Writeups

Improper Access Control on www.target.example through /services/formcampaign via header "option" leads to unauthenticated read/write on the production marketing-campaign database

An unauthenticated AEM Sling servlet exposes four CRUD operations (getData / getDataById / setData / updateData) on the internal marketing-campaign database via a single option request header. The only access control is a Referer string check that any HTTP client trivially bypasses. Anonymous attackers can read the full 79-campaign dataset (including internal segmentation logic and the names of internal prospect databases), create arbitrary new campaigns in the production backoffice, and overwrite existing real production campaigns.

pyus3r

74

Stored XSS in public-share preview silently exposes the victim's entire drive

Stored XSS on a cloud-drive public-share preview endpoint that serves user-uploaded HTML as text/html on the main application origin with a permissive CSP. A single click on the share link executes attacker JavaScript with same-origin access to the victim's session, allowing the attacker to impersonate the victim against every drive API — exfiltrating collaborator PII, the full file tree, payment-system identifiers and five cross-service XSRF tokens, modifying account preferences, and silently turning every private file in the victim's drive into a public URL.

pyus3r

62

Blind POST SSRF via Web Push Notification Endpoint

HackerOne disclosed report --> https://hackerone.com/reports/3608558 by misop00p

hackerone-reports

18

V1Plugin.Decrypt panics on empty ciphertext (Remote DoS)

HackerOne disclosed report --> https://hackerone.com/reports/3620748 by misop00p

hackerone-reports

4

V2Plugin.Decrypt panics on empty ciphertext (Remote DoS)

HackerOne disclosed report --> https://hackerone.com/reports/3620753 by misop00p

hackerone-reports

3

POST /api/bitcoinWithdrawalFees returns financial data without authentication despite being documented as a USER OPERATION (private endpoint)

HackerOne disclosed report --> https://hackerone.com/reports/3676308 by glferreira-devsecops

hackerone-reports

5

HMAC signature verification omits endpoint and payload allowing request forgery on CoinMate API

HackerOne disclosed report --> https://hackerone.com/reports/3670955 by glferreira-devsecops

hackerone-reports

2

Liberapay member team twitter account broken Link Hijacking via Expired Twitter Account Link

HackerOne disclosed report --> https://hackerone.com/reports/3721519 by rox-11

hackerone-reports

0

ActiveStorage Disk Service Path Traversal via Custom Blob Key Injection

HackerOne disclosed report --> https://hackerone.com/reports/3580511 by ksw9722

hackerone-reports

0

Critical Deadlock Vulnerability in Monero RPC Leading to Complete Node Paralysis

HackerOne disclosed report --> https://hackerone.com/reports/3307874 by rorkh

hackerone-reports

1

Out of scope: Improper Input Validation Order on /api-internal/login via password field leads to unnecessary resource consumption

HackerOne disclosed report --> https://hackerone.com/reports/3625600 by bereza4321

hackerone-reports

1

Email Verification Bypass / Email Squatting via Client-Side `accounts.setAccountInfo`

gpk21

15