Hackerone: Most viewed

15369 matches found

Hacker One
added 2015/11/19 4:06 p.m., 41 views

HackerOne: Pre-generation of 2FA secret/backup codes seems like an unnecessary risk

If you manage to get a malicious script running in HackerOne, requesting https://hackerone.com/settings/authentication/edit and parsing out the two factor authentication form will yield either… - the 2FA secret key and backup codes that will be used if 2FA is enabled for the first time this sessi...

AI score 0.8
Exploits: 0

Hacker One
added 2015/11/12 9:24 p.m., 41 views

Algolia: an xss issue

I found an XSS issue here: https://www.algolia.com/explorer?index=test&tab=ranking. I tried to put an XSS payload " in index ranking, so I put the XSS payload in the Ranking formula, then hit save. When it is being saved the XSS payload is stored, so that upon Indices the XSS payload is executed. P.S. pleas...

AI score 0.3
Exploits: 0

Hacker One
added 2015/11/05 2:02 a.m., 41 views

HackerOne: Cross-domain AJAX request

Hi, two weeks ago I found a cross-domain AJAX request, but due to the fact that you use a very strict Content Security Policy, I hesitated to send this. Today I noticed that the bug has been fixed. But this fix can be bypassed. This example is not working now (screenshot 1):...

AI score 0.2
Exploits: 0

Hacker One
added 2015/10/19 4:00 p.m., 41 views

Whisper: SMS Invite Form Abuse

whisper.sh fails to protect the invite form from abuse by attackers. If a malicious individual wants to abuse this functionality, they could send repeated/automated requests to the same phone number or a range of phone numbers that do not actually belong to them. This would result in lots of...

AI score 0.9
Exploits: 0

Hacker One
added 2015/06/10 9:27 a.m., 41 views

Mail.ru: Possible xWork classLoader RCE: shared.mail.ru

It looks like it is affected by https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2014-05-21: classLoader goes through, i.e. there is no fix at the regex level, and the version is within the vulnerable range. I will of course try to actually execute code over the weekend, but by outward signs it is there. All versions below...

Exploits: 0

Hacker One
added 2015/06/01 10:03 p.m., 41 views

VK.com: XSS on added name album on videos.

Hi. Steps to reproduce: First go to https://vk.com/video. Next click on Add a Video. After adding a video from YouTube, insert TEST XSS in the title field and click save. Next, go to https://vk.com/video again and you will see the video with the name TEST XSS. Click on TEST XSS and you will fo...

AI score 6.2
Exploits: 0

Hacker One
added 2015/02/13 11:07 a.m., 41 views

Enter: Email Enumeration (POC)

Hi, I am opening the ticket again; now I have a PoC to show you. First, here is the issue again: 1. log in to the Robocoin account, go to settings 2. choose change my email 3. enter your pass 4. enter any email you want to check 5. if the email isn't registered a message appears saying the email is changed 6. if it...

AI score 6.9
Exploits: 0

Hacker One
added 2015/02/04 2:08 a.m., 41 views

HackerOne: Insecure Direct Object Reference vulnerability

In the program portal, there is an option to add external people as participants in a bug report. The admin can then remove this person as well if needed. The request for removing an external reporter looks like: DELETE /reports//externalusers/ HTTP/1.1 Host: hackerone.com User-Agent:...

AI score 0.5
Exploits: 0

Hacker One
added 2015/01/21 5:37 a.m., 41 views

X (Formerly Twitter): Flaw in login with twitter to steal Oauth tokens

Hey hi, Steps to reproduce: I have been testing the Twitter kit in Fabric. I added login with Twitter integration to my application. I pushed the application to my Android phone, clicked login with Twitter, entered my username and password. Searched...

AI score 6.9
Exploits: 0

Hacker One
added 2014/11/21 1:39 p.m., 41 views

X (Formerly Twitter): [Stored XSS] vine.co - profile page

Stored XSS via API request: While creating a new account in the Windows mobile app, I noticed this request: PUT /users/1147563919679037440 HTTP/1.1 avatarUrl=https%3A%2F%2Fvines.s3.amazonaws.com%2Favatarstrellis%2F2014%2F11%2F21%2F0B2EAE2EB811475639291495546881.3.4.jpg&username= it seems that the...

AI score 6.1
Exploits: 0

Hacker One
added 2014/09/27 4:34 a.m., 41 views

Coinbase: Credit Card Validation Issue

Hi Coinbase, I'm not sure if this counts as a bug, but it definitely counts as a vulnerability. The issue is in your credit card verification for instant purchases. The system does not, or rarely, checks the validity of a credit card after it is added. This allows me to make instant buy purchases,...

AI score 6.7
Exploits: 0

Hacker One
added 2014/07/15 3:53 a.m., 41 views

Automattic: Missing HSTS header in https://public-api.wordpress.com

Hi, Vulnerable Website: https://public-api.wordpress.com/oauth2/authorize?client_id=930&response_type=code&blog_id=0&state=05f9c401dedcb9b3f33d82e8b335d1128d24d4cbc4a73903374f952acdfd34f6&redirect_uri=https%3A%2F%2Fvaultpress.com%2Flogin%2F%3Faction%3Drequestaccesstoken I tested the website using...

AI score 6.8
Exploits: 0

Hacker One
added 2014/06/29 10:13 a.m., 41 views

jsDelivr: Using nmap revealing sensitive information

check this = http://prntscr.com/3xlww2 nmap scan result. Starting Nmap 6.46 http://nmap.org at 2014-06-29 15:34 India Standard Time NSE: Loaded 30 scripts for scanning. NSE: Script Pre-scanning. Initiating Parallel DNS resolution of 1 host. at 15:35 Completed Parallel DNS resolution of 1 host. a...

AI score 0.1
Exploits: 0

Hacker One
added 2014/06/27 12:30 p.m., 41 views

Faceless: Tap Jacking Attack on Button Tags

UI Redressing Tap jacking attack may trick users into tapping a specifically crafted malicious App popup window e.g. toast view, making it a gateway for varied threats such as framing attack. Using this technique, a malicious App could potentially trick a user into making purchases, clicking on...

AI score 1.7
Exploits: 0

Hacker One
added 2014/05/29 7:02 p.m., 41 views

Mail.ru: connect.mail.ru: SSRF

Internal resources on the mail.ru network can be browsed: POST /ajax?ajaxcall=1&funcname=perlfetchconnectpage HTTP/1.1 Host: connect.mail.ru User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/javascript, text/html, application/xml, text/xml, /...

AI score 7.1
Exploits: 0

Hacker One
added 2014/04/21 5:07 p.m., 41 views

Mail.ru: Clickjacking

URL: http://promo.calendar.mail.ru/ POC: Clickjack test page. Website is vulnerable to clickjacking!...

AI score 0.1
Exploits: 0

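
The Automattic (missing HSTS) and Mail.ru (clickjacking) entries above are both missing-response-header findings. The following is an added example, not code from either report or program, of the check a practitioner would script for them: it parses a raw HTTP/1.x response and flags a missing or too-short Strict-Transport-Security header and the absence of any framing protection (a CSP frame-ancestors directive or X-Frame-Options). Both responses are constructed, not captured from the sites in the reports.

```python
import re

HSTS_MIN_AGE = 31536000  # one year; shorter values leave a window once the policy lapses

# Constructed responses, not captured from the sites in the reports.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>promo</body></html>"
)
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw_response):
    """Return (status_line, {lower-case name: [values]}) for a raw HTTP/1.x response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit(raw_response, served_over_https=True):
    """List the header weaknesses a browser would act on for this response."""
    _, h = parse_headers(raw_response)
    findings = []

    # Browsers ignore HSTS delivered over plain HTTP, so only judge it for HTTPS responses.
    if served_over_https:
        hsts = h.get("strict-transport-security")
        if not hsts:
            findings.append("missing Strict-Transport-Security")
        else:
            m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts[0], re.IGNORECASE)
            if m is None:
                findings.append("Strict-Transport-Security without max-age is ignored")
            elif int(m.group(1)) < HSTS_MIN_AGE:
                findings.append(f"Strict-Transport-Security max-age {m.group(1)} is below {HSTS_MIN_AGE}")

    # Framing: a CSP frame-ancestors directive takes precedence over X-Frame-Options when both exist.
    csp = ";".join(h.get("content-security-policy", []))
    has_frame_ancestors = re.search(r"(?:^|;)\s*frame-ancestors\s+\S", csp, re.IGNORECASE) is not None
    xfo = [v.upper() for v in h.get("x-frame-options", [])]
    if not has_frame_ancestors and not any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        findings.append("framable: no frame-ancestors directive and no X-Frame-Options DENY/SAMEORIGIN")
    return findings


if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("good", GOOD_RESPONSE)):
        print(name, audit(resp) or "no findings")
```

The `served_over_https` flag matters for the HSTS check: the header is only honoured on an HTTPS response, so auditing the plain-HTTP redirector for it produces a false positive.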
Hacker One
added 2014/04/07 3:45 p.m., 41 views

Yahoo!: reflected XSS, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean

Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...

AI score 6.7
Exploits: 0

Hacker One
added 2014/03/22 10:54 a.m., 41 views

Slack: Stored XSS in Slackbot Direct Messages

Whenever a new team is created, Slackbot uses automated profile completion by asking the user a few questions, like first name, last name, Skype account etc. But if instead of providing the correct details we provide as input, then Slackbot will cause the data to go inside the anchor tag ... so...

AI score 0.3
Exploits: 0

Hacker One
added 2014/02/16 1:00 a.m., 41 views

Yahoo!: Flickr: Invitations disclosure (resend feature)

Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...

AI score 6.7
Exploits: 0

Hacker One
added 2026/05/13 11:33 p.m., 40 views

curl: TLS verifyhost bypass in rustls, mbedTLS, and wolfSSL when verifypeer=0

The now-well-known CURLOPT_SSL_VERIFYHOST-bypass-when-CURLOPT_SSL_VERIFYPEER=0 defect exists in three of curl's TLS backends: rustls (EXPERIMENTAL), mbedTLS, and wolfSSL (DNS hostnames only). The documented contract at docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.md:57-59: The check that the host name in the...

CVSS 5.8, AI score 6.5, EPSS 0.04888
Exploits: 0

Hacker One
added 2026/01/17 7:52 a.m., 40 views

curl: libcurl: Improper Authentication State Management on Cross-Protocol Redirects

Following the recent advisory for CVE-2025-14524, I conducted an investigation into how libcurl manages OAuth2 credentials during complex redirect chains. I have confirmed that while the library successfully protects traditional user credentials, it fails to clear OAuth2 Bearer tokens in the same...

CVSS 5.7, AI score 7.4, EPSS 0.01595
Exploits: 2

Hacker One
added 2025/03/18 3:27 p.m., 40 views

AWS VDP: Amazon Kendra Intelligent Ranking Service Reporting "AWS Internal" for CloudTrail Events Generated from FIPS Endpoints

The AWS Kendra Intelligent Ranking service was found to incorrectly report the user-agent and network information as "AWS Internal" for four API endpoints that are FIPS endpoints. This issue can lead to the obscuring of request information that may be used to track down an adversary...

AI score 6.9
Exploits: 0

Hacker One
added 2024/10/19 10:28 a.m., 40 views

Internet Bug Bounty: [CVE-2024-47888] Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text

There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888. Carefully crafted text was found to cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly...

CVSS 8.7, AI score 6.7, EPSS 0.00991
Exploits: 0

Hacker One
added 2024/04/17 1:32 p.m., 40 views

Liberapay: Unsafe yaml load can lead to remote code execution

The YAML load function can lead to a remote code execution vulnerability. The vulnerability allows the construction of arbitrary Python objects from untrusted YAML data, which can be exploited by an attacker...

AI score 8.2
Exploits: 0

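
The Liberapay entry above is the classic PyYAML footgun: `yaml.load` with a loader that honours `!!python/...` tags will instantiate arbitrary Python objects, which in practice means calling arbitrary callables with attacker-chosen arguments. The following is an added example, not Liberapay's code, that feeds one constructed document to `yaml.UnsafeLoader` and to `yaml.safe_load`. It names a harmless callable (`builtins.sum`) where an attacker would name `os.system` or `subprocess.Popen`; PyYAML is assumed to be installed.

```python
import yaml

# Constructed attacker document. The tag tells the unsafe constructor to import a module,
# look up a name and call it with the listed arguments: here builtins.sum([1, 2, 3]).
# Replace it with os.system and a shell string and the same loader runs a command.
MALICIOUS_DOC = """
!!python/object/apply:builtins.sum
- [1, 2, 3]
"""

# Constructed benign config of the kind an application actually wants to read.
BENIGN_DOC = """
currency: EUR
payday: friday
limits:
  weekly: 100
"""


def load_unsafe(text):
    """What legacy yaml.load(text) (PyYAML < 5.1) or Loader=yaml.UnsafeLoader does: tags become code."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def load_safe(text):
    """safe_load only builds str/int/float/bool/list/dict/None; any python/* tag raises."""
    return yaml.safe_load(text)


def accepts(text):
    """True if the document fits the safe schema, False if it needed a dangerous tag."""
    try:
        yaml.safe_load(text)
        return True
    except yaml.YAMLError:
        return False


if __name__ == "__main__":
    print("unsafe loader evaluated the tag to:", load_unsafe(MALICIOUS_DOC))
    print("safe loader accepts the malicious doc:", accepts(MALICIOUS_DOC))
    print("safe loader config:", load_safe(BENIGN_DOC))
```

`yaml.FullLoader` is not a fix either: it still resolves a range of Python tags, and its history of being re-tightened after bypasses is why `safe_load` (or `yaml.load(..., Loader=yaml.SafeLoader)`) is the only loader to expose to untrusted input.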
Hacker One
added 2024/03/26 4:32 p.m., 40 views

U.S. Dept Of Defense: Reflected Cross-site Scripting via search query on ██████

The summary is as follows: A reflected cross-site scripting vulnerability was discovered in the search query functionality of the ████████ website. An attacker could execute arbitrary JavaScript code in the victim's browser by injecting a malicious payload into the search query parameter...

AI score 6.8
Exploits: 0

Hacker One
added 2024/02/06 9:29 p.m., 40 views

Publitas: Unauthorized Access to Offline Publication Cover Pages via SOURCE_DOCUMENT_ID

A vulnerability was discovered that allowed unauthorized access to offline publication cover pages by sending requests with specific source document IDs. This exposed cover pages and associated user and publication IDs that were intended to be private...

AI score 7
Exploits: 0

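
The HackerOne entry earlier in this list (removing an external participant by ID) and the Publitas entry just above (cover pages fetched by SOURCE_DOCUMENT_ID) are both object references that were never tied back to the caller. The following is an added example, not either vendor's code, of the ordering a handler needs: scope the object to the caller first, only then check the role, and answer an out-of-scope ID exactly like a nonexistent one so the endpoint cannot be used to enumerate. The data, field names and roles are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Actor:
    user_id: str
    program: Optional[str]   # program the actor belongs to, None for ordinary users
    role: str                # "admin" or "member"


class NotFound(Exception):
    """Maps to 404. Also used for out-of-scope objects, so callers learn nothing about them."""


class Forbidden(Exception):
    """Maps to 403: the object is in scope but the role is insufficient."""


# Constructed state standing in for the database.
REPORTS = {
    "1001": {"program": "acme", "external_users": {"ext-7"}},
    "1002": {"program": "globex", "external_users": {"ext-7"}},
}
PUBLICATIONS = {
    "src-1": {"owner": "alice", "offline": True, "cover": "cover-1.png"},
    "src-2": {"owner": "bob", "offline": False, "cover": "cover-2.png"},
}


def delete_external_user(actor, report_id, external_user_id):
    """DELETE /reports/{report_id}/external_users/{external_user_id} (constructed route)."""
    report = REPORTS.get(report_id)
    # 1. Scope: the report must belong to the actor's program. Out of scope looks like nonexistent.
    if report is None or report["program"] != actor.program:
        raise NotFound(report_id)
    # 2. Role, checked only once the object is known to be in scope.
    if actor.role != "admin":
        raise Forbidden("admin role required")
    # 3. The child ID must be attached to *this* parent; a valid ID from another report is not.
    if external_user_id not in report["external_users"]:
        raise NotFound(external_user_id)
    report["external_users"].remove(external_user_id)
    return {"removed": external_user_id, "report": report_id}


def get_cover_page(actor, source_document_id):
    """Cover image lookup: offline (private) publications are visible to their owner only."""
    pub = PUBLICATIONS.get(source_document_id)
    if pub is None or (pub["offline"] and pub["owner"] != actor.user_id):
        raise NotFound(source_document_id)
    return pub["cover"]


def status_for(exc):
    return {NotFound: 404, Forbidden: 403}[type(exc)]


def call(fn, *args):
    """Emulate the HTTP layer: returns (status, body)."""
    try:
        return 200, fn(*args)
    except (NotFound, Forbidden) as exc:
        return status_for(exc), None


if __name__ == "__main__":
    print(call(get_cover_page, Actor("bob", None, "member"), "src-1"))          # (404, None)
    print(call(delete_external_user, Actor("eve", "acme", "admin"), "1002", "ext-7"))  # (404, None)
```

The difference between 403 and 404 is deliberate: a 403 on a foreign ID confirms the ID exists, which is exactly the oracle an enumeration script wants.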
Hacker One
added 2024/01/11 2:21 p.m., 40 views

Enjin: Weak Email Verification: Newly Registered Users Can Bypass Email Verification Step and Log In

Newly registered users were able to bypass email verification and log in. This vulnerability has since been addressed...

AI score 7.1
Exploits: 0

Hacker One
added 2023/12/09 5:47 p.m., 40 views

PortSwigger Web Security: CSP bypass on PortSwigger.net using Google script resources

A cross-site scripting vulnerability was discovered on PortSwigger.net. The site's content security policy allowed resources from Google's reCAPTCHA domain, which contains AngularJS. This could be abused to bypass the CSP and load arbitrary scripts from other domains. The issue allowed an attacke...

AI score 6.7
Exploits: 0

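
The PortSwigger entry above is the standard weakness of a host-allowlist CSP: once a domain is trusted in script-src, every script that domain serves is trusted, and the report says the reCAPTCHA domain serves AngularJS, which will happily evaluate attacker-controlled templates. The following is an added example, not PortSwigger's code or its real policy, of a small CSP parser and audit that flags a host-allowlisted script-src, flags path-only allowlists (CSP stops enforcing the path once the fetch has been redirected), and passes a nonce plus 'strict-dynamic' policy. Both policies are constructed.

```python
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed policies; the weak one has the shape described in the report.
WEAK_POLICY = ("default-src 'self'; "
               "script-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; "
               "object-src 'none'")
HARDENED_POLICY = ("script-src 'nonce-d29fd3ab' 'strict-dynamic' https: 'unsafe-inline'; "
                   "object-src 'none'; base-uri 'none'")


def parse_csp(header):
    """'directive src src; directive ...' -> {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_script_sources(policy):
    """script-src, or default-src when script-src is absent."""
    return policy.get("script-src", policy.get("default-src", []))


def audit_script_src(policy):
    """Return [(finding_code, offending_sources)] for the effective script-src."""
    srcs = effective_script_sources(policy)
    lower = [s.lower() for s in srcs]
    findings = []
    nonce_or_hash = any(s.startswith(HASH_OR_NONCE) for s in lower)
    strict_dynamic = "'strict-dynamic'" in lower

    if strict_dynamic and nonce_or_hash:
        # CSP3 browsers ignore host sources and 'unsafe-inline' here; they are a fallback for old browsers.
        return findings
    if "'unsafe-inline'" in lower and not nonce_or_hash:
        findings.append(("unsafe-inline", []))
    if "*" in lower:
        findings.append(("wildcard", ["*"]))
    hosts = [s for s in srcs if not s.startswith("'") and s != "*" and not s.endswith(":")]
    if hosts:
        # Every script the host serves is now trusted: JSONP endpoints, AngularJS builds, etc.
        findings.append(("host-allowlist", hosts))
    with_path = [h for h in hosts if "/" in h.split("://", 1)[-1].rstrip("/")]
    if with_path:
        # The path part is ignored for a resource reached through a redirect.
        findings.append(("path-allowlist", with_path))
    return findings


if __name__ == "__main__":
    print(audit_script_src(parse_csp(WEAK_POLICY)))
    print(audit_script_src(parse_csp(HARDENED_POLICY)))
```

The hardened policy keeps `https:` and `'unsafe-inline'` only as a fallback for browsers without 'strict-dynamic' support; a CSP3 browser drops both once it sees the nonce and 'strict-dynamic', so the audit treats that combination as clean.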
Hacker One
added 2023/10/03 12:06 p.m., 40 views

U.S. Dept Of Defense: User automatically logged in as Sys Admin user on https://███/Administration/Administration.aspx

A vulnerability was discovered where any user could be automatically logged in as a system administrator on a web application. This allowed unrestricted access, and the privileges could be abused to modify user privileges, add or delete users, and upload files, jeopardizing the integrity of the...

AI score 7.2
Exploits: 0

Hacker One
added 2023/08/08 12:28 p.m., 40 views

HackerOne: Able to see Bonus amount given to a report even if the bounty and Bonus is not visible to public or mentioned in {Report-Id}.json

A vulnerability allowed users to see the bonus amount given to a report, even if the bounty and bonus were not visible to the public or mentioned in the report's JSON file. This resulted in the exposure of confidential information...

AI score 6.9
Exploits: 0

Hacker One
added 2023/07/12 8:54 a.m., 40 views

Internet Bug Bounty: unsanitized input goes to regex function, leading to a ReDoS that makes the request hang

An authenticated user could exploit a vulnerability in Apache Airflow versions prior to 2.6.3 by providing crafted input, causing the current request to hang...

AI score 6.7
Exploits: 0

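
The Action Text and Apache Airflow entries above are both ReDoS: a regular expression whose backtracking grows super-linearly in the length of attacker-supplied text. The following is an added example, not the Rails or Airflow pattern (neither report quotes it), that shows the mechanism on a constructed regex, the unambiguous rewrite that accepts exactly the same strings, and the input-length cap that belongs in front of any regex fed from a request.

```python
import re
import time

# Constructed vulnerable pattern: a nested quantifier over an ambiguous group. On "aaaa...!" the
# engine tries every way to split the run of 'a's between \w+ repetitions before giving up,
# which is 2^(n-1) attempts for n word characters.
VULNERABLE = re.compile(r"^(\s*\w+)*$")

# Same language, unambiguous: one \w+ per word, and every further word must start with
# whitespace, so there is never more than one way to consume a prefix.
LINEAR = re.compile(r"^(\s*\w+(\s+\w+)*)?$")

MAX_LEN = 4096  # second line of defence: refuse oversized input before the regex sees it


def is_word_list(text, pattern=LINEAR, max_len=MAX_LEN):
    """True/False for a match, None when the input is rejected for being too long."""
    if len(text) > max_len:
        return None
    return pattern.match(text) is not None


def time_match(pattern, text):
    """Seconds spent on one match attempt; used only for the demonstration below."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    for n in (16, 20, 24):
        evil = "a" * n + "!"                      # constructed: a long word followed by a non-word char
        print(f"n={n}: vulnerable {time_match(VULNERABLE, evil):.3f}s, "
              f"linear {time_match(LINEAR, evil):.6f}s")
```

Running the block shows the vulnerable pattern's time roughly doubling with each extra character while the linear one stays flat; the length cap is what turns a worst-case input from a hung worker into a 4xx, whichever pattern is in use.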
Hacker One
added 2023/06/25 7:28 p.m., 40 views

Automattic: Authentication bypass in the JetPack SSO manager - allows access to the WordPress administration panel without user interaction

A vulnerability was found in the JetPack SSO manager plugin that allowed authentication bypass on WordPress sites using the plugin. By exploiting the plugin's account invitation and email verification features, an attacker could gain administrative access to WordPress sites with a user account...

AI score 7.4
Exploits: 0

Hacker One
added 2023/04/03 12:58 p.m., 40 views

Reddit: RichText parser vulnerability in scheduled posts allows XSS

Hyperlinks were not being filtered on the server side in Reddit's scheduled post feature, allowing an attacker to modify a request with a normal hyperlink that embeds a malicious link using a javascript scheme. This could result in an XSS attack if an admin clicked on the malicious link while...

AI score 6
Exploits: 0

Hacker One
added 2022/09/28 2:45 p.m., 40 views

Yelp: Subdomain Takeover on delivery.yelp.com

Summary: Subdomain takeover vulnerabilities occur when a subdomain (delivery.yelp.com) is pointing to a service. Vulnerable URL: delivery.yelp.com. This is a verify link. F1959331 Platforms Affected: website. Steps To Reproduce: 1. Create the Amazon S3 bucket with this name: delivery.yelp.com F1959320...

AI score 1.7
Exploits: 0

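
The Yelp entry above is the S3 flavour of subdomain takeover: a CNAME still points at an S3 website endpoint whose bucket no longer exists, so whoever creates a bucket with that name serves the subdomain. The following is an added example, not Yelp's or the reporter's code, of the classification step of such a scan: given what DNS and an HTTP probe returned (constructed observations here, with example.com hosts), decide whether the record is dangling and whether the S3 bucket is unclaimed. The NoSuchBucket markers are what an unclaimed S3 website endpoint returns; other providers need their own entries.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Observation:
    host: str
    cname: Optional[str]     # final CNAME target, None when the name has only A/AAAA records
    target_resolves: bool    # False if the CNAME target is NXDOMAIN
    status: Optional[int]    # HTTP status from probing the host, None if no answer
    body: str


# Markers of an unclaimed S3 website endpoint; extend per provider.
S3_UNCLAIMED_MARKERS = ("NoSuchBucket", "The specified bucket does not exist")


def is_s3_endpoint(target):
    t = target.lower().rstrip(".")
    return t.endswith(".amazonaws.com") and (".s3." in t or ".s3-website" in t)


def classify(obs):
    """Return (verdict, detail); 'takeover-candidate' means the name can be claimed by a third party."""
    if obs.cname is None:
        return "not-cname", "no CNAME, nothing to dangle"
    if not obs.target_resolves:
        return "takeover-candidate", f"CNAME target {obs.cname} is NXDOMAIN"
    if is_s3_endpoint(obs.cname):
        if obs.status == 404 and any(m in obs.body for m in S3_UNCLAIMED_MARKERS):
            # For a website endpoint the bucket name is the host itself, hence step 1 in the report.
            return "takeover-candidate", f"S3 bucket named {obs.host} is unclaimed"
        return "in-use", "S3 bucket exists"
    return "unknown-service", f"CNAME to {obs.cname}"


# Constructed observations.
DANGLING = Observation("shop.example.com", "shop.example.com.s3-website-us-east-1.amazonaws.com", True, 404,
                       "<Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message>")
HEALTHY = Observation("static.example.com", "static.example.com.s3-website-us-east-1.amazonaws.com", True, 200, "<html>")
NXDOMAIN = Observation("old.example.com", "old-app.example-paas.test", False, None, "")
PLAIN = Observation("www.example.com", None, True, 200, "<html>")

if __name__ == "__main__":
    for obs in (DANGLING, HEALTHY, NXDOMAIN, PLAIN):
        print(obs.host, *classify(obs))
```

Two caveats for anyone turning this into a scanner: S3 bucket names are global but website endpoints are regional, so the bucket must be created in the region named in the CNAME target, and a 404 with an unrelated body (a real bucket with no index document) is not a takeover.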
Hacker One
added 2022/09/26 5:58 a.m., 40 views

GitHub: Github Apps can use Scoped-User-To-Server Tokens to Obtain Full Access to User's Projects in Project V2 GraphQL api

An incorrect authorization vulnerability was found in GitHub Enterprise Server that allowed GitHub Apps to gain access to and modify most organization-level resources that are not tied to a repository, regardless of granted permissions. This vulnerability affected all versions of GitHub Enterpris...

CVSS 9.8, AI score 9.6, EPSS 0.01244
Exploits: 0

Hacker One
added 2022/05/25 12:26 p.m., 40 views

Rocket.Chat: Regex account takeover

Summary: get admin reset token with authenticated user. Description: a normal user login can access the admin reset token and set a new password for the admin user. Releases Affected: 3.18.5, 3.0.5. Steps To Reproduce from initial installation to vulnerability: Add details for how we can reproduce the issue...

CVSS 6.5, AI score 1.3, EPSS 0.01077
Exploits: 1

Hacker One
added 2022/05/23 8:44 p.m., 40 views

GitHub Security Lab: [Java]: Flow sources and steps for JMS and RabbitMQ

This bug was reported directly to GitHub Security Lab...

AI score 2
Exploits: 0

Hacker One
added 2022/03/30 8:27 p.m., 40 views

GitHub Security Lab: [Java]: CWE-200 - Query to detect insecure WebResourceResponse implementation

This bug was reported directly to GitHub Security Lab...

AI score 1.6
Exploits: 0

Hacker One
added 2022/03/22 3:38 a.m., 40 views

Evernote: Reflected XSS in the shared note view on https://evernote.com

Summary: There is a reflected XSS vulnerability on https://evernote.com, in the shared web note view, triggered through the view and ionUrl parameters of the /shard/sSHARDNUMBER/client/snv endpoint. Description: When a user creates a note and shares it, it is stored in the following endpoint, bei...

AI score 0.3
Exploits: 0

Hacker One
added 2021/11/11 1:26 p.m., 40 views

Evernote: [34.96.80.155] Server Logs Disclosure lead to Information Leakage

Summary: In this case the server log is available to anyone at /server-status. Steps To Reproduce: 1. Go to https://34.96.80.155/server-status/ and follow the attack scenarios. Attack Scenarios: Serg.io 1. User goes to the server and enters sensitive info that can be logged, example: http://host/login?privatekey=...

AI score 0.5
Exploits: 0

Hacker One
added 2021/10/05 7:33 a.m., 40 views

Nextcloud: When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL

Summary: This report is similar to 1337178. In Nextcloud Deck a user can post their decks into a conversation via Nextcloud Talk. The link in metaData can be manipulated to point to another URL. Steps To Reproduce: 0. Set up Burp Suite to proxy 1. Go to Nextcloud Deck and pick a board 2. Pick any...

CVSS 5.8, AI score 0.4, EPSS 0.00897
Exploits: 1

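
The Reddit entry earlier in the list (a javascript: link smuggled through a rich-text field) and the Nextcloud entry just above (a link in message metadata pointing anywhere) call for the same control: validate the scheme, and where the link is supposed to stay on the product, the host, on the server before the value is stored. The following is an added example, not Reddit's or Nextcloud's code, of a `safe_href` check that applies the normalisation browsers perform before deciding the scheme (tab/newline removal, stripping of leading and trailing control characters, case folding). It expects the already-decoded attribute value: resolving HTML entities is the HTML parser's job before this runs.

```python
import re
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https", "mailto"}
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")
_LEADING_TRAILING = "".join(chr(c) for c in range(0x21))  # C0 controls and space: URL parsers strip these at both ends
_ANYWHERE = re.compile(r"[\t\n\r]")                        # tab, LF, CR: URL parsers delete these anywhere


def safe_href(raw, allowed_hosts=None):
    """Return the href to store, or None if it must be dropped.

    raw is the decoded attribute value. allowed_hosts, when given, pins absolute and
    protocol-relative links to those hosts (what a 'stay on this product' link needs).
    """
    candidate = _ANYWHERE.sub("", raw).strip(_LEADING_TRAILING)
    m = _SCHEME.match(candidate)
    scheme = m.group(1).lower() if m else None
    if scheme is not None and scheme not in SAFE_SCHEMES:
        return None                       # javascript:, data:, vbscript:, file:, ...
    if scheme is None and candidate.startswith(("\\", "/\\")):
        return None                       # browsers read "/\evil.example" as "//evil.example"
    if allowed_hosts is not None and (scheme in ("http", "https") or candidate.startswith("//")):
        host = (urlsplit(candidate).hostname or "").lower()
        if host not in allowed_hosts:
            return None
    return candidate


if __name__ == "__main__":
    for link in ("javascript:alert(1)", "java\tscript:alert(1)", "  JavaScript:alert(1)",
                 "https://example.com/x", "/relative", "//evil.example/x"):
        print(repr(link), "->", safe_href(link, allowed_hosts={"example.com"}))
```

Rejecting rather than rewriting is the point: an allowlist of schemes survives new tricks (a new scheme, a new encoding) because anything the parser does not positively recognise is dropped, whereas a denylist of `javascript:` spellings has to anticipate each one.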
Hacker One
added 2021/04/20 8:48 p.m., 40 views

Nextcloud: Attacker can obtain write access to any federated share/public link

Hi mates, I stumbled across this with public links. But the same holds true for any federated share. I will try to describe the link scenario. At first I thought there were more steps and resharing was involved. But it really is very simple: 1. An attacker obtains a public link, again plenty of...

CVSS 6.4, AI score 8.6, EPSS 0.01849
Exploits: 0

Hacker One
added 2021/04/16 8:43 p.m., 40 views

Mail.ru: [tanks.mail.ru] SSRF + cookie theft

Introduction: On this fine evening we decided to take on the vBulletin forum engine, since it runs on 7 sites that belong to Ext.B, and you have raised the rewards there almost threefold, which sounds tasty. My eye fell on forumrunner, since it had an SQL injection CVE from 2016. In about an hour an SSRF was found, and not a simple one...

AI score 7.1
Exploits: 0

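
The two Mail.ru entries above (connect.mail.ru and tanks.mail.ru) are SSRF in a server-side fetcher: a user-supplied URL is fetched from inside the network. The following is an added example, not Mail.ru code, of the target validation that belongs in front of such a fetch: allow only http/https, reject userinfo, resolve the host, and refuse any answer that is private, loopback, link-local (the cloud metadata range), multicast, reserved, or an IPv4-mapped IPv6 address wrapping one of those. The resolver is a constructed table so the example runs offline; the host names in it are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver standing in for DNS; a real one would use socket.getaddrinfo.
FAKE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "intranet.corp.example": ["10.0.0.5"],
    "rebinder.example": ["93.184.216.34", "127.0.0.1"],   # mixed answers: must be rejected
}


def is_public(ip_str):
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is loopback, not a new IPv6 address
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
                or ip.is_reserved or ip.is_unspecified)


def validate_fetch_target(url, resolve=FAKE_DNS.get):
    """Return (ok, detail). On success detail is the pinned IP to connect to.

    The caller must connect to that IP (sending Host/SNI for the name) rather than resolving
    again, or a rebinding DNS answer defeats the check, and must re-run this on every redirect.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"           # classic parser-confusion vector
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addrs = [str(ipaddress.ip_address(host))]        # literal address, v4 or bracketed v6
    except ValueError:
        # Decimal/octal/hex IPv4 forms (http://2130706433/) are not accepted by ipaddress and do
        # not resolve here; make sure the HTTP client in use rejects them as well.
        addrs = resolve(host.lower()) or []
        if not addrs:
            return False, f"{host} does not resolve"
    for addr in addrs:
        if not is_public(addr):
            return False, f"{host} -> {addr} is not a public address"
    return True, addrs[0]


if __name__ == "__main__":
    for u in ("https://www.example.com/x", "http://intranet.corp.example/", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "file:///etc/passwd", "http://www.example.com@10.0.0.5/"):
        print(u, "->", validate_fetch_target(u))
```

The validation is only half of the control: the returned address has to be the one the socket is opened to, and the same function has to run on each `Location` the fetcher follows, otherwise a public host that 302s to `http://127.0.0.1:8080/` walks straight past it.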
Hacker One
added 2021/03/31 8:24 a.m., 40 views

Nextcloud: Leak arbitrary file under nextcloud android client privacy directory

Steps to reproduce: 1. install and log in to the Nextcloud Android client 2. create a directory and set it 'shareable' 3. install the PoC app "setresultcontactphotocrop" key code: EvilActivity public class EvilActivity extends AppCompatActivity final static String PRIVATEURI =...

CVSS 4.3, AI score 1.4, EPSS 0.00881
Exploits: 1

Hacker One
added 2021/01/11 12:36 a.m., 40 views

TikTok: Lack of rate limitation on careers site allows the attacker to brute force the verification code

An attacker could have potentially attempted to brute force the verification code needed to reset a candidate's password by leveraging a lack of rate limiting on the TikTok careers portal. We thank @iambouali for reporting this to our team and confirming the resolution...

AI score 4.1
Exploits: 0

Hacker One
added 2020/11/30 3:27 p.m., 40 views

Stripo Inc: No rate limit in email subscription

I managed to bypass the following report 1029723, please follow the steps below: Description: No rate limit in Email Subscription, you just have to add a fixed throttle in Burp Suite to avoid the 429 response. Note: I will use tempmail in the screenshots. PoC Steps: 1. Go to https://stripo.email/ a...

AI score 7.1
Exploits: 0

Hacker One
added 2020/09/26 12:29 a.m., 40 views

U.S. Dept Of Defense: hardcoded password stored in javascript of https://████.mil

Summary: I have discovered a cleartext password stored within a JavaScript file. This password allows me to authenticate to https://█████.mil. Description: I have discovered a cleartext password stored within a JavaScript file. This password allows me to authenticate to https://███████.mil. To confirm...

AI score 7.1
Exploits: 0

Hacker One
added 2020/09/24 6:40 a.m., 40 views

Zomato: Improper Validation at Partners Login

Timeline

| Timeline | Action |
|---|---|
| Thu, 24 Sep 2020, 12:10 IST | Researcher submitted the report on H1 with initial severity as High. |
| Thu, 24 Sep 2020, 12:32 IST | First response - we asked for clarification via demonstration on attack scenarios. Parallelly, we began our own... |

AI score 6.8
Exploits: 0

Hacker One
added 2020/09/18 6:33 a.m., 40 views

Shopify: Privilege Escalation in Point Of Sale Application from POS Manage Staff Role to potentially Store Owner

I was playing a bit with the Point Of Sale application and it came to my attention that it is possible to navigate from the Point Of Sale Application up to the Plan & Permission in the admin. I am not sure if this is intentional, but since it leads to potentially take over a shop, I'm reporting i...

AI score 0.4
Exploits: 0

Hacker One
added 2020/05/31 8:37 a.m., 40 views

h1-ctf: [H1-2006 2020] I made the CEO's bounty payment!

^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ I will write the details in comment. Impact I have headache now...

AI score 2.1
Exploits: 0

Total number of security vulnerabilities: 5000