HackerOne Reports
10,350 reports found
Showing 1561 - 1580
Hi, A STAFF with just `Settings` permission can only create 1 type of webhook called `Shop Update` as seen below. {F368739} Attempting to create a `Order Creation` webhook via burp proxy gives a 403 -Forbidden response with the message indicating that `You do not have permission to create webhooks with …
## Bounty Hunter Name: CyberQueenMeg ## About You: Megan, also known as CyberQueenMeg, is a passionate rising cybersecurity professional who is interested in programming, cybersecurity, and web development. Megan is a high school senior in a rigorous computer science program at her high school where she has to take an …
**Summary:** Hello **Description:** ## Impact ## Step-by-step Reproduction Instructions 1. Go to https://███.mil/ and log in using your credentials 2. Now click on change password 3. First turn Burp's intercept on, enter your secondary email ID and password, and click on register password. ``` <html> <!-- CSRF …
Hi team, while testing I found a host IP https://█████████ which belongs to DoD (██████████.mil), running the web services interface of Cisco ASA/FTD, and it is vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD. An attacker could exploit this vulnerability by sending a crafted HTTP request containing …
## Reflective Cross-Site Scripting (XSS) An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker to …
Source code disclosure: Summary: Severity: Low; Confidence: Tentative; Host: https://nextcloud.com; Path: /wp-content/themes/theme-package/dist/js/main.js. Issue detail: The application appears to disclose some server-side source code written in PHP. Issue background: Source code intended to be kept server-side can sometimes end up being disclosed to …
**Description:** Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function 'phpinfo()' for debugging purposes, and various PHP applications may also include such a file by default. By accessing it, a remote attacker can discover a large amount of information about the remote …
## Summary Hello team! Synthetics recorder has a `quote` function to escape user-controlled input, but in one particular scenario the escaping isn't enough and a malicious website can inject arbitrary code in the recorder session. ## Description The `waitForNavigation` event calls `quote` within the context of a multi-line comment (`/* …
#Hi team, there is HTML injection when a user adds a Description to an event and a public user searches for the published event #Steps * log in to https://www.linkedin.com/groups/ * create an event, mark it as Public, and add <a href="https://malicious-site.com">Click me!</a> as the Description {F2785963} * save the change, now navigate to ==Search== and enter your event name * …
https://hackerone.com/reports/2148242 ## Impact cookie injection into a program using libcurl, if several conditions are met
A Blind Text Injection Differential vulnerability was found on your site in the URL: https://www.legalrobot.com/assets/icons. A GET request made on GET /assets/icons/?v=9wr1emhXD568%3B'%20UNION%20SELECT%208%2C%20table_name%2C%20'vega'%20FROM%20information_schema.tables%20WHERE%20table_name%20like'%25 results in the vulnerability
**Summary:** I have found a number of minor security vulnerabilities with no impact that when chained together will lead to an attacker being able to steal the current user's facebook access token provided for kitcrm.com **Description:** - In kitcrm.com, users register with their shopify account and the products in their …
Every text/javascript response gets executed. jQuery 1.10.2 is vulnerable and executes the response received. https://assets.gratipay.com/jquery.min.js?etag=YoBy5yEtsejNrLIrIXUs2g~~ https://github.com/jquery/jquery/issues/2432