
15369 matches found

Hacker One
added 2021/01/10 12:38 p.m., 95 views

Doppler VDP: Limited access to billing dashboard by Admin and Collaborator in conflict with user role permissions.

Summary: Hello Team, The admin and collaborator roles aren't supposed to be able to have read access to the billing dashboard. However, a bug was found where both roles have limited read access to the dashboard contrary to Doppler docs. F1151905 Steps To Reproduce: 1. Log in to your...

AI score 0.3
Exploits 0
Hacker One
added 2021/01/06 9:59 a.m., 95 views

Doppler VDP: Owner can change themselves to another Role Mode but the application does not have this function.

Hello team, I have found a Privilege escalation bug in your application. Basically your website doesn't allow the owner to change the role mode for themselves; they can only change the role mode of another user. But I found an authorization bug in your application: if we add the user id of themselves in...

AI score 1.7
Exploits 0
Hacker One
added 2020/12/25 9:57 a.m., 95 views

h1-ctf: [hacky-holidays] Grinch network is down

Flag 1 As always CTF begins with a tweet: F1126838 So we are supposed to start from https://hackyholidays.h1ctf.com/ . The first flag was easy on https://hackyholidays.h1ctf.com/ I found a file named robots.txt which had the following content: User-agent: Disallow: /s3cr3t-ar3a Flag:...

AI score 7
Exploits 0
Hacker One
added 2020/12/11 7:52 p.m., 95 views

VK.com: XSS in the call name

XSS in the call snippet. The vulnerability allowed executing a script on the user's side by calling them...

AI score 6.3
Exploits 0
Hacker One
added 2020/01/21 8:03 a.m., 95 views

Internet Bug Bounty: OOB read in php_strip_tags_ex

This issue is open https://bugs.php.net/bug.php?id=79099&edit=2 You can read about the bug at the link Impact Memory leak or RCE...

CVSS 6.4, AI score 7.1, EPSS 0.07402
Exploits 1
Hacker One
added 2019/12/18 11:12 p.m., 95 views

Nextcloud: Update App Store: Django account hijacking vulnerability

High Severity Framework Security Fix Impact There's a nasty bug that allows accounts to be hijacked. Attackers still can't distribute archives since they are signed but can hijack admin accounts and swap out packages in the admin panel. I've updated the deps, tests work fine locally but you...

AI score 1.5
Exploits 0
Hacker One
added 2019/03/30 2:10 p.m., 95 views

Ruby: Ruby is shipping a vulnerable jQuery

No this isn't a report about the website! Ruby ships Darkfish as part of RDoc https://github.com/ruby/ruby/tree/HEAD/lib/rdoc/generator/template/darkfish https://github.com/ruby/rdoc/tree/master/lib/rdoc/generator/template/darkfish https://github.com/ged/darkfish Darkfish includes jQuery v1.6.4,...

CVSS 4.3, AI score 6.9, EPSS 0.29726
Exploits 6
Hacker One
added 2018/08/23 6:18 p.m., 95 views

DuckDuckGo: SSRF on duckduckgo.com/iu/

Normally, a call to https://duckduckgo.com/iu contains a query parameter u with some path using the domain yimg.com. This call will succeed in most cases. F337121 And if we change that path to something like https://google.com it's rejected. F337118 However, it appears that the check that ensures...

AI score 0.2
Exploits 0
Hacker One
added 2018/03/27 1:21 p.m., 95 views

Node.js third-party modules: [angular-http-server] Server Directory Traversal

I would like to report a Server Directory Traversal vulnerability in angular-http-server. It allows reading local files on the target server. Module module name: angular-http-server version: 1.4.3 npm page: https://www.npmjs.com/package/angular-http-server Module Description A very simple...

AI score 0.4
Exploits 0
Hacker One
added 2017/05/25 7:19 p.m., 95 views

Nextcloud: Shared file link - password protection bypass under certain conditions

Summary An unauthenticated remote attacker can bypass password protection on certain shared file types through the file sharing app's publicpreview.php function. Vulnerable URL http://server/nextcloud/index.php/apps/files_sharing/ajax/publicpreview.php?x=width&y=height&t=share ID Description...

CVSS 5, AI score 0.5, EPSS 0.01068
Exploits 1
Hacker One
added 2015/01/21 12:51 p.m., 95 views

Ruby on Rails: RCE due to Web Console IP Whitelist bypass in Rails 4.0 and 4.1

With the release of Ruby on Rails 4.2 the so called Web Console was introduced. As the Web Console documentation states: Web Console is built explicitly for Rails 4. By default the Web Console is available in the Rails Development Environment and allows only the IPs 127.0.0.1 and ::1 to access th...

AI score 0.2
Exploits 0
Hacker One
added 2014/05/26 1:17 p.m., 95 views

Mail.ru: https://217.69.135.63/rb/: money.mail.ru sources disclosure

Money.mail.ru source code disclosure...

AI score 7.2
Exploits 0
Hacker One
added 2024/07/04 6:47 a.m., 94 views

Internet Bug Bounty: CVE-2024-34750 Apache Tomcat DoS vulnerability in HTTP/2 connector

CVE-2024-34750: Apache Tomcat Denial of Service Vulnerability A vulnerability was discovered in Apache Tomcat versions between 11.0.0-M1 and 11.0.0-M20, 10.1.0-M1 and 10.1.24, and 9.0.0-M1 and 9.0.89. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers...

CVSS 7.5, AI score 7.7, EPSS 0.04602
Exploits 0
Hacker One
added 2024/07/03 7:09 a.m., 94 views

Internet Bug Bounty: important: Apache HTTP Server on Windows UNC SSRF (CVE-2024-38472)

The Apache HTTP Server on Windows contained an SSRF vulnerability CVE-2024-38472 that allowed potential leakage of NTLM hashes to a malicious server. The vulnerability was reported through the official Apache HTTP Server security email on April 1, 2024 and was fixed in version 2.4.60 released on...

CVSS 7.5, AI score 8.4, EPSS 0.6795
Exploits 1
Hacker One
added 2024/05/12 2:53 p.m., 94 views

HackerOne: Bypassing the victim's phone number OTP in the account recovery process on the https://hackerone.com/settings/auth/setup_account_recovery

Vulnerability description not provided...

AI score 7.1
Exploits 0
Hacker One
added 2022/12/26 8:08 p.m., 94 views

Sorare: Mystery with a leaked token and Reusability of email confirmation link leading to Account Takeover

A vulnerability was discovered where leaked email confirmation links could be reused to gain access to a user's account without requiring a password. This was possible by modifying the token parameter in the URL of the expired confirmation link. An attacker who gains access to such a leaked link...

AI score 7.2
Exploits 0
Hacker One
added 2021/06/25 10:01 a.m., 94 views

Glassdoor: Reflected XSS on https://help.glassdoor.com/GD_HC_EmbeddedChatVF

Hi there, I have found the XSS vulnerability at: https://help.glassdoor.com/GD_HC_EmbeddedChatVF Browsers tested: Firefox, Chrome, Edge latest version Steps To Reproduce: Go to: https://help.glassdoor.com/GD_HC_EmbeddedChatVF?FirstName=l0cpd%22;a=alert,b=document.domain,ab// Supporting...

AI score 1.5
Exploits 0
Hacker One
added 2021/04/25 9:38 a.m., 94 views

U.S. Dept Of Defense: Remote Code Execution via Insecure Deserialization in Telerik UI (CVE-2019-18935)

Description: https://██████/██████████/Telerik.Web.UI.WebResource.axd?type=rau is vulnerable to CVE-2017-11317 and CVE-2019-18935, allowing an attacker to upload arbitrary files and gain remote code execution on the underlying system. References...

CVSS 7.5, AI score 0.2, EPSS 0.99737
Exploits 19
Hacker One
added 2021/01/04 2:22 a.m., 94 views

Logitech: Stored XSS on oslo.io in notifications via project name change

Hey Logitech team. Summary: It is possible for an editor on a project to rename a project to a malicious HTML element, which when opened in the notification dropdown will render and fire javascript. Steps To Reproduce: add details for how we can reproduce the issue 1. Invite user to join the...

AI score 1.1
Exploits 0
Hacker One
added 2021/01/03 10:04 a.m., 94 views

Logitech: Manipulating response leads to free access to Streamlabs Prime

Hey team, I have found a cool bug which allows me to get access to streamlabs prime features for free. Here is the api endpoint which checks whether the user has a prime subscription or not: https://streamlabs.com/api/v5/user/prime/subscription json "isactive": false, "ispending": false,...

AI score 6.9
Exploits 0
Hacker One
added 2020/11/06 11:23 a.m., 94 views

BugPoC: Solution for XSS challenge wacky.buggywebsite.com

Summary: Found a HTML injection in https://wacky.buggywebsite.com/frame.html?param=Injected Bypassing CSP : CSP : script-src 'nonce-txjohfomwjdo' 'strict-dynamic'; frame-src 'self'; object-src 'none'; Then found a vuln code in https://wacky.buggywebsite.com/frame.html js window.fileIntegrity =...

AI score 0.3
Exploits 0
Hacker One
added 2020/08/12 4:52 p.m., 94 views

GitHub Security Lab: Java: CWE-798 - Hardcoded AWS credentials

This bug was reported directly to GitHub Security Lab...

AI score 1
Exploits 0
Hacker One
added 2020/07/28 10:03 p.m., 94 views

Shopify: Stored XSS in my staff name fired in another of your internal panels

Hi all, I had lots of tests for bug bounty in my test store "trstore-3.myshopify.com" created about 4 years ago and then one of your developers noticed that a stored cross-site scripting payload in my staff name fired in another of your internal panels. I have attached the email sent to me by your...

AI score 0.8
Exploits 0
Hacker One
added 2020/07/27 7:20 p.m., 94 views

GitHub Security Lab: Python : Add query to detect Server Side Template Injection

This bug was reported directly to GitHub Security Lab...

AI score 1.3
Exploits 0
Hacker One
added 2020/03/03 9:17 a.m., 94 views

Visma Bug Bounty Program: Administration page visible without authentication

A backend system administration interface could be accessed without authorization, but it did not display any data unless the user was correctly logged in...

AI score 3.7
Exploits 0
Hacker One
added 2020/02/07 7:51 p.m., 94 views

X (Formerly Twitter): NO username used in authentication to www.mopub.com leading to direct password submission which has unlimited submission rate.

Summary: user name is not used in authentication leading to direct password submission Description: user name not used in authentication in https://www.mopub.com/login/?next=/dsp-portfolio/ this page is labelled as SITE ADMIN: refer POC can lead to direct submitting of password and this password h...

AI score 7
Exploits 0
Hacker One
added 2020/01/17 1:14 p.m., 94 views

Razer: [press.razer.com] Origin IP found, Cloudflare bypassed

The tester discovered that the press.razer.com site exposed its IP which could allow bypassing of anti-DDoS mechanisms. While minor, Razer does appreciate the report and the tester bringing this to our attention...

AI score 2.4
Exploits 0
Hacker One
added 2019/12/14 7:52 a.m., 94 views

Mail.ru: API method at api.my.games allows to enumerate user emails

API method which allowed to enumerate emails at https://api.my.games/ was not sufficiently protected...

AI score 1.1
Exploits 0
Hacker One
added 2019/10/22 12:06 p.m., 94 views

Node.js third-party modules: Prototype pollution in dot-prop

I would like to report a parameter pollution in dot-prop It allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation DoS, access to sensitive data, RCE. Module module name: dot-prop version: 5.1.1 npm page:...

CVSS 7.5, AI score 0.3, EPSS 0.03079
Exploits 1
Hacker One
added 2019/09/16 7:54 a.m., 94 views

Node.js third-party modules: Path traversal using symlink

I would like to report Path Traversal in statics-server Module module name: statics-server version: 0.0.9 npm page: https://www.npmjs.com/package/statics-server Module Description npm install statics-server -g Go to the folder you want to statics-server Run the server statics-server Module Stats...

CVSS 5, AI score 1.4, EPSS 0.01529
Exploits 1
Hacker One
added 2019/08/25 12:34 p.m., 94 views

Brave Software: Stored XSS in localhost:* via integrated torrent downloader

Summary: Because the filename of the downloading torrent file isn't sanitized, an attacker is able to execute arbitrary JavaScript on localhost:* by abusing a crafted torrent file. Products affected: Brave 0.68.131 Chromium: 76.0.3809.100 Official Build Steps To Reproduce: 1. Open...

CVSS 4.3, AI score 6.3, EPSS 0.01471
Exploits 0
Hacker One
added 2019/08/02 11:02 a.m., 94 views

MyEtherWallet: Malicious Node JavaScript Injection Leading to Theft of Private Keys and User Funds

Summary This vulnerability allows injection of arbitrary JavaScript code by the node that the MyEtherWallet user is connected to. This could be one of the default nodes e.g api.myetherwallet.com, or a custom node. With this code injection, the private key can be stolen if Keystore File or Private...

AI score 7
Exploits 0
Hacker One
added 2019/04/26 9:48 p.m., 94 views

Mail.ru: [authdl.mail.ru] Spoofing IP address

Client IP address could be spoofed via X-Forwarded-For headers in authdl.mail.ru. While no direct impact was identified, this issue could potentially lead to issues with logging, limitations or ABF protection...

AI score 3.5
Exploits 0
Hacker One
added 2019/01/12 12:46 a.m., 94 views

Internet Bug Bounty: imagecolormatch Out Of Bounds Write on Heap

The link to the PHP bug: https://bugs.php.net/bug.php?id=77270 This is possible to exploit in PHP 7.0.33 and 5.6.39. I used this vulnerability to write a local safe mode bypass exploit. It is possible to write up to 1200 bytes over the boundaries of a buffer allocated in the imagecolormatch...

CVSS 6.8, AI score 9.1, EPSS 0.65116
Exploits 7
Hacker One
added 2018/10/30 11:42 a.m., 94 views

Node.js third-party modules: Prototype pollution attack in node.extend

I would like to report a prototype pollution vulnerability in node.extend. It allows an attacker to inject properties on Object.prototype. Module module name: node.extend version: 2.0.0 npm page: https://www.npmjs.com/package/node.extend Module Description A port of jQuery.extend that actually...

CVSS 7.5, AI score 1, EPSS 0.01719
Exploits 1
Hacker One
added 2018/08/22 8:43 a.m., 94 views

HackerOne: DOM Based XSS in www.hackerone.com via PostMessage

Summary: The Marketo contact form available on the www.hackerone.com website is affected by a cross-site scripting vulnerability, caused by an insecure 'message' event listener installed on the page. Whilst this could allow an attacker to execute JavaScript in the context of the www.hackerone.com...

AI score 6.1
Exploits 0
Hacker One
added 2018/02/27 9:14 a.m., 94 views

Internet Bug Bounty: memory corruption while parsing HTTP response

In the network interfacing PHP API file_get_contents, a mechanism is implemented to parse the HTTP/S response from the remote host. A vulnerability is found when the vulnerable PHP build processes certain malformed HTTP/S response packets, resulting in array negative indexing. Vulnerable code at:...

CVSS 7.5, AI score 8.9, EPSS 0.87883
Exploits 3
Hacker One
added 2018/02/14 9:13 a.m., 94 views

X (Formerly Twitter): CVE-2017-15277 on Profile page

Hi security team, Summary: Please refer to 302885 for more details. Uploading a .gif produces significantly different images every time which means the server is leaking information. Steps To Reproduce: 1. Clone https://github.com/neex/gifoeb 2. Generate exploitable gif with ./gifoeb gen 5120x512...

CVSS 4.3, AI score 6.7, EPSS 0.19193
Exploits 4
Hacker One
added 2017/07/07 7:33 a.m., 94 views

Coinbase: Captcha Bypass in Coinbase SignUp Form

Vulnerability description: The g-recaptcha-response is not validated on the server-side when submitting a Signup form to the endpoint. Any or no value can be provided for this header Step to reproduce: 1. https://www.coinbase.com/signup 2. Fill the input field and Validate the captcha. 3. Turn on...

AI score 6.8
Exploits 0
Hacker One
added 2017/07/02 11:04 a.m., 94 views

WakaTime: Missing Account Deletion Notification

Currently, there is no email notification sent out when the account was deleted. I understand it asks for the password to delete but when an attacker somehow gets the credentials, he can only 'read' users data without alarming the user. It would stop him if he knows the user would come to know...

AI score 5
Exploits 0
Hacker One
added 2017/06/30 9:44 p.m., 94 views

WakaTime: Session Not Expired On Logout

Hi Wakatime Security Team, There is a session management vulnerability in your website. i.e. user's session is not expiring immediately after the logout. You can get more information of the vulnerability here -...

AI score 6.7
Exploits 0
Hacker One
added 2017/03/27 10:55 a.m., 94 views

Pornhub: Blind Stored XSS against Pornhub employees using Amateur Model Program

The researcher discovered a stored XSS attack vector via the amateur model settings page on Pornhub. I was able to turn Stored Self-XSS in the MPP Model Payment Program application input form field into the Blind Stored XSS without user interaction against employees who process the MPP...

AI score 5.8
Exploits 0
Hacker One
added 2017/01/17 3:11 a.m., 94 views

VK.com: HTML Injection possible due to bad filter

Hello, I have found an area where it may be possible to run certain HTML/JS scripts. TO REPRODUCE: 1. Go to documents 2. Upload anything and edit it 3. On the edit page in tags, enter code without a closing bracket ex. img src=x 4. Click enter 5. It will be parsed in that area, but after saving i...

AI score 6.3
Exploits 0
Hacker One
added 2016/02/13 4:31 a.m., 94 views

HackerOne: Null byte injection

Hi, I would like to report an issue that I have noticed in https://hackerone.com/users/signin?invitationtoken= . I am not sure if this is a valid security issue, but I have decided to report it anyway and see what you guys think. Details: - When you go to...

AI score 6.7
Exploits 0
Hacker One
added 2016/01/09 12:13 a.m., 94 views

General Motors: reflected XSS on https://gmid.gm.com/gmid/jsp/GMIDInitialLogin.jsp

Reflected Cross Site Scripting existed on a page of gmid.gm.com. The vulnerability has been remediated...

AI score 6.5
Exploits 0
Hacker One
added 2015/04/15 12:00 a.m., 94 views

Internet Bug Bounty: invalid pointer free() in phar_tar_process_metadata()

https://bugs.php.net/bug.php?id=69443...

CVSS 7.5, AI score 7.4, EPSS 0.07697
Exploits 1
Hacker One
added 2025/01/03 10:22 p.m., 93 views

Internet Bug Bounty: Deadlock in x86 HVM standard VGA handling

The Xen hypervisor contained a vulnerability in its handling of standard VGA memory accesses for HVM guests. The locking mechanism used had an unusual discipline that could lead to a deadlock when emulating an instruction with two memory accesses to VGA memory. The vulnerability was acknowledged ...

CVSS 6.5, AI score 7, EPSS 0.00246
Exploits 0
Hacker One
added 2024/03/27 11:54 p.m., 93 views

Internet Bug Bounty: CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc

A remote code execution vulnerability was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. The vulnerability was caused by the lack of restrictions on the classes that could be restored when parsing .rdoc_options as a YAML file. Additionally, object injection and...

CVSS 4.5, AI score 7.9, EPSS 0.01571
Exploits 0
Hacker One
added 2023/08/24 2:00 a.m., 93 views

Internet Bug Bounty: CVE-2023-40273: Session fixation in Apache Airflow web interface

A session fixation vulnerability was discovered in Apache Airflow web interface. This vulnerability allowed an authenticated user to continue accessing the webserver even after their password had been reset by the admin. The issue has been addressed in version 2.7.0 of Apache Airflow...

CVSS 8, AI score 7.7, EPSS 0.01366
Exploits 0
Hacker One
added 2023/03/20 12:36 a.m., 93 views

U.S. Dept Of Defense: Sensitive Data Exposure via wp-config.php file

Sensitive data exposure occurred via the wp-config.php file, which contained confidential information such as MySQL and AWS credentials and various keys. The vulnerability was found on a specific endpoint, and it could potentially provide unauthorized access to sensitive information to users who ...

AI score 6.6
Exploits 0
Total number of security vulnerabilities: 5000