
HackerOne Reports

Search through disclosed security reports


Email HTML Injection

Low $250 Closed
This bug is an Email HTML Injection present in the name of a workspace while creating it. ## Impact The input is unsanitized and vulnerable, which led to HTML injection, which may lead to phishing. When 2FA is applied, it sends mail with the injected HTML.
While building a PoC for CVE-2022-32209, I noticed that I could not fix my vulnerable application by updating https://github.com/rails/rails-html-sanitizer from 1.4.2 to 1.4.3 even though the Hackerone report about this vulnerability suggested that this should fix it (see here: https://hackerone.com/reports/1530898). I built this app with Rails 7.0.3.1 by just running …
Description: It has been observed that the Amazon S3 bucket, which I believe belongs to GoCD as it contains data related to GoCD █████ documents and all, is misconfigured; as a result any unauthenticated user can access it without any restrictions. Step-by-step Reproduction Instructions 1. Access the following URL https://█████████.s3.amazonaws.com/ so the …
### Summary It's possible for an attacker to take over a dangling custom domain pointing to GitLab Pages using `instanceX.gitlab.io`. The problem arises when adding a custom domain to GitLab Pages: without the domain being verified, it still serves content (allowing 7 days before disabling it). ### Steps to reproduce I …
It's possible to take over subdomains that point to GitLab Pages. While adding a subdomain no verification of domain ownership is required. ## POC Steps 1. Go to http://george.ratelimited.me/ (tested in Firefox) {F3307364} ## Impact Attackers could perform several attacks like: - Cookie Stealing - Phishing campaigns. - Bypass Content-Security …
I would like to report a DoS in `json-bigint`. It allows causing a denial of service using very limited input (~70 bytes). # Module **module name:** `json-bigint` **version:** 0.3.1 **npm page:** `https://www.npmjs.com/package/json-bigint` ## Module Description > JSON.parse/stringify with bigints support. Based on Douglas Crockford JSON.js package and bignumber.js library. ## …
--- **Title:** Lack of Rate Limiting on Account Creation Endpoint **Description:** The **`/account/signinform/premium_tour_login`** endpoint on **██████████** lacks rate limiting, allowing attackers to automate the account creation process. This vulnerability can be exploited to generate a large number of fake accounts by automating requests using tools like Burp Suite's Intruder. **Endpoint …
Description ------------------- An attacker can inject a malicious script into the filename which a victim tries to upload, leading to XSS inside the administrator's control panel. Two different "file to large" cases end up interpolating the file name and appending it into the DOM unsanitized, leading to XSS. I …
Hello, HTTP TRACE method is enabled on your server which should not be enabled. It can lead to cross site tracing ! Cross site tracing: https://www.owasp.org/index.php/Cross_Site_Tracing ``` curl -X TRACE http://gip.rocks/ -vv * Hostname was NOT found in DNS cache * Trying 184.73.218.93... * Connected to gip.rocks (184.73.218.93) port 80 …
Hello team, ## Introduction Since you mentioned in the rules that all libraries listed on your GitHub repositories are in scope, I decided to take a look at http://gip.rocks ## Problem: The application reads an image file, converts it into smaller formats, zips it and lets the users to …
Hey! I think there are strange access rules for restricted files. ### Steps to reproduce: 1. Load a file as User1 and set its access level to "No one" (file Id for example 12) 2. Make a wiki with the text `{F12}` as User1 3. Edit the new wiki page (change all text or …
Issue submitted: http://bugs.python.org/issue29398 The xxlimited module exists only in Python 3.6 compiled on Linux. Starting program: /usr/bin/python3.6 xlimited.py [Thread debugging using libthread_db enabled] Using host libthread_db library "/usr/lib/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. 0x00007ffff73d73f5 in PyArena_Malloc () from /usr/lib/libpython3.6m.so.1.0 (gdb) info reg rax 0x2000000000000000 2305843009213693952 rbx 0x4141414141414141 4702111234474983745 rcx 0xe 14 …
The uri GET parameter of Login.cgi is directly used (on login) to generate HTTP headers without sanitisation. A user could be tricked into logging into the device and then redirected to a malicious location or attacked through other HTTP header injection attacks. Vulnerable code: if (isset($uri) && strlen($uri) > 0) …
Hi! I am testing a typical local installation of Phabricator. Using the forgot password form it is possible to enumerate users' emails because of the message `There is no account associated with that email address.`. So an attacker could theoretically figure out registered users' emails and use that information later …
The multi-part body parsing in Rack and consequently Rails has a worse-than-linear performance relative to the number of parts in the request body. In small scale (i.e. non-disruptive) tests on a variety of Rails applications on the internet, including my own, GitHub.com, Heroku API, Instacart, Shopify, Bugcrowd, and others, it …