
HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 1501 - 1520
**Description:** There exists a reflected XSS within the logout functionality of ServiceNow. This enables an unauthenticated remote attacker to execute arbitrary JavaScript. ## References * https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1156793 ## Impact Steal cookies to account takeover. ## System Host(s) █████ ## Affected Product(s) and Version(s) ## CVE Numbers CVE-2022-38463 ## Steps to Reproduce …
**Description:** During my research, I found one of the hosts running ServiceNow vulnerable to CVE-2022-38463. ServiceNow through San Diego Patch 4b and Patch 6 allows reflected XSS in the logout functionality. ## Impact Attacker is able to steal victims' cookies, redirect victim to attacker controlled domain, and perform various …
I have found multiple path traversals in *.torproject.org POC: [+] https://www.torproject.org/about/findoc/ [+] https://people.torproject.org/~infinity0/ [+] https://deb.torproject.org/torproject.org/ There are many many others which can be accessed by searching the following in Google: inurl:"index of" site:torproject.org I know that it's out of scope of your bounty program but I thought I should tell you …
**Summary:** The website uses a WordPress plugin called Formidable Pro. I found an SQL injection in the plugin code. **Description:** The plugin allows the site admin to create forms to be filled by users. For this end it implements some AJAX functions, including one to preview (or actually just view) …
Dear sir, At first, I am very happy to report an issue. Three months ago, I reported to WakaTime and again I am reporting another issue now. Note: This report is similar to #244614 which was previously reported at the start of this bug bounty program. Vulnerability: If two password reset …
Hi, # Description While searching for access control issues on Shopify I noticed a subdomain of Shopify, https://themes.shopify.io, which gave me the opportunity to install and download paid themes for free. # POC 1. Go to https://themes.shopify.io/login and log in 2. Select one of the paid themes and press the `buy theme` button …
SUMMARY ================= I tested that all POST requests have a CSRF token. During author profile creation a CSRF token is also posted. Now when I removed this CSRF token, it shows an error like below ``` CSRF validation failed 0 /var/www/csprng/src/Cabin/Bridge/Controller/Author.php(52): Airship\Engine\Controller->post(Object(Airship\Cabin\Bridge\Filter\Author\AuthorFilter)) /var/www/csprng/src/Engine/AutoPilot.php(485): Airship\Cabin\Bridge\Controller\Author->create() /var/www/csprng/src/Engine/AutoPilot.php(315): Airship\Engine\AutoPilot->serve(Array, Array) /var/www/csprng/src/public/index.php(86): Airship\Engine\AutoPilot->route(Object(Airship\Engine\Networking\HTTP\ServerRequest)) {main} ``` …
Hello, **Summary:** Normally, if a user __(victim)__ sets their tweets to private/protected in the Tweet privacy setting, other users will not be able to see their recent or past statuses/tweets when they visit the __(victim)__ profile. People can only see the __(victim)__ profile image and information about __how many tweets …
Hi there, I found a broken session bug on your website. Your website is unable to validate the session. That may lead to takeover of victims' accounts. Reproduce: 1. Go to https://polldaddy.com and log into your account from two different browsers. 2. Now change the password from any browser you are already logged in to 3. You will still be logged …
# Summary I just found that Gratipay is vulnerable to adding an already-used Primary Email Address to an attacker account and account takeover of Gratipay. # Description I was looking at the source code of the application and I found that, "If the email address `[email protected]` is already added in …
Tor

Content spoofing on

Low Closed
Scenario An attacker can include any arbitrary text using a specially crafted Tor Project URL. Reporting this but not sure if this is in scope (text injection not marked in exclusion list). Kindly mark it as informative in case it is out of scope. Steps 1) Attacker distributes the below …
# Description It has been noticed that when a partner account user with `manage shops` permissions installs an app in one of the managed shops, he can still make changes to the shop through that app although his `manage shops` permissions were revoked on …
Hello team! While doing a preliminary recon on *.wordpress.org I've come across a few sensitive files that should not be facing the public web; I'll leave you a list organized by criticality and some proof. ### High priority [.travis.yml](https://codex.wordpress.org/.travis.yml) configuration file with credentials ``` php maintenance/install.php testwiki admin --pass travis …
SUMMARY ======================== Here the server doesn't check the owner of any comment. During comment deletion it does not check whether the comment was created by the user or not, so I can delete a comment of another user. STEPS TO REPRODUCE ======================= 1. Go to https://localhost:8080/blog/comments . 2. Select any comment which is …
**Description:** The host https://██████/ has /jenkins/script directory enabled that allows user to execute system command in the host. ## References https://hackerone.com/reports/768266 ## Impact Attacker can use the IAM credentials to manage various AWS resources, create and delete resources, read and write data in AWS services, create and manage other IAM …
Hello, Reddit! I hope you are okay in there. First of all, I want to say one thing, maybe you will not appreciate this report, but at least this report can help users from France to understand the content policy of Reddit, so that if you fix this problem, users …