HackerOne, most viewed: 15369 matches found

Hacker One, added 2018/06/01 9:15 a.m., 129 views

Node.js third-party modules: [markdown-pdf] Local file reading

I would like to report local file reading in markdown-pdf. It allows inserting malicious HTML code, which allows reading local files. Module: module name: markdown-pdf, version: 8.1.1, npm page: https://www.npmjs.com/package/markdown-pdf Module description: Node module that converts Markdown fil...

CVSS 2.1, AI score 5.2, EPSS 0.00501, Exploits: 1

Hacker One, added 2017/09/09 1:44 p.m., 129 views

Gratipay: clickjacking on https://gratipay.com/on/npm/[text]

Hi team, I found a clickjacking URL at https://gratipay.com/on/npm/here. This clickjacking must be 3 characters and must be 5 numbers in the entered endpoint of the URL. Please fix soon. https://gratipay.com/on/npm/text Steps to reproduce: 1. Go to https://gratipay.com/on/npm/text 2. Check name or number...

AI score 0.2, Exploits: 0

Hacker One, added 2017/03/26 7:08 p.m., 129 views

New Relic: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability

Hi, I am getting in touch to report that cloud.newrelic.com is vulnerable to CVE-2014-3566 (POODLE). Websites that support SSLv3 and CBC-mode ciphers are potentially vulnerable to an active MITM (man-in-the-middle) attack. This attack, called POODLE, is similar to the BEAST attack and also allows a network...

CVSS 4.3, AI score 5.2, EPSS 0.99999, Exploits: 7

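The report above says why SSLv3 plus CBC is dangerous but not how the oracle actually works. The following is an added example, not New Relic's code and not the report's own PoC: a self-contained simulation of the POODLE padding oracle. The record layer is a toy (an 8-byte Feistel block cipher built on SHA-256 stands in for 3DES/AES-CBC, a truncated HMAC stands in for the SSL MAC, and the cookie `SESSION=deadbeef` is a hypothetical secret). What it models faithfully is the SSLv3 rule that only the final padding-length byte is checked, and the attacker's trick of copying the ciphertext block that ends with the secret byte over the all-padding final block.

```python
"""POODLE (CVE-2014-3566) padding-oracle simulation.

Added example; not New Relic's code and not the report's PoC. The block cipher,
MAC and SECRET below are toy/constructed stand-ins; the SSLv3 padding rule and
the block-substitution attack are the real thing.
"""
import hashlib
import hmac
import os

BLOCK = 8        # toy cipher block size (3DES would also be 8)
MAC_LEN = 8      # truncated HMAC-SHA256 tag (toy choice)
ROUNDS = 4
SECRET = b"SESSION=deadbeef"   # hypothetical cookie the victim's browser appends to every request


def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    l, r = block[:4], block[4:]              # balanced Feistel network: a bijection on 8 bytes
    for rnd in range(ROUNDS):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, rnd, r)))
    return r + l


def block_decrypt(key, block):
    r, l = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        l, r = bytes(a ^ b for a, b in zip(r, _f(key, rnd, l))), l
    return l + r


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def seal(keys, payload):
    """SSLv3-style record: payload || MAC || padding || padding_length, fresh IV per record."""
    enc_key, mac_key = keys
    body = payload + hmac.new(mac_key, payload, "sha256").digest()[:MAC_LEN]
    pad_len = BLOCK - 1 - len(body) % BLOCK      # number of padding bytes, length byte excluded
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(enc_key, iv, body + bytes(pad_len) + bytes([pad_len]))


def open_record(keys, iv, ct):
    """The oracle: True iff the server accepts the record. SSLv3 only verifies that
    padding_length < block size and ignores the padding bytes themselves (TLS 1.0+
    checks every padding byte, which is why the block swap below fails there)."""
    enc_key, mac_key = keys
    pt = cbc_decrypt(enc_key, iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK or len(pt) - pad_len - 1 < MAC_LEN:
        return False
    body = pt[:len(pt) - pad_len - 1]
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(mac_key, payload, "sha256").digest()[:MAC_LEN])


def victim_request(keys, prefix_len, suffix_len):
    # Attacker JS in the browser controls the path (prefix) and body (suffix); the cookie sits between.
    return seal(keys, b"A" * prefix_len + SECRET + b"B" * suffix_len)


def recover_byte(keys, k):
    """Recover SECRET[k]: align it to the last byte of a block, then copy that
    ciphertext block over the all-padding final block until the server accepts."""
    prefix_len = (BLOCK - 1 - k) % BLOCK
    target = (prefix_len + k) // BLOCK                           # plaintext block that ends with SECRET[k]
    suffix_len = -(prefix_len + len(SECRET) + MAC_LEN) % BLOCK   # payload+MAC block-aligned => full padding block
    while True:
        iv, ct = victim_request(keys, prefix_len, suffix_len)
        blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]   # blocks[j+1] encrypts plaintext block j
        forged = blocks[:-1] + [blocks[target + 1]]
        if open_record(keys, forged[0], b"".join(forged[1:])):
            # Accepted => D(C_target)[-1] ^ C_{n-1}[-1] == BLOCK-1; undo chaining with C_target's real predecessor.
            return (BLOCK - 1) ^ forged[-2][-1] ^ blocks[target][-1]


def recover_secret(keys):
    return bytes(recover_byte(keys, k) for k in range(len(SECRET)))


def make_keys():
    return os.urandom(16), os.urandom(16)


if __name__ == "__main__":
    print(recover_secret(make_keys()))   # about 256 requests per byte on average
```

Each accepted forgery leaks exactly one byte, and the attacker needs on average 256 fresh encryptions per byte because the IV (and so the chaining value) changes every request. Disabling SSLv3 is the fix; the oracle disappears in TLS 1.0+ because every padding byte is checked, not just the length.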
Hacker One, added 2016/12/14 7:59 p.m., 129 views

GitLab: SSRF via git Repo by URL Abuse

Hi team, first things first, awesome work with As a PoC I simply port-forwarded port 4444 on my router, started a simple HTTP server and listened on 4444 to check for incoming connections. By doing the steps mentioned above I got a GET request from 40.84.0.225; images for the same are attached...

AI score 7, Exploits: 0

Hacker One, added 2013/11/15 1:35 a.m., 129 views

HackerOne: GIF flooding

Current limits
Image size: 1 MB
Image dimensions: 2048x2048px
File types: jpg/png/gif

Another image hack
A GIF composed of 40k 1x1 images made Paperclip freeze until timeout. As attachments I sent the file composed of 40k images, and a screenshot of the...

AI score 1.1, Exploits: 0

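Size and dimension limits do not bound the work an image library does on an animated GIF: a 40,000-frame file of 1x1 frames stays tiny. The practical check is to count frames before the file reaches the image pipeline. The following is an added example, not HackerOne's or Paperclip's code: a pure-Python walk of the GIF block structure that counts image descriptors without decoding any pixel data, plus a constructed test file generator. `MAX_FRAMES` is a hypothetical policy value.

```python
"""Count GIF frames without decoding them, and reject files over a limit.

Added example (not HackerOne's or Paperclip's code). The walker follows the
GIF87a/89a layout: header, logical screen descriptor, optional global colour
table, then extension (0x21) and image (0x2C) blocks until the 0x3B trailer.
Cost is linear in file size and it stops as soon as the limit is exceeded.
"""
import struct

MAX_FRAMES = 500   # hypothetical policy limit; the report's file had 40,000 frames


class GifError(ValueError):
    pass


def _skip_sub_blocks(data, pos):
    # Data sub-blocks: <len><bytes>... terminated by a zero-length block.
    while True:
        if pos >= len(data):
            raise GifError("truncated sub-block chain")
        n = data[pos]
        pos += 1 + n
        if n == 0:
            return pos


def _color_table_size(packed):
    # Bit 7 = table present, bits 0-2 = log2(entries) - 1; 3 bytes per entry.
    return 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0


def count_gif_frames(data, limit=MAX_FRAMES):
    """Return the number of image frames, raising GifError past `limit` or on malformed input."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise GifError("not a GIF")
    if len(data) < 13:
        raise GifError("truncated header")
    pos = 13 + _color_table_size(data[10])   # byte 10 is the logical screen descriptor's packed field
    frames = 0
    while True:
        if pos >= len(data):
            raise GifError("missing trailer")
        tag = data[pos]
        pos += 1
        if tag == 0x3B:                       # trailer
            return frames
        if tag == 0x21:                       # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif tag == 0x2C:                     # image descriptor: left, top, width, height, packed
            if pos + 9 > len(data):
                raise GifError("truncated image descriptor")
            pos += 9 + _color_table_size(data[pos + 8])
            pos += 1                          # LZW minimum code size
            pos = _skip_sub_blocks(data, pos) # compressed pixel data, skipped not decoded
            frames += 1
            if frames > limit:
                raise GifError(f"more than {limit} frames")
        else:
            raise GifError(f"unknown block 0x{tag:02x} at offset {pos - 1}")


def make_test_gif(frames):
    """Constructed 1x1 GIF with the requested number of (fake, undecodable) image frames."""
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x00, 0, 0)      # no global colour table
    gce = b"\x21\xF9\x04\x00\x0A\x00\x00\x00"                          # graphic control extension, 100 ms
    frame = (b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0x00)         # image descriptor
             + b"\x02"                                               # LZW minimum code size
             + b"\x02\x44\x01\x00")                                  # one 2-byte data sub-block + terminator
    return header + b"".join(gce + frame for _ in range(frames)) + b"\x3B"
```

Run `count_gif_frames` on the uploaded bytes before handing them to ImageMagick or any resizing step; the same walk also rejects files whose block chain never reaches a trailer, which a decoder would otherwise chew on until it hit EOF.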
Hacker One, added 2022/04/18 7:36 p.m., 128 views

curl: CVE-2022-27774: Credential leak on redirect

Summary: Curl can be coaxed to leak user credentials to a third-party host by issuing an HTTP redirect to an ftp:// URL. Steps To Reproduce: 1. Configure for example Apache2 on firstsite.tld to perform a redirect with mod_rewrite: RewriteCond %{HTTP_USER_AGENT} "^curl/" RewriteRule ^/redirectpoc...

CVSS 3.5, AI score 6.8, EPSS 0.01595, Exploits: 1

Hacker One, added 2020/11/22 12:04 p.m., 128 views

Automattic: [intensedebate.com] XSS Reflected POST-Based

Summary: Hello, I have found a reflected POST-based XSS in https://www.intensedebate.com/ajax.php. Vulnerable URL: POST https://www.intensedebate.com/ajax.php Vulnerable parameter: $_POST['txt'] Payload: azertyuiop Steps to reproduce: 1. Open the xss.html and you will see a JavaScript pop-up. You...

AI score 0.7, Exploits: 0

Hacker One, added 2020/11/22 9:12 a.m., 128 views

Khan Academy: Login page vulnerable to bruteforce attacks via rate limiting bypass

Summary: This report consists of two vulnerabilities. 1st vulnerability: I found out that there is rate limiting in place after 25 failed attempts. Now that is good, but when I use another email address to brute-force, the rate limit wasn't preserved for the new email. This may look like a minor issu...

AI score 1.1, Exploits: 0

Hacker One, added 2020/04/10 1:03 p.m., 128 views

BTFS: frame injection on bittorrent.com

Hi team, headers.php is injectable; you can see it in IE browsers. Full URL: https://www.bittorrent.com/scripts/site/headers.php?=1586521900793&callback=%3ciframe%20src%3d%22http%3a%2f%2fgoogle.com%2f%3f%22%3e%3c%2fiframe%3e Impact: fix them...

AI score 1.6, Exploits: 0

Hacker One, added 2020/02/12 10:51 a.m., 128 views

CompanyHub: No Rate Limit On forgot Password Leading To Massive Email Flooding

Summary: No rate limit check on forgot password, which can lead to mass mailing and spamming of users and possibly employees. A little bit about rate limiting: A rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. ...

AI score 7.3, Exploits: 0

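The Khan Academy report above describes a limiter that counts failed logins per email, so rotating the address (password spraying) never trips it; the CompanyHub report describes a forgot-password endpoint with no limit at all. Both are the same design gap: a budget keyed on one attribute the attacker controls. The following is an added example, not Khan Academy's or CompanyHub's code: a sliding-window limiter that keeps an independent budget per configured dimension (account, source IP, target email) and allows a request only when every one of them is under budget. Thresholds, the example addresses and the fake clock are constructed for the demo.

```python
"""Rate limiting keyed on several request attributes at once.

Added example (not Khan Academy's or CompanyHub's code). Limits, addresses
and the clock are constructed for the demonstration.
"""
import collections
import time


class MultiKeyRateLimiter:
    def __init__(self, limits, clock=time.monotonic):
        # limits: {dimension: (max_events, window_seconds)}, e.g. {"account": (25, 900), "ip": (100, 900)}
        self.limits = limits
        self.clock = clock
        self.events = collections.defaultdict(collections.deque)

    def _live_events(self, dim, key, now):
        q = self.events[(dim, key)]
        window = self.limits[dim][1]
        while q and now - q[0] >= window:      # drop events that fell out of the window
            q.popleft()
        return q

    def allow(self, **keys):
        """True (and every configured dimension is charged) or False if any one is exhausted."""
        now = self.clock()
        dims = [(d, k) for d, k in keys.items() if d in self.limits]   # unconfigured dimensions are ignored
        for d, k in dims:
            if len(self._live_events(d, k, now)) >= self.limits[d][0]:
                return False
        for d, k in dims:
            self.events[(d, k)].append(now)
        return True


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate_spray(limiter, ip, n_accounts):
    """One source IP tries a single password against n_accounts distinct emails.
    Returns how many attempts got as far as the password check."""
    return sum(limiter.allow(account=f"user{i}@example.com", ip=ip) for i in range(n_accounts))


def simulate_reset_flood(limiter, ip, email, n_requests):
    """One IP hammers forgot-password for a single address. Returns how many emails would be sent."""
    return sum(limiter.allow(email=email, ip=ip) for _ in range(n_requests))


def demo():
    clock = FakeClock()
    per_account = MultiKeyRateLimiter({"account": (25, 900)}, clock)                       # what the report found
    per_account_and_ip = MultiKeyRateLimiter({"account": (25, 900), "ip": (100, 900)}, clock)
    reset = MultiKeyRateLimiter({"email": (3, 3600), "ip": (20, 3600)}, clock)
    spray_unlimited = simulate_spray(per_account, "203.0.113.5", 400)       # every email is a fresh budget: 400
    spray_capped = simulate_spray(per_account_and_ip, "203.0.113.5", 400)   # the IP budget stops it at 100
    flood = simulate_reset_flood(reset, "203.0.113.5", "victim@example.com", 50)        # 3 emails, not 50
    clock.t += 3600                                                          # window expires
    after_window = simulate_reset_flood(reset, "203.0.113.5", "victim@example.com", 1)  # budget is back: 1
    return spray_unlimited, spray_capped, flood, after_window
```

Per-IP budgets alone are not enough either (attackers rotate proxies), which is why the check is "all dimensions under budget" rather than "any"; in production the account counter should count failures only, and the per-IP one should be loose enough not to lock out a NAT.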
Hacker One, added 2020/01/03 7:32 p.m., 128 views

Starbucks: Account take over of 'light' starbuckscardb2b users

This issue was found on https://www.starbuckscardb2b.com; this website belongs to Starbucks and it is a critical vulnerability, so I am reporting this. Issue: An attacker can take over the victim's account by creating a new account using the email address of a victim who is already registered...

AI score 2.1, Exploits: 0

Hacker One, added 2019/11/14 3:00 a.m., 128 views

Stripo Inc: Bypass email verification and create email template with the editor

Description: The main goal of using Stripo is to create email templates with the editor that is available in the account, and you're not allowed to open it until you validate your email address. But by modifying the response, I was able to bypass the email verification. Steps To Reproduce:...

AI score 0.6, Exploits: 0

Hacker One, added 2019/03/19 7:02 p.m., 128 views

Capital One: Apache server-status enabled

Apache /server-status displays information about your Apache status. If you are not using this feature, disable it.
GET /server-status HTTP/1.1
Connection: keep-alive
Accept: */*
Accept-Encoding: gzip,deflate
Host: proxy-copp.capitalone.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64...

AI score 1.1, Exploits: 0

Hacker One, added 2018/08/02 10:47 a.m., 128 views

Node.js third-party modules: Code Injection Vulnerability in zombie Package

I would like to report a code injection vulnerability in zombie. It allows crawled websites to access privileged APIs such as the file system or child process. Module: module name: zombie, version: 6.1.2, npm page: https://www.npmjs.com/package/zombie Module description: Insanely fast, headless...

AI score 0.7, Exploits: 0

Hacker One, added 2018/03/15 11:06 p.m., 128 views

Uber: Reflected XSS on multiple uberinternal.com domains

The base parameter of /oidauth/prompt on multiple uberinternal.com subdomains was not sanitized before being reflected into the page body, making it vulnerable to reflected XSS. Additionally, these pages were affected by a clickjacking vulnerability that made exploitation easier, since a click wa...

AI score 1, Exploits: 0

Hacker One, added 2018/03/06 7:04 p.m., 128 views

Internet Bug Bounty: Exim off-by-one RCE vulnerability

Hi, I found an off-by-one in an Exim MTA utility function. It was reported to Exim and an official patch has been released; CVE-2018-6789 was assigned. This bug affects all versions of Exim. This bug is simple, but can be leveraged to gain remote code execution using skillful heap exploitation. Details are...

CVSS 7.5, AI score 9.7, EPSS 0.82238, Exploits: 19

Hacker One, added 2017/07/12 3:49 p.m., 128 views

Trello: Unpatched (https://hackerone.com/reports/221928) - Unvalidated File Upload to XSS on trello-attachment Bucket

Report no. https://hackerone.com/reports/221928 is unpatched. PoC: https://trello-attachments.s3.amazonaws.com/59663070a9025afc4b32c7c6/596641e05abfc29b1bd67ff8/9c5258c6acf27ffdf5e80d5bfabbb83b/lol.svg XSS Link...

AI score 6.9, Exploits: 0

Hacker One, added 2017/07/12 9:21 a.m., 128 views

Internet Bug Bounty: PHP INI Parsing Stack Buffer Overflow Vulnerability

Description: A stack buffer overflow exists in the latest stable releases PHP 7.1.5 and PHP 5.6.30 in the PHP INI parsing API, which may accept network / local filesystem input. On malformed inputs, a stack buffer overflow in zend_ini_do_op could write 1 byte past a fixed-size stack buffer. On...

CVSS 6.8, AI score 8.8, EPSS 0.03365, Exploits: 0

Hacker One, added 2017/06/21 3:42 p.m., 128 views

Internet Bug Bounty: Roundcube virtualmin privilege escalation (CVE-2017-8114)

Description: The password plugin, in its virtualmin driver, allows an attacker who has a valid username/password to log in to his web panel to execute malicious inputs. This could allow an attacker to reset the victim's password and, in some scenarios, get a system shell. CVE: CVE-2017-8114 Details...

CVSS 6.5, AI score 8.6, EPSS 0.03471, Exploits: 1

Hacker One, added 2015/03/15 7:49 a.m., 128 views

X (Formerly Twitter): HTTP Response Splitting (CRLF injection) in report_story

Hi, I would like to report an HTTP Response Splitting vulnerability in https://twitter.com/i/safety/report_story that allows attackers to inject arbitrary headers and contents in the response. PoC:...

AI score 7.2, Exploits: 0

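Response splitting needs only one thing: a user-controlled value copied into a header without CR/LF being stripped. The following is an added example, not X/Twitter's code and not the report's PoC: a naive response builder that concatenates header values, a parse of what a CRLF payload turns the response into (an injected `Set-Cookie` header and an attacker-written body), and the two standard defences, rejecting control characters outright or percent-encoding URL-shaped values. The path and payload are constructed for the demo.

```python
"""HTTP response splitting via an unsanitised header value, and the fix.

Added example (not X/Twitter's code). Payload and paths are constructed.
"""
from urllib.parse import quote


class HeaderInjection(ValueError):
    pass


def build_response_naive(status, headers, body=b""):
    """Concatenates header values verbatim: any CR/LF inside a value ends the header."""
    head = "\r\n".join([f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers]) + "\r\n\r\n"
    return head.encode("latin-1") + body


def parse_response(raw):
    """Minimal response parser, as a browser or proxy would see it: (status_line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = [tuple(line.split(": ", 1)) for line in lines[1:] if ": " in line]
    return lines[0], headers, body


def safe_header_value(value):
    """Reject CR, LF and NUL outright: no legitimate header value contains them."""
    if any(c in value for c in "\r\n\x00"):
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value


def build_response_safe(status, headers, body=b""):
    return build_response_naive(status, [(k, safe_header_value(v)) for k, v in headers], body)


def redirect_location(base, user_supplied_path):
    """Alternative for URL-shaped values: percent-encode instead of rejecting (CR -> %0D, LF -> %0A)."""
    return base + quote(user_supplied_path, safe="/?&=")


# Constructed payload in the CRLF pattern the report describes
PAYLOAD = "/i/safety\r\nSet-Cookie: session=attacker\r\n\r\n<html>injected body</html>"


def demo_naive():
    """What the client receives when the payload lands in a Location header unchecked."""
    _, headers, body = parse_response(build_response_naive(302, [("Location", "https://twitter.com" + PAYLOAD)]))
    return dict(headers), body


def demo_safe():
    try:
        build_response_safe(302, [("Location", "https://twitter.com" + PAYLOAD)])
    except HeaderInjection:
        return "rejected"
    return "accepted"
```

Modern frameworks and HTTP libraries already raise on CR/LF in header values; the bug survives where a server assembles headers by hand or an older stack strips only one of the two characters, so a second `\r\n` still splits the response.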
Hacker One, added 2022/01/07 7:51 a.m., 127 views

Mattermost: Bypass Email Verification in Customer Portal

Hi team, hope you are doing well. I found an OTP bypass vulnerability on https://portal.test.cloud.mattermost.com. Summary: I was able to use the OTP that was sent to the victim's email and used it in the attacker's email verification. When I tried this issue the first time the server logged me out, and the second time...

AI score 0.1, Exploits: 0

Hacker One, added 2021/06/12 10:15 p.m., 127 views

Zivver: ADB Backup is enabled within AndroidManifest

In this report, it was highlighted that the ADB backup feature enabled in the Android application could be used by an attacker with physical access to the victim's device to 'migrate' data from app storage on the phone and later possibly extract secrets from that backup. For this attack to succee...

AI score 6.6, Exploits: 0

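The check behind this finding is a manifest attribute, which makes it easy to gate in CI. The following is an added example, not Zivver's code: it parses a decoded AndroidManifest.xml (from the source tree or apktool output, not the binary AXML inside an APK) and reports the `<application>` attributes that let `adb backup` export app data from a device the attacker holds. The two manifests are constructed for the demo.

```python
"""Flag AndroidManifest.xml settings that expose app data to adb backup.

Added example (not Zivver's code). Manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"   # attribute namespace used by android:*


def backup_findings(manifest_xml):
    """Return a list of findings; an empty list means nothing backup-related to report."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]
    findings = []
    allow = (app.get(ANDROID + "allowBackup") or "").lower()
    if allow == "":
        findings.append("android:allowBackup is not set; the platform default is true, so adb backup can export app data")
    elif allow == "true":
        findings.append('android:allowBackup="true": adb backup can export app data')
    if (app.get(ANDROID + "debuggable") or "").lower() == "true":
        findings.append('android:debuggable="true": the data directory is also readable via run-as, backup or not')
    if allow != "false" and app.get(ANDROID + "fullBackupContent") is None \
            and app.get(ANDROID + "dataExtractionRules") is None:
        findings.append("no fullBackupContent/dataExtractionRules: nothing is excluded from the backup set")
    return findings


VULNERABLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:label="Demo" android:allowBackup="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

FIXED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:label="Demo" android:allowBackup="false">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for name, manifest in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, backup_findings(manifest))
```

`allowBackup="false"` is the portable fix; if cloud backup must stay on, keep it true but exclude the secret-bearing files with `fullBackupContent` (older targets) or `dataExtractionRules` (API 31+). Newer platform releases also restrict what `adb backup` will export, so check the current Android documentation for the targetSdkVersion you ship rather than relying on the device to refuse.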
Hacker One, added 2021/05/04 2:01 p.m., 127 views

Sifchain: mongodb credentials leaked in github

Steps To Reproduce: add details for how we can reproduce the issue 1. Go to the values.yaml file. 2. Check from line 23: blockExplorer: args: mongoUsername: "mongodb" mongoPassword: mongoDatabase: "blockexplorer" env: rootURL: "http://localhost:3000" chainnet: "" genesisURL: "" remote: rpcURL: ""...

AI score 6.8, Exploits: 0

Hacker One, added 2020/08/11 6:17 p.m., 127 views

GitHub Security Lab: LDAP injection vulnerability in Java

This bug was reported directly to GitHub Security Lab...

AI score 1.5, Exploits: 0

Hacker One, added 2020/07/02 5:11 p.m., 127 views

WordPress: CSRF on comment post

Hi WordPress, I just found a CSRF on comment post. It allows an attacker to make the victim comment on a post. Steps To Reproduce: The attacker sends the victim a link with the content below: history.pushState('', '', '/') Video PoC: F891759 Impact: The attacker makes the victim comment on a post...

AI score 2.1, Exploits: 0

Hacker One, added 2020/05/08 11:43 a.m., 127 views

DuckDuckGo: DOM XSS on duckduckgo.com search

Hello, there is a DOM XSS vulnerability on https://duckduckgo.com search through the norw parameter. PoC URL: https://duckduckgo.com/?q=a&norw=" Screenshot: F820482 Impact: The attacker can execute JS code...

AI score 0.5, Exploits: 0

Hacker One, added 2020/04/24 9:00 p.m., 127 views

Open-Xchange: Recursor accepts unsigned, empty NXDOMAINs in secure zones

Hi! This is a slightly edited version of the email I sent to the project's security contacts on 2020-04-21. Open-Xchange confirmed it and asked me to resubmit it here. --- Subject: Recursor may be accepting unsigned, empty NXDOMAINs in secure zones I can easily reproduce this against Cloudflare's...

CVSS 5, AI score 0.3, EPSS 0.02434, Exploits: 0

Hacker One, added 2020/03/19 9:56 p.m., 127 views

GitHub Security Lab: CWE-094 ScriptEngine in java

This bug was reported directly to GitHub Security Lab...

AI score 0.7, Exploits: 0

Hacker One, added 2018/12/13 7:02 a.m., 127 views

RATELIMITED: Information Disclosure on https://theendlessweb.com/

Dear Team, I have found an Information Disclosure vulnerability at https://theendlessweb.com/ Steps to Reproduce: Step 1: https://theendlessweb.com/vendor/composer/installed.json Let me know if you need any additional information. Regards, Dhamu. Impact: This file exposes sensitive information tha...

AI score 0.2, Exploits: 0

Hacker One, added 2018/07/06 11:44 p.m., 127 views

ok.ru: Cisco ASA Denial of Service & Path Traversal (CVE-2018-0296)

Unpatched CVE-2018-0296 in test Cisco ASA instance enter-test.odkl.ru...

CVSS 5, AI score 3.9, EPSS 0.99903, Exploits: 18

Hacker One, added 2018/06/10 6:48 p.m., 127 views

New Relic: Insecure Infrastructure Integrations YML Loading leads to Windows Privilege Escalation

After installing the Windows Infrastructure client as discussed in https://docs.newrelic.com/docs/infrastructure/new-relic-infrastructure/installation/install-infrastructure-windows-server I noticed that integration yml config files are not only loaded from the folder within Program Files, but al...

AI score 0.6, Exploits: 0

Hacker One, added 2017/06/26 10:39 p.m., 127 views

arxius: another local file disclosure via ffmpeg

Summary: The fix for https://hackerone.com/reports/242831 can be easily bypassed. It looks like you've banned the file:// substring, which is not enough. Repro steps: 1. Download the attached genavi.py and run the script like this: python3 genavi.py /etc/passwd mustsandboxffmpeg.avi.mp4. 2. Visit...

AI score 7, Exploits: 0

Hacker One, added 2017/03/30 8:55 p.m., 127 views

U.S. Dept Of Defense: Path traversal on ████████

Summary: The web application hosted on the "█████████" domain is affected by a path traversal vulnerability that could permit an attacker to include arbitrary files that are outside of the restricted directory. Description: The affected handler is "/html/js/editor/editor.jsp". This handler...

Exploits: 0

Hacker One, added 2023/12/02 2:35 p.m., 126 views

CS Money: Authentication Bypass to (CVE-2023-2982)

An authentication bypass vulnerability was discovered in an older version of the WordPress plugin WordPress Social Login and Register Discord, Google, Twitter, LinkedIn...

CVSS 9.8, AI score 9.6, EPSS 0.46947, Exploits: 4

Hacker One, added 2021/01/13 5:29 p.m., 126 views

Nextcloud: Nextcloud Desktop Client RCE via malicious URI schemes

Nextcloud Desktop utilizes Qt's QDesktopServices::openUrl to open URLs. This function invokes the OS's/desktop environment's default application for handling the URI scheme and file extension. During the Nextcloud Add Account flow, the server's login website is opened within a native window/WebView...

CVSS 6.8, AI score 0.3, EPSS 0.04698, Exploits: 1

Hacker One, added 2020/11/02 5:48 p.m., 126 views

Brave Software: Brave Browser potentially logs the last time a Tor window was used

Summary: A vulnerability in the Brave Browser allows an attacker to view the last time a Tor session was used in incognito mode. A local, on-disk attacker could read the Brave Browser's "Local State" JSON file and identify the last time a Tor session was used, affecting the confidentiality of a...

CVSS 2.1, AI score 0.1, EPSS 0.00409, Exploits: 1

Hacker One, added 2020/09/06 11:45 a.m., 126 views

Mail.ru: Broken twitter link hijacking at https://games.mail.ru/pc/search/

Link on https://games.mail.ru/pc/search/ page was pointing to invalid twitter account...

AI score 1, Exploits: 0

Hacker One, added 2020/06/10 10:08 p.m., 126 views

GSA Bounty: Blind SSRF on https://labs.data.gov/dashboard/Campaign/json_status/ Endpoint

Summary: Due to improper route handling, multiple malicious actions are possible. The attacker is able to call Class/Function/Param1/Param2 directly from source code. This may lead to calling a function that should not be accessible from the GUI. Any Class from...

AI score 7, Exploits: 0

Hacker One, added 2020/02/20 3:58 p.m., 126 views

Stripo Inc: Blind SSRF while Creating Templates

Blind SSRF While Creating Email Templates...

AI score 1.7, Exploits: 0

Hacker One, added 2019/07/18 4:21 p.m., 126 views

Moneybird: Enable 2FA without verifying the email

Description: I was able to add 2FA to my account without verifying my email. Attack scenario: 1. Attacker signs up with the victim's email; an email verification will be sent to the victim's email. 2. Attacker is able to log in without verifying the email. 3. Attacker adds 2FA. Impact: the victim can't register an account wit...

AI score 2.4, Exploits: 0

Hacker One, added 2018/05/23 10:45 p.m., 126 views

Open-Xchange: [XSS] content_disposition=inline in files

Hi. No filter for application/ when content_disposition=inline. PoC: 1. Auth https://sandbox.open-xchange.com/ajax/share/021f28560fbe7d5b21f28d3fbe7d42379932c8eb965ee141/1/8/NTc/NTcvMzQ4 2. XSS...

AI score 0.2, Exploits: 0

Hacker One, added 2022/08/07 4:50 p.m., 125 views

Adobe: Main Domain Takeover at https://www.marketo.net/

Resolved valid subdomain takeover report on Marketo. We appreciate the collaboration with the researcher...

AI score 0.2, Exploits: 0

Hacker One, added 2022/04/27 7:04 a.m., 125 views

Internet Bug Bounty: CVE-2022-27774: Credential leak on redirect

Summary: curl/libcurl can be coaxed to leak user credentials to a third-party host by issuing an HTTP redirect to an ftp:// URL. Steps To Reproduce: 1. Configure for example Apache2 on firstsite.tld to perform a redirect with mod_rewrite: RewriteCond %{HTTP_USER_AGENT} "^curl/" RewriteRule ^/redirectpoc...

CVSS 3.5, AI score 7, EPSS 0.01595, Exploits: 1

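This entry and the curl entry earlier on the page describe the same bug: an HTTP redirect to an ftp:// URL (or another port) on the same host name made curl re-send the credentials supplied for the original URL. The decision that was wrong is "which hops in a redirect chain may carry credentials", and it is small enough to show in full. The following is an added example, not curl's code: the pre-fix policy compares host names only, as the advisory describes the affected versions, and the fixed policy also requires the same scheme and effective port, which is what curl 7.83.0 changed to. The redirect table and URLs are constructed for the demo; nothing is fetched.

```python
"""Which hops of a redirect chain may carry the user's credentials?

Added example (not curl's code). URLs and the response table are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def _origin(url):
    """(scheme, host, effective port): the three things that identify a service."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def creds_allowed_before(original, target):
    """Affected versions: same host name was enough; scheme and port were not compared."""
    return _origin(original)[1] == _origin(target)[1]


def creds_allowed_after(original, target):
    """Fixed behaviour: credentials only travel to the same scheme, host and port."""
    return _origin(original) == _origin(target)


# Constructed redirect table: url -> Location header (None = final response)
RESPONSES = {
    "https://firstsite.tld/redirectpoc": "ftp://firstsite.tld/",   # the mod_rewrite rule from the report
    "ftp://firstsite.tld/": None,
    "https://firstsite.tld/login": "https://firstsite.tld/home",   # ordinary same-origin redirect
    "https://firstsite.tld/home": None,
}


def follow(start, policy, max_hops=10):
    """Walk the chain; return [(url, credentials_sent)] with the policy applied against the start URL."""
    trail, url = [], start
    for _ in range(max_hops):
        trail.append((url, policy(start, url)))
        nxt = RESPONSES.get(url)
        if nxt is None:
            return trail
        url = nxt
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    for name, policy in (("before", creds_allowed_before), ("after", creds_allowed_after)):
        print(name, follow("https://firstsite.tld/redirectpoc", policy))
```

The same question applies to any client that follows redirects with stored credentials or bearer tokens: compare the full origin, and treat a scheme change as a new service even when the DNS name is identical, because a different port on the same host can be a different operator entirely.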
Hacker One, added 2021/08/02 5:41 p.m., 125 views

GitHub Security Lab: [Java] CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

This bug was reported directly to GitHub Security Lab...

AI score 1.3, Exploits: 0

Hacker One, added 2021/05/08 12:50 p.m., 125 views

Sifchain: Information disclosure on Sifchain

Summary: Hello Team, I have found user/admin usernames disclosed. Using the REST API, we can see all the WordPress users/authors with some of their information, such as id, name, login name, etc., and employees of Sifchain, without authentication on https://sifchain.finance/ Steps To Reproduce: You can...

AI score 6.5, Exploits: 0

Hacker One, added 2021/05/04 5:28 a.m., 125 views

U.S. Dept Of Defense: SSRF due to CVE-2021-27905 in www.████████

Apache Solr is vulnerable to SSRF using the parameter "masterUrl". This issue is registered as CVE-2021-27905. Impact: A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end syste...

CVSS 7.5, AI score 0.3, EPSS 0.93053, Exploits: 5

Hacker One, added 2021/01/11 11:21 a.m., 125 views

Stripo Inc: Bypass of #1047119: Missing Rate Limit while creating Plug-Ins at https://my.stripo.email/cabinet/plugins/

Summary: I have found a bypass for the report https://hackerone.com/reports/1047119 It seems that a proper fix was not issued, therefore the issue still remains. Steps To Reproduce: 1. Create a Plug-In and capture the request. 2. Send this to Intruder. 3. Follow the rest in the Video PoC. PoC Video...

AI score 6.8, Exploits: 0

Hacker One, added 2020/06/30 5:00 a.m., 125 views

Snapchat: Leaked JFrog Artifactory username and password exposed on GitHub - https://snapchat.jfrog.io

Researcher found valid JFrog credentials which were committed to a public GitHub repository of a Snap employee. This allowed access to internal Snap libraries/artifacts along with the ability to push updates to existing artifacts as well...

AI score 0.4, Exploits: 0

Hacker One, added 2020/06/16 11:52 p.m., 125 views

U.S. Dept Of Defense: Subdomain takeover of ████

Summary: I was able to claim the subdomain ████ using Microsoft Azure CDN profiles. Description: Impact Platforms Affected: Subdomain, Azure CDN Step-by-step Reproduction Instructions 1. Using dig, I was able to determine that the subdomain '███████' was vulnerable to takeover. The record showed...

AI score 6.6, Exploits: 0

Hacker One, added 2019/09/03 10:19 p.m., 125 views

Node.js third-party modules: Trojan:JS/CoinMiner in npm files

Hello, I am a front end developer and use Vue.js and Visual Studio Code and have had an issue recently with scripts not running in my terminal, so decided to fault find. All programmes that I can think of are up to date, and today I decided to do a full Windows Defender scan and found the above...

AI score 7.2, Exploits: 0
