
HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 441 - 460
Currently, there is no limit for summary length. I think, pushing a gem whose summary is huge, will make `gem search` unavailable. This is not Arbitrary Code Execution, but really easy to attack. According to CVSS v3.0 Calculator, the severity is High (7.5). ## How to attack 1) An attacker …
mame
The issue is with the "Confirm via call functionality". While adding a mobile number, the application does not verify the number that is being called back. A malicious user can change the number to any premium rate numbers which charge a particular amount from the caller. It was further noticed that there was …
Hi, I discovered that there is no request throttling or limit on API key regeneration. Though there's a little change while making a total of 30 requests in a few seconds, a server error occurred, then it continued. ## Screenshot {F197872} In the screenshot `685` denotes a processed request and `6052` denotes …
## Summary: The curl windows binaries are built with OpenSSL libraries and have an insecure path for the OPENSSLDIR build parameter. This path is set to c:\usr\local\ssl. When curl is executed it attempts to load openssl.cnf from this path. By default on windows, low privileged users have the authority to …
Hello Security Team, I hope you are having a good day! The attacker can use the victim cookie to log in victim's account and if a victim clears her browser history victim can be logged out of her account but the attacker use the victim's previous session cookies and log …
As resolved in #229483, I can't see a fix in the Full name field. The issue persists. Though this time it shows the decoded character on the error page, it's not saved. Screenshot showing this is attached below. {F197856} {F197857} Shuaib.
There is protection on https://github.com/nextcloud/server/blob/master/apps/settings/lib/Controller/AuthSettingsController.php#L122 that you must have recently entered your password to be able to generate a new AppPassword. However if an attacker would obtain access to your system (say you forgot to lock it when taking a quick bathroom break). They can abuse a route to just …
## Summary: By tampering with the POST request to the endpoint CreateOrUpdateSo5LineupMutation while editing a team you can change all football players to have the captain attribute to 'true'. This goes against the UI enforced logic of having only one captain per team, as this attribute gives the football player …
**Description:** hello team! the endpoint https://www.████████/852585B6003EBA25/Login.html?open There is a page to log in! however, it is possible to ignore this page using just a single quote ' let's go! 1: go to https://www.███████/852585B6003EBA25/Login.html?open 2: in the login field put a single quote ' 3: boom! Now you have access to …
## Steps To Reproduce: I read this security advisory https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g. It only clears the authorization and cookie headers during a cross-domain redirect. {F3024496} As such this may lead to accidental leakage of "Proxy-Authorization" to a 3rd-party site. ```nodejs import { request } from 'undici' const { statusCode, headers, body } = …
Sorry I was not quite sure about the scope. This bug is not triggerable in the sandbox, because it does not use the Random class, but it is triggerable in mruby with the following piece of code: ```ruby $r = Random.new a = Object.new def a.to_int $r.rand end $r.initialize a …
## Summary Hi team & @jobert, I am not sure if it is by design. After disabling the account, the user will be forced to `Enable` his account after logging in. However, many of the actions are implemented using a GraphQL endpoint which bypasses the account reactivation process before use. Since re-enabling the …
Reported to the project maintainer in October 2016. A specially crafted IPv6 packet could trigger a read outside of buffer in tcpdump. ``` ==27882==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e000 at pc 0x0000005724b5 bp 0x7ffe8e17a790 sp 0x7ffe8e17a788 READ of size 1 at 0x60400000e000 thread T0 #0 0x5724b4 in ip6_print /root/tcpdump/./print-ip6.c:296:4 #1 …
Hey, mongoose When the owner of a chat room gives any user Viewing Privilege, that user can then send messages to the room. As expected, there's no form to send messages when the user accesses the room since in theory it shouldn't be possible. However, messages via POST requests can …
__Hello,__ I want to report that your website is using a vulnerable version of WordPress, which is 4.7 (released on 2016-12-06). This can be identified from the read me file located [here](https://yaman.olx.ph/wordpress/readme.html), and that your website contains a directory listing of the web-includes located [here](https://yaman.olx.ph/wordpress/wp-includes/). # Bugs in …
Reported to the project maintainers in 2016. The function sig_print() did receive a correct caplen parameter value but didn't use it correctly which could cause a read outside of buffer. Fixed by https://github.com/the-tcpdump-group/tcpdump/commit/409ffe94529df3d8bb8258bf99586f821756cb29.
Introduction ============ Provided PoC segfaults at mrb_vm_exec due to null pointer dereference. Proof of concept ================ Attached the poc. Crash report ============ ``` ./sandbox vm_exec.rb ./sandbox:20: [BUG] Segmentation fault at 0x00000000000000 ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu] -- Control frame information ----------------------------------------------- c:0003 p:---- s:0010 e:000009 CFUNC :sandbox_eval c:0002 p:0201 s:0005 E:001568 …