Hackerone: most viewed

15306 matches found

Hacker One
added 2021/01/21 4:36 p.m., 100 views

Revive Adserver: Reflected XSS on /admin/userlog-index.php

I found a reflected XSS attack on /admin/userlog-index.php. Revive-Adserver version is revive-adserver-5.1.0. - Go to...

CVSS 4.3 | AI score 2.8 | EPSS 0.22064
Exploits: 2
Hacker One
added 2020/11/20 12:12 p.m., 100 views

Internet Bug Bounty: Some build dependencies are downloaded over an insecure channel (without subsequent integrity checks)

Summary: Build jobs mingw64 | openssl-1.1.1d and mingw32 | openssl-1.0.2u download dependencies from build.openvpn.net and www.oberhumer.com over an insecure channel (http, not https) and do not check their integrity in any way. This opens the door to person-in-the-middle attacks, whereby an attacke...

AI score 7
Exploits: 0
Hacker One
added 2020/10/10 11:20 a.m., 100 views

Weblate: Reset password cookie leads to account takeover

Hi, there are 3 issues in this report that lead to account takeover. 1- When the user requests a reset password link, the server sends a link to the user via email; when the user clicks on the link for the first time it redirects to the Reset password page, but if the user closes the browser or tab and clicks again ...

AI score 0.3
Exploits: 0
Hacker One
added 2020/09/23 3:49 p.m., 100 views

CS Money: Bypass restriction of member subscription to use custom background in https://3d.cs.money without prime subscription

Summary: On the website https://3d.cs.money you need to subscribe to prime to have a custom background for a skin. F999661 But with this vulnerability, we can use a custom background without any fee required. Steps To Reproduce: add details for how we can reproduce the issue - Grab a build of skin - Save it...

Exploits: 0
Hacker One
added 2020/09/11 2:34 p.m., 100 views

Bitwarden: Rate limits too low for email 2FA

NO RATE LIMIT ON 2FA CAN LEAD TO ACCOUNT COMPROMISE! 1. Create an account on vault.bitwarden.com if you don't have one. 2. Set up 2FA via email. 3. Log out and log in again. This time, along with the password, you have to fill in the 2FA code which is sent to the email. 4. Type any random number, intercept the request wit...

AI score 3.4
Exploits: 0
Hacker One
added 2020/08/01 3:56 p.m., 100 views

Dropcontact: Unrestricted File Upload on https://app.dropcontact.io/app/upload/

Hi team, I found Unrestricted File Upload vulnerabilities on https://app.dropcontact.io/app/upload/. Steps To Reproduce: 1. Create an account in https://app.dropcontact.io/app/ 2. Go to https://app.dropcontact.io/app/upload/ 3. Try to upload an html file; you will see the message only: .csv, .txt, .xl...

AI score 7
Exploits: 0
Hacker One
added 2020/07/11 9:51 p.m., 100 views

X (Formerly Twitter): Denial of Service [Chrome]

Hi Team, Summary: I encountered such an error while creating a new account: F903872 But I don't remember where I found this last point. I remember only when I was a new member. I created a url using the load %xx as in 500686 reports as follows. https://twitter.com/i/flow/%00 I got a result like t...

AI score 6.7
Exploits: 0
Hacker One
added 2020/07/03 4:42 p.m., 100 views

Mail.ru: Improper Restriction of Excessive Authentication Attempts at https://mirror.w1.dwar.ru/login.php

Password at dwar.ru was not sufficiently protected against brute force...

AI score 1.8
Exploits: 0
Hacker One
added 2020/06/11 5:00 a.m., 100 views

h1-ctf: [h1-2006 2020] Writeup h12006 CTF

^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Impact...

AI score 2.6
Exploits: 0
Hacker One
added 2020/06/04 4:13 p.m., 100 views

Open-Xchange: Null pointer dereference in call to `mail_get_flags`

run test suite on following input require "vnd.dovecot.testsuite"; require "fileinto"; require "imap4flags"; require "mailbox"; testset "message" text: Subject: Test message. Test message. . ; test "Flag changes between stores" fileinto :create "FolderA"; if not testresultexecute testfail "failed...

AI score 1.6
Exploits: 0
Hacker One
added 2020/06/03 4:59 p.m., 100 views

h1-ctf: [H1-2006 2020] "Swiss Cheese" design style leads to helping Mårten Mickos pay poor hackers

Summary: Several vulnerabilities in the bountypay application lead to unauthorised access, information disclosure, SSRF and other fun stuff. Steps To Reproduce: This is how I helped Mårten Mickos pay the poor hackers who had been waiting so long for their bounties. First part: Web I started by...

AI score 6.5
Exploits: 0
Hacker One
added 2020/06/03 2:52 p.m., 100 views

h1-ctf: [H1-2006 2020] Multiple vulnerabilities lead to CEO account takeover and paid bounties

Summary: 1. A publicly accessible logfile discloses a user's credentials 2. Weak 2FA implementation allows user account takeover 3. Path injection in user's cookie allows SSRF, bypassing the IP restriction to list available builds on https://software.bountypay.h1ctf.com/ 4. API token leak in...

AI score 7.6
Exploits: 0
Hacker One
added 2020/03/05 5:30 p.m., 100 views

Node.js: Node.js: TLS session reuse can lead to hostname verification bypass

The Node.js TLS library supports client side reuse of TLS sessions when multiple connections to the same server are opened. Code that wants to use this feature can listen for the 'session' event https://nodejs.org/api/tls.htmltlseventsession on a tls.TLSSocket to get notified of newly created TLS...

CVSS 5.8 | AI score 7.3 | EPSS 0.06485
Exploits: 1
Hacker One
added 2020/02/21 6:05 p.m., 100 views

GitLab: Email notification about login email changed is not received when using verified linked email address

Summary: In https://gitlab.com/profile, a user can update the email id used for login to the gitlab account using the field "Email". Usually, when this login email id is updated, there will be 2 emails sent to the previous email id with subjects as follows. Email 1 - Email Changed: This tells that the login email has been...

AI score 6.7
Exploits: 0
Hacker One
added 2020/01/29 1:01 a.m., 100 views

Razer: AWS subdomain Takeover at estore.razersynapse.com

The tester discovered the razersynapse.com domain was vulnerable to a subdomain takeover. Although this is out of scope of our program, we appreciate the tester bringing this to our attention...

AI score 2.5
Exploits: 0
Hacker One
added 2019/11/01 11:26 a.m., 100 views

New Relic: [Bypass] Code injection to open redirect in https://insights.newrelic.com/accounts/2521182/dashboards/1026927

INTRODUCES: Overcoming the mechanism controlling url insertion, redirecting users to fake pages. STEPS: Payload: Add a dashboard note and insert malicious code. Code: Click link to view note detail: Impact: Redirecting users to malicious pages, stealing user information such as fake scripts and user...

AI score 0.5
Exploits: 0
Hacker One
added 2019/10/29 3:37 p.m., 100 views

Zomato: [www.zomato.com] Blind XSS on one of the Admin Dashboards

Thanks for the report @pandaaaa. The Blind XSS fired when the order details were viewed by the admin at the back-end. The script was injected through an API endpoint from the Zomato app on one of the parameters which was recently introduced to provide special instructions to the restaurant on how...

AI score 0.1
Exploits: 0
Hacker One
added 2019/09/21 4:13 a.m., 100 views

Razer: Race Condition in OAuth 2.0 flow can lead to malicious applications creating multiple valid sessions

The tester discovered a flaw in the Razer ID authentication system that could allow multiple access tokens. This was a minor issue but could theoretically have led to extended access due to unexpired tokens. Razer thanks the tester for their diligence. Here is a write-up for a similar bug:...

AI score 1.2
Exploits: 0
Hacker One
added 2019/04/11 9:12 a.m., 100 views

Coda: Lack of Origin check leads to Cross-Site WebSocket Hijacking (CSWSH)

Summary: @fisher discovered a CSRF-related vulnerability in Coda docs by which an attacker could craft a convincing page that would make modifications to a specific document without the victim knowing. This is due to the inherent nature of WebSockets not being secure by default. Although a...

AI score 0.3
Exploits: 0
Hacker One
added 2019/01/19 9:07 p.m., 100 views

Starbucks: Information Exposure Through an Error Message at news.starbucks.com

I've discovered Information Exposure Through an Error Message on your system. POC link: https://news.starbucks.com/cms/index.php?/cp/login/forgottenpasswordform=http://evil.com/?id=test-test Vulnerable url --...

AI score 0.6
Exploits: 0
Hacker One
added 2018/10/15 11:12 p.m., 100 views

PayPal: [PayPal Android] Remote theft of user session using push_notification_webview deeplink

A deeplink feature built into the PayPal Android application failed to validate the requested endpoint. A specifically crafted request from a website or separate app on the device could call the deeplink and direct traffic to any destination. While the impact was limited by compensating controls,...

AI score 1.4
Exploits: 0
Hacker One
added 2018/03/24 3:06 a.m., 100 views

U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website

SUMMARY: ==================== This report describes a vulnerability similar to that described in my other reports 329376, 329397, 329399. The DoD https://████/psc/EXPROD/ Web System uses the Oracle PeopleSoft platform which is vulnerable to Remote Code Execution (RCE) and Denial of Service Attacks (D...

CVSS 7.5 | AI score 0.4 | EPSS 0.43492
Exploits: 4
Hacker One
added 2017/12/19 9:08 p.m., 100 views

GitLab: Evaluating Ruby code by injecting Rescue job on the system_hook_push queue through web hook

The secret token field of a webhook is vulnerable to a new line injection, allowing an attacker to inject non-HTTP commands in a TCP stream. When a GitLab instance is configured with an external Redis instance, e.g. on 127.0.0.1:6379, it may result in arbitrary code execution on a Sidekiq worker ...

CVSS 7.5 | AI score 0.1 | EPSS 0.05705
Exploits: 0
Hacker One
added 2017/08/26 4:54 a.m., 100 views

GSA Bounty: Server Side Misconfiguration (EMAIL SPOOFING)

Hi team, Bug Type: Server Security Misconfiguration, Mail Server Misconfiguration, Missing SPF on Email Domain. Weakness: Improper Authentication. Description: I observed this when I sent an email from [email protected] through http://emkei.cz/ to the email [email protected] and afte...

AI score 7
Exploits: 0
Hacker One
added 2017/08/03 11:54 a.m., 100 views

Uber: Possibility to inject a malicious JavaScript code in any file on tags.tiqcdn.com results in a stored XSS on any page in most Uber domains

When creating new tags on Tealium, the application did not check that the user creating the tag had authorized as the same account they were creating a tag for. It was possible for an attacker to inject arbitrary content into a web page using the utag.js tag. Depending on how the victim implement...

AI score 0.4
Exploits: 0
Hacker One
added 2017/07/12 11:21 a.m., 100 views

X (Formerly Twitter): XXE on sms-be-vip.twitter.com in SXMP Processor

Hi team, What type of issue are you reporting? Does it align to a CWE or OWASP issue? I've identified an XXE vulnerability in the cloudhopper sxmp servlet on sms-be-vip.twitter.com which discloses local files to an external attacker and allows web requests to be sent. This aligns to...

AI score 6.7
Exploits: 0
Hacker One
added 2017/03/31 12:18 p.m., 100 views

Udemy: sweet32

Hello, I have found a new attack against the 3DES-CBC cipher in TLS, in which customer data can be decrypted using a method called the SWEET32 Birthday Attack. This vulnerability has CVE-2016-2183 and a CVSS score of 5.0. In the attachment you will see a screenshot of the vulnerability confirmation by an nmap script. Mitigation for SWEET3...

CVSS 5 | AI score 7.7 | EPSS 0.95707
Exploits: 7
Hacker One
added 2017/01/16 5:58 a.m., 100 views

Nextcloud: HTTP-Basic Authentication on logs.nextcloud.com

Greetings, While visiting https://logs.nextcloud.com/, I noticed that this server uses HTTP-Basic Authentication. F152730 POC: ------ GET https://logs.nextcloud.com/ HTTP/1.1 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.11; rv:50.0 Gecko/20100101 Firefox/50.0 Accept:...

AI score 0.4
Exploits: 0
Hacker One
added 2016/05/12 5:56 a.m., 100 views

Internet Bug Bounty: Bleichenbacher oracle in SSLv2 (CVE-2016-0704)

I'm retroactively submitting CVE-2016-0704, a.k.a. "Leaky Export", which is a Bleichenbacher-style bug that leads to another variant of the Special DROWN attack. I'm submitting on behalf of myself and J. Alex Halderman, as we independently found this bug. This was validated by OpenSSL as...

CVSS 4.3 | AI score 7.8 | EPSS 0.06903
Exploits: 0
Hacker One
added 2016/05/05 3:05 p.m., 100 views

Uber: Compromising Atlassian Confluence (team.uberinternal.com) via WordPress (newsroom.uber.com)

This issue has some relevance to most of my previous submissions so I thought it's clearer if I open a new ticket about it. I understood you've intended the various .uber.com WordPress sites to be isolated so that compromising them wouldn't impact Uber's internal network or user data. This has be...

AI score 0.1
Exploits: 0
Hacker One
added 2016/02/17 1:08 p.m., 100 views

Zendesk: Chat History CSV Export Excel Injection Vulnerability

I have found a vulnerability in the Chat History export function. If an attacker submits a special name containing a system command when chatting with an agent and that agent later exports the history of that chat to CSV, the resulting CSV may execute commands when opened. I have tested this usin...

AI score 0.2
Exploits: 0
Hacker One
added 2015/10/04 9:38 p.m., 100 views

Shopify: customers' password hash leak!!!!

An endpoint in the Draft Order feature would return a serialized version of the Customer that contained the account password hashed and salted as well as the last password reset token when available...

AI score 2.4
Exploits: 0
Hacker One
added 2015/07/22 12:14 p.m., 100 views

ok.ru: http://217.20.144.201 privilege escalation in apache tomcat SessionExample-script

The Tomcat Servlet Examples application was accessible at wmf.ok.ru, which left ok.ru vulnerable to cookie manipulation http://lab.onsec.ru/2013/03/tomcat-servlet-examples-threats.html and whatever other vulnerability Servlet Examples might contain...

AI score 1.3
Exploits: 0
Hacker One
added 2015/04/10 7:33 a.m., 100 views

Shopify: Lack of SSL Pinning on POS Application ( iOS )

Description: Given that this is a POS application and handles CHD, cryptographic security is of utmost importance. Applications such as Square, Amazon's POS, etc. have already implemented this. The iOS application is correctly checking for SSL certs using the OS keychain, but due to the lack of checki...

AI score 6.6
Exploits: 0
Hacker One
added 2015/01/21 10:07 p.m., 100 views

Mobile Vikings: Insecure crossdomain.xml

Hi, https://mobilevikings.be/crossdomain.xml contains the following xml file: This will make anyone able to receive content from https://mobilevikings.be/. More information about this issue is available here: http://gursevkalra.blogspot.nl/2013/08/bypassing-same-origin-policy-with-flash.html Bes...

AI score 1.2
Exploits: 0
Hacker One
added 2024/11/08 1:10 a.m., 99 views

curl: CVE-2024-11053: netrc + redirect credential leak

CVE-2024-11053 was a logic flaw in Curl that resulted in a credential leak during redirects. The issue was caused by the way Curl processed netrc credentials when performing redirects. Under certain conditions, the redirect passed along credentials specified for the original host to the redirecti...

CVSS 3.4 | AI score 3.7 | EPSS 0.01351
Exploits: 1
Hacker One
added 2023/09/14 2:58 p.m., 99 views

curl: CVE-2023-38546: cookie injection with none file

Vulnerability description not provided...

CVSS 3.7 | AI score 7.6 | EPSS 0.06208
Exploits: 0
Hacker One
added 2023/08/29 5:31 p.m., 99 views

Internet Bug Bounty: CVE-2023-40195: Apache Airflow Spark Provider Deserialization Vulnerability RCE

Apache Airflow Spark Provider before 4.1.3 was affected by a deserialization vulnerability that allowed remote code execution (RCE). Attackers could exploit this vulnerability by configuring a malicious Spark server address through the Airflow UI, which would then manipulate the PySpark clients...

CVSS 8.8 | AI score 9 | EPSS 0.01413
Exploits: 0
Hacker One
added 2022/09/02 7:03 p.m., 99 views

Node.js: Weak randomness in WebCrypto keygen

https://github.com/nodejs/node/pull/35093 introduced a call to EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: 1. It does not check the return value, it assumes EntropySource always succeeds, but it can and sometimes will fail. 2. The...

CVSS 6.4 | AI score 9.2 | EPSS 0.0187
Exploits: 1
Hacker One
added 2022/05/30 4:12 p.m., 99 views

Yelp: installed.json sensitive file was publicly accessible on your web application which discloses information about authors and admins

Kindly, if you don't accept this issue please close it as informative, thanks in advance. Description: The installed.json file is a sensitive file and it was publicly accessible on your webserver, which discloses some information about your web site and users such as authors like admin as shown...

AI score 0.4
Exploits: 0
Hacker One
added 2022/05/05 11:54 p.m., 99 views

Phabricator: Possible to make restricted files public on Phabricator via Diffusion

Files on Phabricator are always viewable to a user if they are attached to an object that they can view. It seems Phabricator does check if you can view a file before allowing you to attach it. If you don't have access to the file, it will just look like this F99999999999 in plaintext. It seems...

AI score 2.3
Exploits: 0
Hacker One
added 2021/05/13 1:59 p.m., 99 views

Kaspersky: No Rate Limit On Forgot Password Page

Reported security issue allowed a potential attacker to abuse the password recovery option on our My Kaspersky portal for mass sending of password recovery messages. This was fixed with a password reset throttling feature to protect our service from its abuse by third parties. Note that this...

AI score 3.6
Exploits: 0
Hacker One
added 2021/02/14 5:05 p.m., 99 views

GitLab: Stored DOM XSS via Mermaid chart

Prologue: GitLab supports Mermaid as part of GFM to allow users to generate diagrams and flowcharts from text. In version 8.6.0, Mermaid added support for directives to add more control over the styles/themes applied to the diagrams. You can read more about how this works here:...

AI score 0.3
Exploits: 0
Hacker One
added 2021/01/24 10:53 a.m., 99 views

FetLife: Stored XSS via `Create a Fetish` section.

The reporter pointed out that the fetish field for creating new fetishes on FetLife was vulnerable to a stored XSS exploit; after creating a fetish for which this exploit was used, the contents would execute whenever people added the fetish to their profile and attempted to edit the fetish through...

AI score 6.3
Exploits: 0
Hacker One
added 2020/11/30 3:28 p.m., 99 views

Stripo Inc: Non-revoked API Key Disclosure in a Disclosed API Key Disclosure Report on Stripo

Summary: Can you imagine discovering an API key disclosure vulnerability in a disclosed API key disclosure report? The same thing is what I came across while going through the disclosed reports at Stripo Inc. Plus, the disclosed API key isn't even revoked, and therefore I am still able to use the...

AI score 6.7
Exploits: 0
Hacker One
added 2020/09/17 1:05 a.m., 99 views

GitHub Security Lab: Java : add MongoDB injection sinks

This bug was reported directly to GitHub Security Lab...

AI score 1.2
Exploits: 0
Hacker One
added 2020/08/31 3:56 p.m., 99 views

U.S. Dept Of Defense: Reflected XSS on ███████

Summary: Reflected Cross-site Scripting (XSS) on ████leaving.html?url=%22%3E%3Cscript%3Ealertdocument.domain%3C/script%3E Steps To Reproduce: 1. Navigate to ███leaving.html?url= 2. Enter a crafted XSS payload like "alert"xss by nagli" 3. Alert will pop :- █████████ How can the system be exploited wit...

AI score 1.7
Exploits: 0
Hacker One
added 2020/08/09 8:56 p.m., 99 views

BugPoC: DOM based Cross-site Scripting

Summary: The postMessage API is an alternative to JSONP, XHR with CORS headers and other methods enabling sending data between origins. It was introduced with HTML5 and like many other cross-document features it can be a source of client-side vulnerabilities. Steps To Reproduce: Visit -...

Exploits: 0
Hacker One
added 2020/07/07 7:39 p.m., 99 views

Kubernetes: Fake email from <any_name>@kubernetes.io to any other email

Hi, I just found an issue: No Valid SPF Records in your mail server @kubernetes.io. Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email...

AI score 0.1
Exploits: 0
Hacker One
added 2020/02/24 1:54 a.m., 99 views

Monero: Monero wallet password change is confirmed when not matching

Summary: If you change your wallet password in the gui, the confirmation does not need to match the new password. Releases Affected: list each version and OS of the application affected. Steps To Reproduce: Open your wallet. Go to settings. Change...

AI score 0.6
Exploits: 0
Total number of security vulnerabilities: 5000