HackerOne Reports
Search through disclosed security reports
10,350 reports found
Showing 1461 - 1480
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ShimContentFactory.retrieveOpportunityGenerators(). ------------------------------------------------------------------ II. Description Normally, retrieveOpportunityGenerators() should validate its parameter and return an error at the AS3 level if anything goes wrong. If the retrieveOpportunityGenerators() function is invoked directly with an invalid parameter, some …
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ShimContentResolver.resolve(). ------------------------------------------------------------------ II. Description Normally, resolve() should validate its parameter with canResolve() and return an error at the AS3 level if anything goes wrong. However, if ShimContentResolver is constructed with resolverType=0, then …
I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ShimContentResolver.resolve(). ------------------------------------------------------------------ II. Description Normally, resolve() should validate its parameter with canResolve() and return an error at the AS3 level if anything goes wrong. However, if ShimContentResolver is constructed with resolverType=1, then …
Hello, I just quickly took a glance. I am not entirely sure and didn't get a chance to test it, but it seems there are some serious bugs. In */apps/user_ldap/ajax/wizard.php*: ```php 36: $action = (string)$_POST['action']; ``` and it is called in multiple places, including lines 83 & 99, one being …
It is possible to enumerate UUIDs via invite code. During signup, if we enter an invite code, then the ```create``` request's response contains ```inviter_uuid```. As invite codes are public, an attacker can easily enumerate UUIDs in bulk. Here is a sample request: ``` POST /signup/clients/create HTTP/1.1 X-Uber-RedirectCount: 0 X-Uber-DCURL: https://cn-geo1.uber.com/ User-Agent: …
Hey, This is not really an exploit or vulnerability but you might want to fix this in your CSS, or set a max length for a name etc. https://www.zomato.com/users/quotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquotquot-34888032/edit Also, if people do something like this as their name, the long urls also waste your bandwidth :[. Kind regards, Kenny …
Hello Team NextCloud, In reference to report #217381, I reported the DDoS attack via DNS port at OwnCloud, and it was successfully patched. But now I got the same issue at ``` ci.nextcloud.com ``` Proof Of Concept: Here is the nmap result of ci.nextcloud.com NMap Scan Results: ``` Starting Nmap 7.40 …
- I reported this last week through email, but I didn't receive any response so that is why I report this once more. - This is probably not considered as a real security vulnerability, but my customers would like to see this fixed, therefore I report it. Problem: It is …
Hi, I found that the site https://vpn.bitstrips.com/ is vulnerable to a CRLF Injection. By injecting a Carriage Return and Line Feed character, we are able to make the server issue a set-cookie header. GET Request : ``` https://vpn.bitstrips.com/__session_start__/%0aSet-Cookie:malicious_cookie1 Host: vpn.bitstrips.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0 …
## Summary Your website allows users to set passwords that are too simple; at this time, I can set my password to 123456. Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging requirements of passwords. You should make …
Hi, While testing I have noticed that the hackerone invitation token gets exposed to google-analytics.com. How? Here, look at the photo- ████████ We can see that the request payload is exposing the invitation token and it's not filtered like this one- ███████ And this is what google does with …
Hi Mixmax team, Today I just found a Stored XSS on app.mixmax.com by adding a new enhancement. Just follow the steps below to reproduce this bug. **Vulnerable URL** [APP MIXMAX - Settings - Integrations & API](https://app.mixmax.com/dashboard/settings/integrations) **Payload** "><img src=x onerror=alert(document.domain)> **Steps to reproduce** - Go to the [Vulnerable URL](https://app.mixmax.com/dashboard/settings/integrations). - …
A reflected Cross-Site Scripting (XSS) vulnerability exists in the “Notes” functionality under the Edit Client section. When a user adds a new client and navigates to the "Edit Client" page, they have the ability to attach notes. However, if a malicious JavaScript payload is entered in the notes input field …
A reflected Cross-Site Scripting (XSS) vulnerability exists in the "Notes" input field under the Manage Tags section. When adding or editing a tag from the "Manage Tags" module in the client management panel, a user can enter arbitrary input into the Notes field. If this input includes malicious JavaScript (e.g., …
## Summary: Hello team, when I researched I found a domain vulnerable to downloading its git repository, and I will explain that. ## Steps To Reproduce: 1. Add the DotGit extension to your browser 2. Now try to access the domain https://curl.dev/ 3. You will see that the extension alerts and …
> NOTE! Thanks for submitting a report! Please replace *all* the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! **Summary:** During the first …
Hi security team, **Summary:** It is possible to upload files to the server using the PUT method ## Steps To Reproduce: 1. I used the following request: ``` PUT /emitrani.txt HTTP/1.1 Host: ratelimited.me Content-Length: 10 Connection: close emitrani POC ``` Now a file exists at https://ratelimited.me/emitrani.txt with contents of the …
Hi # Module scrape-metadata https://www.npmjs.com/package/scrape-metadata ## Module Description a module used to scrape meta data contents from an article ## Vulnerability Description It was possible to embed malicious js code in metadata content read by scrape-metadata. When the library reads such metadata, there was no sanitization performed. If output from scrape-metadata …
`net/imap` does not seem to raise an exception when the remote end (imap server) fails to respond with `tagged_response` (NO/BAD) or `OK` to an explicit call of `imap.starttls`. This may allow a malicious MITM to perform a starttls stripping attack if the client code does not explicitly set `usessl = …