HackerOne Reports
Hi Guys, **anywhere** allows embedding HTML in file names, which (in certain conditions) might lead to the execution of malicious JavaScript. **Module:** Running static file server anywhere. https://www.npmjs.com/package/anywhere **Description** To embed a malicious ```<script>``` tag with JavaScript code to execute, the ```/``` character is necessary. In all operating systems, ```/``` is not allowed …

Hi Team, Found that the .svn repo is publicly accessible. We can verify it by loading https://support.wordcamp.org/.svn/entries in any browser. This is very dangerous as an attacker may download the entire source code. More details about this vulnerability are provided here: http://www.adamgotterer.com/post/28125474053/hacking-the-svn-directory-archive By using https://github.com/anantshri/svn-extractor we can try to download the entire svn repository …
Hi Guys, **angular-http-server** (https://www.npmjs.com/package/angular-http-server) contains a Path Traversal vulnerability, which allows a malicious user to read the content of any file with a known path. **Module:** A very simple application server designed for Single Page App (SPA) developers. (https://www.npmjs.com/package/angular-http-server) **Description** angular-http-server does not sanitize the path in the correct way, so ```curl``` can be used …
## Description Hello. I discovered an Open redirect vulnerability on the `nl.wordpress.org`. ## Root cause The 301 Redirect contains the full hostname, followed with `@` without trailing slash, when using: ``` GET /@google.com HTTP/1.1 Host: nl.wordpress.net User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate …
## Summary: XSS on watchdocs.indriverapp.com ## Steps To Reproduce: 1. Go to https://watchdocs.indriverapp.com/webview/v1/refresh-jwt?redirect=%22%3E%3Cimg%20src=faw%20onerror=alert(1)%3E 2. An alert window will popup {F2401964} ## Impact Allow executing js code on users browsers
**Summary:** The ██████████ website allows access to PII of all site users via faulty access control to the /██████ endpoint. ## Step-by-step Reproduction Instructions 1. Browse to ████████ and login or create an account. 2. Browse to ███████/████████. You will be able to access PII of all site users (click …
Hi Team, I hope you are doing well. Vulnerability Name :- Bypass Password of Shared Files due to Lack of Rate Limit Vulnerability Description :- Hi Team, I found a vulnerability in which I am able to bypass password protection of shared files due to lack of Rate limit. Vulnerable …
I would like to report Server-side Template Injection in lodash.js (_.template function). It allows the execution of code on the server. # Module **module name:** lodash **version:** 4.17.15 **npm page:** `https://www.npmjs.com/package/lodash` ## Module Description The Lodash library exported as Node.js modules. ## Module Stats 26,664,631 weekly downloads # Vulnerability ## …
**Summary:** An adversary is able to view/modify requests and approvals via ████████/████████. ## Step-by-step Reproduction Instructions 1. Browse to █████ and create an account or sign in. 2. Browse to ███████/██████████. You can now view current/past requests. 3. Clicking on these requests seems to allow an adversary to update/create changes/send …
**Summary:** An attacker is able to share their dashboard with other █████████ users. When sharing their dashboard, the message is not fully sanitized for HTML characters before sending to the recipient. This allows the attacker to craft a believable spearphishing e-mail coming from an e-mail address owned by the ███████. …
This bug was reported directly to GitHub Security Lab.
## Summary: The Upload Avatar option allows the user to upload image/*, thus enabling the upload of many file formats including SVG files (MIME type: image/svg+xml). SVG files are XML-based graphics files for 2D images. Thus, this opens up an attack vector to upload specially crafted malicious SVG files. …
## Summary: Curl fails to preserve file permissions when writing: - `CURLOPT_COOKIEJAR` database - `CURLOPT_ALTSVC` database - `CURLOPT_HSTS` database Instead the permissions are always reset to 0666 & ~umask if the file is updated. As a result a file that was before protected against read access by other users becomes …
Hello, I was looking at the change log (https://github.com/rails/rails/commit/2121b9d20b60ed503aa041ef7b926d331ed79fc2) for CVE-2020-8185 and found another problem existed. https://github.com/rails/rails/blob/v6.0.3.1/actionpack/lib/action_dispatch/middleware/actionable_exceptions.rb#L21 ```ruby redirect_to request.params[:location] end private def actionable_request?(request) request.show_exceptions? && request.post? && request.path == endpoint end def redirect_to(location) body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>" [302, { "Content-Type" => "text/html; charset=#{Response.default_charset}", "Content-Length" => body.bytesize.to_s, …
Hello, I'm not sure if this was actually meant to be made public on purpose, but I was looking through some of the sources that were loaded and found out the following: * https://imgur.com/ - See ██████ * s.imgur.com -> desktop-assets -> js * contains multiple minified JS files as …
# Vulnerability __Affected Product__: `bigdecimal` extension in https://github.com/ruby/ruby __Affected Versions__: At least version 3.2.2, I didn't test any previous versions The current implementation of `BigDecimal#sqrt` in `ext/bigdecimal/bigdecimal.c` erroneously checks its parameter and allows users of the function to control how long it will run. This may lead to a DoS …
Maliciously crafted directories mirroring an ASAR file structure could be used to trick apps with ASAR integrity enabled into loading non-validated code. ## Impact This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS …