HackerOne Reports
Search through disclosed security reports
It was identified that even though a logout action is taken by the user in the com.shopify.ping application, the authentication token is not invalidated, which allows full recovery of the initially acquired session. More specifically, after the user provides the required credentials, an **access_token** will be fetched from the server …
## Description: On https://doaction.org/, pages can be enumerated via the 'p' GET parameter, for example: https://doaction.org/?p=1657 redirects to https://doaction.org/event/ijebu-2019/ and https://doaction.org/?p=1320 redirects to https://doaction.org/non-profit/test/. Using it I have enumerated almost 1000 unique endpoints and on some of them I found CSV files with PII of users (Name, Email, Phone, Role, Organisation). I suppose that …
## Summary: [Commit "schannel: support selecting ciphers"](https://github.com/curl/curl/commit/9aefbff30d280c60fc9d8cc3e0b2f19fc70a2f28) added support for selecting the ciphers with SCHANNEL. However, due to use of a static `algIds` array for ciphers in `set_ssl_ciphers` the last configured cipher list will override configuration used by other connections, leading to potential wrong configuration for them. This may have …
## Summary: I've found that this subdomain ```soa-accp.glbx.tva.gov``` is also vulnerable to SQLi through the /api/ path ## Steps To Reproduce: ```https://soa-accp.glbx.tva.gov/api/river/observed-data/GVDA1'+%2f*!50000union*%2f+SELECT+HOST_NAME()--+-``` hostname dumped ```https://soa-accp.glbx.tva.gov/api/river/observed-data/GVDA1'+%2f*!50000union*%2f+SELECT+@@version--+-``` Microsoft SQL Server 2017 (RTM-CU22-GDR) (KB4583457) - 14.0.3370.1 (X64) \n\tNov 6 2020 18:19:52 \n\tCopyright (C) 2017 Microsoft Corporation\n\tEnterprise Edition (64-bit) on Windows Server 2012 R2 Standard 6.3 …
I am happy to receive your invitation, and I will try my best to keep R3 secured. As this is my first report and can be considered as low severity and some companies even considered it as N/A, but as I see in your policy it's not mentioned as out …
**Description:** Hi Team, While doing recon on U.S. Government sites, I found the below asset belongs to the U.S. Government (please check its SSL certificate to confirm or please check the attached PoC video) █████████ https://███/ Attacker can execute Command Injection without Authentication. ## Impact Unauth RCE ## System Host(s) ███ ## Affected …
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process, which the attacker has no visibility and …
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause other potential impact. ## Impact Undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause other potential …
**Summary:** The endpoint at https://███████/admin/ authenticates the user to the administrator user. ## Step-by-step Reproduction Instructions 1. Navigate to https://███/ and you'll notice you will need to log in. 2. Navigating to https://██████████/admin/ will show you admin malformed page, with the ability to "log out" As for now as we …
There is an issue that allows retrieving any files from the protected directory of the application - ```/data/data/com.owncloud.android/*```. The issue is caused by the exported activity ```com.owncloud.android.ui.activity.ReceiveExternalFilesActivity``` with intent filter ```android.intent.action.SEND_MULTIPLE``` that accepts URIs of files for upload. Any 3rd-party application could start this activity and upload on server any files such …
It was observed that the application is vulnerable to cross-site scripting (XSS). XSS is a type of attack that involves running malicious scripts on a victim’s browser. poc attached another parameter at #1636345 q_23463 payload: %22%27%3e%3csvg%2fonload%3dconfirm(666)%3e ## Impact Cookie Stealing - A malicious user can steal cookies and use …
It was observed that the application is vulnerable to cross-site scripting (XSS). XSS is a type of attack that involves running malicious scripts on a victim’s browser. poc attached another parameter at #1636345 q_13794 payload: %22%27%3e%3csvg%2fonload%3dconfirm(666)%3e ## Impact Cookie Stealing - A malicious user can steal cookies and use …
http://now.informatica.com/en_data-integration-for-dummies_book_2642.html?source=Homepage The issue is located here. I will be including a video demonstrating this vulnerability. XSS vector used: <svg onload=confirm(document.domain)>xs
GitLab allows importing a project from GitHub. It also imports the labels, whose colors are not sanitized. This leads to Stored-XSS. # Step to reproduce To reproduce, we need the following prerequisite: - Github does not allow neither to create arbitrary label colors. You can find in the attachment …
It was observed that the application is vulnerable to cross-site scripting (XSS). XSS is a type of attack that involves running malicious scripts on a victim’s browser. poc attached another parameter at #1636345 q_13779 payload: %22%27%3e%3csvg%2fonload%3dconfirm(666)%3e ## Impact Cookie Stealing - A malicious user can steal cookies and use …
## Summary: When fastify-static is mounted at root and registered with the option `{ redirect: true }` (default of redirect option is `false`), the following line directly feeds user's input, which is `req.raw.url`, to the URL API without try/catch: https://github.com/fastify/fastify-static/blob/master/index.js#L439. A remote attacker can send a GET request to server with path …