Lucene search: HackerOne, sorted by most viewed (15371 matches found)

Hacker One, added 2020/06/04 4:28 a.m.

h1-ctf: [H1-2006 2020] CTF write-up

Hello, thank you for the awesome CTF! I definitely learned a lot. For now I will submit just the flag. I am going to follow up with the write-up as soon as possible. ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Kind regards, Alex - hackingfish Attached: A screenshot of the site which is showing the...

AI score 1.4; Exploits 0

Hacker One, added 2020/05/23 4:57 a.m.

Starbucks: Cross-Site Scripting (XSS) on www.starbucks.com | .co.uk login pages

Hi team, Summary: There is a cross-site scripting vulnerability on the login page of www.starbucks.com and various regions, due to improper escaping on the URL path. Description: The login page at https://www.starbucks.com/account/signin builds several links from the relative URL path. An attacker...

AI score 5.6; Exploits 0

Hacker One, added 2020/04/24 1:46 p.m.

Starbucks: Thailand - IDOR on www.starbuckscardth.in.th: A logged in user could view any Thailand Starbucks card balance if they knew that Starbucks card number

nnez discovered that after a successful card balance transfer between two of their own registered Thailand Starbucks cards, they could update the 2nd card number URL parameter to another known Thailand Starbucks card number and view that 2nd card's balance. @nnez — thank you for reporting this...

AI score 1.4; Exploits 0

Hacker One, added 2020/01/29 9:59 p.m.

Reddit: registering with the same email address multiple times leads to account takeover

I'm not sure if this issue is in scope or not, or if it's intended; kindly, if you don't accept this issue please close it as informative. Thanks in advance. Summary: the ability of the user to register many times using the same mail address can lead to account takeover. Steps To Reproduce: 1...

AI score 0.6; Exploits 0

Hacker One, added 2019/05/07 6:10 p.m.

Pornhub: SSRF and local file disclosure by video upload on https://www.redtube.com/upload

The researcher was successful in exploiting a vulnerability in a 3rd-party encoding library, resulting in the execution of SSRF attacks and local file disclosure...

AI score 1.3; Exploits 0

Hacker One, added 2019/01/30 4:16 p.m.

HackerOne: Disclosure of h1 challenges name through the calendar

Summary: It seems like the Calendar somehow grabs the name of the target for an h1 challenge even though the target name is not public. Description: h1 challenges do not disclose the name of the target until the time it starts. For example for this challenge: █████ the name of the target is not...

Exploits 0

Hacker One, added 2018/11/12 9:18 a.m.

OLX: Cross-site Scripting (XSS) - Reflected

Dear OLX Security team, I want to report the findings of the security gap on the olx.co.id website; the detailed findings are as follows: Impact: https://www.olx.co.id/adminpanel/login/ Payload: ope8i"alert1grpo8 POC: parameter = userpassword POST /adminpanel/login/?ref0action=index&ref0method=ind...

AI score 0.1; Exploits 0

Hacker One, added 2018/02/14 3:23 a.m.

Coinbase: Stored CSS Injection

When creating a product, users can upload a logo. The logourl was not escaped properly, allowing an attacker to inject malicious characters into a style tag. This vulnerability did not allow for XSS due to our CSP; however, it did allow for CSS injection...

AI score 6.8; Exploits 0

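The Coinbase report above describes a stored URL landing inside a style rule without escaping. The following is an added example, not Coinbase's code, showing the vulnerable interpolation beside a hardened version that parses the URL (rejecting anything but https) and hex-escapes every character that could terminate the CSS string or the rule. The field name `logoUrl`, the `.logo` selector and the sample payload are assumptions constructed for illustration.

```javascript
// Added example (not the original page's or Coinbase's code): a logo URL
// placed in a <style> rule. "logoUrl" and the ".logo" selector are assumed names.

// Vulnerable pattern: the stored URL is interpolated straight into a style rule,
// so a value containing  ") } body { ...  rewrites the page's CSS.
function unsafeLogoRule(logoUrl) {
  return `.logo { background-image: url("${logoUrl}"); }`;
}

// Escape for a double-quoted CSS string: every character outside a conservative
// URL alphabet becomes a CSS hex escape (e.g. ")" -> "\29 "), so the quoted
// string can never be closed early and no raw "(", ")", "{", "}" survive.
function cssStringEscape(s) {
  return s.replace(/[^A-Za-z0-9\-_.~:\/?#@!$&*+,=%]/g,
    (ch) => '\\' + ch.charCodeAt(0).toString(16) + ' ');
}

// Hardened: parse and re-serialise (rejects non-https schemes and junk), then
// escape the serialised form before it touches the stylesheet.
function safeLogoRule(logoUrl) {
  let u;
  try { u = new URL(logoUrl); } catch (e) { return null; }
  if (u.protocol !== 'https:') return null;
  return `.logo { background-image: url("${cssStringEscape(u.href)}"); }`;
}

module.exports = { unsafeLogoRule, cssStringEscape, safeLogoRule };
```

`new URL()` already percent-encodes `"`, `{` and `}` in the path, but not `(` or `)`; relying on the parser alone would still let `url(` be closed, which is why the escape step stays. The same escaping belongs in any server-side template that emits user data into a `<style>` block or a `style=""` attribute.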
Hacker One, added 2018/01/31 12:14 a.m.

Node.js third-party modules: [crud-file-server] Path Traversal allows reading arbitrary files from the server

Hi Guys, There is a path traversal vulnerability in the crud-file-server module, which allows reading arbitrary files from the remote server. Module: crud-file-server. This package exposes a directory and its children to create, read, update, and delete operations over http...

CVSS 5; AI score 7.3; EPSS 0.02216; Exploits 1

Hacker One, added 2017/10/06 9:32 p.m.

WakaTime: Can link to websites from profile

When I input a website in my profile it creates a link tag: test.org. This is a flaw; how? If the owner of the profile adds a malicious link it is possible to redirect the user to a phishing page for wakatime. Here's the scenario of this attack: 1. Attacker puts a malicious link on his profile. 2. Once t...

AI score 1.6; Exploits 0

Hacker One, added 2017/08/10 10:02 a.m.

Zomato: [www.zomato.com] Union SQLi + WAF Bypass

Summary: @gerbenjavado found a SQL injection vulnerability in one of our endpoints and he was able to bypass our WAF...

AI score 2.4; Exploits 0

Hacker One, added 2017/01/09 9:04 a.m.

Starbucks: Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com)

Hello, during some open redirect testing, I noticed a very strange redirect that occurred when I modified a parameter using something like cofee. I dug further and then noticed that one can make a redirect by modifying GET parameters with this structure: //google.com...

AI score 0.3; Exploits 0

Hacker One, added 2016/09/10 11:26 a.m.

Eobot: No password length restriction

Hello Eobot, I am able to sign up on your web application using a long 100000-character password, which may lead to the website becoming unavailable or unresponsive. Usually this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing...

AI score 6.9; Exploits 0

Hacker One, added 2016/07/25 11:37 a.m.

X (Formerly Twitter): csp bypass + xss

Hi, On my previous report number 126464 I've mentioned that analytics.twitter.com has a CSP bypass which I couldn't exploit at that time. Now, I've found a reflected XSS on careers.twitter.com which again I couldn't exploit by itself, because you have CSP, and I've combined the two of them to successful...

AI score 6.3; Exploits 0

Hacker One, added 2016/06/01 9:19 p.m.

Pornhub: [RCE] Unserialize to XXE - file disclosure on ams.upload.pornhub.com

Researcher was able to exploit a serialization error in the SimpleXMLElement class to perform object injection using the callbackUrl parameter. Researcher was successful in achieving the following: SSRF, local file inclusion, limited execution of database commands without output. I exploited the...

AI score 0.4; Exploits 0

Hacker One, added 2016/04/15 9:54 a.m.

Moneybird: Malicious File Upload

This researcher found a vulnerability in which it was possible to upload attachments with malicious extensions. We have implemented a security filter to prevent these attachments from being uploaded...

AI score 2.2; Exploits 0

Hacker One, added 2014/06/23 8:13 a.m.

Uzbey: CMS Information Disclosure

Hi, I noticed that the CHANGELOG.txt discloses the Drupal version. It might help an attacker to perform information gathering and help an attacker to find the vulnerabilities for that version. PoC: https://staging.uzbey.com/CHANGELOG.txt...

AI score 1.2; Exploits 0

Hacker One, added 2024/05/02 9:18 p.m.

HackerOne: Insecure Direct Object Reference (IDOR) Allows Viewing Private Report Details via /bugs.json Endpoint

The Insecure Direct Object Reference (IDOR) vulnerability allowed viewing private report details through the /bugs.json endpoint. Any private reports could be accessed by sending a POST request to the endpoint with the organization ID and a single-digit text query. This gave access to sensitive...

AI score 6.6; Exploits 0

Hacker One, added 2023/03/20 7:32 a.m.

Internet Bug Bounty: CVE-2023-27533: TELNET option IAC injection

A vulnerability, CVE-2023-27533, was found in curl versions 7.7 to 7.88.1 that allowed users to pass on user name and "telnet options" for server negotiation without proper input scrubbing, potentially allowing for the injection of unintended TELNET commands to the telnet connection. The severity o...

CVSS 8.8; AI score 7; EPSS 0.01993; Exploits 1

Hacker One, added 2021/09/26 9:17 a.m.

MTN Group: CVE-2021-38314 @ https://www.mtn.co.rw

Summary: Hello. I found your domain https://www.mtn.co.rw was vulnerable to CVE-2021-38314. Description: The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the includes function in...

CVSS 5; EPSS 0.28961; Exploits 6

Hacker One, added 2021/06/23 10:18 a.m.

Basecamp: Information Disclosure .htaccess accessible for public

Hello team! While doing a preliminary recon on the subdomain of "launchpad.37signals.com" I've come across a few sensitive files that should not be facing the public web; I'll leave you a list organized by criticality and some proof. Information disclosure of path .htaccess on the subdomain of...

AI score 6.8; Exploits 0

Hacker One, added 2021/06/21 7:03 a.m.

Urban Company: Broken Link on Urban Company's Vulnerability Submission Form

Summary: - Urban Company has an unclaimed broken link on their HackerOne security page which can be claimed by any malicious user. And then later the malicious user can exploit this issue to deceive new researchers into submitting their legitimate findings to the wrong hands. Steps To Reproduce: 1. Visi...

AI score 0.3; Exploits 0

Hacker One, added 2021/04/20 7:30 a.m.

Nextcloud: Password policy changes not enforced for existing passwords

So this is two reports in one. Sort of. But they are the same issue, or at least related. 1. When you set up your nextcloud there is no password policy at all. There is the strength indicator. I get that the password policy app is not yet active at that point. But a minimum length would not be that...

AI score 0.6; Exploits 0

Hacker One, added 2021/03/23 8:28 p.m.

GitHub Security Lab: Java: CWE-652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')

This bug was reported directly to GitHub Security Lab...

AI score 2.1; Exploits 0

Hacker One, added 2020/12/27 3:34 p.m.

h1-ctf: Taking Grinch Down To Save Holidays

Hi, thank you HackerOne and Adam for organizing the CTF; this has honestly helped me to learn good skills and techniques. The CTF began with the scope hackyholidays.h1ctf.com and the mission to take down the Grinch. So here's a quick visual summary of all the challenges F1131175 F1131176 1. Grinch Robots ...

AI score 8.3; Exploits 0

Hacker One, added 2020/11/09 10:36 p.m.

GitHub Security Lab: Java: Detect remote source from Android intent extra

This bug was reported directly to GitHub Security Lab...

AI score 1.5; Exploits 0

Hacker One, added 2020/09/14 9:00 p.m.

U.S. Dept Of Defense: SQLi in login form of █████

Summary: The following is vulnerable to SQLi; due to a limited char set this is t██████████y to demonstrate and not picked up by sqlmap. POST /██████████.asp HTTP/█████.████ Host: ███████ Description: POST /██████.asp HTTP/████.███ Host: █████ Connection: close Content-Length: 45 Cache-Control:...

AI score 7.3; Exploits 0

Hacker One, added 2020/08/08 9:58 a.m.

BugPoC: XSS Challenge #2 Solution

Summary: An attacker can achieve arbitrary JavaScript execution in the context of the user's session on calc.buggywebsite.com. This is possible due to a weak origin check in the message event handler in http://calc.buggywebsite.com/frame.js as well as improper handling of the message data, allowi...

AI score 0.4; Exploits 0

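The BugPoC write-up above names two defects in a `message` event handler: a weak origin check and unsafe handling of the message payload. The following added example (not the challenge's `frame.js` and not the author's solution) puts the weak substring-style origin test beside an exact-match one, and a handler that evaluates message data as code beside one that accepts only a closed set of numeric operations. It is written as plain functions taking an `event`-shaped object so it runs under Node; the trusted origin value and the calculator operations are assumptions.

```javascript
// Added example (not the challenge's frame.js): postMessage origin checks and
// payload handling. TRUSTED_ORIGIN and the "op/a/b" message shape are assumed.
const TRUSTED_ORIGIN = 'https://calc.buggywebsite.com';

// Weak check: a substring test also accepts
// "https://calc.buggywebsite.com.attacker.example" and "https://evil.example/?calc.buggywebsite.com".
function weakOriginCheck(origin) {
  return origin.indexOf('calc.buggywebsite.com') !== -1;
}

// Strict check: scheme, host and port must all match exactly.
function strictOriginCheck(origin) {
  return origin === TRUSTED_ORIGIN;
}

// Vulnerable handler: weak origin test, then the message text is executed.
function vulnerableHandler(event) {
  if (!weakOriginCheck(event.origin)) return undefined;
  return Function('"use strict"; return (' + event.data + ')')();
}

// Hardened handler: strict origin, structured message, closed operation table,
// numeric operands only. Nothing from the message is ever interpreted as code.
function safeHandler(event) {
  if (!strictOriginCheck(event.origin)) return { accepted: false, reason: 'origin' };
  const msg = event.data;
  if (!msg || typeof msg !== 'object') return { accepted: false, reason: 'shape' };
  const { op, a, b } = msg;
  if (!Number.isFinite(a) || !Number.isFinite(b)) return { accepted: false, reason: 'operands' };
  const ops = { add: (x, y) => x + y, sub: (x, y) => x - y, mul: (x, y) => x * y };
  // hasOwnProperty keeps "constructor", "__proto__" etc. from resolving via the prototype
  if (!Object.prototype.hasOwnProperty.call(ops, op)) return { accepted: false, reason: 'op' };
  return { accepted: true, value: ops[op](a, b) };
}

module.exports = { TRUSTED_ORIGIN, weakOriginCheck, strictOriginCheck, vulnerableHandler, safeHandler };
```

In a real page the handler is registered with `window.addEventListener('message', ...)`; the same two rules apply there: compare `event.origin` for equality against a fixed origin (or an explicit allowlist), and treat `event.data` as data, never as code or markup.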
Hacker One, added 2020/07/21 6:32 p.m.

lemlist: Stored XSS in app.lemlist.com

Summary: add summary of the vulnerability Steps To Reproduce: - Go to Company > Buddies-to-Be > Custom variables - Add malicious code: " onmouseover="confirm(document.domain)" a=" F915718 - Go to Company > Messages > Blank email - In the WYSIWYG editor select Custom variables - Malicious code executed...

AI score 4.6; Exploits 0

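The lemlist report above and the Starbucks login-page XSS earlier in this list are the same defect in two places: a string the user controls (a custom variable in one case, the request path in the other) is concatenated into HTML without escaping for the attribute context it lands in. This added example, which is neither company's code, shows the vulnerable link builder and a minimal template renderer beside escaped versions. The function names, the `{{name}}` template syntax, and the sample payloads are assumptions.

```javascript
// Added example (not Starbucks' or lemlist's code): HTML-attribute escaping for
// a path-derived link and for custom variables in a template. Names are assumed.

// Escapes the five characters that matter in text and double-quoted attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the request path is spliced into an href verbatim, so a path
// containing  " onmouseover="...  breaks out of the attribute.
function unsafeRegionLink(pathname, region) {
  return `<a href="${pathname}?region=${region}">Sign in</a>`;
}

// Hardened: escape the path for the attribute, and percent-encode the
// parameter we are generating ourselves.
function safeRegionLink(pathname, region) {
  return `<a href="${escapeHtml(pathname)}?region=${encodeURIComponent(region)}">Sign in</a>`;
}

// Template rendering as a mail editor might do it: {{name}} placeholders are
// replaced with escaped values, so a variable can never contribute markup.
// hasOwnProperty keeps {{constructor}} from reaching Object.prototype.
function renderTemplate(template, vars) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, name) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? escapeHtml(vars[name]) : '');
}

module.exports = { escapeHtml, unsafeRegionLink, safeRegionLink, renderTemplate };
```

Escaping is context-specific: the table above is right for element text and double-quoted attributes, but a value going into a URL needs `encodeURIComponent`, one going into a `<script>` block needs JSON encoding plus `</` escaping, and one going into CSS needs the CSS escape rules. A WYSIWYG editor that lets users insert variables must apply this at render time, after the user's own markup has been through an HTML sanitiser.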
Hacker One, added 2020/07/16 6:14 p.m.

PayPal: RCE via npm misconfig -- installing internal libraries from the public registry

A Bug Bounty researcher identified an issue where certain development projects defaulted to the public NPM registry, instead of using the intended internal packages. Since the packages on the public registry did not exist, the researcher created these and observed they were downloaded. Had these...

AI score 0.9; Exploits 0

Hacker One, added 2020/06/20 4:51 a.m.

Node.js third-party modules: Fastify uses allErrors: true ajv configuration by default which is susceptible to DoS

I would like to report a denial of service vulnerability in fastify. It allows causing a DoS with some schemas that were otherwise assumed to be secure against DoS by their authors. Module: module name: fastify, version: 2.14.1, 3.0.0-rc.4, npm page: https://www.npmjs.com/package/fastify Module...

CVSS 4; AI score 0.3; EPSS 0.01157; Exploits 1

Hacker One, added 2020/04/04 12:05 a.m.

Visma Public: Read-only user can access payroll information without having access to payroll.

The researcher found that a read-only user without access to payroll can still access all the data in the payroll tab by visiting the URL directly, resulting in unauthorized access...

AI score 2.2; Exploits 0

Hacker One, added 2020/01/28 10:21 p.m.

GitHub Security Lab: CodeQL query for finding CSRF vulnerabilities in Spring applications

This bug was reported directly to GitHub Security Lab...

AI score 2; Exploits 0

Hacker One, added 2018/12/18 10:35 p.m.

Upserve: Open redirect at https://inventory.upserve.com/http://google.com/

The following URL is vulnerable to an open redirect; it will redirect to stanko.sh: https://inventory.upserve.com/http://stanko.sh/ Impact: Users could get redirected to a malicious domain...

AI score 1.2; Exploits 0

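Two open redirects in this list turn on the same parsing mistake: the Starbucks report above relies on a protocol-relative `//google.com` value being accepted as a site-relative path, and the Upserve one on a full `http://stanko.sh/` URL extracted from the request path being used as the redirect target. The following is an added example, not either company's code, of a redirect-target validator that rejects both shapes plus the backslash variant browsers normalise to `//`. The application origin and the function names are assumptions.

```javascript
// Added example (not Starbucks' or Upserve's code): validating a redirect
// target before issuing a Location header. APP_ORIGIN is assumed.
const APP_ORIGIN = 'https://app.example';

function isSafeRedirect(target) {
  if (typeof target !== 'string' || target.length === 0 || target.length > 2048) return false;
  // Must be a single-slash, site-relative path: "/foo" is fine, but
  // "//host" (protocol-relative), "/\host" (browsers read "\" as "/"),
  // and "http://..." or "javascript:..." (no leading slash) are not.
  if (!/^\/(?![\/\\])/.test(target)) return false;
  // Second layer: resolve against our own origin the way a browser would and
  // confirm the result has not left it.
  let resolved;
  try { resolved = new URL(target, APP_ORIGIN); } catch (e) { return false; }
  return resolved.origin === APP_ORIGIN;
}

// The redirect itself: an unsafe target falls back to a fixed location rather
// than being "fixed up", so the user never lands on an attacker-chosen host.
function redirectLocation(next) {
  return isSafeRedirect(next) ? next : '/';
}

module.exports = { APP_ORIGIN, isSafeRedirect, redirectLocation };
```

The regular expression does the work; the `new URL()` resolution is a cross-check against parser quirks the regex does not anticipate. Where a redirect genuinely must leave the site, replace the path-only rule with an explicit allowlist of destination origins compared for exact equality, never a substring or prefix test on the URL string.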
Hacker One, added 2018/12/12 5:12 p.m.

Ian Dunn: Security issue: GitHub repo's wiki publicly editable

Hello Team, the GitHub repo's wiki page is publicly editable. This enables an attacker to edit the wiki pages of the affected repos, adding content that may link to malicious code libraries that would be installed and used by developers, or information that may mislead users. POC Links:...

AI score 0.3; Exploits 0

Hacker One, added 2018/09/06 7:11 p.m.

HackerOne: Self DOM-Based XSS in www.hackerone.com

Summary: There is a 'self' DOM-based cross-site scripting vulnerability in the contact form available on the www.hackerone.com website. This could allow an attacker to perform cross-site scripting, or other client-side attacks, against users of the application. However, the risk presented by this...

AI score 5.7; Exploits 0

Hacker One, added 2018/03/09 11:59 p.m.

Rootstock Labs: JSON RPC methods for debugging enabled by default allow DoS

A vulnerability was discovered in the RSK JSON-RPC server that allowed an attacker to cause a denial of service (DoS) attack by sending the evm_reset command. The server would hang, become slow, and eventually become synced to block 0, resulting in a loss of service and responsiveness to all users...

AI score 6.9; Exploits 0

Hacker One, added 2017/07/30 7:19 p.m.

WakaTime: Failure to check password history

I discovered that old passwords could be reused and believe that wakatime.com could benefit if there was a check for old passwords in your database, because password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period ...

AI score 7.2; Exploits 0

Hacker One, added 2017/04/18 7:33 a.m.

Internet Bug Bounty: OOB write in MDC2_Update() (CVE-2016-6303)

An overflow can occur in MDC2_Update() either if called directly or through the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap...

CVSS 7.5; AI score 8.2; EPSS 0.31985; Exploits 1

Hacker One, added 2017/01/29 7:08 p.m.

Ubiquiti Inc.: Wordpress directories/files visible to internet

Issue: During my testing I noticed that the ubnt website https://directory.corp.ubnt.com seems to leak some data to the internet. The Wordpress directory https://directory.corp.ubnt.com/wp-content/uploads/ is showing files which I suppose shouldn't be visible to the internet. I noticed that these files include...

AI score 1.4; Exploits 0

Hacker One, added 2017/01/12 10:34 a.m.

ok.ru: [insideok.ru] Database Dump

http://insideok.ru/db.sql Inside: admin accounts as of 2016. -- Host: localhost -- Generation time: Sep 03 2016, 12:00 -- Server version: 5.5.47-cll-lve -- PHP version: 5.4.45 Table structure for table users CREATE TABLE IF NOT EXISTS users id int(11) unsigned NOT NULL, █████ ███████ ███████ ██████████...

AI score 7.1; Exploits 0

Hacker One, added 2017/01/12 10:20 a.m.

ownCloud: User Information Disclosure via REST API

Hello, the REST API allows anonymous access to functionality that lets a hacker list all users who have published a post on a WordPress site. Unfortunately, this generally includes the admin account. POC: https://owncloud.com/wp-json/wp/v2/users/ https://owncloud.com/wp-json/wp/v2/users/1/ Kind...

AI score 2.9; Exploits 0

Hacker One, added 2016/04/02 12:21 a.m.

Bumble: [CRITICAL] Full account takeover using CSRF

Hi, I have found a CSRF issue that allows an attacker to link his gmail, facebook... or any social account to the victim's account and hijack the whole account. Details: When a user tries to link a gmail account with his account, after he authorizes badoo to use his gmail account he will be...

AI score 0.6; Exploits 0

Hacker One, added 2015/05/07 2:25 p.m.

Udemy: teach.udemy.com log poison vulnerability through wordpress debug.log being publicly available

Hello udemy, your site teach.udemy.com has its debug.log publicly available, consisting of 1 GB of debug logs. The logs don't expose critical information except for some user IP addresses, mail addresses and other info, but it may lead to remote code execution, since the logs also store user agent...

AI score 7.8; Exploits 0

Hacker One, added 2026/05/26 2:47 a.m.

curl: TLS conn reuse and session cache ignore fsslctx callback and ssl_config_data flags (incomplete fix variant of 7541ae569)

Summary: match_ssl_primary_config in lib/vtls/vtls.c:194 and the session-cache key built by cf_ssl_peer_key_build in lib/vtls/vtls_scache.c:240 both compare only struct ssl_primary_config fields when deciding whether to reuse a TLS connection or cached session. Several fields that materially change the TLS...

AI score 5.9; Exploits 0

Hacker One, added 2023/08/14 5:47 p.m.

HackerOne: Support Tickets can be created on behalf of other users using spoofed email | Bypass of #2001913

A vulnerability allowed an attacker to create support tickets on behalf of other users by sending a fake email to [email protected]. This bypassed a previous fix implemented by HackerOne to prevent support tickets from being created via email...

AI score 6.9; Exploits 0

Hacker One, added 2023/07/24 6:24 p.m.

U.S. Dept Of Defense: Adobe ColdFusion - Access Control Bypass [CVE-2023-38205] at ██████

An access control bypass vulnerability was discovered in Adobe ColdFusion, allowing attackers to bypass the restriction on external access to the ColdFusion Administrator...

CVSS 7.5; AI score 7.5; EPSS 0.99732; Exploits 0

Hacker One, added 2023/07/05 3:54 p.m.

Node.js: process.binding() can bypass the permission model through path traversal

The use of the deprecated API process.binding allowed for bypassing the permission model in Node.js 20.x through path traversal...

CVSS 7.5; AI score 8.4; EPSS 0.01481; Exploits 1

Hacker One, added 2023/03/19 6:49 p.m.

Fastly VDP: CVE-2018-6389 exploitation - using scripts loader

Vulnerability description not provided...

CVSS 7.5; AI score 7.3; EPSS 0.73098; Exploits 11

Hacker One, added 2023/02/06 8:03 p.m.

EXNESS: SSRF in graphQL query (pwapi.ex2b.com)

An SSRF vulnerability was discovered in the GraphQL query for allTicks on the pwapi.ex2b.com website. This vulnerability allowed an attacker to set the source parameter to perform arbitrary GET requests, potentially compromising internal services exposed to internal network requests...

AI score 7.1; Exploits 0
