HackerOne Reports
Search through disclosed security reports
10,350 reports found
Showing 161 - 180
The search widget functionality at https://twitter.com/settings/widgets/new uses ██████████ to show search results. The issue here is that ████ seems to be caching the results, despite the no-cache request header, and I can force ██████ to show me the cached results. So, if there is a user x who decides to change …
Upstream bug --------------- https://bugs.php.net/bug.php?id=73007 Fixed in PHP 7.0.11 and PHP 5.6.26 --------------- http://php.net/ChangeLog-5.php#5.6.26 http://php.net/ChangeLog-7.php#7.0.11 Patch ------- ``` http://git.php.net/?p=php-src.git;a=commit;h=20fa323d53257a776bd7551ce7bdb2261cfe5420 ``` Description: ------------ Big locale string causes stack based overflow inside libicu. PHP could prevent this issue limiting length of the locale to a valid value. Source code: https://github.com/php/php-src/blob/PHP-7.0.10/ext/intl/msgformat/msgformat_format.c#L98 ``` PHP_FUNCTION( msgfmt_format_message …
# PHP Integer Overflow in gdImageWebpCtx ## 1. Affected Version + PHP 7.0.10 ## 2. Credit This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB. ## 3. Testing Environments + **OS**: Ubuntu + **PHP**: [7.0.10](http://php.net/distributions/php-7.0.10.tar.gz) + **Compiler**: Clang + **CFLAGS**: ``-g -O0 -fsanitize=address`` ## 4. PoC ``` <?php …
How to reproduce: - Create an account on any server running Nextcloud 13 or 14. - Open the personal settings. - Upload a large image as avatar (tested with a 4032x3024 PNG image of about 14.5 MB). - Keep the selected area in the popup and save the avatar. - …
Acronis • Acronis True Image Local Privilege Escalation via insecure folder permissions (Medium, $300, Closed)
Note: This has been submitted via service desk earlier, and I got a call from Acronis customer service that it's up on H1 and I should submit it there as well. All of the Acronis LaunchDaemons (except the price helper) which can be found here: `/Library/LaunchDaemons/com.acronis.*` start an app / …
**Summary:** SSL certificate missing for page: http://rinkeby.chain.link/ which is letting an attacker sniff sensitive information, in this case, the user's testnet address, as it is being transmitted unencrypted in clear text **Description:** http://rinkeby.chain.link/ is missing SSL encryption; data sent over this address is leaking information to any malicious user and be …
Hello dear support, I found a Blind SSRF issue that allows scanning internal ports on https://fleet-status.app.elstc.co. From this issue, you can check the server port. HTTP request =========== GET /api/v1/http/default/raw?regex=%22service.name%22:/s*%22(package-registry)%22&statusCodeMax=200&statusCodeMin=200&url=http://p8yfvg6nige7z2ndagpf3v181z7pve.burpcollaborator.net:22 HTTP/1.1 Host: fleet-status.app.elstc.co User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate …
Hi team, I found a sensitive file hosted on '████' that I think must not be publicly accessible due to the wording "████████" # Vulnerable Endpoint: ``` https://██████ ``` █████████ Regards ## Impact Sensitive information publicly accessible ## System Host(s) ██████████ ## Affected Product(s) and Version(s) ## CVE Numbers ## …
Hi team, I found a sensitive file hosted on '█████████' that I think must not be publicly accessible due to the wording "███████" # Vulnerable Endpoint: ``` https://█████████/████████ ``` ██████████ ## Impact Sensitive information publicly accessible ## System Host(s) ████████ ## Affected Product(s) and Version(s) ## CVE Numbers ## Steps …
https://bugs.python.org/issue22928 https://access.redhat.com/security/cve/cve-2016-5699
**Summary:** The docker registry at https://██████ has no authentication in place and is therefore exposed to the public. This leads to full disclosure of all available docker containers, the possibility to upload docker container and manipulate and delete existing docker containers. **Description:** From https://www.acunetix.com/vulnerabilities/web/docker-registry-api-is-accessible-without-authentication/ : The Docker Registry HTTP API …
## Summary: Curl will reuse existing certificate for further TLS requests when following redirects. This is similar to `CVE 2022-27774` but with narrower impact, as the secret (private key) is not leaked. ## Steps To Reproduce: 1. Configure a site (`targetsite.tld`) to require client certificates for authentication 2. Have `client.crt` …
Similar to #85011, if you edit a Slowvote or Countdown object and include its own object ID in the description, then it will recursively include and prevent the page from loading. mongoose ## Impact Denial of Service. You can include the Slowvote or Countdown object on any other object to …
## Steps To Reproduce: 1. You need a web server, put {F1722320} to www 2. visit it: http://<host>:<port>/poc.html?x=${alert(1)} 3. click it 4. you will see the alert ## Supporting Material: {F1722333} ## Impact Cookie Stealing - A malicious user can steal cookies and use them to gain access to the …
If you go to /settings/, it correctly redirects to /settings/user/username/ and does not give you the option to change global default settings. However if you go straight to /settings/builtin/global/, any user can edit the global default settings. According to https://secure.phabricator.com/D16048, it's supposed to be an administrator panel. mongoose ## Impact …
**Summary:** The application is vulnerable to reflected cross-site scripting attacks on the /job-listing/spotlight URI in the callback parameter. Affected URL or select Asset from In-Scope: https://www.glassdoor.com/job-listing/spotlight Affected Parameter: callback Vulnerability Type: (see list below) XSS Browsers tested: Firefox ## Steps To Reproduce: 1. A malicious SVG HTML attribute is inserted …