HackerOne Reports
Search through disclosed security reports
10,350 reports found
Showing 1701 - 1720
This bug was reported directly to GitHub Security Lab.
This bug was reported directly to GitHub Security Lab.
Details: If the `remove_unparseable` function receives a list of files with a command in the name of one of them, it will be executed. Just enough the name to match the pattern. The problem code: ```ruby def remove_unparseable files files.reject do |file, *| file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or (file =~ /tags$/i …
When the victim downloads files in nextcloud.A notification will be triggered. The content of the notification is "Downloaded".This notification is used to remind the user that the download is complete.The pendingintent in this notification is an implicit intent. At this time a malicious app with "BINDNOTIFICATIONLISTENER_SERVICE" permission can get the …
[Java] CWE-759: Query to detect password hash without a salt
Low
$1,000
Closed
This bug was reported directly to GitHub Security Lab.
This bug was reported directly to GitHub Security Lab.
## Summary: NOTE: This one need verification from the side of Shopify as we can't set up a real payment GW or check the logs of the test one When checking out in PoS and paying with credit card, it is possible to manipulate numbers in the end request to …
go to your account's chat page, stop the request and change the reddit session parameter, now leave the request and you will be able to access the test account's chat screen send the request to the repeater change the reddit session parameter and send it then you will see the …
## Intro: 12 days of challenges - some more challenging than others! This holiday CTF had all 12 challenges hosted on the website https://hackyholidays.h1ctf.com/ {F1129112} ## Challenge 1: I started by *significantly* overthinking all of the early challenges in this competition. When this CTF started the home page did not …
**Description:** Email enumeration vulnerability. Vulnerable api method: ```/api/v1/users.2fa.sendEmailCode``` ##Releases Affected:: * Rocket.Chat up to 3.10.5 Request for existing account: ``` POST /api/v1/users.2fa.sendEmailCode HTTP/1.1 Host: rocket-chat.local:3000 Referer: http://rocket-chat.local:3000/home Connection: close Content-Length: 36 Content-Type: application/json;charset=UTF-8 {"emailOrUsername":"[email protected]"} ``` Response ``` HTTP/1.1 200 OK X-XSS-Protection: 1 X-Content-Type-Options: nosniff X-RateLimit-Limit: 10 X-RateLimit-Remaining: 7 X-RateLimit-Reset: 1611804788737 …
Greetings, I am Mojtaba Zaheri, a doctoral candidate in Computer Science, affiliated with the [NJIT Cybersecurity Research Center](https://centers.njit.edu/cybersecurity/welcome/). Together with my doctoral dissertation advisor, Prof. Reza Curtmola, we are reaching out to perform responsible disclosure of a vulnerability present on the GitLab website. Please let us know if you have …
The following is from: https://hackerone.com/reports/1656627 ## Intro The Rails HTML sanitzier allows to set certain combinations of tags in it's allow list that are not properly handled. Similar to the report [1530898](https://hackerone.com/reports/1530898), which identified the combination`select` and `style` as vulnerable, my fuzz testing from today suggests that also `svg` and …
Rails ActionView sanitize helper bypass leading to XSS using SVG tag.
Medium
$2,400
Closed
In the specific configuration, it was possible to bypass HTML sanitization by using the `use` tag of the `SVG` element. In the `index.html.erb`: ```ruby <%= sanitize "<svg><use href=\"data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEzMzcnIGhlaWdodD0nMTMzNyc+CjxpbWFnZSBocmVmPSIxIiBvbmVycm9yPSJhbGVydCh3aW5kb3cub3JpZ2luKSIgLz4KPC9zdmc+#x\"/></svg>", tags: %w(svg use) %> ``` `use` tag allows to embed another base64 encoded `SVG` containing target XSS payload, base64 after decoding: ```svg …
The following is from: https://hackerone.com/reports/1654310 While building a PoC for CVE-2022-32209, I noticed that I could not fix my vulnerable application by updating https://github.com/rails/rails-html-sanitizer from 1.4.2 to 1.4.3 even though the Hackerone report about this vulnerability suggested that this should fix it (see here: https://hackerone.com/reports/1530898). I built this app with …