Lucene search: Hackerone, most viewed

15371 matches found

Hacker One
added 2018/03/21 10:53 p.m. (133 views)

Zomato: [Zomato Android/iOS] Theft of user session

Hi, I'd like to report a bug which allows theft of user data even without installing third-party apps. Activity xml is exported, and can be accessed by browser. When any WebView in a client app, or a browser, meets a zomato://etc URL it will automatically launch the Zomato app. File...

AI score: 1.6
Exploits: 0
Hacker One
added 2018/02/05 3:10 p.m. (133 views)

Semrush: XXE in Site Audit function exposing file and directory contents

Summary: The Project Site Audit function is vulnerable to XXE when parsing sitemap.xml files. Description: The Site Audit function spiders a given website and performs analysis on the discovered pages. In order to improve website spidering the URL of a sitemap.xml file can be provided. If provide...

AI score: 6.6
Exploits: 0
Hacker One
added 2016/01/21 4:41 a.m. (133 views)

HackerOne: Interstitial redirect bypass / open redirect in https://hackerone.com/zendesk_session

Hi guys, I have found a way to use the open redirect vulnerability that Zendesk refused to fix (we discussed it in 101146) to bypass the interstitial redirect. In 101146, @bencode said: I tend to agree with Zendesk, we don't really see any security issues with it. We use our interstitial to warn t...

AI score: 1.3
Exploits: 0
Hacker One
added 2014/07/22 6:14 p.m. (133 views)

Phabricator: Back - Refresh - Attack To Obtain User Credentials

A back-refresh attack is an attack which enables an adversary to obtain application credentials by going back to the previous page and re-submitting the expired document. How to perform: 1. Register to https:///auth/register/ 2. Once registered, press "Back" on the browser window. Now you'll see the...

AI score: 0.8
Exploits: 0
Hacker One
added 2022/01/12 10:02 a.m. (132 views)

MTN Group: Firebase Database Takeover in https://pulseradio.mtn.co.ug/

Summary: During my test, in one of the subdomains of mtn.co.ug I found the firebase configuration disclosed in the source code along with the apiKey and database URL. Exploiting this vulnerability an attacker is able to upload malicious data to the firebase account of pulseradio.mtn.co.ug and see database...

AI score: 7.1
Exploits: 0
Hacker One
added 2021/02/05 6:09 a.m. (132 views)

FetLife: Stored XSS via Angular Expression injection via Subject while starting conversation with other users.

The reporter pointed out that the Subject field for sending private messages using FetLife's onsite chat was vulnerable to a stored XSS exploit, allowing people to execute potentially malicious contents on the receiving end of the message...

AI score: 6.4
Exploits: 0
Hacker One
added 2020/10/01 4:26 p.m. (132 views)

HackerOne: Blind Stored XSS in HackerOne's Sal 4.1.4.2149 (sal.████.com)

The page located at https://sal.██████.com/list/Activity/hour/all/0/ suffers from a Cross-site Scripting XSS vulnerability when a user has set their hostname on their machine to an XSS payload. Vulnerable Page https://sal.██████.com/list/Activity/hour/all/0/ Victim IP Address ███████ Referer...

CVSS: 3.5; AI score: 0.3; EPSS: 0.00665
Exploits: 0
Hacker One
added 2020/08/04 7:51 a.m. (132 views)

U.S. Dept Of Defense: Reflected XSS in https://www.█████/

Hello Security Team, I would like to report the XSS vulnerability on your system. Steps To Reproduce: Visit the following POC link and move your mouse all over the index page: https://www.████/Z%22onmouseover=alert%60%60%20%22/████████/█████.aspx 1. Tested on Firefox browser: ███████ 2. Tested on Googl...

AI score: 0.5
Exploits: 0
Hacker One
added 2020/06/11 10:43 a.m. (132 views)

GSA Bounty: Limited LFI

Summary: Due to improper parameter sanitization local file inclusion is possible. LFI is limited as we were not able to truncate the end of the string. Description: Application root is located at /var/www/dashboard/new/public. Due to URL manipulation we are able to read a file from...

AI score: 7
Exploits: 0
Hacker One
added 2020/02/14 8:22 p.m. (132 views)

Mail.ru: [icq.im] Reflected XSS via chat invite link

Insufficient filtering in icq.im allowed reflected XSS via invite link...

AI score: 3.5
Exploits: 0
Hacker One
added 2018/10/03 10:19 p.m. (132 views)

Django: Email Spoofing Possible on djangoproject.com Email Domain

Summary: Due to lacking SPF and DMARC records it is possible to spoof emails from djangoproject.com. This could potentially be used to trick employees, customers or clients via phishing emails. Description: Mail servers rely on both SPF and DMARC to properly deal with email spoofing. SPF shows...

AI score: 7.3
Exploits: 0
Hacker One
added 2018/08/31 12:48 p.m. (132 views)

Semrush: Remote Code Execution on www.semrush.com/my_reports on Logo upload

The Logo upload in the report constructor at: https://www.semrush.com/myreports/constructor F340480 is passed through a not properly patched version of ImageMagick. You can use PostScript to get Ghostscript to run, which in turn allows triggering arbitrary commands on the server, leading to Remo...

AI score: 7.6
Exploits: 0
Hacker One
added 2018/05/03 10:10 p.m. (132 views)

Internet Bug Bounty: Linux kernel: CVE-2017-6074: DCCP double-free vulnerability

Hi! CVE-2017-6074 [1] is a double-free vulnerability I found in the Linux kernel. It can be exploited to gain kernel code execution from an unprivileged process. The kernel needs to be built with CONFIG_IP_DCCP for the vulnerability to be present. A lot of modern distributions enable this option by...

CVSS: 7.2; AI score: 7.7; EPSS: 0.0596
Exploits: 13
Hacker One
added 2017/11/09 12:41 a.m. (132 views)

AlienVault: Public .htaccess/.htpasswd/.canvas files lead to password disclosure.

I am a big fan of fuzzing/bruteforcing. After my last submission 288533 on http://data.alienvault.com, I decided to go further. After some bruteforcing I came across this directory which looked kinda interesting to me: http://data.alienvault.com/snort/ When you try to access the directory you will ge...

AI score: 6.7
Exploits: 0
Hacker One
added 2017/10/12 12:23 p.m. (132 views)

Semrush: Email Spoofing

Hey SemRush, It appears that spoofed email can be sent from 1 of your emails. The following email is vulnerable: [email protected] Information: Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source...

AI score: 6.8
Exploits: 0
Hacker One
added 2022/03/29 6:49 a.m. (131 views)

Palantir Public: SQL Injection at https://files.palantir.com/ due to CVE-2021-38159

A vulnerability was discovered in an Internet-facing asset files.palantir.com. A proof of concept POC was developed and used to validate the finding. The vulnerability was patched and resolved. Blog about this vulnerability published. You can read full detail here:...

CVSS: 7.5; EPSS: 0.01891
Exploits: 0
Hacker One
added 2021/10/24 12:45 p.m. (131 views)

Omise: The endpoint '/test/webhooks' is vulnerable to DNS Rebinding

Summary: DNS rebinding attack is a method of switching the resolution of domain names as wished by the attacker. The aim is to lure the web app to a different IP address/host. In this attack, and particularly in our case, a malicious server will first perform a domain name resolution to the IP...

AI score: 0.4
Exploits: 0
Hacker One
added 2021/08/02 5:42 p.m. (131 views)

GitHub Security Lab: [Python]: Add SqlAlchemy support for SQL injection query

This bug was reported directly to GitHub Security Lab...

AI score: 0.9
Exploits: 0
Hacker One
added 2021/04/28 4:06 p.m. (131 views)

Ruby: imap: StartTLS stripping attack (CVE-2016-0772).

net/imap does not seem to raise an exception when the remote IMAP server fails to respond with a tagged response NO/BAD or OK to an explicit call of imap.starttls. This may allow a malicious MITM to perform a STARTTLS stripping attack if the client code does not explicitly set usessl = true on...

CVSS: 5.8; AI score: 0.1; EPSS: 0.14524
Exploits: 4
Hacker One
added 2020/06/26 12:51 p.m. (131 views)

Open-Xchange: Null dereference or redundant null check in `mail_crypt_load_global_private_key` for plugin mail-crypt

In this function, we check once if error_r is not NULL in if enctype == DCRYPT_KEY_ENCRYPTION_TYPE_PASSWORD / Fail here if password is not set since openssl will prompt for it otherwise / if key_password == NULL if error_r != NULL error_r = t_strdup_printf"%s: %s unset, no " "password to decrypt the key",...

AI score: 0.6
Exploits: 0
Hacker One
added 2020/06/04 8:42 p.m. (131 views)

Node.js third-party modules: [Uppy] Internal Server side request forgery (bypass of #786956)

I would like to report an internal server-side request forgery in Uppy. It allows the attacker to easily extract information from internal servers. Module: module name: Uppy, version: 1.15.0, npm page: https://www.npmjs.com/package/uppy. Module Description: Uppy is a sleek, modular JavaScript file uploader...

CVSS: 5; EPSS: 0.0119
Exploits: 1
Hacker One
added 2020/03/20 8:11 p.m. (131 views)

Staging.every.org: Flaw in Change Email https://youtu.be/MMvlcHIGs2A

See https://youtu.be/MMvlcHIGs2A...

AI score: 7.1
Exploits: 0
Hacker One
added 2020/03/01 2:58 a.m. (131 views)

Shopify: CSRF on connecting Paypal as Payment Provider

Hi, I think there is a weak CSRF protection on adding PayPal as the payment provider, but the protection is not good. When users try to add PayPal as payment provider, they will make this GET request...

AI score: 0.3
Exploits: 0
Hacker One
added 2020/01/17 12:13 a.m. (131 views)

h1-ctf: [h1-415 2020] My writeup on how to retrieve the special secret document

Summary: An attacker without any privilege is able to retrieve the special secret document, hosted on the https://h1-415.h1ctf.com website. To do so, multiple steps are required: 1. The authentication must be bypassed to have a licensed account; 2. The support team portal is vulnerable to a blin...

AI score: 6.5
Exploits: 0
Hacker One
added 2017/12/12 7:56 a.m. (131 views)

Semrush: Reflected XSS using Header Injection

Host: www.semrush.com Path: /billing-admin/profile/subscription/?l=de Payload: c5obc'+alert1+'p7yd5 Steps to reproduce: Request Header: GET /billing-admin/profile/subscription/?l=de HTTP/1.1 Host: www.semrush.com Accept: / Accept-Language: en User-Agent: Mozilla/5.0 compatible; MSIE 9.0;...

AI score: 6.5
Exploits: 0
Hacker One
added 2017/06/23 2:27 p.m. (131 views)

Gratipay: Possible User Session Hijack using Invalid HTTPS certificate on inside.gratipay.com domain

Good evening team! This is a theoretical risk but I thought it was still worth reporting since every endpoint and any data flowing through inside.gratipay.com is unencrypted. POC https://inside.gratipay.com And every sub directory under inside.gratipay.com. Description Since the certificate is on...

AI score: 0.3
Exploits: 0
Hacker One
added 2017/02/02 6:01 a.m. (131 views)

ExpressionEngine: Type Juggling -> PHP Object Injection -> SQL Injection Chain

Justin Kennedy identified a Type Juggling vulnerability in ExpressionEngine that allowed access to unserialize using user supplied data, ultimately achieving SQL Injection. The full details of this vulnerability can be found here:...

AI score: 1.2
Exploits: 0
Hacker One
added 2016/05/14 6:39 p.m. (131 views)

LocalTapiola: Remote Code Execution in NovaStor NovaBACKUP DataCenter backup software (Hiback)

Issue: This report contains information about a vulnerability in NovaStor NovaBACKUP DataCenter backup software. Fix: There is no immediate fix. LähiTapiola has internal network controls in place for mitigation. Reasoning: The report is partially out of scope as the software in question is not...

AI score: 0.2
Exploits: 0
Hacker One
added 2022/11/17 12:43 a.m. (130 views)

Internet Bug Bounty: CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example

airflow-2.3.3/airflow/example_dags/example_bash_operator.py has a command injection vulnerability. I can control the run_id in the following code (example_bash_operator.py), so I can inject custom commands. also_run_this = BashOperator(task_id='also_run_this', bash_command='echo "run_id={{ run_id }} | dag_run={{ dag_run }}"'...

CVSS: 6.5; AI score: 8.8; EPSS: 0.85653
Exploits: 2
Hacker One
added 2021/09/30 4:08 p.m. (130 views)

XVIDEOS: Script breaking tag (Forces website to render blank) (Informative)

Summary: This is a bug affecting core HTML and JS elements on the site via Search. Steps To Reproduce: 1. Open https://www.xvideos.com 2. Click to search, enter payload= "" without quotes 3. Hit enter or search, watch the page break and not load any content (content is loaded in console, renders pag...

AI score: 6.2
Exploits: 0
Hacker One
added 2021/07/26 4:29 p.m. (130 views)

Node.js: Built-in TLS module unexpectedly treats "rejectUnauthorized: undefined" as "rejectUnauthorized: false", disabling all certificate validation

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: "rejectUnauthorized: false"...

CVSS: 5; EPSS: 0.1473
Exploits: 1
Hacker One
added 2021/03/01 9:37 a.m. (130 views)

curl: Inadequate Cryptographic Key Size and Insecure Cryptographic Mode. File Name :- curl_ntlm_core.c

The application is generating cryptographic keys or key pairs using a short and inadequate length. This application is using the ECB (Electronic Codebook) mode of operation to perform encryption, which is considered semantically insecure. Vulnerable File name :- curl_ntlm_core.c Vulnerable line no. 2...

AI score: 2.1
Exploits: 0
Hacker One
added 2020/07/26 5:36 p.m. (130 views)

Khan Academy: CSV Injection Via Student Password/Name Leads To Client Side RCE And Reading Client Files

Insufficient CSV escaping could result in our site generating an unsafe CSV file for an end user under certain conditions. See the reporter's summary for more. Two CSV Injection Issues Were Discovered On Khan's Teacher CSV Export Function, That Could Allow Client Side Remote Code Execution, And...

AI score: 0.3
Exploits: 0
Hacker One
added 2020/07/17 4:01 p.m. (130 views)

Mail.ru: Bypass OTP on contact back request at https://driver.city-mobil.ru/

It was possible to bypass phone verification for support call back request...

AI score: 0.7
Exploits: 0
Hacker One
added 2020/05/24 1:02 a.m. (130 views)

Starbucks: Default credentials for the temporary POC site alipoc.stg.starbucks.com.cn permitted WAF bypass and RCE

neweq discovered that a temporary proof of concept site alipoc.stg.starbucks.com.cn was initially configured with default credentials for a brief period of time before being taken offline. @neweq — thank you for reporting this vulnerability and for confirming the resolution...

AI score: 2.6
Exploits: 0
Hacker One
added 2019/10/13 9:29 p.m. (130 views)

Monero: Exploiting Network and Timing Side-Channels to Break Monero Receiver Anonymity

Summary: We present various examples of side-channel leakage in the communication between a Monero wallet and P2P node. Communication patterns and timing leak whether the wallet is the payee of a transaction that is sent into the transaction pool or mined in a block—thereby breaking transaction...

AI score: 0.3
Exploits: 0
Hacker One
added 2018/09/15 4:40 a.m. (130 views)

Internet Bug Bounty: Improper handling of Chunked data request in sapi_apache2.c leads to Reflected XSS

Hey, Chunked requests can trigger XSS and HTML injection at any endpoint because the APR_BRIGADE_INSERT_TAIL(brigade, bucket) is getting destroyed by other handlers. Affected versions: Any OS: Any https://bugs.php.net/bug.php?id=76 Prashanths-MacBook-Pro: prashanthvarma$ nc localhost 80 POST /lol.php...

CVSS: 4.3; AI score: 6.5; EPSS: 0.04103
Exploits: 1
Hacker One
added 2018/08/21 5:01 a.m. (130 views)

Grab: Leaking sensitive information on Github lead full access to all Grab Slack channels

Summary: Accidental leakage of secret keys in such code repositories is a real problem. After my report 387117, I decided to dig deeper than the previous report and, looking at some random profiles on Github and doing some dirty work, I was able to access the developer's company's internal chat...

AI score: 7.3
Exploits: 0
Hacker One
added 2018/08/03 10:44 p.m. (130 views)

U.S. Dept Of Defense: SOAP WSDL Parser SQL Code Execution

Summary: SOAP WSDL Parser SQL Code Execution Description: It was possible to parse WSDL resources and read all functions from the SOAP Admin Panel, therefore I was able to repeat the SQL query with a tampered request with my own custom SQL command. I was able to extract all the database names for...

AI score: 1.9
Exploits: 0
Hacker One
added 2018/06/01 9:15 a.m. (130 views)

Node.js third-party modules: [markdown-pdf] Local file reading

I would like to report local file reading in markdown-pdf. It allows inserting malicious HTML code, which allows reading the local files. Module: module name: markdown-pdf, version: 8.1.1, npm page: https://www.npmjs.com/package/markdown-pdf. Module Description: Node module that converts Markdown fil...

CVSS: 2.1; AI score: 5.2; EPSS: 0.00501
Exploits: 1
Hacker One
added 2017/12/31 12:10 p.m. (130 views)

HackerOne: Invitation token leaks to https://bat.bing.com

Summary: Invitation page contains iframes that point to https://b5s.hackerone-ext-content.com/!/invitations/ and https://a4l.hackerone-ext-content.com/!/invitations/. A GET request to these endpoints executes a script that points to https://bat.bing.com/bat.js. The corresponding request to bing...

AI score: 6.9
Exploits: 0
Hacker One
added 2017/05/07 8:19 p.m. (130 views)

Ubiquiti Inc.: HTML Injection on airlink.ubnt.com

Hi, I found an HTML injection vulnerability on airlink.ubnt.com. Steps to reproduce: First go to: https://airlink.ubnt.com//ptp Next click the Save Simulation button and as simulation name put: "HTMLINJECTIONHERE and save it. Now click the Open Simulation button and you will see the HTML being executed: Your...

AI score: 0.9
Exploits: 0
Hacker One
added 2016/12/14 7:59 p.m. (130 views)

GitLab: SSRF via git Repo by URL Abuse

Hi team, First things first, awesome work with As a PoC I simply port forwarded port 4444 on my router, started a simple HTTP server and listened on 4444 to check for incoming connections. By doing the steps mentioned above I got a GET request from 40.84.0.225; images for the same are attached...

AI score: 7
Exploits: 0
Hacker One
added 2016/06/25 11:41 a.m. (130 views)

Informatica: [oneclickdrsfdc-test.informatica.com] Tomcat Example Scripts Exposed Unauthenticated

Issue: The consultant identified that there is an unauthenticated installation of Apache Tomcat installed on the affected host. This particular installation has the /examples directory exposed which contains several scripts that execute server side code; these scripts can also be leveraged to carr...

AI score: 0.2
Exploits: 0
Hacker One
added 2024/02/23 11:00 a.m. (129 views)

Mars: CVE-2022-21371: Oracle WebLogic Server Local File Inclusion

A vulnerability was identified in Oracle WebLogic Server's Web Container component. Affected versions included ██████████, ██████████, ██████████, and ██████████. The vulnerability could be exploited by an unauthenticated attacker over HTTP, potentially leading to unauthorized access to critical...

CVSS: 7.5; AI score: 7.4; EPSS: 0.92331
Exploits: 6
Hacker One
added 2023/05/23 8:38 a.m. (129 views)

Internet Bug Bounty: CVE-2023-28319: UAF in SSH sha256 fingerprint check

A use-after-free vulnerability was found in libcurl's SSH server public key verification feature, affecting versions 7.81.0 to 8.0.1. When the verification check failed, libcurl would free the memory for the fingerprint before returning an error message containing the now-freed hash, potentially...

CVSS: 7.5; AI score: 6.6; EPSS: 0.02489
Exploits: 1
Hacker One
added 2023/04/17 4:54 p.m. (129 views)

curl: CVE-2023-28321: IDN wildcard match

An improper validation of a certificate with host mismatch vulnerability was found in curl/libcurl, which allowed an attacker to perform a man-in-the-middle attack. The vulnerability was caused by the use of wildcards for validation during TLS communication, even if the hostname is an IDN. This...

CVSS: 5.9; AI score: 6.7; EPSS: 0.0181
Exploits: 1
Hacker One
added 2021/08/06 5:07 p.m. (129 views)

Sifchain: SSH server due to Improper Signature Verification

I found that you are using golang.org/x/[email protected] which has a vulnerability that was fixed in this version golang.org/x/[email protected] but that vulnerability is: golang.org/x/crypto/ssh is an SSH client and server Version...

CVSS: 5; AI score: 7.4; EPSS: 0.21052
Exploits: 6
Hacker One
added 2021/05/19 12:07 p.m. (129 views)

Nextcloud: Webauthn tokens are not removed on user deletion

1. userA has an account on serverA 2. userA enables passwordless login (webauthn) and registers a key/device 3. userA is removed from the system 4. a new user comes along and gets assigned userA as id 5. the old userA tries to login with their key 6. the old userA can see all data of the new userA...

CVSS: 7.5; AI score: 1; EPSS: 0.01779
Exploits: 0
Hacker One
added 2021/01/19 5:09 p.m. (129 views)

Informatica: login to marketplace panel on enablement.informatica.com

Hello dear support, I have found the issue and you can log in to the panel with any password and username F1163976 url: https://enablement.informatica.com/marketplace/ F1163979 Impact: Can gain access to admin panel...

AI score: 0.7
Exploits: 0
Total number of security vulnerabilities: 5000