Hackerone: Most viewed

15369 matches found

Hacker One | added 2020/12/26 9:55 p.m. | 115 views

WHO COVID-19 Mobile App: Internal API endpoint is accessible for everyone

Summary: It looks like the endpoint /internal/cron/refreshCaseStats as configured in cron.yaml https://github.com/WorldHealthOrganization/app/blob/master/server/appengine/src/main/webapp/WEB-INF/cron.yaml#L3 is accessible for everyone. Since it is configured as a cronjob to run every 5 minutes and...

AI score: 6.7 | Exploits: 0
Hacker One | added 2020/11/20 7:38 p.m. | 115 views

HackerOne: Second-order SOQL injection through email and campaign name parameter in Salesforce lead submission

The HackerOne directory contains profiles of bug bounty and vulnerability disclosure programs that aren't managed on HackerOne. These profiles can be claimed by the organization that manages them. As part of this flow, they will need to enter an email address to confirm that affiliation with the...

AI score: 0.2 | Exploits: 0
Hacker One | added 2020/09/30 7:00 p.m. | 115 views

U.S. Dept Of Defense: [SQLI] Time Based Injection at ██████████ via referer header

Hi, the ████ was vulnerable to time based injection via the referer header. Steps: 1- copy the request to your Burp Suite: GET /DNCdb.php?alert= HTTP/1.1 Host: ███████ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept:...

Exploits: 0
Hacker One | added 2020/05/14 11:37 a.m. | 115 views

Mail.ru: [my.games] Stored XSS via untrusted bucket

Domain, site, application -- https://my.games/ Details -- If you check the page source of https://my.games, you can notice that the site gets static files (scripts, styles, images) using the following URL declaration: https://my.games/hotbox/mygames/frontend/v3-6-13/img/share/main.png mygames here is a name of...

AI score: 6.7 | Exploits: 0
Hacker One | added 2020/03/26 5:08 p.m. | 115 views

Mail.ru: Stored XSS on https://go.mail.ru/

Reflected XSS via GET parameter in go.mail.ru...

AI score: 1.5 | Exploits: 0
Hacker One | added 2019/09/18 9:34 a.m. | 115 views

Semmle: Worker container escape lead to arbitrary file reading in host machine [again]

Summary: After a successful build, LGTM allows the user to view the file list. By default, only source code files and build config files are reserved (lgtm.yml and .lgtm.yml). If both files are in a folder, LGTM will process the lgtm.yml file and skip .lgtm.yml, but it still keeps both files in...

Exploits: 0
Hacker One | added 2018/04/27 11:23 p.m. | 115 views

Mail.ru: XSS account.mail.ru in state JSON script

Domain, site, application -- account.mail.ru Testing environment -- Chrome Steps to reproduce -- Login and open...

AI score: 0.1 | Exploits: 0
Hacker One | added 2015/12/22 9:03 a.m. | 115 views

Shopify: HTTP-Response-Splitting on v.shopify.com

I discovered an HTTP-Response-Splitting issue on v.shopify.com. Steps to reproduce: Call the following URL in any browser and catch the response, e.g. with Burp...

AI score: 0.7 | Exploits: 0
Hacker One | added 2014/03/03 9:46 p.m. | 115 views

OkCupid: https://www.okcupid.com/hidden-users CSRF vulnerability.

Hi, The html code below : Will make it possible to hide a user.. You can patch this by supplying a CSRF token : Best regards, Olivier Beg...

AI score: 7.1 | Exploits: 0
Hacker One | added 2014/02/19 12:00 a.m. | 115 views

Internet Bug Bounty: moderate: mod_deflate denial of service

A resource consumption flaw was found in mod_deflate. If request body decompression was configured using the "DEFLATE" input filter, a remote attacker could cause the server to consume significant memory and/or CPU resources. The use of request body decompression is not a common configuration...

CVSS: 4.3 | AI score: 5.5 | EPSS: 0.37156 | Exploits: 0
Hacker One | added 2024/07/03 7:09 a.m. | 114 views

Internet Bug Bounty: important: Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path. (CVE-2024-38475)

The Apache HTTP Server was found to have a vulnerability in mod_rewrite where improper escaping of output allowed attackers to map URLs to filesystem locations that were permitted to be served by the server but were not intentionally/directly reachable by any URL. This resulted in potential code...

CVSS: 9.1 | AI score: 9.1 | EPSS: 0.99957 | Exploits: 1
Hacker One | added 2023/04/07 7:31 p.m. | 114 views

U.S. Dept Of Defense: Default Credentials on Kinetic Core System Console - https://█████/kinetic/app/

Weak default credentials of "admin/admin" were discovered on the Kinetic Core System Console application, potentially allowing attackers to identify underlying technologies and access sensitive information such as server logs and user data. The vulnerability was present in version 2.1.0-SNAPSHOT...

AI score: 6.9 | Exploits: 0
Hacker One | added 2022/12/14 9:17 p.m. | 114 views

Internet Bug Bounty: CVE-2022-23520: Incomplete fix for CVE-2022-32209 (XSS in Rails::Html::Sanitizer under certain configurations)

The following is from: https://hackerone.com/reports/1654310 While building a PoC for CVE-2022-32209, I noticed that I could not fix my vulnerable application by updating https://github.com/rails/rails-html-sanitizer from 1.4.2 to 1.4.3 even though the Hackerone report about this vulnerability...

CVSS: 5.8 | AI score: 6.3 | EPSS: 0.2914 | Exploits: 2
Hacker One | added 2022/10/29 4:45 p.m. | 114 views

curl: CVE-2022-43551: Another HSTS bypass via IDN

Summary: I found an issue similar to CVE-2022-42916 again. Since the phenomenon is the same, I will describe the same as last time. HSTS checks are bypassed if any character in the IDN converts (Nameprep) to a '.', for example "。" (UTF-8: E3 80 82). I think there are other characters that become "." (UTF-8: 2E)...

CVSS: 5 | AI score: 8.7 | EPSS: 0.1654 | Exploits: 1
Hacker One | added 2020/12/31 12:42 p.m. | 114 views

h1-ctf: First CTF ever!

Pretext: Started looking into hacking this autumn and then found out HackerOne was doing a Christmas themed CTF. Further investigation showed that the deplorable Grinch might be up to no good again - Christmas is in danger! TLDR: Lots of hacking took place, the Grinch was stopped, Christmas saved a...

AI score: 6.1 | Exploits: 0
Hacker One | added 2020/09/16 10:26 a.m. | 114 views

Stripo Inc: Public and secret api key leaked in JavaScript source

Summary: Summary of the vulnerabilities: I was surfing on the Stripo website. I found sensitive data, including an authentication key, written in a publicly accessible JavaScript file. URL Vulnerability https://staging.empleio.stripo.email/main.c1965c58f39a0f4aadc3.js Steps To Reproduce: Open...

AI score: 7.1 | Exploits: 0
Hacker One | added 2020/05/17 3:01 p.m. | 114 views

InnoGames: Impersonation and ticket id enumeration on support.innogames.com

A missing check for authorization made it possible to answer tickets owned by other users in their own name...

AI score: 4.3 | Exploits: 0
Hacker One | added 2020/04/05 8:14 p.m. | 114 views

HackerOne: Reflected XSS on www.hackerone.com and resources.hackerone.com

Good day: I hope you're doing as well as can be during these difficult times. I have found XSS at 2 endpoints: https://www.hackerone.com/resources/ and https://resources.hackerone.com The payloads that work are here:...

AI score: 6.7 | Exploits: 0
Hacker One | added 2020/02/05 1:55 p.m. | 114 views

New Relic: Bypassing Protection Mechanism: Change of Account Name after Session Log out

The researcher illustrated a delay in session invalidation. This has not been added to our public policy to help prevent confusion...

AI score: 0.3 | Exploits: 0
Hacker One | added 2019/11/18 10:49 a.m. | 114 views

Bumble: Reflected XSS

The researcher has found an XSS when sending messages through our service...

AI score: 1.6 | Exploits: 0
Hacker One | added 2019/03/21 2:29 p.m. | 114 views

Semmle: All Burp Suite Scan report

Summary: 1. Detected Deserialization RCE: Jackson 1.1. https://lgtm-com.pentesting.semmle.net/blog/ lgtmshortsession cookie 1.2. https://lgtm-com.pentesting.semmle.net/internalapi/v0.2/getSuggestedProjects apiVersion parameter 2. Session token in URL 3. CSP: Inline scripts can be inserted 3.1...

Exploits: 0
Hacker One | added 2018/02/17 11:18 p.m. | 114 views

Phabricator: Window.opener fix bypass

Description: Due to a recent report https://hackerone.com/reports/306414 a fix was deployed in order to resolve the tabnabbing issue. However, by using a line break the fix can be bypassed. Steps to reproduce: 1. Browse to your Phabricator instance and create a new document. 2. Now paste in the followi...

AI score: 6.6 | Exploits: 0
Hacker One | added 2017/11/17 2:33 p.m. | 114 views

Kaspersky: Hard Coded username and password in registry

I was using a tool called RegShot to take a snapshot of the registry before and after installation, in order to see what changes were being made in the registry, and I discovered hard-coded credentials. I have attached the full comparison details of the registry changes, but these are the lines and...

AI score: 1.2 | Exploits: 0
Hacker One | added 2016/03/22 5:35 p.m. | 114 views

Uber: Reflected XSS on developer.uber.com via Angular template injection

developer.uber.com is vulnerable to reflected XSS via Angular template injection. The following URL demonstrates the root issue using a trivial payload: https://developer.uber.com/docs/deep-linking?q=wrtz{{7*7}} If you view the rendered source of the resulting page, you'll find the string 'wrtz49',...

AI score: 0.2 | Exploits: 0
Hacker One | added 2015/02/25 7:49 a.m. | 114 views

Mail.ru: scfbp.tng.mail.ru: Heartbleed

MacBook-Pro-Kirill:Pentest isox$ python heartbleed.py scfbp.tng.mail.ru defribulator v1.16 A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed CVE-2014-0160 Connecting to: scfbp.tng.mail.ru:443, 1 times Sending Client Hello for TLSv1.0 Received Server Hello for TLSv1.0...

CVSS: 5 | AI score: 7.7 | EPSS: 0.99999 | Exploits: 87
Hacker One | added 2024/05/07 3:11 p.m. | 113 views

curl: Incorrect Type Conversion in interpreting IPv4-mapped IPv6 addresses and below `curl` results in indeterminate SSRF vulnerabilities.

Vulnerability description not provided...

CVSS: 8.1 | AI score: 6.6 | EPSS: 0.20459 | Exploits: 4
Hacker One | added 2022/10/03 4:14 p.m. | 113 views

curl: CVE-2022-35260: .netrc parser out-of-bounds access

Summary: Curl expects the .netrc file to have space characters. So if there is no space character, it will do an out-of-bounds read and a 1-byte out-of-bounds write. This can happen multiple times depending on the state of the memory. Steps To Reproduce: curl --netrc-file .netrc test.local ".netr...

CVSS: 4.3 | AI score: 7.8 | EPSS: 0.01761 | Exploits: 1
Hacker One | added 2022/06/14 4:11 a.m. | 113 views

Internet Bug Bounty: Rails::Html::SafeListSanitizer vulnerable to xss attack in an environment that allows the style tag

It seems to be a problem caused by a difference between the Nokogiri Java implementation and the Ruby implementation. jruby 9.3.3.0, nokogiri java, use Rails::Html::SafeListSanitizer.new.sanitize, allow select/style tag code tags = %w[select style] puts...

CVSS: 4.3 | AI score: 6.2 | EPSS: 0.2914 | Exploits: 1
Hacker One | added 2022/05/15 1:56 a.m. | 113 views

curl: CVE-2022-32206: HTTP compression denial of service

Summary: Curl does not prevent resource consumption when processing certain header types, but keeps on allocating more and more resources until the application terminates or the system crashes, see below. The attack vectors include at least: - Sending many Transfer-Encoding with repeated encodings...

CVSS: 4.3 | AI score: 7.8 | EPSS: 0.3197 | Exploits: 1
Hacker One | added 2021/03/25 10:43 p.m. | 113 views

GitHub Security Lab: Java : Add query for detecting Log Injection vulnerabilities

This bug was reported directly to GitHub Security Lab...

AI score: 1.4 | Exploits: 0
Hacker One | added 2020/09/11 3:33 a.m. | 113 views

CS Money: Internal Path Disclosure

Hello Team, I would like to report an internal path disclosure in a response. I was trying for Stored XSS but got no luck in that process. I observed the responses; one of the responses was showing a file path with a 500 Internal Server Error. Steps To Reproduce: 1. Go to cs.money and sign in through Steam...

AI score: 0.4 | Exploits: 0
Hacker One | added 2020/07/22 5:17 p.m. | 113 views

lemlist: Stored XSS at [ https://app.lemlist.com/campaigns/cam_QRS5caF2ca7MJtiLS/leads ] in "LINKEDIN URL" Field.

Summary: Vulnerability: A. Type:- Cross Site Scripting (Stored) B. Description:- Stored XSS, also known as persistent XSS, is more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Summary: When you log into the...

AI score: 6.6 | Exploits: 0
Hacker One | added 2020/06/18 7:24 p.m. | 113 views

Mail.ru: Sensitive information exposure via git commit

Token for a test ICQ bot account was leaked via git commit data for an open-source Jira plugin...

AI score: 2.9 | Exploits: 0
Hacker One | added 2020/06/15 10:43 p.m. | 113 views

Ruby on Rails: Untrusted users able to run pending migrations in production

Untrusted users able to run pending migrations in production. There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. This vulnerability has been assigned the CVE identifier CVE-2020-XXXX...

CVSS: 4 | AI score: 2.7 | EPSS: 0.02181 | Exploits: 0
Hacker One | added 2020/04/24 1:24 p.m. | 113 views

Starbucks: CRLF injection on www.starbucks.com

The vulnerability allows setting arbitrary headers, and also enables response splitting which can then be exploited further. POC: curl -i 'https://www.starbucks.com/email-prospecttg9wh%0d%0aset-cookie:foo%0d%0a%0d%0a4t6uf?requesturl=/responsibility/global-report/policies' -d...

AI score: 3.7 | Exploits: 0
Hacker One | added 2020/03/19 6:17 p.m. | 113 views

Internet Bug Bounty: URN Request bypass ACL Checks

Summary: An attacker can bypass ACL checks, gaining access to restricted HTTP servers such as those running on localhost. The attacker could also gain access to CacheManager if the VIA header is turned off. Only lines with : will be readable though, and the response must be less than 4096 bytes or it'll...

CVSS: 6.4 | AI score: 8.7 | EPSS: 0.04302 | Exploits: 0
Hacker One | added 2020/03/14 5:13 a.m. | 113 views

X (Formerly Twitter): character limitation bypass can lead to DoS on Twitter App and 500 Internal Server Error

Summary: If you are creating a new moment on https://twitter.com/username/moments you get redirected to https://twitter.com/i/moments/edit/moments-id. There you can set a title, a description and also you can add, if you want, a Tweet to your Moment. The title and also the description are...

AI score: 6.8 | Exploits: 0
Hacker One | added 2020/02/24 6:56 p.m. | 113 views

Nord Security: Reduced Payment amount while paying on Crypto Currencies

Summary: While the payment is made via Crypto Currencies on the site "https://join.nordvpn.com/order/", the amount can be reduced to 25.64 instead of the original amount; this can cause loss of revenue to the company. Even the BTC value reflects the reduced converted values, see the screenshot...

AI score: 6.7 | Exploits: 0
Hacker One | added 2019/11/02 8:29 p.m. | 113 views

Rocket.Chat: Clickjacking in the admin page

Summary: Hello Rocket.Chat, There is a clickjacking vulnerability in a very critical page which is the admin info page. For my installation, the URL https://penetrationtester.rocket.chat/admin/users was used for creating the PoC. Description: Clickjacking (User Interface redress attack, UI redress...

AI score: 0.2 | Exploits: 0
Hacker One | added 2019/10/28 6:37 p.m. | 113 views

curl: Race condition with CURL_LOCK_DATA_CONNECT can cause connections to be used at the same time

Summary: We've seen race conditions when using CURL_LOCK_DATA_CONNECT in libcurl where sometimes two different threads using two different easy handles end up sharing the same connection pointer at the same time. This causes UAFs and double frees when both threads are freeing items on the same...

AI score: 7 | Exploits: 0
Hacker One | added 2017/09/09 4:40 p.m. | 113 views

Gratipay: Information Disclosure on inside.gratipay.com

Hello @gratipay, By checking request headers I've been able to identify that inside.gratipay.com is running on Server: WSGIServer/0.1 Python/2.7.11. Request: https://inside.gratipay.com/assets/inside-gratipay.svg GET /assets/inside-gratipay.svg HTTP/1.1 Host: inside.gratipay.com User-Agent:...

AI score: 0.9 | Exploits: 0
Hacker One | added 2017/09/05 7:03 a.m. | 113 views

Snapchat: Stealing SSO Login Tokens (snappublisher.snapchat.com)

Description: An attacker can steal SSO login tokens for snappublisher.snapchat.com by chaining different flaws in SSO and Snapchat's Snappublisher tool. The detailed attack flow is as follows. Attack Flow 1. Snapchat fetches an SSO LOGIN TOKEN from accounts.snapchat.com to log into different products o...

AI score: 7.2 | Exploits: 0
Hacker One | added 2016/06/08 4:31 p.m. | 113 views

Uber: Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical)

Through the endpoint at /rt/users/passwordless-signup it is possible to change the password of any Uber user, given knowledge of their phone number or by just enumerating phone numbers until one is found that is registered with Uber - not too hard given the number of Uber users. I've tested this...

AI score: 6.9 | Exploits: 0
Hacker One | added 2016/05/27 4:01 p.m. | 113 views

drchrono: Stored XSS via AngularJS Injection

Hi All, I've found a stored XSS vulnerability via an Angular Template Injection in the messages referral address field. Description: After visiting https://1337test.drchrono.com/messages/referrals/contacts/, you can enter new contact information. In the field for the address, if enter 55, when the...

AI score: 0.2 | Exploits: 0
Hacker One | added 2015/08/27 12:00 a.m. | 113 views

Internet Bug Bounty: Use After Free Vulnerability in unserialize() with SplDoublyLinkedList

https://bugs.php.net/bug.php?id=70366...

CVSS: 7.5 | AI score: 8.4 | EPSS: 0.46801 | Exploits: 4
Hacker One | added 2025/02/11 8:22 a.m. | 112 views

Internet Bug Bounty: Possible DoS by memory exhaustion in net/imap

The net-imap gem implemented an IMAP client in Ruby. Versions prior to 0.3.8, 0.4.19, and 0.5.6 contained a vulnerability that could lead to denial of service by memory exhaustion. The vulnerability was caused by the response parser using Range#to_a to convert uid-set data without limiting the...

CVSS: 6.5 | AI score: 6.9 | EPSS: 0.00578 | Exploits: 0
Hacker One | added 2024/06/03 2:51 p.m. | 112 views

Ionity GmbH: HTML injection in swagger UI

A vulnerability was discovered in the Swagger UI that allowed for HTML injection. This vulnerability existed because the application failed to properly sanitize user-supplied input before rendering it in the HTML context. An attacker could have exploited this issue to execute arbitrary scripts in...

AI score: 7.8 | Exploits: 0
Hacker One | added 2023/11/27 11:14 a.m. | 112 views

EXNESS: Unrestricted Access to Celery Flower Instance

The publicly accessible Celery Flower instance allowed unrestricted access, exposing sensitive information, and the ability to manipulate tasks...

AI score: 6.9 | Exploits: 0
Hacker One | added 2021/02/12 1:08 a.m. | 112 views

curl: CVE-2021-22876: Automatic referer leaks credentials

Summary: When using the --referer ';auto' feature the current URL is copied as-is to the referrer header of the subsequent request. The recommendation 1 is to strip these along with the URL fragment. I can imagine this may, in rare cases, result in unwanted/unexpected disclosure of credentials e....

CVSS: 5 | AI score: 6 | EPSS: 0.05301 | Exploits: 1
Hacker One | added 2020/12/08 9:45 p.m. | 112 views

PortSwigger Web Security: HTML Injection in Swing can disclose netNTLM hash or cause DoS

The vulnerability is like an SSRF but on the client side, where an attacker can force an unsolicited hidden request made by Burp Suite when the victim performs some actions. During normal browsing to a website through Burp Suite Pro or Community, if the website makes a request with HTML code in a...

CVSS: 4.3 | EPSS: 0.01149 | Exploits: 1
Total number of security vulnerabilities: 5000