HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 1961 - 1980
This issue is open https://bugs.php.net/bug.php?id=79099&edit=2 You can see the bug in the link ## Impact Memory leak or RCE
### Summary Ruby has an Amazon S3 bucket named `http://rubyci.s3.amazonaws.com/` which lists some of their log files. Those logs have some information to check the source code server side directories. ### Steps to Reproduce 1. Go to `http://rubyci.s3.amazonaws.com/` which has **READ** permission to all objects hosted in that bucket …
I would like to report Prototype pollution in klona. It allows adding arbitrary property to Prototype while deep cloning an object # Module **module name:** klona **version:** <1.1.1 **npm page:** `https://www.npmjs.com/package/klona` ## Module Description A tiny (366B) and fast utility to "deep clone" Objects, Arrays, Dates, RegExps, and more! ## …
Report Submission Form ## Summary: Use of nginx.ingress.kubernetes.io/auth* annotations results in a file named {namespace}-{ingress}.passwd. If user knows the namespace and ingress of an ingress they want to compromise they need to be able to create a namespace that is some subset of {namespace}-{ingress}. Then they create an ingress with …
Hey, I spent some time reversing the mitigation of Rosetta Flash. This research helped me to discover a very interesting bug: Adobe Flash player uses "string searching" (similar to indexOf) over the entire response's "Content-Type" header value to match the "application/x-shockwave-flash" string. Once matched, the flash player will skip all …
## Summary: XSS vulnerability in mtn.bj in file name ## Steps To Reproduce: 1. Go to: https://www.mtn.bj/business/ressources/formulaires/plan-de-localisation-de-compte/?next=https://www.mtn.bj/business/ressources/formulaires/formulaire-de-souscription/ 2. Fill all inputs with any data 3. In file upload, upload a file with a payload file name such as: "><img src=x onerror=alert(document.cookie);.jpg 4. The payload will be executed in the page …
So, some of the songs in the app can be purchased. Clicking the buy button sends a request to the server (truncated for convenience): GET /isDownloaded;jsessionid=DZSUq1yT_UMNFNcYk5-mZ10DGJbUCoNYFHRUcNNwINHoSrDkkkf4gInosiPimoqGaysNvWs7GV7fnOMGgfsbCA.hHaqWq9PyS8b9PmEoYf_cA?tid=90920917758231 In response we get: {"title":"Ð¨Ð°Ñ ÐµÑ€ÐµÐ·Ð°Ð´Ð°","trackId":90920917758231,"price":10,"copyrightOwnerName":"Digital Project","isBought":false,"copyrightOwnerId":22,"image":null,"artist":"Натали"} But if you click on any song that is available for download and, during the first request, change the tid parameter to the value of the song you want to download, …
## Summary: Normally ███ asks users to verify their email during registration, but I found a way to bypass this so that an attacker can create accounts with emails that are not his own, abusing the integrity of MTN. ## Steps To Reproduce: 1. Create an account with you owned …
## Summary: [visit this URL it will redirect you to http://bing.com. https://reviewnic.com/redirect.php?url=http://bing.com. Note: Attacker could change http://bing.com to http://evilsite-of-attacker.com and hence can steal user credentials.] ## Impact: [URL Redirection or Invalidate Open Redirect are usually used with phishing attacks or in malware delivery, it may confuse the end user on …
## Summary Hi Acronis team, I found an endpoint: `www.acronis.com/en-us/api/v1/lead/id:929-HVV-335&token:_mch-acronis.com-<integer value>` that is vulnerable to IDOR. With this vulnerability an attacker can steal private info such as company name, user name and surname, telephone number etc... ## Steps To Reproduce 1. Once logged in to account.acronis.com go to: …
f_m
## Summary fr1.vpn.zomans.com points to an AWS EC2 instance at 52.47.57.107 that no longer exists. I was able to take control of this IP address and run my own EC2 instance. I can now serve content on this domain, obtain a TLS certificate for this domain, etc. If any customers …
ian
**Bug Bounty Report** ### Summary A SQL injection vulnerability was discovered in the User-Agent parameter of the website `https://██████████/`. This vulnerability allows an attacker to inject SQL commands through the User-Agent HTTP header, potentially leading to unauthorized access to sensitive data stored in the backend database. ████ ## Impact - …
## Description I discovered a previously unidentified instance https://████/ (███████) in ██████████ network, vulnerable to the CVE-2018-0296 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0296) ## POC `curl -i -k "https://████████/+CSCOU+/../+CSCOE+/files/file_list.json" --path-as-is` ███ We can disclose user sessions by querying /sessions: `curl -i -k "https://████/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions" --path-as-is` ## Suggested fix Updating to the latest version should fix the …
## Description I discovered a previously unidentified instance https://██████████/ in ██████████ network, vulnerable to the CVE-2018-0296 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0296) ## POC `curl -i -k "https://██████/+CSCOU+/../+CSCOE+/files/file_list.json" --path-as-is` █████████ We can disclose user sessions by querying /sessions: `curl -i -k "https://████████/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions" --path-as-is` ## Suggested fix Updating to the latest version should fix the issue. …
Hi team, Summary: ====================== I noticed that when activating 2FA by SMS, you can also use that 2FA activation code as an authentication code when logging in. Steps: ========================= 1. Go to: https://accounts.shopify.com/accounts/36430415/security and log in 2. Activate 2FA by SMS for the account and save the code …
**Summary:** Improper input validation allows pinning of arbitrary messages (in private channels), leaking the message content back to the sender. **Description:** Message pinning was found to lack input data validation, so that arbitrary messages can be pinned and leaked back to an unauthorized client. ```javascript Meteor.methods({ pinMessage(message) { if (!Meteor.userId()) …