
HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 1301 - 1320
Hello dear support, I have found CSRF to XSS on https://██████ my payload "><img src=x onerror=prompt``>;<video> url: POST ██████████ post data answer=A"><img src=x onerror=prompt``>;<video> ## Impact Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which …
This one is similar to https://hackerone.com/reports/2795558, but I found the DoS vulnerability by putting an ampersand character beside repeated `;:` characters. This is the PoC that I used: ``` import django.utils.html from time import time print("=== django.utils.html.urlize('&' + ';:' * n) ===") for i in range(0,600000, 40000): start = time() …
## Summary: Dear Worldcoin, When using the iOS app I modified the dob on the app for an underage and the account got locked, and the app wouldn't allow me to do anything but talk to support to request the account unlock, however, by using airplane mode, there's another option …
**Description:** I have found out that on the https://www.███████ domain, you initiate a POST request in order to look up case studies; the parameter keyword on the request allows the usage of bad characters such as < " ', although XSS payloads are pretty secured, HTML injection is an option. …
## Summary Hi there, I discovered that jarvis-new.urbanclap.com uses a weak Flask session key. Because Flask sessions are signed with a static secret, if this secret is known to an attacker then they can modify the session state. In this case, we can modify the Redash `user_id` for the session …
## Summary The current default CSP header in Rocket.Chat prevents inline script execution, which can be bypassed by importing a script file uploaded via the Rocket.Chat file upload. ## Description The default CSP header blocks execution of inline-scripts. When an HTML injection vulnerability occurs though, that restriction can be bypassed …
## Summary: Brave browser is not following proper flow for redirection. Browser is directly redirecting to the site that is present in redirect parameter without confirming from the main site server. I have found this vulnerability and this is affecting Facebook. Facebook uses ```l.facebook.com/l.php?u=<redirect_site>``` for redirection and when server gets …
## Summary: Ownership check is missing for attachments. ## Steps To Reproduce: 1. Open mail app 2. Compose a new message 3. Attach some file 4. Send message 5. Copy the xhr request and modify the attachment ids 6. See that local_message_id is changed for a different user When you …
Hi Team! I found a security issue in ███████. An attacker could log in as any user without registration in the page and above all it can change the session of a victim and authenticate him as any user. The problem is at the endpoint ██████████ which, thanks to the …
Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended …
Hi Team! Unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times. The vulnerability is registered as CVE-2018-6389. WordPress allows users to load multiple JS files …
I sent the following report to Apache Tomcat Security Team. They confirmed the report and assigned CVE-2024-24549. I'd like to ask if this is eligible for a bounty. I'd like to report a DoS vulnerability in Tomcat. I tested 10.1.18 and 11.0 (tomcat:latest and tomcat:11.0 docker images respectively) and it …
Hi, I found the following Cache Poisoning vulnerability: 1. Send the following request: ( this will poison `/test.js` into redirecting to `https://youst.in/test.js`) ```http GET /test.js?cb=1 HTTP/2 Host: design.glassdoor.com Sec-Ch-Ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24" Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Sec-Ch-Ua-Platform: …

Stored XSS in messages

Medium $500 Closed
## Summary: I have researched availabilities for XSS attacks and I found it in messages. You should be authorized for this and approved by admin. To do this, you just need to make a post on the forum, which I did as the first step. I was able to steal …
## Summary Hello. I was able to identify RCE vulnerability due to the outdated Oracle Weblogic instance on `https://raebilling.mtn.co.za`. ## Steps To Reproduce * To reproduce, launch this request with BurpSuite * This request to the `https://raebilling.mtn.co.za/wls-wsat/CoordinatorPortType` will trigger sleep for 15 seconds (same applies for 20 seconds, 40 seconds): ``` POST …
I found a lot of credentials for your domain on the Telegram bot: https://t.me/HaveIBeenHacked_Bot While the exact sources of the leaked data are unknown, the volume of exposed information is substantial. This report is submitted for your review to assess and mitigate the exposure of user credentials, including emails and …