HackerOne Reports
**Description:** It is possible to add the same user as one who is already registered in the teams. ### Steps To Reproduce 1. Go to https://hackerone.com/team_name/team_members 2. Observe the users' emails. 3. Use the same email as the one previously registered, but vary the upper/lower case. 4. Notice that it is possible to add …
## Summary: Navigation to `chrome-extension` from the web is possible with #378805 (`ftp://` -> `chrome-extension://`). A blank page is created during navigation to `chrome-extension://` origin. Blank pages have "This page" title. It's possible to initiate `alert()` with a social-engineering content and "This page" title, that will be displayed on internal …
## Summary `http` and `https` pages are [disallowed from navigating](https://github.com/brave/muon/blob/master/atom/browser/extensions/atom_browser_client_extensions_part.cc#L289-L296) to `chrome-extension://` origin. However, `ftp` protocol isn't checked. Pages from `ftp:///` and `file:///` origin could navigate to `chrome-extension://` origin. ### Steps to reproduce: 1. Start ftp server (sample ftp server attached, `npm i ftpd && node ftp-server.js`) 2. Open `ftp://localhost:7002/exploit.html` …
**Summary:** Due to an incomplete fix for CVE-2022-32215, the `llhttp` parser in the `http` module in Node v16.16.0 and 18.7.0 still does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). **Description:** [add more details about this vulnerability] We have identified that the root issue …
**Summary:** Typically, when an adversary gains access to stolen AWS IAM credentials they will [frequently](https://sysdig.com/blog/scarleteel-2-0/) test those credentials to see what access they have. They do this by performing API calls and seeing which succeed and which fail. There are even automated [tools](████████) to make this process easier. For defenders …
# Summary Hello Lichess Team, I found a Server-Side Request Forgery vulnerability in the game export functionality. An attacker can make the Lichess server send HTTP requests to arbitrary URLs by manipulating the `players` parameter. This works on public endpoints that don't require any authentication. # Description: The issue is …
## Summary: Hi! I decided to have another look at the Mozilla VPN Client, after #2920675 was set to resolved. When going over all commands in the inspector, I noticed the "live_reload" command can be used with remote files. When using this command, the remote file is downloaded to a …
**Summary:** Hi team, @jobert **Description:** Your engineers have created the inscription `You are participating in a private program for ████████. Please do not publicly discuss the program until the program goes public.` When a hacker creates a report in an external program with a private page, we will see …
Domain: cryptography.io Description: Content spoofing, also referred to as content injection, "arbitrary text injection" or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to a …
In Django versions before 4.2.7, 4.1.13, and 3.2.23, I sent a POST request to the admin login page using Burp Suite, editing the request to send over 1 million invalid unicode characters to my local web server running Django. (I used: "¾") After submitting, a single request took 4.4 seconds …
## Summary: If the user has the post ID of a private post, they're able to use the timeline API to retrieve it, even though they don't have access. ## Platform(s) Affected: API ## Steps To Reproduce: 1. Receive an Android push notification targeting a post (e.g. "Look at what …
#### Hi DoD & HackerOne Team, I hope you are doing well today :) #### Explaining: * I found that a user with Member permission in an organization can create, view and DELETE API_KEYS #### Steps To Reproduce: 1. First create 2 accounts from here `https://███` 2. Log …
SSRF in Functional Administrative Support Tool pdf generator (████) [HtUS]
Critical
$4,000
Closed
## Summary: I found that it is possible to inject a JavaScript payload during the PDF form creation process, which is then executed by the checklist application server. ## Vulnerable Software: Functional Administrative Support Tool (FAST) v1.0 ## Intro: ██████████ Administrative clerks create dynamic action items by guiding a███ …
## Summary: SQL injection (SQLi) is a vulnerability in which an application accepts input into an SQL statement and treats this input as part of the statement. Typically, SQLi allows a malicious attacker to view, modify or delete data that should not be able to be retrieved. An SQLi vulnerability …
Hi, I would like to report a text injection and a misconfiguration of the 403 page which can be used in phishing. POC: https://demo.nextcloud.com//this%20website%20-----------------------------------------------------------------------------------------------------------------------------------------------------------------------%20thanks%20for%20visiting%20our%20website,becase%20we%27re%20having%20some%20problems%20we%20have%20been%20moved%20to%20this%20site%20http:/www.malicious.com%20please%20note%20that%20our%20website%20is%20no%20longer%20exist%20Fix%20: Just use a 403 page that doesn't include attacker text, just as HackerOne does or just as you do in your other not found …
Hi, users can be redirected to some other site which is under the control of the attacker from http://ecommerce.shopify.com/accounts. Let's say the attacker asked the victim to log in from here: https://ecommerce.shopify.com/accounts?return_to=%40evil.com/ When the victim enters the password he is redirected to https://evil.com. These can be controlled by the attacker …
I took a quick look at the business-blog.zomato.com WordPress installation, and found that it was quite outdated. (Version 4.2.4 as far as I could tell) A pretty famous XSS attack exists for WordPress versions below 4.5.2 that allows for reflected cross-site scripting. More details can be found here: https://wpvulndb.com/vulnerabilities/8488 …
The current ownCloud Windows Desktop client is prone to an arbitrary code injection vulnerability. The underlying issue is that the ownCloud desktop client tries to load QT extensions from C:\usr\i686-w64-mingw32\sys-root\mingw\lib\qt5\plugins. As any authenticated user on Windows is allowed to create new folders within C:, the expected folder structure can be …