
HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 921 - 940
## Description Users with a trust level of 2 and above on Discourse (being a member for 15 days, reading more than 100 posts and more - can be seen on: https://github.com/discourse/discourse/blob/b7386958edfb8215c99d90fde04521b3312d2ccd/config/site_settings.yml) can invite new users to join discourse by sending an invite request. However, there exists an endpoint which uses …
Hi Team, I was able to bypass the verify Human dialog box while subscribing. Vulnerable request: ==================== ``` POST /subscribe/post HTTP/1.1 Host: stellar.us9.list-manage.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 264 Referer: https://stellar.us9.list-manage.com/subscribe/post?u=c001d97369b7a10d224c23867&id=563f658d41&SIGNUP=community Cookie: _AVESTA_ENVIRONMENT=prod; PHPSESSID=5kid70ckbbvfpshmvoc6m7vqr1 DNT: …
Good evening team! This is a theoretical risk but I thought it was still worth reporting since every endpoint and any data flowing through inside.gratipay.com is unencrypted. POC https://inside.gratipay.com And every subdirectory under inside.gratipay.com. Description Since the certificate is only valid through *.herokuapp.com the domain is sending a warning …
## Summary Nextcloud Android client v1.4.3 has a globally available content provider which exposes the bcrypt password hashes for password protected shared files and folders. ## Description Android apps can use a content provider to handle storage and retrieval of data. Content providers that are exported allow any app on …
Hi, I just saw a report of #229483. This issue still persists. When I tried some Unicode characters like smilies, etc., it is working perfectly by displaying the error message on the same page that **Username may only contain letters, numbers or the following characters: @ . + - _** …
Hi, Password change is not notified to the account owner if it's made from the account settings. This is very crucial as once the account is compromised, the attacker can change the password without giving any clue to the victim. Steps to reproduce the issue: 1. Sign in with a …
# Description *Password* plugin in its virtualmin driver allows an attacker who has a valid username/password to log in to his web panel to execute malicious inputs. This could allow an attacker to reset the victim's password and in some scenarios get a system shell. # CVE CVE-2017-8114 # Details …
Hello, ## Description: The account settings page, https://demo.weblate.org/accounts/profile/#account, allows a user to set their username as a null character! A user intercepts the request using a proxy and changes the user name field to %00. ## Mitigation: I recommend you have filtering of null characters on your account settings page. Thanks!
> NOTE! Thanks for submitting a report! Please replace *all* the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! **Summary:** [add summary of …
## CVSS Low 3.1 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) ## Description The Gallery plugin does not inform a user when password-protecting a file failed in combination with the Password Policy plugin. Because of this, files that the user will rightfully assume to be password-protected are actually publicly accessible. ## POC Prerequisite: Enable Gallery and …
It is possible to test for the satisfaction of certain assertions across origins by abuse of Content Security Policy. These could be assertions such as 'is the client logged into this website', or 'is the client logged in as this user', or 'does the client have access to these panels'. …
Mars

CSRF to delete a pet

Medium Closed
## Summary: The ```/kisallataim/ANIMAL_ID/delete``` API endpoint at **myroyalcanin.hu** is vulnerable to Cross-Site Request Forgery attacks. This vulnerability allows an attacker to delete a pet from the victim's account. (Sorry for my English, I'm French) ## Proof-of-Concept (PoC) ```html <html> <body> <form action="████"> <input type="submit" value="Submit request" /> </form> <script> document.forms[0].submit(); …
## Summary: Hello Team, While testing it was observed that on **3d.cs.money** a DoS is possible via a specially crafted request, using only a single request from a single machine, on the search bar. Though I am aware of the Out of Scope policy "Any activity that could lead to the disruption of our …
## Summary: Hello team, I found an endpoint that returns all data related to sell mode inventory without proper authentication at the link: https://cs.money/load_sell_mode_inventory ## Steps To Reproduce: [add details for how we can reproduce the issue] 1. Open directly the link: https://cs.money/load_sell_mode_inventory 2. Observe the result ## Supporting …
## Summary: There are three weaknesses in Brave's FIDO U2F implementation. * `u2f.register()` can be executed from cross-origin subframe by invoking [U2F.postMessage](https://github.com/brave/brave-ios/blob/e52c52495aa654584abe8172d689977756e6549d/Client/Frontend/UserContent/UserScripts/U2F.js#L264) directly * Then, FIDO related modals show the name of top frame origin (but not caller subframe) * The `version` parameter sent from the above `postMessage` is embedded …
Hi HackerOne Team, **Summary:** When you are a part of a program security team, you have a choice to show in your profile that you are a member of the sec team; you can also hide it if you don't want to show it on your profile, any team member …
japz