HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 521 - 540
Hello, An IV reuse bug was discovered in Ruby's OpenSSL library when using aes-gcm. When encrypting data with aes-*-gcm, if the IV is set before setting the key, the cipher will default to using a static IV. This creates a static nonce and since aes-gcm is a stream cipher, this …
kb.informatica.org is vulnerable to stored XSS as it stores user input in users' sessions, then reflects this input back inside a JavaScript block without adequate escaping. To replicate this issue, first store the payload in your session by visiting: https://kb.informatica.com/kbexternal/Pages/KBSearchResults.aspx?k=Support%20Console&fromsource=11171"%3balert(1)%2f%2f535 Then visit https://kb.informatica.com/faq/1/Pages/17033.aspx?docid=17033&type=external&isSearch=external This should trigger an alert, due to …
http://m.rubygems.org is this site under the scope for this bounty?
Upstream issue ---- https://bugs.php.net/bug.php?id=72968 Description ----- Exception when processing a long header string causes GS violation on Windows platform. ``` 0:000:x86> r;!exploitable -v eax=00000001 ebx=08a13020 ecx=00000007 edx=00000000 esi=00000003 edi=08a6116c eip=5221468b esp=0712e408 ebp=0712e418 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 ucrtbase!abort+0x4b: 5221468b …
fms
Hello Team, Hope you are doing great and enjoying a lot. This issue affected me directly and I was very amazed by it, so I felt it was important to report it in case it was not known. It is resulting in unintended behavior: In addition to this report is very …
The following URL leaks the Private IP Addresses:- kubernetes.io/feed.xml The following Server’s Cluster RFC 1918 IP addresses were disclosed in the response: • 10.1.2.3 • 10.104.207.136 • 10.224.0.0 • 10.250.0.0 • 10.250.112.0 • 10.250.96.0 • 10.55.252.216 • 10.96.0.0 • 10.96.0.1 • 10.96.15.180 • 10.97.125.254 • 10.97.62.68 • 172.17.0.4 • 192.168.1.4 …
There exists a race condition in the beginning survey, allowing a user to get $100 in credit multiple times. In my example, I made 2 asynchronous requests, and was credited with $200. POC: 1. Create a new slack team. 2. Set your password, and find the account creation survey. 3. …
Scenario: *********** --> Installed nextcloud 10.0 locally and created "admin" account --> Installed nextcloud desktop client and android client I found session related vulnerability in nextcloud 10.0 where killing session in User(admin) --> Personal --> Sessions not actually killing sessions in desktop client Steps: 1) Logged into admin account in …
Hi , I managed to bypass the fix you deployed to the issue I reported in #159522. Apparently this is what the fix does: - Redirecting to `https://checkout.shopify.com/<exact_store_id> /` only is allowed. - For example: `victim.myshopify.com/account/logout?return_url=https://checkout.shopify.com/<victim_store_id>/` will work - but `victim.myshopify.com/account/logout?return_url=https://checkout.shopify.com/<attacker_store_id>/` won't work - `https://checkout.shopify.com/<store_id>` no longer follows the 302 …
Details: **Summary:** Cross-site Request Forgery in the `Integrations` (https://hackerone.com/[YOUR_TEAM]/integrations) feature for teams. **Description (Include Impact):** The `Integrations` flow is insecure, because it can be abused by CSRF. PoC: Request ``` GET https://hackerone.com/auth/slack HTTP/1.1 ``` Response ``` Location: https://slack.com/oauth/authorize ?client_id=2174110321.11522100978 &redirect_uri=https%3A%2F%2Fhackerone.com%2Fauth%2Fslack%2Fcallback &response_type=code &scope=incoming-webhook &state=379fd8f1baa8d80516e2f706f025057ad0ce2cca0bbbd56c ``` How can it be bad since …
Hi, I've found a Shopify cdn domain here which had an instance of fastly setup but did not remove the dns record when the service was cancelled. a subdomain takeover similar to that of https://hackerone.com/reports/32825 could be possible. Vulnerable URL: http://genghis-cdn.shopify.io Page Response: ``` Fastly error: unknown domain: genghis-cdn.shopify.io. Please …
**Description** I have a script running on my server which gives me full control over a visitor's window object. This allows me to replace the user's legitimate mapbox.com session with my own Mapbox phishing form (not live). As you can see from the proof-of-concept video below, this vulnerability works cross-origin. …
Overview In computer networks, rate limiting is used to control the rate of traffic sent or received by a network interface controller. It can be induced by the network protocol stack of the sender due to a received ECN-marked packet and also by the network scheduler of any router along …
Overview == https://www.instacart.com/api/v2/zones is accessible by a regular Instacart user and seems to return sensitive information such as names, emails, phone numbers, money amounts and dates. ``` GET /api/v2/zones { "meta": { "code": 200 }, "data": { "zones": [ ... { "id": 73, "name": "████", "created_at": "2014-10-01T01:36:07.302Z", "updated_at": "2016-06-14T23:32:39.147Z", ... …
I was not the first to report this issue, but the fix languished for quite some time, since no one realized quite how bad it was. I wasn't aware of the original bug report and discovered the issue independently. I was the first to report the much more serious consequences …
I would like to report prototype pollution vulnerability in mpath. It allows an attacker to inject arbitrary properties on Object.prototype. # Module **module name:** mpath **version:** 0.4.1 **npm page:** `https://www.npmjs.com/package/mpath` ## Module Description {G,S}et javascript object values using MongoDB-like path notation ## Module Stats 305,874 downloads in the last week …