Lucene search
K
HackeroneMost viewed

15372 matches found

Hacker One
Hacker One
added 2020/04/28 7:47 a.m.186 views

HackerOne: Attacker with an Old account might still be able to DoS ctf.hacker101.com by sending a Crafted request

Summary: by sending a crafted request on ctf.hacker101.com a very long delay with a response of error 502 has been observed I suspect that if I made this request on multiple tabs on my browser concurrently, it may cause ctf.hacker101.com to crash thats why I haven't tried it. Description: By...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2019/02/06 5:55 a.m.186 views

Brave Software: DMARC RECORD MISSING

VULNERABILITY TYPE- DMARC RECORD MISSING. HOW TO REPRODUCEPOC-ATTACHED IMAGE:- 1.GO TO- https://mxtoolbox.com 2.ENTER THE WEBSITEbrave.org.CLICK GO. 3.YOU WILL SEE THE FAULTNo DMARC Record found 4.In the new page that loads change MXLookup to DMARCLookup I HAVE ALREADY INFORMEDD THEM.THEY TOLD TO...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2018/07/11 12:51 a.m.186 views

Roblox: Reflected XSS through multiple inputs in the issue collector on Jira

Note I put this as Medium because that's what the CVE is. This vulnerability is known and it's classified under CVE-2018-5230. Here's a link to the thread on it by Atlassian: https://jira.atlassian.com/browse/JRASERVER-67289 Description --------------------- I noticed when testing that your Jira...

4.3CVSS6.6AI score0.37611EPSS
Exploits0
Hacker One
Hacker One
added 2018/02/14 1:31 a.m.186 views

Mail.ru: blind XXE in autodiscover parser

Как воспроизвести: 1 Закинуть на сервер атакующего xml должен быть доступен на сервере атакующего по адресу /autodiscover/autodiscover.xml: Я сделал такой ответ при запросе любой xml'ки: obmhld.com/autodiscover/autodiscover.xml email settings SMTP 52.34.103.214 1191 off [email protected] yandex....

6.8AI score
Exploits0
Hacker One
Hacker One
added 2021/07/01 10:51 p.m.185 views

Kubernetes: Authenticated kubernetes principal with restricted permissions can retrieve ingress-nginx serviceaccount token and secrets across all namespaces

Summary: Retrieving ingress-nginx serviceaccount token ingress-nginx allows adding custom snippets of nginx configuration to Kubernetes ingress objects. These snippets can be applied to either the relevant location or server blocks with the following annotations, respectively...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2018/09/17 3:49 p.m.185 views

Mail.ru: [sj.my.com] Source Code Disclosure /.svn/wc.db

Available SVN files for sj.my.com led to source code disclosure. sj.my.com is not currently covered by Bug Bounty program...

1.2AI score
Exploits0
Hacker One
Hacker One
added 2018/07/02 1:44 p.m.185 views

Semrush: Post Based XSS On Upload Via CK Editor [semrush.com]

Summary: XSS Via Post Method When Upload via CKEditor Description: This XSS is execute by error message when upload some image on https://www.semrush.com/my-posts/api/image/upload/?CKEditor=text&CKEditorFuncNum=0&langCode=en Browsers Verified In: Firefox Steps To Reproduce: - This is POST based...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2018/02/14 7:15 p.m.185 views

Starbucks: Open Redirect on /account/signin?ReturnUrl

The attacker can redirect the victim just after the authentication. Open redirect on Login page: https://www.starbucks.com/account/signin?ReturnUrl= Steps to reproduce Go to Login Page. https://www.starbucks.com/account/signin?ReturnUrl=%2faccount%2fHome The paramter: ReturnUrl can be modified as...

1.2AI score
Exploits0
Hacker One
Hacker One
added 2018/01/23 12:47 p.m.185 views

Node.js third-party modules: [html-janitor] Bypassing sanitization using DOM clobbering

Module: Name: html-janitor Version: 2.0.2 Summary: Arbitrary HTML can pass the sanitization process, which can be unexpected and dangerous XSS in case user-controlled input is passed to the clean function. Description: Proof of concept: javascript var myJanitor = new HTMLJanitortags:p:; var...

4.3CVSS5.8AI score0.01038EPSS
Exploits0
Hacker One
Hacker One
added 2021/03/10 11:6 p.m.184 views

GitHub Security Lab: [Java] CWE-598: Use of GET Request Method with Sensitive Query Strings

This bug was reported directly to GitHub Security Lab...

1.2AI score
Exploits0
Hacker One
Hacker One
added 2020/03/02 12:18 p.m.184 views

Visma Bug Bounty Program: Stored XSS when uploading files to an invoice

I've found a stored XSS from the fileupload. The parameter fileID is vulnerable and will be stored to the page. Steps To Reproduce Login Navigate to one of your invoices Upload some file and intercept the traffic Once you see the JSON payload like this "id":"abcabccabcabc","name":"file-name" modi...

1.1AI score
Exploits0
Hacker One
Hacker One
added 2020/02/21 4:48 a.m.184 views

Alibaba BBP: SSRF / Arbitrary File Read on Alibaba Cloud Academy

Summary: Alibaba Cloud Academy certificate download function is vulnerable with SSRF bug. It can also read arbitrary file on the server. Steps To Reproduce: - Login to your https://edu.alibabacloud.com/ account - Click the url to Ping external...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2019/12/20 7:5 p.m.184 views

HackerOne: How the Bug stole hacking

In light of the season - here's a story I wrote for you: Every hacker down in Hackerone liked hacking alot, But the Bug who lived down in the source code, did not! The Bug hating hacking! The whole Bug-hunt season! Now please don’t ask why. No one quite knows the reason. It could be perhaps, that...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2019/10/17 11:14 a.m.184 views

Starbucks: JumpCloud API Key leaked via Open Github Repository.

Summary: Open Github Repo Leaking Starbucks JumbCloud API Key Description: Team, While going through Github search I discovered a public repository which contains Jumbcloud API Key of Starbucks. Repo: https://github.com/██████████/Project. File:...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2020/06/09 9:2 p.m.183 views

GitHub Security Lab: CodeQL query for MVEL injections

This bug was reported directly to GitHub Security Lab...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2020/04/04 7:29 a.m.183 views

Internet Bug Bounty: Use of uninitialized value in ftp_getrc_msg method of mod_proxy_ftp.c

This is a Security Bug Report for modproxyftp. This bug is present in ftpgetrcmsg method of modules/proxy/modproxyftp.c file. This is the line which causes this bug. c ... mb = aprcpystrnmb, response + 4, me - mb; ... If ftp server returns a response like "\r\n", which has 3 characters with...

5CVSS6.8AI score0.51951EPSS
Exploits0
Hacker One
Hacker One
added 2018/08/28 6:36 p.m.183 views

Grab: [Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure

A deeplink feature was found missing validation that led to sensitive information disclosure. Once triggered, the deeplink would direct users to load any attacker-controlled URL within a webview. The impact was further escalated as the webview contain sensitive information. A temporary patch was...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2023/02/03 7:36 a.m.182 views

U.S. Dept Of Defense: Splunk Sensitive Information Disclosure @████████

A vulnerability in Splunk through version 7.0.1 allowed for information disclosure by appending a specific query to a URL, which could result in the exposure of sensitive information, such as license keys...

5.3CVSS4.9AI score0.98371EPSS
Exploits7
Hacker One
Hacker One
added 2019/12/05 10:21 a.m.182 views

Nord Security: Version problem in wordpress leads to the many vulnearability

Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting XSS Reference: https://wpvulndb.com/vulnerabilities/9230 Reference: https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b Reference:...

7.5CVSS6.4AI score0.4375EPSS
Exploits8
Hacker One
Hacker One
added 2019/10/14 11:2 p.m.182 views

curl: curl on Windows can be forced to execute code via OpenSSL environment variables

Preface: While I have an interest in security, I am not a professional security researcher, so please be forgiving of any lack of convention in this submission. The intent is to help improve security of the OpenSSL and curl projects, their consumers and end users. I will be sending this same...

4.4CVSS0.6AI score0.00717EPSS
Exploits0
Hacker One
Hacker One
added 2019/01/08 9:59 a.m.182 views

Nextcloud: Password authentication at newsletter.nextcloud.com discloses username list

summary: A vulnerability classified as problematic has been found in OpenSSH 7.2p2. check INFO.pngAffected is an unknown function of the component Authentication. The manipulation of the argument Password with an unknown input leads to a information disclosure vulnerability Username. CWE is...

4.3CVSS0.88944EPSS
Exploits12
Hacker One
Hacker One
added 2018/12/20 3:15 p.m.182 views

U.S. Dept Of Defense: [██████] Cross-origin resource sharing misconfiguration (CORS)

Hi! In this report I want to describe High level bug which can seriously compromise a user account. If I am authorize on this site, I can steal user's sessions, some personal information or do some action. Steps for reproduce 1 Send this request GET...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2015/03/11 4:42 a.m.182 views

Whisper: CVE-2014-0224 openssl ccs vulnerability

your site is vulnerable to CVE-2014-0224 OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL...

5.8CVSS7.4AI score0.95326EPSS
Exploits9
Hacker One
Hacker One
added 2022/07/15 9:28 a.m.181 views

GitLab: Found Origin IP's lead to access to gitlab

@m-narayanan disclosed a known Origin IP / CloudFlare bypass issue, remediation for which was and is being tracked at https://gitlab.com/gitlab-com/gl-infra/reliability/-/issues/9945 The requested disclosure, then later requested it to be made private again...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2020/08/19 11:44 p.m.181 views

Solana BBP: Heap memory can be accessible through metrics.solana.com

Summary: Heap memory can be accessable due to misconfiguration in one of the sub-domains. While doing recon i ended up downloading heap memory file. Steps To Reproduce: 1.Open https://metrics.solana.com:8086/debug/pprof/heap 2. now you can see heap memory accessible through it Supporting...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2020/06/19 2:3 a.m.181 views

RATELIMITED: Source code disclosure at ███

Summary: Source code disclosure at ███████ Steps To Reproduce: POC: link download source code: ███████ Supporting Material/References: █████ ███████ Impact Source Code Disclosure Sensitive Information Disclosure...

0.6AI score
Exploits0
Hacker One
Hacker One
added 2020/05/22 9:24 p.m.181 views

Nutanix: AWS S3 bucket writeable for authenticated AWS users

S3 bucket permissions were not configured correctly, allowing any authenticated AWS user to delete and write files. Nutanix didn't properly configure one of their S3 buckets permissions and inadvertently allowed any authenticated AWS user to delete and write files. An attacker could post a...

2.9AI score
Exploits0
Hacker One
Hacker One
added 2018/12/04 11:34 p.m.181 views

Snapchat: Exposed Kubernetes API - RCE/Exposed Creds

@txt3rob found one of Snaps internal Kubernetes instances exposing an API endpoint without authorization to the public. With access to this API he was able to run arbitrary code/jobs as a cluster-admin and gained access to credentials with internal access to a significant number of instances...

2.8AI score
Exploits0
Hacker One
Hacker One
added 2018/07/26 9:5 a.m.181 views

MyEtherWallet: Development configuration file https://myetherwallet.com/

Vulnerability description A configuration file e.g. Vagrantfile, Gemfile, Rakefile, ... was found in this directory. This file may expose sensitive information that could help a malicious user to prepare more advanced attacks. It's recommended to remove or restrict access to this type of files fr...

6.5AI score
Exploits0
Hacker One
Hacker One
added 2015/11/17 5:15 p.m.181 views

Coinbase: Transactions visible on Unconfirmed devices

Pusher authentication did not take device confirmation into account. This would allow an attacker with a valid session but an unconfirmed device to snoop on pusher updates like incoming transactions. This issue was in the coinbase event notification Pusher, which allowed me to read notification o...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2022/11/08 11:12 a.m.180 views

AMBER AI: Support Portal Takeover via Leaked API KEY

Thanks @khizer47 for the report. Insecure zendesk API token hardcoded in JS file, causing Support portals to lose control of administrator rights. We removed dangerous token and controlled permissions by using more secure OAuth token. An API key & associated Email was Hardcoded into a JS file...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2021/05/12 6:22 p.m.180 views

Sifchain: No Valid SPF Records/don't have DMARC record

Hiii, There is any issue No valid SPF Records on https://sifchain.finance/ Desciprition : There is a email spoofing vulnerability.Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing ...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2020/06/04 8:41 p.m.180 views

GitHub Security Lab: CPP: Missing/incomplete TLS server certificate hostname validation

This bug was reported directly to GitHub Security Lab...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2018/07/24 6:11 a.m.180 views

Chaturbate: CSV Injection with the CSV export feature

Hi there, hope you are well, The "Download as a CSV" feature of does not properly "escape" fields. So that particular field is vulnerable to CSV injection. Steps of POC Step 1 : Go to any chat room and donate any token to some and in note insert =4+4. Step 2 : Now go to on this link and download...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2017/11/03 11:32 p.m.180 views

HackerOne: Blind SSRF in "Integrations" by abusing a bug in Ruby's native resolver.

Summary HackerOne allows bug bounty programs to integrate their reports queue with issue tracking tools such as Jira and Phabricator. By abusing a bug that I discovered in Ruby's native resolver, I am able to bypass the SSRF filter and could potentially scan your internal network. Vulnerability...

6.8CVSS7.7AI score0.02415EPSS
Exploits0
Hacker One
Hacker One
added 2017/07/08 9:23 a.m.180 views

Zomato: Bypass OTP verification when placing Order

Description Attacker was able to bypass the OTP verification needed while placing an order with a restaurant...

1.8AI score
Exploits0
Hacker One
Hacker One
added 2023/08/29 1:45 a.m.179 views

U.S. Dept Of Defense: [██████] Reflected XSS via Keycloak on ██████

A cross-site scripting XSS vulnerability was discovered in Keycloak 8.0 and earlier versions. This vulnerability allowed an attacker to execute arbitrary script and potentially steal authentication credentials. The vulnerability was due to a lack of input validation, which allowed an attacker to...

6.3AI score
Exploits0
Hacker One
Hacker One
added 2023/01/08 4:22 p.m.179 views

HackerOne: HackerOne Undisclosed Report Leak via PoC of Full Disclosure on Hacktivity

Sensitive report data, including report title, severity, program, and report ID, was leaked due to a mistake by a researcher and HackerOne. The leak occurred when HackerOne disclosed a report but did not redact the video proof of concept, which contained undisclosed reports reported by the...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2021/03/05 9:25 p.m.179 views

GitHub Security Lab: Java: Query for detecting JEXL injections

This bug was reported directly to GitHub Security Lab...

1.1AI score
Exploits0
Hacker One
Hacker One
added 2020/03/21 6:12 a.m.179 views

Qulture.Rocks: Server Name disclosure

Hi, I found a Server Name disclosure Cowboy in the your web server's HTTP response! This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the Server! Request with Burp: GET / HTTP/1.1 Host: qa.qulture.rocks...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2014/04/07 10:5 p.m.179 views

Khan Academy: https://www.khanacademy.org/login open-redirect

Hi, I found a bypass in the redirects : https://www.khanacademy.org/login?continue=http://www.olivierbeg.nl won't work. https://www.khanacademy.org/login?continue=http:/www.olivierbeg.nl will work :- Best regards, Olivier Beg...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2025/07/13 8:12 p.m.179 views

8x8: █.8x8.vc/index.js: Exposed Google Maps API Key Allowing Potential Abuse of Paid Services

The Google Maps API key was inadvertently exposed in client-side code, allowing potential unauthorized access to some Google Maps services. The issue was promptly addressed by implementing appropriate API key restrictions where feasible...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2024/01/19 6:9 p.m.178 views

Internet Bug Bounty: CVE-2024-21733 Apache Tomcat HTTP Request Smuggling (Client- Side Desync) (CWE: 444)

SECURITY CVE-2024-21733 Apache Tomcat - Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0-M11 to 9.0.43 Apache Tomcat 8.5.7 to 8.5.63 Description: Incomplete POST requests triggered an error response that could contain data fr...

5.3CVSS5.8AI score0.14286EPSS
Exploits3
Hacker One
Hacker One
added 2015/03/05 4:18 p.m.178 views

Internet Bug Bounty: FREAK: Factoring RSA_EXPORT Keys to Impersonate TLS Servers

Many TLS servers, including those hosting sensitive websites such as www.nsa.gov and connect.facebook.net, support weak EXPORTRSA ciphersuites. By factoring their 512-bit ephemeral RSA keys, a network attacker is able to impersonate these websites to web browsers and more generally, to client...

4.3CVSS6.2AI score0.98685EPSS
Exploits0
Hacker One
Hacker One
added 2015/02/03 12:0 a.m.178 views

Internet Bug Bounty: Use After Free Vulnerability in unserialize()

Use After Free Vulnerability in unserialize Taoguang Chen - Write Date: 2015.2.3 - Release Date: 2015.3.20 A use-after-free vulnerability was discovered in unserialize with a specially defined object's wakeup magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary...

7.5CVSS8.5AI score0.12303EPSS
Exploits5
Hacker One
Hacker One
added 2014/04/05 11:51 p.m.178 views

Internet Bug Bounty: TLS heartbeat read overrun

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. Thanks for Neel Mehta of Google Security for discovering th...

5CVSS7.6AI score0.99999EPSS
Exploits87
Hacker One
Hacker One
added 2023/05/10 11:36 p.m.177 views

U.S. Dept Of Defense: CVE-2023-29489 XSS in cpanel at [www.███] - Securado, Oman

A cross-site scripting XSS vulnerability was found on the cpanel application hosted on a website. The vulnerability allowed an attacker to steal cookies or hijack a browser session. The cpanel was not updated due to the disabled auto-update feature. The vulnerability was mitigated by enabling the...

6.1CVSS5.4AI score0.65533EPSS
Exploits7
Hacker One
Hacker One
added 2023/04/19 1:43 p.m.177 views

curl: CVE-2023-28322: more POST-after-PUT confusion

A vulnerability existed in libcurl that allowed an attacker to inject unintended data or cause a segfault by confusing the POST and PUT methods. The previous fix for this vulnerability was insufficient as it only corrected the CURLOPTPOST option, which is not always used when sending data with th...

9.8CVSS7.3AI score0.04325EPSS
Exploits2
Hacker One
Hacker One
added 2022/07/05 10:31 a.m.177 views

GitHub: Delimiter injection in GitHub Actions core.exportVariable

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values t...

4CVSS5.2AI score0.00559EPSS
Exploits0
Hacker One
Hacker One
added 2022/06/10 6:54 a.m.177 views

Nextcloud: Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate

Summary: Call to registerReceiver misses the broadcastPermission argument - no permissions will be checked for the broadcaster, which allows a malicious application to communicate with the broadcast receiver. Supporting Material/References: Screenshot Snyk report references to fixes in other repo...

6.8CVSS0.8AI score0.0083EPSS
Exploits0
Total number of security vulnerabilities5000