you with this report. Thank you. The application uses curl in a way that allows an …
## Summary: `cleanarg` helper func doesn't work, when credentials are provided without a whitespace to a short options flag, e.g. `-uUSER:PASS` vs `-u USER:PASS` or `-UUSER:PASS` vs `-U UUSER:PASS` ## Affected version ``` curl -V curl 8.12.1 (x86_64-pc-linux-musl) libcurl/8.12.1 OpenSSL/3.3.3 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 libidn2/2.3.7 libpsl/0.21.5 libssh2/1.11.1 nghttp2/1.64.0 Release-Date: 2025-02-13 Protocols: …
We can add comments on any article from the user's account Request POST /blogs/customer/archive/2016/05/06/starbucks-doubleshot-174-energy-coffee-makes-a-flavorful-foray-into-the-realm-of-spiced-coffee.aspx HTTP/1.1 Host: blogs.starbucks.com User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://blogs.starbucks.com/blogs/customer/archive/2016/05/06/starbucks-doubleshot-174-energy-coffee-makes-a-flavorful-foray-into-the-realm-of-spiced-coffee.aspx Cookie: CommunityServer-UserCookie2101=lv=Sat, 14 Jan 2017 08:58:35 GMT&mra=Sat, 14 Jan 2017 13:55:33 GMT; optimizelyEndUserId=oeu1484428996826r0.3642673872554443; optimizelySegments=%7B%22192119771%22%3A%22false%22%2C%22192128716%22%3A%22direct%22%2C%22192132656%22%3A%22ff%22%2C%222529560039%22%3A%22none%22%7D; …
**Summary:** I found a heap-buffer-overflow in the `doh_req_encode` function in `lib/doh.c`. The bug happens when curl processes a DNS-over-HTTPS request for a hostname that is an empty string. The code gets the string length as 0, then tries to access `host[len - 1]`, which becomes `host[-1]`. This is an out-of-bounds …
libcurl canonicalizes numeric IPv4 hostnames during URL parsing and redirect handling (example: 127.000.000.001 to 127.0.0.1). When a host-only cookie (no Domain= attribute) is set, it is stored in the cookie jar with the host string (127.0.0.1). On redirect, even if the Location: contains an alias host (127.000.000.001, 0x7f000001, 2130706433) The …
## Summary An Elevation of Privileges (EoP) vulnerability can occur in a Windows privileged process that uses CURLOPT_COOKIEJAR, CURLOPT_HSTS, or CURLOPT_ALTSVC. This vulnerability arises due to the differences in the implementation of the unlink function between Windows and Linux, as well as the behavior of MoveFileEx, which follows specially crafted …
Hi, This is a bypass of the fix on #229987. I could confirm that the old link still works. Though you would need to use 2 browsers to pull this off ## Reproduction Steps 1. In Browser1, request a password reset - Load link sent to your email in the same browser …
Hello Team, **_Version:_** 8.2.0 **_Details:_** I have found a possibility of Server Side Request Forgery via file 'Replace' functionality. An attacker / malicious user is able to scan the local network and able to enumerate open TCP ports. The root cause of this vulnerability: - you are allowing to use …
There is no check for `name` field in `metadata.gz`. By assigning a maliciously crafted string like `../../../../../any/where` to the field, an attacker can create an arbitrary file out of the directory of the gem, or even replace an existing file with a malicious file. ## Proof of Concept 1: Create …
The service under https://oberlo-image-proxy.shopifycloud.com/ seems to work like an image proxy through the url GET parameter and it is supposed to handle only images. █████████ When a content type other than an image is present, the service returns a 404 error to the user. ``` # curl -si https://oberlo-image-proxy.shopifycloud.com/?url=http://████ HTTP/2 404 date: …
Hi! This issue also exists at **Translations**. #### Link: https://demo.weblate.org/translate/hello/master/gl/?type=all ## Screenshots {F197895} {F197896} Shuaib.