HackerOne reports, sorted by most viewed

15365 matches found

Hacker One, added 2014/09/24 12:00 a.m., 209 views

Internet Bug Bounty: GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability

GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment which enables network-based exploitation. Original disclosure:...

CVSS 10, AI score 9.7, EPSS 0.99999, Exploits: 130
Hacker One, added 2022/07/26 11:15 a.m., 208 views

Uber: Golang expvar Information Disclosure

Package expvar provides a standardized interface to public variables, such as stack trace information and operation counters in servers...

AI score 3.6, Exploits: 0
Hacker One, added 2020/06/11 7:34 p.m., 208 views

GitHub Security Lab: Java: CWE-297 Insecure JavaMail SSL configuration

This bug was reported directly to GitHub Security Lab...

AI score 1.2, Exploits: 0
Hacker One, added 2018/04/07 4:44 p.m., 208 views

Open-Xchange: Blind XXE via Powerpoint files

Summary: During the parsing of Powerpoint files it seems that it is possible to include an XXE payload which will be executed on the Open-XChange server. I was able to identify which files exist on the server, and cause the server to make arbitrary requests to my own server, and I am pretty sure it is al...

AI score 0.5, Exploits: 0
Hacker One, added 2023/01/18 11:07 p.m., 207 views

ownCloud: Remote Code Execution on ownCloud instances with ImageMagick installed

A vulnerability in ownCloud instances with ImageMagick installed allowed attackers to execute arbitrary code on the system by uploading a specially crafted file and knowing the file path of a previously uploaded file. The vulnerability was due to the usage of ImageMagick for preview generation fo...

AI score 7.9, Exploits: 0
Hacker One, added 2022/04/21 3:20 p.m., 207 views

curl: CVE-2022-27776: Auth/cookie leak on redirect

Summary: Curl can be coaxed to leak Authorisation / Cookie headers by redirecting request to http:// URL on the same host. Successful exploitation requires that the attacker can either Man-in-the-Middle the connection or can access the traffic at the recipient side for example by redirecting to a...

CVSS 4.3, AI score 0.7, EPSS 0.03425, Exploits: 2
Hacker One, added 2021/07/03 1:50 p.m., 207 views

New Relic: Verification Link not expiring leading to Account Takeover.

@bbunnny reported that verification links that are sent out on account creation can be used to access a victim's account until those links have expired. As access to those links requires that an attacker have access to the victim's email, this issue is out of scope for our program...

AI score 2.4, Exploits: 0
Hacker One, added 2016/12/22 8:40 a.m., 207 views

Zendesk: SMTP user enumeration via mail.zendesk.com

Several methods exist that can be used to ██████████ SMTP to enumerate valid usernames and addresses; namely VRFY, EXPN, and RCPT TO. mail.zendesk.com does not reply to EXPN or RCPT TO so we will concentrate on VRFY in this report. The VRFY command will request that the receiving SMTP server veri...

AI score 7.2, Exploits: 0
Hacker One, added 2016/06/24 5:50 a.m., 207 views

Zomato: Clickjacking login page of http://book.zomato.com/

The login page on book.zomato.com http://book.zomato.com/account/login.aspx is vulnerable to a clickjacking attack. Reproduction steps: 1. Paste the following HTML into a text editor and save the file as .html 2. Open the file in a web browser 3. Note that the iframe appears with the login page...

AI score 2.1, Exploits: 0
Hacker One, added 2021/12/31 12:55 a.m., 206 views

U.S. Dept Of Defense: ███ ████████ running a vulnerable log4j

Report Description: https://vulners.com/cve/CVE-2021-44228 Impact Probably arbitrary code execution System Hosts ███████ Affected Products and Versions CVE Numbers CVE-2021-44228 Steps to Reproduce 1. Browse to https://██████████/█████████https%3A%2F%2F███%2F 2. Enter a...

CVSS 9.3, AI score 0.1, EPSS 0.99999, Exploits: 348
Hacker One, added 2021/03/04 9:27 p.m., 206 views

GitHub Security Lab: Java : Add query to detect Apache Struts enabled Development mode

This bug was reported directly to GitHub Security Lab...

AI score 1.6, Exploits: 0
Hacker One, added 2020/10/31 6:24 p.m., 206 views

Acronis: [acronis.secure.force.com] - Insecure Salesforce default/custom object permissions leads to information disclosure

Hi there, I know that this domain https://acronis.secure.force.com is not listed in scope but I thought it would be a good idea to share this finding with you because this endpoint is leaking internal information/meetings. Target: The Salesforce instance at https://acronis.secure.force.com...

Exploits: 0
Hacker One, added 2020/03/03 12:07 a.m., 206 views

Node.js third-party modules: [notevil] - Sandbox Escape Lead to RCE on Node.js and XSS in the Browser

I would like to report a sandbox escape / code injection vulnerability in notevil. It allows an attacker to escape the intended sandbox and execute javascript code in the global context, meaning that he/she can achieve arbitrary command execution RCE when running in nodejs and cross site scriptin...

AI score 0.3, Exploits: 0
Hacker One, added 2019/12/21 3:32 p.m., 206 views

Zomato: Free food bug done by burp suite

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: By this...

AI score 0.3, Exploits: 0
Hacker One, added 2019/12/19 1:25 a.m., 206 views

Stripo Inc: stripo blog search SQL Injection

Summary: SQL injection of search parameters at blog search request Steps To Reproduce: 1. request https://stripo.email/blog/search/ 2. input search 1' AND SELECT 6268 FROM SELECTSLEEP5ghXo AND 'IKlK'='IKlK 3. See a very large response delay Supporting Material/References: See attached screenshot...

AI score 0.5, Exploits: 0
Hacker One, added 2019/08/29 2:08 p.m., 206 views

Internet Bug Bounty: Linux kernel: CVE-2017-1000112: a memory corruption due to UFO to non-UFO path switch

Hi! CVE-2017-1000112 is a vulnerability I found in the Linux kernel caused by a UFO to non-UFO path switch for UFO packets. It can be exploited to gain kernel code execution from an unprivileged process. This vulnerability was reported to [email protected] and linux-distros@ following the...

CVSS 6.9, AI score 7.7, EPSS 0.20797, Exploits: 19
Hacker One, added 2016/01/25 1:01 p.m., 206 views

Gratipay: grtp.co is vulnerable to http-vuln-cve2011-3192

Vulnerability I have found! | http-vuln-cve2011-3192: | VULNERABLE: | Apache byterange filter DoS | State: VULNERABLE | IDs: CVE:CVE-2011-3192 OSVDB:74721 | The Apache web server is vulnerable to a denial of service attack when numerous | overlapping byte ranges are requested. | Disclosure date:...

CVSS 7.8, AI score 0.6, EPSS 0.98945, Exploits: 17
Hacker One, added 2020/06/15 10:46 a.m., 205 views

Shopify: GraphQL AdminGenerateSessionPayload is leaked to staff with no permission

@hiffley reported the ability to generate app tokens via the adminGenerateSession mutation in Shopify Admin, as a staff member with no permissions. This allowed for accessing a small subset of installed apps that are using this new flow including Shopify Email. Access was limited to the current...

AI score 1.9, Exploits: 0
Hacker One, added 2019/10/24 6:27 p.m., 205 views

Internet Bug Bounty: CVE-2019-11043: a buffer underflow in fpm_main.c can lead to RCE in php-fpm

The vulnerability exists in php-fpm because of a missing bounds check in fpm_main.c. If the FastCGI variable PATH_INFO is empty, the underflow happens when the code tries to calculate the value of the path_info variable. An invalid pointer in path_info leads to a single byte out-of-bounds write, which...

CVSS 7.5, AI score 8.1, EPSS 0.9947, Exploits: 54
Hacker One, added 2018/06/18 12:08 p.m., 205 views

Udemy: [engineering.udemy.com] - Subdomain Takeover (ghost.io)

Hi Security Team, Found that DNS record of engineering.udemy.com domain was pointing to inactive ghost.io instance. So when we visit https://engineering.udemy.com we will be notified that site doesn't exist. F310092 $ host engineering.udemy.com engineering.udemy.com is an alias for...

AI score 6.7, Exploits: 0
Hacker One, added 2016/10/27 7:22 a.m., 205 views

InVision: CORS Man-in-the-Middle account compromise

Description ==================== The invisionapp application implements HTTPS correctly by redirecting any HTTP traffic to HTTPS; this prevents, for example, the person sitting in the same office or home as you, or someone on the same open-wireless network as you e.g. McDonalds or airport, from...

AI score 6.7, Exploits: 0
Hacker One, added 2022/11/03 6:18 p.m., 203 views

XVIDEOS: Self-XSS on Suggest Tag dialog box

Summary: Stored cross-site scripting arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. Vulnerable URL: https://www.xvideos.com/video57921571/friendb.ifd. Vulnerability Description: The application has an add ta...

AI score 5.3, Exploits: 0
Hacker One, added 2020/09/12 9:34 p.m., 203 views

Kaspersky: [Fixed] KIS for macOS is vulnerable to AV bypass due to improper client authorization on XPC service

Note! Thank you for your report. For the purposes of the further analysis of the vulnerability, that you kindly report to us, could you please fill all fields in square brackets. This information will help us to respond you more quickly and triage your report. Thanks a lot for your assistance...

CVSS 2.1, AI score 0.7, EPSS 0.00217, Exploits: 0
Hacker One, added 2020/06/21 2:15 a.m., 203 views

Ruby on Rails: Open Redirect (6.0.0 < rails < 6.0.3.2)

Hello, I was looking at the change log https://github.com/rails/rails/commit/2121b9d20b60ed503aa041ef7b926d331ed79fc2 for CVE-2020-8185 and found another problem existed. https://github.com/rails/rails/blob/v6.0.3.1/actionpack/lib/action_dispatch/middleware/actionable_exceptions.rb#L21 ruby redirect...

CVSS 4.3, AI score 6.5, EPSS 0.70717, Exploits: 1
Hacker One, added 2019/05/10 8:15 p.m., 203 views

Shipt: Multiple Subdomain Takeovers: fly.staging.shipt.com, fly.us-west-2.staging.shipt.com, fly.us-east-1.staging.shipt.com

A researcher identified 3 different abandoned subdomain CNAME records that pointed to a 3rd party service fly.io that Shipt had recently stopped using. Upon receiving the report, the Shipt information security team responded quickly and resolved the issue by removing the stale DNS records...

AI score 2.2, Exploits: 0
Hacker One, added 2016/01/07 5:10 a.m., 203 views

HackerOne: Signals get affected once reports closed as self

According to your documentation "https://hackerone.com/blog/introducing-signal-and-impact" (Examples, Activity/Reputation: Report self-closed as N/A: 0), this means Signals are not affected. But in our case Signal was affected by self-closed reports. Signals don't take the 0 baseline into consideration for...

AI score 0.9, Exploits: 0
Hacker One, added 2022/11/03 5:28 a.m., 202 views

Linktree: Account takeover - improper validation of jwt signature (with regards to experiation date claim)

Some backend services did not properly validate JWTs. As a result JWT validation could be bypassed by setting the expiration date claim to a unix timestamp in the past, and abusing this for account takeover. The expiration date claim of the JWT token was not properly handled. I was able to bypass...

AI score 1.3, Exploits: 0
Hacker One, added 2021/11/22 9:44 a.m., 202 views

Dropbox: Full Response SSRF via Google Drive

This researcher pointed out that HelloSign's Google Drive doc export feature had a URL parsing issue that could allow extra parameters to be passed to Google Drive API. By making use of an extra parameter in the Google Drive API, it was possible for researchers to force HelloSign to parse externa...

AI score 0.1, Exploits: 0
Hacker One, added 2020/07/24 5:12 a.m., 202 views

U.S. Dept Of Defense: https://█████ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability

Summary: https://████████ is vulnerable to a Read-Only Path Traversal Vulnerability Description: Get request parameters at the /+CSCOT+/translation-table and the /+CSCOT+/oem-customization are not properly sanitized which allows for reading files within the webroot directory that are not intended...

CVSS 5, AI score 7.4, EPSS 0.99992, Exploits: 24
Hacker One, added 2020/06/15 6:09 p.m., 202 views

Shopify: Password reset link not expired at Stocky App

You can use password reset link to reset password multiple times. Steps: 1. Go to https://stocky.shopifyapps.com/users/forgottenpassword and Send the password reset link to your email. if this page doesn't appear you should add login details via this https://stocky.shopifyapps.com/preferences/use...

AI score 7.2, Exploits: 0
Hacker One, added 2019/12/19 2:26 p.m., 202 views

Keybase: SOP bypass using browser cache

Summary An attacker has the ability to extract sensitive information from user's accounts, due to a CORS issue. On a minor note, this also is a cross-site leak as we can fingerprint what exact keybase user has accessed the attacker's website. Information disclosed:...

AI score 0.1, Exploits: 0
Hacker One, added 2014/03/02 7:24 a.m., 202 views

Slack: State parameter missing on google OAuth

Hi, State parameter i.e anti-csrf token to prevent session hijacking attacks is missing on Google OAuth i.e...

AI score 1.2, Exploits: 0
Hacker One, added 2021/08/23 1:28 p.m., 201 views

Tor: Information Exposure Through Directory Listing

Vulnerability description The web server is configured to display the list of files contained in this directory. This is not recommended because the directory may contain files that are not normally exposed through links on the web site. Link as POC: https://www.torproject.org/static/...

AI score 7, Exploits: 0
Hacker One, added 2021/05/07 8:48 p.m., 201 views

Sifchain: Vulnerable javascript dependency at Main domain

Hello, Issue detail, Burp observed 1 outdated JavaScript libraries with 4 known vulnerabilities. Burp detected bootstrap version 4.0.0, which has the following vulnerabilities: CVE-2019-8331: XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2018-14041: XSS in...

CVSS 4.3, AI score 6.2, EPSS 0.1686, Exploits: 4
Hacker One, added 2020/10/13 3:27 p.m., 201 views

Uber: RCE via npm misconfig -- installing internal libraries from the public registry

The hacker spotted some orphaned references to Uber-branded Node.js library packages and claimed them on the public NPM registry to run their own proof-of-concept code. Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies...

AI score 2.4, Exploits: 0
Hacker One, added 2020/08/20 9:47 p.m., 201 views

GitHub Security Lab: Java: CWE-522 Insecure basic authentication

This bug was reported directly to GitHub Security Lab...

AI score 1.4, Exploits: 0
Hacker One, added 2020/08/02 5:13 a.m., 202 views

Ruby on Rails: XSS by file (Active Storage `Proxying`)

Hello, I've seen similar issues with 407319 and 429868 occur with Active Storage's new File serving strategies Proxying. Commit is https://github.com/rails/rails/commit/dfb5a82b259e134eac89784ac4ace0c44d1b4aee. ruby...

AI score 0.1, Exploits: 0
Hacker One, added 2017/04/24 10:25 a.m., 201 views

Ruby: Escape sequence injection vulnerability in WEBrick BasicAuth

WEBrick BasicAuth outputs any non-existing user name to logs without sanitizing. By exploiting this, an attacker can inject malicious escape sequences into its logs. This issue is exactly the same as the old, already-fixed vulnerability. How to reproduce: 1 Run this WEBrick server program in a...

CVSS 9.3, AI score 0.1, EPSS 0.16412, Exploits: 0
Hacker One, added 2017/04/20 3:43 p.m., 201 views

Pornhub: Mixed Reflected-Stored XSS on pornhub.com (without user interaction) in the playlist playing section

The researcher discovered a temporarily cached stored XSS using the playlist function of the website. I discovered a Reflected XSS under the PornHub playlists and reported it. Some time after, I noticed, that Reflected XSS using the pkey parameter of the playlist, e.g...

AI score 6, Exploits: 0
Hacker One, added 2016/10/22 2:18 a.m., 201 views

Starbucks: CSRF: add item to victim's cart automatically (starbucks.com - updatecart)

Steps: 1. Victim logs into their Starbucks account first. 2. Attacker sends a form/link to the victim. 3. If the victim clicks the form/link, an item is automatically added to the victim's cart. 4. If the victim does not notice this item, he/she would pay for this item, which can greatly influence your reputation. Attached...

AI score 3.6, Exploits: 0
Hacker One, added 2023/01/25 7:04 p.m., 200 views

Internet Bug Bounty: Argo CD reconciles apps outside configured namespaces when sharding is enabled

An authorization bypass vulnerability was found in Argo CD versions 2.5.0-rc1 and later, allowing a malicious user to deploy applications outside of the configured allowed namespaces when sharding is enabled. The vulnerability was triggered when an application was updated, and the controller...

CVSS 8.5, AI score 8.2, EPSS 0.0078, Exploits: 0
Hacker One, added 2020/12/28 10:56 p.m., 200 views

h1-ctf: Hacky Holidays Writeup

On December 12th, 2020, the CTF became live and the scope that we are allowed to attack was In Scope Domain - hackyholidays.h1ctf.com Our main motive was to infiltrate his network and take him down. The challenges appeared one by one till 24th of December. Here we will be going through all the...

AI score 6.9, Exploits: 0
Hacker One, added 2020/07/22 11:21 p.m., 200 views

Yelp: JDBC credentials leaked via github

Summary: JDBC credentials found on a public GitHub repo. Whether the repo belongs to Yelp or not, there is a doubt. I have found much more sensitive data on that repo, so kindly check the repo all together. Sensitive data found publicly. Platforms Affected: website Steps To Reproduce: 1. visit the link...

AI score 0.5, Exploits: 0
Hacker One, added 2020/06/11 7:34 p.m., 200 views

GitHub Security Lab: CodeQL query for SpEL injections

This bug was reported directly to GitHub Security Lab...

AI score 1.2, Exploits: 0
Hacker One, added 2020/01/23 5:07 a.m., 200 views

h1-ctf: [h1-415 2020] Spent a week and failed at solving the last step.

Summary: I found something interesting with Headless chrome debugging in the last step, I am sure I am going to solve this after trying very hard for about a week, I don't know when this CTF is going to end, that's why I am submitting a summary of how to solve this so that I can write the full...

AI score 7, Exploits: 0
Hacker One, added 2017/10/09 5:46 p.m., 200 views

Starbucks: Subdomain takeover on developer.openapi.starbucks.com

Hi team, Summary: Subdomain developer.openapi.starbucks.com is vulnerable to subdomain takeover via the Mashery service. The reason why it worked is unfortunately not fully clear to me. Details: Doing my recent research on starbucks.com subdomains, I stumbled upon http://developer.openapi.starbucks.co...

AI score 6.9, Exploits: 0
Hacker One, added 2021/05/14 6:14 a.m., 199 views

8x8: Subdomain takeover of ████.jitsi.net

Summary █████.jitsi.net points to an AWS EC2 instance at 18.195.93.116 that no longer exists. I was able to take control of this IP address and run my own EC2 instance. I can now serve content on this domain, obtain a TLS certificate for this domain, etc. If any customers or servers are pointing ...

AI score 1.2, Exploits: 0
Hacker One, added 2017/09/09 10:07 a.m., 199 views

Pornhub: Unsecured Elasticsearch Instance

The researcher has found an insecure Elasticsearch instance accessible to the public. A publicly accessible server running Elasticsearch instance was identified, due to a firewall misconfiguration. The instance was only intermittently accessible because of round robin ordering. The instance...

AI score 0.4, Exploits: 0
Hacker One, added 2025/06/06 11:16 a.m., 198 views

Lichess: Path Traversal Vulnerability in Lila Project

A path traversal vulnerability was discovered in the Lila project that allowed an attacker to access arbitrary files on the server by manipulating user-supplied input to traverse outside the intended directory structure...

AI score 7.1, Exploits: 0
Hacker One, added 2021/05/13 11:37 p.m., 198 views

Sifchain: Path Transversal inside saveContracts.js

Reference: https://portswigger.net/web-security/file-path-traversal Directory traversal also known as file path traversal is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data,...

AI score 7.1, Exploits: 0

Total number of security vulnerabilities: 5000