HackerOne Reports
Search through disclosed security reports
10,350 reports found
Showing 1201 - 1220
Hello dear support, I have found an issue on https://app.upchieve.org Step 1: go to https://app.upchieve.org 2 log in to your account 3 go to https://app.upchieve.org/contact (contact) 4 type Message and open Burp HTTP request =========== POST /api-public/contact/send HTTP/2 Host: app.upchieve.org Cookie: __cfduid=d5286a2604ae20eb69c722f6666fe12c91618525779; connect.sid=s%3AJKSnG-mkXobDr_u1f2tfXEx0L6B9n7P5.Ovg6QT8%2BSt2xdbZDsJ94dryZYpCQcH9tSiythb36a7U; ph_JRMZGA_RF-346IQfReUvbuoVD3Q94BM7Jij8Nk4dQbA_posthog=%7B%22distinct_id%22%3A%226078bbee3e0d0e00246b7eec%22%2C%22%24device_id%22%3A%22178d7912801885-019acf5c037b948-4c3f237d-1fa400-178d791280280f%22%2C%22%24sesid%22%3A%5B1618525988362%2C%22178d7a7d32f75-065efd10c2d0dc8-4c3f237d-1fa400-178d7a7d331fa0%22%5D%2C%22%24initial_referrer%22%3A%22%24direct%22%2C%22%24initial_referring_domain%22%3A%22%24direct%22%2C%22%24referrer%22%3A%22%24direct%22%2C%22%24referring_domain%22%3A%22%24direct%22%2C%22%24user_id%22%3A%226078bbee3e0d0e00246b7eec%22%2C%22%24active_feature_flags%22%3A%5B%5D%7D User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) …
## Summary: `https://my.stripo.email/cabinet/#/template-editor/.....` has the ff: code to make iframes more secure: ```html <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src data: *.firebaseapp.com *.stripe.com *.google.com *.facebook.com 'self'; style-src 'self' 'unsafe-inline' *; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.ampproject.org googletagmanager.com *.googletagmanager.com *.amplitude.com api.vk.com *.gstatic.com *.facebook.net *.google.com *.google-analytics.com *.stripe.com *.pingdom.net *.intercom.io *.intercomcdn.com *.stripo.email *.zscalertwo.net *.zscaler.com *.zscaler.net *.pinimg.com …
Hello all, I discovered that the application fails to invalidate sessions after a password change. In this scenario changing the password doesn't destroy the other sessions which are logged in with old passwords. URL: ==https://app.upchieve.org/== STEPS TO REPRODUCE: 1- create an account in ==https://app.upchieve.org/== and log in in two browsers ==[firefox …
The process described in this page is not secure - no checksum / PGP signature is published and there is no way to check the download is legit: https://brew.sh/ "/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"" This can lead to supply chain attacks such as the one that just happened here: https://about.codecov.io/security-update/ …
Vulnerability:- ->User enumeration is possible through the forgot password feature. Steps to reproduce:- ->Go to the above selected domain and go to forgot password. ->Submit a random email and then intercept the request with Burp Suite ->In the response you will get { HTTP/1.1 500 Internal Server Error with {{"err":"No account with that id …
##Summary:- Hi team, I found a security issue on your website https://gateway-production.dubsmash.com ##Description:- I have found a "Content Spoofing/Text Injection" on one of the domains which is in scope https://gateway-production.dubsmash.com in which, using the link, the attacker can trick any genuine user to go to the attacker's phishing site. ##Steps:- 1.visit …
## Summary: Hello, I found security vulnerability in your web application, another business logic. ## Steps To Reproduce 1. Go to https://stripo.email/templates/?utm_source=viewstripo&utm_medium=referral 2. Choose any premium template and click ```use in editor``` 3. Then sign in to save and it is in your templates ## Supporting Material/References: Down there is …
##Summary https://███████ is a Social Network Site belonging to US DoD. Membership is open to anyone, I have found a method to fully take-over any members' account by exploiting an IDOR bug in the `██████████` end-point. By changing the following values in the `POST` request to the affected end-point: `userName` …
##Summary https://██████ allows anyone to sign up and view other members' profiles. According to Wikipedia, ███████ is part of US DoD "████████": ██████ I signed up with a regular account and noticed that by referencing users `████`, I can send thousands of "█████████" and also, using another end-point, view personal …
**Summary:** A user is able to complete a ████████ worksheets via https://██████████. This form allows a user to store multiple XSS payloads within, which will in turn allow the attacker to run malicious code in context of the legal personnel who view the request. ## Impact The attacker can have …
**Summary:** Hi team, I have come across an issue where I am able to view a HackerOne challenge scope before the challenge begins. The issue here being that I can get an understanding of what the in-scope assets are before a challenge starts, allowing myself to start researching and finding …
### Summary Hi, I found the new SCIM provisioning function allows any group owner in GitLab to create any user with a verified email address, i.e. I can create a user with email address [email protected], and gitlab.com will think [email protected] is verified already. This will bring problems to the client app that …
## Summary I've found a vulnerability which leads to a local privilege escalation starting from a non-admin user. When `True Image` client installs it drops 2 MSI files into `C:\Windows\Installer` folder. Since this folder (by default) is readable by anyone, a non-admin user can execute commands like `msiexec /fa installer_name.msi`, …
__A potential solution is attached as 0001-improve-bytesMatch.patch__ **Summary:** I was investigating for some low hanging fruits regarding performance bottlenecks in undici, when I found this potential security issue in undici, and thus in nodejs. First I wrote a benchmark for bytesMatch and saw the following result: ```sh aras@aras-Lenovo-Legion-5-17ARH05H:~/workspace/undici$ node benchmarks/bytesMatch.mjs …
Hello, I would like to report a vulnerability here, initially reported by me to the curl project. HackerOne report: https://hackerone.com/reports/2604391 CVE: CVE-2024-6874 Advisory: https://curl.se/docs/CVE-2024-6874.html Severity: Low ## Impact When converting the domain name of a URL from/to punycode with libcurl's URL API, libcurl reads past the bounds of a stack-buffer …
Hello, I would like to report a vulnerability here, initially reported by me to the curl project. HackerOne Report: https://hackerone.com/reports/2559516 CVE: CVE-2024-6197 Advisory: https://curl.se/docs/CVE-2024-6197.html Severity: Medium ## Impact By serving a specifically crafted TLS certificate, a malicious server can trigger a `free()` of a buffer located on the stack. This …