HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 1881 - 1900
**Summary:** Hey team, while editing our **Licenses and certifications**, if we change the ID number we can delete other users' **Licenses and certifications**. It simply can be done by editing the ID number in our graphql query. If we change the ID from 1 to X possible range then we can …
**Summary:** Pull Request #12949 has security implications but it was not assigned a CVE by the Node team. It is being reported by Qualys as a 6.8 severity issue without a CVE. **Description:** Here is the commit and pull request - https://github.com/nodejs/node/commit/010f864426 https://github.com/nodejs/node/pull/12949 I'm reporting this as an employee of …

Flag WriteUp

Critical Closed
Hello everyone, here is my writeup: ## Intro First I decoded the QR Code of the [tweet](https://twitter.com/Hacker0x01/status/1045075889120268289), decoding to `Here you go: 68747470733a2f2f68312d353431312e68316374662e636f6d`. Decoding the hex value we get the challenge URL: https://h1-5411.h1ctf.com ## Path traversal + local file read On the website I found …
Hi, Just found a CSRF in admin panel of gitlab instance to pause/resume runner. ## Steps to reproduce - http://{gitlab_instance}/admin/runners/:runner_id/resume - http://{gitlab_instance}/admin/runners/:runner_id/pause Video: ███████ password: `██████████` ## Impact Just found a CSRF in admin panel of gitlab instance to pause/resume runner.
> NOTE! Thanks for submitting a report! Please replace *all* the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! **Summary:** h1-5411-ctf write-up The …
apox
**Summary:** It was possible to escalate to Remote Code Execution via different bugs such as local file read, php object injection, XML External Entity and Un-Pickling of Python serialized object. **Description:** Using local file read it was discovered that the php code was vulnerable to php object injection and a …
##Summary## Chaturbate.com provides the ability for its users when in chat to ignore other users in chat rooms via DM etc by adding their camhandle name to ignore_list via HUI Actually this is just a POST to `/chat_ignore_list/` getting as a parameter the `username` which is the *camhandle* name in …
Got the flag: flag{cha1n1ng_bugs_f0r_fun_4nd_pr0f1t?_or_rep0rt_an_LF1} Will submit the writeup as soon as I finalize it. ## Impact -
@erbbysam and I recently set out to beat the latest CTF challenge hosted by HackerOne. Here is a write-up with the process we took from start to finish. The h1-5411 CTF begins with a tweet from HackerOne: * https://twitter.com/Hacker0x01/status/1044974142150373378 {F351665} This leads to a website called the HackerOne Meme Generator: …
ziot
**Vulnerability** *Reflected xss* in (https://theacademy.upserve.com). **STEPS TO REPRODUCE** 1. Go to (https://theacademy.upserve.com/playlists/all-videos/). 2. Click on any video to watch from the playlist and capture the request in burp. 3. You have to capture the request to (https://theacademy.upserve.com/wp-admin/admin-ajax.php?action=load_player&video_id=5742677405001&player_id=B14h0D4OM&type=pc&post_id=2712) 4. Then replace the video_id with this payload = r"><BODY%20ONLOAD=alert(1)>. 5. Then see …
## Summary: > \#395737 has shown that Brave supports `chrome://brave/<local_file>` URLs. > The Brave team introduced a patch which blocks navigation to `chrome://brave` and removed `chrome.remote.require` to prevent command execution on the machine. ### Navigation to `chrome://brave` via shortcut files > ~~From my understanding:~~ 1. Brave allows DnDing files 2. …
The slack binary from the Linux desktop application is no position independent executable: $ file usr/lib/slack/slack usr/lib/slack/slack: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped (pie executables report either "LSB shared object" or "LSB pie executable".) Position independent executables are required for …
## Summary: It's possible to navigate to the infamous 'chrome://brave' (and all other) privileged page from web, requiring only a single click. This is possible by opening popups with the 'noopener' attribute. ## Products affected: Brave: 0.24.0 V8: 6.9.427.23 rev: f657f15bf7e0e0c50a2b854c6b05edb59bfc556c Muon: 8.1.6 OS Release: 10.0.17134 Update Channel: Release OS …
qab
## Summary: An attacker can get arbitrary data overflowed in the heap via Basic Authorization base64 blob. Even when basic auth isn't configured. ## Report sent to developers When calling HttpHeader::getAuth the field value will be base64 decoded. The call to the decode method doesn't ensure that the buffer decodedAuthToken …
## Summary: 'chrome://brave' can be navigated to using the middle mouse click (or normal click with CTRL held) IFF coming from a bookmark. I am also using a small bug to actually trick a user into bookmarking our crafted URL through drag and drop. ## Products affected: Brave: 0.24.0 V8: …
qab
## Baby steps Earlier today a friend tipped me off about an ongoing CTF challenge that was being run by HackerOne and would get the first ten winners a ticket to participate in #h15411, which will be a live-hacking event happening in Buenos Aires. This immediately caught my attention and …
##EndPoint /affiliates/stats. does not verify the CSRF Tokens## ## Steps To Reproduce: 1. Log in with your account 2. Navigate to the URL https://chaturbate.com/affiliates/stats.. 3. Check the stats; by default it's today's date or this week in select period. 4. Intercept the request and change the parameter to whatever you want …
`doh_decode_rdata_name()` (`lib/doh.c`) frees an uninitialized pointer under certain conditions. If the remaining buffer length `*remaining` is <= 0, line 1033 is executed, `free()`-ing the uninitialized pointer `thename.bufr` (source below, from v.8.12.1; the bug is still present in master branch as of 3/11/2025): ``` 1020:static CURLcode doh_decode_rdata_name(unsigned char **buf, size_t *remaining, …