HackerOne reports, sorted by most viewed

15368 matches found

Hacker One | added 2020/06/09 9:02 p.m. | 176 views

GitHub Security Lab: CodeQL query for unsafe TLS versions

This bug was reported directly to GitHub Security Lab...

AI score 2.3 | Exploits 0
Hacker One | added 2020/03/04 2:20 p.m. | 176 views

MTN Group: Remote OS Command Execution on Oracle Weblogic server via [CVE-2017-3506]

Summary: Hello. I was able to identify an RCE vulnerability due to the outdated Oracle Weblogic instance on https://raebilling.mtn.co.za. Steps To Reproduce: To reproduce, try this request with BurpSuite. This request to https://raebilling.mtn.co.za/wls-wsat/RegistrationRequesterPortType will trigg...

CVSS 5.8 | AI score 1.1 | EPSS 0.96015 | Exploits 9
Hacker One | added 2020/01/11 3:52 a.m. | 176 views

DRIVE.NET, Inc.: Same site Scripting

Same site scripting: I have found an error of some misconfigured DNS in a subdomain of yours which causes same site scripting. PoC: 1. Open a terminal and type ping localhost.drive2.ru. You would see that it resolves back to 127.0.0.1. A screenshot has been attached. Impact: This may cause security issu...

AI score 6.8 | Exploits 0
Hacker One | added 2017/08/26 12:36 p.m. | 176 views

Legal Robot: Email Length Verification

Hi Team, hope you are good. I found your website app.legalrobot.com vulnerable to this vulnerability. Bug: Improper authentication - generic. Description: Don't know much about the websites, how they store email addresses. Email addresses are stored as VARCHAR(128), but here your website legalrobot...

AI score 6.9 | Exploits 0
Hacker One | added 2022/07/19 11:39 a.m. | 175 views

8x8: LFI via Jolokia at https://█.█.█.█:1293

@shuvam321 reported to us a single exposed host in the acceptance environment. The report demonstrated a Local File Inclusion via Jolokia, e.g.: https://█.█.█.█:1293/actuator/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/hostname No sensitive information has...

AI score 0.6 | Exploits 0
Hacker One | added 2022/06/10 6:54 a.m. | 175 views

Nextcloud: Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate

Summary: Call to registerReceiver misses the broadcastPermission argument - no permissions will be checked for the broadcaster, which allows a malicious application to communicate with the broadcast receiver. Supporting Material/References: Screenshot; Snyk report; references to fixes in other repo...

CVSS 6.8 | AI score 0.8 | EPSS 0.0083 | Exploits 0
Hacker One | added 2020/11/19 5:34 a.m. | 175 views

Omise: assets/vendor.js file exposing sentry.io token and DNS and application id.

Information Disclosure in javascript file...

AI score 0.8 | Exploits 0
Hacker One | added 2020/07/10 4:04 a.m. | 175 views

U.S. Dept Of Defense: SharePoint Web Services Exposed to Anonymous Access

Summary: Any unauthenticated/anonymous users are able to access the SharePoint Web Services .wsdl files for the ██████████ website. Description: The SharePoint installation for this particular site allows any user to access the spdisco.aspx on the web server which discloses the location of all...

AI score 4.1 | Exploits 0
Hacker One | added 2020/03/19 9:22 a.m. | 175 views

Myndr: Reflected XSS in https://blocked.myndr.net

Summary: Reflected XSS in Domain https://blocked.myndr.net Steps To Reproduce: 1. Go to https://blocked.myndr.net. 2. Find the endpoint in the domain - https://blocked.myndr.net/?trg=1 3. Add the payload ?trg="alert1 4. You can see the pop up in your browser. Impact: With the help of XSS, a...

AI score 0.8 | Exploits 0
Hacker One | added 2017/06/20 8:36 a.m. | 175 views

Internet Bug Bounty: ap_find_token() Buffer Overread

Versions Affected: httpd 2.2.32, httpd 2.4.24, unreleased httpd 2.4.25. Description: The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request...

CVSS 5 | AI score 8.4 | EPSS 0.57472 | Exploits 1
Hacker One | added 2016/04/04 2:56 a.m. | 175 views

HackerOne: AWS S3 bucket writeable for authenticated aws users

Hi All, I know that hackerone-attachments is used for file uploads on reports and so I did a quick scan for similar buckets and found . While I can't confirm if you own it or not, it appears that it is publicly writable using the aws cli. When I tried to write to hackerone-attachments, I get: "mo...

AI score 1.6 | Exploits 0
Hacker One | added 2014/05/26 5:00 a.m. | 175 views

Sandbox Escape: Linux PI futex self-requeue bug

I hope I haven't messed something up... The issue exists when, after blocking in futex_wait_requeue_pi, q.rt_waiter is NULL but &rt_waiter on the stack has been added to various waiter lists by rt_mutex_start_proxy_lock. This is not supposed to be possible, because setting rt_waiter to NULL indicates atomic...

CVSS 7.2 | AI score 0.6 | EPSS 0.37233 | Exploits 15
Hacker One | added 2022/12/21 12:50 p.m. | 174 views

U.S. Dept Of Defense: reflected xss in www.████████.gov

A reflected XSS vulnerability was discovered in a government website, allowing an attacker to execute malicious scripts on a victim's browser. The vulnerability could lead to cookie stealing, arbitrary requests, malware download, and defacement of the website. The vulnerability was triggered by...

AI score 6.4 | Exploits 0
Hacker One | added 2022/12/20 5:19 p.m. | 174 views

Reddit: CVE-2020-11022

Vulnerability description not provided...

CVSS 6.9 | AI score 7.2 | EPSS 0.99019 | Exploits 7
Hacker One | added 2020/07/23 2:13 p.m. | 174 views

lemlist: CVE-2019-19935 - DOM based XSS in the froala editor

Summary: A stored XSS flaw exists in the froala editor used in the web application. This can be triggered by using the code view of the editor. Steps To Reproduce: 1. Start a new campaign 2. Fill all the fields and choose blank email template for the message 3. Switch to code editor view and inject "...

CVSS 4.3 | AI score 6 | EPSS 0.01847 | Exploits 3
Hacker One | added 2020/03/18 11:53 p.m. | 174 views

Internet Bug Bounty: Cache Manager ACL Bypass

Summary: ACL Manager can be bypassed, giving non-authorized users access to squid-internal-mgr. Possible to bypass other urlregex, but only focused on manager. With the hostname of the server running squid: echo -e "GET https://jeriko.one%252f@:3128/squid-internal-mgr/active_requests HTTP/1.1\r\n\r\n" | nc...

CVSS 7.5 | AI score 9.6 | EPSS 0.04151 | Exploits 0
Hacker One | added 2018/06/05 5:29 a.m. | 174 views

Mail.ru: DNS Misconfiguration

Your localhost.mail.ru has address 127.0.0.1 and this may lead to "Same-Site" Scripting. Here is a detailed description of this minor security issue by Tavis Ormandy: http://www.securityfocus.com/archive/1/486606/30/0/threaded I can also ping the localhost network from mail.ru, as in the image...

AI score 7.1 | Exploits 0
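The DRIVE.NET entry above (localhost.drive2.ru) and this Mail.ru one describe the same misconfiguration: a name under the organisation's own domain resolves to 127.0.0.1, so a service listening on a visitor's loopback interface can be reached under that domain, with the domain's cookies and same-site relaxations in play. The check below is an added example written for this page, not code from either report or from Tavis Ormandy's write-up. It resolves the usual candidate labels under a domain and flags any loopback answer; the resolver is injectable so the logic can run against canned answers, and the example.test zone used in the usage note is a constructed assumption.

```python
import ipaddress
import socket
import sys
from typing import Callable, Dict, Iterable, List

# Labels worth checking under a domain; both reports above tripped on "localhost".
CANDIDATE_LABELS = ("localhost", "localhost.localdomain", "loopback")

Resolver = Callable[[str], Iterable[str]]


def resolve_with_system_dns(hostname: str) -> List[str]:
    """Every A/AAAA address the system resolver returns for hostname ([] if it does not resolve)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def loopback_answers(hostname: str, resolver: Resolver = resolve_with_system_dns) -> List[str]:
    """Subset of hostname's addresses that are loopback (127.0.0.0/8 or ::1)."""
    hits = []
    for addr in resolver(hostname):
        try:
            if ipaddress.ip_address(addr).is_loopback:
                hits.append(addr)
        except ValueError:  # resolver handed back something that is not an IP literal; skip it
            continue
    return hits


def find_same_site_scripting_candidates(
    domain: str, resolver: Resolver = resolve_with_system_dns
) -> Dict[str, List[str]]:
    """Map each candidate hostname under domain that resolves to loopback to its loopback addresses."""
    findings: Dict[str, List[str]] = {}
    for label in CANDIDATE_LABELS:
        host = f"{label}.{domain}"
        hits = loopback_answers(host, resolver)
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    # Usage: python same_site_check.py example.test   (domain name is an assumption for illustration)
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.test"
    for host, addrs in find_same_site_scripting_candidates(domain).items():
        print(f"{host} -> {', '.join(addrs)}  (same-site scripting candidate)")
```

The system resolver is used here for convenience; an authoritative check (querying the zone's own nameservers) avoids false negatives from local hosts files or split-horizon DNS. Fix on the DNS side is simply to remove the record: nothing under a production domain should answer with a loopback address.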
Hacker One | added 2018/03/03 7:07 p.m. | 174 views

Node.js third-party modules: `http-proxy-agent` passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak

I would like to report a Buffer allocation vulnerability in http-proxy-agent. In setups where the auth argument is user-controlled, it allows to: cause Denial of Service by trivially consuming all the available CPU resources; extract uninitialized memory chunks from the server on Node.js. This module...

AI score 6.5 | Exploits 0
Hacker One | added 2017/08/08 11:03 p.m. | 174 views

Snapchat: RCE/LFI on test Jenkins instance due to improper authentication flow

@nahamsec found a test Jenkins instance where they could login with any valid Google account. Once logged in, they gained the ability to execute arbitrary code via the Jenkins Script Console. This was a test jenkins instance with no access to source code or resources. Methodology: Here is the...

AI score 0.7 | Exploits 0
Hacker One | added 2015/06/23 6:01 p.m. | 174 views

Pornhub: Publicly exposed SVN repository, ht.pornhub.com

After I found the subversion repository I visited the following location https://netreact.eu/hubtraffic I could see the usernames in the repo and the following weak credentials gave me access: stefan:123456 An attacker can commit code to this location which could be mirrored on the main site and...

AI score 7.8 | Exploits 0
Hacker One | added 2023/03/20 3:29 p.m. | 173 views

Internet Bug Bounty: CVE-2023-27537: HSTS double-free

A double-free vulnerability was discovered in libcurl's support for sharing HSTS data between separate handles, which could result in a use-after-free or double-free when two threads share the same HSTS data without proper mutexes or thread locks...

CVSS 5.9 | AI score 6.7 | EPSS 0.01856 | Exploits 1
Hacker One | added 2020/05/04 3:44 p.m. | 172 views

Nord Security: Incorrect control of the trial period

The report by @corryl identified an issue with service expire time validation. A user was able to bypass the subscription period validation checks which in turn allowed a user to use our service for free for a certain time...

AI score 6.9 | Exploits 0
Hacker One | added 2018/12/04 11:34 p.m. | 172 views

Snapchat: Exposed Kubernetes API - RCE/Exposed Creds

@txt3rob found one of Snap's internal Kubernetes instances exposing an API endpoint without authorization to the public. With access to this API he was able to run arbitrary code/jobs as a cluster-admin and gained access to credentials with internal access to a significant number of instances...

AI score 2.8 | Exploits 0
Hacker One | added 2017/03/13 1:22 p.m. | 172 views

U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website

A remote code execution (RCE) vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. @0daystolive and @dly were able to demonstrate this vulnerability by developing a custom script that caused the webserver to execute a benign...

CVSS 10 | AI score 2.7 | EPSS 0.99999 | Exploits 44
Hacker One | added 2023/02/21 11:13 a.m. | 171 views

Tor: Snowflake server: Leak of TLS packets from other clients

TLS packets from other clients were leaked to Snowflake clients due to a vulnerability in the Snowflake pluggable transport server. This issue allowed Snowflake clients to receive "ghost" packets at the KCP layer, containing TLS packets unrelated to the current session. The leaked packets include...

AI score 6.9 | Exploits 0
Hacker One | added 2022/08/16 3:02 p.m. | 171 views

Internet Bug Bounty: CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag

Apache Airflow Docker's Provider shipped with an example DAG that was vulnerable to authenticated remote code exploit of code on the Airflow worker host. Vulnerability summary: In DAG script of airflow 2.3.3, there is a command injection vulnerability RCE in the script example_docker_copy_data.py of...

CVSS 6.5 | AI score 9.3 | EPSS 0.01602 | Exploits 0
Hacker One | added 2021/08/02 5:42 p.m. | 171 views

GitHub Security Lab: [Java] CWE-601: Add Spring URL Redirect ResponseEntity sink

This bug was reported directly to GitHub Security Lab...

AI score 0.8 | Exploits 0
Hacker One | added 2021/03/06 5:33 p.m. | 171 views

U.S. General Services Administration: PHP info page disclosure

phpinfo is a debug functionality that prints out detailed information on both the system and the PHP configuration. Step to reproduce: Go here: https://mysmartplans.gsa.gov/phpinfo.php An attacker can obtain information such as: Exact PHP version. Exact OS and its version. Details of the PHP...

AI score 1.1 | Exploits 0
Hacker One | added 2020/12/03 11:02 a.m. | 171 views

curl: Abusing URL Parsers by long schema name

Summary: There is a known technique to exploit inconsistency of URL parser and URL requester logic to perform Server Side Request Forgery attack. Firstly it was presented by Orange Tsai at A New Era Of SSRF Exploiting URL Parser. Firstly I found the familiar issue at old versions of curl, but explo...

AI score 0.3 | Exploits 0
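The Squid cache-manager entry above sends `https://jeriko.one%252f@:3128/squid-internal-mgr/active_requests`, a URL whose authority carries userinfo and a double-encoded slash so that different components disagree about what the host is, and this curl entry cites Orange Tsai's work on the same parser-inconsistency class of SSRF. The defensive side of both is the same: refuse any URL that can be read two ways before it reaches a requester or an ACL matcher. The check below is an added example written for this page, not code from either report, from Squid or from curl. It uses Python's urllib as the reference parser; the allow-list of schemes and the host character set are assumptions for a typical outbound-fetch use case.

```python
import re
from typing import List
from urllib.parse import unquote, urlsplit, urlunsplit

# Assumption: the caller only ever needs plain web URLs. Any other scheme, including a long or
# unusual one, is refused before the requester gets to interpret it.
ALLOWED_SCHEMES = {"http", "https"}
# urlsplit() lower-cases the host and strips IPv6 brackets; anything outside this set is suspicious.
HOST_CHARS = re.compile(r"[a-z0-9.\-:]+")


def url_problems(url: str) -> List[str]:
    """Every reason to refuse url before handing it to a requester or an ACL matcher ([] means clean)."""
    problems: List[str] = []
    # Checked on the raw string: urlsplit() silently strips some of these characters itself.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        problems.append("control or whitespace character")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        problems.append("scheme not allowed")
    # Userinfo is the classic way to make one parser see "jeriko.one..." as the host and another see ":3128".
    if "@" in parts.netloc:
        problems.append("userinfo present")
    # Percent-encoding has no business in an authority; it only exists to confuse decode-then-parse code.
    if "%" in parts.netloc:
        problems.append("percent-encoding in authority")
    if not parts.hostname:
        problems.append("empty host")
    elif not HOST_CHARS.fullmatch(parts.hostname):
        problems.append("unexpected character in host")
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        problems.append("invalid port")
    # %252f decodes to %2f and then to "/": a second decode stage downstream would see a different URL.
    if unquote(unquote(url)) != unquote(url):
        problems.append("double percent-encoding")
    # If re-serialising changes the string, two parsers are already disagreeing about its structure.
    if urlunsplit(parts) != url:
        problems.append("not in canonical form")
    return problems


def is_safe_outbound_url(url: str) -> bool:
    """Allow-list gate for outbound requests: only a URL with no findings at all is passed on."""
    return url_problems(url) == []
```

Returning the full list of findings rather than a bare boolean is deliberate: in an SSRF or ACL-bypass investigation the reasons are what you log and alert on, and a URL that trips several of them at once (as the Squid payload does) is a much stronger signal than any single rule.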
Hacker One | added 2020/03/02 11:38 p.m. | 171 views

Visma Bug Bounty Program: [IDOR] Ability to View/Delete/Edit (Forward to attachment archive) Email of other user if GUID is known.

Insecure Direct Object Reference (IDOR) vulnerability is discovered via a certain endpoint and the application exposes a reference to an internal implementation object which allows the attacker to perform unauthorized actions...

AI score 3.4 | Exploits 0
Hacker One | added 2019/09/13 7:31 p.m. | 171 views

Lob: HTTP Request Smuggling on vpn.lob.com

Hi, vpn.lob.com is vulnerable to a CL.TE HTTP request smuggling attack (front-end server uses Content-Length, back-end server uses Transfer-Encoding). Steps to reproduce: 1. Run the Burp Suite Turbo Intruder on the following request: POST /auth/session HTTP/1.1 Host: vpn.lob.com User-Agent: Mozilla/5...

AI score 6.9 | Exploits 0
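The report above describes the CL.TE case: the front end frames the request by Content-Length and forwards everything it covers, the back end frames it by Transfer-Encoding: chunked and stops earlier, so the leftover bytes become the start of the next request on that back-end connection. The code below is an added example written for this page, not the reporter's Turbo Intruder script and not anything from Lob. It computes both framings over a constructed request (the host vpn.example.test and the byte layout are assumptions modelled on the classic CL.TE probe) so you can see exactly which bytes get smuggled, and it ends with the front-end rule that closes the hole.

```python
from typing import Dict, Tuple

CRLF = b"\r\n"

# Constructed sample. Content-Length: 6 covers "0\r\n\r\nG" (six bytes), while a chunked parser
# stops after the zero-length chunk and leaves the trailing "G" for the next request on the socket.
CL_TE_SAMPLE = (
    b"POST /auth/session HTTP/1.1\r\n"
    b"Host: vpn.example.test\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"G"
)


def parse_head(raw: bytes) -> Tuple[bytes, Dict[str, str], int]:
    """Return (request line, lower-cased header map, offset of the first body byte)."""
    end = raw.find(CRLF + CRLF)
    if end < 0:
        raise ValueError("incomplete request head")
    lines = raw[:end].split(CRLF)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0], headers, end + 4


def body_end_by_content_length(raw: bytes) -> int:
    """Where a server that honours Content-Length believes the first request ends."""
    _, headers, body_start = parse_head(raw)
    return body_start + int(headers.get("content-length", "0"))


def body_end_by_chunked(raw: bytes) -> int:
    """Where a server that honours Transfer-Encoding: chunked believes the first request ends."""
    _, headers, pos = parse_head(raw)
    if "chunked" not in headers.get("transfer-encoding", "").lower():
        return body_end_by_content_length(raw)
    while True:
        line_end = raw.find(CRLF, pos)
        if line_end < 0:
            raise ValueError("incomplete chunk stream")
        size = int(raw[pos:line_end].split(b";")[0].strip(), 16)  # chunk extensions are ignored
        pos = line_end + 2
        if size == 0:
            if raw[pos:pos + 2] == CRLF:  # last chunk with no trailers
                return pos + 2
            trailers_end = raw.find(CRLF + CRLF, pos)
            if trailers_end < 0:
                raise ValueError("incomplete trailers")
            return trailers_end + 4
        pos += size
        if raw[pos:pos + 2] != CRLF:
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def analyse_cl_te(raw: bytes) -> Dict[str, object]:
    """Compare the two framings; the bytes between them are what the back end treats as a new request."""
    _, headers, _ = parse_head(raw)
    cl_end = body_end_by_content_length(raw)
    te_end = body_end_by_chunked(raw)
    return {
        "ambiguous_framing": "content-length" in headers and "transfer-encoding" in headers,
        "front_end_end": cl_end,
        "back_end_end": te_end,
        "smuggled_prefix": raw[te_end:cl_end] if te_end < cl_end else b"",
    }


def accept_request_framing(raw: bytes) -> bool:
    """Front-end rule from RFC 7230 section 3.3.3: a request carrying both headers is rejected outright."""
    _, headers, _ = parse_head(raw)
    return not ("content-length" in headers and "transfer-encoding" in headers)
```

Rejecting rather than "fixing" the ambiguous request is the safe choice for a front end: normalising (dropping Content-Length and forwarding chunked) only works if every back end parses chunk sizes and extensions exactly the way the front end does, which is the assumption this whole bug class exists to break.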
Hacker One | added 2015/01/19 1:54 p.m. | 171 views

Mail.ru: Heartbleed: my.com (185.30.178.33) port 1433

MacBook-Pro-Kirill:Pentest isox$ python heartbleed.py 185.30.178.33 -p 1443 defribulator v1.16 A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed CVE-2014-0160 Connecting to: 185.30.178.33:1443, 1 times Sending Client Hello for TLSv1.0 Received Server Hello for TLSv1.0...

CVSS 5 | AI score 7.7 | EPSS 0.99999 | Exploits 87
Hacker One | added 2014/01/17 12:49 a.m. | 171 views

HackerOne: Information disclosure (reset password token) and changing the user's password

The user gets an e-mail with a password recovery link, which includes the reset password token. The user clicks this link and is expected to enter a new password twice. Before entering the password the user clicks a link to a picture https://xkcd.com/936/. When this happens, cross-domain referer leakag...

AI score 7.2 | Exploits 0
Hacker One | added 2020/11/02 8:04 p.m. | 170 views

Mail.ru: SQL injection delivery-club.ru (ClickHouse)

Some requests to clickhouse in delivery-club.ru were externally available potentially allowing SQL-like requests execution...

AI score 4 | Exploits 0
Hacker One | added 2020/07/09 7:32 p.m. | 170 views

GitHub Security Lab: [javascript] CWE-020: CodeQL query to detect missing origin validation in cross-origin communication via postMessage

This bug was reported directly to GitHub Security Lab...

AI score 2.3 | Exploits 0
Hacker One | added 2020/05/29 5:51 p.m. | 170 views

GitHub Security Lab: Java: CWE-532 sensitive info logging

This bug was reported directly to GitHub Security Lab...

AI score 0.9 | Exploits 0
Hacker One | added 2020/05/27 12:20 p.m. | 170 views

Open-Xchange: Missing (or redundant) null check in `dcrypt_openssl_sign`

Function dcrypt_openssl_sign in file src/lib-dcrypt/dcrypt-openssl.c has the following code: if (EVP_PKEY_base_id(key->key) == EVP_PKEY_RSA) { *error_r = "Format does not support RSA"; return FALSE; } and later: if (md == NULL) { if (error_r != NULL) *error_r = t_strdup_printf("Unknown digest %s", algorithm); return FALSE; } So,...

AI score 0.9 | Exploits 0
Hacker One | added 2018/07/07 2:50 p.m. | 170 views

Brave Software: Torrent extension: Cross-origin downloading + "URL spoofing" + CSP-blocked XSS

Summary: #378809 allows navigating to chrome-extension://; #378805 allows displaying alert windows on chrome-extension:// origin. As I said in 378809, navigation to chrome-extension:// allows attacking dependencies/components of extensions. Brave has only 3 extensions installed by default w/o...

AI score 6 | Exploits 0
Hacker One | added 2017/09/27 10:32 a.m. | 170 views

Bitwarden: Mailgun misconfiguration on email.bitwarden.com

Hi, while checking the subdomains I found that the subdomain email.bitwarden.com upon navigating downloads a file saying "Mailgun Magnificent API" and has the following DNS info. DNS Records for email.bitwarden.com: Hostname Type TTL Priority Content email.bitwarden.com SOA 899 ns-586.awsdns-09.net...

AI score 6.6 | Exploits 0
Hacker One | added 2017/04/05 12:09 p.m. | 170 views

Nextcloud: Design Issues on ( ███ ) Lead to show ( IPS of Users )

Hello, I know this domain is maybe out of scope, but it is connected to the main website. I have seen it cacheable: the download IPs for users' status. As I saw that you activated awstats statistics, that showed me full access to the stats on the website. POC...

AI score 0.5 | Exploits 0
Hacker One | added 2020/11/02 11:13 a.m. | 169 views

Mail.ru: [files.ucs.ru] ProFTPd mod_copy Arbitrary Read/Write

CVE-2015-3306 in opened to external network FTP server on files.ucs.ru...

CVSS 10 | AI score 8.9 | EPSS 0.96803 | Exploits 21
Hacker One | added 2020/08/24 3:18 p.m. | 169 views

Node.js: `fs.realpath.native` on darwin may cause buffer overflow

Summary: The libuv's implementation of...

CVSS 4.6 | AI score 0.2 | EPSS 0.00714 | Exploits 0
Hacker One | added 2020/06/04 8:41 p.m. | 169 views

GitHub Security Lab: gagliardetto: Query to detect incorrect conversion between numeric types

This bug was reported directly to GitHub Security Lab...

AI score 2.9 | Exploits 0
Hacker One | added 2020/04/08 5:57 p.m. | 169 views

Helium: Hyperlink Injection on Email Invitation

DESCRIPTION: Found a hyperlink injection in the name of the Organization when the attacker invites the victim to his organization with an injected hyperlink. STEPS: 1. Add an organization with the name https://attacker.com and switch to it. 2. Go to user and invite the victim using email. 3. The victim will se...

AI score 0.9 | Exploits 0
Hacker One | added 2019/11/22 4:36 p.m. | 169 views

Bumble: The login of Hot or Not is vulnerable to bruteforce.

I was able to validate that the login of Hot or Not is vulnerable to brute-forcing. Steps to reproduce: 1. https://hotornot.com/signin 2. Use a Burp Intruder attack for brute-forcing 3. Send as many requests as you want. Fix: Proper mitigation of brute-forcing should be done using rate limiting etc...

AI score 1.1 | Exploits 0
Hacker One | added 2017/05/31 6:50 p.m. | 169 views

Internet Bug Bounty: rpcbind "rpcbomb" CVE-2017-8779, CVE-2017-8804

Description: this allowed an attacker to easily disrupt a remote system through excessive memory consumption. Writeup: https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/ Demonstration video: https://www.youtube.com/watch?v=b38H3oEgrQw this video shows...

CVSS 7.8 | AI score 7.7 | EPSS 0.81921 | Exploits 4
Hacker One | added 2014/06/10 12:12 a.m. | 169 views

HackerOne: Session not invalidated after password reset

After a password reset link is requested and a user's password is then changed, not all existing sessions are logged out automatically. The automatic removal of existing sessions linked to a user whose password was changed is only the case if the session was initiated with the 'Remember me for a...

AI score 3.2 | Exploits 0
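Two HackerOne reports in this list concern the same password-reset flow: the earlier one (reset token leaking through the Referer header when the reset page links out to another site) and this one (sessions that survive a password change). The store below is an added example written for this page, not HackerOne's code, showing the properties that close both: reset tokens are stored only as a SHA-256 digest, are single-use, expire quickly and are superseded by any newer token for the same user, so a leaked link has a short and bounded window; and redeeming a token replaces the password and drops every existing session for that account. The in-memory dictionaries, the 15-minute TTL and the `new_password_hash` argument (hashing is assumed to happen elsewhere) are assumptions for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumption: 15 minutes is short enough to bound the damage of a link that leaks via Referer or logs.
RESET_TOKEN_TTL = 15 * 60


def _digest(token: str) -> str:
    """Only this digest is stored; a database leak does not yield usable reset links."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class ResetToken:
    user: str
    expires_at: float
    used: bool = False


@dataclass
class AccountStore:
    passwords: Dict[str, str] = field(default_factory=dict)              # user -> password hash
    sessions: Dict[str, str] = field(default_factory=dict)               # session id -> user
    reset_tokens: Dict[str, ResetToken] = field(default_factory=dict)    # sha256(token) -> record

    def create_session(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def session_user(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid)

    def revoke_all_sessions(self, user: str, keep: Optional[str] = None) -> int:
        """Drop every session of user (optionally keeping one); returns how many were revoked."""
        victims = [sid for sid, u in self.sessions.items() if u == user and sid != keep]
        for sid in victims:
            del self.sessions[sid]
        return len(victims)

    def issue_reset_token(self, user: str, now: Optional[float] = None) -> str:
        """Mint a fresh token for the e-mail link; any earlier outstanding token for user stops working."""
        now = time.time() if now is None else now
        for rec in self.reset_tokens.values():
            if rec.user == user:
                rec.used = True
        token = secrets.token_urlsafe(32)
        self.reset_tokens[_digest(token)] = ResetToken(user, now + RESET_TOKEN_TTL)
        return token

    def redeem_reset_token(self, token: str, new_password_hash: str, now: Optional[float] = None) -> bool:
        """Consume the token, set the new password and log out every existing session of the account."""
        now = time.time() if now is None else now
        rec = self.reset_tokens.get(_digest(token))
        if rec is None or rec.used or now > rec.expires_at:
            return False
        rec.used = True                       # single use, even if the link is replayed within the TTL
        self.passwords[rec.user] = new_password_hash
        self.revoke_all_sessions(rec.user)    # the fix for the "session not invalidated" report
        return True
```

For the Referer leak itself, the companion fix on the reset page is to send a `Referrer-Policy: no-referrer` header and to keep third-party links off the page; the token properties above are what limit the damage when that is forgotten.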
Hacker One | added 2025/04/16 10:51 a.m. | 168 views

Informatica: [███] Cross-Site Scripting (XSS) via /ssl-vpn/getconfig.esp at GlobalProtect VPN Portal

A Cross-Site Scripting (XSS) vulnerability was discovered in the GlobalProtect VPN portal's getconfig.esp endpoint. The vulnerability existed because the application reflected user input from the user parameter in an XML response without proper sanitization. This allowed an attacker to inject SVG...

AI score 5.7 | Exploits 0
Hacker One | added 2023/03/09 6:09 p.m. | 168 views

curl: CVE-2023-27538: SSH connection too eager reuse still

A vulnerability CVE-2023-27538 existed in the SSH connection reuse feature of the cURL library. The vulnerability allowed for connection reuse even when different SSH keys were used, due to a broken check for SSH key matching. The vulnerability could potentially lead to unauthorized access to sensiti...

CVSS 5.5 | AI score 7 | EPSS 0.01162 | Exploits 1
Hacker One | added 2021/09/09 2:00 p.m. | 168 views

curl: CVE-2021-22947: STARTTLS protocol injection via MITM

Summary: A man-in-the-middle can inject cleartext forged responses to future encrypted commands by pipelining them to the STARTTLS response. Steps To Reproduce: Use the attached test case within the curl test system. It is based on IMAP FETCH with explicit TLS. Upon test failure, the downloaded...

CVSS 4.3 | AI score 7.7 | EPSS 0.02799 | Exploits 1
Total number of security vulnerabilities: 5000