HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 1741 - 1760
Hi Team, I found an issue that your application is allowing user to set new password same as that of the old password. Steps to reproduce the defect -Firstly logged into the application with existing password (refer screenshot named : Original Password login Request)-Old password highlighted in screenshot -secondly now …
Hi there, Because of the limitation of the site, accounts may be locked down for 10 minutes. I found 2 ways to bypass this lock period. First one with the confirmation mail that we get when we sign on. If we get the token this way below, we can change …
I reported this bug to Mozilla approximately [9 months ago](https://bugzilla.mozilla.org/show_bug.cgi?id=1322307) and all versions of Firefox back to at least ESR45 and including current Nightly 57 builds are still vulnerable to this unpatched flaw. I've tested on Fedora 26, Debian 8, Windows 8 and Windows 10. Mozilla declined to award a …
## Summary: Several vulnerabilities in the bountypay application lead to unauthorised access, information disclosure, SSRF and other fun stuff. # Steps To Reproduce: This is how I helped Mårten Mickos pay the poor hackers who had been waiting so long for their bounties. ## First part: Web I started by …
Hi, previously reported xss https://hackerone.com/reports/107405 which is fixed, but I am able to bypass that fix. Payload for bypass : `<a href="javascript&colon;alert&lpar;document&period;domain&rpar;">Click Here</a>` # Steps: - Login into Polldaddy account polldaddy.com - go to ___POLLS___ and create new poll - in answers. enter xss payload `<a href="javascript&colon;alert&lpar;document&period;domain&rpar;">Click Here</a>` {F217173} - …
legalrobot allows a user to set email as password only by resetting password either by logged in and changing it into profile password changed successfully but the user couldn't log in to the app.legalrobot.com because js checks with email and password and it states it couldn't be same also not …
Hello. A few days ago, I was looking at Roblox subdomains, and I noticed an unusual one called creatorforum.roblox.com. Upon further investigation, I visited it and saw that creatorforum.roblox.com's CNAME was a nonexistent Discourse website. I immediately reported to [email protected], and eventually talked to Antek Baranski on the [email protected] email …
## Summary: Hi team, I found this php file https://magazine.atavist.com/static/external_import.php , and there is a parameter called `scripts` on this php file. Basically, the endpoint prints value of `scripts` parameter to `<script src='$Value'>`. So we can import any script file like that : https://magazine.atavist.com/static/external_import.php?scripts=//15.rs Or we can write HTML tags …
## Summary: According to [DOD Websites](https://www.defense.gov/Resources/Military-Departments/DOD-Websites/), the [███████](http://██████████) is a potential in-scope target, and where I discovered an unauthenticated `GET` based reflected cross-site scripting vulnerability on the `██████████` subdomain. ## Steps to Reproduce: Visit the following URL; ``` https://█████/█████/████████=%22%20autofocus%20onfocus=%22alert(document.domain)%22&Z_MODE=&Z_CALLER_URL=&Z_FORMROW=&Z_LONG_LIST=&Z_ISSUE_WAIT= ``` The following generated in the page source; ``` ███████ VALUE="" …
## Summary: Sadly, fix for #390013 works only for web. Loading `brave://` from the `file://` origin allows reading local files on the device. > I said that fix could be insufficient 😈 `file://` and `brave://` both are local origins. That means it's possible to access `brave://` from `file://` and vice …
While conducting my research I discovered that the application Failure to invalidate session after password. In this scenario changing the password doesn't destroy the other sessions which are logged in with old passwords. Steps to Reproduce: ---------------------- >Video PoC attached ###Step By Step: ->Login with the same account in Chrome …
Hi, I'm sure this repo on GitHub `https://github.com/Hacker0x01` belongs to `Hackerone,inc`. I've found that your docs on it mention a Heroku app `breaker101.herokuapp.com` which no longer works and I could take it over via Heroku. >Suggested Fix : Remove this app name from your docs or I can …
**Description** The title may seem a bit confusing but I will try to make it as simple as possible. Let us dive into it. When we login to zomato.com and click on `Order Food`, We are redirected to the endpoint like `/mumbai/order-food-online?delivery_subzone=10159` where `mumbai` is the city and `10159` is …
# Summary: `https://search.usa.gov/help_docs` endpoint is vulnerable to SSRF via `url` parameter. The parameter is protected but can be bypassed using LF (%0A). # Steps To Reproduce: 1. Login to Search.gov and click `help manual`. 2. The following request was vulnerable. - Request ``` GET /help_docs?url=https%3A%2F%2Fsearch.gov%2Fmanual%2Faccount.html HTTP/1.1 Host: search.usa.gov User-Agent: Mozilla/5.0 …
**Summary:** A stack buffer overflow vulnerability affects the "ext" field in the "stylers.xml" configuration file. The "isInList" function doesn't check boundaries on the word[64] array. **Description:** Vulnerability src file: notepad-plus-plus/PowerEditor/src/MISC/Common/Common.cpp Vulnerability line: line 329 Variable affected: TCHAR word[64]; ## Steps To Reproduce: Notice: All these steps have been tested on the 32-bit version of Notepad++. …
ammm
With crafted regex match, I have found a heap-overflow in function Perl__byte_dump_string, which would lead to memory leak. * Reported to the [Perl security mailing list](https://rt.perl.org/Public/Bug/Display.html?id=132063) on 11 Sep 2017. * Confirmed as a security flaw by TonyC on 24 Feb 2018 * CVE-2018-6797 assigned to this flaw on 7 …
**Summary:** A stack buffer overflow vulnerability has been detected in XML parsing functionality on Notepad++. That's due to the fact that _invisibleEditView.getText function doesn't check buffer boundaries. **Description:** Vulnerability src file: notepad-plus-plus/PowerEditor/src/Notepad_plus.cpp Vulnerability line: line 1008 Variable affected: char encodingStr[128]; Function that overflows buffer: _invisibleEditView.getText ## Steps To Reproduce: 1. …
ammm