HackerOne: Ability to bulk submit reports via query named based batching
A vulnerability was discovered in the GraphQL API of the HackerOne platform. The vulnerability allowed an attacker to bulk submit reports via query-based batching, bypassing the intended limit of 500 reports. This was achieved by leveraging a Python script to generate a large number of reports in...
HackerOne: IDOR: Authorization Bypass in LockReport Mutation for public reports
An authorization bypass vulnerability allowed an attacker to lock any public report, potentially disrupting the reporting process...
HackerOne: Hackers two email disclosed on submission at hackerone hactivity
Sensitive information, including the email addresses of two hackers/reporters, was inadvertently disclosed in a video proof-of-concept (PoC) on a HackerOne submission...
HackerOne: IDOR - Delete all Licenses and certifications from users account using CreateOrUpdateHackerCertification GraphQL query
All licenses and certifications in HackerOne could be deleted by changing the ID number in the CreateOrUpdateHackerCertification GraphQL query...
HackerOne: Support Tickets can be created on behalf of other users using spoofed email | Bypass of #2001913
A vulnerability allowed an attacker to create support tickets on behalf of other users by sending a fake email to [email protected]. This bypassed a previous fix implemented by HackerOne to prevent support tickets from being created via email...
HackerOne: Bypass of #2035332 RXSS at image.hackerone.live via the `url` parameter
A reflected cross-site scripting (RXSS) vulnerability was discovered on the image.hackerone.live website. The vulnerability allowed an attacker to bypass the fix implemented for a previous RXSS issue. By modifying the server's response to a HEAD request, the attacker could change the Content-Type a...
Missing password confirmation when creating app passwords
None...
Existence of calendars and addressbooks can be checked by unauthenticated users
None...
Users can delete external storage mount points
None...
Notes attachment renders HTML in preview mode
None...
user_oidc app stores client secret unencrypted in database
None...
Issuer not verified from obtained token in user_oidc
None...
Advanced permissions not respected when copying entire group folders
None...
Internet Bug Bounty: (CVE-2023-32006) Permissions policies can impersonate other modules in using module.constructor.createRequire()
A vulnerability was discovered in Node.js that allowed permissions policies to impersonate other modules using the module.constructor.createRequire function. This could bypass the policy mechanism and enable the loading of modules outside of the defined policy. The vulnerability affected all user...
HackerOne: Able to see Bonus amount given to a report even if the bounty and Bonus is not visible to public or mentioned in {Report-Id}.json
A vulnerability allowed users to see the bonus amount given to a report, even if the bounty and bonus were not visible to the public or mentioned in the report's JSON file. This resulted in the exposure of confidential information...
HackerOne: Staff and Triage can modify the initial post of a report, including of already disclosed reports
The initial post of a report on HackerOne could be modified by program members and Triage, allowing them to change the information and potentially manipulate the narrative of the report...
HackerOne: Takeover of hackerone.engineering via Github
The hacker was able to take over the hackerone.engineering domain after a brief misconfiguration window on GitHub. They claimed the domain in their own repository while the DNS records were still pointing towards GitHub. The issue has been resolved and no malware was found on the site during the...
HackerOne: Bypass report submit restriction/ban using the API key
A vulnerability was discovered that allowed banned researchers to submit reports through API keys, bypassing reporting restrictions. By creating an API key after an account was banned from submitting reports, a researcher could still submit reports to programs without restrictions, potentially...
HackerOne: Unauthorized Ticket can be created by an Attacker in user's Helpdesk account
An unauthorized user was able to create tickets in any user's helpdesk account without authorization or knowledge...
aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
Impact: aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6, which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available, which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an...