
HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 1381 - 1400

Bypass subscription

Medium Closed
Hello team! You can bypass avatar subscriptions. Thus, without connecting a subscription - it's free. A list of all avatars is available at the address below, with a GET request: ``` :method: GET :authority: api.imgur.com :scheme: https :path: /account/v1/accounts/me/avatars?client_id=YOU CLIENT ID user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, …
Hi everyone :) I found a Reflected XSS on https://███████ via hidden parameter "████████" on the following authentication page : https://███████/██████████ ## Steps To Reproduce: - Use your favorite web browser - Go to : ``` https://███████/███████&███=TEST%22%3E%3Cscript%3Ealert(%27Reflected%20XSS%27)%3C/script%3E ``` An XSS is triggered ! The initial page was https://█████████/█████████ With a …
Hi everyone :) I found a Reflected XSS on https://█████/█████████ via hidden parameter "██████████". ## Steps To Reproduce: - Use your favorite web browser - Go to : ``` https://█████/████████&██████=XXX%22%3E%3Cscript%3Ealert(%27Reflected%20XSS%20here%27)%3C/script%3E ``` An XSS is triggered ! The initial page was https://██████/guest/tls_sso.php With a little research, you can find a hidden parameter …
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users …
I was taking a look into a related report (https://hackerone.com/reports/298265) and I discovered that the https://boards.greenhouse.io/embed/job_board/js?for= endpoint doesn't throw errors when I try to pass in an array of `for` parameters like this: ``` https://boards.greenhouse.io/embed/job_board/js?for[]=twitter&for[]=&for[]=&for[]=&for[]=&for[]=&for[]=&for[]=&for[]=&for[]=&for[]=&for[]=&for[]=&for[]=&for[]=&for[]=&for[]=&for[]=&for[]= ``` Instead, in the resultant JS, we can see that the HTTP parameters are escaped …
## Summary: The pending block queue holds the blocks that we have downloaded but have yet to verify, because of a few lax rules in the synchronization code it's possible to fill this queue past the limit. My PoC could get the queue to ~54 GB, slightly larger would be …
## Summary: By forging a highly nested JSON payload, and spamming it through a restricted RPC interface, an adversary can remotely lock monerod from syncing with the rest of the p2p network. This vulnerability applies to a syncing node as well as a synced one (which then becomes outdated). Epee JSON parser allows …
# Summary The fix in report ████████ seems to correctly prevent an attacker from redirecting the request to another domain, which was the main issue; however, there is still a way for that attacker to "poison" the cache using the Amazon domain. I believe the regex used to parse the …
In the conncache.c file, the cpool_bundle structure incorrectly uses a pointer array (char *dest[1]) instead of a flexible array (char dest[]) to store string data, leading to a heap buffer overflow when calling memcpy in the cpool_bundle_create function. ## Impact # # Summary: The vulnerability is a heap buffer overflow …
**Summary:** An end point on ██████ allows an internal access to the network thus revealing sensitive data and allowing internal tunneling **Description:** OAuth Plugin allows you to provide a url that gives a snap shot of the web page. We can pass internal URLS and conduct SSRF. ## Impact Critical …
whisper.sh fails to protect the invite form from abuse from attackers. If a malicious individual wants to abuse this functionality, they could send repeated/automated requests to the same phone number or range of phone numbers that do not actually belong to himself. This would result in lots of arbitrary SMS …
## Summary: [Broken access control is the method of controlling which users can perform a certain type of action or view set of data. Broken access control is a vulnerability that allows an attacker to circumvent those controls and perform more actions than they are allowed to, or view content …
If a relative symbolic link is accessible to the Node.js process while the permission model is enabled, it can be redirected to a different target by renaming/aliasing it, which potentially allows the process to bypass restrictions imposed by the permission model. ## Steps To Reproduce: 1. Let's begin with a …
So this is two reports in one. Sort of. But they are the same issue, or at least related. 1. When you set up your nextcloud there is no password policy at all. There is the strength indicator. I get the password policy app is not yet active at that point. …
rtod
The login flow v2 is used by the desktop client. The attack vector assumes the attacker knows the recipient somehow and knows their username and email (or other way to contact them). In short it is following the steps from https://docs.nextcloud.com/server/21/developer_manual/client_apis/LoginFlow/index.html#login-flow-v2 (examples are also taken from there) 1. Attacker sends …
rtod
## Summary: Hello, I found stored XSS at module name with this payload ```"><div onmouseover="alert('XSS');">Hello :)``` ## Steps To Reproduce: 1. Add new container, it doesn't matter which it is 2. Paste this payload in the module name ```"><div onmouseover="alert('XSS');">Hello :)``` 3. Update it then check the module name again in …