
15369 matches found

Hacker One
added 2016/02/13 4:31 a.m., 94 views

HackerOne: Null byte injection

Hi , I would like to report an issue that I have noticed in https://hackerone.com/users/signin?invitationtoken= . I am not sure if this is a valid security issue , but I have decided to report it anyway and see what you guys think. Details: - When you go to...

AI score: 6.7
Exploits: 0
Hacker One
added 2025/01/03 10:22 p.m., 93 views

Internet Bug Bounty: Deadlock in x86 HVM standard VGA handling

The Xen hypervisor contained a vulnerability in its handling of standard VGA memory accesses for HVM guests. The locking mechanism used had an unusual discipline that could lead to a deadlock when emulating an instruction with two memory accesses to VGA memory. The vulnerability was acknowledged ...

CVSS: 6.5, AI score: 7, EPSS: 0.00246
Exploits: 0
Hacker One
added 2024/03/27 11:54 p.m., 93 views

Internet Bug Bounty: CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc

A remote code execution vulnerability was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. The vulnerability was caused by the lack of restrictions on the classes that could be restored when parsing .rdoc_options as a YAML file. Additionally, object injection and...

CVSS: 4.5, AI score: 7.9, EPSS: 0.01571
Exploits: 0
Hacker One
added 2023/12/20 8:7 p.m., 93 views

EXNESS: GraphQL attribute Batching DOS can take down pwapi.ex2b.com

Summary: Hi team! I hope you are having a great day! pwapi.ex2b.com instances work with a GraphQL API. This GraphQL endpoint is at / and can be called by unauthenticated users. This Graphql endpoint allows you to perform a query with the same attribute multiple times on a single request. The more...

AI score: 7.2
Exploits: 0
Hacker One
added 2023/08/24 2:0 a.m., 93 views

Internet Bug Bounty: CVE-2023-40273: Session fixation in Apache Airflow web interface

A session fixation vulnerability was discovered in Apache Airflow web interface. This vulnerability allowed an authenticated user to continue accessing the webserver even after their password had been reset by the admin. The issue has been addressed in version 2.7.0 of Apache Airflow...

CVSS: 8, AI score: 7.7, EPSS: 0.01366
Exploits: 0
Hacker One
added 2022/11/27 4:29 p.m., 93 views

inDrive: Full access to InDrive jira panel via exposed API token

The Jira API token was exposed in a GitHub repository, allowing unauthorized access to the InDrive Atlassian panel and sensitive information stored in Jira...

AI score: 6.5
Exploits: 0
Hacker One
added 2022/05/12 2:53 p.m., 93 views

curl: Memory leak in CURLOPT_XOAUTH2_BEARER

Summary: Once a bearer token is set with CURLOPTXOAUTH2BEARER, each HTTP request done with the same handler leaks the token itself. Steps To Reproduce: Given the following code: c include int mainvoid curlglobalinitCURLGLOBALALL; CURL curl = curleasyinit; curleasysetoptcurl, CURLOPTHTTPAUTH,...

AI score: 7
Exploits: 0
Hacker One
added 2021/11/21 12:51 p.m., 93 views

UPchieve: Authentication Bypass - Email Verification code bypass in account registration process.

Hi Team, I was able to bypass Email Verification code in account registration process. Summary : Authentication Bypass is a dangerous vulnerability, which is found in Web-Applications. An Attackers can bypass the control mechanisms which are used by the underlying web application like Email...

AI score: 7.1
Exploits: 0
Hacker One
added 2021/07/02 9:52 p.m., 93 views

GitHub Security Lab: [Java] JShell Injection

This bug was reported directly to GitHub Security Lab...

AI score: 1.1
Exploits: 0
Hacker One
added 2021/07/02 9:52 p.m., 93 views

GitHub Security Lab: [Java] CWE-918: Added URLClassLoader and WebClient SSRF sinks

This bug was reported directly to GitHub Security Lab...

AI score: 1.1
Exploits: 0
Hacker One
added 2021/06/22 10:50 p.m., 93 views

GitHub Security Lab: ihsinme: CPP Add query for CWE-783 Operator Precedence Logic Error When Use Bool Type

This bug was reported directly to GitHub Security Lab...

AI score: 1.1
Exploits: 0
Hacker One
added 2021/04/06 10:55 p.m., 93 views

U.S. Dept Of Defense: Sensitive data exposure via https://███████/jira//secure/QueryComponent!Default.jspa - CVE-2020-14179

Description: Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. Impact...

CVSS: 5, AI score: 2.1, EPSS: 0.76042
Exploits: 1
Hacker One
added 2020/12/24 1:38 a.m., 93 views

h1-ctf: Hackyholidays CTF writeup

Writeup for the hackyholidays CTF This CTF consisted of 12 challenges released daily in the 12 days leading up to christmas. The goal was to stop the Grinch from ruining christmas by slowly destroying the apps that he used to terrorize Santa and his elfs. The challenges were: 1. Robots.txt 2. DOM...

AI score: 7.9
Exploits: 0
Hacker One
added 2020/12/17 9:1 p.m., 93 views

U.S. Dept Of Defense: CVE 2020 14179 on jira instance

Summary: A remote attacker can view the custom sla fields used in the jira instance and also can use the sla fields to make a jql query. Impact Information disclosure of the custom sla fields, sensitive information leakage through the jql query parameter Read more about the impact here:...

AI score: 0.5
Exploits: 0
Hacker One
added 2020/10/06 8:28 a.m., 93 views

Mail.ru: mrgs.my.games account takeover

A chain of different bugs and misconfigurations invalid handling of arrays-like names in cookies, stored session with NULL ids allowed to login to mrgs.my.games with few different accounts...

AI score: 2.5
Exploits: 0
Hacker One
added 2020/10/03 4:21 a.m., 93 views

BugPoC: LFI to steal /etc/passwd - Bypass filter in the <meta property="og:image"> tag via redirect and much more

Hey Team, Good &simple challenge. Wasn't able to find time to attempt this initially but was able to go about it today. The explanation of the bug with the POC is hosted on bugpoc.com Here is the id & password as requested - BugPoC ID : bp-wHwB2qAF - Password : dARKlYbAnana89 POC Screenshot using...

AI score: 0.7
Exploits: 0
Hacker One
added 2020/08/14 3:12 a.m., 93 views

HackerOne: Pentester can obtain information about other pentesters who applied for the same test, but weren't accepted

Hi team, I don't know your policy about pentestersabout their visibility on the platform, But I couldn't find any other pentesters before. 1 For example: GraphQL has the h1pentester attribute that would explicitly point us to the pentester, but if we make a query, it doesn't reveal the pentester ...

AI score: 6.8
Exploits: 0
Hacker One
added 2020/07/28 7:6 a.m., 93 views

QIWI: CVE-2020-3187 - unauthenticated arbitrary file deletion in Cisco

Steps to reproduce: I could delete arbitrary files from https://79.142.21.220/ using CVE-2020-3187. POC video is attached. Browser/OS: Chrome/Windows ALSO Cisco ASA - Arbitrary File Read - CVE-2020-3452 the file downloaded also attached here for poc Impact Impact: RCE is P1 critical vulnerability,...

CVSS: 7.5, AI score: 1.3, EPSS: 0.99992
Exploits: 26
Hacker One
added 2020/06/28 1:9 p.m., 93 views

Shopify: Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation

Hello Shopify, I have found a bug by which I can verify any email on .myshopify.com, the bug is very strange but it works. Also I can take over the accounts but only the ones which do not have SSO. To reproduce please follow the steps exactly as I written otherwise you will not be able to reprodu...

AI score: 7
Exploits: 0
Hacker One
added 2020/06/04 1:27 p.m., 93 views

Open-Xchange: Panic in file smtp-address.c: line 684 (smtp_address_write): assertion failed: (smtp_char_is_qpair(*p))

Reproducer is running test suite against file crash2.txt and getting following output : ./src/testsuite/testsuite crash2.txt Test case: crash2.txt: testsuitecatena: Panic: file smtp-address.c: line 684 smtpaddresswrite: assertion failed: smtpcharisqpairp Abort trap: 6 Content or crash2.txt is...

AI score: 0.7
Exploits: 0
Hacker One
added 2020/04/04 2:15 p.m., 94 views

Zomato: [www.zomato.com] Blind SQL Injection in /php/geto2banner

Hi Team! Our team discovered a Blind SQL Injection by Abusing LocalParams resid in /php/geto2banner We are working to create a full PDF Report as an WriteUp ; Here is a Temporal Exploit based on the Vulnerable request: POST /php/geto2banner HTTP/1.1 Host: www.zomato.com Connection: close...

Exploits: 0
Hacker One
added 2020/04/01 10:46 p.m., 93 views

GitLab: Stored XSS in markdown when redacting references

Summary It's possible to inject arbitrary html into the markdown by abusing the ReferenceRedactorFilter. This is due to the data-original attribute allowing html encoded data to be stored, which is then extracted and used as the link content. If the original data already is html encoded then it...

AI score: 0.4
Exploits: 0
Hacker One
added 2020/02/21 9:29 p.m., 93 views

Ubiquiti Inc.: Unauthenticated request allows changing hostname

We have recently released new version of UniFi Cloud Key firmware that fixes a vulnerability found on v1.1.6 and prior for Cloud Key gen2 and Cloud Key gen2 Plus, according to the description below: Unauthenticated API requests allow changing device hostname. Affected Products: UniFi Cloud Key Ge...

CVSS: 5, AI score: 0.7, EPSS: 0.01028
Exploits: 0
Hacker One
added 2020/02/03 6:44 p.m., 93 views

Stripo Inc: Authorization for wp-admin directory are vulnerable to brute force.

The domain https://my.stripo.email in the directory /wp-admin are not blocking amount of request in the authorization form, this leads to bruteforce attack. Where the attacker are able to guess tons of passwords without getting blocked or the password field gets locked. This attack make it possib...

AI score: 7.6
Exploits: 0
Hacker One
added 2019/09/05 3:25 a.m., 93 views

Central Security Project: OS Command Injection in Nexus Repository Manager 2.x(bypass CVE-2019-5475)

OS Command Injection in Nexus Repository Manager 2.xbypass CVE-2019-5475 Maven artifact groupId: org.sonatype.nexus.plugins artifactId: nexus-yum-repository-plugin version: 2.14.14-01 Vulnerability Vulnerability Description The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. A...

CVSS: 9, AI score: 0.4, EPSS: 0.18396
Exploits: 5
Hacker One
added 2019/07/01 5:16 p.m., 93 views

Nextcloud: Code injection in macOS Desktop Client

Vulnerability description I've identified a code injection vulnerability in your macOS desktop client. Any malicious application, running with standard user permissions is able to exploit this vulnerability and execute code in your application's context. Requirements In order to exploit this...

CVSS: 4.6, AI score: 0.2, EPSS: 0.00689
Exploits: 1
Hacker One
added 2019/06/19 4:50 a.m., 93 views

Nextcloud: User with read-only access to a share can gain write access to sub-folders in the share

user0 creates folders /test and /test/sub user0 creates file /test/sub/file.txt user0 shares folder /test with user1 with read+share permissions 17 user1 receives the folder /test and can read-download /test/sub/file.txt - good user1 creates a link share of /test/sub - it has permissions 1...

CVSS: 4, AI score: 6.8, EPSS: 0.01056
Exploits: 0
Hacker One
added 2019/01/29 8:30 a.m., 93 views

RATELIMITED: HTTP PUT method is enabled ratelimited.me

Found on HTTP PUT sites enabled on web servers. I tried testing to write the file / codelayer137.txt uploaded to the server using the PUT verb, and the contents of the file were then taken using the GET verb. the following is POC Request: PUT /codeslayer137.txt HTTP/1.1 Host: ratelimited.me...

AI score: 0.1
Exploits: 0
Hacker One
added 2017/07/12 5:59 a.m., 93 views

Grab: [parcel.grab.com] DOM XSS at /assets/bower_components/lodash/perf/

Summary: DOM Based XSS or as it is called in some texts, “type-0 XSS” is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner...

AI score: 6.2
Exploits: 0
Hacker One
added 2017/01/17 6:15 a.m., 93 views

Ruby: Parsing invalid unicode codepoints using json c extension (2.0.1+) triggers a segfault

Using the default json library packaged with ruby, one can trigger a segmentation fault by submitting a string with a unicode escape sequence in the range between \ud800-\udbff https://en.wikipedia.org/wiki/UTF-16U.2BD800toU.2BDFFF. This is can lead to a denial of service attack by segmentation...

AI score: 7.7
Exploits: 0
Hacker One
added 2016/06/16 11:31 a.m., 93 views

Uber: Bulk UUID enumeration via invite codes

It is possible to enumerate UUID via invite code. During signup if we enter invite code then create request's response contains inviteruuid . As invite codes are public so attacker can easily enumerate bulk UUID . Here is sample request :- POST /signup/clients/create HTTP/1.1 X-Uber-RedirectCount...

AI score: 0.2
Exploits: 0
Hacker One
added 2016/03/17 9:0 p.m., 93 views

Shopify: Shopify GitHub Login and Password exposed all private source code might be available.

Sello com.shopify.Sello https://itunes.apple.com/us/app/sello/id947038847?mt=8 ios Mobile Application Versions 1.0.1, 1.1, 1.1.2, 1.1.3, 1.2, Podfile left inside application exposes GitHub Password for Shopify. username: shopify-dep password: 1910c92631a81a4c41dafbf96d537e3f24506b11 Impact: Acces...

AI score: 7.2
Exploits: 0
Hacker One
added 2016/02/19 6:25 p.m., 93 views

Zendesk: Stored XSS via Angular Expression injection on developer.zendesk.com

developer.zendesk.com is vulnerable to stored XSS via Angular template injection. To replicate: Browse to https://developer.zendesk.com Sign up with an arbitrary email address and the following name: "'a'.constructor.prototype.charAt=.join;$eval'x=alert1';" Observe the popup. This is a stored...

AI score: 0.6
Exploits: 0
Hacker One
added 2015/03/09 10:20 a.m., 93 views

HackerOne: Reflected File Download attack allows attacker to 'upload' executables to hackerone.com domain

Hi hackerone team, I'm a friend of Peiying and am looking for a position at hackerone. While playing around with your product, I found a serious vulnerability in your application: it allows attackers to craft executables on the hackerone.com domain rather than the sandboxed one on S3. 1. attacker...

AI score: 0.6
Exploits: 0
Hacker One
added 2025/04/09 1:7 p.m., 92 views

Bykea: IDOR on in-app hardcoded zombie endpoint

The researcher discovered an Insecure Direct Object Reference IDOR vulnerability in a hardcoded legacy zombie endpoint that was no longer actively used but remained accessible. By reverse engineering the Android app and reviewing the code for unused endpoints, the sensitive details related to...

AI score: 7.1
Exploits: 0
Hacker One
added 2022/10/21 9:33 p.m., 92 views

Internet Bug Bounty: potential denial of service attack via the locale parameter

In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a denial of service attack via the locale parameter, which is treated as a regular expression. Impact By crafting a Python regex, a vulnerable site could suffer a DOS attack. The attack was...

CVSS: 5, AI score: 7.3, EPSS: 0.0272
Exploits: 0
Hacker One
added 2021/11/08 9:24 p.m., 92 views

U.S. Dept Of Defense: Unauthenticated Access to Admin Panel Functions at https://██████████/████████

Description: I discovered that the admin panel at https://████/█████ and all its functions can be accessed without authentication. Impact An attacker is able to use the administrative functions in order to upload, delete or modify files. System Hosts ████████ Affected Products and Versions ██████...

AI score: 7.4
Exploits: 0
Hacker One
added 2021/09/03 7:15 a.m., 93 views

Mail.ru: CVE-2020-11110: Grafana Unauthenticated Stored XSS -████.bizml.ru

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. PoC - Send the following HTTP request http POST...

CVSS: 3.5, AI score: 5.4, EPSS: 0.09619
Exploits: 0
Hacker One
added 2021/07/02 8:37 p.m., 92 views

Tor: Tor Browser using --log or --verbose logs the exact connection time a client connects to any v2 domains.

Summary: A vulnerability in the Tor Browser 78.11.0esr and below allows a local or physical attacker to view metadata about v2 domains, namely the exact timestamp that a user connected to a v2 onion address while using either the --log or --verbose command line options. A local or physical attack...

AI score: 6.4
Exploits: 0
Hacker One
added 2021/05/06 4:58 p.m., 92 views

Sifchain: Open S3 Bucket | information leakage

Hi I found an Open S3 Bucket. - POC : aws s3 ls s3://amazon-eks/ Source : https://github.com/Sifchain/sifnode/blob/bebbe9883560bbde4f452f81a2d85bdbc243636a/deploy/rake/dependencies.rake21 regards oos Impact information leakage...

AI score: 6.9
Exploits: 0
Hacker One
added 2021/02/18 4:40 p.m., 92 views

Ruby on Rails: redirect_to(["string"]) remote code execution

For example, redirecttoparams:userinput with a URL of ?userinput=something calls the method somethingurl and tries to redirect the return value of the method. If this call is on an unauthenticated route, it would allow an external user to test if a route name exists by determining if the app 500s...

CVSS: 5, AI score: 1.8, EPSS: 0.04195
Exploits: 1
Hacker One
added 2021/01/05 6:56 p.m., 92 views

Doppler VDP: Access page must be reloaded to perform multiple requests

Hello team, I have found a authorization issues in your website. With this issue Low privileged user's like collaborator users can still access DEV environment even workplace owner unchecked dev access permission from owner account. With this issue collaborator user can unlimited access that dev...

AI score: 2.6
Exploits: 0
Hacker One
added 2020/12/27 1:46 p.m., 92 views

U.S. Dept Of Defense: Sensitive data exposure via https://███████/secure/QueryComponent!Default.jspa - CVE-2020-14179

Summary: Information Disclosure vulnerability in outdated Jira. Description: Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the...

CVSS: 5, AI score: 2.1, EPSS: 0.76042
Exploits: 1
Hacker One
added 2020/11/09 12:54 a.m., 92 views

Shopify: Self xss in product reviews

1、install app Product Reviews F1070556 2、Open a product and write a review 3、Press F12 on the keyboard,Change the type of email to text. 4、Write in email"[email protected]. F1070565 5、Write other required fields,then submit. F1070566 Impact Self xss...

AI score: 1.9
Exploits: 0
Hacker One
added 2020/07/14 5:29 p.m., 92 views

lemlist: stored xss via Campaign Name.

Summary: Hi, I found a stored xss https://app.lemlist.com Steps To Reproduce: 1. go to https://app.lemlist.com/. 2. create or edit campaigns. 3. set the payload / in the Campaign Name. 4. visit Buddies-to-Be tab . 5. click Add one on the right Top . or click on one of the list of Contact 6. you...

AI score: 6.7
Exploits: 0
Hacker One
added 2020/06/04 4:28 a.m., 92 views

h1-ctf: [H1-2006 2020] CTF write-up

Hello, thank you for the awesome CTF! I definitely learned a lot. For now I will submit just the Flag. I am going to follow up with the Writeup as soon as possible. ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Kind regards, Alex - hackingfish Attached: A screenshot of the site which is showing the...

AI score: 1.4
Exploits: 0
Hacker One
added 2020/05/23 4:57 a.m., 92 views

Starbucks: Cross-Site Scripting (XSS) on www.starbucks.com | .co.uk login pages

Hi team, Summary: There is a cross-site scripting vulnerability on the login page of www.starbucks.com and various regions, due to improper escaping on the URL path. Description: The login page at https://www.starbucks.com/account/signin builds several links by the relative URL path. An attacker...

AI score: 5.6
Exploits: 0
Hacker One
added 2020/04/24 1:46 p.m., 92 views

Starbucks: Thailand - IDOR on www.starbuckscardth.in.th: A logged in user could view any Thailand Starbucks card balance if they knew that Starbucks card number

nnez discovered that after a successful card balance transfer between two of their own registered Thailand Starbucks cards, they could update the 2nd card number URL parameter to another known Thailand Starbucks card number and view that 2nd card balance. @nnez — thank you for reporting this...

AI score: 1.4
Exploits: 0
Hacker One
added 2020/01/29 9:59 p.m., 92 views

Reddit: registering with the same email address multiple times leads to account takeover

i'm not sure if this issue is in scope or not or if it's intended , kindly if you don't accept this issue please close it as informative , thanks in advance Summary: the ability of the user to register many times using the same mail address can lead to account take over Steps To Reproduce: 1...

AI score: 0.6
Exploits: 0
Hacker One
added 2019/11/16 11:57 a.m., 92 views

Stripo Inc: Able to change password by entering wrong old password

Vulnerability Name: Able to change password by entering wrong old password. Description: The password change mechanism which is located at https://my.stripo.email/cabinet//profile is insecure as the password can be changed without knowing the old password. Any unauthorized user can access the...

AI score: 7.2
Exploits: 0
Total number of security vulnerabilities: 5000