
HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 481 - 500
Host : www.semrush.com Path : /billing-admin/profile/subscription/?l=de Payload : c5obc'+alert(1)+'p7yd5 Steps to reproduce : Request Header : GET /billing-admin/profile/subscription/?l=de HTTP/1.1 Host: www.semrush.com Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Referer: http://www.google.com/search?hl=en&q=c5obc'+alert(1)+'p7yd5 Overview : The payload c5obc'+alert(1)+'p7yd5 was submitted in the Referer …
## Summary The application exposes the store ADMIN page at the URL below, and it is accessible without authentication. ``` http://www.grouplogic.com/ADMIN/store/index.cfm ``` The ADMIN page provides several functionalities. Among them, the functionality below was found to be vulnerable to stored XSS. - View and Edit Promo Code (http://www.grouplogic.com/ADMIN/store/index.cfm?fa=disprocode) ## Steps To Reproduce 1. …
## Summary: Hello, I found a critical vulnerability in one of your sites, where a user can upload any file type as a profile picture (including PHP files). ## Steps To Reproduce: 1. Visit https://careers.mtn.cm and register as a user. 2. After successful registration, log in and update your data. 3. When …
## Summary The store admin page is accessible without authentication at the URL below: ``` http://www.grouplogic.com/ADMIN/store/index.cfm ``` The store admin page provides functionalities such as the following: - Add Edit Items - Search Products - Search Results - Search Orders - Orders Search Results - Add New Promo Code - Promo …
### Summary Hello, I would like to report this security flaw on https://mymtn.mtncongo.net. Using the nuclei script I found CVE-2021-44228. This is a critical issue because it causes remote command execution. In my test I just retrieved the hostname of the machine via the nuclei script. (https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml) ### Steps To Reproduce How we can reproduce the …
Hi @judgeme! `code` Steps to reproduce: 1. Go to Shopify admin and create a product with the name `">&#60;"><img src=x onerror=prompt(document.domain)> img src=x onerror=prompt(&#100;&#111;&#99;&#117;&#109;&#101;&#110;&#116;&#46;&#100;&#111;&#109;&#97;&#105;&#110;)>` 2. Go to AliExpress Review Importer/Products and delete our product with the name ` "><"><img src=x onerror=prompt(document.domain)> img src=x onerror=prompt(document.domain)> ` {F1544890} 3. XSS works =) P.S. PoC video attached …
## Summary The website at nps.acronis.com is vulnerable to CVE-2021-44228. ## Steps To Reproduce I used this [script](https://github.com/fullhunt/log4j-scan) to find this. It spins up an interact-sh server to receive the callback and sends the payload in the query string and about 30 different headers. You can reproduce manually with curl …
Original report on the Ruby program: https://hackerone.com/reports/1444501 Advisory: https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/ NIST entry: https://nvd.nist.gov/vuln/detail/CVE-2023-28755 CVSS: 7.5 high `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` as listed by NIST, but frankly I disagree with the `UI:N` part. I won't mind the extra 2k if you go with NIST, but it didn't feel right not to mention it :) I …
### Summary Hello, I would like to report this security flaw on http://mtn1app.mtncameroon.net. Using the nuclei script I found CVE-2021-44228. This is a critical issue because it causes remote command execution. In my test I just retrieved the hostname of the machine via the nuclei script. (https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml) ### Steps To Reproduce How we can reproduce …
Summary: =========================== Hello @basecamp This is my first report on your program and I hope it ends well :) . I was testing https://app.hey.com/ and my account was closed, so I went back to the request history and tried to send these requests even though my account was closed, and …
**Summary:** If you attempt to log in at https://███.mil/sso/LoginRequest.do using a very long username, the application responds with a stack trace containing sensitive SQL call information. This reveals too much information about SQL calls to the database. Please see the attached PoC video. **Description:** Log in at https://██████████.mil/sso/LoginRequest.do using …
## Description: WordPress version: **5.0.3** BuddyPress version: **4.1.0** Users with accounts can send private messages containing rendered HTML to other users; this includes being able to execute JavaScript code via elements such as script, iframe, etc. The XSS is stored in the database and is triggered any time a user …
Found HTTP PUT enabled on the web server. I tried writing the file /codelayer137.txt to the server using the PUT verb, and the contents of the file were then retrieved using the GET verb. The following is the PoC request: PUT /codeslayer137.txt HTTP/1.1 Host: ratelimited.me User-Agent: …
Summary: FFmpeg is video and audio software that is used for generating previews and for converting videos. Your current installation allows HLS playlists that contain references to external files, which leads to local file disclosure. Steps to Reproduce: 1. Download the attached file. {F413554} 2. Go to https://www.flickr.com/photos/upload/ and upload the …
**Summary** It was found that although the `referrer-policy` header for https://hackerone.com/hacktivity was set to `strict-origin-when-cross-origin`, a request to https://www.hackerone.com/blog contains the full URL path of the hacktivity page as the `referer` header, e.g. `https://hackerone.com/hacktivity?sort_type=popular&filter=type%3Aall&page=1&range=forever`. With `www.hackerone.com` being hosted on a third party, this can lead to private URL information …
Go to https://maps.zomato.com/php/staticmap?center=0,0&size=240x150&maptype=zomato&markers=180,180,pin_res32&sensor=false&scale=%&zoom=eval(2147483647+1)&language=en and a map will be displayed. Now increase the map size by 10x: https://maps.zomato.com/php/staticmap?center=0,0&size=2400x1500&maptype=zomato&markers=180,180,pin_res32&sensor=false&scale=%&zoom=eval(2147483647+1)&language=en It will always time out after waiting 1-15 minutes. PoC video is attached. ## Impact Zomato map servers can be brought down, making the map feature completely non-functional and causing millions of dollars in loss …
## Summary: PUBG's main website https://www.pubg.com has an endpoint that is vulnerable to an injection vulnerability - namely a reflected injection of JavaScript, also known as Reflected Cross Site Scripting (XSS). As per OWASP's definition: "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected …
Simply send this POST request (no auth needed): `POST /api/v1/orders HTTP/1.1 Host: join.nordvpn.com Accept: application/json Accept-Language: en-US,en;q=0.5 Content-Type: application/json Content-Length: 179 DNT: 1 Connection: close` `{"payment":{"provider_method_account":"6xdxdd","parameters":{}},"action":"order","plan_id":653,"user_id":20027039,"tax_country_code":"TW","payment_retry":0,"is_installment":false}` It will respond: `{"id":42615458,"user_id":20027039,"confirmation":{"id":23093398,"created_at":"2019-12-04 17:01:35","updated_at":"2019-12-04 17:01:35","type":"redirect_post","value":"{\"url\":\"https:\\\/\\\/www.coinpayments.net\\\/index.php\",\"parameters\":{\"cmd\":\"_pay\",\"reset\":1,\"email\":\"█████\",\"merchant\":\"e64a9629f9a68cdeab5d0edd21b068d3\",\"currency\":\"USD\",\"amountf\":125.64,\"item_name\":\"VPN order\",\"invoice\":\"49476958\",\"success_url\":\"https:\\\/\\\/join.nordvpn.com\\\/payments\\\/callback\\\/264cae0b89e44a7bd263431b68d1122d\",\"cancel_url\":\"https:\\\/\\\/join.nordvpn.com\\\/order\\\/error\\\/?error_alert=payment&eu=1\",\"want_shipping\":0}}"}}` Change user_id to 23093782 and you will get: `{"id":42616121,"user_id":89495166,"confirmation":{"id":23093782,"created_at":"2019-12-04 17:16:14","updated_at":"2019-12-04 17:16:14","type":"redirect","value":"https:\/\/pay.gocardless.com\/flow\/RE000W16X7XH4JCXJZ623MS6H7W316N3"}}` Change id to 89495247 (my test …