HackerOne Reports
Search through disclosed security reports
10,350 reports found
Showing 1401 - 1420
Hi The requests using non secured `HTTP` are not automatically upgraded to HTTPS. The impact of this is that an attacker can launch a MITM attack and steal users' information. ## Impact Data sent over HTTP is being transmitted in plain, sniffers can see it, edit it, poison …
## Summary: This issue affects Taskcluster's worker code and not just this instance but I did not see an easy way to report the vulnerability as well since I was unsure if this would qualify for the Mozilla Client bug bounty. The task cluster definition attempts to escape parameters that …
**Summary:** `napi_get_value_string_latin1`, `napi_get_value_string_utf8`, `napi_get_value_string_utf16` are vulnerable to buffer overflows, partially due to an integer underflow. **Description:** `napi_get_value_string_latin1`, `napi_get_value_string_utf8`, and `napi_get_value_string_utf16` behave like this: 1. If the output pointer is `NULL`, return. 2. Write `min(string_length, bufsize - 1)` bytes to the output buffer. Note that `bufsize` is an unsigned type, so …
### Overview ### The Nebula clients for Darwin and Windows call relative paths in "exec.Command" to "ifconfig" and "route" executables on Darwin, and to "netsh" on Windows. These commands are entered using relative paths, not absolute paths (such as /sbin/ifconfig). When a binary is run with a relative path, the system …
iOS app crashed by specially crafted direct message reactions
Medium
$560
Closed
**Summary:** iOS app crashed by specially crafted direct message reactions **Description:** Twitter does not properly sanitize direct message reactions, making it possible for arbitrary reaction text to be shown to the user via the message preview in the direct message list. Special characters such as `\r` and `\n` are not …
35 days after reading https://irssi.org/2017/05/12/fuzzing-irssi/, I was able to trigger a heap-use-after-free in irssi 1.0.2. Timeline: Report to vendor: 16 June 2017 Acknowledge by vendor: 16 June 2017 Fixed by vendor: 7 July 2017 Advisory: http://seclists.org/oss-sec/2017/q3/80 Patch: https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206 ``` ./irssi < test001 CAP LS NICK root USER root root /dev/stdin …
## Intro "Back to the Crayons" __Type of issue__: Core CMS issue __Level of severity__: External Attack Vector __Concrete5 version__: 8.2.0 RC2 rev. 32c9daf352645d4fafedb7b956e7f2de4e153ab3 (July 8th) ## Summary There is a __Stored XSS__ vulnerability in the Private Messages 'Reply' feature, when the original message is quoted in reply content (this is by default). …
34 days after reading https://irssi.org/2017/05/12/fuzzing-irssi/, I was finally able to trigger a null pointer dereference in irssi 1.0.2. Timeline: Report to vendor: 15 June 2017 Acknowledge by vendor: 15 June 2017 Fixed by vendor: 7 July 2017 Advisory: http://seclists.org/oss-sec/2017/q3/80 Patch: https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206 ``` ./irssi < test000 CAP LS NICK root USER …
## Intro "The Crayons of Madagascar" __Type of issue__: Core CMS issue __Level of severity__: Internal Attack Vector __Concrete5 version__: 8.2.0 RC2 rev. 32c9daf352645d4fafedb7b956e7f2de4e153ab3 ## Summary There is a Stored XSS vulnerability in the User Groups->Group Details `Name` field. This vulnerability might be used to perform internal attack against other concrete5 users …
Due to improper validation of user before generating an API-KEY and improper measures taken at the time of password reset, it is possible to generate a parallel session at the attacker's end. Proof of concept video is attached to confirm the vulnerability and to demonstrate the Impact of this _logical_ …
# Summary --- The `size` parameter located on images is vulnerable to DoS. By modifying the parameter's value an attacker can cause the application to work very slowly. # Description --- The issue is located in the `get_image_url()` function in `gratipay/models/team/__init__.py` and can be exploited by replacing the `small` or …
Hello, there's a DOM-based XSS vulnerability affecting all pages under the domain https://www.grab.com/. This vulnerability wasn't properly patched so I managed to bypass the regular expression that was added into the function. Vulnerable code: ```` var stripHtml = (function () { var div = document.createElement('div'); return function (html) { …
**Summary:** Hello, I have found a way to use hackbot's automated duplication answers to reveal redacted data via brute force. This is restricted by the length of the report and number of redacted items. For a short report with little content and just 1-2 redacted texts this is rather easy to …
Hi, There was issue in -> https://hackerone.com/reports/115748 We have found similar one but in next steps Affected request ============================ ``` POST /vidgif/upload HTTP/1.1 Host: imgur.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://imgur.com/vidgif/video/between/56.72/9.71?url=http%3A%2F%2Fwww.onirikal.com%2Fvideos%2Fmp4%2Fbattle_games.mp4 Content-Length: 127 Cookie: SESSIONDATA=%7B%22sessionCount%22%3A3%2C%22sessionTime%22%3A1499684317408%7D; IMGURUIDJAFO=7450708ff93583b3772a3048e340856d59cef648c4dab74c825a83be56c807ab; _ga=GA1.2.1311247514.1499605938; …
Hello, I want to report the vulnerability found. Since the following activity `com.application.zomatomerchant.home.HomeSalt` has `exported="true"`, it can be exploited by another application. ### Application Information Application: [Zomato for Business](https://play.google.com/store/apps/details?id=com.application.zomatomerchant) Package Name: `com.application.zomatomerchant` Version: `4.2.5` Version Status: Last Vulnerable class: `com.application.zomatomerchant.deeplink.SaltDeepLinkRouterActivity` ### Vulnerability Using a special intent, you can send a malicious url …