HackerOne reports, sorted by most viewed

15369 matches found

Hacker One, added 2021/07/29 2:12 p.m., 141 views

UPchieve: url redirection

Summary: The following URL is vulnerable to redirect: https://app.upchieve.org. Steps To Reproduce: when you add @evil.com, the user will be directed to evil.com https://[email protected] Impact: Users could get redirected to a malicious domain...

AI score: 6.8
Exploits: 0
Hacker One, added 2021/02/18 2:15 p.m., 141 views

U.S. Dept Of Defense: critical information disclosure

Description: Hey all, I have found critical information through this endpoint ████ on ███████: DB credentials such as DBNAME, DBUSER, DBPASSWORD, DBHOST, etc. Impact: full access control on the DB service on the website. System Hosts: ███ Affected Products and Versions: CVE Numbers: Steps to Reproduce: Go to...

AI score: 1.1
Exploits: 0
Hacker One, added 2020/08/18 2:38 a.m., 141 views

Solana BBP: I don't the important and its impact. The affected asset: https://github.com/solana-labs/solana/blob/master/.buildkite/env/secrets.ejson

Summary: add summary of the vulnerability. Steps To Reproduce: add details for how we can reproduce the issue. 1. I have browsed this source code on GitHub: https://github.com/solana-labs/solana/tree/master/sdk 2. I have browsed the files and I found the file called buildkite/env/secrets.ejson...

AI score: 0.5
Exploits: 0
Hacker One, added 2020/06/19 9:43 p.m., 141 views

Smule: No Rate Limiting On Phone Number Login Leads to Login Bypass

Hey Team, Introduction: A rate limiting algorithm is used to check if the user session has to be limited based on the information in the session cache, in case a client made too many requests within a given time frame. Description: I was able to bypass authentication of any user by enumerating th...

AI score: 6.9
Exploits: 0
Hacker One, added 2018/07/29 10:19 a.m., 141 views

Chaturbate: Internal loop going to infinite for cb.setTimeout(func, msecs) for broadcast app.

Hi There, I am not sure whether this is a vulnerability for @chaturbate or not, but in my view I thought it can be vulnerable and an attacker can use this vulnerability for exploitation on the @chaturbate website as a normal user, so finally I decided to report. As I was just playing with the Broadcast app...

AI score: 7
Exploits: 0
Hacker One, added 2016/09/18 4:27 a.m., 141 views

Trello: SSRF in account webhook (through API)

It was possible to create a webhook that pointed to the EC2 metadata address, http://169.254.169.254. While no data from that address would be returned, the webhook would be created successfully with a 200 status, indicating that the proxy used by the webhook requests wasn't blocking access to that...

AI score: 6.8
Exploits: 0
Hacker One, added 2016/01/26 7:30 p.m., 141 views

HackerOne: Unintended HTML inclusion as a result of https://hackerone.com/reports/110578

Hi, I was just reading https://hackerone.com/reports/110578 and testing out the changes. I had previously noticed that the editor would take something like: test and turn it into: test In other words, the code would recursively look at what should be the title string and use the first single or...

AI score: 0.2
Exploits: 0
Hacker One, added 2023/03/02 2:10 p.m., 140 views

TikTok: Unrestricted File Upload on https://partner.tiktokshop.com/wsos_v2/oec_partner/upload

Vulnerability description not provided...

AI score: 7.1
Exploits: 0
Hacker One, added 2023/01/19 1:49 p.m., 140 views

U.S. Dept Of Defense: Authentication Bypass Using Default Credentials on █████

An authentication bypass vulnerability was discovered on the admin console of █████████, allowing unauthorized access to the portal and its data using default credentials. The suggested mitigation is to change the credentials. No CVE numbers or affected product versions were mentioned...

AI score: 7.5
Exploits: 0
Hacker One, added 2020/07/13 2:13 p.m., 140 views

8x8: SQL injection (stacked queries) in the export to Excel functionality on Vidyo Server

An abandoned Vidyo server was found to be vulnerable to SQL injection and exposing access to the associated local database. The Vidyo server was retired...

AI score: 3.5
Exploits: 0
Hacker One, added 2019/08/29 3:22 a.m., 140 views

X (Formerly Twitter): Periscope-all Firebase database takeover

Hello, I found one public Firebase database of periscope.tv and I was able to insert data into this database; I only used it once for testing purposes, so other database queries are also possible. Please follow the link below to check the inserted test data. Periscope-all Firebase URL:...

AI score: 6.8
Exploits: 0
Hacker One, added 2018/08/24 10:43 p.m., 140 views

Khan Academy: Possible Subdomain Takeover

None of the weakness categories really fit this, so I apologize for that. The subdomain learnstormindia.khanacademy.org points to 52.203.185.84, a webflow.io proxy server, proxy-ssl.webflow.com. The CNAME entry in the subdomain is pointing to an external page service learnstormindia.khanacademy.org...

AI score: 0.4
Exploits: 0
Hacker One, added 2018/07/03 3:05 p.m., 140 views

Cloudflare: Private API key leakage due to lack of access control

The lack of access control on the https://mobilesdk.cloudflare.com/api/v1/ API allows a remote attacker to access and steal a logged-in user's private data. This can be done due to the lack of origin protection. An attacker can embed the config URI...

AI score: 0.3
Exploits: 0
Hacker One, added 2018/06/06 11:28 a.m., 140 views

Node.js third-party modules: XSS in express-useragent through HTTP User-Agent

Hello, I would like to report an XSS in the express-useragent module due to a lack of validation of the User-Agent header. Please note I already created a GitHub issue and asked for a CVE, CVE-2018-9863. I did not know about Node.js third-party modules on HackerOne. Description: express-useragent is simple...

AI score: 6
Exploits: 0
Hacker One, added 2018/04/25 3:54 p.m., 140 views

Ed: Session Cookie Without Secure Flag

Assigned to: ED. Assigned by: Kirtikumar Anandrao Ramchandani. Assigned on: 25/04/2018. Bug overview: Session Cookie without secure flag. Cookie Name: gitlabsession. Description: Risk description: Since the Secure flag is not set on the cookie, the browser will send it over an unencrypted channel...

AI score: 0.2
Exploits: 0
Hacker One, added 2017/09/22 8:53 p.m., 140 views

Automattic: [app.simplenote.com] Stored XSS via Markdown SVG filter bypass

Hi, A carefully crafted injection used against the Markdown input parser can be leveraged to store and execute arbitrary JavaScript in the app.simplenote.com context. Proof of concept: Before proceeding to reproduce this vulnerability, please log in to app.simplenote.com and create a new note with...

AI score: 7.1
Exploits: 0
Hacker One, added 2015/04/10 2:57 p.m., 140 views

Shopify: Force 500 Internal Server Error on any shop (for one user)

There is very strange behavior. If a user opens URLs like the ones below: - https://whashp.myshopify.com/?previewthemeid=11288717 - or https://lmfshp.myshopify.com/?previewthemeid=11290937 he gets redirected to the shop https://whashp.myshopify.com/ with a 500 Internal Server Error response, and reload does not help i...

Exploits: 0
Hacker One, added 2021/10/15 5:46 a.m., 139 views

Acronis: CVE-2021-40438 on cp-eu2.acronis.com

Hi team, Summary: CVE-2021-40438 on cp-eu2.acronis.com. Steps To Reproduce...

CVSS: 6.8, AI score: 1.2, EPSS: 0.99999
Exploits: 5
Hacker One, added 2021/01/04 8:33 p.m., 139 views

Doppler VDP: email spoofing on doppler.team

Summary: There is an Email Spoofing vulnerability on your domain doppler.team which allows an attacker to send an email with your domain name, such as [email protected] and so on. Steps To Reproduce: 1. Go to http://emkei.cz 2. Fill the "From Email" field with [email protected] or any other doppler...

AI score: 0.5
Exploits: 0
Hacker One, added 2020/08/09 7:21 a.m., 139 views

BugPoC: Solution for XSS challenge calc.buggywebsite.com

Summary: http://calc.buggywebsite.com/ is an Angular site designed as a calculator. After observing the source code, there is an iframe frame.html with the functionality of displaying the data of a postMessage in the webpage: window.addEventListener("message", receiveMessage, false); function...

Exploits: 0
Hacker One, added 2020/03/26 4:26 p.m., 139 views

Open-Xchange: Buffer over-reads in i_stream_zlib_read

This can be reproduced by a sample program using libcompression: int main(int argc, char *argv[]) { const unsigned char *data_dec; size_t size_dec; const uint8_t *data = argv[1]; size_t size = strlen(data); struct istream *test_input = test_istream_create_data(data, size); const struct compression_handler *handler = ...

AI score: 0.8
Exploits: 0
Hacker One, added 2019/09/27 8:47 a.m., 139 views

Razer: Accessible Druid Monitor console on https://api.pay-staging.razer.com/

The tester discovered a monitoring application was available on a remotely accessible administrative console in the Razer Pay staging environment, which could have been used to leverage information that could have compromised the server. The Razer Pay team removed this and other similar servers...

AI score: 1.8
Exploits: 0
Hacker One, added 2019/05/18 3:49 p.m., 139 views

X (Formerly Twitter): Periscope android app deeplink leads to CSRF in follow action

Hello Twitter Team, Summary: This issue is mainly in the Periscope Android app, a CSRF against the follow action using a deeplink. Description: In the normal Periscope website, when we share a follow link like www.pscp.tv//follow, we get a response asking whether to follow a person or not, giving us an option, meaning CS...

AI score: 6.6
Exploits: 0
Hacker One, added 2017/12/05 10:44 a.m., 139 views

WordPress: code.wordpress.net subdomain Takeover

Hi WordPress sec, I found that it is possible to take over this domain http://code.wordpress.net. When you navigate to it you will get this error msg: Warning! Domain mapping upgrade for this domain not found. Please log in and go to the Domains Upgrades page of your blog to use this domain. $ host...

AI score: 0.1
Exploits: 0
Hacker One, added 2015/09/24 5:20 a.m., 139 views

Zendesk: CSV Excel Macro Injection Vulnerability in export chat logs

Scenario: An attacker creates a name such as =AND21 with a fake email and with random text in the message body. This is similar to a vulnerability recently found in zendesk.com as well. When a team member clicks "export as csv" and opens it, instead of seeing =AND21 they see TRUE, meaning that cell is no...

Exploits: 0
Hacker One, added 2023/02/15 9:12 a.m., 138 views

Internet Bug Bounty: CVE-2023-23914: HSTS ignored on multiple requests

Multiple requests made using curl's HSTS functionality ignored the HTTPS protocol and used an insecure clear-text HTTP step instead. This was due to the state not being properly carried on, allowing the bypass of intended security controls. The vulnerability was assigned CVE-2023-23914 and had a...

CVSS: 9.1, AI score: 7.7, EPSS: 0.00858
Exploits: 1
Hacker One, added 2022/04/27 7:07 a.m., 138 views

Internet Bug Bounty: CVE-2022-27775: Bad local IPv6 connection reuse

Summary: curl/libcurl doesn't consider the IPv6 address zone index when doing connection reuse. If a connection exists to a specific IPv6 address and the other conditions for connection reuse are fulfilled, it will be reused for connections regardless of the zone index. Steps To Reproduce: 1. Set up a fake...

CVSS: 5, AI score: 7.4, EPSS: 0.02794
Exploits: 1
Hacker One, added 2021/09/03 12:14 a.m., 138 views

GitHub Security Lab: Java: Static initialization vector

This bug was reported directly to GitHub Security Lab...

AI score: 1.8
Exploits: 0
Hacker One, added 2021/08/02 5:41 p.m., 138 views

GitHub Security Lab: [Python] CWE-287: LDAP Improper Authentication

This bug was reported directly to GitHub Security Lab...

AI score: 1.7
Exploits: 0
Hacker One, added 2021/04/23 1:41 p.m., 138 views

New Relic: HTML Injection In Email In one.newrelic.com

Hi, There's an HTML injection vulnerability present inside emails sent from New Relic when the name of the organization inviting a user contains HTML. The HTML is stored in the backend database and when invitation emails are sent, the HTML is sent along with the rest of the email. Steps to reproduce:...

AI score: 0.2
Exploits: 0
Hacker One, added 2020/12/28 5:39 p.m., 138 views

Automattic: Unauthenticated access to webmail at maildev.happytools.dev leading to compromised wordpress site api.happytools.dev [RCE]

Summary: Dear Team, Today when I was trying to find bugs on Happy Tools I found the 2 domains below for the staging environment: - https://maildev.happytools.dev - https://api.happytools.dev The SSL certificates of the two websites above were expired. But you can adjust your date-time to 02/02/2020 or before that ti...

AI score: 7.1
Exploits: 0
Hacker One, added 2020/11/05 9:11 p.m., 138 views

Starbucks: Unrestricted File Upload Leads to RCE on mobile.starbucks.com.sg

ko2sec discovered that an .ashx endpoint on mobile.starbucks.com.sg intended for image files permitted unrestricted file type uploads, which could lead to a potential RCE. ko2sec's thorough analysis provided additional endpoints on other out-of-scope domains that shared this vulnerability. @ko2sec —...

AI score: 2
Exploits: 0
Hacker One, added 2020/05/19 5:00 p.m., 138 views

Node.js: Child process environment injection via prototype pollution

Summary: prototype pollution causes a polluted system environment for child processes. Description: This can be used to inject arbitrary --require flags into Node.js child processes or, in the case of current Node.js versions, it can be used to inject arbitrary JavaScript into child processes. In practic...

AI score: 1.2
Exploits: 0
Hacker One, added 2019/04/15 7:06 p.m., 138 views

U.S. Dept Of Defense: LFI with potential to RCE on ██████ using CVE-2019-3396

POC: POST /rest/tinymce/1/macro/preview HTTP/1.1 Host: ██████ Content-Type: application/json Content-Length: 174 {"contentId":"12345","macro":{"name":"widget","body":"","params":{"url":"https://www.youtube.com/watch?v=wHEHYJpCkpg","width":"300","height":"200","template":"file://../"}}} Thanks, Ben. Impac...

CVSS: 10, AI score: 9.5, EPSS: 0.99913
Exploits: 20
Hacker One, added 2015/04/22 11:01 a.m., 138 views

HackerOne: Missing spf flags for hackerone.com

I just checked for SPF records for the hackerone.com domain, and there are none, effectively allowing spam/spoof to originate from that domain. You can validate by testing yourself here: http://www.kitterman.com/spf/validate.html I want to show you an attack scenario: An attacker would send a...

Exploits: 0
Hacker One, added 2021/12/17 2:57 p.m., 137 views

Node.js: Node.js Certificate Verification Bypass via String Injection

This is a report on behalf of Google, who did not want to report through H1. --- Summary: Node's APIs for reporting certificate fields are ambiguous and allow bypassing certificate verification in some circumstances. Details: In light of CVE-2021-3712, I've been looking at code which misuses...

CVSS: 5.8, AI score: 7.5, EPSS: 0.50445
Exploits: 2
Hacker One, added 2021/08/13 1:39 p.m., 137 views

UPchieve: I can join without user and pass in this website https://argocd.upchieve.org/settings/accounts

Summary: I can see the content. Steps To Reproduce: the website is not good. 1. If I join this website I can see content https://argocd.upchieve.org/settings/accounts Supporting Material/References: you must need good programmers https://argocd.upchieve.org/settings/accounts Recommendations for...

AI score: 6.9
Exploits: 0
Hacker One, added 2020/09/14 5:02 a.m., 137 views

Solana BBP: email spoofing

Email spoofing. Impact: step 1: visit https://www.kitterman.com/spf/getspf3.py; step 2: in domain name, type https://github.com/solana-labs/solana-program-library; step 3: check the SPF record, it will show "No valid SPF record found"; step 4: visit https://emkei.cz/; step 5: type name as...

Exploits: 0
Hacker One, added 2020/08/28 10:27 p.m., 137 views

WakaTime: Private leaderboard owner email disclosure when sending invites

Hi, the unverified email is disclosed when inviting anyone on Leaderboards. Steps: 1. Create account [email protected]. 2. Do not verify the email. 3. Go to Leaderboards. 4. Invite any email [email protected] (your friends). 5. Your friends look in their inbox; the WakaTime invite says [email protected]...

AI score: 0.9
Exploits: 0
Hacker One, added 2020/08/19 4:53 a.m., 137 views

Dropcontact: API key is not validated for C.R.M integration [Pipedrive] of LOGGED IN USER, A user can use another USER'S API key for this operation.

We didn't verify the API key when a new user was using his Pipedrive free trial, so someone could take a key of another Pipedrive which doesn't belong to him and make his free trial on this API key. Or launch a free trial on a Pipedrive already connected to Pipedrive...

AI score: 2.9
Exploits: 0
Hacker One, added 2020/06/28 5:16 p.m., 137 views

DuckDuckGo: XSS on Videos IA

Failure found in the videos tab. A user was created on a website https://rutube.ru/video/83a4775f020b3fd68efd3dc9a73031e8/ one with the tag " . When we search DuckDuckGo for the video or user tag, we find an XSS flaw in the page...

AI score: 0.1
Exploits: 0
Hacker One, added 2020/05/17 1:08 a.m., 137 views

Starbucks: Misuse of an authentication cookie combined with a path traversal on app.starbucks.com permitted access to restricted data

zlz and rhynorater discovered that by obtaining a valid authentication cookie and then combining that with a path traversal, this allowed access to restricted data. noapearson assisted by providing additional information post discovery. @zlz / @rhynorater / @noapearson — thank you for reporting...

AI score: 3
Exploits: 0
Hacker One, added 2020/03/15 9:55 p.m., 137 views

Nextcloud: Missing ownership check on remote wipe endpoint

On settings/user/security you can mark a device for wipe-out that does not belong to you. Steps: 1. Create 2 accounts, one for the hacker and one for the victim. 2. On both accounts, add devices with different names. 3. On the hacker account, while intercepting with Burp Suite, select the option to wi...

CVSS: 6.8, AI score: 1.7, EPSS: 0.01773
Exploits: 1
Hacker One, added 2019/11/19 12:42 p.m., 137 views

Shopify: Shopify Stocky App OAuth Misconfiguration

@vulnh0lic noticed that a staff member without Apps permission was able to access the Stocky app. We determined that this was because of a bug in Stocky's OAuth authentication code, which allowed the user to be granted access to Stocky at the start of the OAuth process rather than the end. This...

AI score: 1.2
Exploits: 0
Hacker One, added 2019/11/13 2:04 p.m., 137 views

Starbucks: Bulgaria - Subdomain takeover of mail.starbucks.bg

nukedx discovered that the mail.starbucks.bg domain was pointing to a mail service from icn.bg and confirmed that icn.bg did not host this domain. nukedx successfully claimed the subdomain from icn.bg, configured login credentials through the web panel and set up a valid email server. nukedx then...

AI score: 0.4
Exploits: 0
Hacker One, added 2018/12/26 1:46 a.m., 137 views

X (Formerly Twitter): Changing email address on Twitter for Android unsets "Protect your Tweets"

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: Verifying email address on...

AI score: 6.6
Exploits: 0
Hacker One, added 2018/12/17 2:00 p.m., 137 views

Kaspersky: URL Advisor component in KIS products family is vulnerable to Universal XSS

Summary: In Microsoft Edge, the URL Advisor UI is served as first-party content on every domain. So the XSS vulnerability I found in this UI automatically applies to all websites; it allows running code in the context of any domain. Description: The URL Advisor frame is located under...

Exploits: 0
Hacker One, added 2017/04/21 4:40 a.m., 137 views

Nextcloud: Possible SSRF in email server settings(SMTP mode)

Description: vulnerable address https://demo.nextcloud.com/xxx/settings/admin/additional. When you change the SMTP server address, you will get some different hints. Reproduce steps: 1. Go to https://demo.nextcloud.com/xxx/settings/admin/additional, choose SMTP mode. 2. Set the server address to "172.17.1.0", then you...

AI score: 0.2
Exploits: 0
Hacker One, added 2016/06/04 3:14 p.m., 137 views

Uber: Header Injection

Hi Uber, I would like to report an issue on the domain http://m.uber.com. Upon testing some back-and-forth requests to this domain, I figured out that it is possible to inject arbitrary content into the headers of the requests. Upon increasing the size of the payload in the header, it leads to...

AI score: 0.4
Exploits: 0
Hacker One, added 2014/02/13 7:22 p.m., 137 views

Yahoo!: Yahoo YQL Injection?

Thank you for your submission to Yahoo's Bug Bounty program. While we recognize the effort that you put into the research and writing of a report for us to evaluate, this functionality is working as designed. We appreciate your adherence to responsible disclosure guidelines and look forward t...

AI score: 6.6
Exploits: 0
Total number of security vulnerabilities: 5000