Hackerone: most viewed

15365 matches found

Hacker One, added 2019/11/22 4:36 p.m., 168 views

Bumble: The login of Hot or Not is vulnerable to brute force.

I was able to validate that the login of Hot or Not is vulnerable to brute forcing. Steps to reproduce: 1. https://hotornot.com/signin 2. Use a Burp Intruder attack for brute forcing. 3. Send as many requests as you want. Fix: Proper mitigation of brute forcing should be done using rate limiting etc...

AI score: 1.1; Exploits: 0
Hacker One, added 2017/01/19 11:35 p.m., 169 views

HackerOne: Google Analytics could be used as CSP bypass for data exfiltration on hackerone.com

Greetings, I believe I may have found a way to bypass CSP on hackerone.com. The issue lies here: img-src 'self' data: www.google-analytics.com. As you can imagine, how can image tags be used maliciously here on this safe site? Well, as you know, on google-analytics.com we have the ability to host...

AI score: 7.2; Exploits: 0
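The report above turns on one line of the policy: an image beacon needs no script execution, so any img-src entry that points at a host the attacker can read data back from is an exfiltration channel. The following added example (written for this page, not HackerOne's code) parses a CSP header, applies the default-src fallback, and flags such entries; the collector host list is a constructed assumption.

```python
"""Flag img-src sources through which an injected <img> tag could exfiltrate data.

Added example for the CSP bypass report above; not code from HackerOne or the
reporter. The collector host list is a constructed assumption for this example.
"""
from typing import Dict, List

# Third-party hosts that accept arbitrary, attacker-readable query parameters on a
# GET beacon (the Google Analytics collector is the one the report relies on).
OPEN_COLLECTORS = {"www.google-analytics.com", "google-analytics.com"}

# img-src falls back to default-src when it is not set.
FETCH_FALLBACK = {"img-src": "default-src"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source, ...]}.

    Directive names are case-insensitive; per the spec the first occurrence of
    a duplicated directive wins and later copies are ignored."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        parts = raw.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources that govern `directive`, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    fallback = FETCH_FALLBACK.get(directive)
    if fallback in policy:
        return policy[fallback]
    return ["*"]  # neither directive present: the browser allows any source


def _host_of(source: str) -> str:
    """Host part of a CSP host-source such as https://cdn.example.com:443/path."""
    return source.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def exfil_risks(header: str) -> List[str]:
    """Return one finding per img-src source usable as an exfiltration channel.

    An injected <img src="https://collector/?d=SECRET"> needs no script
    execution, so a permissive img-src defeats the rest of the policy."""
    findings: List[str] = []
    for src in effective_sources(parse_csp(header), "img-src"):
        s = src.lower()
        if s in ("*", "http:", "https:"):
            findings.append(f"{src}: any host allowed, image beacons can carry data anywhere")
        elif s.startswith("*."):
            findings.append(f"{src}: wildcard subdomain, an attacker-registered name under it works")
        elif _host_of(s) in OPEN_COLLECTORS:
            findings.append(f"{src}: public collector that stores attacker-readable query parameters")
    return findings


if __name__ == "__main__":
    for finding in exfil_risks("default-src 'self'; img-src 'self' data: www.google-analytics.com"):
        print(finding)
```

Note that `data:` is not flagged: a data: URI never leaves the page, so it cannot carry data out. The fix for the reported case is to stop listing the shared collector host and proxy analytics beacons through a first-party endpoint instead.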
Hacker One, added 2014/06/10 12:12 a.m., 168 views

HackerOne: Session not invalidated after password reset

After a password reset link is requested and a user's password is then changed, not all existing sessions are logged out automatically. The automatic removal of existing sessions linked to a user whose password was changed is only the case if the session was initiated with the 'Remember me for a...

AI score: 3.2; Exploits: 0
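The defect above is a revocation gap: sessions minted one way were revoked on password change, sessions minted another way were not. The added example below (written for this page, not HackerOne's code) shows the pattern that closes the gap regardless of how a session was created: every user carries a credential generation number, each session records the generation it was issued under, and a password change bumps the generation and drops the stored sessions. The in-memory dicts stand in for a database or cache; password hashing is out of scope here.

```python
"""Revoke every session of a user when their password changes.

Added example for the report above; not HackerOne's code. Storage is an in-memory
dict standing in for a database or cache; password hashing is out of scope here.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user_id: str
    generation: int          # user's credential generation when the session was minted
    remember_me: bool
    created: float = field(default_factory=time.time)


class SessionStore:
    """Server-side sessions tied to a per-user credential generation.

    change_password() bumps the generation and deletes the stored sessions, so a
    token minted before the change fails even if a replica still holds a copy of
    it, and regardless of whether it came from a plain login or 'remember me'.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}   # sha256(token) -> Session
        self._generation: Dict[str, int] = {}     # user_id -> current generation

    @staticmethod
    def _key(token: str) -> str:
        # Store a digest so a leaked session table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id: str, remember_me: bool = False) -> str:
        token = secrets.token_urlsafe(32)
        gen = self._generation.setdefault(user_id, 1)
        self._sessions[self._key(token)] = Session(user_id, gen, remember_me)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live session, or None."""
        s = self._sessions.get(self._key(token))
        if s is None or s.generation != self._generation.get(s.user_id):
            return None
        return s.user_id

    def change_password(self, user_id: str, reissue: bool = True) -> Optional[str]:
        """Invalidate all of the user's sessions after the caller has stored the
        new password; optionally mint a fresh session for the browser that made
        the change so the user is not logged out of it."""
        self._generation[user_id] = self._generation.get(user_id, 1) + 1
        stale = [k for k, s in self._sessions.items() if s.user_id == user_id]
        for k in stale:
            del self._sessions[k]
        return self.login(user_id) if reissue else None
```

The generation check is what makes the revocation hold across replicas and caches that have not yet seen the delete; the delete itself just keeps the table small.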
Hacker One, added 2021/09/09 2:00 p.m., 167 views

curl: CVE-2021-22947: STARTTLS protocol injection via MITM

Summary: A man-in-the-middle can inject cleartext forged responses to future encrypted commands by pipelining them with the STARTTLS response. Steps to reproduce: Use the attached test case within the curl test system. It is based on IMAP FETCH with explicit TLS. Upon test failure, the downloaded...

CVSS: 4.3, AI score: 7.7, EPSS: 0.02799; Exploits: 1
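The injection above works because a client that buffers more than one line from the cleartext socket can carry the surplus across the TLS upgrade and then treat it as the answer to its first encrypted command. The added example below (a model written for this page, not curl's code) replays the IMAP case with constructed bytes: a `strict` client aborts when anything is left in the buffer after the STARTTLS OK, while the vulnerable variant happily returns the attacker's FETCH reply.

```python
"""STARTTLS response injection: why leftover cleartext must be discarded.

Added example modelling the report above; not curl's code. The IMAP exchange,
the injected bytes and the 'pipes' are constructed stand-ins for real sockets.
"""
from typing import List

# What the genuine server sends *inside* TLS after the upgrade (constructed).
GENUINE = b"* 1 FETCH (BODY[] {12}\r\ngenuine mail\r\nA002 OK Fetch completed\r\n"

# What a MITM appends, in cleartext, to the server's STARTTLS reply: a forged
# answer for the client's *next* command, which will be sent encrypted (constructed).
INJECTED = b"* 1 FETCH (BODY[] {20}\r\nattacker controlled!\r\nA002 OK Fetch completed\r\n"


class Pipe:
    """Receive side of a stream, pre-loaded with everything the peer will send."""

    def __init__(self, data: bytes) -> None:
        self.buf = data

    def recv(self, n: int = 4096) -> bytes:
        chunk, self.buf = self.buf[:n], self.buf[n:]
        return chunk


class ImapClient:
    def __init__(self, clear: Pipe, tls: Pipe, strict: bool) -> None:
        self.pipe = clear
        self.tls_pipe = tls
        self.strict = strict     # True: refuse pipelined cleartext (the fixed behaviour)
        self.inbuf = b""
        self.seq = 0

    def _read_response(self, tag: bytes) -> List[bytes]:
        """Collect lines until the tagged completion line for `tag` arrives."""
        lines: List[bytes] = []
        while True:
            while b"\r\n" in self.inbuf:
                line, self.inbuf = self.inbuf.split(b"\r\n", 1)
                lines.append(line)
                if line.startswith(tag + b" "):
                    return lines
            chunk = self.pipe.recv()
            if not chunk:
                raise ConnectionError("peer closed the connection")
            self.inbuf += chunk

    def command(self, cmd: bytes) -> List[bytes]:
        self.seq += 1
        tag = b"A%03d" % self.seq
        # Sending is not modelled; only the reply path matters for the bug.
        return self._read_response(tag)

    def starttls(self) -> None:
        reply = self.command(b"STARTTLS")
        if reply[-1].split(b" ", 2)[1] != b"OK":
            raise ConnectionError("STARTTLS refused")
        if self.inbuf:
            if self.strict:
                # Anything buffered after the OK arrived in cleartext and can only
                # be a pipelined injection. Abort rather than continue.
                raise ValueError("cleartext data after STARTTLS reply, aborting")
            # Vulnerable: the leftover bytes stay in inbuf and are consumed as the
            # reply to the next command, which the client believes is TLS-protected.
        self.pipe = self.tls_pipe   # from here on, reads come from the TLS layer


def run(strict: bool, injected: bool) -> List[bytes]:
    """Upgrade to TLS, then FETCH; return the lines the client takes as the reply."""
    clear = b"A001 OK Begin TLS negotiation now\r\n" + (INJECTED if injected else b"")
    client = ImapClient(Pipe(clear), Pipe(GENUINE), strict)
    client.starttls()
    return client.command(b"FETCH 1 BODY[]")
```

The same check applies to SMTP, POP3 and FTP AUTH TLS: after the upgrade reply, the receive buffer must be empty before the handshake starts, and the client should never read ahead across it.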
Hacker One, added 2020/12/22 3:35 a.m., 167 views

WHO COVID-19 Mobile App: DMARC and SPF records

If you are encountering this error of No DMARC Record found, this means that your domain does not have a published DMARC record. DMARC records are published via DNS as a text (TXT) record. They let receiving servers know what they should do with non-aligned email received from your domain...

AI score: 6.7; Exploits: 0
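A missing record is the easy case; a published record can still be useless (p=none, no reporting address, a second record that makes receivers discard both, an SPF record ending in +all). The added example below (written for this page, not the program's code) parses DMARC and SPF TXT records handed to it as constructed strings and reports such findings; in production the input comes from a DNS query for `_dmarc.<domain>` and for the apex.

```python
"""Assess the DMARC and SPF TXT records a domain publishes.

Added example for the report above; not the program's code. The records passed
in are constructed; in production fetch them with a DNS client
(_dmarc.<domain> for DMARC, the domain apex for SPF).
"""
from typing import Dict, List


def parse_tags(record: str) -> Dict[str, str]:
    """'v=DMARC1; p=reject; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(records: List[str]) -> List[str]:
    """Findings for the TXT records at _dmarc.<domain>; empty means acceptable."""
    dmarc = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: receivers apply no policy to spoofed mail"]
    if len(dmarc) > 1:
        return ["multiple DMARC records: receivers discard all of them (RFC 7489 6.6.3)"]
    t = parse_tags(dmarc[0])
    findings: List[str] = []
    p = t.get("p", "")
    if p not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: record is unusable")
    elif p == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if p != "none" and t.get("sp", p) == "none":
        findings.append("sp=none: subdomains remain spoofable")
    if t.get("pct", "100") != "100":
        findings.append(f"pct={t['pct']}: policy applied to only part of failing mail")
    if "rua" not in t:
        findings.append("no rua= address: no aggregate reports, failures go unnoticed")
    return findings


def assess_spf(records: List[str]) -> List[str]:
    """Findings for the SPF record at the domain apex; empty means acceptable."""
    spf = [r for r in records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: DMARC alignment can only come from DKIM"]
    if len(spf) > 1:
        return ["multiple SPF records: permerror, SPF never passes (RFC 7208 3.2)"]
    terms = spf[0].split()
    findings: List[str] = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all: any host may send as this domain")
    elif last == "?all":
        findings.append("?all: neutral result, no protection")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("no terminal all mechanism: unlisted senders get a neutral result")
    # Mechanisms that cost a DNS lookup; more than 10 is a permerror (RFC 7208 4.6.4).
    counted = ("include", "a", "mx", "ptr", "exists", "redirect")
    lookups = sum(1 for x in terms[1:]
                  if x.lstrip("+-~?").lower().split(":")[0].split("=")[0] in counted)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: exceeds the limit of 10, permerror")
    return findings
```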
Hacker One, added 2024/12/05 9:51 a.m., 166 views

Internet Bug Bounty: CVE-2024-53908: Django Potential SQL injection in `HasKey(lhs, rhs)` on Oracle

CVE-2024-53908: Django potential SQL injection in HasKey(lhs, rhs) on Oracle was reported. The vulnerability was found in the direct usage of the django.db.models.fields.json.HasKey lookup on Oracle databases when untrusted data was used as an lhs value. Applications that used the jsonfield.has_key...

CVSS: 9.8, AI score: 7.5, EPSS: 0.01424; Exploits: 0
Hacker One, added 2020/06/22 11:26 p.m., 166 views

Shopify: Open Redirect - www.shopify.com

Hello Shopify team, I found an open redirect in www.shopify.com. Link: https://www.shopify.com/plus/get-cdn-asset?asset=http://evil.com/? Vulnerable parameter: asset. Impact: open redirect that can lead to phishing and other types of attacks. Have a good day, zonduu...

AI score: 0.2; Exploits: 0
Hacker One, added 2020/01/08 10:08 p.m., 166 views

Ian Dunn: DoS of https://iandunn.name/ via CVE-2018-6389 exploitation

Similar to 752010. Detail: There is a possibility in the /wp-admin/load-scripts.php script to generate a large (3 MB) amount of data via a simple non-authenticated request to the server. The vulnerability is registered as https://vulners.com/cve/CVE-2018-6389. A detailed attack scenario is described for example here...

CVSS: 5, AI score: 0.5, EPSS: 0.73098; Exploits: 11
Hacker One, added 2017/08/17 4:53 a.m., 166 views

Gratipay: Missing Certificate Authority Authorization rule

Hi Team, Summary: Certificate Authority Authorization, supported by Let's Encrypt and other CAs, allows a domain owner to specify which certificate authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authorities should refuse to issue a certificate unless...

AI score: 0.6; Exploits: 0
Hacker One, added 2020/10/27 12:52 a.m., 165 views

curl: Data race conditions reported by helgrind when performing parallel DNS queries in libcurl

While running the binary built from the curl git repo file "docs/examples/10-at-a-time.c" under valgrind, specifically with the helgrind tool, it reports race conditions in getaddrinfo calls. Using the latest curl/libcurl from the GitHub repo. From the valgrind documentation: "Helgrind is a Valgrind tool for...

AI score: 6.8; Exploits: 0
Hacker One, added 2017/02/06 8:37 p.m., 165 views

Pornhub: Reflected XSS in Meta Tag

The researcher reported a reflected XSS bug in a meta tag in the search bar. XSS found with @the-useless-one! All details here: https://the-useless-one.github.io/posts/2017/03/28/meet-beautiful-xss-in-your-area-a-youporn-bug-bounty-sfw/...

AI score: 6.1; Exploits: 0
Hacker One, added 2021/03/10 11:06 p.m., 164 views

GitHub Security Lab: [Java] CWE-312: Query to detect cleartext storage of sensitive information using Android SharedPreferences

This bug was reported directly to GitHub Security Lab...

AI score: 1.1; Exploits: 0
Hacker One, added 2021/01/20 9:29 p.m., 164 views

Rockstar Games: phpinfo() on graph.rockstargames.com exposes sensitive information

In this report, the researcher identified a subdomain that was improperly made public while sensitive information was disclosed, including phpinfo. We were able to fix the deployment and remove the sensitive information, thus resolving the issue...

AI score: 0.9; Exploits: 0
Hacker One, added 2020/12/26 10:19 p.m., 164 views

h1-ctf: Hacky Holidays CTF Writeup

Greetings team. Yay! Finally I made it to the end. Thank you very much for launching this fantastic event; I had to review topics that I thought I knew, learned a lot and I am sure that I will continue learning with the community: F1130889 Hacky Holidays! P.S. I will put my writeup in my next...

AI score: 0.2; Exploits: 0
Hacker One, added 2020/08/20 2:48 a.m., 164 views

Shopify: Stocky App Administrator can create a backdoor admin account by using an existing POS User

Details: The Stocky App has POS users that are created once POS staff log in to the application from the Point of Sale application on a mobile device. From the users management page located at https://stocky.shopifyapps.com/users there's no visible way to edit those POS users. Although,...

AI score: 6.7; Exploits: 0
Hacker One, added 2020/07/21 8:46 p.m., 164 views

GitHub Security Lab: Java: CWE-939 - Address improper URL authorization

This bug was reported directly to GitHub Security Lab...

AI score: 1.7; Exploits: 0
Hacker One, added 2020/05/05 11:39 a.m., 164 views

Brave Software: HTTP Request Smuggling

When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being awa...

AI score: 6.8; Exploits: 0
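The inconsistency the entry describes is almost always about body framing: one hop trusts Content-Length, the next trusts Transfer-Encoding, or one sees a header the other has discarded because of an obfuscated name. The added example below (written for this page, not Brave's code) is the framing decision a strict HTTP/1.1 parser should make, following RFC 7230 section 3.3.3: refuse the ambiguous request instead of picking a side. The requests in the test are constructed.

```python
"""Decide HTTP/1.1 request framing strictly, rejecting smuggling-prone ambiguity.

Added example illustrating the report above; not Brave's code. Requests are
constructed. The rules follow RFC 7230 section 3.3.3: Transfer-Encoding beats
Content-Length, and a request carrying both (or an unparseable or conflicting
Content-Length, or a non-final 'chunked') must be refused, not reconciled.
"""
import re
from typing import List, Tuple

KNOWN_CODINGS = {b"chunked", b"gzip", b"deflate", b"identity"}
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_head(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split the request head into (request-line, [(lower-name, value), ...]).

    Header names must be a single token up to the colon: 'Content-Length : 5'
    (space before the colon) is the classic obfuscation one hop parses and the
    next ignores, so it is an error here rather than a header."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers: List[Tuple[bytes, bytes]] = []
    for line in lines[1:]:
        if b":" not in line:
            raise ValueError("malformed header line")
        name, value = line.split(b":", 1)
        if not _TOKEN.fullmatch(name):
            raise ValueError("invalid header name (whitespace or illegal byte)")
        headers.append((name.lower(), value.strip(b" \t")))
    return lines[0], headers


def framing_decision(raw: bytes) -> str:
    """Return 'chunked', 'content-length N', 'no body', or 'reject: <reason>'."""
    try:
        _, headers = parse_head(raw)
    except ValueError as e:
        return f"reject: {e}"
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if te and cl:
        return "reject: both Transfer-Encoding and Content-Length present"
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if any(c not in KNOWN_CODINGS for c in codings):
            return "reject: unrecognised transfer-coding"
        if codings[-1] != b"chunked":
            return "reject: chunked is not the final transfer-coding"
        return "chunked"
    if cl:
        if len(set(cl)) > 1:
            return "reject: conflicting Content-Length values"
        if not re.fullmatch(rb"[0-9]+", cl[0]):
            return "reject: non-numeric Content-Length"
        return f"content-length {int(cl[0])}"
    return "no body"
```

A front-end proxy that applies these rules, and additionally normalises the request (one framing header, HTTP/1.1 canonical form, or HTTP/2 to the origin), leaves nothing for the two hops to disagree about.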
Hacker One, added 2020/03/23 10:59 p.m., 164 views

Qulture.Rocks: Privilege escalation from member user ( editor ) to admin user

Qulture.Rocks has multiple levels of admins, where you can manage parts of the application. One of those levels had a wrong configuration, which did not block it from updating its level to a higher one. Our team worked rapidly to fix this issue, blocking said level from updating itself...

AI score: 1.1; Exploits: 0
Hacker One, added 2020/01/23 6:16 a.m., 164 views

Topcoder: Cross Site Scripting via CVE-2018-5230 on https://apps.topcoder.com

Hi, I found reflected XSS on https://apps.topcoder.com via an error message. Payload: %3CIFRAME%20SRC%3D%22javascript%3Aalert%28%27XSS%27%29%22%3E.vm Vulnerable link: https://apps.topcoder.com/wiki/labels/%3CIFRAME%20SRC%3D%22javascript%3Aalert'XSS'%22%3E.vm Steps to reproduce: Create an account...

CVSS: 4.3, AI score: 1.4, EPSS: 0.37611; Exploits: 0
Hacker One, added 2018/02/02 9:19 p.m., 164 views

Semrush: Cross-origin resource sharing misconfig

Description: An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per request based on the URL and other...

AI score: 6.8; Exploits: 0
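Most CORS misconfigurations are one of two bugs in the Origin check: reflecting whatever Origin arrives, or matching it with a suffix test that `evilexample.com` also passes. Both become serious once `Access-Control-Allow-Credentials: true` is added, because then any site can read the victim's authenticated responses. The added example below (written for this page, not Semrush's code) puts the two broken validators beside the correct one; the allow-list is a constructed assumption.

```python
"""Origin validation for CORS: two common mistakes beside the correct check.

Added example for the report above; not Semrush's code. Allowed origins are a
constructed list.
"""
from typing import Dict, Set
from urllib.parse import urlsplit

ALLOWED_ORIGINS: Set[str] = {"https://app.example.com", "https://admin.example.com:8443"}


def _respond(origin: str) -> Dict[str, str]:
    """Headers that let `origin` read the response and send cookies with requests."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",   # caches must not serve one origin's grant to another
    }


def cors_reflect(origin: str) -> Dict[str, str]:
    """Vulnerable: echoes any Origin, so every site can read authenticated responses."""
    return _respond(origin) if origin else {}


def cors_suffix(origin: str) -> Dict[str, str]:
    """Vulnerable: 'ends with example.com' also matches https://evilexample.com."""
    return _respond(origin) if origin.endswith("example.com") else {}


def normalise(origin: str) -> str:
    """Canonical scheme://host[:port] form, or '' if the value is not a real origin."""
    p = urlsplit(origin)
    if p.scheme not in ("http", "https") or not p.hostname or p.path or p.query:
        return ""
    try:
        port = p.port
    except ValueError:
        return ""
    default = 443 if p.scheme == "https" else 80
    host = p.hostname.lower()
    return f"{p.scheme}://{host}" if port in (None, default) else f"{p.scheme}://{host}:{port}"


def cors_exact(origin: str) -> Dict[str, str]:
    """Correct: exact match of scheme, host and port against an allow-list.

    'null' (sandboxed iframes, file://, some redirects) and a missing Origin
    header get no grant at all."""
    canonical = normalise(origin)
    if canonical and canonical in {normalise(o) for o in ALLOWED_ORIGINS}:
        return _respond(origin)
    return {}
```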
Hacker One, added 2016/09/23 9:17 a.m., 164 views

HackerOne: (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation

Summary: Login CSRF, Open Redirect, and Self-XSS Possible Exploitation through HackerOne SSO-SAML. PoC: Go to █████; use a browser window with clear cookies. Source code: setTimeout(function () { document.location.href = "https://hackerone.com/users/saml/signin?email=████&rememberme=true"; }, 5000); Impact...

AI score: 0.3; Exploits: 0
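Both this entry and the Shopify get-cdn-asset entry earlier in the list come down to a redirect target taken from the request and emitted unchecked. The added example below (written for this page, not Shopify's or HackerOne's code) is the validation a login or asset endpoint should run before issuing the 302; it accepts only a same-site absolute path or an https URL to an allow-listed host, and handles the usual bypasses (protocol-relative `//host`, backslashes, userinfo, non-http schemes, CRLF). The host list is a constructed assumption.

```python
"""Validate a post-login / asset redirect target before issuing a 302.

Added example covering the Shopify get-cdn-asset report and the SSO-SAML
report in this list; not Shopify's or HackerOne's code. The host allow-list is
a constructed assumption.
"""
from typing import Set
from urllib.parse import urlsplit

ALLOWED_HOSTS: Set[str] = {"www.example.com", "accounts.example.com"}


def is_safe_redirect(target: str, allowed_hosts: Set[str] = ALLOWED_HOSTS) -> bool:
    """True only for a same-site path or an https URL to an allow-listed host.

    Handles the usual bypasses: protocol-relative //host, backslash variants
    (browsers treat \\ as /), userinfo tricks (https://good@evil), non-http
    schemes, and control characters used for header injection."""
    if not target or len(target) > 2048:
        return False
    if any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False
    t = target.strip().replace("\\", "/")
    parts = urlsplit(t)
    scheme = parts.scheme.lower()
    if not scheme and not parts.netloc:
        # relative reference: must be an absolute path, and not start with //
        return t.startswith("/") and not t.startswith("//")
    if scheme != "https":
        return False               # http://, javascript:, data:, mailto:, ...
    host = parts.hostname          # excludes userinfo and port
    try:
        port = parts.port
    except ValueError:
        return False
    return bool(host) and host.lower() in allowed_hosts and port in (None, 443)


def redirect_or_home(target: str, fallback: str = "/") -> str:
    """Location value to emit: the validated target, else the fallback."""
    return target if is_safe_redirect(target) else fallback
```

Percent-encoded separators are deliberately not decoded here: the value is used as-is in the Location header, where the browser will not decode them either. If the application decodes the parameter before use, validate the decoded form.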
Hacker One, added 2016/01/18 5:46 p.m., 164 views

Trello: DOM based XSS via Wistia embedding

Hi, You are using Wistia to embed video at trello.com. However, an external script from fast.wistia.com is vulnerable to XSS and allows running malicious JavaScript on your side. Vulnerable code: fast.wistia.net/assets/external/E-v1.js. I found that the parameter wchannel can be controlled to load JS from...

AI score: 6.3; Exploits: 0
Hacker One, added 2023/03/03 7:13 p.m., 163 views

curl: CVE-2023-27533: Telnet option IAC injection

A vulnerability existed in the CURLOPT_TELNETOPTIONS option of the cURL library, which allowed an attacker to inject unintended TELNET commands into the telnet connection by escaping out of the telnet subnegotiation. This could allow the attacker to execute arbitrary OS commands on the target system...

CVSS: 8.8, AI score: 7.3, EPSS: 0.01993; Exploits: 1
Hacker One, added 2022/04/04 9:56 a.m., 163 views

Aiven Ltd: Kafka Connect RCE via connector SASL JAAS JndiLoginModule configuration

Summary: When configuring the connector via the Aiven API or the Kafka Connect REST API, the attacker can set the database.history.producer.sasl.jaas.config connector property for the io.debezium.connector.mysql.MySqlConnector connector. This is likely true for other Debezium connectors too. By...

AI score: 2.9; Exploits: 0
Hacker One, added 2021/09/12 10:49 a.m., 163 views

PortSwigger Web Security: No Rate Limit On Regenerate Password on Portswigger

Introduction: A little bit about rate limiting: A rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. In case a client made too many requests within a given timeframe, HTTP servers can respond with status code 429...

AI score: 7.2; Exploits: 0
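This entry and the Hot or Not login entry at the top of the list both ask for the same control. The added example below (written for this page, not PortSwigger's or Bumble's code) is a sliding-window limiter applied before the password or reset token is checked, keyed on the account and on the source IP at the same time, so that neither a single-target brute force from many addresses nor a password spray from one address gets through. Limits and the in-memory store are constructed for the example; a real deployment keeps the counters in a shared store so every front-end sees the same counts.

```python
"""Login rate limiting keyed on account and on source IP.

Added example serving both the Hot or Not login report and the PortSwigger
regenerate-password report in this list; not Bumble's or PortSwigger's code.
Limits and the in-memory store are constructed for the example; a real
deployment keeps the counters in a shared store (e.g. Redis) so every
front-end sees the same counts.
"""
import math
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple


class LoginRateLimiter:
    """Sliding-window limiter applied before the password (or reset token) is checked.

    The account key defeats a many-IP brute force against one user; the IP key
    defeats password spraying across many users from one source. Failed *and*
    successful attempts count, so an attacker cannot probe for free."""

    def __init__(self, per_account: Tuple[int, int] = (5, 900),
                 per_ip: Tuple[int, int] = (50, 900)) -> None:
        self.limits = {"account": per_account, "ip": per_ip}   # (max attempts, window s)
        self.events: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def _wait(self, kind: str, key: str, now: float) -> float:
        """0.0 if another attempt is allowed, else seconds until one will be."""
        limit, window = self.limits[kind]
        q = self.events[(kind, key)]
        while q and q[0] <= now - window:      # drop attempts outside the window
            q.popleft()
        return q[0] + window - now if len(q) >= limit else 0.0

    def attempt(self, account: str, ip: str, now: Optional[float] = None) -> Tuple[bool, int]:
        """Register an attempt; returns (allowed, retry_after_seconds)."""
        now = time.monotonic() if now is None else now
        acct = account.strip().lower()
        wait = max(self._wait("account", acct, now), self._wait("ip", ip, now))
        if wait > 0:
            return False, math.ceil(wait)     # answer 429 and set Retry-After
        self.events[("account", acct)].append(now)
        self.events[("ip", ip)].append(now)
        return True, 0

    def clear(self, account: str) -> None:
        """Forget an account's counter, e.g. after a verified password reset."""
        self.events.pop(("account", account.strip().lower()), None)
```

The denied attempt is not recorded, so a locked account does not stay locked just because the attacker keeps hammering it; the window is measured from real attempts. Respond identically whether or not the account exists, or the limiter becomes a username oracle.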
Hacker One, added 2020/06/11 5:09 a.m., 163 views

h1-ctf: [H1-2006 2020] Bounty Pay CTF challenge

H1-2006 2020 Bounty Pay CTF challenge. Hi there! This is my H1-2006 CTF writeup submission. First of all, thanks for the great challenge! This was the first H1 CTF that I played. I really enjoyed doing it and I learned new things solving this challenge. In my case, it was the demonstration that I...

AI score: 6.9; Exploits: 0
Hacker One, added 2020/04/24 9:58 p.m., 163 views

HackerOne: Potential stored Cross-Site Scripting vulnerability in Support Backend

HackerOne maintains an internal Support Backend system for employees. On the internal user profiles for hackers, a small overview is shown that lists the skills the user tagged their penetration tester profile with. Although the skills are currently managed by HackerOne and a user can only pick...

AI score: 0.2; Exploits: 0
Hacker One, added 2018/05/27 12:30 a.m., 163 views

Tor: Tor Browser: iframe with `data:` uri has access to parent window

Version: 7.5.4 based on Mozilla Firefox 52.8.0. Tested with the standard security slider; however, it's likely to be possible with a higher security level. Summary: In Tor Browser an iframe with a data: URI inherits the origin of the parent window. That leads to the iframe having access to the parent window. PoC: Iframe cou...

AI score: 0.3; Exploits: 0
Hacker One, added 2018/04/16 7:48 p.m., 163 views

Mail.ru: [web.icq.com] Stored XSS in link when sending message

Domain, site, application: https://web.icq.com/ Testing environment: Chrome. Steps to reproduce: 1. Enter a chat. 2. Send the following message: https://www.google.com/"onmouseover="javascript:prompt" 3. Hover the link. Actual results: XSS prompt shows. Expected results, security impact...

AI score: 0.8; Exploits: 0
Hacker One, added 2016/05/17 5:47 p.m., 163 views

Ubiquiti Inc.: Read-only user can execute arbitrary shell commands on AirOS

This vulnerability is very similar to 128750, but it avoids the solution applied to the last beta XM firmware. In this report the last beta XM firmware is used: XM.v6.0-beta9. Vulnerability: The vulnerability resides in the function fetchCookies, file remote.inc:117. Just like last time it is a non...

AI score: 0.7; Exploits: 0
Hacker One, added 2014/04/17 6:35 a.m., 163 views

Yahoo!: readable .htaccess + source code disclosure (+ .SVN repository)

Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...

AI score: 6.7; Exploits: 0
Hacker One, added 2023/04/24 9:33 p.m., 162 views

Reddit: Blind SSRF to internal services in matrix preview_link API

A vulnerability was found in the preview_link functionality of the Matrix software used in Reddit's new chat system. The endpoint allowed for partially blind SSRF, enabling attackers to send GET requests and exfiltrate data about internal services. This could potentially lead to service enumeration an...

AI score: 7; Exploits: 0
Hacker One, added 2020/08/20 9:47 p.m., 162 views

GitHub Security Lab: [javascript] CWE-117: CodeQL query to detect Log Injection

This bug was reported directly to GitHub Security Lab...

AI score: 0.8; Exploits: 0
Hacker One, added 2020/06/08 12:09 a.m., 162 views

h1-ctf: [H1-2006 2020] CTF Writeup

Summary: The CTF's objective could be found in the following Twitter post: F858468. As outlined on https://hackerone.com/h1-ctf, all subdomains of bountypay.h1ctf.com are in scope. Doing subdomain enumeration revealed the following subdomains: api.bountypay.h1ctf.com app.bountypay.h1ctf.com...

AI score: 7.4; Exploits: 0
Hacker One, added 2020/05/30 1:08 p.m., 162 views

curl: curl overwrite local file with -J

Summary: curl supports the Content-Disposition header, including the filename= option. By design, curl does not allow server-provided local file overwrite, by verifying that the filename= argument does not exist before opening it. However, the implementation contains 2 minor logical bugs that allow...

CVSS: 4.6, AI score: 7.6, EPSS: 0.01236; Exploits: 1
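"Verify that the file does not exist before opening it" is the weak half of this design: the existence check and the open are two steps, and anything that happens between them (a second download, a symlink dropped into the directory) defeats the check. The added example below (written for this page, not curl's code) does the two things a downloader needs here: reduce the server-supplied name to a plain basename, and create the file with O_EXCL so the OS refuses atomically if the name already exists.

```python
"""Derive a local filename from Content-Disposition without ever overwriting a file.

Added example for the report above; not curl's code. Checking that the name
does not exist and then opening it is a race (another download, or a symlink,
can appear in between), so the create step uses O_EXCL and lets the OS refuse
atomically.
"""
import os
import re
import tempfile
from email.message import Message
from typing import Optional

# First character alphanumeric: rejects dotfiles, '.' and '..'; 255 bytes max.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def filename_from_disposition(header: str) -> Optional[str]:
    """Return a safe basename from 'attachment; filename=...', or None.

    Uses the stdlib header parser (handles quoting and RFC 2231 filename*),
    keeps only the last path component treating both / and \\ as separators,
    and refuses anything outside a conservative character set."""
    msg = Message()
    msg["Content-Disposition"] = header
    name = msg.get_filename()
    if not name:
        return None
    name = re.split(r"[\\/]", name)[-1]
    return name if _SAFE_NAME.match(name) else None


def save_exclusive(directory: str, name: str, data: bytes) -> str:
    """Write `data` to directory/name only if that path does not exist yet."""
    path = os.path.join(directory, name)
    # O_EXCL makes creation fail with FileExistsError instead of truncating an
    # existing file; it also fails on an existing symlink, dangling or not.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def overwrite_prevented(directory: Optional[str] = None) -> bool:
    """Demonstrate the guarantee: a second save of the same name must fail and
    must leave the first file's contents untouched."""
    directory = directory or tempfile.mkdtemp(prefix="dl-")
    name = filename_from_disposition('attachment; filename="report.pdf"')
    if name != "report.pdf":
        return False
    save_exclusive(directory, name, b"first")
    try:
        save_exclusive(directory, name, b"second")
        return False
    except FileExistsError:
        with open(os.path.join(directory, name), "rb") as f:
            return f.read() == b"first"
```

The character set is deliberately narrow for a download directory; loosen it only after deciding how the name will be displayed and what the filesystem accepts.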
Hacker One, added 2020/05/07 8:02 p.m., 162 views

Mail.ru: Time-Based SQL injection at city-mobil.ru

Blind time-based SQL injection in https://city-mobil.ru/ due to unsafe usage of a GET parameter. JSON SLEEP PROFIT! P.S. Detailed summary coming soon... possibly... watch https://blog.deteact.com...

AI score: 0.2; Exploits: 0
Hacker One, added 2019/12/05 11:20 a.m., 162 views

Zomato: Zomato Map server going out of memory while resizing map image

Go to https://maps.zomato.com/php/staticmap?center=0,0&size=240x150&maptype=zomato&markers=180,180,pinres32&sensor=false&scale=%&zoom=eval2147483647+1&language=en and a map will be displayed. Now increase the map size by 10x...

AI score: 0.7; Exploits: 0
Hacker One, added 2018/03/13 2:01 a.m., 162 views

Starbucks: Subdomain takeover on svcgatewayus.starbucks.com

Hello, this is a pretty serious security issue in some contexts, so please act as fast as possible. Overview: One of the starbucks.com subdomains is pointing to Azure, which has an unclaimed CNAME record. ANYONE is able to own a starbucks.com subdomain at the moment. This vulnerability is called subdomai...

AI score: 0.4; Exploits: 0
Hacker One, added 2024/11/23 12:50 a.m., 161 views

Mozilla: Denial of Access to Static Resources via Cache Poisoning on addons.allizom.org

A cache poisoning vulnerability was identified on addons.allizom.org that allowed an attacker to block access to static resources such as images and JavaScript files. The issue was exploited by processing the X-HTTP-Method-Override header, which was honored by the origin server and treated the...

AI score: 6.9; Exploits: 0
Hacker One, added 2022/04/27 7:10 a.m., 161 views

Internet Bug Bounty: CVE-2022-27776: Auth/cookie leak on redirect

Summary: curl/libcurl can be coaxed to leak Authorization / Cookie headers by redirecting a request to an http:// URL on the same host. Successful exploitation requires that the attacker can either man-in-the-middle the connection or can access the traffic at the recipient side, for example by...

CVSS: 4.3, AI score: 6.9, EPSS: 0.03425; Exploits: 2
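The "same host" detail is the whole bug: a check that compares only host names lets an https-to-http redirect carry the credentials onto the wire in cleartext. The added example below (written for this page, not curl's code) applies the rule the fix established, forwarding credential-bearing headers only when scheme, host and port all match, and walks a constructed redirect chain to show the headers being dropped at the downgrade.

```python
"""Which request headers survive a redirect.

Added example for the curl advisory above; not curl's code. The rule applied
is the one the fix established: credentials are forwarded only when the
redirect target has the same scheme, host and port as the original request.
The redirect chain used by follow() is a constructed stand-in for real fetches.
"""
from typing import Dict, Tuple
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials. A cookie jar would re-evaluate Cookie per
# RFC 6265 (Secure flag, domain, path); a hand-set Cookie header gets no such
# treatment, so it is stripped like Authorization.
SENSITIVE = {"authorization", "proxy-authorization", "cookie"}


def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else (443 if scheme == "https" else 80)
    return scheme, (p.hostname or "").lower(), port


def headers_for_redirect(from_url: str, location: str,
                         headers: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Resolve Location against the current URL and decide what to forward.

    Any change of scheme (https -> http), host or port drops SENSITIVE headers;
    everything else is kept. Returns (absolute target URL, headers to send)."""
    target = urljoin(from_url, location)
    if origin(target) != origin(from_url):
        headers = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE}
    return target, headers


def follow(start: str, headers: Dict[str, str], responses: Dict[str, str],
           max_hops: int = 5) -> Tuple[str, Dict[str, str]]:
    """Walk a chain of redirects given as {url: Location}; stops when no Location.

    Once a hop has stripped the credentials they never come back, even if a
    later hop returns to the original origin."""
    url = start
    for _ in range(max_hops):
        location = responses.get(url)
        if location is None:
            return url, headers
        url, headers = headers_for_redirect(url, location, headers)
    raise RuntimeError("too many redirects")
```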
Hacker One, added 2021/03/01 5:47 p.m., 161 views

GitHub Security Lab: ihsinme: CPP add query for CWE-788 Access of memory location after the end of a buffer using strncat.

This bug was reported directly to GitHub Security Lab...

AI score: 1.3; Exploits: 0
Hacker One, added 2020/11/16 11:25 p.m., 161 views

ImpressCMS: Slack server disclose h1 private issue report

Summary: Upon browsing https://www.impresscms.org/, one of the posts includes the public Slack channel; however, the devel channel exposed some of the private h1 reports. Checking ImpressCMS hacktivity, the issues that get resolved/reported are private, which helps me verify that the team...

AI score: 0.4; Exploits: 0
Hacker One, added 2020/02/26 9:32 p.m., 161 views

Starbucks: Minimal information disclosure of internal asset names and links which were not publicly accessible.

e4366eolywrgpidfbio discovered an application with links to internal Starbucks related resources. No public access to these resources was available, resulting in minimal information disclosure of host and resource names. @e4366eolywrgpidfbio — thank you for reporting this issue...

AI score: 1; Exploits: 0
Hacker One, added 2019/06/29 7:04 a.m., 161 views

Valve: Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message

Overview: Counter-Strike: Global Offensive's UI is built on a framework called Panorama which is heavily influenced by modern HTML/CSS with JS capabilities. Because of these properties, the UI becomes easily vulnerable to different types of code injection, most notably XSS. Previously, it was...

AI score: 0.5; Exploits: 0
Hacker One, added 2019/01/19 6:00 p.m., 161 views

U.S. Dept Of Defense: https://████████ Impacted by DNN ImageHandler SSRF

Summary: https://███████ runs DNN 8.0.0 to 9.1.1 and is impacted by CVE-2017-0929, allowing for SSRF through the DNN ImageHandler. Origin servers will request any image file supplied by the attacker. This allows internal NIPR sites to be mapped and accessed through a vulnerable host. The...

AI score: 0.5; Exploits: 0
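This entry and the Reddit preview_link entry earlier in the list are the same shape: the server fetches a URL the user supplied, and nothing stops that URL from naming an internal host. The added example below (written for this page, not DNN's, Reddit's or Matrix's code) is the guard a link-preview or image-proxy endpoint should run: restrict scheme and port, refuse userinfo and localhost, expand odd literal spellings such as `2130706433` and `0x7f000001`, resolve the name, reject if any answer is non-public (including IPv4-mapped IPv6), and pin the connection to the address that was checked so a rebinding name cannot change its answer afterwards. The resolver is a constructed table standing in for DNS.

```python
"""Vet a user-supplied URL before the server fetches it (SSRF guard).

Added example covering the Reddit preview_link report and the DNN ImageHandler
report in this list; not Reddit's, Matrix's or DNN's code. The resolver below
is a constructed table standing in for DNS; replace it with a real lookup and
keep the pin-to-resolved-address step so a rebinding name cannot change
between the check and the connect.
"""
import ipaddress
from typing import Callable, List, Tuple, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed DNS answers for the example.
FAKE_DNS = {
    "example.org": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],      # public + loopback
    "mapped.attacker.test": ["::ffff:169.254.169.254"],          # IPv4-mapped metadata IP
}


def resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])


def is_public(ip: IPAddress) -> bool:
    """Routable on the Internet: excludes private, loopback, link-local, CGNAT,
    multicast, reserved and the unspecified address; unwraps ::ffff:a.b.c.d."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def candidate_ips(host: str, resolver: Callable[[str], List[str]]) -> List[IPAddress]:
    """All addresses the host may connect to, including odd literal spellings."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:  # single-number literals many clients accept: 2130706433, 0x7f000001
        return [ipaddress.IPv4Address(int(host, 0))]
    except ValueError:
        pass
    out: List[IPAddress] = []
    for s in resolver(host):
        try:
            out.append(ipaddress.ip_address(s))
        except ValueError:
            continue
    return out


def vet_fetch_target(url: str, resolver: Callable[[str], List[str]] = resolve) -> Tuple[bool, str]:
    """(True, pinned_ip) if the fetch may proceed, else (False, reason).

    Connect to pinned_ip and send the original host name in the Host header
    and SNI; do not resolve again, and apply the same check to every redirect."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if p.username is not None or p.password is not None:
        return False, "userinfo in URL"
    host = p.hostname
    if not host:
        return False, "no host"
    try:
        port = p.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 80, 443):
        return False, f"port {port} not allowed"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost"
    ips = candidate_ips(host, resolver)
    if not ips:
        return False, "host does not resolve"
    for ip in ips:
        if not is_public(ip):
            return False, f"{ip} is not a public address"
    return True, str(ips[0])
```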
Hacker One, added 2018/08/01 1:12 a.m., 161 views

Grammarly: Handling of `tracking` command allows making arbitrary blind requests with user's cookies from Grammarly Extension's origin

Summary: An attacker could trigger the Grammarly extension's gnar.fetch command using a crafted page to perform an XHR with cookies and any configuration params to any cross-origin resource. Description: A page could init the Grammarly popup editor (no user gesture); helper events have the isTrusted property, which...

AI score: 0.1; Exploits: 0
Hacker One, added 2017/04/05 1:10 p.m., 161 views

Adobe: Parameter tampering can result in product price manipulation

Parameters set during the shopping cart checkout workflow are vulnerable to tampering. By intercepting POST requests and manipulating the XML payload, product prices could be set to arbitrary values. PoC video URL: https://youtu.be/3VMlV7jyzg...

AI score: 1.4; Exploits: 0
Hacker One, added 2014/08/18 4:04 a.m., 161 views

Greenhouse.io: openssh-server Forced Command Handling Information Disclosure Vulnerability on blog.greenhouse.io

Summary of the issue: The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by...

CVSS: 3.5, AI score: 5.3, EPSS: 0.03672; Exploits: 0
Hacker One, added 2025/07/13 8:12 p.m., 161 views

8x8: █.8x8.vc/index.js: Exposed Google Maps API Key Allowing Potential Abuse of Paid Services

The Google Maps API key was inadvertently exposed in client-side code, allowing potential unauthorized access to some Google Maps services. The issue was promptly addressed by implementing appropriate API key restrictions where feasible...

AI score: 6.8; Exploits: 0
Hacker One, added 2024/09/16 4:20 a.m., 160 views

mycompany VDP: This test report has been disclosed by 20_root.

This test report has been disclosed by 20_root. ████...

AI score: 7.1; Exploits: 0
Total number of security vulnerabilities: 5000