
HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 1641 - 1660
**Summary:** I have just gotten an email notification from my XSSHunter payload that my blind stored XSS has been triggered by an administrator on the █████████ site, in the following URL: `https://█████/████` Admin IP address: ████████ User-Agent: █████████ Cookies: `██████` Injection Image: ███████ DB Creds exposed: …
Hi, I found an XSS-R. To reproduce the issue, please click the PoC link and then press the "verify email" button. PoC: https://www.reddit.com/verification/asd',%20alert(document.location),%20%27 ## Impact With the help of XSS an attacker can steal your cookies, in many cases steal sessions, download malware onto your system and send a custom …
**Summary: [Summary the vulnerabilities]** I was surfing on the bb3jobboard.topechelon.com website. I found sensitive data, including an authentication key, written in a publicly accessible JavaScript file. **URL Vulnerability** * https://bb3jobboard.topechelon.com/#!/search?page=1 ### Steps To Reproduce: * Open bb3jobboard.topechelon.com and add javascript-fuzz payloads * The sensitive directory is `//job_board.js//`; parse this JSON file using jsonparseronline …
Hello ## Summary: I have found a no-rate-limit issue on the report functionality. When you enable the report functionality on your site, you can set a number of reports before deleting the reported comment. By default, this functionality is disabled, but if you enable it and you set …
**Summary:** A ██████████ application called "████" has an old endpoint that accepts insecure/test ████████ credentials despite being a publicly-accessible IP. This endpoint also provides the ability to view information that may be FOUO, to exfiltrate information on registered personnel or contractors, to upload files, and to change configuration settings with …
Report Submission Form ## Summary: The Kubernetes repo and tool, [test-infra](https://github.com/kubernetes/test-infra), uses the insecure yaml.load() function to set or update the `Gubernator` configuration with a yaml file which allows for code injection. Vulnerable Line of Code: [https://github.com/kubernetes/test-infra/blob/master/gubernator/main.py#L36](https://github.com/kubernetes/test-infra/blob/master/gubernator/main.py#L36) [https://github.com/kubernetes/test-infra/blob/master/gubernator/update_config.py#L35](https://github.com/kubernetes/test-infra/blob/master/gubernator/update_config.py#L35) [https://github.com/kubernetes/test-infra/blob/master/gubernator/update_config.py#L48](https://github.com/kubernetes/test-infra/blob/master/gubernator/update_config.py#L48) Vulnerable Files and functions: main.py:get_app_config() update_config.py:main() ## Kubernetes Version: Latest version: …
## Summary: In imap and pop3, --ssl-reqd is silently ignored if the capability command failed. In ftp, a non-standard 230 response (preauthentication?) in the greeter message forces curl to continue unencrypted, even if TLS has been required. ## Steps To Reproduce: Use a parameterizable test server to fail capability command …
## Summary: A man-in-the-middle can inject cleartext forged responses to future encrypted commands by pipelining them to the STARTTLS response. ## Steps To Reproduce: Use the attached test case within the curl test system. It is based on IMAP FETCH with explicit TLS. Upon test failure, the downloaded file contains …
During an assessment made on a separate web application whose customers use Stripe for their payments, I detected a different behavior between accounts created using the standard interface and accounts created using the Connect portal. ## Classic User creation. Users can create their account using the classic interface …
Steps to reproduce vulnerability: 1) Create 2 accounts, one for the attacker and one for the victim 2) With the attacker account go to https://www.evernote.com/secure/CloseAccount.action 3) Open your Burp Suite and when you press "Deactivate your Evernote account" you will see another popup, "Before you go, we recommend...", just …
This bug was reported directly to GitHub Security Lab.
I don't know where my XSSHunter script is, but my script is enabled on your web. It is on your web at: 1. https://devicemanager.shopifycloud.com/admin ## Impact XSS is triggered.
## Summary Hello, @acronis Team, I hope you are all doing well. During my recon, I found an OPEN S3 BUCKET, http://acronis.1.s3.amazonaws.com, and this BUCKET has a ZIP file, and this file contains sensitive information about the internal system of Acronis. This ZIP file is from 2018. And it looks like …
Hi, I have a log file disclosing the admin password on https://www.devicelock.com/log.txt. You can see the MD5 password in the log file: ``` 2020-03-20 08:12:15 - main - <br>Module: change password (4.1.2)<br>change_password=yes;/forum/forum_auth.php;login=admin;md5=2bca2f877b7a727861b59f4a4039d2e9 ``` ## Impact This information (admin password) can lead to admin account takeover.
# Description While testing the wallet extension I generally try to test multiple endpoints, so 2 tabs of the wallet were open on chrome-extension://ldinpeekobnhjjdofggfgjlcehhmanlj/popup.html. So I tried to lock the wallet extension but I found that I could still use the wallet in the 2nd tab, even though I had already locked the wallet. So there is a …
Hey team, I found the admin panel at https://plus-website.shopifycloud.com/admin.php?_page=1 exposed without authentication. ## Impact An attacker can destroy and edit data.
Hi Guys, **metascraper** is vulnerable to Stored XSS via Open Graph metadata, if it is used in HTML without any sanitization. **Module:** A library to easily scrape metadata from an article on the web using Open Graph metadata, regular HTML metadata, and a series of fallbacks. https://www.npmjs.com/package/metascraper **Description** Due to lack …
Hi Guys, **simplehttpserver** allows embedding HTML in file names, which (in certain conditions) might lead to execution of malicious JavaScript. **Module:** 'simpehttpserver' is a simple imitation of Python's SimpleHTTPServer and intended for testing, development and debugging purposes https://www.npmjs.com/package/simpehttpserver **Description** This issue is another example of lack of output sanitization. Here's the source …
Hi Guys, **node-srv** contains a Path Traversal vulnerability, which allows a malicious user to read the content of any file with a known path. **Module:** Simple static node.js server. Supports Heroku and Grunt.js https://www.npmjs.com/package/node-srv **Description** `node-srv` does not sanitize the path in the correct way, so `curl` can be used to retrieve the content of any …