
HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 981 - 1000
Hi HackerOne team, I am still able to access other program details etc. when I'm authenticated to HackerOne through SAML. I'm not sure if it's the same bug I reported earlier or there is some weak authorization check in place. PFA for more info I can access related to …
Hi Team, I want to report a File upload XSS in your Image upload functionality of Apps in mopub. Server doesn't check whether you are uploading a jpg/jpeg file and it uploads the file on image.mopub.com. POC link: https://images.mopub.com/app_icons/126cb3308e1a464385a49c4c7aaeac56 Steps to reproduce: 1. Go to App settings and …
The correction for #868615, allows you to use new payload:
```js
const ctx = window.open(location.origin+'/admin/themes', '_blank')
const data = JSON.stringify({
  message: 'Shopify.API.replaceState',
  data: {pathname: "abc:d../pages/xss#//"}
});
ctx.postMessage(data)
```
## Impact
Abuse the active admin session to extract data as:
- CSRF token.
- Store config.
**Summary:** A DoD leaks credentials on a phpinfo() page. **Description:** https://███ publicly displays a phpinfo() page that leaks system information and credentials. ## Impact The impact is medium not only due to information leakage of numerous different details such as system information but also the leakage of domain credentials. USERDOMAIN …
### Summary #### Arbitrary file overwrite A new feature (download a directory of a repository) in GitLab 11.11 introduced some changes in `./internal/service/repository/archive.go` of Gitaly. ```go func handleArchive(ctx context.Context, writer io.Writer, in *gitalypb.GetArchiveRequest, compressCmd *exec.Cmd, format string, path string) error { archiveCommand, err := git.Command(ctx, in.GetRepository(), "archive", "--format="+format, "--prefix="+in.GetPrefix()+"/", in.GetCommitId(), …
Hello there, I hope all is well! I found a stored xss on https://app.crowdsignal.com/ Steps: * Go to `https://app.crowdsignal.com/dashboard` * Create a survey. * Go to `https://app.crowdsignal.com/quizzes/{survey-id}/question` * Add `Multiple Choice` * Click `Add media` button. * Select `Embed Media` * Paste this: `[dailymotion id=x8oma9]` * Insert it. * Open …
ali
Hello there, I hope all is well! Steps: 1. Go to `https://intensedebate.com/signup` and create 2 accounts. 2. Login as victim and go to `https://www.intensedebate.com/edit-user-profile` 3. Click `Add Blog / Website` text and fill the form > click `Save Settings` button 4. Go to `https://www.intensedebate.com/edit-user-profile`, again and search `radMainSite` text in …
ali
#Description I found a way to add data credits for free by doing race condition of transferring data credits using turbo intruder of burpsuite when created an account with only default 10000 data credits but I managed it to add for free without buying or purchasing #POC Steps (if Confused …
============================= #Form does not contain an anti-CSRF token ============================= -------------------------------------------------------------------------------------------------------------------- There are 15 instances of this issue ==> / /Z1336 /applications/ /auth/start/ /auth/start/ /book/phabricator/article/installation_guide/ /dashboard/ /dashboard/arrange/8/ /differential/ /diffusion/ /diffusion/commit/ /diffusion/commit/query/E1D1uHPOvfuP/ /feed/query/all/ /home/menu/view/245/ /maniphest/ -------------------------------------------------------------------------------------------------------------------- Issue Details ==> Cross-site Request Forgery (CSRF) is an attack which forces an end user to …
## Summary: [1. Detected Deserialization RCE: Jackson 1.1. https://lgtm-com.pentesting.semmle.net/blog/ [lgtm_short_session cookie] 1.2. https://lgtm-com.pentesting.semmle.net/internal_api/v0.2/getSuggestedProjects [apiVersion parameter] 2. Session token in URL 3. CSP: Inline scripts can be inserted 3.1. https://lgtm-com.pentesting.semmle.net/ 3.2. https://lgtm-com.pentesting.semmle.net/admin 3.3. https://lgtm-com.pentesting.semmle.net/admin%3Cscript%3Ealert(9876) 3.4. https://lgtm-com.pentesting.semmle.net/admin%3Cscript%3Ealert(9876)%3C/ 3.5. https://lgtm-com.pentesting.semmle.net/admin%3Cscript%3Ealert(9876)%3C/script%3E 3.6. https://lgtm-com.pentesting.semmle.net/blog 3.7. https://lgtm-com.pentesting.semmle.net/blog/ 3.8. https://lgtm-com.pentesting.semmle.net/blog/images/ 3.9. https://lgtm-com.pentesting.semmle.net/blog/images/announcing_project_badges/ 3.10. https://lgtm-com.pentesting.semmle.net/blog/images/bsides_wrap_up/ 3.11. https://lgtm-com.pentesting.semmle.net/blog/images/does_review_improve_quality/ 3.12. …
I reported this vulnerability through the official Apache HTTP Server security email on 2024-07-12, and received a CVE number on 2024-07-17. You can check detailed information from here: https://httpd.apache.org/security/vulnerabilities_24.html ## Impact SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTLM hashes to …
There is an invalid memory read on mruby when calling to `mrb_str_modify()` with an invalid `RString *` which causes a SIGSEGV and leads to denial of service. ## Sample The following code triggers the bug (attached as mrb_str_modify.min.rb): ```ruby def n if $0 end ""if 00end qqq=Proc.new{|*x|x.join} qqq.("",<<000,"", 000 "") …
Introduction ============ Certain invalid inputs (invalid Ruby programs) crash mruby and mruby_engine (including the parent MRI VM). The programs always involve the `||=` operator, loops and the `break` keyword. Proof of Concept ================ crash.rb -------- A ||= break while break 1. Save the above code as crash.rb 2. Run either: …
Let's look at WeaponList message parser code in the HLSDK: ``` cpp int CHudAmmo::MsgFunc_WeaponList(const char *pszName, int iSize, void *pbuf ) { BEGIN_READ( pbuf, iSize ); WEAPON Weapon; strcpy( Weapon.szName, READ_STRING() ); Weapon.iAmmoType = (int)READ_CHAR(); Weapon.iMax1 = READ_BYTE(); if (Weapon.iMax1 == 255) Weapon.iMax1 = -1; Weapon.iAmmo2Type = READ_CHAR(); Weapon.iMax2 = …
Vulnerable URL:- https://lgtm-com.pentesting.semmle.net/ #Summary Content Security Policy (CSP) is a client-side security model which allows developers to specify where different types of resources should be loaded, executed and embedded from. With CSP you can instruct the browser only to load javascript resources from a specific domain as well as block …
There are 4 instances of this issue: [+] /dashboard/panel/render/12/ [+] /dashboard/panel/render/22/ [+] /dashboard/panel/render/4/ [+] /dashboard/panel/render/6/ Issue background ==> Cross-site Request Forgery (CSRF) is an attack which forces an end user to execute unwanted actions on a web application to which he/she is currently authenticated. With a little help of social …
Through this vulnerability, one can know the unencrypted user ID of all the profiles Steps to reproduce: 1. Login to your Bumble profile 2. In the SERVER_GET_USER_LIST API replace the folder ID 0 with 7. This folder contains all the profiles in your deck /which you have right-swiped on (screenshot …