
HackerOne Reports

Search through disclosed security reports

10,202 reports found
Showing 81 - 100
The following code triggers a use-after-free when mruby is compiled with ASAN, on this code path: https://github.com/mruby/mruby/blob/master/src/gc.c#L762 POC ``` va0ue0=[0,0,0,0] u=[] h=[] va0ue0.each do va0ue0.uniq!do va0ue0.zip va0ue0.each do v do% end end end end ``` ASAN output: ``` operac@hp2:~/testafl/mruby/mrubylast/mruby/bin$ ./mruby 07.min.rb ================================================================= ==7623==ERROR: AddressSanitizer: heap-use-after-free on address 0x62f00001a3d0 at pc …
fms
The search query parameter is put into JavaScript to set the localStorage item: https://marketplace.informatica.com/search-solr.jspa?q=%foo% ```javascript localStorage.setItem("searchTerm", "%foo%"); ``` Attempts to inject XSS payloads are blocked by redirection that removes special chars from the URL: ```http GET /search-solr.jspa?q=aaa%22bbb%27ccc%3Cddd%3Eeee HTTP/1.1 Host: marketplace.informatica.com HTTP/1.0 302 Found Location: https://marketplace.informatica.com/search-solr.jspa?q=aaabbbcccdddeee ``` However, it turns out …

Clickjacking

Medium Closed
Steps to reproduce: create index.html file with following content: <iframe sandbox="allow-scripts allow-forms" src="https://go.pushwoosh.com/register" width="1000" height="600"></iframe> Open index.html in browser Actual result: Pushwoosh viewed in iframe. Expected result: do not allow clickjacking Root cause: ``` var isInIFrame = (function () { try { return window.self !== window.top; } catch (e) { …
Description === **Vulnerable parameter:** user **Vulnerable script:** http://nutty.ubnt.com/github-btn.html **Vulnerable code:** ```js var params = function () { var vars = [], hash; var hashes = window.location.href.slice(window.location.href.indexOf('?') + 1).split('&'); for(var i = 0; i < hashes.length; i++) { hash = hashes[i].split('='); vars.push(hash[0]); vars[hash[0]] = hash[1]; } return vars; }() var user …
This bug was reported directly to GitHub Security Lab.
This bug was reported directly to GitHub Security Lab.
This bug was reported directly to GitHub Security Lab.
This bug was reported directly to GitHub Security Lab.
## Summary: https://play.mtn.co.za/ authenticates subscribers via OTP before their subscriptions can be changed. However, the request which sends the OTP also returns the OTP in the network response, allowing an attacker to manage a user's subscriptions. ## Steps To Reproduce: 1. Visit https://play.mtn.co.za/ and open network inspector (e.g., in Chrome) …
Hi! # Summary Multiple chained vulnerabilities lead to leaking secret documents. Improper sanitization in registration allows an attacker to create a QR recover code for any email address. This leads to an account takeover. Using that technique on jobert's account, attacker can access the support chat functionality. This endpoint, besides …
## Summary: When adding a pack, a post request is sent to ```https://coda.io/internalAppApi/documents/[doc ID]/packs``` with data ```{"packId":[pack Id]}``` where doc ID is the id of doc user wishes to add pack and pack ID is the pack user wants to install. But this request is unrestricted and the user can …
# CVE-2016-4796 OpenJPEG color_cmyk_to_rgb Out-of-Bounds Read Vulnerability ## 1. About OpenJPEG OpenJPEG is an open-source JPEG 2000 codec written in C language. It's widely used in lots of Linux OSes such as Ubuntu, RedHat, Debian, Fedora, and so on. The official repository of the OpenJPEG project is available at [GitHub](https://github.com/uclouvain/openjpeg). …
Please check: https://bugs.php.net/bug.php?id=73017
Hi, Through api-v2/items you can list all information of users (except email). As items are sequential, you can just make a script that crawls items from: https://www.olx.com.ar/api-v2/items/822200000 to https://www.olx.com.ar/api-v2/items/901858309 Example of sensible user information from random curl: ``` ██████████ ``` ``` █████████ ``` Example of random curl: ``` $ curl …
## Summary: This is a Denial of Service attack by using which an attacker can make a user unable to access the nordvpn.com website. For more information you can read this article. [https://blog.innerht.ml/tag/cookie-bomb/] ## Steps To Reproduce: This will usually work on a user's fresh session, for which we can use an incognito tab. …
## Summary: HTTP request smuggling vulnerabilities arise when websites route HTTP requests through webservers with inconsistent HTTP parsing. By supplying a request that gets interpreted as being different lengths by different servers, an attacker can poison the back-end TCP/TLS socket and prepend arbitrary data to the next request. Depending on …
Hey guys, The flag is: `h1ctf{y3s_1m_c0sm1c_n0w}` I'll submit a well written writeup later today or tomorrow. I now have a lot of work to catch up thanks to this devilish ctf hehehe. Thanks Ben and the rest of the team for this awesome challenge. ## Impact Getting the flag