Lucene search
K
HackeroneMost viewed

15371 matches found

Hacker One
Hacker One
added 2016/08/25 1:49 p.m.103 views

Nextcloud: Expired SSL certificate

I would like to inform you that the SSL certificate for www.nextcloud.org is expired at: 24. August 2016 15:03 Thanks...

0.8AI score
Exploits0
Hacker One
Hacker One
added 2016/05/05 3:5 p.m.103 views

Uber: Compromising Atlassian Confluence (team.uberinternal.com) via WordPress (newsroom.uber.com)

This issue has some relevance to most of my previous submissions so I thought it's clearer if I open a new ticket about it. I understood you've intended the various .uber.com WordPress sites to be isolated so that compromising them wouldn't impact Uber's internal network or user data. This has be...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2016/04/06 1:59 p.m.103 views

Uber: Enumerating userIDs with phone numbers

Fyi, this is my second account since the other one r0t is limited to 4 reports and they are all in triage. So about this issue, when a user is on a trip and invites other users to split the fare, the server responds with info about his number, like: Name, UserID and his picture, and info about th...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2016/03/01 4:30 p.m.103 views

Bumble: Password modification without knowing actual password & httpOnly bypass

Two issues: Session cookie is returned in HTML source code of /encounters page, which would allow an XSS attacker to steal it, even if httpOnly is activated. A secret value, present in HTML source code of some api.phtml pages, can be used to modify user's password without knowing actual one...

6.3AI score
Exploits0
Hacker One
Hacker One
added 2016/02/25 6:15 a.m.103 views

Shopify: File name and folder enumeration.

Hello, An attacker can enumerate your sensitive files and folder such as configuration files name via the timezone parameter in cube.csv: GET...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2016/02/14 10:46 a.m.103 views

Gratipay: The POODLE attack (SSLv3 supported) for https://grtp.co/

Websites that support SSLv3 and CBC-mode ciphers are potentially vulnerable to an active MITM Man-in-the-middle attack. This attack, called POODLE, is similar to the BEAST attack and also allows a network attacker to extract the plaintext of targeted parts of an SSL connection, usually cookie dat...

1AI score
Exploits0
Hacker One
Hacker One
added 2015/07/19 10:59 a.m.103 views

Zaption: Open redirect filter bypass

Hi , An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. its possible to bypass your redirect filter using :...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2015/01/21 10:7 p.m.103 views

Mobile Vikings: Insecure crossdomain.xml

Hi, https://mobilevikings.be/crossdomain.xml contains the following xml file: This will make any one able to receive content from https://mobilevikings.be/. More information about this issue is available here: http://gursevkalra.blogspot.nl/2013/08/bypassing-same-origin-policy-with-flash.html Bes...

1.2AI score
Exploits0
Hacker One
Hacker One
added 2023/09/14 2:58 p.m.102 views

curl: CVE-2023-38546: cookie injection with none file

Vulnerability description not provided...

3.7CVSS7.6AI score0.06208EPSS
Exploits0
Hacker One
Hacker One
added 2023/08/29 5:31 p.m.102 views

Internet Bug Bounty: CVE-2023-40195: Apache Airflow Spark Provider Deserialization Vulnerability RCE

Apache Airflow Spark Provider before 4.1.3 was affected by a deserialization vulnerability that allowed remote code execution RCE. Attackers could exploit this vulnerability by configuring a malicious Spark server address through the Airflow UI, which would then manipulate the PySpark clients...

8.8CVSS9AI score0.01413EPSS
Exploits0
Hacker One
Hacker One
added 2023/05/02 1:31 p.m.102 views

inDrive: XSS on terra-6.indriverapp.com

A Cross-Site Scripting XSS vulnerability was discovered on the terra-6.indriverapp.com domain that allowed javascript code execution in users' browsers...

6.4AI score
Exploits0
Hacker One
Hacker One
added 2023/02/28 6:6 p.m.102 views

Internet Bug Bounty: JWT audience claim is not verified

An improper authorization vulnerability existed in all versions of Argo CD starting with v1.8.2, allowing the API to accept certain invalid tokens due to the lack of validation of the audience claim in signed tokens. This could allow an attacker to use a stolen token intended for a different...

9CVSS8.9AI score0.00879EPSS
Exploits0
Hacker One
Hacker One
added 2021/11/17 4:39 p.m.102 views

Acronis: IDOR vulnerability (Price manipulation)

Target: acronis.cz Step to Reproduce 1.Go to acronis.cz 2.buy any product in this case i am going to buy this https://www.acronis.cz/produkt/acronis-cyber-protect-home-office/ for test 3.fill up details 4.go to burpsuite turn on intercept 5.click on buy now 6.check request in intercept change pri...

0.8AI score
Exploits0
Hacker One
Hacker One
added 2021/07/16 10:17 a.m.102 views

Ian Dunn: Multiple server ssh usernames leaked in your github repository

hi security team,while searching on github,I have found multiple ssh usernames that belongs to your organization are exposed in the organization github repository STEPS TO REPRODUCE:- 1.Go to this repository. you will see the leaked multiple server ssh usernames...

7.2AI score
Exploits0
Hacker One
Hacker One
added 2021/05/22 8:12 p.m.102 views

Clario: rXSS on https://mackeeperapp.mackeeper.com/landings/download-blue/

Summary: Founded XSS on https://mackeeperapp.mackeeper.com/landings/download-blue/ PoC https://mackeeperapp.mackeeper.com/landings/download-blue/?affid=b450fb80-0136-11eb-a01d-50cf6001b201-zzb&epayId=;alertdocument.domain;//&guid=xxx Impact An attacker can run any malicious javascript code on a...

1AI score
Exploits0
Hacker One
Hacker One
added 2021/02/14 5:5 p.m.102 views

GitLab: Stored DOM XSS via Mermaid chart

Prologue Gitlab supports Mermaid as part of GFM to allow users to generate diagrams and flowcharts from text. In version 8.6.0, Mermaid added a support of directives to add more control over stylesthemes applied to the diagrams. You can read more about how this works here:...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2021/01/24 10:53 a.m.102 views

FetLife: Stored XSS via `Create a Fetish` section.

The reporter pointed out that the fetish field for creating new fetishes on FetLife was vulnerable to a stored XSS exploit, after creating a fetish for which this exploit was used the contents would execute whenever people added the fetish to their profile and attempted to edit the fetish through...

6.3AI score
Exploits0
Hacker One
Hacker One
added 2021/01/21 4:36 p.m.102 views

Revive Adserver: Reflected XSS on /admin/userlog-index.php

I found a reflected XSS attack on /admin/userlog-index.php. Revive-Adserver version is revive-adserver-5.1.0. - Go to...

4.3CVSS2.8AI score0.22064EPSS
Exploits2
Hacker One
Hacker One
added 2021/01/18 2:2 p.m.102 views

CS Money: Able to upload backgrounds before entering 2FA

Summary: Hi Team, I am able to see and use uploaded backgrounds and able to upload new ones without proper authentication of 2FA. I hope you remember this report 993786. Steps To Reproduce: 1. Login with a steam account and enable 2FA. 1. Now logout your account. Clear all the cookies. 1. Now aga...

1.1AI score
Exploits0
Hacker One
Hacker One
added 2020/12/04 4:48 p.m.102 views

GitHub Security Lab: Java : add fastjson detection. Improve RemoteFlowSource class, support SpringMvc

This bug was reported directly to GitHub Security Lab...

2.2AI score
Exploits0
Hacker One
Hacker One
added 2020/11/13 1:54 p.m.102 views

Shopify: XSS stored in the Shopify Email app

step: 1、install app Shopify Email F1076928 2、Click General under Settings 3、Change phone number to 1234567" F1076939 4、Open shopify email app and create an email 5、Show phone number F1076940 6、watch the vedio poc for more information Impact store xss...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2020/09/23 3:49 p.m.102 views

CS Money: Bypass restrict of member subscription to use custom background in https://3d.cs.money without prime subscription

Summary: In website https://3d.cs.money you need to subscribe prime to have a custom background for skin F999661 But with this vulnerability, we can use custom background without any fee required Steps To Reproduce: add details for how we can reproduce the issue - Grab a build of skin - Save it...

Exploits0
Hacker One
Hacker One
added 2020/09/18 12:53 p.m.102 views

Stripo Inc: weak password poilicy in signup password leak to account takeover

Summary: add summary of the vulnerability i create account with weak password Steps To Reproduce: add details for how we can reproduce the issue 1.i create account with weak password qwerty123 2- account create done without validation 3- it should have protected users from attack and have policy...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2020/09/17 1:5 a.m.102 views

GitHub Security Lab: Java : add MongoDB injection sinks

This bug was reported directly to GitHub Security Lab...

1.2AI score
Exploits0
Hacker One
Hacker One
added 2020/08/01 3:56 p.m.102 views

Dropcontact: Unrestricted File Upload on https://app.dropcontact.io/app/upload/

hi team, I found Unrestricted File Upload Vulnerabilities on https://app.dropcontact.io/app/upload/. Steps To Reproduce: 1. Create an account in https://app.dropcontact.io/app/ 1. go to https://app.dropcontact.io/app/upload/ 1. try to upload html file , you will see message only : .csv, .txt, .xl...

7AI score
Exploits0
Hacker One
Hacker One
added 2020/07/07 7:39 p.m.102 views

Kubernetes: Fake email from <any_name>@kubernetes.io to any other email

Hi, I just found an issue No Valid SPF Records in your mail server @kubernetes.io Desciprition : There is a email spoofing vulnerability.Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2020/06/04 4:13 p.m.102 views

Open-Xchange: Null pointer deference in call to `mail_get_flags`

run test suite on following input require "vnd.dovecot.testsuite"; require "fileinto"; require "imap4flags"; require "mailbox"; testset "message" text: Subject: Test message. Test message. . ; test "Flag changes between stores" fileinto :create "FolderA"; if not testresultexecute testfail "failed...

1.6AI score
Exploits0
Hacker One
Hacker One
added 2020/06/03 4:59 p.m.102 views

h1-ctf: [H1-2006 2020] "Swiss Cheese" design style leads to helping Mårten Mickos pay poor hackers

Summary: Several vulnerabilities in the bountypay application leads to unauthorised access, information disclosure, SSRF and other fun stuff. Steps To Reproduce: This is how I helped Mårten Mickos pay the poor hackers who had been waiting so long for their bounties. First part: Web I started by...

6.5AI score
Exploits0
Hacker One
Hacker One
added 2020/06/03 2:52 p.m.102 views

h1-ctf: [H1-2006 2020] Multiple vulnerabilities lead to CEO account takeover and paid bounties

Summary: 1. A publicly accessible logfile discloses a user's credentials 2. Weak 2FA implementation allows user account takeover 3. Path injection in user's cookie allows SSRF, bypassing the IP restriction to list available builds on https://software.bountypay.h1ctf.com/ 4. API token leak in...

7.6AI score
Exploits0
Hacker One
Hacker One
added 2020/03/05 5:30 p.m.102 views

Node.js: Node.js: TLS session reuse can lead to hostname verification bypass

The Node.js TLS library supports client side reuse of TLS sessions when multiple connections to the same server are opened. Code that wants to use this feature can listen for the 'session' event https://nodejs.org/api/tls.htmltlseventsession on a tls.TLSSocket to get notified of newly created TLS...

5.8CVSS7.3AI score0.06065EPSS
Exploits1
Hacker One
Hacker One
added 2020/02/21 6:5 p.m.102 views

GitLab: Email notification about login email changed is not received when using verified linked email address

Summary In https://gitlab.com/profile, user can update the email id to use for login to gitlab account using field "Email". Usually, when this login email id is updated, there will be 2 email sent on previous email Id with subjects as. Email 1 - Email Changed:- This tell that login email has been...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2019/11/01 11:26 a.m.102 views

New Relic: [Bypass] Code injection to open redirect in https://insights.newrelic.com/accounts/2521182/dashboards/1026927

INTRODUCES: Overcoming mechanism of controlling url insertion, redirecting users to fake pages STEPS: Payload: Add dashboard note and insert code malicious. Code : Click link to view note detail : Impact Redirecting users to malicious pages, stealing user information such as fake scripts and user...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2019/09/21 4:13 a.m.102 views

Razer: Race Condition in Oauth 2.0 flow can lead to malicious applications create multiple valid sessions

The tester discovered a flaw in the Razer ID authentication system that could allow multiple access tokens. This was a minor issue but could theoretically have led to extended access due to unexpired tokens. Razer thanks the tester for their diligence. Here is a write-up for similar bug:...

1.2AI score
Exploits0
Hacker One
Hacker One
added 2019/07/10 9:16 p.m.102 views

OLX: SQL Injection on https://www.olx.co.id

I found the SQL Injection on the website https://www.olx.co.id Affectected URL : https://www.olx.co.id/ajax/buybundle/getbundle/ POC: 1 In this below request i got SQL injection vulnerability in location parameter post method POST /ajax/buybundle/getbundle/ HTTP/1.1 Host: www.olx.co.id User-Agent...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2019/01/19 9:7 p.m.102 views

Starbucks: Information Exposure Through an Error Message at news.starbucks.com

I've discovered Information Exposure Through an Error Message on your system POC link: https://news.starbucks.com/cms/index.php?/cp/login/forgottenpasswordform=http://evil.com/?id=test-test Vulnerable url --...

0.6AI score
Exploits0
Hacker One
Hacker One
added 2018/10/15 11:12 p.m.102 views

PayPal: [PayPal Android] Remote theft of user session using push_notification_webview deeplink

A deeplink feature built into the PayPal Android application failed to validate the requested endpoint. A specifically crafted request from a website or separate app on the device could call the deeplink and direct traffic to any destination. While the impact was limited by compensating controls,...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2018/05/23 7:11 a.m.102 views

Node.js third-party modules: Samlify is vulnerable to signature wrapping

I would like to report a signature wrapping weakness in samlify It allows an attacker to modify a SAML token received from the IdP before validating it with the service provider Module module name: samlify version: 2.3.7 npm page: https://www.npmjs.com/package/samlify Module Description Highly...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2018/03/24 3:6 a.m.102 views

U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website

SUMMARY: ==================== This report describes a vulnerability similar to that described in my other reports 329376, 329397, 329399 The DoD https://████/psc/EXPROD/ Web System uses the Oracle PeopleSoft platform which is vulnerable to Remote Code Execution RCE and Denial of Service Attacks D...

7.5CVSS0.4AI score0.43492EPSS
Exploits4
Hacker One
Hacker One
added 2017/12/19 9:8 p.m.102 views

GitLab: Evaluating Ruby code by injecting Rescue job on the system_hook_push queue through web hook

The secret token field of a webhook is vulnerable to a new line injection, allowing an attacker to inject non-HTTP commands in a TCP stream. When a GitLab instance is configured with an external Redis instance, e.g. on 127.0.0.1:6379, it may result in arbitrary code execution on a Sidekiq worker ...

7.5CVSS0.1AI score0.05705EPSS
Exploits0
Hacker One
Hacker One
added 2017/08/03 11:54 a.m.102 views

Uber: Possibility to inject a malicious JavaScript code in any file on tags.tiqcdn.com results in a stored XSS on any page in most Uber domains

When creating new tags on Tealium, the application did not check that the user creating the tag had authorized as the same account they were creating a tag for. It was possible for an attacker to inject arbitrary content into a web page using the utag.js tag. Depending on how the victim implement...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2017/07/12 11:21 a.m.102 views

X (Formerly Twitter): XXE on sms-be-vip.twitter.com in SXMP Processor

Hi team, What type of issue are you reporting? Does it align to a CWE or OWASP issue? I've identified an XXE vulnerability in the cloudhopper sxmp servlet on sms-be-vip.twitter.com which discloses local files to an external attacker and allows web requests to be sent. This aligns to...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2017/01/16 5:58 a.m.102 views

Nextcloud: HTTP-Basic Authentication on logs.nextcloud.com

Greetings, While visiting https://logs.nextcloud.com/ , I noticed that this server use HTTP-Basic Authentication. F152730 POC : ------ GET https://logs.nextcloud.com/ HTTP/1.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.11; rv:50.0 Gecko/20100101 Firefox/50.0 Accept:...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2016/05/12 5:56 a.m.102 views

Internet Bug Bounty: Bleichenbacher oracle in SSLv2 (CVE-2016-0704)

I'm retroactively submitting CVE-2016-0704, a.k.a. "Leaky Export", which is a Bleichenbacher-style bug that leads to another variant of the Special DROWN attack. I'm submitting on behalf of myself and J. Alex Halderman, as we independently found this bug. This was validated by OpenSSL as...

4.3CVSS7.8AI score0.06903EPSS
Exploits0
Hacker One
Hacker One
added 2016/02/17 1:8 p.m.102 views

Zendesk: Chat History CSV Export Excel Injection Vulnerability

I have found a vulnerability in the Chat History export function. If an attacker submits a special name containing a system command when chatting with an agent and that agent later exports the history of that chat to CSV, the resulting CSV may execute commands when opened. I have tested this usin...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2015/10/04 9:38 p.m.102 views

Shopify: customers password hash leak!!!!

An endpoint in the Draft Order feature would return a serialized version of the Customer that contained the account password hashed and salted as well as the last password reset token when available...

2.4AI score
Exploits0
Hacker One
Hacker One
added 2015/07/22 12:14 p.m.102 views

ok.ru: http://217.20.144.201 privilege escalation in apache tomcat SessionEample-script

Tomcat Servlet Examples application was accessible at wmf.ok.ru which leaved ok.ru vulnerable to cookie manipulation http://lab.onsec.ru/2013/03/tomcat-servlet-examples-threats.html and whatever else vulnerability Servlet Examples might contain...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2015/05/28 12:0 a.m.102 views

Internet Bug Bounty: Null pointer dereference in phar_get_fp_offset()

https://bugs.php.net/bug.php?id=69720...

6.8CVSS8.3AI score0.10288EPSS
Exploits0
Hacker One
Hacker One
added 2015/04/10 7:33 a.m.102 views

Shopify: Lack of SSL Pinning on POS Application ( iOS )

Description Given that this is a POS application and handle CHD, cryptographic security is of most importance. Applications such as Square, Amazons POS, etc. have already implemented this. The iOS application is correctly checking for SSL certs using the os keychain, but due to the lack of checki...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2024/11/08 1:10 a.m.101 views

curl: CVE-2024-11053: netrc + redirect credential leak

CVE-2024-11053 was a logic flaw in Curl that resulted in a credential leak during redirects. The issue was caused by the way Curl processed netrc credentials when performing redirects. Under certain conditions, the redirect passed along credentials specified for the original host to the redirecti...

3.4CVSS3.7AI score0.01351EPSS
Exploits1
Hacker One
Hacker One
added 2023/09/25 5:8 p.m.101 views

U.S. Dept Of Defense: Information Disclosure FrontPage Configuration Information

An information disclosure vulnerability was discovered in the Microsoft FrontPage configuration of a subdomain. This vulnerability allowed an attacker to view the version number and scripting paths of Sharepoint using Firefox...

6.2AI score
Exploits0
Total number of security vulnerabilities5000