Dark C0d3rs
HackerOne Disclosed Reports - 2026-07-02 - Printable Version




HackerOne disclosed reports - 2026-07-02 - hashXploiter - 07-03-2026

Severity: Medium | Status: resolved

Non-Production API Endpoints for the Amazon S3 Tables Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration


Bug reported by Nick Frichette (Datadog) was disclosed at July 2, 2026, 5:51 pm   |   Insufficient Logging

A vulnerability was discovered in the Amazon S3 Tables service where certain non-production API endpoints failed to log calls to CloudTrail. This allowed permission enumeration to be performed without leaving any trace in CloudTrail. Twenty-three endpoints were identified that exhibited this behavior, allowing privileged and non-privileged principals to determine the permissions of the accessed identity without generating any CloudTrail events.
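Permission enumeration normally leaves a recognisable CloudTrail footprint: a single principal producing a burst of AccessDenied events across many distinct actions. The following is an added example, not code from the report or from AWS, that runs that detection over constructed CloudTrail-style records and also shows the blind spot the report describes: a second function lists invoked actions that produced no event at all, which is what unlogged endpoints look like to a defender. The principal ARNs, event times and the `HypotheticalUnloggedAction` name are constructed placeholders, not the 23 real endpoints.

```javascript
// Added example (not the report's or AWS's code). Field names follow the
// CloudTrail record schema; all values are constructed for illustration.
function denied(second, eventName, arn = 'arn:aws:iam::123456789012:user/auditor') {
  return {
    eventTime: `2026-07-01T10:00:${String(second).padStart(2, '0')}Z`,
    eventSource: 's3tables.amazonaws.com',
    eventName,
    errorCode: 'AccessDenied',
    userIdentity: { arn },
  };
}

// Constructed sample: one principal probing six actions in 15 seconds,
// one successful call, and one unrelated denial from another principal.
const SAMPLE_EVENTS = [
  denied(1, 'ListTableBuckets'),
  denied(3, 'GetTableBucket'),
  denied(5, 'CreateTableBucket'),
  denied(8, 'ListNamespaces'),
  denied(12, 'GetNamespace'),
  denied(15, 'ListTables'),
  { eventTime: '2026-07-01T10:00:20Z', eventSource: 's3tables.amazonaws.com',
    eventName: 'ListTableBuckets', userIdentity: { arn: 'arn:aws:iam::123456789012:user/auditor' } },
  denied(40, 'GetTable', 'arn:aws:iam::123456789012:user/other'),
];

// Flag principals with >= threshold AccessDenied events inside any windowMs span.
function detectEnumeration(events, { threshold = 5, windowMs = 60000 } = {}) {
  const byPrincipal = new Map();
  for (const e of events) {
    if (e.errorCode !== 'AccessDenied') continue;
    const arn = e.userIdentity && e.userIdentity.arn;
    if (!arn) continue;
    if (!byPrincipal.has(arn)) byPrincipal.set(arn, []);
    byPrincipal.get(arn).push(e);
  }
  const findings = [];
  for (const [principal, denials] of byPrincipal) {
    denials.sort((a, b) => Date.parse(a.eventTime) - Date.parse(b.eventTime));
    const t = denials.map((e) => Date.parse(e.eventTime));
    let start = 0, best = 0, bestRange = [0, 0];
    for (let end = 0; end < t.length; end++) {
      while (t[end] - t[start] > windowMs) start++;   // slide the window
      if (end - start + 1 > best) { best = end - start + 1; bestRange = [start, end]; }
    }
    if (best >= threshold) {
      const slice = denials.slice(bestRange[0], bestRange[1] + 1);
      findings.push({
        principal,
        deniedCalls: best,
        distinctActions: new Set(slice.map((e) => `${e.eventSource}:${e.eventName}`)).size,
        firstSeen: slice[0].eventTime,
        lastSeen: slice[slice.length - 1].eventTime,
      });
    }
  }
  return findings;
}

// Coverage check: actions a test harness invoked that never appeared in
// CloudTrail. An endpoint with the report's defect shows up here and is
// invisible to detectEnumeration above.
const INVOKED = [
  { eventSource: 's3tables.amazonaws.com', eventName: 'ListTableBuckets' },
  { eventSource: 's3tables.amazonaws.com', eventName: 'GetTable' },
  { eventSource: 's3tables.amazonaws.com', eventName: 'HypotheticalUnloggedAction' }, // placeholder name
];

function unloggedActions(invoked, events) {
  const seen = new Set(events.map((e) => `${e.eventSource}:${e.eventName}`));
  return invoked.map((a) => `${a.eventSource}:${a.eventName}`).filter((k) => !seen.has(k));
}
```

The detection only works for calls that reach CloudTrail; the practical check after a report like this is to invoke each action of the service from a test principal and diff against CloudTrail, which is what `unloggedActions` models.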


Severity: Low | Status: resolved

jitsi-meet: Prosody/Jigasi missing header whitelist in mod_filter_iq_rayo allows arbitrary SIP header injection and Caller ID spoofing


Bug reported by MRsheep was disclosed at July 2, 2026, 3:50 pm   |   Improper Input Validation

A vulnerability was discovered in the Prosody and Jigasi components of Jitsi Meet. The Prosody filter implemented an incomplete blocklist that allowed authenticated users with outbound-call privileges to inject arbitrary SIP headers, enabling Caller ID spoofing on outgoing SIP calls in environments where Jigasi operates as a trusted SIP peer.
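The root cause is the classic blocklist failure: a filter that names a few bad headers passes every header it did not think of, and identity can be asserted through more than one SIP header. The following is an added example, not Jitsi's or Prosody's code (their filter is a Lua module, not JavaScript), contrasting the vulnerable pattern with an allowlist that also constrains header values so a CRLF inside a value cannot split into a new header. The header names in both lists are assumptions for illustration; Jigasi's real header set is not reproduced.

```javascript
// Added example (not Jitsi/Prosody code). Header names are assumed.
// Constructed headers as a user with outbound-call rights might submit in a
// Rayo dial request; three of them carry caller identity, one carries CRLF.
const SUBMITTED_HEADERS = [
  { name: 'X-Meeting-Id', value: 'room-42' },
  { name: 'From', value: '"Bank Support" <sip:support@example.com>' },
  { name: 'Remote-Party-ID', value: '"Bank Support" <sip:support@example.com>;party=calling' },
  { name: 'P-Asserted-Identity', value: 'sip:+15551234567@example.com' },
  { name: 'X-Note', value: 'hello\r\nFrom: <sip:spoofed@example.com>' },
];

// Vulnerable pattern: deny a few known-bad names, pass everything else.
// Remote-Party-ID and the CRLF-bearing X-Note both get through.
const BLOCKED = new Set(['from', 'p-asserted-identity']);
function filterHeadersBlocklist(headers) {
  return headers.filter((h) => !BLOCKED.has(String(h.name).toLowerCase()));
}

// Hardened pattern: only names the gateway actually needs, and only values
// made of printable ASCII (no CR/LF, bounded length).
const ALLOWED = new Set(['x-meeting-id', 'x-note']);
const SAFE_VALUE = /^[\x20-\x7e]{1,256}$/;
function filterHeadersAllowlist(headers) {
  const accepted = [];
  const rejected = [];
  for (const h of headers) {
    const name = String(h.name).trim().toLowerCase();
    const value = String(h.value);
    if (ALLOWED.has(name) && SAFE_VALUE.test(value)) {
      accepted.push({ name: String(h.name).trim(), value });
    } else {
      rejected.push(String(h.name));
    }
  }
  return { accepted, rejected };
}
```

With an allowlist, adding a new identity-bearing header to SIP (or to the trusted peer's configuration) cannot silently widen what a user may inject; the filter has to be changed deliberately.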


Severity: Low | Status: resolved

jitsi-call-analytics: Unauthenticated arbitrary file write via path traversal in `/api/v1/uploads/analyze`


Bug reported by zhixin was disclosed at July 2, 2026, 3:41 pm   |   Path Traversal

A path traversal vulnerability was discovered in the `/api/v1/uploads/analyze` endpoint of the jitsi-call-analytics backend. The vulnerability allowed unauthenticated users to write files within the configured `RTCSTATS_DOWNLOADS_PATH` directory. The issue was caused by the upload handler using user-controlled `file.originalname` directly in `path.join()` without sanitization, enabling attackers to include `../` sequences to escape the intended per-session UUID directory and write or overwrite files anywhere under the configured root path. The vulnerability was addressed by fixing the security issue in the file upload handler.


Severity: Medium | Status: resolved

Yelp for Business: locked Email field silently editable via API


Bug reported by Saleh Elsayed was disclosed at July 2, 2026, 3:36 pm   |   Client-Side Enforcement of Server-Side Security

The Yelp Biz Android app's Account Information screen was found to have a vulnerability where the email field was presented as read-only with a lock icon, but could be silently modified via the API endpoint `POST /account/info/bio/v1`. The change was reflected immediately in the app's user interface as well as in the GraphQL API, without any current-password check or out-of-band email confirmation.


Severity: High | Status: resolved

Splatoon 3 In-Match Integrity Bypass via Consensus Reflection Attack on Unordered Peer Submission


Bug reported by Hana was disclosed at July 2, 2026, 1:26 am   |   Client-Side Enforcement of Server-Side Security

A consensus reflection attack on unordered peer submission was discovered in Splatoon 3, allowing an in-match integrity bypass.


Severity: Medium | Status: resolved

[Splatoon 3] Kick other players with NplnLogin message


Bug reported by Alex was disclosed at July 2, 2026, 1:25 am   |   Improper Access Control - Generic

A vulnerability was discovered that allowed players to kick other players from a Splatoon 3 game using an NplnLogin message.