HackerOne: most viewed

15365 matches found

Hacker One | added 2017/05/03 1:58 p.m. | 261 views

HackerOne: www.hackerone.com website CSP "script-src" includes "unsafe-inline"

Summary: The HTTP header of the hackerone.com website includes an unsafe CSP parameter for "script-src". Description: The hackerone.com website https://www.hackerone.com has a Content-Security-Policy configured, as pointed out on the Bug Bounty page of their program: We utilize a strict Content...

AI score 6.7 | Exploits: 0
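A check for the weakness this report describes, added here as an example (it is neither the reporter's code nor anything HackerOne ships): parse the Content-Security-Policy header, find the directive that actually governs script execution (script-src, falling back to default-src) and flag 'unsafe-inline'. It also accounts for the CSP Level 2 rule that a nonce or hash source in the same list makes browsers ignore 'unsafe-inline', which is the caveat a triager needs before calling a policy weak. The sample headers are constructed.

```javascript
// Added example, not from the report: audit the script-governing directive of a CSP header.

function parseCsp(header) {
  // Directives are separated by ';', tokens within a directive by ASCII whitespace.
  // Directive names are case-insensitive; the first occurrence of a name wins and
  // later duplicates are ignored, as browsers do.
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// The source list that governs <script>: script-src if present, else default-src,
// else null (the policy does not restrict scripts at all).
function effectiveScriptSrc(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Returns { level: 'weak' | 'ok', reason }.
function auditScriptSrc(header) {
  const srcs = effectiveScriptSrc(parseCsp(header));
  if (srcs === null) {
    return { level: 'weak', reason: 'no script-src or default-src; inline scripts are not restricted' };
  }
  const hasUnsafeInline = srcs.some(s => s.toLowerCase() === "'unsafe-inline'");
  // CSP Level 2 and later: when a nonce- or hash-source is present in the list,
  // conforming browsers ignore 'unsafe-inline', so it only matters to CSP1-only clients.
  const hasNonceOrHash = srcs.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  if (hasUnsafeInline && !hasNonceOrHash) {
    return { level: 'weak', reason: "'unsafe-inline' lets any injected <script> run, so an XSS bypasses the policy" };
  }
  if (hasUnsafeInline) {
    return { level: 'ok', reason: "'unsafe-inline' is neutralised by a nonce/hash source (legacy-browser fallback only)" };
  }
  return { level: 'ok', reason: 'inline scripts are blocked' };
}
```

Run it against the raw header value returned by the server (for example from a curl -I of the page); if `level` is `weak` the reflected or stored XSS found elsewhere on the site is not mitigated by the CSP.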
Hacker One | added 2026/05/13 9:54 p.m. | 260 views

curl: Credentials forwarded to HTTP after HTTPS→HTTP same-port redirect — url_set_data_creds uses scheme-blind comparator

Hi all, The recent creds: hold credentials refactor — commit 8f71d0fde5 2026-05-11 https://github.com/curl/curl/commit/8f71d0fde5 — introduced a credential-leak regression on HTTPS→HTTP same-port redirects. -u user:pass and --oauth2-bearer both end up in cleartext after a 302 from https://h:N/ to...

CVSS 5.7 | AI score 6.7 | EPSS 0.01595 | Exploits: 2
Hacker One | added 2021/05/27 10:32 a.m. | 259 views

Internet Bug Bounty: 1-byte heap buffer overflow in DNS resolver

Official announcement: http://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html A security issue in nginx resolver was identified, which might allow an attacker to cause 1-byte memory overwrite by using a specially crafted DNS response, resulting in worker process crash or, potentially,...

CVSS 6.8 | AI score 8.1 | EPSS 0.52838 | Exploits: 10
Hacker One | added 2025/06/03 2:51 p.m. | 258 views

Lichess: ImageId Format Injection in Image Upload Endpoint

The image upload endpoint in the Lichess application did not properly validate the 'rel' parameter, allowing an attacker to inject special characters that broke the expected format of the generated ImageId. This could have led to parsing issues in other parts of the application that relied on the...

AI score 7 | Exploits: 0
Hacker One | added 2020/10/10 9:40 p.m. | 258 views

Ian Dunn: SSRF Possible through /wordpress/xmlrpc.php

Hello, I have found an SSRF in iandunn.name through the xmlrpc.php API. I understood you've said about this endpoint in the past making up junk reports, but this is on a function which isn't disabled by disabling the endpoint, as I can prove with a Proof-Of-Concept. There is a function using...

AI score 7.1 | Exploits: 0
Hacker One | added 2022/01/22 7:38 p.m. | 257 views

Aiven Ltd: 0-day Cross Origin Request Forgery vulnerability in Grafana 8.x .

Disclaimer To triage, please note that this is still a 0-day that was alerted to Grafana already, in order to make sure the client is safe I report this issue now, please make sure to not spread it further or leak it, as the best interest is to let you be aware and safer from any potential attack...

CVSS 6.8 | AI score 0.4 | EPSS 0.02283 | Exploits: 0
Hacker One | added 2020/06/11 2:43 p.m. | 257 views

U.S. Dept Of Defense: (CORS) Cross-origin resource sharing misconfiguration

Description: Affected website: https://██████████/wp-json Impact Step-by-step Reproduction: 1. Send this request: GET /wp-json HTTP/1.1 Host: █████████ Connection: close Origin: http://evil.com Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 Windows NT...

AI score 7.2 | Exploits: 0
Hacker One | added 2022/06/08 10:29 a.m. | 256 views

Internet Bug Bounty: Apache HTTP Server: mod_proxy_ajp: Possible request smuggling

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.53 and prior versions...

CVSS 5 | AI score 8.6 | EPSS 0.19008 | Exploits: 1
Hacker One | added 2021/03/01 12:21 p.m. | 256 views

Mattermost: [mattermost.com] CORS Misconfiguration leakage of admin users

Summary: CORS policies on pages containing sensitive information should be reviewed to determine whether it is appropriate for the application to trust both the intentions and security posture of any domains granted access. It's possible to get information about the users registered such as: id,...

AI score 7.1 | Exploits: 0
Hacker One | added 2019/09/07 11:48 p.m. | 256 views

FormAssembly: scripts loader DOS vulnerability

1 vulnerability description WordPress allows users to load multiple JS files and CSS files through load-scripts.php files at once. For example, https://wpwebsite.com/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core,editor&ver=4.9.1, file load-scripts.php will load jquery-ui-core and editor...

CVSS 5 | AI score 0.1 | EPSS 0.73098 | Exploits: 11
Hacker One | added 2018/10/12 9:03 p.m. | 256 views

U.S. Dept Of Defense: Unencrypted __VIEWSTATE parameter in a DoD website

Hi there, I realise that the information passing to the server in the subdomain http://████████ can be seen without any encryption through the VIEWSTATE parameter. To reduce the chance of someone intercepting the information, the parameter should be encrypted due to the sensitivity of the information...

AI score 6.8 | Exploits: 0
Hacker One | added 2023/03/15 1:18 a.m. | 255 views

Internet Bug Bounty: UAF in OpenSSL up to 3.0.7

A use-after-free vulnerability was found in OpenSSL up to version 3.0.7 following BIO_new_NDEF calls. This could result in a crash when the BIO_pop function is called after BIO_new_NDEF fails and improperly cleans up the BIO chain. The vulnerability impacts the public API functions...

CVSS 7.5 | AI score 7.8 | EPSS 0.04494 | Exploits: 0
Hacker One | added 2018/10/14 7:44 p.m. | 255 views

Chaturbate: Passive stored XSS at broadcast room

The hacker found that specially crafted app names could insert a small amount of data into an A tag's href in the "Broadcaster is running these apps: " chat text. Because of the character limit this required multiple successive clicks on different app names, and in the example utilised the room...

AI score 5.9 | Exploits: 0
Hacker One | added 2021/07/26 3:19 p.m. | 254 views

Rockstar Games: Brute Force against VMware Horizon

In this report, the researcher discovered a VMWare Horizon admin remote access login portal that was publicly accessible and not sufficiently protected against credential stuffing/brute force attacks. No user accounts were breached; all employees are required to use MFA to login through such...

AI score 2.4 | Exploits: 0
Hacker One | added 2020/08/09 4:57 p.m. | 254 views

Brave Software: Cross-origin resource sharing misconfiguration (CORS)

Hi! In this report I want to describe a High level bug which can seriously compromise a user account. If I am authorized on this site, I can steal user's sessions, some personal information or do some action. In my tests, I found the relevant vulnerability using different methods. I detected the COR...

Exploits: 0
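The three CORS reports in this list (the DoD /wp-json endpoint probed with Origin: http://evil.com, the Mattermost user-data leak and the Brave report above) all describe the same misconfiguration: the server echoes the request's Origin and allows credentials. The code below is an added example, written for this page and not taken from any of those reports, that puts the reflecting handler next to an allowlisted one and includes the probe a tester runs. The allowlist, origins and handler names are constructed for illustration.

```javascript
// Added example, not from the reports: origin reflection versus an exact-match allowlist.

// Vulnerable: echoes whatever Origin was sent and allows credentials. Any page the
// victim visits can then fetch an authenticated endpoint (e.g. /wp-json user data)
// with the victim's cookies and read the response.
function corsHeadersReflecting(originHeader) {
  if (!originHeader) return {};
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: exact match against a set of full origins (scheme + host + port), never a
// wildcard when credentials are allowed, and Vary: Origin so a shared cache does not
// hand one origin's ACAO header to a different requester.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

function corsHeadersAllowlisted(originHeader) {
  if (!originHeader) return {};
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return { Vary: 'Origin' }; // "null" or garbage: emit no ACAO at all
  }
  // Compare the canonical origin, not a prefix or substring, so both
  // https://app.example.com.evil.net and https://app.example.com@evil.net fail.
  const canonical = parsed.origin;
  if (canonical !== originHeader || !ALLOWED_ORIGINS.has(canonical)) return { Vary: 'Origin' };
  return {
    'Access-Control-Allow-Origin': canonical,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// The probe from the DoD report: send an arbitrary Origin. A handler is misconfigured
// if it echoes that origin back together with Allow-Credentials: true.
function isReflectingOrigin(handler, probe = 'http://evil.com') {
  const h = handler(probe);
  return h['Access-Control-Allow-Origin'] === probe &&
         h['Access-Control-Allow-Credentials'] === 'true';
}
```

When testing a live target, repeat the probe with a subdomain-looking origin (`https://target.example.evil.net`), a `null` origin and a plain `http://` variant of a trusted host; a regex or `startsWith` allowlist commonly passes one of these even when it rejects `http://evil.com`.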
Hacker One | added 2020/01/20 5:03 p.m. | 254 views

Node.js third-party modules: [klona] Prototype pollution

I would like to report Prototype pollution in klona It allows adding arbitrary property to Prototype while deep cloning an object Module module name: klona version: Hunter's comments and funny memes goes here F690469 Impact Denial of Service and possible Remote code execution by overriding object...

CVSS 7.5 | AI score 0.9 | EPSS 0.04118 | Exploits: 1
Hacker One | added 2017/01/10 1:38 p.m. | 254 views

FormAssembly: formassembly.com is vulnerable to padding-oracle attacks.

Dear Formassembly bug bounty team, Summary --- formassembly.com is vulnerable to CVE-2016-2107, allowing remote attackers to obtain sensitive information via padding-oracle attacks. $ git clone https://github.com/FiloSottile/CVE-2016-2107.git $ go run main.go www.formassembly.com ... Vulnerable:...

CVSS 2.6 | AI score 6.9 | EPSS 0.89058 | Exploits: 6
Hacker One | added 2024/12/09 11:15 a.m. | 253 views

Brave Software: Incorrect security UI of files' download source on brave MacOS

The incorrect display of the download source in the Brave download alert was identified. Instead of displaying the actual source of the downloaded file, the browser displayed the referrer header value, which could have misled users into believing the file was from a trusted source...

CVSS 6.1 | AI score 6.8 | EPSS 0.0035 | Exploits: 0
Hacker One | added 2021/03/09 1:57 p.m. | 253 views

Acronis: Unrestricted file upload vulnerability in IMCE

Summary Steps To Reproduce POC 1. Go to "https://forum.acronis.com/" and create a user 2. Click on edit profile and go to Signature, click on insert image using the IMCE file manager 3. Now upload a PHP file and bypass by adding .gif in the endpoint Recommendations...

CVSS 6.5 | AI score 1.1 | EPSS 0.01108 | Exploits: 0
Hacker One | added 2020/01/21 2:36 p.m. | 253 views

h1-ctf: [h1-415 2020] @_bayotop h1-415-ctf writeup

TL;DR: Thanks for the challenge! 1. Abusing account recovery via QR codes to get access to [email protected]. 2. Blind XSS in /support/review/ including CSP bypass. 3. Missing input sanitization on name parameter when POSTing to /support/review/. 4. Access to remote debugging port on local...

AI score 6.2 | Exploits: 0
Hacker One | added 2019/10/14 12:47 p.m. | 253 views

QIWI: Unauthenticated SSRF in jira.tochka.com leading to RCE in confluence.bank24.int

Summary This report describes a combination of two separate vulnerabilities in two separate services. This chain of vulnerabilities allows unauthenticated attacker to run arbitrary code on a server inside the company's internal network. Vulnerability 1 Jira at https://jira.tochka.com is vulnerabl...

CVSS 10 | AI score 0.1 | EPSS 0.99913 | Exploits: 22
Hacker One | added 2017/12/23 8:21 a.m. | 253 views

Brave Software: Torrent Viewer extension web service available on all interfaces

Summary: When files are downloaded via the Torrent Viewer, a local web service is spun up that allows the user to download the files. This web service listens on all interfaces, allowing anyone in the network to view what files are being downloaded, and download them from the user. This mostly...

AI score 6.6 | Exploits: 0
Hacker One | added 2023/08/30 2:10 p.m. | 252 views

Daimler Truck: Default credential to login at site management panel

Summary: Hi Team, during recon on Shodan I came across an IP pointing towards lre.daimlertruck.com. Here is the Shodan link https://www.shodan.io/host/20.219.79.49 On port 8443, there was a login panel at https://20.219.79.49:8443/Site/ and using the default credentials admin / admin I was able to login...

AI score 7 | Exploits: 0
Hacker One | added 2018/07/24 6:02 p.m. | 252 views

Chaturbate: CSS Injection on /embed/ via bgcolor parameter leaks user's CSRF token and allows for XSS

Hi there, There's a CSS injection here: https://chaturbate.com/embed/admin/?bgcolor=%7D%7Bbackground:red&tour=nvfS&disablesound=0&campaign=iNSGX body, divmain, div.content, div.block, div.section margin: 0px; padding: 0px; body min-width:800px; div.content width: 100%; body background:...

AI score 1 | Exploits: 0
Hacker One | added 2020/12/01 8:53 p.m. | 251 views

curl: CVE-2020-8286: Inferior OCSP verification

cURL in /lib/vtls/openssl.c does not check that the certificate serial number in the stapled OCSP response matches the serial number of the peer certificate it is trying to validate. This results in a passed validity challenge even when connecting to a site that has had its...

CVSS 5 | AI score 0.1 | EPSS 0.04575 | Exploits: 1
Hacker One | added 2020/08/15 2:08 a.m. | 251 views

U.S. Dept Of Defense: ███ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability

Summary: ████████ is vulnerable to Read-Only Path Traversal Vulnerability as described at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86 Description: Get request parameters at the /+CSCOT+/translation-table and the /+CSCOT+/oem-customization...

CVSS 5 | AI score 0.6 | EPSS 0.99992 | Exploits: 24
Hacker One | added 2020/06/13 8:41 a.m. | 251 views

Glassdoor: 2FA bypass by sending blank code

Summary: █████████. This is a failure in null check of the entered code. In simple terms, the 2FA while logging in can be bypassed by sending a blank code. This could be because of incorrect comparison of entered code with true code. A pre-validation may be null check before comparing the codes...

AI score 7.3 | Exploits: 0
Hacker One | added 2020/04/10 6:34 a.m. | 252 views

BlockDev Sp. Z o.o: Blind SSRF at https://chat.makerdao.com/account/profile

Blind SSRF at https://chat.makerdao.com/account/profile...

Exploits: 0
Hacker One | added 2021/09/15 4:51 p.m. | 250 views

UPchieve: No Rate Limiting for Password Reset Email Leads to Email Flooding

There is "No Rate Limiting" implemented in sending the Password Reset Email. Thus, an attacker can use this vulnerability to bomb out the email inbox of the victim. Affected URL: https://hackers.upchieve.org/resetpassword Steps to Reproduce: 1. Log in to: https://hackers.upchieve.org/ 2. Go to:...

AI score 6.9 | Exploits: 0
Hacker One | added 2020/09/09 8:28 p.m. | 250 views

Shopify: Cache poisoning via X-Forwarded-Host in www.shopify.com/partners/blog

Hello, run requests in a loop with X-Forwarded-Host: yourhackerzsite.com - after some time you will notice yourhackerzsite.com in the response (F981839). Now remove X-Forwarded-Host - our URL is still there (F981841). I've logged in to my VPS to verify this bug and downloaded the poisoned page...

AI score 0.2 | Exploits: 0
Hacker One | added 2019/09/21 1:46 a.m. | 250 views

Razer: OTP token bypass in accessing user settings

The tester was able to determine that the OTP token used by Razer ID was not being properly verified against the specific user which would allow an adversary to replay their own OTP token against a different user. If the adversary also had been able to obtain the user's login and password through...

AI score 1.7 | Exploits: 0
Hacker One | added 2017/01/10 5:23 a.m. | 250 views

Pornhub: IDOR - Access to private video thumbnails even if video requires password authentication

The researcher discovered an IDOR path which allows the user to view content and images from password-protected videos...

AI score 3.3 | Exploits: 0
Hacker One | added 2023/03/08 6:10 p.m. | 249 views

curl: CVE-2023-27537: HSTS double-free

A double-free vulnerability CVE-2023-27537 existed in libcurl's HSTS (HTTP Strict Transport Security) implementation due to a lack of exclusion control when processing HSTS with multi-threading. This could lead to a use-after-free (UAF) issue when other threads access entries. An attacker could explo...

CVSS 5.9 | AI score 7.3 | EPSS 0.01856 | Exploits: 1
Hacker One | added 2020/07/09 6:20 a.m. | 249 views

Nextcloud: Full path disclosure vulnerability via Upload .htaccess file

Hello Security team, I found a Full path disclosure vulnerability via Upload .htaccess file, see POC video. Thanks Impact Sensitive File/Folder Information...

AI score 1 | Exploits: 0
Hacker One | added 2023/02/15 9:14 a.m. | 248 views

Internet Bug Bounty: CVE-2023-23915: HSTS amnesia with --parallel

Multiple transfers in parallel using curl's HSTS cache saving feature resulted in the cache file being overwritten by the most recently completed transfer, causing a later HTTP-only transfer to the earlier hostname to not get upgraded properly to HSTS, leading to a bypass of intended security...

CVSS 6.5 | AI score 6.7 | EPSS 0.00861 | Exploits: 0
Hacker One | added 2020/01/04 9:46 p.m. | 248 views

U.S. Dept Of Defense: Public instance of Jenkins on https://██████████/ with /script enabled

Summary: An Amazon instance was found on https://█████/ running Jenkins. On analysing the SSL certificate, I reported here to the DoD. Description: On checking the SSL certificate, the details show: Issued to and Issued By records: CN: █████ Organization (O): █████████ Organizational Unit (OU): ███...

AI score 0.4 | Exploits: 0
Hacker One | added 2018/05/03 12:06 p.m. | 247 views

Rockstar Games: LFI and SSRF via XXE in emblem editor

This summary is provided by the researcher who submitted this report, @alexbirsan . About one year after I started messing with the emblem editor, I finally found a full SSRF and LFI. I was able to extract text files from the server and HTTP responses by rendering them on my crew emblem. For thos...

AI score 0.3 | Exploits: 0
Hacker One | added 2021/12/22 1:20 p.m. | 246 views

Internet Bug Bounty: Buffer overflow in req_parsebody method in lua_request.c

Software Versions ------------------- Ubuntu - 18.04 32-bit Apache 2.4.51 32-bit Description ------------- This bug is present in the "req_parsebody" method of the modules/lua/lua_request.c file. Below mentioned lines of code cause this bug. ... size_t vlen = 0; ... ... vlen = end - crlf - 8; buffer =...

CVSS 7.5 | AI score 9.4 | EPSS 0.97108 | Exploits: 4
Hacker One | added 2020/06/05 10:11 p.m. | 246 views

GitHub Security Lab: CodeQL query to detect JNDI injections

This bug was reported directly to GitHub Security Lab...

AI score 1 | Exploits: 0
Hacker One | added 2020/01/22 5:02 p.m. | 246 views

h1-ctf: [h1-415 2020] I found Joberts missing file!

The key is: h1ctfy3s1mc0sm1cn0w My writeup is available unpublished at: https://p4fg.github.io/h14152020/ I might edit some styling but the main content is there. The twist of my writeup is that I tried to give a detailed account of EVERYTHING to allow new hackers to follow along my discoveries an...

AI score 7 | Exploits: 0
Hacker One | added 2016/12/30 7:16 a.m. | 246 views

LocalTapiola: OpenSSL Padding Oracle Attack (CVE-2016-2107) on viestinta.lahitapiola.fi

Hello Lahitapiola Security Team, I would like to make two reports: 1. Subdomain viestinta.lahitapiola.fi is vulnerable to CVE-2016-2107 . 2. All the Lahitapiola domains/subdomains in scope of bug bounty have weak cipher suites and are susceptible to various SSL related attacks. Subdomain...

CVSS 2.6 | AI score 7.1 | EPSS 0.89058 | Exploits: 6
Hacker One | added 2015/11/02 5:58 p.m. | 246 views

HackerOne: HTTP header injection in info.hackerone.com allows setting cookies for hackerone.com

The subdomain info.hackerone.com is vulnerable to HTTP header injection. I'm aware that you are only interested in critical issues affecting this subdomain. However, you may be interested in this issue as a vulnerability in this domain may affect the domain hackerone.com. The vulnerability is a...

AI score 7.6 | Exploits: 0
Hacker One | added 2020/04/09 9:57 p.m. | 245 views

GitHub Security Lab: CPP: Out of order Linux permission dropping without checking return codes

This bug was reported directly to GitHub Security Lab...

AI score 1.4 | Exploits: 0
Hacker One | added 2020/04/09 8:17 p.m. | 245 views

Imgur: Sourcemaps and Unminified Source Code Exposed on Pages

Hello, I'm not sure if this was actually meant to be made public on purpose, but I was looking through some of the sources that were loaded and found out the following: https://imgur.com/ - See ██████ s.imgur.com - desktop-assets - js contains multiple minified JS files as one would usually expec...

AI score 7.1 | Exploits: 0
Hacker One | added 2018/01/06 3:44 p.m. | 245 views

HackerOne: ImageMagick GIF coder vulnerability leading to memory disclosure

Hello Hackerone Security Team, Well, we are aware of the ImageMagick GIF parser method to collect the pixels and then we can recover it to gain server information. https://github.com/neex/gifoeb However, it has no impact on hackerone since it's immune to gif files uploading functionality. So, gif...

CVSS 4.3 | AI score 7.8 | EPSS 0.19193 | Exploits: 4
Hacker One | added 2021/10/13 12:36 p.m. | 244 views

MariaDB: Path Traversal CVE-2021-26086 CVE-2021-26085

These vulnerabilities were found with https://trickest.com https://trickest.io CVE-2021-26085: ===================== https://jira.mariadb.org:/s/123cfx//;/WEB-INF/web.xml CVE-2021-26086: ===================== https://jira.mariadb.org/s/cfx//;/WEB-INF/web.xml Video explanation: -------------------...

CVSS 5 | AI score 5.9 | EPSS 0.99999 | Exploits: 12
Hacker One | added 2021/04/15 10:27 a.m. | 244 views

Glovo: Moodle XSS on evolve.glovoapp.com

Cross Site Scripting XSS / Moodle XSS Summary: Cross-site scripting XSS is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by...

AI score 5.5 | Exploits: 0
Hacker One | added 2020/01/23 4:45 a.m. | 244 views

h1-ctf: [h1-415 2020] h1ctf{y3s_1m_c0sm1c_n0w}

Summary: Account takeover was possible because of the email validation used - [email protected] could be registered, but when the system created the recovery QR code the extra symbols would get stripped leaving us with a valid recovery QR code to log into...

AI score 7 | Exploits: 0
Hacker One | added 2018/10/20 8:41 p.m. | 244 views

DuckDuckGo: DOM XSS on 50x.html page on proxy.duckduckgo.com

Hi, I read the report about DOM XSS on 50x.html page https://hackerone.com/reports/405191. I decided to check some other subdomains to be sure. This link still executes javascript: https://proxy.duckduckgo.com/50x.html?e=&atb=test%22/%3E%3Cimg%20src=x%20onerror=alert%27test%27;%3E The following...

AI score 0.1 | Exploits: 0
Hacker One | added 2016/12/15 7:09 a.m. | 244 views

X (Formerly Twitter): Sub Domain Takeover at mk.prd.vine.co

Hey It looks like the EC2 Instance at mk.prd.vine.co has been stopped and now it has been assigned to someone else Proof of Concept 1. http://mk.prd.vine.co/ few days back didn't have port 443 open but now it does have an open port 443 Response 400 Bad Request 400 Bad Request awselb/2.0 So it loo...

AI score 6.9 | Exploits: 0
Total number of security vulnerabilities: 5000