HackerOne disclosed reports - 2025-09-17 - hashXploiter - 09-18-2025
Critical
resolved - Critical Information Disclosure via /talos/api/v1/files/upload

Bug reported by Sameer Ali was disclosed at September 17, 2025, 7:09 pm | Inclusion of Sensitive Information in an Include File

A vulnerability was discovered in the file upload functionality, where uploaded files were first stored on the server before being sent to S3. Due to a configuration flaw, memory chunks from the server were included in some uploaded files. This issue was classified as critical and was addressed as a priority.
Low
resolved - URL Scheme Validation Bypass in Shopify Mobile App Allows Javascript Execution

Bug reported by Franc Vian was disclosed at September 17, 2025, 3:23 pm | Forced Browsing

A vulnerability in the Shopify mobile application allowed bypassing URL scheme validation in the NavigationActivity component. Attackers could craft malicious URLs using `data:` or `javascript:` schemes to execute JavaScript code within the app's webview context.
Low
resolved - MongoDB Query Logs & Schema Leak via Unauthenticated Endpoint

Bug reported by Sameer Ali was disclosed at September 17, 2025, 12:16 pm | LLM06: Sensitive Information Disclosure