HackerOne Reports
Search through disclosed security reports
10,350 reports found
Showing 1761 - 1780
Open Redirect Vulnerability Hello, found open redirect in https://stage.test.dev-iam.xi.nutanix.com/api/iam/authn/v1/oidc/logout?post_logout_redirect_uri=. Go to https://stage.test.dev-iam.xi.nutanix.com/api/iam/authn/v1/oidc/logout?post_logout_redirect_uri=http://evil.com&id_token_hint=test curl -I "https://stage.test.dev-iam.xi.nutanix.com/api/iam/authn/v1/oidc/logout?post_logout_redirect_uri=http://evil.com&id_token_hint=test" HTTP/2 302 content-type: text/html; charset=utf-8 location: http://evil.com date: Wed, 13 Oct 2021 20:55:57 GMT x-envoy-upstream-service-time: 2 server: envoy ##Reference https://hackerone.com/reports/504751 https://portswigger.net/kb/issues/00500100_open-redirection-reflected ## Impact An attacker can use this vulnerability to redirect users to other …
###Summary: The issue occurs when inviting a user by their WakaTime ID. If a user has set their email to private, their email address still appears when they are invited using their ID. This contradicts the privacy settings and could lead to unintended email exposure. ###Steps to Reproduce: 1- When …
## Summary: This report details a memory leak vulnerability in libcurl that occurs when processing HTTP 3xx redirect responses containing a `Location:` header. Specifically, the memory allocated for the `Location:` header's value is not properly deallocated when the `Curl_easy` handle is reused for subsequent requests (e.g., when following redirects or …
These vulnerabilities were found with https://trickest.com https://trickest.io CVE-2021-26085: ===================== >https://jira.mariadb.org:/s/123cfx/_/;/WEB-INF/web.xml CVE-2021-26086: ===================== >https://jira.mariadb.org/s/cfx/_/;/WEB-INF/web.xml Video explanation: --------------------- ### Node EOF-RAW-DATA: - Found Jira hosts from various bug bounty programs convert to file ### Node SED-ADD-AT-BEGINNING: - Append https:// to every line ### Node PASTE-JIRA-PATHS - Converts Jira paths to file ### …
We noticed that the upload functionality contains the ability to upload files from remote server, however there are some mitigations against accessing the AWS Instance Metadata service. We've managed to bypass these mitigations using DNS rebinding and we've managed to fetch the AWS IAM keys when Concrete CMS is running …
Found CSRF Issue in https://www.legalrobot.com/beta/nl/ POST Request : POST /webhooks/beta HTTP/1.1 Host: app.legalrobot.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: https://www.legalrobot.com/beta/nl/ Content-Length: 107 origin: https://www.legalrobot.com Connection: close firstName=jdsfkds&lastName=dskfdsj&position=sdkdsj&company=skdjf&email=heeraj123%40gmail.com&language=Dutch Attacker can implement a form such …
**Hi,** While authenticating digits to my Fabric account I have noticed that the callback_url is not solid i.e. any sub domain or any path is accepted as callback_url with host as fabric.io. This issue can be exploited by leaking the authorization token to third party websites (websites mentioned on kit's …
Hi security, Description: I found user id in encrypted form from their profile url https://www.yelp.com/user_details?userid=<user id's> on intercepting request of add friend, compliment and send message I can identify user id. When I change identified user ID to other user's ID then request of add friend is sent …
Good day, I hope it treats you kindly :) Legal Robot looks to use AWS hosting for your website. Description of issue: ===================== The Amazon Bucket (s3://legalrobot) has been configured to allow Public users access to browse all files on the server. This is a risk as described as it …
Hi, Only self-XSS, but thought I would report it anyway! I noticed the cookie "location" had some JSON in it, so I changed the city field to `<script>debugger</script>`, made sure it was encoded the same, then went to add a new location/change an existing location at https://www.yelp.com/profile_location. Making sure the …
Hey guys, **TL;DR:** Reflected XSS on `websummit.net/attendees/featured-attendees` as the `q` parameter is directly reflecting special characters in the `data-url` on the handlebars template section of the page, as opposed to URL encoding them. **Proof of Concept:** Visit [https://websummit.net/attendees/featured-attendees?q=rubyoob%27%3E%3Ciframe/onload=alert(document.domain)%3E%3C/iframe%3E](https://websummit.net/attendees/featured-attendees?q=rubyoob%27%3E%3Ciframe/onload=alert\(document.domain\)%3E%3C/iframe%3E). I've tested this on all modern browsers (latest Chrome, Firefox and Edge). …
On pages https://biz.yelp.com/login and https://biz.yelp.com/forgot a malicious user can verify if a particular E-mail address is registered on biz.yelp.com. Steps to reproduce for https://biz.yelp.com/login: 1. Open https://biz.yelp.com/login 2. Enter non-existing E-Mail Address 3. Enter any password 4. Submit form 5. Result: The error message discloses that the submitted E-Mail …
**Summary:** Due to an Insecure Direct Object Reference (IDOR) in adding recipients to a shared package on ██████████, an unauthenticated attacker can access all files uploaded to ████. As described on ██████████ website, this includes documents with classifications up to FOUO, including PII / PHI Privacy Act data, and documents …
# INTRODUCTION ## _I used an account to search for this vulnerability:_ id: 5407773 email: [email protected] ## _IP used:_ __2a01:e34:ec2a:9240:7d25:26c3:1449:bfe7__ ## _endpoint URL:_ https://www.semrush.com/content-paywall/api/accesslevel ## _Summary:_ CORS policy too permissive. # EXPLOITATION ## _Description of Security Issue:_ When we navigate on semrush we are led to make a request like …
General DROWN was responsibly disclosed to the OpenSSL team prior to the public disclosure. This OpenSSL blog post, by Viktor Dukhovni and Emilia Käsper, describes the vulnerability: https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/ This is probably a good opportunity to again thank everyone who helped with the disclosure process :-)
Hello, I've discovered a Denial of Service vulnerability in WordPress. My advisory can be found in the attachment in text format. If there are any questions please let me know, I'm happy to help. The vulnerability was discovered during a month-long security project to find vulnerabilities in WordPress and …