Source: Dark C0d3rs (https://darkcoders.wiki), Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log), Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports), Thread: HackerOne Disclosed Reports - 2025-07-11 (/Thread-HackerOne-Disclosed-Reports-2025-07-11)
HackerOne disclosed reports - 2025-07-11 - hashXploiter - 07-21-2025
High
resolved | Account takeover of existing HackerOne accounts through SCIM provisioning
Bug reported by Boy Child was disclosed on July 17, 2025, 2:12 pm
The SCIM provisioning feature in HackerOne's sandbox program was vulnerable to account takeover. An attacker could create a user with an email they controlled, import existing users, assign the victim account to the attacker's user, change the email parameter, and reset the password to gain access to the victim's account. The vulnerability existed due to issues with how the username and email fields were handled during the SCIM provisioning process.
Low
resolved | Reflected XSS in "Cost Tracker" Notes Field
Bug reported by Rishail Hussain Siddiqui was disclosed on July 17, 2025, 9:08 am
Cross-site Scripting (XSS) - Reflected
The reflected Cross-Site Scripting (XSS) vulnerability was discovered in the "Notes" input field of the Cost Tracker section in MainWP (Version 5.4.0.11). Arbitrary user input in this field was reflected back and executed immediately upon saving, due to the lack of proper input sanitization and output encoding.
Low
resolved | Reflected XSS in "Manage Tags" Notes Field
Bug reported by Rishail Hussain Siddiqui was disclosed on July 17, 2025, 9:07 am
Cross-site Scripting (XSS) - Reflected
A reflected Cross-Site Scripting (XSS) vulnerability was discovered in the "Notes" input field under the Manage Tags section. Arbitrary input entered into this field was reflected back and executed immediately upon saving, due to the lack of proper input sanitization and output encoding.
Low
resolved | Reflected XSS in "Create Category" Functionality of Post Creation Module
Bug reported by Rishail Hussain Siddiqui was disclosed on July 17, 2025, 9:07 am
Cross-site Scripting (XSS) - Reflected
A reflected Cross-Site Scripting (XSS) vulnerability was identified in the "Create Category" feature of the post creation functionality. When a user entered a malicious JavaScript payload in the Category Name field, the input was reflected and executed immediately after submission. However, this XSS only executed in the attacker's own session and did not persist or affect other users.
High
resolved | HashDoS in V8
Bug reported by Mate Marjanović was disclosed on July 15, 2025, 10:49 pm
Cryptographic Issues - Generic
The V8 release used in Node.js v24.0.0 changed how string hashes were computed using rapidhash. This implementation reintroduced the HashDoS vulnerability, where an attacker who could control the strings to be hashed could generate many hash collisions without knowing the hash-seed.
High
resolved | Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()
Bug reported by was disclosed on July 15, 2025, 10:44 pm
Path Traversal
An incomplete fix has been identified for a vulnerability affecting Windows device names in the `path.normalize()` function in Node.js. The vulnerability allows path traversal protection to be bypassed on devices such as CON, PRN, and AUX.
Medium
resolved | Banned user still has access to their deleted account via HackerOne's API using their API key
Bug reported by MrMax was disclosed on July 14, 2025, 8:50 pm
Improper Access Control - Generic
The user's banned account could still be accessed using their previously generated API token, allowing them to perform actions such as retrieving reports, balance, earnings, payouts, weaknesses, and program information. This vulnerability was discovered and exploited on a test account.
Low
resolved | Reflected XSS in "Client Notes" Field
Bug reported by Rishail Hussain Siddiqui was disclosed on July 13, 2025, 4:47 pm
Cross-site Scripting (XSS) - Reflected
A reflected Cross-Site Scripting (XSS) vulnerability was discovered in the "Notes" functionality under the Edit Client section. User input in the notes input field was not properly sanitized or encoded, allowing malicious JavaScript payloads to be reflected back in the application's HTML response upon submission. While this vulnerability was not directly exploitable by other users, it highlighted a potential entry point for more severe XSS vulnerabilities in the application.
High
resolved | Leaked reused password for a few Khan Academy users
Bug reported by Abdelrahman Tamer was disclosed on July 12, 2025, 10:31 am
Cleartext Storage of Sensitive Information
A large number of Khan Academy user credentials, including emails and passwords, were exposed through a Telegram bot. The exact source of the leaked data is unknown, but the volume of exposed information was substantial.