HackerOne Reports
Search through disclosed security reports
[C#] CWE-759: Query to detect password hash without a salt
Medium
$1,800
Closed
This bug was reported directly to GitHub Security Lab.
When parsing `.rdoc_options` used for configuration in RDoc as a YAML file, RCE is possible from Object injection because there are no restrictions on the classes that can be restored. https://github.com/ruby/rdoc/blob/v6.3.0/lib/rdoc/rdoc.rb#L165

```ruby
def load_options
  options_file = File.expand_path '.rdoc_options'
  return RDoc::Options.new unless File.exist? options_file

  RDoc.load_yaml

  begin
    options = YAML.load_file '.rdoc_options'
  rescue …
```
## Summary: Hi there, this is a very small issue out of scope. Your current domain name in your hackerone program is wrong: http://sifchain.finance and moves to wix.com ## Steps To Reproduce: 1. Login as a researcher 2. Open the program from sifchain: https://hackerone.com/sifchain?type=team 3. click on the public url: …
## Summary: I discovered that it was possible to takeover `test-cncf-aws.canary.k8s.io` by assigning a zone to that name with one of the following nameservers in Route53:

```
test-cncf-aws.canary.k8s.io. 3600 IN NS ns-265.awsdns-33.com.
test-cncf-aws.canary.k8s.io. 3600 IN NS ns-687.awsdns-21.net.
test-cncf-aws.canary.k8s.io. 3600 IN NS ns-1458.awsdns-54.org.
test-cncf-aws.canary.k8s.io. 3600 IN NS ns-1825.awsdns-36.co.uk.
```

Once …
## Summary: No rate limit check on forgot password which can lead to mass mailing and spamming of users and possible employees A little bit about Rate Limit: A rate limiting algorithm is used to check if the user session (or IP-address) has to be limited based on the information …
## Summary: CircleCI allows projects to configure whether builds will run as a result of a pull request from a fork, and also whether these fork PRs have access to the secrets stored in the parent repo's CircleCI settings. When both settings are enabled, and the repo associated with the …
### Description
- There is an open redirect on /www/admin/campaign-modify.php?return_url= {F713773}
- By using //// at the start of the link, you can bypass the open redirect filter.
- example: `/www/admin/campaign-modify.php?clientid=&campaignid=&returnurl=%2F%2F%2F%2Fhackerone.com`

## Impact
This vulnerability can be used for phishing attacks
Hey y’all! 👋 Hope all is well! ## Summary: I noticed that, if you send an anonymous tip through the Tumblr dashboard, you can be de-anonymized through the notes view on the blog network (& maybe elsewhere?). ## Platform(s) Affected: All platforms, but requires a blog that is served on …
## Summary: Cross-site scripting (XSS) is an attack vector that injects malicious code into a vulnerable web application. Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Steps To Reproduce: 1. …
I do not see the end_to_end_encryption app listed here. But since you advertise it prominently on your website and in communication, and the clients (which also support it) are covered, I assume this is part of the program as well.
1. userA has end to end encryption setup
2. userB …
I confirmed that the classes that can be generated by parsing the xml sent in the request or response by XMLRPC bundled in ruby are not restricted. https://github.com/ruby/xmlrpc/blob/v0.3.2/lib/xmlrpc/create.rb#L251

```ruby
if Config::ENABLE_MARSHALLING and param.class.included_modules.include? XMLRPC::Marshallable
  # convert Ruby object into Hash
  ret = {"___class___" => param.class.name}
  param.instance_variables.each {|v|
```

When converting …
I have confirmed that XSS occurs on the Action Text edit ui. XSS is triggered when attempting to edit the text in which the crafted values are stored.

### PoC
Prepare the environment.

```
❯ rails new -C -G -T text
# => Rails 7.1.3.2, Ruby 3.2.3
❯ cd text
…
```
**Summary:** Typically, when an adversary gains access to stolen AWS IAM credentials they will [frequently](https://sysdig.com/blog/scarleteel-2-0/) test those credentials to see what access they have. They do this by performing API calls and seeing which succeed and which fail. There are even automated [tools](████████) to make this process easier. For defenders …
**Summary:** A vulnerability exists in the LinkedIn Premium support chat interface where unsanitized HTML input is rendered directly in the chat window. An attacker can exploit this by injecting malicious HTML such as clickable links, potentially leading to phishing or redirection attacks on LinkedIn support staff. **Steps to Reproduce:** 1. …
1. userA on serverA sets up end to end encryption on their android device
2. userA has some end to end encrypted data
3. userA removes their account on serverA from their android device (for whatever reason)
4. attacker (evil admin) obtains the device of userA
5. attacker (evil admin) …