Hi team, I found an Iframe injection issue where I chained it and formed an XSS. I found the issue in the text editor area while ███████ing the account. There is a place in the registration area where we have to give a reason for █████████. We can write our reason and edit to show more beautifully.

May 21, 2018 - Hi Team, I would like to report HTML Injection in statics-server module. It is possible to inject malicious ```iframe``` tag via filename and execute arbitray JavaScript code. # Module **module name:** statics-server **version:** 0.0.9 **npm ...

A Cross-Site Scripting (XSS) vulnerability was found on a TikTok Ads endpoint via the "redirect" parameter. We thank @cancerz for reporting this to our team.

March 29, 2018 - I would like to report HTML Injection in buttle module. Due to lack of filenames sanitization, it is possible to inject malicious ```iframe``` tag via filename and execute arbitray JavaScript code. # Module **module name:** buttle **version:** 0.2.0 **npm page:** https://www.npmjs.com/package/buttle ## Module Description Simple static file (+ markdown) server.

January 25, 2018 - Hi Guys, **anywhere** allows to embed HTML in file names, which (in certain conditions) might lead to execute malicious JavaScript. **Module:** Running static file server anywhere. https://www.npmjs.com/package/anywhere **Description** To embed ...

April 16, 2021 - CSP includes `*.firebaseapp.com` , instead of just `stripo-app.firebaseapp.com` therefore allowing any users to include their own iframe by hosting it on google firebase > *correction: There is no such thing as iframe xss, this should be iframe injection :))*

July 30, 2021 - company.com -> parent window hackerone-jm.firebaseapp.com -> child (iframe) Well, iframes are naughty children, they can mess with their parents most of the time if not given proper counter-measures. I watch anime in pirated streaming sites, and one thing all of us will remember are those annoying pop-ups and redirects. This is what inspired my findings · From a simple iframe injection, I upgraded mine to an open redirect.

I would like to report HTML Injection vulnerability in ```sexstatic``` module. It is possible to use HTML in directory names, which might lead to run arbitrary JavaScript code in the browser. ## Module **module name:** sexstatic **version:** 0.6.2 **npm page:** https://www.npmjs.com/packag...

## Summary: [Insecure Frame (External)] ## Steps To Reproduce: [Vulnerability Details identified an external insecure or misconfigured iframe.] Remedy Apply sandboxing in inline frame For untrusted content, avoid the usage of seamless attribute and allow-top-navigation, allow-popups and allow-scripts in sandbox attribute.

April 4, 2022 - <html><head><title>test</title></head><body><iframe width=500 height=500 src="http://169.254.169.254/latest/meta-data/ami-id/"></iframe></body></html>

Several variations on an XSS in the CS platform, involving throwing a malformed error that caused the error buddy to interpret user-provided data as HTML. We now make sure to sanitize all of the messages passed from the iframe before using them.

Hi team, headers.php is injectable. you can see on IE browsers. FULL URL : https://www.bittorrent.com/scripts/site/headers.php?_=1586521900793&callback= ## Impact fix them

April 4, 2023 - ⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be...

It looks like your JavaScript is disabled. To use HackerOne, enable JavaScript in your browser and refresh this page

January 29, 2025 - ## **Summary:** The target website is vulnerable to Clickjacking, a web-based attack that tricks users into interacting with a hidden or disguised iframe. Attackers can exploit this vulnerability to manipulate user actions, potentially leading ...

Hello. I remembered that a couple of months ago I found an HTML injection vulnerability on myetherwallet.com, I sent it, but my message was ignored. Since you have the same interface, I decided to check this vulnerability on your site and it was reproduced. The vulnerability works both on ...

However, no escape is implemented which allows malicious user to embed executable JavaScript or HTML code (eg. to load HTML document into ```iframe``` element and execute JavaScript from within loaded file).

## Summary: Hi, I have found that search box on pressable.com is vulnerable for XSS attack and HTML Injection . ## Steps To Reproduce: 1. Visit https://pressable.com/knowledgebase/ 2. Put the...