![]() |
|
HackerOne Disclosed Reports - 2026-07-14 - Printable Version +- Dark C0d3rs (https://darkcoders.wiki) +-- Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log) +--- Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports) +--- Thread: HackerOne Disclosed Reports - 2026-07-14 (/Thread-HackerOne-Disclosed-Reports-2026-07-14) |
HackerOne disclosed reports - 2026-07-14 - hashXploiter - 07-15-2026
Low
resolved Stored XSS on Trix Editor version latest (2.1.16) - Sanitizer BypassBug reported by jeeva was disclosed at July 14, 2026, 7:26 pm | Cross-site Scripting (XSS) - Stored A vulnerability was discovered in Trix Editor version 2.1.16 that allowed for a Stored Cross-Site Scripting (XSS) attack. The vulnerability arose from an unsafe interaction between Trix's custom DOMPurify configuration and its document serialization logic. The issue was caused by Trix's use of the "data-trix-serialized-attributes" attribute, which was not properly sanitized during the serialization process, allowing an attacker to inject malicious JavaScript code. The vulnerability was deemed a direct bypass of previously reported Trix Editor vulnerabilities.
Medium
resolved bedrock-mantle.api.aws accepts Bedrock API keys outside the IAM Deny, CloudTrail signal, and invocation logging AWS publishes for Bedrock keysBug reported by Sergio Garcia was disclosed at July 14, 2026, 6:52 pm | Insecure Default Initialization of Resource A second Bedrock API key-accepting service plane called "bedrock-mantle" was discovered. This plane was not described in AWS's customer-facing Bedrock documentation. As a result, the AWS-published security controls to detect and prevent Bedrock API key abuse failed to apply to the bedrock-mantle plane. Specifically, the IAM deny policy, CloudTrail detection signal, and model invocation logging configuration were all found to be ineffective against the bedrock-mantle plane. |