HackerOne Disclosed Reports - 2025-11-19 - Printable Version
+- Dark C0d3rs (https://darkcoders.wiki)
+-- Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log)
+--- Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports)
+--- Thread: HackerOne Disclosed Reports - 2025-11-19 (/Thread-HackerOne-Disclosed-Reports-2025-11-19)
HackerOne disclosed reports - 2025-11-19 - hashXploiter - 11-20-2025
Low
resolved: Lack of minimum value bid wheel verification on customer_bid in Rental Trips
Bug reported by Sameer Ali was disclosed at November 20, 2025, 5:46 am | Business Logic Errors
A missing validation on the customer_bid field when creating rental trips allowed passengers to submit arbitrary bid amounts, including very low fares. Proper validation was added to prevent unrealistic values.

Medium
resolved: Customer can cancel an individual booking in a batch, causing locking of partner
Bug reported by Sameer Ali was disclosed at November 20, 2025, 5:32 am | Business Logic Errors
The vulnerability allowed users to update the status of individual trips inside a batch, even though only batch-level status changes were intended. By cancelling the single trip inside a one-parcel batch, the batch was placed into an inconsistent state, causing the assigned partner to become stuck in a booking they could not complete or cancel.

Medium
resolved: Existence of completed pods allows for bypass of Kubernetes NetworkPolicy
Bug reported by SavannaBungee was disclosed at November 19, 2025, 11:05 pm | Improper Access Control - Generic

Medium
resolved: Unrestricted setPerPage allows huge result sets / resource exhaustion / mass log retrieval
Bug reported by Dang Hung Vi was disclosed at November 19, 2025, 1:00 pm | Allocation of Resources Without Limits or Throttling

Medium
resolved: Username normalization missing allows visually indistinguishable accounts (Whitespace-Based Impersonation)
Bug reported by _dha was disclosed at November 19, 2025, 12:57 pm | Improper Neutralization of Whitespace

Medium
resolved: Stored-XSS in campaign name displayed in Banners modal
Bug reported by Dang Hung Vi was disclosed at November 19, 2025, 12:56 pm | Cross-site Scripting (XSS) - Stored

Low
resolved: Stored-XSS in Banner Name field
Bug reported by _dha was disclosed at November 19, 2025, 9:36 am | Cross-site Scripting (XSS) - Stored

Medium
resolved: Reflected XSS in /admin/banner-zone.php (v6.0.0+)
Bug reported by Dang Hung Vi was disclosed at November 19, 2025, 9:36 am | Cross-site Scripting (XSS) - Reflected

Medium
resolved: Information Disclosure via Verbose Error Messages
Bug reported by _dha was disclosed at November 19, 2025, 9:35 am | Information Exposure Through an Error Message

High
resolved: IDOR Vulnerability in Banner Deletion
Bug reported by Vitaly was disclosed at November 19, 2025, 9:35 am | Insecure Direct Object Reference (IDOR)

Medium
resolved: Information Disclosure via "Add user" lookup in Account Management (User Access)
Bug reported by _dha was disclosed at November 19, 2025, 9:34 am | Exposure of Sensitive Information Due to Incompatible Policies

High
resolved: Stored XSS in Conversion Statistics via Tracker Name
Bug reported by Vitaly was disclosed at November 19, 2025, 9:33 am | Cross-site Scripting (XSS) - Stored

Low
resolved: Stored XSS on inventory-retrieve.php
Bug reported by lu3ky13 was disclosed at November 19, 2025, 9:33 am | Cross-site Scripting (XSS) - Stored
A Cross-site Scripting (XSS) vulnerability was discovered on the inventory-retrieve.php and campaign-edit.php pages. The vulnerability allowed an attacker to inject malicious code that would be executed when the page was loaded.

Low
resolved: Improper sanitisation of input in the settings could cause DoS
Bug reported by lu3ky13 was disclosed at November 19, 2025, 9:32 am | Business Logic Errors
A vulnerability was found in the settings functionality of the application where attacker-controlled values in the email_fromName and email_fromCompany fields were persisted and later rendered to pages without proper output encoding. This could have led to the execution of arbitrary JavaScript in the context of the application, potentially disrupting or replacing the page UI and effectively disabling the site for affected users.

Medium
resolved: Reflected XSS in account-preferences-plugin.php
Bug reported by lu3ky13 was disclosed at November 19, 2025, 9:32 am | Cross-site Scripting (XSS) - Reflected
A reflected cross-site scripting (XSS) vulnerability was discovered in the account-preferences-plugin.php file of the Revive Adserver 6.0.1 application. Untrusted input from the "group" query parameter was reflected without proper output encoding or context-aware escaping, allowing the injection of malicious JavaScript code into the resulting page.

High
resolved: Authorization bypass allows changing email address of other users
Bug reported by _dha was disclosed at November 19, 2025, 9:32 am | Improper Access Control - Generic
Revive Adserver 6.0.0 was found to have an authorization bypass vulnerability that allowed changing the email address of other users without requiring the account password. The vulnerability was present in the admin panel endpoint /admin/agency-user.php, which accepted a POST request that updated a user's email without re-authentication.