HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 1221 - 1240
## Summary: RichText parser is not filtering links when editing scheduled posts ## Steps To Reproduce: 1. Create a new scheduled post with a link: {F2270188} 2. Intercept the request with Burp Suite/Other proxies and replace the link with javascript scheme payload: {F2270195} 3. Navigate to scheduled posts and click …
https://bugs.php.net/bug.php?id=72114 Integer underflow in the fread/gzread length parameter allows writing an arbitrary null byte on 64-bit platforms. This was identified with the help of ASAN and a custom fuzzer. ``` (gdb) run gzread2.php Starting program: /home/operac/php/php-56/sapi/cli/php gzread2.php Program received signal SIGSEGV, Segmentation fault. 0x0000000000727b66 in zif_fread (ht=2, return_value=0x7ffff7fd7d00, …
fms
Hi All, You have an angular injection vulnerability in the profile name fields on the onpatient site. If you add a value [[5*5]] in the first name or last name field, the expression will be evaluated and when the page is rendered, the first and last name will be 25. …
https://bugs.php.net/bug.php?id=72241 Absence of null character terminator causes unexpected zend_string length and leaks heap memory when using several intl functions that commonly receive user input: - locale_canonicalize - locale_filter_matches - locale_lookup - locale_parse - locale_get_primary_language This affected PHP version 5.5, 5.6 and 7.0, patch released today: http://php.net/ChangeLog-5.php#5.5.36
fms
ads.reddit.com is an ads creating and managing application for reddit. The application has the feature to invite other members to the organization and give different roles at ad management. Testing around the role management functionalities, I have noticed that a user with the same email can get invited to the …
**Summary:** Regular expressions in the `validateInviteToken` route allow unauthenticated users to guess a valid invite token, that allows them to access a private channel or register accounts on a remote server with "Secret URL" registration method enabled. **Description:** The API route `validateInviteToken` passes an unauthenticated client's token bodyParam to the …
Hi All, I've found a vulnerability related to accessing the calendar when a user has no permissions. ## Vulnerability I've created a doctor's account with a user who has no permission. Browsing the site, I noticed a call to `https://1337test.drchrono.com/wdcalendar/datafeed/105756?method=list&showdate=5%2F27%2F2016&viewtype=examroom&timezone=0&doctors[]=99120` Using this URL via the account with no permissions appears to …
Supported versions: TLSv1.0 TLSv1.1 TLSv1.2 Deflate compression: no Supported cipher suites (ORDER IS NOT SIGNIFICANT): TLSv1.0 RSA_WITH_3DES_EDE_CBC_SHA RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (TLSv1.1: idem) TLSv1.2 RSA_WITH_3DES_EDE_CBC_SHA RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_256_CBC_SHA RSA_WITH_AES_128_CBC_SHA256 RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ---------------------- Server certificate(s): 4784741821c06e5af52b053fd6362db38c222df3: CN=*.drchrono.com, O=Drchrono Inc., L=Mountain View, S=California, C=US …
https://bugs.php.net/bug.php?id=72227 Invalid memory access while applying bicubic scaling on images. ``` Reading symbols from /home/user/php-7.0/sapi/cli/php...done. (gdb) b gd_interpolation.c:890 Breakpoint 1 at 0x81925a9: file /home/user/php-7.0/ext/gd/libgd/gd_interpolation.c, line 890. (gdb) b gd_interpolation.c:982 if i == 12 Breakpoint 2 at 0x81929fc: file /home/user/php-7.0/ext/gd/libgd/gd_interpolation.c, line 982. (gdb) r Starting program: /home/user/php-7.0/sapi/cli/php -n phuzz4.php Breakpoint 1, …
fms
When a report is moved to a different program, all associated objects are either removed or copied to the new program. During an internal security review of the Custom Fields feature it was observed that this isn't the case for Custom Field Values. This means that even after a report …
**Description:** Hello Zomato team :) So after I found a new OSINT website ████ which fetches results from the Pastebin website, I searched for "zdev.net" and I got this interesting result ██████████ {F443315} I logged in to https://gazal.zdev.net/test.php after I decoded the Base64 Authorisation ``` ███ ``` {F443316} I tried to pass the …
xsam
**Summary:** Invalid color code leads to DoS. **Description:** GitLab has some functions that allow users to specify color code. (e.g.: Labels/Broadcast Messages) All those functions are vulnerable to ReDoS. It seems that there is a problem with the [regex](https://github.com/gitlabhq/gitlabhq/blob/master/app/validators/color_validator.rb#L15) in [app\validators\color_validator.rb](https://github.com/gitlabhq/gitlabhq/blob/master/app/validators/color_validator.rb) to validate a specified color code. An attacker can …
## Summary: I am able to automate the get/post requests of the following api end-points with a python script which can lead to heavy load to server resulting in dos attack or buffer overflow. /internal_api/v0.2/getSuggestedProjects /internal_api/v0.2/getLanguages /internal_api/v0.2/getLoggedInUser /internal_api/v0.2/getSecuritySettings /internal_api/v0.2/getActiveOAuthGrants /internal_api/v0.2/getAccountEmails /internal_api/v0.2/getExternalAccounts /internal_api/v0.2/getAuthenticationProviders /internal_api/v0.2/getActivePRIntegrations /internal_api/v0.2/getProjectLatestStateStats /internal_api/v0.2/getBlogPosts /internal_api/v0.2/setUsername /internal_api/v0.2/savePublicInformation ## Steps To …
I would like to report Command Injection in listening-processes It allows an attacker to execute arbitrary commands. # Module **module name:** listening-processes **version:** 1.2.0 **npm page:** `https://www.npmjs.com/package/listening-processes` ## Module Description > A simple NPM module for retrieving pertinent info on processes which are listening on local ports, and for killing …
Hi Team, Bug type: Authentication bypass (Missing rate limiting) Description: While creating an account, the user needs to enter an email ID and a verification code is sent to his email ID. It is a 4-digit code. But there is no rate limiting enabled while checking the verification on the server side. So basically …
This issue was reported a while ago at: https://bugs.php.net/bug.php?id=70345 The report is now public, but for some reason I was not notified by email when the report was closed. I just remembered to check again today and noticed multiple code changes were made and the bug is now considered closed. …