Exceptions may have logged Encryption-at-Rest key content
Lack of ratelimit on Richdocuments OCS endpoint
Bugs-feed - A Local Hosted Portal Where You Can Search For The Latest News, Videos, CVEs, Vulnerabilities...
Bugs-feed is a locally hosted portal where you can search for the latest news, videos, CVEs, vulnerabilities... It is implemented as a PWA, so you can leave the browser behind and use it as a desktop application. Navigate through the different tabs and take a look at the latest bugs, or search...
ASB-A-189402477
Hackerone bug id11876671187670...
XVIDEOS: Text injection or content spoofing on forbidden page
Hello team, while enumerating directories of xvideos.com I found that 403 forbidden directories are reflected on the page, so I created some custom words to change the minds of customers that the website is under construction, so please visit the attacker's site. Reproduction steps: domain: www.xvideos.c...
Untrusted Search Path in Nextcloud Desktop Client
Critical Valve Bug Lets Gamers Add Unlimited Funds to Steam Wallets
A security researcher helped Valve, the makers of the gaming platform Steam, plug an easy-to-exploit hole that allowed users to add unlimited funds to their digital wallet. Simply by changing the account’s email address, the exploit allowed anyone to artificially boost their digital billfold to...
HackerOne: Leaked H1 employees' email addresses, meeting info on private bug bounty program ████████
Summary: Dear Team, I am finding bugs on this private program █████████ and, after logging in with the provided credentials, I searched some people in the list and saw a HackerOne employee account there. Looking at H1 personal stuff, some sensitive information is exposed, like email addresses...
HackerOne: Internal Gitlab Ticket Disclosure via External Slack Channels
@noneoftheabove was able to enumerate GitLab ticket titles and descriptions by posting links in a shared Slack channel. As part of HackerOne's investigation, it was determined that the misconfiguration could also be used to obtain the contents of exceptions from HackerOne's production environment...
HackerOne: Information disclosure - Feedback is accessible on Public profile even after 'disallowed' at https://hackerone.com/settings/feedback
Summary: Hi team, I noticed one possible information disclosure scenario related to My Feedback, managed at https://hackerone.com/settings/feedback Description: In the current scenario, even after unchecking the option "Show this blurb on my profile", I can access the feedback using one POST request...
XSS in Nextcloud Text application
Lack of ratelimit on public DAV endpoint
Filenames not escaped by default in controllers using DownloadResponse
HackerOne: PII data Leakage through hackerone reports
Summary: I found PII data leakage through a HackerOne report. I found a link in one of the disclosed reports that allowed me to get the addresses and phone numbers of security researchers. Here I got the address and phone number of ████ ███ Vulnerability Name: PII data Leakage through Steps to...
CVE-2021-22201
| creationtimestamp | type | source |
|---|---|---|
| 2021-07-05 10:31:36+00:00 | published-proof-of-concept | https://t.me/HackerOne/3071 |
| 2022-07-04 22:13:31+00:00 | published-proof-of-concept | https://t.me/CyberSecurityTechnologies/3538 |
...
Command Injection
Overview: gitlogplus is a Git log parser for Node.js. Affected versions of this package are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization. PoC by Rafal Janicki: 1. Run npm i gitlogplus 2. Run mkdir gi...
HackerOne: Report Duplicate Detector can match deleted and draft reports, may disclose title and vulnerability information
When a Report is submitted on HackerOne.com, a feature called the Report Duplicate Detector helps program members and triagers find potential duplicates of the submitted report. This feature will match against all reports that were submitted to the program. When the feature was introduced, all...
HackerOne: Mishandling of HackerOne Clear background checks resulting in disclosure of other hackers' information
Summary: Mishandling of HackerOne Clear background checks resulting in disclosure of other hackers' information. Description: I received a HackerOne Clear invite for "█████". I am not █████. There appears to be some kind of off-by-one error or similar problem with the HackerOne Clear invites! fir...
Urban Company: Broken Link on Urban Company's Vulnerability Submission Form
Summary: Urban Company has an unclaimed broken link on their HackerOne security page which can be claimed by any malicious user. Later, the malicious user can exploit this issue to deceive new researchers into submitting their legitimate findings to the wrong hands. Steps To Reproduce: 1. Visi...
Malicious Android application can crash the Nextcloud Android Client