Lucene search
Source: Hackerone, sorted by most viewed

15369 matches found

Hacker One
added 2016/06/04 3:14 p.m., 137 views

Uber: Header Injection

Hi Uber, I would like to report an issue on the domain http://m.uber.com. Upon testing some back and forth requests to this domain, I figured out that it is possible to inject arbitrary content into the Headers of the requests. Upon increasing the size of the payload in the header, it leads to...

AI score: 0.4
Exploits: 0
Hacker One
added 2014/02/13 7:22 p.m., 137 views

Yahoo!: Yahoo YQL Injection?

Thank you for your submission to Yahoo’s Bug Bounty program. While we recognize the effort that you put into the research and writing of a report for us to evaluate, this functionality is working as designed. We appreciate your adherence to responsible disclosure guidelines and look forward t...

AI score: 6.6
Exploits: 0
Hacker One
added 2024/12/15 9:52 p.m., 136 views

PlayStation: sys_fsc2h_ctrl kernel stack free

The sys_fsc2h_ctrl kernel function can lead to a kernel stack free vulnerability. The vulnerability is caused by a race condition involving multiple threads accessing a local stack buffer. This could potentially result in a privilege escalation...

AI score: 6.8
Exploits: 0
Hacker One
added 2023/05/10 7:06 p.m., 136 views

U.S. Dept Of Defense: DOM-XSS

A DOM-XSS vulnerability was found on a subdomain of a website, which could allow an attacker with access to the Siteminder CA to perform a cross-site scripting attack and cause information leaks, privilege escalation, and/or denial of service. The vulnerability was assigned CVE-2013-5968 and a...

CVSS: 4.3, AI score: 6, EPSS: 0.02622
Exploits: 0
Hacker One
added 2020/12/10 5:52 a.m., 136 views

Stripo Inc: No rate limiting for confirmation email lead to huge Mass mailings

This report is based on 997070. Issue Description: No rate limit means there is no mechanism to protect against the requests you make in a short frame of time. If the repetition doesn't give any error after 50, 100, 1000 repetitions then there will be no rate limit set. The vulnerable has registered in...

Exploits: 0
Hacker One
Hacker One
added 2020/11/24 2:25 p.m.136 views

Glassdoor: Reflected XSS at https://www.glassdoor.com/ via the 'numSuggestions' parameter

Hi there, I have found an XSS vulnerability at https://www.glassdoor.com/ via the parameter numSuggestions. Summary: Affected Parameter: numSuggestions. Browsers tested: Firefox, Chrome, Edge (latest version). Steps To Reproduce: Go to:...

AI score: 2.8
Exploits: 0
Hacker One
Hacker One
added 2020/11/04 9:59 p.m.136 views

GitHub Security Lab: [Java] CWE-927: Sensitive broadcast

This bug was reported directly to GitHub Security Lab...

AI score: 0.8
Exploits: 0
Hacker One
Hacker One
added 2018/08/29 9:36 p.m.136 views

Valve: [Half-Life 1] Malformed map name leads to memory corruption and code execution

A stack overflow takes place when map names with malformed names are listed which can be used to execute arbitrary code. I made a Proof of Concept that executes gnome-calculator on Linux. This was tested on Half Life 2018-08-29 on Linux, Ubuntu 18.04. To reproduce: - Extract the attached zip-file...

AI score: 1.6
Exploits: 0
Hacker One
Hacker One
added 2018/08/14 3:56 a.m.136 views

Chaturbate: Stats Token doesn't expire after deactivating account

The hacker found that the stats token, that a user can use to access their own account information, does not expire when an account is deactivated. This was resolved so the view could not be used after deactivation. Application has a feature Authorize your 3rd party stats that provides users a wa...

AI score: 3.1
Exploits: 0
Hacker One
Hacker One
added 2017/05/30 9:50 p.m.136 views

Mixmax: Possible Subdomain Takeover

None of the weakness categories really fit this so I apologize for that. The subdomain sales.mixmax.com points to 151.101.16.229, a webflow.io proxy server. Because it 404s, this leads me to believe that a subdomain takeover is possible through the webflow service as whatever this is pointing to ...

AI score: 1.7
Exploits: 0
Hacker One
Hacker One
added 2016/10/26 4:30 a.m.136 views

GitLab: Read files on application server, leads to RCE

The GitLab export upload feature contains a vulnerability that allows an attacker to read arbitrary files on a GitLab instance. This vulnerability is caused by the behaviour of JSON.parse, your error handling, and the possibility to reference a symbolic link in a GitLab export. When I started...

CVSS: 4, AI score: 6.3, EPSS: 0.05388
Exploits: 39
Hacker One
Hacker One
added 2015/09/15 8:11 p.m.136 views

ownCloud: owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)

owncloud.com appears to be vulnerable to CVE-2015-5477 based on the running version of BIND. This allows attackers to launch Denial of Service attacks against owncloud.com, which would cause the owncloud server to stop responding and even reboot. It is recommended to upgrade to the latest...

CVSS: 7.8, AI score: 7.4, EPSS: 0.91284
Exploits: 12
Hacker One
Hacker One
added 2023/04/13 2:3 a.m.135 views

Internet Bug Bounty: CVE-2023-28755: ReDoS vulnerability in URI

A ReDoS vulnerability was discovered in the URI component of the Ruby programming language. The vulnerability allowed attackers to cause an increase in execution time for parsing strings to URI objects, resulting in high resource consumption, reduced performance, and denial of service. The...

CVSS: 5.3, AI score: 7, EPSS: 0.02637
Exploits: 0
Hacker One
Hacker One
added 2021/07/16 1:21 p.m.135 views

Glassdoor: Reflected XSS on https://www.glassdoor.com/job-listing/spotlight

Summary: The application is vulnerable to reflected cross-site scripting attacks on the /job-listing/spotlight URI in the callback parameter. Affected URL or select Asset from In-Scope: https://www.glassdoor.com/job-listing/spotlight Affected Parameter: callback Vulnerability Type: see list below...

AI score: 1
Exploits: 0
Hacker One
Hacker One
added 2020/12/23 6:42 p.m.135 views

GitHub Security Lab: CPP: CWE-191 into experimental this reveals a dangerous comparison

This bug was reported directly to GitHub Security Lab...

AI score: 1.1
Exploits: 0
Hacker One
Hacker One
added 2020/09/04 1:38 p.m.135 views

BugPoC: Reading arbitrary files via running arbitrary python code

Summary: Reading arbitrary files via running arbitrary python code Steps To Reproduce: 1. Go to Python POC and execute arbitrary code to read arbitrary files Recording: F976069 I have stopped testing further. Users can run arbitrary python code. Please do let me know If anything is unclear. Impac...

AI score: 4.9
Exploits: 0
Hacker One
Hacker One
added 2020/07/12 9:41 p.m.135 views

Automattic: Denial-of-service By Cache Poisoning The Cross-Origin Resource Sharing Misconfiguration Allow Origin Header

Summary: The wp-json implementation on some WordPress websites I've tested is vulnerable to Denial-of-service, whereby an attacker can provide an arbitrary origin header in the request, which is then echoed back in the response via the Access-Control-Allow-Origin header, which is cached and serve...

AI score: 7.1
Exploits: 0
Hacker One
Hacker One
added 2020/06/26 11:49 p.m.135 views

GitHub Security Lab: Golang : Add MongoDb NoSQL injection sinks

This bug was reported directly to GitHub Security Lab...

AI score: 1.2
Exploits: 0
Hacker One
Hacker One
added 2020/03/25 2:40 p.m.135 views

Open-Xchange: Null pointer dereference in SMTP server function smtp_command_parse_data_with_size

Sending the following bytes to the SMTP server induces a NULL pointer dereference...

AI score: 1.7
Exploits: 0
Hacker One
Hacker One
added 2020/03/11 2:12 p.m.135 views

Visma Bug Bounty Program: SSRF in img export

The researcher has found an SSRF vulnerability in the application's image export functionality. The app would take all the HTML as input and generate an image based on that. By manipulating the HTML code and adding a src tag, it was possible to trigger an SSRF...

AI score: 0.6
Exploits: 0
Hacker One
Hacker One
added 2019/08/21 7:18 p.m.135 views

Nextcloud: potential RCE and XSS via file upload requiring user account and default settings

potential RCE and XSS via file upload requiring user account and default settings Requirements 1. User account that can upload files NO admin 2. User account name on creation usually the same as on creation/displayed name 3. data directory inside of nextcloud server folder suggested by...

AI score: 6.4
Exploits: 0
Hacker One
Hacker One
added 2017/11/09 6:8 p.m.135 views

Semrush: Cross-origin resource sharing

Issue: Cross-origin resource sharing: arbitrary origin trusted. The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain. The application allowed access from the requested origin https://hhgdhgjgbrg.com. Since the Vary: Origin...

AI score: 6.7
Exploits: 0
Hacker One
Hacker One
added 2014/07/19 8:40 a.m.135 views

Mail.ru: cloud.mail.ru: File upload XSS using Content-Type header

It can also be done like this. POST /upload/B1BA0E3F65D7EAA994C0EA6386E014EB569EA5E1.html?fileapi14057587543286 HTTP/1.1 Host: cloclo9-upload.cloud.mail.ru User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.9; rv:28.0 Gecko/20100101 Firefox/28.0 Accept:...

AI score: 7.1
Exploits: 0
Hacker One
Hacker One
added 2024/01/02 7:22 a.m.134 views

HackerOne: Server Side Request Forgery (SSRF) in webhook functionality

A Server Side Request Forgery (SSRF) vulnerability was found in the webhook functionality. The attacker was able to bypass anti-SSRF protections by using an IPv6 address mapped to IPv4. This allowed unauthorized access to the internal AWS EC2 metadata instance...

AI score: 7.1
Exploits: 0
Hacker One
Hacker One
added 2023/01/10 3:37 p.m.134 views

EXNESS: Double forward slash breaks server-side restrictions & allows access to prohibited services from a partner account

A vulnerability was discovered where making an API call with double/multiple forward slashes broke server-side restrictions imposed upon a partner account, allowing unrestricted access to the autorebates facility, which was otherwise unavailable to the partner account...

AI score: 7
Exploits: 0
Hacker One
Hacker One
added 2021/07/25 8:31 p.m.134 views

U.S. Dept Of Defense: XSS due to CVE-2020-3580 [███.mil]

Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to conduct cross-site scripting XSS attacks against a user of the web services interface of an...

CVSS: 2.6, AI score: 1.7, EPSS: 0.85439
Exploits: 2
Hacker One
Hacker One
added 2021/07/19 6:20 p.m.134 views

curl: CVE-2021-22945: UAF and double-free in MQTT sending

Vulnerability Description: libcurl version 7.77.0 has a Use-After-Free and a Double-Free in lib/mqtt.c in the function mqtt_doing on lines 556 - 563:

    if(mq->nsend) {
      /* send the remainder of an outgoing packet */
      char *ptr = mq->sendleftovers;
      result = mqtt_send(data, mq->sendleftovers, mq->nsend);
      free(ptr);
      ...

CVSS: 5.8, AI score: 0.1, EPSS: 0.06216
Exploits: 1
Hacker One
Hacker One
added 2021/05/04 6:57 a.m.134 views

Sifchain: Private RSA key for Vagrant exposed in GitHub repository

Summary: The private RSA key used for SSH on Vagrant is exposed in sifnode GitHub repository. Steps To Reproduce: 1. Visit this link which shows the privatekey file used for your Vagrant virtual machine Suggested solution Remove the private key from the repository. Even though you remove it, it...

AI score: 6.6
Exploits: 0
Hacker One
Hacker One
added 2020/06/17 11:44 a.m.134 views

Mail.ru: Stored XSS that allow an attacker to read victim mailboxes contacts in mail.ru and my.com application

The Mail.ru Mail iOS app was vulnerable to local file access on some iOS versions due to cross-application scripting if a maliciously crafted SVG attachment is viewed by the user. Write-up is here...

AI score: 2
Exploits: 0
Hacker One
Hacker One
added 2020/05/06 9:37 p.m.134 views

BTFS: misconfigured CORS led to HPP and SOP bypass

Hello team, I found a bug on your website that let me bypass the SOP policy. Hope you fix it; everything is in the video https://www.youtube.com/watch?v=PYsU350S-s4 Impact: The attacker may direct a victim to a phishing page of www.bitterrent.com/login and he/she will be convinced to enter their ema...

AI score: 7.2
Exploits: 0
Hacker One
Hacker One
added 2020/04/03 12:14 p.m.134 views

Internet Bug Bounty: mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full (CVE-2020-7065)

PHP bug report made public by the maintainers at the time of writing: https://bugs.php.net/bug.php?id=79371 Mitre CVE page: https://vulners.com/cve/CVE-2020-7065 Link to the release notes: https://www.php.net/ChangeLog-7.php7.4.4 Impact One of impacts is that the issue allows an attacker to...

CVSS: 6.8, AI score: 7.2, EPSS: 0.04764
Exploits: 1
Hacker One
Hacker One
added 2019/06/26 8:19 p.m.134 views

Node.js third-party modules: Command Injection due to lack of sanitisation of tar.gz filename passed as an argument to pm2.install() function

Hi Guys, It's been a while : I would like to report Command Injection in pm2.import function when tar.gz archive is installed with a name provided as user controlled input. Due to lack of proper validation of tar.gz archive filename, this vulnerability allows to inject arbitrary commands and...

AI score: 0.2
Exploits: 0
Hacker One
Hacker One
added 2019/06/12 2:21 a.m.134 views

curl: Windows Privilege Escalation: Malicious OpenSSL Engine

Summary: The curl windows binaries are built with OpenSSL libraries and have an insecure path for the OPENSSLDIR build parameter. This path is set to c:\usr\local\ssl. When curl is executed it attempts to load openssl.cnf from this path. By default on windows, low privileged users have the...

CVSS: 4.4, AI score: 1.2, EPSS: 0.00717
Exploits: 0
Hacker One
Hacker One
added 2018/04/25 5:3 p.m.134 views

Nextcloud: OAuth2 Access Token and App Password Security Vulnerability

The OAuth2 endpoint of the Nextcloud server was not following RFC6749. The server did not perform required verification of provided data. And the server did not properly rotate and expire access tokens. In case of a compromised OAuth client this could lead to unauthorized access. After working...

CVSS: 5.8, AI score: 2.6, EPSS: 0.01657
Exploits: 0
Hacker One
Hacker One
added 2016/09/08 3:44 p.m.134 views

Boozt Fashion AB: Instance of Apache Vulnerable to Several Issues

Issue Description The researcher identified that the remote host is vulnerable to several denial of service vulnerabilities, however due to the nature of these issues the researcher did not attempt to generate a proof of concept. The information about these issues is based upon the version of...

AI score: 1.1, EPSS: 0.85744
Exploits: 7
Hacker One
Hacker One
added 2016/07/21 11:4 p.m.134 views

Starbucks: Java Deserialization RCE via JBoss JMXInvokerServlet/EJBInvokerServlet on card.starbucks.in

I found an open JMXInvokerServlet/EJBInvokerServlet and normally I should be able to get a shell just by doing that. However I think due to some egress filtering on the box I've been having issues getting a shell to run. Invokers: https://card.starbucks.in/invoker/EJBInvokerServlet and...

AI score: 0.5
Exploits: 0
Hacker One
Hacker One
added 2014/05/08 2:24 p.m.134 views

Mail.ru: XSS in https://e.mail.ru/cgi-bin/lstatic (Limited use)

Using my own methods, I was searching for URLs with possible vulnerabilities. Using the google dork site:mail.ru inurl:ajaxcall, I found this one: https://e.mail.ru/cgi-bin/lstatic?ajaxcall=1&x-email=oblaka63%40mail.ru&get=balloon&name=14&lang=ruRU&SpamBallonExp=0&SettingsOn=1&staticDomainName=imgsmail.ru Immediately attr...

AI score: 5.9
Exploits: 0
Hacker One
Hacker One
added 2024/03/14 2:38 p.m.133 views

curl: CVE-2024-2466: TLS certificate check bypass with mbedTLS

The Curl library had a security vulnerability where the certificate name check was bypassed when connecting to a host via its IP address. This could have potentially introduced spoofing attacks or unauthorized access due to an unverified server certificate. The issue affected Curl with MbedTLS from...

CVSS: 6.5, AI score: 6.4, EPSS: 0.06377
Exploits: 4
Hacker One
Hacker One
added 2022/03/31 6:27 p.m.133 views

IBM: SQL injection in URL path processing on www.ibm.com

A blind SQL injection in URL path processing on www.ibm.com was reported to IBM, analyzed and has been remediated. Thank you to @asterite. Blind SQL injection was present in URL path processing on www.ibm.com. An interesting thing is that the vulnerability was present in, essentially, any path, o...

AI score: 1
Exploits: 0
Hacker One
Hacker One
added 2022/03/30 12:47 p.m.133 views

curl: CVE-2022-22576: OAUTH2 bearer bypass in connection re-use

Summary: A cached connection authenticated with the OAUTH2 mechanisms can be reused by a subsequent request even if the bearer is not correct. This affects SASL-enabled protocols: SMTPS, IMAPS, POP3S and LDAPS (openldap only). An application that can be accessed by more than one user such as a...

CVSS: 5.5, AI score: 1.5, EPSS: 0.01914
Exploits: 1
Hacker One
Hacker One
added 2021/07/27 11:4 a.m.133 views

UPchieve: blind sql on [ https://argocd.upchieve.org/login?return_url=id= ]

Summary: I have discovered a blind SQL injection on your site's login page, which I confirmed using two scenarios to confirm its existence. Steps To Reproduce: add details for how we can reproduce the issue. Use the following payloads; this one returned a 200 OK response confirming the SQL vulnerability's existence...

AI score: 8.3
Exploits: 0
Hacker One
Hacker One
added 2021/04/18 3:45 a.m.133 views

PortSwigger Web Security: RCE in 'Copy as Node Request' BApp via code injection

Description: Copy as Node Request is a Burp Suite extension that allows users to copy requests as Node.js code. Due to improper sanitization of the cookie, it's possible to inject arbitrary Node.js code into the copied text, which may lead to remote code execution with a significant amount of user interaction...

AI score: 1.2
Exploits: 0
Hacker One
Hacker One
added 2020/08/24 10:4 p.m.133 views

Node.js third-party modules: [bl] Uninitialized memory exposure via negative .consume()

Module: module name: bl, version: 4.0.2, npm page: https://www.npmjs.com/package/bl. Module Description: A Node.js Buffer list collector, reader and streamer thingy. Module Stats: 8 660 595 weekly downloads. Vulnerability Description: If user input (even typed) ends up in the consume() argument and...

CVSS: 6.4, AI score: 0.2, EPSS: 0.02123
Exploits: 1
Hacker One
Hacker One
added 2020/06/11 3:30 a.m.133 views

h1-ctf: [H1-2006] CTF Writeup

H1-2006 CTF Writeup I am fairly new to CTFs - this is just my second CTF after H1-415 CTF, at which I didn't get far at all. I think the most valuable thing I can do for anyone who comes across this writeup, is to describe exactly what I was thinking at each step along the way, including all my...

AI score: 7
Exploits: 0
Hacker One
Hacker One
added 2020/03/15 6:50 p.m.133 views

Razer: Source Code Disclosure

The tester discovered a PHP file with source code exposed. There was no known exploit...

AI score: 1.7
Exploits: 0
Hacker One
Hacker One
added 2020/01/31 10:26 p.m.133 views

GitHub Security Lab: CodeQL query for finding LDAP Injection (CWE-90) vulnerabilities in Java

This bug was reported directly to GitHub Security Lab...

AI score: 1.7
Exploits: 0
Hacker One
Hacker One
added 2019/08/14 9:14 a.m.133 views

Algolia: subdomain take over at recommendation.algolia.com

Description: Hello sir, your subdomain recommendation.algolia.com CNAME is recommendation.us, and recommendation.us is for sale, which can lead to subdomain takeover. Steps to reproduce: 1. check the CNAME of recommendation.algolia.com 2. see that the CNAME "recommendation.us" is for sale using looku...

AI score: 0.9
Exploits: 0
Hacker One
Hacker One
added 2019/03/29 10:45 a.m.133 views

Mail.ru: RCE on shared.mail.ru due to "widget" plugin

Confluence widget connector vulnerable to CVE-2019-3396 was available on shared.mail.ru...

CVSS: 10, AI score: 1.5, EPSS: 0.99913
Exploits: 20
Hacker One
Hacker One
added 2019/02/13 6:50 p.m.133 views

Internet Bug Bounty: CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host

description here: https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html PoC: https://github.com/q3k/cve-2019-5736-poc Some more links: https://seclists.org/oss-sec/2019/q1/119 https://access.redhat.com/security/cve/cve-2019-5736 Impact It allows to escape from container t...

CVSS: 9.3, AI score: 8.6, EPSS: 0.9857
Exploits: 33
Hacker One
Hacker One
added 2018/03/21 10:53 p.m.133 views

Zomato: [Zomato Android/iOS] Theft of user session

Hi, I'd like to report a bug which allows theft of user data even without installing third-party apps. The Activity XML is exported and can be accessed by the browser. When any WebView in a client app, or a browser, meets a zomato://etc URL it will automatically launch the Zomato app. File...

AI score: 1.6
Exploits: 0
Total number of security vulnerabilities: 5000