
15369 matches found

Hacker One | added 2022/01/12 10:02 a.m. | 132 views

MTN Group: Firebase Database Takeover in https://pulseradio.mtn.co.ug/

Summary: During my test, in one of the subdomains of mtn.co.ug I found the Firebase configuration disclosed in the source code along with the apiKey and database URL. Exploiting this vulnerability, an attacker is able to upload malicious data into the Firebase account of pulseradio.mtn.co.ug and see database...

AI score: 7.1 | Exploits: 0
Hacker One | added 2021/02/05 6:09 a.m. | 132 views

FetLife: Stored XSS via Angular Expression injection via Subject while starting conversation with other users.

The reporter pointed out that the Subject field for sending private messages using FetLife's onsite chat was vulnerable to a stored XSS exploit, allowing people to execute potentially malicious contents on the receiving end of the message...

AI score: 6.4 | Exploits: 0
Hacker One | added 2020/10/01 4:26 p.m. | 132 views

HackerOne: Blind Stored XSS in HackerOne's Sal 4.1.4.2149 (sal.████.com)

The page located at https://sal.██████.com/list/Activity/hour/all/0/ suffers from a Cross-site Scripting (XSS) vulnerability when a user has set their hostname on their machine to an XSS payload. Vulnerable Page: https://sal.██████.com/list/Activity/hour/all/0/ Victim IP Address: ███████ Referer...

CVSS: 3.5 | AI score: 0.3 | EPSS: 0.00665 | Exploits: 0
Hacker One | added 2020/06/11 10:43 a.m. | 132 views

GSA Bounty: Limited LFI

Summary: Due to improper parameter sanitization, local file inclusion is possible. LFI is limited as we were not able to truncate the end of the string. Description: Application root is located at /var/www/dashboard/new/public. Due to URL manipulation we are able to read file from...

AI score: 7 | Exploits: 0
Hacker One | added 2019/08/14 9:14 a.m. | 132 views

Algolia: subdomain take over at recommendation.algolia.com

Description: Hello sir, your subdomain recommendation.algolia.com CNAME is recommendation.us, and recommendation.us is for sale, which can lead to subdomain takeover. Steps to reproduce: 1. Check the CNAME of recommendation.algolia.com 2. See that the CNAME "recommendation.us" is for sale using looku...

AI score: 0.9 | Exploits: 0
Hacker One | added 2019/03/29 10:45 a.m. | 132 views

Mail.ru: RCE on shared.mail.ru due to "widget" plugin

Confluence widget connector vulnerable to CVE-2019-3396 was available on shared.mail.ru...

CVSS: 10 | AI score: 1.5 | EPSS: 0.99913 | Exploits: 20
Hacker One | added 2018/10/03 10:19 p.m. | 132 views

Django: Email Spoofing Possible on djangoproject.com Email Domain

Summary: Due to lacking SPF and DMARC records it is possible to spoof emails from djangoproject.com. This could potentially be used to trick employees, customers or clients via phishing emails. Description: Mail servers rely on both SPF and DMARC to properly deal with email spoofing. SPF shows...

AI score: 7.3 | Exploits: 0
Hacker One | added 2018/08/31 12:48 p.m. | 132 views

Semrush: Remote Code Execution on www.semrush.com/my_reports on Logo upload

The Logo upload in the report constructor at: https://www.semrush.com/my_reports/constructor F340480 is passed through a not properly patched version of ImageMagick. You can use PostScript to get Ghostscript to run, which in turn allows triggering arbitrary commands on the server, leading to Remo...

AI score: 7.6 | Exploits: 0
Hacker One | added 2018/03/21 10:53 p.m. | 132 views

Zomato: [Zomato Android/iOS] Theft of user session

Hi, I'd like to report a bug which allows theft of user data even without installing third-party apps. The Activity XML is exported, and can be accessed by a browser. When any WebView in a client app, or a browser, meets a zomato://etc URL it will automatically launch the Zomato app. File...

AI score: 1.6 | Exploits: 0
Hacker One | added 2017/10/12 12:23 p.m. | 132 views

Semrush: Email Spoofing

Hey SemRush, It appears that spoofed email can be sent from 1 of your emails. The following email is vulnerable: [email protected] Information: Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source...

AI score: 6.8 | Exploits: 0
Hacker One | added 2022/03/29 6:49 a.m. | 131 views

Palantir Public: SQL Injection at https://files.palantir.com/ due to CVE-2021-38159

A vulnerability was discovered in an Internet-facing asset, files.palantir.com. A proof of concept (POC) was developed and used to validate the finding. The vulnerability was patched and resolved. A blog about this vulnerability was published. You can read the full detail here:...

CVSS: 7.5 | EPSS: 0.01891 | Exploits: 0
Hacker One | added 2021/04/28 4:06 p.m. | 131 views

Ruby: imap: StartTLS stripping attack (CVE-2016-0772).

net/imap does not seem to raise an exception when the remote end imap server fails to respond with taggedresponse NO/BAD or OK to an explicit call of imap.starttls. This may allow a malicious MITM to perform a starttls stripping attack if the client code does not explicitly set usessl = true on...

CVSS: 5.8 | AI score: 0.1 | EPSS: 0.14524 | Exploits: 4
Hacker One | added 2020/06/26 12:51 p.m. | 131 views

Open-Xchange: Null dereference or redundant null check in `mail_crypt_load_global_private_key` for plugin mail-crypt

In this function, we check once if error_r is not NULL in `if (enc_type == DCRYPT_KEY_ENCRYPTION_TYPE_PASSWORD) { /* Fail here if password is not set since openssl will prompt for it otherwise */ if (key_password == NULL) { if (error_r != NULL) *error_r = t_strdup_printf("%s: %s unset, no " "password to decrypt the key",`...

AI score: 0.6 | Exploits: 0
Hacker One | added 2020/06/04 8:42 p.m. | 131 views

Node.js third-party modules: [Uppy] Internal Server side request forgery (bypass of #786956)

I would like to report Internal Server-side request forgery in Uppy. It allows the attacker to easily extract information from internal servers. Module: module name: Uppy, version: 1.15.0, npm page: https://www.npmjs.com/package/uppy Module Description: Uppy is a sleek, modular JavaScript file uploader...

CVSS: 5 | EPSS: 0.0119 | Exploits: 1
Hacker One | added 2020/03/01 2:58 a.m. | 131 views

Shopify: CSRF on connecting Paypal as Payment Provider

Hi, I think there is a weak CSRF protection on adding PayPal as the payment provider, but the protection is not good. When a user tries to add PayPal as payment provider, they will make this GET request...

AI score: 0.3 | Exploits: 0
Hacker One | added 2020/02/14 8:22 p.m. | 131 views

Mail.ru: [icq.im] Reflected XSS via chat invite link

Insufficient filtering in icq.im allowed reflected XSS via invite link...

AI score: 3.5 | Exploits: 0
Hacker One | added 2020/01/17 12:13 a.m. | 131 views

h1-ctf: [h1-415 2020] My writeup on how to retrieve the special secret document

Summary: An attacker without any privilege is able to retrieve the special secret document, hosted on the https://h1-415.h1ctf.com website. To do so, multiple steps are required: 1. The authentication must be bypassed to have a licensed account; 2. The support team portal is vulnerable to a blin...

AI score: 6.5 | Exploits: 0
Hacker One | added 2019/02/13 6:50 p.m. | 131 views

Internet Bug Bounty: CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host

Description here: https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html PoC: https://github.com/q3k/cve-2019-5736-poc Some more links: https://seclists.org/oss-sec/2019/q1/119 https://access.redhat.com/security/cve/cve-2019-5736 Impact: It allows to escape from container t...

CVSS: 9.3 | AI score: 8.6 | EPSS: 0.9857 | Exploits: 33
Hacker One | added 2017/11/09 12:41 a.m. | 131 views

AlienVault: Public .htaccess/.htpasswd/.canvas files leads to password disclosure.

I am a big fan of fuzzing/bruteforcing. After my last submission 288533 on http://data.alienvault.com, I decided to go further. After some bruteforcing I came across this directory, which looked kinda interesting to me: http://data.alienvault.com/snort/ When you try to access the directory you will ge...

AI score: 6.7 | Exploits: 0
Hacker One | added 2017/06/23 2:27 p.m. | 131 views

Gratipay: Possible User Session Hijack using Invalid HTTPS certificate on inside.gratipay.com domain

Good evening team! This is a theoretical risk but I thought it was still worth reporting since every endpoint and any data flowing through inside.gratipay.com is unencrypted. POC: https://inside.gratipay.com and every sub directory under inside.gratipay.com. Description: Since the certificate is on...

AI score: 0.3 | Exploits: 0
Hacker One | added 2017/02/02 6:01 a.m. | 131 views

ExpressionEngine: Type Juggling -> PHP Object Injection -> SQL Injection Chain

Justin Kennedy identified a Type Juggling vulnerability in ExpressionEngine that allowed access to unserialize using user supplied data, ultimately achieving SQL Injection. The full details of this vulnerability can be found here:...

AI score: 1.2 | Exploits: 0
Hacker One | added 2016/05/14 6:39 p.m. | 131 views

LocalTapiola: Remote Code Execution in NovaStor NovaBACKUP DataCenter backup software (Hiback)

Issue: This report contains information about a vulnerability in NovaStor NovaBACKUP DataCenter backup software. Fix: There is no immediate fix. LähiTapiola has internal network controls in place for mitigation. Reasoning: The report is partially out of scope as the software in question is not...

AI score: 0.2 | Exploits: 0
Hacker One | added 2021/10/24 12:45 p.m. | 130 views

Omise: The endpoint '/test/webhooks' is vulnerable to DNS Rebinding

Summary: A DNS rebinding attack is a method of switching the resolution of domain names as wished by the attacker. The aim is to lure the web app to a different IP address/host. In this attack, and particularly in our case, a malicious server will first perform a domain name resolution to the IP...

AI score: 0.4 | Exploits: 0
Hacker One | added 2021/09/30 4:08 p.m. | 130 views

XVIDEOS: Script breaking tag (Forces website to render blank) (Informative)

Summary: This is a bug affecting core HTML and JS elements on the site via Search. Steps To Reproduce: 1. Open https://www.xvideos.com 2. Click to search, enter payload= "" without quotes 3. Hit enter or search, watch the page break and not load any content; content is loaded in console, renders pag...

AI score: 6.2 | Exploits: 0
Hacker One | added 2021/08/02 5:42 p.m. | 130 views

GitHub Security Lab: [Python]: Add SqlAlchemy support for SQL injection query

This bug was reported directly to GitHub Security Lab...

AI score: 0.9 | Exploits: 0
Hacker One | added 2021/07/26 4:29 p.m. | 130 views

Node.js: Built-in TLS module unexpectedly treats "rejectUnauthorized: undefined" as "rejectUnauthorized: false", disabling all certificate validation

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: "rejectUnauthorized: false"...

CVSS: 5 | EPSS: 0.1473 | Exploits: 1
Hacker One | added 2021/03/01 9:37 a.m. | 130 views

curl: Inadequate Cryptographic Key Size and Insecure Cryptographic Mode. File Name :- curl_ntlm_core.c

The application is generating cryptographic keys or key pairs using a short and inadequate length. This application is using the ECB (Electronic Codebook) mode of operation to perform encryption, which is considered semantically insecure. Vulnerable File name :- curl_ntlm_core.c Vulnerable line no. 2...

AI score: 2.1 | Exploits: 0
Hacker One | added 2020/08/04 7:51 a.m. | 130 views

U.S. Dept Of Defense: Reflected XSS in https://www.█████/

Hello Security Team, I would like to report the XSS vulnerability on your system. Steps To Reproduce: Visit the following POC link and move your mouse all over the index page: https://www.████/Z%22onmouseover=alert%60%60%20%22/████████/█████.aspx 1. Tested on Firefox browser: ███████ 2. Tested on Googl...

AI score: 0.5 | Exploits: 0
Hacker One | added 2020/07/26 5:36 p.m. | 130 views

Khan Academy: CSV Injection Via Student Password/Name Leads To Client Side RCE And Reading Client Files

Insufficient CSV escaping could result in our site generating an unsafe CSV file for an end user under certain conditions. See the reporter's summary for more. Two CSV Injection Issues Were Discovered On Khan's Teacher CSV Export Function, That Could Allow Client Side Remote Code Execution, And...

AI score: 0.3 | Exploits: 0
Hacker One | added 2020/05/24 1:02 a.m. | 130 views

Starbucks: Default credentials for the temporary POC site alipoc.stg.starbucks.com.cn permitted WAF bypass and RCE

neweq discovered that a temporary proof of concept site alipoc.stg.starbucks.com.cn was initially configured with default credentials for a brief period of time before being taken offline. @neweq, thank you for reporting this vulnerability and for confirming the resolution...

AI score: 2.6 | Exploits: 0
Hacker One | added 2020/03/20 8:11 p.m. | 130 views

Staging.every.org: Flaw in Change Email https://youtu.be/MMvlcHIGs2A

See https://youtu.be/MMvlcHIGs2A...

AI score: 7.1 | Exploits: 0
Hacker One | added 2019/10/13 9:29 p.m. | 130 views

Monero: Exploiting Network and Timing Side-Channels to Break Monero Receiver Anonymity

Summary: We present various examples of side-channel leakage in the communication between a Monero wallet and P2P node. Communication patterns and timing leak whether the wallet is the payee of a transaction that is sent into the transaction pool or mined in a block, thereby breaking transaction...

AI score: 0.3 | Exploits: 0
Hacker One | added 2018/08/21 5:01 a.m. | 130 views

Grab: Leaking sensitive information on Github leads to full access to all Grab Slack channels

Summary: Accidental leakage of secret keys in such code repositories is a real problem. After my report 387117, I decided to dig deeper than the previous report, and by looking at some random profiles on GitHub and doing some dirty work I was able to access the developer's company's internal chat...

AI score: 7.3 | Exploits: 0
Hacker One | added 2018/08/03 10:44 p.m. | 130 views

U.S. Dept Of Defense: SOAP WSDL Parser SQL Code Execution

Summary: SOAP WSDL Parser SQL Code Execution Description: It was possible to parse WSDL resources and read all functions from the SOAP Admin Panel, therefore I was able to repeat the SQL query with a tampered request with my own custom SQL command. I was able to extract all the database names for...

AI score: 1.9 | Exploits: 0
Hacker One | added 2017/12/12 7:56 a.m. | 130 views

Semrush: Reflected XSS using Header Injection

Host: www.semrush.com Path: /billing-admin/profile/subscription/?l=de Payload: c5obc'+alert(1)+'p7yd5 Steps to reproduce: Request Header: GET /billing-admin/profile/subscription/?l=de HTTP/1.1 Host: www.semrush.com Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0;...

AI score: 6.5 | Exploits: 0
Hacker One | added 2016/06/25 11:41 a.m. | 130 views

Informatica: [oneclickdrsfdc-test.informatica.com] Tomcat Example Scripts Exposed Unauthenticated

Issue: The consultant identified that there is an unauthenticated installation of Apache Tomcat installed on the affected host. This particular installation has the /examples directory exposed, which contains several scripts that execute server side code; these scripts can also be leveraged to carr...

AI score: 0.2 | Exploits: 0
Hacker One | added 2024/02/23 11:00 a.m. | 129 views

Mars: CVE-2022-21371: Oracle WebLogic Server Local File Inclusion

A vulnerability was identified in Oracle WebLogic Server's Web Container component. Affected versions included ██████████, ██████████, ██████████, and ██████████. The vulnerability could be exploited by an unauthenticated attacker over HTTP, potentially leading to unauthorized access to critical...

CVSS: 7.5 | AI score: 7.4 | EPSS: 0.92331 | Exploits: 6
Hacker One | added 2023/05/23 8:38 a.m. | 129 views

Internet Bug Bounty: CVE-2023-28319: UAF in SSH sha256 fingerprint check

A use-after-free vulnerability was found in libcurl's SSH server public key verification feature, affecting versions 7.81.0 to 8.0.1. When the verification check failed, libcurl would free the memory for the fingerprint before returning an error message containing the now-freed hash, potentially...

CVSS: 7.5 | AI score: 6.6 | EPSS: 0.02489 | Exploits: 1
Hacker One | added 2023/04/17 4:54 p.m. | 129 views

curl: CVE-2023-28321: IDN wildcard match

An improper validation of a certificate with host mismatch vulnerability was found in curl/libcurl, which allowed an attacker to perform a man-in-the-middle attack. The vulnerability was caused by the use of wildcards for validation during TLS communication, even if the hostname is an IDN. This...

CVSS: 5.9 | AI score: 6.7 | EPSS: 0.0181 | Exploits: 1
Hacker One | added 2022/11/17 12:43 a.m. | 129 views

Internet Bug Bounty: CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example

airflow-2.3.3/airflow/example_dags/example_bash_operator.py has a command injection vulnerability. I can control the run_id in the following code (example_bash_operator.py), so I can inject custom commands. `also_run_this = BashOperator(task_id='also_run_this', bash_command='echo "run_id={{ run_id }} | dag_run={{ dag_run }}"')`...

CVSS: 6.5 | AI score: 8.8 | EPSS: 0.85653 | Exploits: 2
Hacker One | added 2021/08/06 5:07 p.m. | 129 views

Sifchain: SSH server due to Improper Signature Verification

I found that you are using golang.org/x/[email protected] which has a vulnerability that was fixed in this version golang.org/x/[email protected] but that vulnerability is: golang.org/x/crypto/ssh is an SSH client and server Version...

CVSS: 5 | AI score: 7.4 | EPSS: 0.21052 | Exploits: 6
Hacker One | added 2021/05/19 12:07 p.m. | 129 views

Nextcloud: Webauthn tokens are not removed on user deletion

1. userA has an account on serverA 2. userA enables passwordless login (webauthn) and registers a key/device 3. userA is removed from the system 4. a new user comes along and gets assigned userA as id 5. the old userA tries to login with their key 6. the old userA can see all data of the new userA...

CVSS: 7.5 | AI score: 1 | EPSS: 0.01779 | Exploits: 0
Hacker One | added 2020/10/19 6:09 p.m. | 129 views

GitHub Security Lab: Java: CWE-749 Unsafe resource loading in Android WebView leaking to injection attacks

This bug was reported directly to GitHub Security Lab...

AI score: 1.8 | Exploits: 0
Hacker One | added 2020/07/17 4:01 p.m. | 129 views

Mail.ru: Bypass OTP on contact back request at https://driver.city-mobil.ru/

It was possible to bypass phone verification for support call back request...

AI score: 0.7 | Exploits: 0
Hacker One | added 2019/02/06 2:15 a.m. | 129 views

U.S. Dept Of Defense: RCE on https://█████/ Using CVE-2017-9248

Summary: https://█████████/ is hosting an unpatched version of the Telerik DialogHandler (Telerik.Web.UI.DialogHandler.aspx) allowing for the machine key to be brute forced. The machine key can be used to access the DNN file manager to upload arbitrary files including ASPX, giving a web shell and RC...

CVSS: 7.5 | EPSS: 0.75098 | Exploits: 5
Hacker One | added 2018/09/15 4:40 a.m. | 129 views

Internet Bug Bounty: Improper handling of Chunked data request in sapi_apache2.c leads to Reflected XSS

Hey, Chunked requests can trigger XSS and HTML injection at any end point because the APR_BRIGADE_INSERT_TAIL(brigade, bucket) is getting destroyed by other handlers. Affected versions: Any OS: Any https://bugs.php.net/bug.php?id=76 Prashanths-MacBook-Pro: prashanthvarma$ nc localhost 80 POST /lol.php...

CVSS: 4.3 | AI score: 6.5 | EPSS: 0.04103 | Exploits: 1
Hacker One | added 2018/06/01 9:15 a.m. | 129 views

Node.js third-party modules: [markdown-pdf] Local file reading

I would like to report local file reading in markdown-pdf. It allows inserting malicious HTML code, which allows reading local files. Module: module name: markdown-pdf, version: 8.1.1, npm page: https://www.npmjs.com/package/markdown-pdf Module Description: Node module that converts Markdown fil...

CVSS: 2.1 | AI score: 5.2 | EPSS: 0.00501 | Exploits: 1
Hacker One | added 2018/05/03 10:10 p.m. | 129 views

Internet Bug Bounty: Linux kernel: CVE-2017-6074: DCCP double-free vulnerability

Hi! CVE-2017-6074 [1] is a double-free vulnerability I found in the Linux kernel. It can be exploited to gain kernel code execution from an unprivileged process. The kernel needs to be built with CONFIG_IP_DCCP for the vulnerability to be present. A lot of modern distributions enable this option by...

CVSS: 7.2 | AI score: 7.7 | EPSS: 0.0596 | Exploits: 13
Hacker One | added 2017/12/31 12:10 p.m. | 129 views

HackerOne: Invitation token leaks to https://bat.bing.com

Summary: The invitation page contains iframes that point to https://b5s.hackerone-ext-content.com/!/invitations/ and https://a4l.hackerone-ext-content.com/!/invitations/. A GET request to these endpoints executes a script that points to https://bat.bing.com/bat.js. The corresponding request to bing...

AI score: 6.9 | Exploits: 0
Hacker One | added 2017/09/09 1:44 p.m. | 129 views

Gratipay: clickjacking on https://gratipay.com/on/npm/[text]

Hi team.. I found a clickjacking URL on https://gratipay.com/on/npm/here. This clickjacking must be 3 characters and must be 5 numbers at this entered endpoint of the URL.. Please fix soon. https://gratipay.com/on/npm/text Steps to reproduce: 1. Go to https://gratipay.com/on/npm/text 2. Check name or number...

AI score: 0.2 | Exploits: 0
Total number of security vulnerabilities: 5000