HackerOne Reports
hi security team, I was able to start up a bot numerous times. 1. Go to https://chaturbate.com/b/username 2. Choose a bot and capture the request. 3. Send to intruder and repeat the step numerous times. 4. I did this 196 times 5. I was able to activate a bot numerous times 6. My …
**Summary:** Due to a missing SPF and DMARC record it is possible to spoof emails from djangoproject.com. This could potentially be used to trick employees, customers or clients via phishing emails. **Description:** Mail servers rely on both SPF and DMARC to properly deal with email spoofing. SPF shows what servers …
**Summary:** Hi team **Description:** If the program is paused, we will not be able to send reports to this program, and if we try to directly open the link https://hackerone.com/external_programm_paused/reports/new we will be returned to the main page https://hackerone.com/external_programm_paused ### Steps To Reproduce 1. PoC ██████████ , ███████ 2. …
**Summary:** - SSRF stands for "Server-Side Request Forgery" in English. It refers to a security vulnerability where an attacker can manipulate a web application to make HTTP requests from the server side instead of the client side. This can allow the attacker to access internal and sensitive resources that are …
Hi Team, ### Summary: A program owner can require hackers to set up two-factor authentication before submitting new reports to their program here: https://hackerone.com/parrot_sec/submission_requirements (see image below) {F355169} The [Parrot Sec](https://hackerone.com/parrot_sec) program has this feature enabled to require hackers to set up `2FA` before submitting reports. I removed my …
POST requests to the endpoint `/roomlogin/<user>` are not limited in size. While the main website login endpoint correctly limits the size of the request, this endpoint does not. This can be a means to perform a DoS attack. ## Steps To Reproduce: 1. `<user>` has a password-protected stream. 2. Send a large …
> NOTE! Thanks for submitting a report! Please fill all sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty. ## Summary: This vulnerability was discovered in Brave's QR code scanner, which allows users …
# Description: * The permanently banned user account can't access any account features or reports, and when accessing his profile he receives a 404 Not Found, so the account seems to be not signed or not found, so the permanently banned user account must not be able to access any HackerOne/account features anymore …
### Summary: Hello team, Found a reflected XSS on one of your domains, I believe https://nin.mtn.ng/nin/success?message=msg&nin= as the nin parameter is vulnerable. Please check the following PoC: Run the following command from a terminal: curl -ski "https://nin.mtn.ng/nin/success?message=lol&nin=<script>alert(1)</script>" | grep "alert" {F2446627} I reported this before in report #1737682 but it was closed …
Code inject via nginx.ingress.kubernetes.io/permanent-redirect annotation
High
$2,500
Closed
Report Submission Form ## Summary: The value of the `nginx.ingress.kubernetes.io/permanent-redirect` annotation is not sanitized and is passed into the nginx configuration. This leads to code injection by any user that is allowed to create ingress objects. ## Kubernetes Version: v1.26.3 (minikube) ## Component Version: ``` ------------------------------------------------------------------------------- NGINX Ingress controller …
## Summary: I have identified that when sharing the Results with a password, the request (POST method) when entering a password has no rate limit, which can then be used to loop through one request. An attacker can brute-force the password and can possibly get the dashboard Results. …
Partial report contents leakage - via HTTP/2 concurrent stream handling
Medium
$2,500
Closed
**Summary:** The concurrent handling of HTTP/2 streams allows for a "timeless timing attack": instead of timing, the ordering of responses is used, making the attack resilient to network jitter. As the `/bugs.json` endpoint takes slightly longer to process when a query returns results, it is possible to reliably determine whether …
**Summary:** Hey team, I have discovered a way for any logged-in user (attacker) to escalate his privileges to gitlab administrator if the real gitlab administrator impersonates the attacker's account. **Description:** When the gitlab admin impersonates some user, he gets a new `_gitlab_session` cookie, and then on clicking `Stop impersonating` he gets …
**Summary:** [Undici uses Math.random()](https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113) to choose the boundary for a `multipart/form-data` request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. **Description:** If an attacker can access a few generated values of `Math.random()` and has control over one of the …
**Summary:** This is similar to https://hackerone.com/reports/127620 where the report ID of an undisclosed report is visible in a GraphQL query **Description:** The new hacktivity GraphQL query includes undisclosed reports, but part of the query result is the report ID, which is included in the private information of an undisclosed report. Also I'm trying to …
Hi Gitlab, **Summary:** I have found an inadequate cache control vulnerability in Gitter. **Description:** You can use the backspace button to get full access to the account. There is no cache control and the browser saves sensitive information of a private chat room. This report is influenced by the …