
15369 matches found

Hacker One, added 2022/03/23 1:50 p.m., 281 views

8x8: F5 BIG-IP TMUI RCE - CVE-2020-5902 (██.packet8.net)

@remonsec reported to us a vulnerability in F5 BIG-IP's Traffic Management User Interface (TMUI) which, if exploited, could have led to RCE in undisclosed pages: CVE-2020-5902. We swiftly applied the fix to the F5 BIG-IP & restricted access further, which resolved the issue...

CVSS 10, AI score 1.8, EPSS 0.99999, Exploits: 60

Hacker One, added 2018/09/08 12:08 a.m., 281 views

Greenhouse.io: Subdomain Takeover on demo.greenhouse.io pointing to unbouncepages

Actually this report is the same as this one: https://hackerone.com/reports/38007 Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on t...

AI score 7.1, Exploits: 0

Hacker One, added 2021/01/07 7:12 p.m., 280 views

Doppler VDP: Stored XSS in [https://dashboard.doppler.com/workplace/*/logs] pages

Summary: I have found a stored XSS vulnerability in the following config setting page: https://dashboard.doppler.com/workplace//projects/example-project/configs/dev/logs When you invite other users to the workspace, the XSS could be used to exploit other users also. Steps To Reproduce: 1. Visit...

AI score 0.5, Exploits: 0

Hacker One, added 2020/10/13 7:28 p.m., 280 views

HackerOne: 2020-10-09 Credential Stuffing Attack

Executive summary On October 4, 2020 and October 5, 2020, an attacker launched two credential stuffing attacks against HackerOne.com. On October 9, 2020, HackerOne’s Security team noticed the attack during their weekly audit of anomalies in their log aggregation platform, leading to the Incident...

AI score 0.9, Exploits: 0

Hacker One, added 2023/03/13 10:26 p.m., 279 views

Internet Bug Bounty: Potential DoS vulnerability in Django in multipart parser

A potential denial-of-service vulnerability was discovered in Django's multipart parser, which could result in too many open files or memory exhaustion. This vulnerability was fixed in Django 3.2.18, 4.0.10, and 4.1.7 by limiting the number of file parts parsed via a new setting. The severity of...

CVSS 7.5, AI score 7.3, EPSS 0.62575, Exploits: 0

Hacker One, added 2019/12/05 4:55 p.m., 279 views

Nord Security: xmlrpc.php file is enabled; it can be used for brute-force attacks and Denial of Service (DoS)

Hi Team, The website https://www.nordvpn.com has the xmlrpc.php file enabled and could thus be potentially used for such an attack against other victim hosts. WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made part of a huge botnet causing a major DDoS. URL:...

AI score 6.7, Exploits: 0

Hacker One, added 2016/03/08 8:46 p.m., 279 views

Bime: Subdomain takeover due to unclaimed Amazon S3 bucket on a2.bime.io

I noticed BIME is primarily built on Amazon AWS, which spawned my interest. I started looking for DNS entries that were still pointing to S3 buckets that however no longer exist. It appears this was the case for a2.bime.io, which points to an Amazon S3 website bucket in the US East region. Steps ...

AI score 6.9, Exploits: 0

Hacker One, added 2020/09/21 9:40 a.m., 278 views

U.S. Dept Of Defense: https://██████ vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD

Hi team, while testing I found a host IP https://█████████ which belongs to DoD ██████████.mil running the web services interface of Cisco ASA/FTD and it is vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD. An attacker could exploit this vulnerability by sending ...

CVSS 7.5, AI score 0.1, EPSS 0.96595, Exploits: 4

Hacker One, added 2019/06/20 6:51 p.m., 278 views

U.S. Dept Of Defense: https://█████████ Vulnerable to CVE-2018-0296 Cisco ASA Path Traversal Authentication Bypass

Summary: https://█████ is an ASA running software vulnerable to CVE-2018-0296 which allows a remote attacker to exploit a path traversal vulnerability and bypass authentication to sensitive files. The attacker can use this to enumerate the ASA VPN web directory structure and exploit privileged...

CVSS 5, AI score 2.1, EPSS 0.99903, Exploits: 18

Hacker One, added 2016/03/21 7:41 p.m., 278 views

Shopify: Bypassed password authentication before enabling OTP verification

When we enable two-step verification, Shopify first asks for the password and then allows the user to set up OTP verification. Here I bypassed this password verification. Steps to reproduce the vulnerability: 1. To reproduce this vulnerability I created two accounts on Shopify. For easy understanding let's give them...

AI score 0.4, Exploits: 0

Hacker One, added 2017/06/18 4:12 p.m., 277 views

Gratipay: CSP Policy Bypass and javascript execution

Content Security Policy CSP is a computer security standard introduced to prevent cross-site scripting XSS, clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. CSP provides a standard method for website owners to declare...

AI score 0.6, Exploits: 0

Hacker One, added 2020/06/19 10:29 a.m., 276 views

Node.js third-party modules: bunyan - RCE via insecure command formatting

I would like to report RCE in bunyan. It allows arbitrary commands remotely inside the victim's PC. Module: module name: bunyan, version: 1.8.12, npm page: https://www.npmjs.com/package/bunyan. Module Description: Bunyan is a simple and fast JSON logging library for node.js services. Module Stats: 920,19...

AI score 1.5, Exploits: 0

Hacker One, added 2020/04/16 8:44 p.m., 276 views

Nextcloud: Code injection possible with malformed Nextcloud Talk chat commands

Summary The Nextcloud Talk app allows system administrators to setup chat commands that can be executed in Talk using the "/command" syntax. Users can provide additional arguments to the commands, such as "/calc 1+1" or "/wiki Hello", which are passed to the underlying script using @exec. If...

CVSS 6.5, AI score 0.8, EPSS 0.01668, Exploits: 1

Hacker One, added 2019/12/30 6:17 p.m., 276 views

Genasys Technologies: Missing redaction on a disclosed report

Hi team, I wasn't sure if this was worth a report, but I thought that you should be aware and HackerOne's support referred me to submit a report. I ran into a disclosed report where the reporter asked to redact his email but we can still extract his email and more info about his Google account from th...

AI score 6.7, Exploits: 0

Hacker One, added 2021/05/06 7:48 p.m., 275 views

Sifchain: wrong url in hackerone > goes to wix.com > unconnected

Summary: Hi there, this is a very small issue out of scope. Your current domain name in your HackerOne program is wrong: http://sifchain.finance moves to wix.com. Steps To Reproduce: 1. Login as a researcher 2. Open the program from Sifchain: https://hackerone.com/sifchain?type=team 3. Click o...

AI score 6.6, Exploits: 0

Hacker One, added 2020/02/20 8:40 a.m., 275 views

Razer: Reflected XSS on molpay.com with cloudflare bypass

The tester discovered a reflected XSS vulnerability on molpay.com which could allow an adversary to steal client side information such as a cookie. Razer Fintech thanks the tester for his clear report and PoC. Follow brutelogic for amazing bypass tips. Thank you for bounty @razer 🙏...

AI score 2.6, Exploits: 0

Hacker One, added 2021/07/28 7:30 a.m., 273 views

U.S. Dept Of Defense: https://██████/ Vulnerable to CVE-2013-3827 (Directory-traversal vulnerability)

Description: Hi team, https://█████/ is using an older version of Oracle JavaServer which is vulnerable to CVE-2013-3827. POC: https://█████/████ References: https://www.securityfocus.com/bid/63052/info https://www.exploit-db.com/exploits/38802 Impact: Directory traversal. System Hosts: █████ Affected...

CVSS 5, AI score 1.3, EPSS 0.32441, Exploits: 0

Hacker One, added 2020/10/05 4:16 a.m., 273 views

U.S. Dept Of Defense: External Service Interaction | https://█████████.mil

Description: I am able to trick web server ███████.mil into making DNS and HTTP requests to my vps server and burp collaborator. Walkthrough Section: 1. Create an account using the registration form https://████████.mil/█████/accounts/register/ ███████ 2. Provide the required information to creat...

AI score 0.3, Exploits: 0

Hacker One, added 2015/05/01 6:04 a.m., 273 views

Dropbox: Race condition when redeeming coupon codes

Hello, there is a race condition when redeeming coupon codes in https://www.dropbox.com/coupons. Basically, it enables me to reuse one coupon code many times. Here are the steps to reproduce: 1. Get a coupon code. I bought mine on fiverr. 2. Go to https://www.dropbox.com/coupons and enter your co...

AI score 7.2, Exploits: 0

Hacker One, added 2020/01/18 3:49 a.m., 272 views

BlockDev Sp. Z o.o: DoS of https://blog.makerdao.com/ via CVE-2018-6389

DoS of https://blog.makerdao.com/ via CVE-2018-6389...

CVSS 5, AI score 0.6, EPSS 0.73098, Exploits: 11

Hacker One, added 2019/12/07 11:46 a.m., 272 views

Unikrn: Staging Rabbitmq instance is exposed to the internet with default credentials

Description: RabbitMQ is an open-source message-broker software sometimes called message-oriented middleware that originally implemented the Advanced Message Queuing Protocol AMQP and has since been extended with a plug-in architecture to support Streaming Text Oriented Messaging Protocol STOMP,...

AI score 1.6, Exploits: 0

Hacker One, added 2017/02/06 6:51 p.m., 272 views

Pornhub: Time-based SQL injection in POST parameter login[username] [domain - youporn.com]

The researcher discovered a time based blind SQL injection on a POST login parameter...

AI score 1.1, Exploits: 0

Hacker One, added 2016/06/22 4:56 p.m., 272 views

Pornhub: RCE Possible Via Video Manager Export using @ character in Video Title

The researcher identified that it was possible to inject arbitrary characters into video titles, that when exported via video manager would result in client-side code execution. The researcher was successful in getting a pingback from a meterpreter shell on the victim's machine. Essentially using...

AI score 1.9, Exploits: 0

Hacker One, added 2018/01/04 5:45 a.m., 271 views

Ruby: Unintentional file creation caused at Tempfile with directory traversal

The Tempfile argument of basename can use ../ without escaping. Therefore, directory traversal may occur and unintended files may be generated. Create file pattern log: vagrant@localhost $ ls . vagrant@localhost $ irb irb(main):001:0> require 'tempfile' => true irb(main):002:0>...

CVSS 5, AI score 1.2, EPSS 0.10552, Exploits: 0

Hacker One, added 2021/01/19 5:40 p.m., 270 views

Enjin: Unrestricted Upload of File with Dangerous Type

The security researcher was able to execute CWE-434: Unrestricted Upload of File with Dangerous Type through a legacy API endpoint used to upload images. This file was directly uploaded to our CDN with the appropriate MIME type of the file...

AI score 2.7, Exploits: 0

Hacker One, added 2019/08/28 1:53 p.m., 270 views

Vanilla: XSS through chat messages

Vulnerability name: cross-site scripting through chat messages. Vulnerability description: cross-site scripting is a vulnerability that allows an attacker to send malicious code (usually in JavaScript form) to another user. Because a browser cannot know if the script should be trusted or not, it will...

AI score 6.5, Exploits: 0

Hacker One, added 2019/04/20 7:49 a.m., 270 views

8x8: Sensitive data disclosure via exposed phpunit file

Several domains with the development phpunit configuration files exposed without proper restrictions...

AI score 2.5, Exploits: 0

Hacker One, added 2018/08/17 9:49 a.m., 270 views

Snapchat: Github Token Leaked publicly for https://github.sc-corp.net

Description: GitHub is a truly awesome service but it is unwise to put any sensitive data in code that is hosted on GitHub and similar services, as I was able to find a GitHub token indexed 7 hours ago by user ██████ - Software Engineer - Snap Inc. Issue & POC: You can find the leak in this link:...

AI score 7, Exploits: 0

Hacker One, added 2018/07/18 2:16 p.m., 270 views

Valve: SQL Injection in report_xml.php through countryFilter[] parameter

An unvalidated parameter on a partner reporting page (report_xml.php) could be used to read certain SQL data from a single backing database. Blind SQL Injection && Akamai WAF Bypass. Wait for the write-up ;...

AI score 2.4, Exploits: 0

Hacker One, added 2015/05/30 8:47 p.m., 270 views

VK.com: API: Bug in method auth.validatePhone

The bug is that auth.validatePhone does not validate the parameter "sid". In theory it should be in the format "2fa$userId$appId$hash", but to get the correct result (send SMS/make call) it is enough to send only "2fa$userId$anyText". For example, these requests will send an SMS:...

AI score 6.7, Exploits: 0

Hacker One, added 2022/10/11 4:30 p.m., 269 views

curl: CVE-2022-42916: HSTS bypass via IDN

Summary: HSTS checks are bypassed if any character in the IDN converts (Nameprep) to a '.', for example "。" (UTF-8: E38082). I think there are other characters that become "." (UTF-8: 2E) as a result of converting with IDN. '。' (UTF-8: E38082) is converted to '.' so it doesn't matter if it's last or not. So the sa...

CVSS 5, AI score 8.3, EPSS 0.01644, Exploits: 0

Hacker One, added 2019/10/02 9:29 p.m., 269 views

Mail.ru: RCE Jira (CVE-2019-11581) [my-com.atlassian.net]

Hello, Summary: I found the domain my-com.atlassian.net is vulnerable to RCE in Jira (CVE-2019-11581) via the contact admin function. POC - on page https://my-com.atlassian.net/secure/ContactAdministrators!default.jspa - use payload on Subject & Request details...

AI score 1, EPSS 0.84621, Exploits: 2

Hacker One, added 2017/08/27 8:51 p.m., 269 views

Legal Robot: Registration Allows Disposable Email Addresses

Hello LegalRobot, I'd like to report a nice little bug. As I already gave a clear title, I think you understand this. Simply, LegalRobot allows disposable or temporary email addresses to register an account. Let me know if you have any questions. Thanks, Cheers, Anas...

AI score 3.6, Exploits: 0

Hacker One, added 2014/05/01 7:58 p.m., 269 views

Coinbase: Bypassing 2FA for BTC transfers

Under advanced settings, users have the ability to protect their wallet by requiring two-factor confirmation when sending bitcoins. Personally, I have configured my account with the most secure option, which requires two factor confirmation when sending any amount of bitcoins. However, a flaw...

AI score 7.2, Exploits: 0

Hacker One, added 2024/12/09 11:29 a.m., 267 views

U.S. Dept Of Defense: XSS vulnerability found in javascript code of https://███.mil

The XSS vulnerability was found in the JavaScript code of the website https://███.mil. The parameter "code" was not sufficiently sanitized, allowing the injection of malicious code. This vulnerability could have been exploited to execute arbitrary scripts in the context of the affected website...

AI score 7, Exploits: 0

Hacker One, added 2018/07/22 8:48 p.m., 267 views

Chaturbate: Add non-existent room moderator

Description A broadcaster can add or remove a non-existent user as a moderator. This is submitted using the testbed as it wasn't possible to initiate a broadcast on the production site. Steps 1. As a broadcaster add a moderator to the broadcast attachment 1. 2. Observe the request sent to the...

AI score 1.1, Exploits: 0

Hacker One, added 2017/06/03 7:55 p.m., 267 views

Mixmax: Blind SSRF due to img tag injection in career form

Hi, There is an SSRF vulnerability due to img tag injection in the career form. An attacker can inject multiple tags and perform multiple requests on remote hosts. POC 1. Visit https://mixmax.com/careers. 2. Click on Apply now. 3. Insert an img tag in all the fields. 4. Click on Send Application. 5. Check...

AI score 0.8, Exploits: 0

Hacker One, added 2020/06/10 11:58 p.m., 266 views

Ruby on Rails: Rack parses encoded cookie names allowing an attacker to send malicious `__Host-` and `__Secure-` prefixed cookies

The rack cookie parser parses the cookie string using unescape. This allows a malicious attacker to set a second cookie with the name being percent encoded. Typically it would be expected that we cannot trust cookies and in most cases that's true. However in a couple of cases certain expectations...

CVSS 5, AI score 0.4, EPSS 0.02938, Exploits: 1

Hacker One, added 2020/01/22 10:20 a.m., 266 views

h1-ctf: [h1-415 2020] H1-415 CTF Writeup by W--

H1-415 CTF Writeup Intro HackerOne kicked off this year's H1-415 CTF with the following tweet: F692033 Loading the target challenge website shows that the website is called My Docz Converter. A quick look at the challenge website shows that it allows users to register an account and then upload a...

AI score 0.2, Exploits: 0

Hacker One, added 2018/08/27 1:13 p.m., 266 views

Chaturbate: Open redirect in securegatewayaccess.com / secure.chaturbate.com via prejoin_data parameter

Summary: Hello, I have found that if there is a valid wegdigest parameter in the GET request to https://secure.chaturbate.com/post and other parameters are invalid, a Location header will be automatically constructed based on the contents of the prejoin_data parameter. This allows someone to...

AI score 1, Exploits: 0

Hacker One, added 2019/06/29 10:19 a.m., 265 views

Zomato: Self-Stored XSS - Chained with login/logout CSRF

NOTE! This report explains taking over an account in a single click by chaining stored XSS, WAF bypass, login and logout CSRF. Summary: Attacker can takeover someone's account by stealing their facebook / google login tokens chaining multiple vulnerabilities. Description: Attacker leaves a review...

AI score 0.2, Exploits: 0

Hacker One, added 2020/04/07 11:02 a.m., 264 views

Node.js third-party modules: Pixel flood attack cause the javascript heap out of memory

I would like to report a Pixel flood attack in jimp. It allows flooding the memory and causing DoS by uploading a crafted image (5kb image), and the Jimp module will try to allocate 4128062500 pixels into memory. Module: module name: jimp, version: An image processing library for Node written entirely...

CVSS 4.3, AI score 0.4, EPSS 0.01077, Exploits: 1

Hacker One, added 2018/04/24 9:26 p.m., 264 views

Mail.ru: api.icq.com / ability to message anyone (even icqsystem)

You can message any UIN via an API request by using a clever trick. We have the request api.icq.net/im/sendIM ?t=1 &mentions= &message=0 &f= &aimsid=003.3533131881.4023885996%3A740645342. We see the parameter ?t=1; if we try to send a message to it, alas, it won't work. But if we add 0 to the parameter...

AI score 0.7, Exploits: 0

Hacker One, added 2018/02/22 4:43 p.m., 264 views

Semrush: SSLv3 POODLE attack on IP of Semrush

Summary: POODLE SSLv3 bug on multiple servers Description: CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka...

CVSS 4.3, AI score 5.1, EPSS 0.99999, Exploits: 7

Hacker One, added 2023/03/03 1:43 a.m., 263 views

U.S. Dept Of Defense: Unauthenticated Blind SSRF at https://█████ via xmlrpc.php file

An unauthenticated blind SSRF vulnerability was discovered on the xmlrpc.php file at a certain endpoint, allowing an attacker to send requests to external URLs and potentially conduct further attacks. Input validation and filtering are recommended to prevent such attacks in the future...

AI score 7.1, Exploits: 0

Hacker One, added 2022/12/21 8:51 a.m., 263 views

Internet Bug Bounty: CVE-2022-43551: Another HSTS bypass via IDN

Curl versions 7.77.0 to 7.86.0 were affected by a vulnerability CVE-2022-43551 that allowed bypassing of the HTTP Strict Transport Security HSTS check, enabling attackers to trick curl into using HTTP instead of HTTPS. The vulnerability was caused by the use of IDN characters that get replaced to...

CVSS 7.5, AI score 7.4, EPSS 0.1654, Exploits: 1

Hacker One, added 2021/03/05 6:13 p.m., 263 views

Liberapay: Failure to Invalidate Session after Password Change

Summary: While conducting my research I discovered that the application fails to invalidate sessions after a password change. In this scenario changing the password doesn't destroy the other sessions which are logged in with old passwords. Reproduction Steps: - Login with the same account in Chrome and...

AI score 1.1, Exploits: 0

Hacker One, added 2019/02/24 4:00 p.m., 263 views

ecobee: CSTI on https://www.ecobee.com leads to XSS

Summary: Hi EcoBee team, the https://www.ecobee.com domain is vulnerable against angular injection via CSTI, that leads to XSS. Steps To Reproduce: 1. Go on https://www.ecobee.com/?s=x%20=%20%27y%27:%27%27.constructor.prototype;%20x%27y%27.charAt=.join;$eval%27x=alert/Mik/%27; 1. XSS executed...

AI score 0.9, Exploits: 0

Hacker One, added 2017/09/19 6:04 p.m., 262 views

Internet Bug Bounty: Optionsbleed / CVE-2017-9798

Bug has been disclosed here: https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html poc code: https://github.com/hannob/optionsbleed Apache is currently preparing 2.4.28, which will contain the fix, a patch is available in their svn repo...

CVSS 5, AI score 7.8, EPSS 0.94999, Exploits: 9

Hacker One, added 2017/05/03 1:58 p.m., 262 views

HackerOne: www.hackerone.com website CSP "script-src" includes "unsafe-inline"

Summary: The HTTP header of the hackerone.com website includes an unsafe CSP parameter for "script-src". Description: The hackerone.com website https://www.hackerone.com has a Content-Security-Policy configured, as pointed out on the Bug Bounty page of their program: We utilize a strict Content...

AI score 6.7, Exploits: 0

Total number of security vulnerabilities: 5000