
HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 581 - 600
## Overview Counter-Strike: Global Offensive's UI is built of a framework called [Panorama](https://developer.valvesoftware.com/wiki/Dota_2_Workshop_Tools/Panorama) which is heavily influenced by modern HTML/CSS with JS capabilities. Because of these properties, the UI becomes easily vulnerable to different types of code injection, most notably XSS. Previously, it was discovered that a certain message-type sent …
### What is The Vulnerability? The Passcode can be bypassed by calling a MainLoginActivity which is com.owncloud.android.ui.activity.FileDisplayActivity. We have successfully bypassed the passcode and are redirected to the App's User Interface. of the user’s credentials: Android Version: 9 Non Rooted Device. ## How to Reproduce: 1.) Set up an Emulated Device Via …
> *NOTE*: I am still researching whether there is a possibility to deploy the exploit without user interaction. ### Summary GitLab provides a [rich representation](https://docs.gitlab.com/ee/user/project/repository/jupyter_notebooks/) for Jupyter Notebooks (`*.ipynb`). In turn, Jupyter Notebooks provide the possibility for [rich output via HTML](https://nbviewer.jupyter.org/github/ipython/ipython/blob/master/examples/IPython%20Kernel/Rich%20Output.ipynb#HTML). Although most tags and attributes are stripped from the …
iwis
## Summary: If someone convinces someone to use `curl -OJ http://example.com/somefile.txt`, the Content-Disposition header can be used to create a .curlrc file if one doesn't exist (and one is running curl from the home directory). From that point on, the attacker controls any argument to all curl invocations. Combine this …
## Summary: The issue here arises from the fact that curl by default has the option CURLOPT_FTP_SKIP_PASV_IP disabled by default. As a result, an attacker controlling the URL used by curl, can perform port scanning on behalf of the server where curl is running. This can be achieved by setting …
vepe
# SUMMARY This report consists of two vulnerabilities. # 1st vulnerability: I found out that there is a rate limiting in place after 25 failed attempts. Now that is good, but when I use other email address to bruteforce, the rate limit didn't preserve to the new email. This may look like …
An ssh-audit scan found that ssh.fr.cloud.gov supports sha1 for various purposes (including exclusively for MAC addresses), as well as arcfour. Both of these are outdated and known vulnerable. The algorithms used are also indicative of an outdated SSH version (OpenSSH 6 or Dropbear 2013). It's probably a good idea to upgrade. …
## Summary: This bug is related to wordpress.com. There is a feature in wordpress.com which allows users to invite people. We have to enter email address to invite that particular person but the invite link and invite key is also available to the person who invited. This allows attackers to create …
# SUMMARY When reading the disclosed reports of your program, I see this one report #721341. The reporter reported a lack of password confirmation when linking accounts. A fix was applied, adding password confirmation when linking account to other services. But I found a way to bypass this. The password …
## Summary: Hello, I have found an XSS Reflected POST-Based in `https://www.intensedebate.com/ajax.php`. Vulnerable(s) URL : ```POST /https://www.intensedebate.com/ajax.php``` Vulnerable(s) Parameter(s): ``` $_POST['txt']; ``` Payload ``` azertyuiop<<><img+src="x"/onerror="prompt(document.cookie)"> ``` ## Steps to reproduce 1. Open the xss.html and you will see a javascript pop-up You can also follow me into the video POC. Thank …
This bug was reported directly to GitHub Security Lab.
## Summary: A cached connection authenticated with the OAUTH2 mechanisms can be reused by a subsequent request even if the bearer is not correct. This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). An application that can be accessed by more than one user (such as a webmail …
I would like to report file write in arbitrary locations via install command in `bower`. It allows attackers to write arbitrary files when a malicious package is extracted. # Module **module name:** bower **version:** 1.8.4 **npm page:** `https://www.npmjs.com/package/bower` ## Module Description Bower offers a generic, unopinionated solution to the problem …
Hi NextCloud team, the `https://surveyserver.nextcloud.com` domain is vulnerable against `content spoofing` in the `forbidden page` due to the fact that the `request URI` is reflected without validation inside the aforementioned page. 1. Go on https://surveyserver.nextcloud.com/.htaccess%20because%20the%20webserver%20has%20been%20moved%20on%20http://evil.com%20and%20only%20an%20old%20version%20is%20present 2. Text injected successfully {F398692} ## Impact Insert arbitrary text inside the `forbidden page` via …
Hi there, I found a vulnerable post that an attacker can execute csrf into the victim. Steps to reproduce: 1º login into your account and with burp on intercept the request of update profile. csrf1.jpg 2º Send the post request to the generator csrf poc and alter the details. <html> …
**Summary** Hey, there is an open Redirect on your login panel **Platform(s) Affected:** Website ## Browsers Verified In [If Applicable]: * Chrome For Android * Firefox For Android ## Steps To Reproduce: 1. Go To This Url :- https://www.zomato.com/login?redirect_url=https://askdcodes.org 2. Then login there 3. boom you got Redirected to askdcodes.org …