HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 1321 - 1340
##Summary The `/api/memberships/membershipID` endpoint on console.helium.com is open to anyone, including read-only users in an organization. This means that a read-only member can kick a manager, administrator, or even the owner out of an organization using this vulnerability. ##Steps to Reproduce: 1. Create two accounts, user 1 (admin), user 2 …
##Summary Hello. I was able to identify RCE vulnerability due to the outdated Oracle Weblogic instance on `https://raebilling.mtn.co.za`. ##Steps To Reproduce * To reproduce, try this request with BurpSuite * This request to the `https://raebilling.mtn.co.za/wls-wsat/RegistrationRequesterPortType` will trigger Remote OS Command Execution: ``` POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1 Host: raebilling.mtn.co.za Content-Type: text/xml User-Agent: …
##Description: Hello, team! I found 2 vulnerabilities in your 2FA implementation: 1) There is a possibility to link 2FA to any other account if it wasn't set up before and user ID is known on the request /api/2fa. In order to do this, after performing a request for 2FA linking, …
w2w
**Description** Hello! Browsing through GitHub I found the following repository: ███ Looking for interesting keywords, the following file popped up: ███████ ``` package ru.indriver.jira.api object Constants { const val jiraHost = "https://indriver.atlassian.net" const val baseUrl = "$jiraHost/rest" const val token = "██████" ███ // const val token = "██████==" } …
## Summary: Hi Kirill, I wish you are fine today <3 I have a new bug today, leading to leak the phone number and the location of the customer how? When the **driver** submits an offer/price to the customer, something is getting created called ```“tender”``` ```“id”``` ██████████ Then a little bit …
## Summary Due to the improper usage of the `PS1` environment variable in [`.bash_prompt` of dotfiles](https://github.com/iandunn/dotfiles/blob/16a432681077362f263cb926737ad5cca5df6307/.bash_prompt), a malicious repository can execute arbitrary commands when the current directory is changed to it. ## Description The `PS1` environment variable of bash supports command substitutions. For example, setting `PS1` to `$(echo hello)` executes `echo …
## Summary: Hi first, some of my usernames have been leaked by endpoints https://alt.mtn.com/wp-json/wp/v2/users ## Steps To Reproduce: [The steps are as follows] 1. Open the subdomain https://alt.mtn.com 1. Add the path https://alt.mtn.com/wp-json/wp/v2/users/192 1. [You will notice the user information and you can also reveal many user names by changing …
**Description:** Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. …
**Description:** A file labeled with the following "Data is for intelligence purposes only and is not to be used for targeting. This data is classified as CUI. Controlled by: ██████████ ███████ " ## References https://www.spa.usace.army.mil/Portals/16/docs/business/smallbusiness/2021%20BOOH/B3-Cyber_Security.pdf?ver=B-E2odYFMUwjqankJCgFCA%3D%3D https://www.totem.tech/how-to-mark-controlled-unclassified-information-cui/ https://www.dcsa.mil/Portals/91/Documents/CTP/CUI/21-S-0587_Cleared_CUI_Quick_Reference_Guide_Dec2020.pdf ## Impact Based on preliminary readings CUI marked files were to be treated …
PoC ``` https://videostore.mtnonline.com/GL/MyAccount.aspx?PId=126&CID=5&OprId=11%27><input%20onfocus=eval(atob(%27YWxlcnQoJ1hTUycp%27))%20autofocus> ``` Symbols <"/'> are not filtered, which allows injecting HTML code. {F1353609} ## Impact XSS at videostore.mtnonline.com
PoC ``` http://nextapps.mtnonline.com/search/suggest/q/xss<img%20src=x%20onerror=alert()>1337 ``` Symbols <'/"> are not filtered, which allows injecting HTML code. Response has content-type: text/html {F1353600} ## Impact XSS at nextapps.mtnonline.com
Hi, in the "Class Settings" page on khanacademy.org you can rename the class, but the string length check is not done on the server side. Throughout the experimentation I used an account with associated email "██████████" and where applicable, class ID ████. An attacker can save thousands of characters instead …
tomh
**Summary:** The permission model implementation does not process wildcards in the paths given via `--allow-fs-read` or `--allow-fs-write` correctly and may incorrectly grant access to paths that should be inaccessible. **Description:** There are two separate issues here: 1. The implementation silently ignores any text after a wildcard character (`*`), which appears …
Hi team, I found a reflected XSS via search query on ████████ that allows an attacker to execute JavaScript code into victim's browser. ## PoC 1- Doing subdomain enumeration of ██████████, I found the following one: ████████ 2- On the search query I saw that is injecting inside an h6 …
Published Advisory: https://curl.se/docs/CVE-2022-27781.html Original Report: https://hackerone.com/reports/1555441 ## Impact Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information.

I am because bug

Critical Closed
I'm because I hacker found bug because I report this bug I want to report a bug and because want some $$$$ so please because you are telling me how much you pay money so I give you bug. Me because very poor :'( want money because father :'( {F181820} …
Hi there, I have found the xss vulnerability at: `https://help.glassdoor.com/GD_HC_EmbeddedChatVF` **Browsers tested:** Firefox, Chrome, Edge (latest version) ## Steps To Reproduce: Go to: `https://help.glassdoor.com/GD_HC_EmbeddedChatVF?FirstName=l0cpd%22};a=alert,b=document.domain,a(b)//` ## Supporting Material/References (screenshots, logs, videos): {F1352792} Regards, @l0cpd ## Impact The attacker can execute JS code.
**Summary:** In Node.js 20 and Node.js 21, the permission model protects itself against path traversal attacks by calling `path.resolve()` on any paths given by the user. If the path is to be treated as a `Buffer`, the implementation uses `Buffer.from()` to obtain a `Buffer` from the result of `path.resolve()`. By …
## Summary: Reddit.secure.force.com is Reddit SalesForce instance. Attacker is able to send attachments of disallowed filetypes to this server. The attacker is able to send malicious documents such as CVE-2022-30190 Follina to the victim. ## Impact: Attacker can send malicious files to whoever handles the form behind https://reddit.secure.force.com/adhelp ## Steps …