Hackerone, most viewed

15369 matches found

Hacker One • added 2016/08/31 8:08 p.m. • 309 views

Algolia: Hyperlink Injection in Friend Invitation Emails

Description: A user can change their last name to a URL in order to send email invitations containing malicious hyperlinks. Steps to Reproduce: 1. Create a new Algolia account with the last name http://example.com. 2. Navigate to My Account Referral. 3. Send an invitation to an email address that y...

AI score: 1 • Exploits: 0

Hacker One • added 2021/06/24 9:34 p.m. • 306 views

U.S. Dept Of Defense: ███████ - XSS - CVE-2020-3580

████ appears to be affected by the Cisco ASA XSS CVE-2020-3580. This vulnerability targets the SAML service within the VPN. It is triggered via a POST request to /+CSCOE+/saml/sp/acs?tgname=a References...

CVSS: 2.6 • AI score: 1.2 • EPSS: 0.85439 • Exploits: 2

Hacker One • added 2019/01/04 1:49 p.m. • 306 views

HackerOne: Cross-site Scripting (XSS) on HackerOne careers page

Dear HackerOne team, Summary: I found DOM XSS at endpoint https://www.hackerone.com/careers, but cannot bypass CSP. It works on IE and Edge. Steps To Reproduce - JS file is "Masonry js file", vulnerable code: javascript //Checking for potential Lever source or origin parameters var pageUrl =...

Exploits: 0

Hacker One • added 2019/10/04 10:13 p.m. • 305 views

Shopify: StoreFront API allows for a brute force attack on customer login by not timing out ALL attempts

It seems that the service used for login purposes could be brute forced. The system fails when the password is incorrect; after some unsuccessful attempts the following message is shown: "data":"customerAccessTokenCreate":null,"errors":"message":"Login attempt limit exceeded. Please try again...

AI score: 1.7 • Exploits: 0

Hacker One • added 2019/08/23 1:38 p.m. • 305 views

Internet Bug Bounty: mod_http2, read-after-free in h2 connection shutdown (CVE-2019-10082)

Using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown. This is made possible by a race condition in which nghttp2 maintains a reference to a stream after mod_http2 has destroyed it. This vulnerability has been fixed in...

CVSS: 6.4 • AI score: 9.2 • EPSS: 0.16549 • Exploits: 0

Hacker One • added 2019/01/30 7:12 a.m. • 305 views

Mail.ru: Insecure Storage and Overly Permissive Google Maps API Key in Android App

Google API keys used in Cloud Mail.Ru for Android application were not properly limited in functionality...

AI score: 2.2 • Exploits: 0

Hacker One • added 2020/06/24 3:26 p.m. • 304 views

IRCCloud: IDOR with Geolocation data not stripped from images

Vulnerable URL: https://usercontent.irccloud-cdn.com/file/0wXMTrPu/hgjbk Vulnerability Description: When an image is taken using a smartphone or camera, certain metadata fields are often attached to it. These fields could include the model of the camera, the time it was taken, whether the flash...

AI score: 6.7 • Exploits: 0

Hacker One • added 2020/02/27 8:10 a.m. • 304 views

X (Formerly Twitter): Reset password without knowing current password

Description: Hi team, I found an interesting flaw in your password recovery mechanism that gives the ability to reset a password without a valid token and without knowing the current password. I'm going to explain it here: In the https://www.twitterflightschool.com/ domain, if you try to reset your password from...

AI score: 6.8 • Exploits: 0

Hacker One • added 2015/09/07 11:57 a.m. • 304 views

ownCloud: Webview Vulnerability [OwnCloud Android Application]

Hi OwnCloud Team, Vulnerability Description: What is WebView? We can load a remote URL or display HTML pages stored in our application within an activity using WebView. Internally it uses the WebKit rendering engine to display web pages. It supports methods to navigate forward and backward, text...

CVSS: 9.3 • EPSS: 0.42623 • Exploits: 6

Hacker One • added 2020/11/06 3:23 p.m. • 303 views

Acronis: CVE-2020-6287 https://redapi2.acronis.com

Hi team. Summary: CVE-2020-6287 https://redapi2.acronis.com https://nvd.nist.gov/vuln/detail/CVE-2020-6287 SAP NetWeaver AS JAVA LM Configuration Wizard, versions 7.30, 7.31, 7.40, 7.50, does not perform an authentication check, which allows an attacker without prior authentication to execute...

CVSS: 10 • AI score: 0.1 • EPSS: 0.94719 • Exploits: 6

Hacker One • added 2016/07/28 7:48 a.m. • 303 views

Nextcloud: Bookmarks: Delete all existing bookmarks of a user

A logical bug in the bookmark app makes it possible to delete all the existing bookmarks of the user. Here are the steps to reproduce: - Create a couple of valid bookmarks - Import a bookmark.html file that contains the line Bookmark. All the bookmarks of the user are replaced with a blank url and...

AI score: 7.5 • Exploits: 0

Hacker One • added 2018/04/20 6:56 p.m. • 302 views

Nextcloud: The session token in the URL

Hello team, I found that the URL transports the session token, and it's sensitive information, so placing session tokens into the URL increases the risk that they will be captured by an attacker. Fix: Applications should use an alternative mechanism for transmitting session tokens, such as HTTP...

AI score: 0.2 • Exploits: 0

Hacker One • added 2021/05/04 8:05 a.m. • 301 views

Sifchain: RSA PRIVATE KEY disclosure

Hi, https://github.com/Sifchain/sifnode/blob/4fb7523322f74e70600a10fff4dbdd42425c077f/ui/.vagrant/machines/default/virtualbox/privatekey discloses an RSA PRIVATE KEY. Impact: might give access to sensitive data protected with this key...

AI score: 6.8 • Exploits: 0

Hacker One • added 2016/02/05 3:07 a.m. • 300 views

New Relic: Login page does not properly validate the authenticity token at the server side

Description: POST /login?returnto=%2Foauthprovider%2Fauthorize%3Fresponsetype%3Dcode%26clientid%3D%252BvB2dkv4yOb37C00ACk%252B6A%253D%253D%26redirecturi%3Dhttps%253A%252F%252Frpm.newrelic.com%252Fauth%252Fnewrelic%252Fcallback%26state%3D2ea541fcd18aa27925ad8977848536106cbaf1bbb4611f90 HTTP/1.1...

AI score: 7 • Exploits: 0

Hacker One • added 2021/06/26 11:38 a.m. • 299 views

Basecamp: Error Page Content Spoofing or Text Injection

Target: https://gopher.hey.com/ Description: Content spoofing, also referred to as content injection, "arbitrary text injection" or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle...

AI score: 0.4 • Exploits: 0

Hacker One • added 2020/05/28 2:33 p.m. • 298 views

U.S. Dept Of Defense: xmlrpc.php file is enabled, which allows an attacker to perform XSPA, brute-force and even Denial of Service (DoS), in https://████/xmlrpc.php

Summary: Hello team, I have found a security vulnerability in https://███████/xmlrpc.php which lets an attacker: 1: XSPA or PortScan 2: Bruteforce 3: DOS and much more Description: Impact Step-by-step Reproduction Instructions █████████ 1: Go to https://██████/xmlrpc.php to check if it is enabled o...

AI score: 0.2 • Exploits: 0

Hacker One • added 2021/09/10 1:59 p.m. • 297 views

U.S. Dept Of Defense: Information disclosure at '████████' --- CVE-2020-14179

Research conducted on ████████ indicates that the Atlassian Jira Server and Data Center instance allows remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint CVE-2020-14179...

CVSS: 5 • AI score: 1.8 • EPSS: 0.76042 • Exploits: 1

Hacker One • added 2022/03/14 7:03 p.m. • 296 views

Internet Bug Bounty: Read and write beyond bounds in mod_sed

This CVE consists of several bugs in mod_sed, where overflows, truncation, uses after free and a logic error can allow a remote, unauthenticated attacker to read and/or write heap locations beyond bounds. See https://github.com/apache/httpd/commit/943f57b336f264d77e5b780c82ab73daf3d14deb and...

CVSS: 7.5 • AI score: 10.1 • EPSS: 0.50401 • Exploits: 0

Hacker One • added 2016/05/04 7:29 a.m. • 296 views

Uber: OneLogin authentication bypass on WordPress sites

First, I'm sorry about reporting another WordPress bug; my intention was just to check if WP-OneLogin stores any sensitive info that could be used to attack OneLogin on your other websites. Overview: The *.uber.com WordPress sites use OneLogin SAML-SSO instead of the normal WordPress login. The...

AI score: 7 • Exploits: 0

Hacker One • added 2021/12/02 2:08 p.m. • 295 views

Django: Deserialization of potentially malicious data to RCE

Hello, Django Team! It's my first time working with you, hope it will be great! Note: I have not seen this issue in known vulnerabilities or in documentation, so here I am. Summary: Several types of caches in https://github.com/django/django/tree/main/django/core/cache/backends use python...

CVSS: 7.5 • AI score: 0.3 • EPSS: 0.07288 • Exploits: 3

Hacker One • added 2016/10/02 4:53 p.m. • 295 views

Uber: password reset token leaking allowed for ATO of an Uber account

With an email address for a valid Uber account, it was possible to take over that account because the reset token was exposed in the response of a password reset HTTP request. This meant an attacker could initiate password reset for an account and immediately receive the reset token for that...

AI score: 0.4 • Exploits: 0

Hacker One • added 2017/06/27 3:39 a.m. • 294 views

arxius: Disclosure of phpmyadmin

User doesn’t know how to pentest and just reports open ports and phpmyadmin then requests public disclosure. Whatever makes him happy. %00...

AI score: 6.8 • Exploits: 0

Hacker One • added 2020/08/19 7:58 p.m. • 293 views

U.S. Dept Of Defense: Elmah.axd is publicly accessible and leaking Error Log for ROOT on █████_PRD_WEB1 █████████elmah.axd

Description: Hello, Security team, hope you are doing well. I found out that elmah.axd is publicly accessible on ████████, which is leaking error logs that contain cookies and server code etc. Step-by-step Reproduction Instructions: 1. Go to ██████elmah.axd and you will see the error logs. 2. Same...

AI score: 0.3 • Exploits: 0

Hacker One • added 2018/10/01 6:42 a.m. • 293 views

Chaturbate: CSRF on change video thumbnail at https://chaturbate.com

Hi, I noticed the "change video thumbnail" option works through a GET request and there is no CSRF token on the change-video-thumbnail option, so if an attacker is somehow able to obtain the thumbnail id of a victim's video, it can help the attacker induce the victim to change the video thumbnail...

AI score: 0.1 • Exploits: 0

Hacker One • added 2022/05/17 5:28 p.m. • 292 views

curl: CVE-2022-32207: Unpreserved file permissions

Summary: Curl fails to preserve file permissions when writing: - CURLOPT_COOKIEJAR database - CURLOPT_ALTSVC database - CURLOPT_HSTS database Instead the permissions are always reset to 0666 & umask if the file is updated. As a result a file that was before protected against read access by other users...

CVSS: 7.5 • AI score: 9.2 • EPSS: 0.05481 • Exploits: 1

Hacker One • added 2021/07/09 8:24 p.m. • 292 views

HackerOne: PII data Leakage through hackerone reports

Summary: I found PII data leakage through HackerOne reports. I found a link in one of the disclosed reports that allowed me to get the address and phone numbers of security researchers. Here I got the address and phone number of ████ ███ Vulnerability Name: PII data Leakage through Steps to...

AI score: 0.8 • Exploits: 0

Hacker One • added 2020/10/26 11:17 p.m. • 292 views

pixiv: Bypass extension check leads to stored XSS at https://s2.booth.pm

In this report, a hacker identified a stored XSS in the header image upload function at https://manage.booth.pm/design/edit using Content-Type header manipulation. Upon file upload, the server failed to properly validate the provided Content-Type, accepting unintended values such as Content-Type:...

AI score: 0.3 • Exploits: 0

Hacker One • added 2019/08/28 12:18 a.m. • 292 views

Internet Bug Bounty: Windows builds with insecure path defaults (CVE-2019-1552)

Advisory: https://www.openssl.org/news/secadv/20190730.txt Severity: Low OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable...

CVSS: 7.5 • AI score: 6.9 • EPSS: 0.01866 • Exploits: 1

Hacker One • added 2022/05/06 12:35 p.m. • 291 views

Glovo: Django debug enabled showing information about system, database, configuration files

Summary: Hi team, the subdomain pulpo.it.glovoint.com is a Django application running with debug mode turned on (DEBUG = True). One of the main features of debug mode is the display of detailed error pages to help developers. If your app raises an exception when DEBUG is True, Django will display...

AI score: 6.4 • Exploits: 0

Hacker One • added 2016/01/17 3:36 p.m. • 291 views

Pornhub: [ssrf] libav vulnerable during conversion of uploaded videos

Researcher was successful in exploiting a vulnerability in the libav ffmpeg encoder in order to execute SSRF attacks...

CVSS: 4.3 • AI score: 5.6 • EPSS: 0.14621 • Exploits: 3

Hacker One • added 2025/04/02 10:40 a.m. • 290 views

Internet Bug Bounty: Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow cli

The Apache Airflow Fab Provider before version 1.5.2 was affected by an insufficient session expiration vulnerability. When a user's password was changed using the admin CLI, the existing user sessions were not cleared, allowing logged-in users to continue accessing the system even after the...

CVSS: 8.1 • AI score: 6.6 • EPSS: 0.0092 • Exploits: 0

Hacker One • added 2024/09/16 5:57 a.m. • 290 views

nullsec VDP: Test by HDR

Test by HDR...

AI score: 7.1 • Exploits: 0

Hacker One • added 2023/02/24 3:02 p.m. • 290 views

Internet Bug Bounty: HTTP multi-header compression denial of service

A vulnerability was discovered in curl versions 7.57.0 to 7.87.0 that allowed a malicious server to insert an unlimited number of compression steps by using many headers, resulting in a "malloc bomb" and a denial of service attack. The vulnerability was fixed in version 7.88.0 by capping the numb...

CVSS: 6.5 • AI score: 7.3 • EPSS: 0.01703 • Exploits: 1

Hacker One • added 2021/05/10 11:50 p.m. • 290 views

Sifchain: Email Spoofing on sifchain.finance

Summary: There is an Email Spoofing vulnerability on your domain sifchain.finance which allows an attacker to send an email with your domain name such as [email protected] and so on. Steps To Reproduce: Go to http://emkei.cz Fill the "From Email" field with [email protected] or any other...

AI score: 6.7 • Exploits: 0

Hacker One • added 2016/07/17 12:23 a.m. • 290 views

Nextcloud: The application uses basic authentication.

Basic authentication is enabled on file access requests. Description: Basic authentication is enabled on the server if we request the direct URL of a file. The issues of using Basic Authentication can be read here - OWASP: Basic Authentication. Though...

AI score: 0.1 • Exploits: 0

Hacker One • added 2021/11/18 9:56 p.m. • 287 views

Internet Bug Bounty: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.50

Hello Apache team, @fms and myself were able to bypass the latest patch for CVE-2021-41773 in Apache 2.4.50. These are the payloads: 1 %%32%65%%32%65 2 .%%32%65 3 .%%32e 4 .%2%65 PoC Path Traversal GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1...

CVSS: 7.5 • AI score: 9.2 • EPSS: 0.99964 • Exploits: 62

Hacker One • added 2020/03/03 6:28 p.m. • 287 views

Visma Public: HTML-injection in PDF-export leads to LFI

The researcher was able to extract the contents of files using the pdf-generator in "Yearly Financial Statements". This was done by adding an IFRAME tag inside the company name. Once rendered in Yearly Financial Statements, it included the file the IFRAME was pointing to. In this POC it was /etc/passw...

AI score: 2.8 • Exploits: 0

Hacker One • added 2021/02/04 10:31 p.m. • 286 views

U.S. Dept Of Defense: CRXDE Lite/CRX is on ██████ exposed that leads to PII disclosure

Hi team, I found that AEM is running on ████████ and CRXDE Lite/CRX is exposed to unauthenticated users, which can lead to information disclosure. POC: 1. Visit https://██████//██████████ 2. Go to query and search for admin, then execute 3. Go to this endpoint to retrieve the information...

AI score: 7 • Exploits: 0

Hacker One • added 2018/01/25 9:27 p.m. • 286 views

Node.js third-party modules: [metascraper] Stored XSS in Open Graph meta properties read by metascraper

Hi Guys, metascraper is vulnerable to Stored XSS via Open Graph metadata, if they are used in HTML without any sanitization. Module: A library to easily scrape metadata from an article on the web using Open Graph metadata, regular HTML metadata, and a series of fallbacks...

CVSS: 4.3 • AI score: 5.7 • EPSS: 0.00922 • Exploits: 1

Hacker One • added 2019/10/04 2:16 p.m. • 285 views

Automattic: Stored XSS vulnerability in comments on *.wordpress.com

Summary: The SyntaxHighlighter plugin used in the comments section of *.wordpress.com sites is vulnerable to stored XSS via a crafted payload. Platforms Affected: *.wordpress.com. SyntaxHighlighter is also an open source plugin which is affected by this vulnerability:...

AI score: 0.7 • Exploits: 0

Hacker One • added 2017/05/07 12:41 a.m. • 285 views

Concrete CMS: Password Reset link hijacking via Host Header Poisoning

Summary: Concrete5 uses the Host header when sending out password reset links. This allows an attacker to insert a malicious host header, leading to password reset link / token leakage. Impact: The victim will receive the malicious link in their email, and, when clicked, it will leak the user's passwo...

AI score: 6.8 • Exploits: 0

Hacker One • added 2021/12/15 10:30 a.m. • 284 views

Judge.me: Log4j RCE on https://judge.me/reviews

Summary: CVE-2021-44228, also named Log4Shell or LogJam, is a Remote Code Execution (RCE) class vulnerability. If attackers manage to exploit it on one of the servers, they gain the ability to execute arbitrary code and potentially take full control of the system. What makes CVE-2021-44228 especial...

CVSS: 9.3 • AI score: 3.3 • EPSS: 0.99999 • Exploits: 348

Hacker One • added 2025/03/31 2:44 p.m. • 283 views

AWS VDP: Non-Production API Endpoints for the Neptune Graph Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration

The non-production API endpoints for the Neptune Graph Service were found to fail logging to CloudTrail, resulting in silent permission enumeration. Specifically, seven non-production endpoints were identified that could be used with standard IAM credentials without generating CloudTrail logs. Th...

AI score: 7 • Exploits: 0

Hacker One • added 2021/11/14 11:54 p.m. • 283 views

Internet Bug Bounty: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier...

CVSS: 7.5 • AI score: 9.3 • EPSS: 0.99992 • Exploits: 173

Hacker One • added 2020/01/13 9:25 a.m. • 283 views

curl: Port and service scanning on localhost due to improper URL validation.

Summary: Generally web masters and developers protect user-accessible CURL from requesting forbidden domains so that the attacker is not able to access internal resources. It is usually done using regular expressions. Mostly addresses like 127.x.x.x, 192.168.x.x and "integer" notation of IP...

AI score: 6.9 • Exploits: 0

Hacker One • added 2018/01/22 8:29 p.m. • 283 views

HubSpot: Reflected XSS and Server Side Template Injection in all HubSpot CMSes

Really, I don't know why the BugCrowd team closed my submission as N/A (F337815). They mentioned that it was not in scope?! So I reported it again in another submission, but this time I messaged the security company directly and it was triaged and fixed in 2 days. Full PoC: I found it in this path /hcms/cta, so this...

AI score: 0.9 • Exploits: 0

Hacker One • added 2021/05/12 11:42 p.m. • 282 views

Sifchain: Wordpress Users Disclosure (/wp-json/wp/v2/users/) on sifchain.finance

Information: Using the REST API, we can see all the WordPress users/authors with some of their information. Steps To Reproduce: You can get user info by entering the URL below in your browser: https://www.sifchain.finance/wp-json/wp/v2/users/ Results:...

AI score: 6.9 • Exploits: 0

Hacker One • added 2017/07/30 8:00 p.m. • 282 views

Legal Robot: LUCKY13 (CVE-2013-0169) affects legalrobot.com

Hello security team, The site legalrobot.com is potentially vulnerable to Lucky13. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=907589...

CVSS: 2.6 • AI score: 0.9 • EPSS: 0.35584 • Exploits: 1

Hacker One • added 2017/06/30 5:32 a.m. • 282 views

WakaTime: Forgot password link doesn't expire after being used, only after some hours

Hi, Hope you guys are doing great. I want to report a couple of issues regarding the forgot password mechanism. 1st ISSUE: One thing I noticed is that when a password reset link is requested and the user changes their password, that reset link should expire immediately, but in your case, a used reset link can be reus...

AI score: 7.3 • Exploits: 0

Hacker One • added 2015/02/01 2:34 p.m. • 282 views

Ruby on Rails: Explicit, dynamic render path: Dir. Trav + RCE

Possible Information Leak Vulnerability in Action View. There is a possible directory traversal and information leak vulnerability in Action View. This vulnerability has been assigned the CVE identifier CVE-2016-0752. Versions Affected: All. Not affected: None. Fixed Versions: 5.0.0.beta1.1,...

CVSS: 5 • AI score: 2 • EPSS: 0.95537 • Exploits: 11

Total number of security vulnerabilities: 5000