
HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 1541 - 1560
### Hello there, I know that this is Non-critical issue but I want you guys to be aware of it. ###1.) I have found a Content Spoofing or Text Injection in This url [http://dl-origin.ubnt.com/](http://dl-origin.ubnt.com/) Go to this url [http://dl-origin.ubnt.com/has%20been%20changed%20by%20a%20new%20one%20https://www.ATTACKER.com%20so%20go%20to%20the%20new%20one%20since%20this%20one](http://dl-origin.ubnt.com/has%20been%20changed%20by%20a%20new%20one%20https://www.ATTACKER.com%20so%20go%20to%20the%20new%20one%20since%20this%20one) See the text injection in the attached picture {F157352} See text …
The patch of the report https://hackerone.com/reports/192896 you forgot to add here https://github.com/Shopify/mruby-engine
PoC ------------------- The following code triggers the bug (attached as mrb_vm_exec.rb): n s s k (h) GC.start ObjectSpace.each_object{|obj|obj[]} Debug - mirb ------------------- (gdb) r mrb_vm_exec.rb The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/x/Desktop/research/test/mruby/bin/mirb mrb_vm_exec.rb mirb - Embeddable Interactive …
> NOTE! Thanks for submitting a report! Please fill all sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty. ## Summary: As a user you expect the browser to not persist data after …
POC === 1. Under "Your Stuff" choose to "Create a Discussion/Ask a question" 2. Choose a space to submit your discussion/question. Any space will do. 3. Title your discussion with the payload `"><img src=x onerror=alert(1)>` 4. Choose "Post message" to publish. 5. View the message as any user. Under "Actions" …
## Open Redirect in scout24.greenhouse.io The **Scout24 Security Team** did a penetration test against `scout24.greenhouse.io` in order to verify how Scout24 relevant data is protected against common attack vectors. Basically we have tested the (web) application against [OWASP Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) using industry common methodologies. ## Reproduction steps * Visit https://boards.greenhouse.io/scout24 …
Hello, HTTP TRACE method is enabled on your server which should not be enabled. It can lead to cross site tracing! I think this is not a critical issue but I thought I will still report because it is always better to fix it :) Cross site tracing: https://www.owasp.org/index.php/Cross_Site_Tracing …
## Summary: Hello, I found a Reflected Cross site Scripting (XSS) on http://h1b4e.n2.ips.mtn.co.ug:8080 . With this security flaw it is possible to rewrite the content of the page, executing JS code... ## Steps To Reproduce: How we can reproduce the issue: 1. Go to http://h1b4e.n2.ips.mtn.co.ug:8080/status%3E%3Cscript%3Ealert(31337)%3C%2Fscript%3E 2. We can see alert message 31337 {F1259889} …
**Description:** The following endpoint suffers from DOM Based XSS ``` https://████████/██████=javascript:alert(document.domain) ``` The ████████ param determines the content which will be displayed on the "Back to Search Result" button, eventually leading to RXSS. ## References ██████ ## Regards nagli ## Impact Executing javascript on the victim's behalf ## System Host(s) …
**Description:** The `www.██████` endpoint is vulnerable to path-based reflected XSS which allows attackers to pass rogue JavaScript to unsuspecting users. ## Impact This flaw allows attackers to pass rogue JavaScript to unsuspecting users. Since the user’s browser has no way to know the script should not be trusted, it will …
> NOTE! Thanks for submitting a report! Please replace *all* the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! **Summary:** Open Redirect at …
# Vulnerability Overview When Burpsuite runs, it tries to load some DLLs in the path ```C:\Program%20Files```. Because the folder doesn't exist, it can be created **by a low-privileged user** which can inject arbitrary DLL into the process when another **privileged user** runs Burpsuite. I have verified the vulnerability in …
## Summary: A path traversal vulnerability was discovered in the Lila project that allows an attacker to access arbitrary files on the server by manipulating user-supplied input to traverse outside the intended directory structure. This flaw could potentially expose sensitive files such as application source code, configuration files, or other …
immm
### Summary of Impact On one hand we have this upgrade functionality that has this specific check [HasInflightPackets](https://github.com/cosmos/ibc-go/blob/e10bbbc47fb70e138a3369902d18586b3da95800/modules/core/04-channel/keeper/keeper.go#L712). It looks up channel's committed packets. And if there are any it won't set the channel into `FLUSHCOMPLETE`. In [handleFlushState](https://github.com/cosmos/ibc-go/blob/f5e1a4c33c01d355323ea368d8d63664180736e5/modules/core/04-channel/keeper/packet.go#L486), in [WriteUpgradeAckChannel](https://github.com/cosmos/ibc-go/blob/f5e1a4c33c01d355323ea368d8d63664180736e5/modules/core/04-channel/keeper/upgrade.go#L354) and in [WriteUpgradeConfirmChannel](https://github.com/cosmos/ibc-go/blob/f5e1a4c33c01d355323ea368d8d63664180736e5/modules/core/04-channel/keeper/upgrade.go#L484). And upgrade can't be fully completed if …
curl

Security check up

Low Closed
## Summary: [summary of the vulnerability] [Statement clarifying if an AI was used to find the issue or generate the report] ## Affected version [Which curl/libcurl version are you using to reproduce? On which platform? `curl -V` typically generates good output to include] ## Steps To Reproduce: [add details for …
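English follows Japanese. Dear Sony Group Corporation, We have identified a serious security vulnerability in our product, the WH-1000XM5, and are reporting it to you. As a security researcher, I believe that reporting such findings is extremely important for ensuring the continued security and integrity of your products. # Sec.0 Summary - This report describes an improper authentication vulnerability identified in your product, the WH-1000XM5. - By combining this vulnerability with existing Bluetooth attacks, a MitM attack can easily be achieved. - The reporter requests that a CVE number be assigned to this vulnerability. # Sec.1 Vulnerability type Improper authentication # Sec.2 Vulnerability details By impersonating a device paired with the WH-1000XM5, a malicious third party (hereafter, the attacker) gets the WH-1000XM5 to connect to the attacker's device **even when it is not in pairing mode** and **without requiring any action by the WH-1000XM5's user**. Inspecting the Bluetooth packets shows that the WH-1000XM5's authentication on reconnection is flawed and does not comply with the Secure Simple Pairing (SSP) reconnection process. # Sec.3 Affected products [WH-1000XM5](https://www.sony.jp/headphone/products/WH-1000XM5/) **NOTE** This vulnerability may not be limited to the WH-1000XM5. # Sec.4 PoC This section describes the devices and setup required for the PoC and the steps to reproduce this vulnerability. ## .4.1 PoC devices **Victim's Master Device** | Manufacturer | Model | Operation …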