HackerOne Reports

Search through disclosed security reports
**Summary:** The web application hosted on the "█████" domain is affected by a carriage return line feeds (CRLF) injection vulnerability that could be used in combination with others. This issue could allow XSS via Cookie, bypass Double Submit Cookie csrf protection or Session Fixation on .█████████ domains web apps. **Description:** …
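The mechanism behind the CRLF summary above, as an added example that is not code from the report or the affected application: a reflected header value is concatenated into the response head, an embedded `%0d%0a` terminates the `Location` line, and the remainder is parsed as a parent-domain `Set-Cookie` header. The hostnames, the cookie name and the helper names (`buildResponseHeadNaive`, `buildResponseHeadSafe`, `parseHead`, `setCookieValues`) are assumptions for the illustration.

```javascript
// Added example (not code from the report above): how a CR/LF pair inside a
// reflected header value plants a Set-Cookie header, and the check that stops
// it. Hostnames and the cookie name are made up for the illustration.

// Naive builder: the untrusted value is concatenated straight into the
// response head, so an embedded "\r\n" terminates the Location line and
// whatever follows is parsed as further headers.
function buildResponseHeadNaive(redirectTarget) {
  return [
    'HTTP/1.1 302 Found',
    `Location: ${redirectTarget}`,
    'Content-Length: 0',
    '',
    '',
  ].join('\r\n');
}

// Hardened builder: refuse CR, LF and NUL anywhere in a header value.
// (A real server should enforce this in the framework layer, for every header.)
const FORBIDDEN_IN_HEADER = /[\r\n\0]/;
function buildResponseHeadSafe(redirectTarget) {
  if (FORBIDDEN_IN_HEADER.test(redirectTarget)) {
    throw new Error('header value contains CR/LF');
  }
  return buildResponseHeadNaive(redirectTarget);
}

// Minimal parser that reads the head back the way a browser would:
// status line, then "Name: value" lines until the first empty line.
function parseHead(raw) {
  const [statusLine, ...rest] = raw.split('\r\n');
  const headers = [];
  for (const line of rest) {
    if (line === '') break;
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return { statusLine, headers };
}

// Every Set-Cookie value the browser would honour from this response head.
function setCookieValues(raw) {
  return parseHead(raw).headers
    .filter(([name]) => name === 'set-cookie')
    .map(([, value]) => value);
}

// Constructed payload as it would arrive URL-encoded in a query parameter:
// %0d%0a ends the Location header, and the injected Set-Cookie is scoped to
// the parent domain so it lands on every sibling application (the cookie XSS,
// double-submit CSRF and session fixation angles from the summary).
const ENCODED_PAYLOAD =
  'https://app.example.test/%0d%0aSet-Cookie:%20csrf_token=attacker;%20Domain=.example.test';
const PAYLOAD = decodeURIComponent(ENCODED_PAYLOAD);
```

`setCookieValues(buildResponseHeadNaive(PAYLOAD))` returns the injected cookie, while `buildResponseHeadSafe(PAYLOAD)` throws before any byte reaches the wire; the same regex check belongs on every header a request parameter can influence, not just `Location`.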
Currently, there is no email notification sent out when the account is deleted. I understand it asks for the password to delete, but when an attacker somehow gets the credentials, he can only 'read' users' data without alarming the user. It would stop him if he knows the user would …
The `@fastify/view` plugin, when used with the EJS engine and the `reply.view({ raw: <user-controlled-string> })` pattern, allows arbitrary EJS execution. This leads to Remote Code Execution (RCE) when an attacker can control the `raw` content passed to the view renderer. This vulnerability arises from the fact that Fastify trusts the …
**Penetration Testing Report: HTTP/3 Stream Dependency Cycle Exploit** --- # **0x00 Overview** A novel exploit leveraging stream dependency cycles in the HTTP/3 protocol stack was discovered, resulting in memory corruption and potential denial-of-service or remote code execution scenarios when used against HTTP/3-capable clients such as `curl` (tested on version 8.13.0). …
### Summary While doing the testing for the mobile app, I observed that it is possible to bypass the authentication and gain unauthorized access to the user's account by brute-forcing the PIN due to the lack of login token expiry. The way affirm mobile login works is that, User inputs …
## Summary: `brave://` protocol was introduced as a replacement for `AsarProtocolHandler`(or something like that) in `brave/muon` after #375329. However, fix for #375329 introduced a new much severe bug that allows reading files from a user's device from the web. PoC is similar to #375329, but it uses `brave://` instead of …
Summary: The nextcloud windows desktop application utilizes a precompiled OpenSSL library called libeay32.dll. This OpenSSL library attempts to load c:\usr\local\ssl\openssl.cnf when the nextcloud windows application is launched. The c:\usr\local\ssl\openssl.cnf file does not exist. By default, on windows systems, authenticated users can create under the c: drive. A user with low …
## Summary: I've found an XSS on https://watchdocs.indriverapp.com/ ## Steps To Reproduce: 1. Visit https://watchdocs.indriverapp.com/webview/v1?phone=████████&token=██████████&service=cargo&locale=en&jwt=%22%3E%3Cimg%20src=raw%20onerror=alert(%22hackerone%22)%3E#/ 1. You'll get an XSS alert ## Supporting Material/References: ███ ## Impact Execute javascript on user browser
Hi Shopify team, In rich text editors (products, gifts, pages, etc) you allow *data:* URLs to be set as image sources, and I was able to store XSS in such image. While <img> won't execute script that is stored inside the SVG it points to, if one opens the image, …
**Summary:** Potential HTTP Request Smuggling exists in nodejs. An attacker can use two identical header fields to make a TE-TE HTTP Request Smuggling attack. **Description:** nodejs allows the same header field to appear more than once in an HTTP request. For example, we can send two `Transfer-Encoding` header fields, even if one of them is a false header field. But …
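The condition the Node.js smuggling summary above describes, two `Transfer-Encoding` headers of which one is bogus, as an added example that is not Node's HTTP parser and not code from the report: a small request-head parser, two lenient framing decisions (first TE wins, last TE wins) that disagree about where the body ends, and the strict policy that rejects the request instead. The request bytes, host name and function names (`parseRequestHead`, `codingByFirstTE`, `codingByLastTE`, `checkFraming`) are assumptions for the illustration.

```javascript
// Added example (not Node's parser and not code from the report above):
// parsing a raw request head and flagging the duplicate Transfer-Encoding
// condition the summary describes. Host names are made up.

function parseRequestHead(raw) {
  const lines = raw.split('\r\n');
  const requestLine = lines[0];
  const headers = []; // [name, value] pairs in wire order, names lowercased
  for (let i = 1; i < lines.length; i++) {
    const line = lines[i];
    if (line === '') break; // blank line ends the head
    const idx = line.indexOf(':');
    if (idx === -1) throw new Error(`malformed header line: ${line}`);
    headers.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return { requestLine, headers };
}

function headerValues(head, name) {
  return head.headers.filter(([n]) => n === name).map(([, v]) => v);
}

// Two lenient implementations: one keeps the first Transfer-Encoding it sees,
// the other the last. Sitting on either side of a proxy they frame the same
// bytes differently, which is the TE-TE smuggling primitive.
function codingByFirstTE(head) {
  const te = headerValues(head, 'transfer-encoding');
  return te.length ? te[0].toLowerCase() : null;
}
function codingByLastTE(head) {
  const te = headerValues(head, 'transfer-encoding');
  return te.length ? te[te.length - 1].toLowerCase() : null;
}

// Strict framing policy: at most one Transfer-Encoding header, never alongside
// Content-Length, only "chunked" recognised, and no conflicting Content-Length
// values. Anything else is rejected rather than guessed at.
function checkFraming(head) {
  const te = headerValues(head, 'transfer-encoding');
  const cl = headerValues(head, 'content-length');
  if (te.length > 1) return { ok: false, reason: 'duplicate Transfer-Encoding' };
  if (te.length === 1 && cl.length > 0) return { ok: false, reason: 'Transfer-Encoding with Content-Length' };
  if (te.length === 1 && te[0].toLowerCase() !== 'chunked') {
    return { ok: false, reason: `unsupported transfer coding: ${te[0]}` };
  }
  if (new Set(cl).size > 1) return { ok: false, reason: 'conflicting Content-Length' };
  return { ok: true, reason: null };
}

// Constructed request with two Transfer-Encoding headers, the second bogus.
// A hop honouring the first one reads a chunked body that ends at "0"; a hop
// that drops the unknown coding and sees no Content-Length may treat the body
// as empty, leaving "GET /admin" as the next request on the same socket.
const DUPLICATE_TE_REQUEST = [
  'POST / HTTP/1.1',
  'Host: app.example.test',
  'Transfer-Encoding: chunked',
  'Transfer-Encoding: xchunked',
  '',
  '0',
  '',
  'GET /admin HTTP/1.1',
  'Host: app.example.test',
  '',
  '',
].join('\r\n');

// Constructed well-formed request for comparison.
const CLEAN_REQUEST = [
  'POST / HTTP/1.1',
  'Host: app.example.test',
  'Content-Length: 2',
  '',
  '{}',
].join('\r\n');
```

`checkFraming(parseRequestHead(DUPLICATE_TE_REQUEST))` fails with `duplicate Transfer-Encoding`, while the two lenient readers return `chunked` and `xchunked` respectively for the same head; the defensive position is to reject at the first hop, since any disagreement downstream is exploitable.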
piao
By doing some fuzzing against mruby, I spotted this vulnerability. The source code should be compiled with AddressSanitizer. Here is the vulnerable code: ``` class NoMethodError < NameError def initialize(message=nil, name=nil, args=nil) @args = ar super message,&name end end class StopIteration < r :result end ``` ``` ./mruby_asan vuln1.rb …
mg36
## Summary: It is possible to load an arbitrary .css file, bypassing the protections by adding the domain `https://www.glassdoor.com` in a parameter/path. ### Affected URL or select Asset from In-Scope: - https://www.glassdoor.com/api/widget/apiError.htm?action=employer-single-review&css=https://zonduu.me/example.css?http://www.glassdoor.com/&format=320x280&responsetype=embed&reviewid=3762318&version=1&format=320x280&responsetype=embed&reviewid=3762318&version=1 ### Affected Parameter: - css ### Browsers tested: - All ## Steps To Reproduce: - https://www.glassdoor.com/api/widget/apiError.htm?action=employer-single-review&css=https://zonduu.me/example.css?http://www.glassdoor.com/&format=320x280&responsetype=embed&reviewid=3762318&version=1&format=320x280&responsetype=embed&reviewid=3762318&version=1 It will inject …
The following URL is vulnerable to an open redirect (it will redirect to google.com) https://www.blackrock.com/authplatform/user/activate-success?redirectUri=https://google.com After clicking on "return to site" it will be redirected to the page Steps To Reproduce: Enter on this link https://www.blackrock.com/authplatform/user/activate-success?redirectUri=https://google.com Redirected to https://google.com ## Impact Phishing attacks to redirect users to malicious sites without …
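A `redirectUri` check of the kind that would have rejected the `https://google.com` target above, as an added example that is not BlackRock's code and not code from the report. It resolves the parameter with the WHATWG `URL` parser against the trusted origin so that relative paths are allowed while absolute, scheme-relative (`//host`), backslash (`\\host`), credential-prefixed (`trusted@evil`) and look-alike-host forms are all refused. The function name `safeRedirectTarget` and the `.evil.test` hostnames are assumptions; the trusted origin is the one in the report's URL.

```javascript
// Added example (not code from the report or the site above): validate a
// redirectUri parameter against a single trusted origin. Returns the
// normalised target to redirect to, or null when the value must be refused.
const TRUSTED_ORIGIN = 'https://www.blackrock.com'; // origin from the report URL

function safeRedirectTarget(redirectUri, trustedOrigin = TRUSTED_ORIGIN) {
  if (typeof redirectUri !== 'string' || redirectUri.length === 0) return null;
  // The URL parser silently strips tabs and newlines; treat their presence
  // (or any whitespace / NUL) as tampering rather than letting it through.
  if (/[\s\0]/.test(redirectUri)) return null;

  let target;
  try {
    // Relative references ("/account") resolve against the trusted origin.
    // Absolute ones keep their own origin, and for https the parser treats
    // "//host" and "\\host" alike as scheme-relative references to host.
    target = new URL(redirectUri, trustedOrigin);
  } catch (e) {
    return null;
  }
  // Origin comparison covers scheme, host and port, so "https://www.blackrock.com.evil.test",
  // "https://www.blackrock.com@evil.test" and "javascript:" (origin "null") all fail here.
  if (target.origin !== trustedOrigin) return null;
  // Credentials in the target are never legitimate for an app redirect.
  if (target.username || target.password) return null;
  return target.href;
}

// Constructed probe values, the first being the one from the report.
const PROBES = [
  'https://google.com',
  '//google.com',
  '\\\\google.com',
  'https://www.blackrock.com.evil.test/',
  'https://www.blackrock.com@evil.test/',
  'javascript:alert(1)',
  '/account/dashboard',
  'https://www.blackrock.com/authplatform/user?x=1',
];

// Map each probe to its verdict; useful as a quick regression table.
function verdicts(probes = PROBES, trustedOrigin = TRUSTED_ORIGIN) {
  return probes.map((p) => [p, safeRedirectTarget(p, trustedOrigin)]);
}
```

Comparing `origin` rather than testing whether the string starts with the trusted host is the point: prefix checks are exactly what the `.evil.test` and `@evil.test` forms are built to pass.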
URL: https://█████ Parameter: ███ Attack Details JSON input █████ was set to -1 OR 3*2*1=6 AND 000159=000159 Tests performed: -1 OR 2+159-159-1=0+0+0+1 => TRUE -1 OR 3+159-159-1=0+0+0+1 => FALSE -1 OR 3*2<(0+5+159-159) => FALSE -1 OR 3*2>(0+5+159-159) => FALSE -1 OR 2+1-1+1=1 AND 000159=000159 => FALSE -1 OR 3*2=5 AND …