HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 1441 - 1460
## Summary: SQL Injection in ImpressCMS v1.4.3 and earlier allows remote attackers to inject into the code in an unintended way; this allows an attacker to read and modify the sensitive information from the database used by the application. If misconfigured, an attacker can even upload a malicious web shell to …
## Summary: [phpinfo() is a debug functionality that prints out detailed information on both the system and the PHP configuration.] ## Steps To Reproduce: Step to reproduce: 1. [Go here: https://41.242.90.8/info.php] An attacker can obtain information such as: Exact PHP version. Exact OS and its version. Details of the PHP …
## Summary: I hope you're having a good day. Before starting to describe this vulnerability, I would like to thank the HackerOne triage team for doing the difficult job of triaging all these issues. I observed an IDOR vulnerability in one of the endpoints in the Talentmap API. This vulnerability …
nhx1
The bug I submitted at https://github.com/curl/curl/issues/9507 can have at least a few unintended security issues: Information Disclosure: this bug causes an HTTP PUT to occur when the user intends for an HTTP POST to occur. The user, who intended an HTTP POST, expects the POSTed information to come from CURLOPT_POSTFIELDS. …
## Summary: Hi Team, hope you are doing great. Sorare GraphQL API has introspection enabled by default; as per the policy, it's meant to be public so they can facilitate their users with GraphQL Playground. So https://api.sorare.com/federal/graphql is for the users and clients using the web application and https://api.sorare.com/graphql is …
Data returned in web responses can be cached by user's browsers as well as by intermediate proxies. This directive works to prevent that by setting the expiration time to a value that will always be evaluated as in the past.
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ShimOpportunityGenerator.configure(). ------------------------------------------------------------------ II. Description Normally, configure() should validate its parameter and return an error at the AS3 level if anything goes wrong. If the configure() function is invoked directly with an invalid parameter, some …
Hi, I found a bug where a shared link of a particular file can disclose all files of that folder. ### Steps to reproduce + Make a group (```http://*/nextcloud/index.php/settings/users```) and a standard user in it. + Now go to any folder and change it to gallery view {F99993} + Invite that group which …
Hi, we can bypass Avatar Upload image verification and extension uploading a PHP file or any other extension binding a valid JPEG image. There is no risk for the moment because the avatar is renamed to avatar_upload on the remote server, but it'll be nice to secure …
Hi, So lately I have discovered that CloudFront is not validating which user that connects a CNAME:d domain to a CloudFront Origin. This means that if I could find a domain that is still pointing to CloudFront, without being connected to any Origin as a Custom CNAME, I can actually …
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ShimContentResolver.configure(). ------------------------------------------------------------------ II. Description Adobe Flash is a multimedia and software platform used for authoring of vector graphics, animation, games and rich Internet applications (RIAs) that can be viewed, played …
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ShimContentFactory.retrieveResolvers(). ------------------------------------------------------------------ II. Description Normally, retrieveResolvers() should validate its parameter and return an error at the AS3 level if anything goes wrong. If the retrieveResolvers() function is invoked directly with an invalid parameter, some …
Data returned in web responses can be cached by user's browsers as well as by intermediate proxies. This directive instructs them not to retain the page content in order to prevent others from accessing sensitive content from these caches.
Hi All, I believe I've found a vulnerability on your sandbox site which allows attackers to view the details of listings that are unpublished. ##Description While creating a product, I noticed there is a call to https://sandbox.reverb.com/api/listings/65905/product_bundle which returns json details about the product. I've included an example response below. …
Hi, I noticed that the `redirect_uri` used to redirect users to any location on the page, passes in all data into a `header("Location..` without any validation. The problem is that PHP (current PHP-versions of Debian/Ubuntu, there seems to be a patch properly in place in other dists) actually built the …
Steps to reproduce 1. Login as user1 in firefox browser 2. Go to http://localhost/nextcloud/index.php/settings/personal 3. Go to other browser (chrome) and login as user1 4. Change the password in chrome Observe that the session in firefox still works
Hey! I found a token misconfiguration flaw in Nextcloud 9.0.50 [Latest version]. When we reset the password for a user, a link is sent to the registered email address, but in case it remains unused and the email is updated by the user from the control panel, then too that old token [reset link] …
Using: https://vimeo.com/api/atv/clip/VideoID it is possible to get the title, description & download the file regardless of any privacy settings (this includes both setting the video to 'Only me' and using a password). For proof using my own video: https://vimeo.com/171116158 which has the password *gazza_hacker1* (as shown in the screenshot) - …