HackerOne reports, sorted by most viewed

15369 matches found

Hacker One, added 2023/03/04 2:59 a.m., 221 views

Internet Bug Bounty: RCE vulnerability in apache-airflow-providers-apache-sqoop 3.1.0

A remote code execution vulnerability was found in the Apache Airflow Sqoop Provider before version 3.1.1, due to improper input validation in the libjars parameter, allowing attackers to execute arbitrary system commands on the machine performing the MR task...

CVSS 9.8, AI score 9.9, EPSS 0.01895, Exploits: 0
Hacker One, added 2019/08/29 1:48 p.m., 221 views

Internet Bug Bounty: Linux kernel: CVE-2017-7308: a signedness issue in AF_PACKET sockets

Hi! CVE-2017-7308 is a vulnerability I found in the Linux kernel caused by a signedness issue in AF_PACKET sockets. It can be exploited to gain kernel code execution from an unprivileged process. The kernel has to be built with CONFIG_PACKET for the vulnerability to be present. A lot of modern...

CVSS 7.2, AI score 7.9, EPSS 0.17827, Exploits: 17
Hacker One, added 2017/01/18 6:23 p.m., 221 views

Nextcloud: Nextcloud.com is vulnerable to SWEET32 attack

Researchers have found a new attack against the 3DES-CBC cipher in TLS, with which they can decrypt customer data using a method called the SWEET32 Birthday Attack. This vulnerability has been assigned CVE-2016-2183 and has a CVSS score of 5.0. This vulnerability can be found manually by simply using the nmap script: nmap -Pn -p...

CVSS 5, AI score 6.8, EPSS 0.95707, Exploits: 7
Hacker One, added 2023/07/27 7:20 a.m., 220 views

Daimler Truck: Blind xss at https://homologation.omniplus.com/

Hello team, I have found a blind XSS that leads to an admin panel being exposed with cookie. Steps To Reproduce: 1- Navigate to https://homologation.omniplus.com/ 2- You will face a submit form containing 6 pages 3- At each input field you have to put your blind XSS payload; for me, I used xss.report, just go there an...

AI score 7, Exploits: 0
Hacker One, added 2020/01/23 6:00 a.m., 220 views

h1-ctf: [h1-415 2020] Chain of vulnerabilities leading to account takeover and unauthorized access of sensitive internal resources

Note: Please read this report as "An attacker taking over a customer's account" and not as "helping Jobert recover his document". Summary: Chaining the following issues lets an attacker access sensitive information: 1. Exposure of customer email and regex logic error leading to account takeover ...

AI score 0.1, Exploits: 0
Hacker One, added 2017/08/23 6:10 p.m., 220 views

GSA Bounty: Information disclosure (system username) in the x-amz-meta-s3cmd-attrs response header on federation.data.gov

Description: Hi. I just noticed that you have extended the scope of the bounty program. I looked at the first resource, https://federation.data.gov/, and noticed that the x-amz-meta-s3cmd-attrs response header returns sensitive information, like the system username:...

AI score 6.8, Exploits: 0
Hacker One, added 2017/06/21 11:35 a.m., 220 views

Paragon Initiative Enterprises: Non-secure requests are not automatically upgraded to HTTPS

Non-secure requests to bridge.cspr.ng e.g. http://bridge.cspr.ng/ are not automatically upgraded to HTTPS. This is not something you would notice when you use the latest version of modern web browsers such as Google Chrome or Firefox, because bridge.cspr.ng is HSTS preloaded. When a domain is...

AI score 6.6, Exploits: 0
Hacker One, added 2017/06/07 11:28 p.m., 220 views

Nextcloud: ci.nextcloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)

Hello Team Nextcloud, in reference report 217381 I reported the DDoS attack via the DNS port at ownCloud, and it was successfully patched. But now I got the same issue at ci.nextcloud.com. Proof Of Concept: Here is the nmap result for ci.nextcloud.com. Nmap Scan Results: Starting Nmap 7.40...

CVSS 7.8, AI score 7.4, EPSS 0.91284, Exploits: 12
Hacker One, added 2016/08/17 8:41 a.m., 220 views

Mail.ru: [realty.mail.ru] XSS, SSI Injection

XSS === PoC: Open with Internet Explorer: https://blackfan.ru/x?r=https://realty.mail.ru/%22--%3e%3csvg/onload=alertdocument.domain%3e/%252e%252e Request: GET /"--/.. HTTP/1.1 Host: realty.mail.ru Connection: close SSI Injection === PoC: The Request-URI also ends up in the SSI code: GET //"-- HTTP/1.1...

AI score 7.1, Exploits: 0
Hacker One, added 2021/10/19 6:21 p.m., 220 views

SHEIN: RCE via npm misconfig -- installing internal libraries from the public registry

The following node package has been installed on at least one SHEIN-owned build/development server directly from the public npm registry: https://www.npmjs.com/package/shineout-mobile This package should normally be downloaded from the internal SHEIN registry, but a misconfiguration appears to ha...

AI score 7.6, Exploits: 0
Hacker One, added 2020/03/21 4:40 p.m., 219 views

PlayStation: Use-After-Free In IPV6_2292PKTOPTIONS leading To Arbitrary Kernel R/W Primitives

Summary: Due to missing locks in option IPV6_2292PKTOPTIONS of setsockopt, it is possible to race and free the struct ip6_pktopts buffer while it is being handled by ip6_setpktopt. This structure contains pointers (ip6po_pktinfo) that can be hijacked to obtain arbitrary kernel R/W primitives. As a...

AI score 1.5, Exploits: 0
Hacker One, added 2019/12/18 9:54 p.m., 219 views

MTN Group: SQL Injection on cookie parameter

Summary: Hello team. It seems one of the parameters in the cookies is vulnerable to SQL injection. The request below has the lang parameter in the cookies. If you inject one quote mark like ', you get a SQL syntax error. By injecting a second one, the error is removed. I did not attempt to...

AI score 1, Exploits: 0
Hacker One, added 2019/08/20 2:14 p.m., 219 views

Internet Bug Bounty: mod_http2, memory corruption on early pushes (CVE-2019-10081)

HTTP/2 very early pushes, for example configured with H2PushResource, could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client. Scenarios where an attacker may be ab...

CVSS 5, AI score 8.9, EPSS 0.14563, Exploits: 1
Hacker One, added 2017/07/02 3:00 p.m., 218 views

WakaTime: JSON CSRF on POST Heartbeats API

Thanks @sp1d3rs! The WakaTime API used JSON for communications and supported cookie-based authentication/CSRF protection on https://api.wakatime.com. Usually, JSON is CSRF-safe, but only when requests with a content-type other than application/json get rejected or additional CSRF protection is in plac...

AI score 7.1, Exploits: 0
Hacker One, added 2021/08/26 1:18 p.m., 217 views

MTN Group: Password reset token leak on third party website via Referer header [cloudivr.mtnbusiness.com.ng]

Summary: F1426175 It has been identified that the application is leaking the referrer token to third-party sites. In this case it was found that the password reset token is being leaked to third-party sites, which is an issue knowing the fact that it can allow any malicious users to use the token and...

AI score 7, Exploits: 0
Hacker One, added 2021/02/24 3:52 p.m., 217 views

U.S. Dept Of Defense: Blind Stored XSS on ███████ leads to takeover admin account

Hello Team, I am Hemant Patidar, working as a security researcher, and I found a bug in your site. The report of the bug is as follows:- Vulnerable URL: https://████████/ Description: I have found that various fields of the profile page are not properly configured to wipe out HTML tags and JavaScript code...

AI score 6.2, Exploits: 0
Hacker One, added 2020/01/15 1:48 p.m., 217 views

Kubernetes: No valid SPF record found

Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more...

AI score 7.1, Exploits: 0
Hacker One, added 2016/03/17 8:24 a.m., 217 views

New Relic: Insecure transition from HTTP to HTTPS in form post

Vulnerability description:- This form is served from an insecure HTTP page. This page could be hijacked using a man-in-the-middle attack, and an attacker can replace the form target. This vulnerability affects:- /selfies/submit. Attack details:- Form name: "form144" Form action:...

AI score 0.1, Exploits: 0
Hacker One, added 2021/03/22 10:15 a.m., 216 views

HackerOne: Race condition allows to send multiple times feedback for the hacker

Summary: Hello team! We've found out that programs should be able to send feedback only once per report, which is very logical. However, the program user is able to send multiple parallel requests, which leads to a race condition and sends multiple feedbacks to the hacker...

AI score 7.2, Exploits: 0
Hacker One, added 2021/03/19 5:31 p.m., 216 views

Rocket.Chat: Post-Auth Blind NoSQL Injection in the users.list API leads to Remote Code Execution

Summary: The users.list API endpoint is vulnerable to NoSQL injection attacks. It can be used to take over accounts by leaking password reset tokens and 2FA secrets. Taking over an admin account leads to Remote Code Execution. Description: The users.list API endpoint takes a custom query via the...

CVSS 7.5, EPSS 0.02265, Exploits: 1
Hacker One, added 2020/09/10 4:06 a.m., 216 views

Shopify: xss triggered in "myshopify.com/admin/product"

I tried to make a product description and add the XSS script in the paragraph. Steps for reproduction: 1. Create a new product 2. Enter XSS in the product description paragraph, such as; nameproduct Impact: XSS can be triggered...

AI score 1.1, Exploits: 0
Hacker One, added 2018/09/30 3:22 p.m., 216 views

Chaturbate: A 10GB file is reachable

Summary: A 10GB file is accessible on the following server: http://edge193.stream.highwebmedia.com:8080/. Steps To Reproduce: 1. Open the following link: http://edge193.stream.highwebmedia.com:8080/download Additional notes: I tried to download the file and analyze it, but after 20 seconds the...

AI score 1, Exploits: 0
Hacker One, added 2018/06/30 2:33 p.m., 216 views

HackerOne: Blind SSRF on errors.hackerone.net due to Sentry misconfiguration

Summary: When setting up Sentry you should turn off "source code scraping". If it is turned on, then the server that has Sentry on it will make blind GET requests anywhere, controlled from outside via error reporting. Description: Hello HackerOne team. In your CSP I found the ?sentry_key parameter, so I...

AI score 7.2, Exploits: 0
Hacker One, added 2025/04/07 9:59 p.m., 215 views

Hostinger: 1 Click Account Takeover via Auth Token Theft on marketing.hostinger.com

The vulnerability discovered in the marketing.hostinger.com subdomain allowed for one-click account takeover through the theft of authentication tokens. An attacker could exploit the whitelisted redirect functionality of the subdomain to steal a victim's authentication token, which could then be...

AI score 7.4, Exploits: 0
Hacker One, added 2024/11/27 4:13 p.m., 215 views

TikTok: Unauthorized Access to TikTok Account [Private Videos] via API Endpoint

The vulnerability on a TikTok endpoint that allowed unauthorized viewing of videos from private accounts was discovered and reported by @datph4m. The issue was subsequently remediated...

AI score 7, Exploits: 0
Hacker One, added 2022/10/14 1:29 p.m., 215 views

MTN Group: Wordpress users Disclosure [ /wp-json/wp/v2/users/ ]

Summary: Using the REST API, we can see all the WordPress users/authors with some of their information, which can even be personal information of employees/authors. The file v2/users at https://www.mtn.com/wp-json/wp/v2/users/ is enabled, and this gives the attacker many user names like: Amogelang...

AI score 6.8, Exploits: 0
Hacker One, added 2021/08/27 8:10 p.m., 215 views

Uber: Google Maps API Key Leakage

Google allows developers/vendors to restrict the usage of these keys in several different ways, as can be read here: https://developers.google.com/maps/api-key-best-practices...

AI score 0.5, Exploits: 0
Hacker One, added 2021/08/03 4:11 p.m., 215 views

Basecamp: Password reset link not expiring after changing password in settings

@blackbibin reported password reset link not expiring when password was updated from an active session, by going to the Account's Login & Security setting. We were only expiring password reset links when the password was updated through a password reset request. Now we expire password reset links...

AI score 1.3, Exploits: 0
Hacker One, added 2021/03/11 4:29 p.m., 215 views

GitHub Security Lab: [Java] CWE-327: Add more broken crypto algorithms

This bug was reported directly to GitHub Security Lab...

AI score 1.3, Exploits: 0
Hacker One, added 2020/06/04 8:41 p.m., 215 views

GitHub Security Lab: CodeQL query to detect open Spring Boot actuator endpoints

This bug was reported directly to GitHub Security Lab...

AI score 1.4, Exploits: 0
Hacker One, added 2020/05/08 7:45 a.m., 215 views

Node.js: Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests

Summary: Node.js is vulnerable to HTTP denial of service (DoS) attacks based on delayed request submission, which can make the server unable to accept new connections. Description: An attacker can open an arbitrary number of HTTP connections and keep the server busy by never completing the request...

CVSS 5, EPSS 0.08794, Exploits: 0
Hacker One, added 2021/05/21 11:46 a.m., 214 views

Open-Xchange: Command Injection via STARTTLS in SMTP

During our research into the security of email servers at Münster University of Applied Sciences, we found a command injection vulnerability related to STARTTLS in Dovecot. See the attached advisory for details. The vulnerability allows a MITM attacker between a mail client and Dovecot to inject...

CVSS 5.8, AI score 2.5, EPSS 0.02837, Exploits: 0
Hacker One, added 2023/03/17 2:58 p.m., 213 views

Internet Bug Bounty: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting (CVE-2023-27522)

A vulnerability was found in Apache HTTP Server's mod_proxy_uwsgi, affecting versions 2.4.30 through 2.4.55. The issue allowed special characters in the origin response header to truncate or split the response forwarded to the client, potentially resulting in security headers being ignored by the...

CVSS 7.5, AI score 8.6, EPSS 0.02134, Exploits: 0
Hacker One, added 2020/01/12 5:42 p.m., 213 views

8x8: Disclosure of Users Information On Wordpress Api [https://jitsi.org/]

Jitsi was running a default WordPress site that had not yet been hardened to prevent user enumeration via the API...

AI score 1.6, Exploits: 0
Hacker One, added 2017/08/25 9:10 a.m., 215 views

New Relic: Internal Ports Scanning via Blind SSRF

Introduction: I found a Blind SSRF issue that allows scanning internal ports. How to reproduce: Go to https://rpm.newrelic.com/accounts//notificationchannels?type=WebhookIntegration F215718 Fill in the input. In the webhook URL section, fill in: http://:/. Send the request. Look at the response. If...

AI score 0.2, Exploits: 0
Hacker One, added 2016/12/03 8:23 p.m., 213 views

LocalTapiola: /icons/README available on viestinta.lahitapiola.fi

Basic report information. Summary: Informational message that the file http://viestinta.lahitapiola.fi/icons/README exists. Description: http://viestinta.lahitapiola.fi/icons/README exists. Domain: http://viestinta.lahitapiola.fi/ Browsers / Apps Verified In: any browser, any client. Steps To...

AI score 7.1, Exploits: 0
Hacker One, added 2015/02/10 1:00 a.m., 213 views

Ruby on Rails: JSON keys are not properly escaped

Rails does not escape hash keys properly in to_json when generating JSON. Values are escaped as expected: irb(main):001:0> {"a"=>"<>"}.to_json => "{\"a\":\"\u003c\u003e\"}" However, keys are not: irb(main):002:0> {"<>"=>"a"}.to_json => "{\"<>\":\"a\"}" This is because the json gem calls .to_s on the keys here, which...

CVSS 4.3, AI score 0.1, EPSS 0.0278, Exploits: 0
Hacker One, added 2014/04/08 6:46 p.m., 213 views

ReddAPI: Login page password-guessing attack

Hello team of Reddapi! Here to report a vulnerability on your site. Affected site: www.reddapi.com Vulnerability: Login page password-guessing attack Severity: Low. Vulnerability description: A brute-force attack is an attempt to discover a password by systematically trying every possible...

AI score 0.3, Exploits: 0
Hacker One, added 2025/02/27 10:56 a.m., 212 views

XVIDEOS: Enable 2FA without verifying the email

A vulnerability in xvideos.com allows an attacker to register using victim email addresses which are unverified. This can be further exploited to enable two-factor authentication (2FA), permanently locking the victim out of their own email account. This results in a denial-of-service attack against...

AI score 7.1, Exploits: 0
Hacker One, added 2020/08/05 10:21 a.m., 212 views

U.S. Dept Of Defense: CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.

Summary: The affected IP: █████ Here is the PoC of CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower. For example, to read the "/+CSCOE+/portal_inc.lua" file: ████/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ Suggested...

CVSS 5, AI score 1.2, EPSS 0.99992, Exploits: 24
Hacker One, added 2020/06/26 12:31 p.m., 212 views

Kubernetes: Private IP addresses Disclosure

The following URL leaks the private IP addresses:- kubernetes.io/feed.xml The following server's cluster RFC 1918 IP addresses were disclosed in the response: • 10.1.2.3 • 10.104.207.136 • 10.224.0.0 • 10.250.0.0 • 10.250.112.0 • 10.250.96.0 • 10.55.252.216 • 10.96.0.0 • 10.96.0.1 • 10.96.15.180 ...

AI score 1.8, Exploits: 0
Hacker One, added 2020/05/21 3:34 p.m., 212 views

Node.js third-party modules: Bypass of SSRF Vulnerability

Bypass of SSRF report https://hackerone.com/reports/793704 The fix applied after the original report did not prevent the SSRF issue: https://github.com/TryGhost/Ghost/commit/47739396705519a36018686894d1373e9eb92216#diff-3aa52b4b8c6e0fb8422de65648e35887R101 The function fetchOembedData only...

AI score 0.7, Exploits: 0
Hacker One, added 2020/05/11 11:33 a.m., 212 views

Palo Alto Software: Unauthorised access to pagespeed global admin at https://webtools.paloalto.com/

Summary: I came across this subdomain, https://webtools.paloalto.com/, which caught my attention; after a bit of enumeration I found an endpoint which allows anyone to access PageSpeed Global Admin without any type of authentication. Vulnerable URL: https://webtools.paloalto.com/pagespeed-global-admin/...

AI score 1.1, Exploits: 0
Hacker One, added 2019/10/05 6:35 a.m., 212 views

Liberapay: Full Path disclosure on 500 error

On manipulating the cookie + parameter: gitHub, a 500 error is returned that discloses the path of Python files. Error below: Traceback (most recent call last): File "/opt/python/run/venv/local/lib/python3.6/site-packages/state_chain.py", line 328, in loop new_state = function(**deps.as_kwargs) File...

AI score 0.7, Exploits: 0
Hacker One, added 2019/09/07 11:24 p.m., 212 views

MariaDB: scripts loader (denial of service) vulnerability

1. Vulnerability description: WordPress allows users to load multiple JS files and CSS files through the load-scripts.php file at once. For example, with https://wpwebsite.com/wp-admin/load-scripts.php?c=1&load=jquery-ui-core,editor&ver=4.9.1, the file load-scripts.php will load the jquery-ui-core and editor files...

CVSS 5, AI score 0.2, EPSS 0.73098, Exploits: 11
Hacker One, added 2022/03/06 3:45 a.m., 211 views

Node.js: HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding

Summary: The llhttp parser in the http module in Node v17.6.0 does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). Description: When Node receives the following request: GET / HTTP/1.1 Transfer-Encoding: chunked , identity 1 a 0 it...

CVSS 6.4, AI score 7.5, EPSS 0.68796, Exploits: 1
Hacker One, added 2020/06/18 6:15 p.m., 211 views

Mail.ru: SMTP Header Injection at http://abonement.ucs.ru

It was possible to abuse the functionality of abonement.ucs.ru to send messages to arbitrary e-mail addresses via a CRLF injection vulnerability...

AI score 1.9, Exploits: 0
Hacker One, added 2016/12/09 9:03 a.m., 211 views

Quora: [controlsyou.quora.com] 429 Too Many Requests Error-Page XSS

Summary: XSS on the error page when the user makes too many requests. Steps To Reproduce: 1. Make a lot of requests to get the 429 error 2. Open the PoC in Firefox: https://controlsyou.quora.com/'-alertdocument.domain-' HTTP Response ... ga'set', 'dimension1', 'board-'-alertdocument.domain-''; ga'set',...

AI score 1.3, Exploits: 0
Hacker One, added 2021/05/18 12:31 p.m., 210 views

Nextcloud: Admin audit is not properly logging unsetting of expiration date

In relation to https://hackerone.com/reports/1177353: 1. Enable the audit log 2. Share a file 3. Set an expiration date (so far all looks good in the log) 4. Unset the expiration date 5. See a pretty useless log line. Impact: The audit log is used to get a full trail of the actions, which is now...

CVSS 2.1, AI score 5.7, EPSS 0.00355, Exploits: 0
Hacker One, added 2016/03/30 2:36 a.m., 210 views

Uber: Pixel flood attack in https://riders.uber.com/profile

Hi, it is the exact issue described here: https://hackerone.com/reports/390 where uploading lottapixel.jpg causes your service to time out: HTTP/1.1 504 Gateway Time-out Server: nginx Date: Wed, 30 Mar 2016 02:29:22 GMT Content-Type: text/html; charset=utf-8 Content-Length: 13928 Connection:...

AI score 0.2, Exploits: 0
Total number of security vulnerabilities: 5000