HackerOne Reports
Hello Team, During my research, I found multiple hosts to be vulnerable to Cisco ASA XSS CVE-2020-3580. This vulnerability targets the saml service within the VPN. It is triggered via a POST request to domain/+CSCOE+/saml/sp/acs?tgname=a ## References https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe ## Impact With this vulnerability, an attacker can for example steal users …
## Summary: If the Nextcloud server generates a secure random password (e.g. for sharing files), the validation is checked before the shuffle function str_shuffle() is called. In very rare cases it could happen that a password is validated by HIBPValidator before str_shuffle(), but would not validate after shuffle. ## Steps …
Summary: ======== The HTTP header of the gratipay.com website includes an unsafe CSP parameter for "script-src". Description: ========== has a Content-Security-Policy configured; the "script-src" parameter is set to "unsafe-inline", which allows injection of user-passed values, which as a result can be misused for Cross-Site Scripting attacks. Steps to Reproduce: ================ …
Hi, Summary ========= partners.uber.com website is not expiring the user's session immediately after logout. When the user logs out, the session is not expired, and the user can still send requests, and the server responds with OKAY __Steps to Reproduce:__ - Log into the website - partners.uber.com - Capture any request. For ex, profile …
Weblate is using unsafe-inline in script-src csp headers which allows the use of inline resources, such as inline <script> elements, javascript: URLs, inline event handlers, and inline <style> elements. #POC: HTTP/1.1 200 OK Server: nginx Date: Tue, 23 May 2017 10:49:15 GMT Content-Type: text/html; charset=utf-8 Connection: close Vary: Accept-Encoding Vary: …
Hello, I found a **Sensitive Information Disclosure**. A configuration file (e.g. Vagrantfile, Gemfile, Rakefile, ...) was found in this directory. This file may expose sensitive information that could help a malicious user to prepare more advanced attacks. It's recommended to remove or restrict access to this type of file from …
## Summary The logo image upload function in Nextcloud Server v12.0.0 does not validate the uploaded file, leading to XSS in certain circumstances. ## Vulnerable URL(s) Replace [server] with the IP address or hostname of your Nextcloud server. File upload - http://[server]/nextcloud/index.php/apps/theming/ajax/updateLogo XSS endpoint - http://[server]/nextcloud/index.php/apps/theming/logo ## Description A Nextcloud …
#SUMMARY: Related Report: #225833 Gratipay is using unsafe-inline in script-src csp headers which allows the use of inline resources, such as inline <script> elements, javascript: URLs, inline event handlers, and inline <style> elements. Proof Of Concept #By Using cURL: curl -I https://gratipay.com The results: See my attached photo. Above CSP …
Description: https://thisdata.com/customers/[user]/install/apis/[number]/reauthorize Does not have good browser cache management, allowing another user with access to the device to retrieve the API key. All of the thisdata.com pages do not have the cache management correctly configured, allowing the attacker to gain access to all of the information of the victim, but …
Shared file link - password protection bypass under certain conditions
Medium
$50
Closed
## Summary An unauthenticated remote attacker can bypass password protection on certain shared file types through the file sharing app's publicpreview.php function. ## Vulnerable URL http://[server]/nextcloud/index.php/apps/files_sharing/ajax/publicpreview.php?x=[width]&y=[height]&t=[share ID] ## Description Nextcloud users have the option to protect files shared via a link with a password. Recipients must enter the correct password …
Hi GitLab security team, ### Summary GitLab allows for public and internal projects to restrict the visibility of pipelines to project members only. Then, only project members should have access to the pipeline information. However, this can be bypassed. There is an internal endpoint (`:namespace/:project_name/merge_requests/:iid/pipeline_status`) on each merge request page …
## Summary: When a user uploads a private file, ex (Screenshot 1), to which only he has access, using the "View transformations" function can generate different kinds of image transformations (Screenshot 2). But after the generation of that transformation, for example clicking on the regenerate button next to profile. The …
**Summary:** ███████ ██████████ was updated today (03/04), which includes a backend rewrite. Unfortunately, the new site is insecure and allows a password to be reset given only a username. This allows access to payment records for any DoD employee given only their username, which is commonly known. Further, ███ is …
I would like to report an Unintended Require vulnerability in `larvitbase-api`. It allows loading arbitrary non-production code (js files). # Module **module name:** larvitbase-api **version:** 0.5.3 **npm page:** `https://www.npmjs.com/package/larvitbase-api` ## Module Description REST http API base framework based on larvitbase (https://github.com/larvit/larvitbase) ## Module Stats 59 downloads in the last day 250 …
The key is: h1ctf{y3s_1m_c0sm1c_n0w} My writeup is available (unpublished) at: https://p4fg.github.io/h1_415_2020/ I might edit some styling but the main content is there. The twist of my writeup is that I tried to give a detailed account of EVERYTHING to allow new hackers to follow along my discoveries and failures, thoughts and …