Lucene search: Hackerone, sorted by most viewed

15365 matches found

Hacker One · added 2017/12/02 10:05 p.m. · 243 views

RBKmoney: Information Disclosure - Composer.lock

Non-sensitive information disclosure via composer.lock...

AI score 6.4 · Exploits: 0

Hacker One · added 2020/01/24 7:03 p.m. · 242 views

RATELIMITED: xss in /users/[id]/set_tier endpoint

Summary: add summary of the vulnerability Hello there! I found an XSS since you forgot to add the json content-type response header right there: https://github.com/gtsatsis/RLAPI-v3-OOP/blob/508d3c610ccc9076753bdc81151a5e8d76871a3e/src/Controller/UserController.php#L93 The tier parameter is...

AI score 5.7 · Exploits: 0

Hacker One · added 2018/10/03 12:23 p.m. · 242 views

Chaturbate: No rate limiting in changing room subject.

Before I shed more light on this: I noticed I can create over 200 apps but I don't really know how valid that was. I want to report that there is no rate limiting in changing room subject. Attacker scenario: 1. Navigate to https://chaturbate.com/b/your username 2. Try to create a room subject and...

AI score 7 · Exploits: 0

Hacker One · added 2021/06/19 8:43 a.m. · 241 views

Node.js: HTTP Request Smuggling due to ignoring chunk extensions

Summary: The llhttp parser in the http module in Node 16.3.0 ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) when a Node server is put behind an Apache Traffic Server (ATS) 9.0.0 proxy. Description: In the chunked transfer encoding format...

CVSS 5.8 · AI score 7.6 · EPSS 0.02299 · Exploits: 1

Hacker One · added 2016/09/15 4:08 a.m. · 241 views

IRCCloud: Exposed, outdated nginx server (v1.4.6) potentially vulnerable to heap-based buffer overflow & RCE

Summary ======== During my reconnaissance for your bug bounty program, I discovered an instance of nginx version 1.4.6 running at the IP address https://54.153.101.52. To locate it, I searched for IRCCloud-related certificates and found the self-signed certificate for this server...

CVSS 7.5 · AI score 9.6 · EPSS 0.09293 · Exploits: 1

Hacker One · added 2020/12/30 7:02 p.m. · 240 views

h1-ctf: [h1ctf-Grinch Networks] MrR3b00t Saving the Christmas

Disclaimer: Certain things are a bit modified to set the pieces for the story. Also you can find the flags for all 12 challenges in file F1138300 , Now enjoy : █▀▄▀█ █▀█ ░ █▀█ █▄▄ █▀█ █▀█ ▀█▀ █░▀░█ █▀▄ ▄ █▀▄ █▄█ █▄█ █▄█ ░█░ saves the Christmas Episode - 0x00 Pil0t.py It was a gloomy clear night,...

AI score 6.8 · Exploits: 0

Hacker One · added 2020/01/30 12:20 a.m. · 239 views

Showmax: Wordpress directories/files visible to internet

A misconfiguration caused two directories to be listable in our marketing blog that's running on WordPress. As the domain is out-of-scope of our program and the uploaded files include marketing material, it had no serious impact...

AI score 2.8 · Exploits: 0

Hacker One · added 2018/05/24 1:39 p.m. · 239 views

Node.js third-party modules: [exceljs] Possible XSS via cell value when worksheet is displayed in browser

Hi Team, I would like to report a Stored XSS vulnerability in the exceljs module. It allows execution of JavaScript code embedded in the XLS sheet when data from the sheet is displayed in the browser. Module: module name: exceljs, version: 1.4.6, npm page: https://www.npmjs.com/package/exceljs Module...

CVSS 4.3 · EPSS 0.00759 · Exploits: 1

Hacker One · added 2018/04/22 11:39 p.m. · 239 views

Shopify: SSRF in Exchange leads to ROOT access in all instances

The Exploit Chain - How to get root access on all Shopify instances 1 - Access Google Cloud Metadata - 1: Create a store partners.shopify.com - 2: Edit the template password.liquid and add the following content: html...

AI score 0.5 · Exploits: 0

Hacker One · added 2020/09/21 9:25 a.m. · 238 views

Solana BBP: Public and secret api key leaked via Solana BBP github repo

Summary: Most often developers, for their ease of use, leave API keys, other sensitive keys and tokens as hardcoded strings, which isn't really a good idea as it can result in leaks of sensitive information getting into the wrong hands, which can indeed result in data theft and tampering with how the...

AI score 6.8 · Exploits: 0

Hacker One · added 2020/03/19 9:55 p.m. · 238 views

GitHub Security Lab: XPath Injection query in java

This bug was reported directly to GitHub Security Lab...

AI score 1.4 · Exploits: 0

Hacker One · added 2013/10/31 8:55 p.m. · 238 views

HackerOne: Login page password-guessing attack

A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. hackerone.com page doesn't have any protection against password-guessing attacks brute force...

AI score 2.5 · Exploits: 0

Hacker One · added 2023/12/01 2:31 p.m. · 237 views

Node.js: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding)

A timing side-channel vulnerability in the crypto library's privateDecrypt API allowed attackers to remotely exploit and decrypt or forge signatures when processing encrypted messages...

CVSS 7.4 · AI score 6.6 · EPSS 0.01302 · Exploits: 0

Hacker One · added 2023/01/28 3:16 a.m. · 237 views

Stripe: Fee discounts can be redeemed many times, resulting in unlimited fee-free transactions

A fee discount offer on Stripe transactions could be redeemed multiple times, resulting in unlimited fee-free transactions. The vulnerability allowed the attacker to call the /ajax/acceptfeediscountoffer endpoint multiple times, applying the discount each time. The impact was unlimited fee-free...

AI score 6.9 · Exploits: 0

Hacker One · added 2021/01/17 6:39 p.m. · 237 views

Bumble: Bumble API exposes read status of chat messages

Summary The Bumble app allows matches to chat with each other. In the mobile apps it is possible to see whether a message has been delivered; the webapp does not offer this feature, but the read status of messages is never disclosed. However, by issuing a POST request to the API endpoint at...

AI score 6.3 · Exploits: 0

Hacker One · added 2024/12/08 8:02 p.m. · 236 views

Flickr: Information Disclosure: .dockerignore file is publicly accessible

Vulnerability description not provided...

AI score 7.1 · Exploits: 0

Hacker One · added 2020/06/23 5:17 a.m. · 236 views

Courier: Logout page does not prevent CSRF

Summary: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. ... If the victim is an administrative account, CSRF can compromise the entire web application. Steps To Reproduce: 1. Create a...

AI score 1.1 · Exploits: 0

Hacker One · added 2017/07/30 8:51 a.m. · 235 views

Legal Robot: SSL BREACH attack (CVE-2013-3587)

Hello security team, The site legalrobot.com is potentially vulnerable to the BREACH attack. Allowing an attacker the ability to: - Inject partial chosen plaintext into a victim's requests - Measure the size of encrypted traffic - can leverage information leaked by compression to recover targeted...

CVSS 4.3 · AI score 0.2 · EPSS 0.06049 · Exploits: 2

Hacker One · added 2021/09/27 2:44 p.m. · 234 views

OneWeb: Vulnerable Jira Instance

Multiple information exposure vulnerabilities were identified in a Jira Server instance: unauthenticated access to APIs and system browser functions. @lesleybw found multiple CVEs and exposures on a Jira instance owned by OneWeb 1...

CVSS 5 · AI score 5.8 · EPSS 0.84771 · Exploits: 10

Hacker One · added 2016/11/16 8:28 a.m. · 234 views

Bumble: Email Spoofing

There is an Email Spoofing Vulnerability. Steps to reproduce: 1. Go to http://emkei.cz/ 2. Fill the "From Email" field with [email protected] or any other badoo email. 3. Fill the victim's address (your address) in the "TO" field and fill in other details as you wish. You will receive an email from badoo admin...

AI score 7.1 · Exploits: 0

Hacker One · added 2016/05/12 10:25 a.m. · 234 views

Pornhub: [IDOR] Deleting other users comment

Hello, Normally you cannot delete comments if you post on someone's stream, and I have found a way to delete others' comments. PoC: https://youtu.be/mxEE9vcxKA Let me know if you cannot reproduce it! Thanks! Mikko...

AI score 0.6 · Exploits: 0

Hacker One · added 2015/10/24 7:40 a.m. · 234 views

X (Formerly Twitter): IDOR- Activate Mopub on different organizations- steal api token- Fabric.io

Hello, There is an option to enroll your organization in fabric.io for mopub, but this particular endpoint is missing proper authorization checks, allowing any user to steal API tokens. Vulnerable request ================ POST /api/v3/organizations/5460d2394b793294df01104a/mopub/activate HTTP/1....

AI score 6.7 · Exploits: 0

Hacker One · added 2021/04/07 1:59 p.m. · 233 views

GitLab: RCE when removing metadata with ExifTool

Summary When uploading image files, GitLab Workhorse passes any files with the extensions jpg|jpeg|tiff through to ExifTool to remove any non-whitelisted tags. An issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing f...

AI score 7 · Exploits: 0

Hacker One · added 2016/06/29 6:53 a.m. · 233 views

ownCloud: SMB User Authentication Bypass and Persistence

Authentication Bypass ================== The external user authentication app in OwnCloud does not properly authenticate against an SMB server. In its current implementation, the file owncloud/apps/userexternal/lib/smb.php, line 46-47 uses the command smbclient -L //host/dummy -Uuser%pass, where...

CVSS 6.8 · AI score 8.6 · EPSS 0.04095 · Exploits: 1

Hacker One · added 2020/08/17 2:12 p.m. · 232 views

InnoGames: Cache Poisoning via uppercase letters in invalid path

Summary of the issue A cache poisoning vulnerability appears in requests to innogames.com. The issue arises when the language path parameter from the URL gets processed on the backend to become lowercase. Then, if a path provided in X-Forwarded-Host does not exist on the server, a 301 response is...

AI score 0.2 · Exploits: 0

Hacker One · added 2020/02/27 10:08 p.m. · 232 views

Nord Security: Arbitrary Set-Cookie via "?coupon=" due to semi-colon not encoded

Related to , the separator in the cookie header is semi-colon ; and this issue is caused by semicolon ; not encoded, so the attacker can arbitrarily manipulate cookies. Arbitrary set cookie will cause several problems like: - Session Fixation - Cookie Bomb Client-Side DoS - Etc Vulnerable Endpoin...

AI score 6.8 · Exploits: 0

Hacker One · added 2019/12/13 10:07 p.m. · 231 views

Razer: Expired reCAPTCHA site key leads to Rate Limit Bypass and Email Enumeration

The tester discovered a configuration issue involving Google reCAPTCHA that would allow adversaries to enumerate valid email addresses for users. While minor, Razer appreciates the report and clear PoC...

AI score 3.5 · Exploits: 0

Hacker One · added 2019/10/23 12:07 p.m. · 231 views

Mail.ru: [iot-hackathon.geekbrains.ru] Tilda Subdomain Takeover

iot-hackathon.geekbrains.ru subdomain was delegated to tilda.cc service, which is vulnerable to takeover...

AI score 2.5 · Exploits: 0

Hacker One · added 2018/11/10 9:47 p.m. · 231 views

Khan Academy: Cross site scripting (content-sniffing)

Your website may be vulnerable to cross site scripting attacks HTTP request: GET...

AI score 0.5 · Exploits: 0

Hacker One · added 2018/08/16 9:28 a.m. · 231 views

Node.js: url.parse() hostname spoofing via javascript: URIs

Summary: Using url.parse in security-sensitive checks is dangerous, as an arbitrary hostname can be spoofed via javascript: URIs. Description: The original url.parse API is dangerous as it allows an arbitrary hostname to be spoofed via a javascript: URI: bash $ node -e...

AI score 6.5 · Exploits: 0

Hacker One · added 2024/12/08 7:15 a.m. · 230 views

curl: Buffer Overflow Risk in Curl_inet_ntop and inet_ntop4

Curl is a software that I love and is an important tool for the world. If my report doesn't align, I apologize for that. The Curl_inet_ntop function is designed to convert IP addresses from binary format to human-readable string format, supporting both IPv4 and IPv6. It internally delegates to...

AI score 8.7 · Exploits: 0

Hacker One · added 2021/01/21 8:01 p.m. · 230 views

Enjin: Reset password policy isn't consistent with registration / change password policy.

The security researcher identified that the password policy on the reset password page wasn't consistent with the policy set forth on the registration and change password pages. The minimum length on the reset password page was only 6 characters, whereas the other pages require a minimum...

AI score 2.3 · Exploits: 0

Hacker One · added 2018/07/10 6:23 p.m. · 230 views

Pornhub: Reflect XSS on Mobile Search page

The user was able to exploit the 'search' parameter being reflected in the page body in order to execute reflected XSS within the context of Redtube. Many developers believe that adding slashes to double quotes can protect against XSS. However, in the DOM, adding slashes does not protect against XSS...

AI score 1.9 · Exploits: 0

Hacker One · added 2017/02/18 8:36 p.m. · 229 views

Open-Xchange: SSL Certification Expired And TLS Vulnerability

I found an expired SSL certificate at https://licenses.dovecot.fi/ I found vulnerability CVE-2016-2183 on lists.dovecot.fi. CVE-2016-2183 description: A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover...

CVSS 5 · AI score 0.2 · EPSS 0.95707 · Exploits: 7

Hacker One · added 2023/10/10 4:25 a.m. · 228 views

curl: [Critical] Curl CVE-2023-38545 vulnerability code changes are disclosed on the internet

Vulnerability description not provided...

CVSS 9.8 · AI score 9.3 · EPSS 0.78483 · Exploits: 6

Hacker One · added 2020/06/10 5:14 a.m. · 227 views

h1-ctf: [H1-2006 2020] Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or using a custom API attack tool

H1-2006 CTF Writeup F859938 Summary: Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of...

AI score 7.4 · Exploits: 0

Hacker One · added 2016/03/01 6:33 p.m. · 227 views

Pornhub: HTTP Track/Trace Method Enabled

Researcher identified that HTTP TRACE method was enabled...

Exploits: 0

Hacker One · added 2017/11/02 10:08 p.m. · 226 views

Internet Bug Bounty: Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse

Full background information is at krackattacks.com and all detailed information can be found in our research paper. Key Reinstallation Attack: 4-way handshake example We use the 4-way handshake to illustrate the idea behind key reinstallation attacks (CVE-2017-13077). Note that in practice, all...

CVSS 5.8 · AI score 6.7 · EPSS 0.04575 · Exploits: 1

Hacker One · added 2021/08/02 8:01 p.m. · 225 views

Mail.ru: [ii.worki.ru ] emarsys subdomain takeover

Hi team, I found a subdomain takeover vulnerability in the ii.worki.ru subdomain, which is delegated to emarsys.net and is vulnerable to takeover. CNAME: ████████ Name: ii.worki.ru Type: CNAME. When you visit https://ii.worki.ru it redirects to █████████, which is an emarsys.net servi...

AI score 2.2 · Exploits: 0

Hacker One · added 2020/01/22 4:10 a.m. · 225 views

h1-ctf: [h1-415 2020] Multiple vulnerabilities leading to leaking of secret user files

Hello, I'm just submitting both flags for CTF, will send my write up on hacker summary, since it's 7:00 am now :. Original flag for CTF: h1ctfy3s1mc0sm1cn0w Extra flag for unintended account takeover: h1ctfwtf1shapp3ningw1thth1ss1mulat1on Sincerely, @nukedx Impact By chaining multiple...

AI score 1.7 · Exploits: 0

Hacker One · added 2022/02/09 12:21 p.m. · 224 views

TikTok: IDOR delete any Tickets on ads.tiktok.com

An IDOR Insecure Direct Object Reference vulnerability was found on TikTok ads, through the "draftorderid" parameter which could have allowed an attacker to delete the support tickets of other users. We thank @datph4m for reporting this to our team and confirming its resolution...

AI score 3.3 · Exploits: 0

Hacker One · added 2020/01/21 11:32 p.m. · 224 views

h1-ctf: [h1-415 2020] finally

add or chars behind Jobert's email, which leaks on the login page 2. register a new account using that email 3. sign out and use the recover feature with the just generated qr code. this will get you into Jobert's account 3. head to /support and submit a blind XSS payload which extracts the...

AI score 6.2 · Exploits: 0

Hacker One · added 2019/12/05 2:58 p.m. · 224 views

Nord Security: DoS of https://nordvpn.com/ via CVE-2018-6389 exploitation

There is a possibility in the /wp-admin/load-scripts.php script to generate a large (3Mb) amount of data via a simple non-authenticated request to the server. The vulnerability is registered as https://vulners.com/cve/CVE-2018-6389 Details A detailed attack scenario is described for example here:...

CVSS 5 · AI score 7.4 · EPSS 0.73098 · Exploits: 11

Hacker One · added 2020/06/26 11:49 p.m. · 223 views

GitHub Security Lab: Java : CWE-548 - J2EE server directory listing enabled

This bug was reported directly to GitHub Security Lab...

AI score 1.4 · Exploits: 0

Hacker One · added 2020/02/18 3:32 a.m. · 223 views

Shopify: xss stored

A stored XSS is found in the customer notes; login is required. It is located in the customer notes field. POC https://macken22jorg.myshopify.com/admin/customers https://macken22jorg.myshopify.com/admin/customers/2901321318444...

AI score 0.9 · Exploits: 0

Hacker One · added 2020/02/03 6:00 p.m. · 223 views

Visma Bug Bounty Program: Unrestricted file upload when creating quotes allows for Stored XSS

An attacker is able to bypass the restrictions which limit user uploads to .PDF only. Utilizing this exploit, an attacker can upload malicious content to the web server. First the system checks the MIME-Type, and if it fails to match Content-Type: application/pdf then the upload won't be processe...

AI score 0.7 · Exploits: 0

Hacker One · added 2015/10/19 3:45 p.m. · 223 views

Whisper: Host Header Injection/Redirection

whisper.sh is vulnerable to host header injection because the host header can be changed to something outside the target domain (i.e. whisper.sh) and cause it to redirect to that domain instead, see below. Attack vectors are somewhat limited but depend on how the host header is used by the back-e...

AI score 7.4 · Exploits: 0

Hacker One · added 2021/01/19 12:51 p.m. · 222 views

Revive Adserver: Open redirect in ck.php and lg.php

An opportunity for open redirects has been available by design since the early versions of Revive Adserver's predecessors in the impression and click tracking scripts to allow third party ad servers to track such metrics when delivering ads. Historically the display advertising industry has...

CVSS 5.8 · AI score 1.2 · EPSS 0.66141 · Exploits: 3

Hacker One · added 2017/11/20 3:55 a.m. · 222 views

Nextcloud: SQL Injection found in NextCloud Android App Content Provider

Using Drozer, we identified com.nextcloud.client is vulnerable to Sql Injection here is output from drozer: dz run scanner.provider.injection -a com.nextcloud.client Scanning com.nextcloud.client... Not Vulnerable: content://com.nextcloud.android.providers.UsersAndGroupsSearchProvider...

CVSS 7.5 · AI score 1.4 · EPSS 0.02019 · Exploits: 0

Hacker One · added 2016/12/05 7:02 p.m. · 222 views

Pornhub: Unsecured Kibana/Elasticsearch instance

The researcher has found an insecure Kibana instance accessible to the public. A publicly accessible Kibana instance was identified. This vulnerability was discovered using the infrastructure monitoring platform BugLabs.me - http://buglabs.me...

AI score 0.9 · Exploits: 0

Total number of security vulnerabilities: 5000