HackerOne Disclosed Reports - 2026-07-15

0 Replies, 5 Views

Logo
Medium
resolved

Stored XSS in Rocket.Chat HTML File Export — Unauthenticated Entry via LiveChat


Bug reported by Denis Rostilov was disclosed at July 16, 2026, 5:02 am   |   Cross-site Scripting (XSS) - Stored

A vulnerability was discovered in the HTML file export feature of Rocket.Chat. The vulnerability allowed an attacker to inject arbitrary JavaScript code that would execute when the exported HTML file was opened. The root cause was that the application did not properly sanitize or escape user-supplied data before including it in the exported HTML. As a result, an unauthenticated attacker could leverage the vulnerability to perform actions such as data exfiltration and credential phishing.


Logo
Medium
resolved

Able to bypass authorization logic and gain more access then intended


Bug reported by v1c7 was disclosed at July 15, 2026, 4:35 pm   |  

A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. The vulnerability was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, and 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.


Logo
Medium
resolved

Bedrock AgentCore Starter Toolkit Creates Gateway IAM Roles Without Confused Deputy Protections


Bug reported by Sergio Garcia was disclosed at July 15, 2026, 3:11 pm   |   Incorrect Permission Assignment for Critical Resource

The Bedrock AgentCore Starter Toolkit was found to create IAM roles for the AgentCore Gateway with trust policies that lacked certain condition keys. This enabled a cross-account confused deputy attack where any AgentCore workload in any AWS account could assume the victim's Gateway role. The role granted access to sensitive resources in the account, including secrets, KMS, Lambda, DynamoDB, and S3.


[Image: e72398fe92beda2aa80d0329e8b9f4febece7568.gif]



Users browsing this thread: 1 Guest(s)