Lucene search
K
HackeroneMost viewed

15372 matches found

Hacker One
Hacker One
added 2015/05/07 2:25 p.m.91 views

Udemy: teach.udemy.com log poison vulnerability through wordpress debug.log being publically available

Hello udemy your site teach.udemy.com has its debug.log publically available consisting of 1 gb of debug logs. The logs don't expose critical information except for some user ip addresses, mail-addresses and other info, but it may lead to remote code execution,since the logs also store user agent...

7.8AI score
Exploits0
Hacker One
Hacker One
added 2023/07/24 6:24 p.m.90 views

U.S. Dept Of Defense: Adobe ColdFusion - Access Control Bypass [CVE-2023-38205] at ██████

An access control bypass vulnerability was discovered in Adobe ColdFusion, allowing attackers to bypass the restriction on external access to the ColdFusion Administrator...

7.5CVSS7.5AI score0.99732EPSS
Exploits0
Hacker One
Hacker One
added 2023/07/05 3:54 p.m.90 views

Node.js: process.binding() can bypass the permission model through path traversal

The use of the deprecated API process.binding allowed for bypassing the permission model in Node.js 20.x through path traversal...

7.5CVSS8.4AI score0.01481EPSS
Exploits1
Hacker One
Hacker One
added 2023/03/19 6:49 p.m.90 views

Fastly VDP: CVE-2018-6389 exploitation - using scripts loader

Vulnerability description not provided...

7.5CVSS7.3AI score0.73098EPSS
Exploits11
Hacker One
Hacker One
added 2023/02/06 8:3 p.m.90 views

EXNESS: SSRF in graphQL query (pwapi.ex2b.com)

An SSRF vulnerability was discovered in the GraphQL query for allTicks on the pwapi.ex2b.com website. This vulnerability allowed an attacker to set the source parameter to perform arbitrary GET requests, potentially compromising internal services exposed to internal network requests...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2022/12/22 4:12 a.m.90 views

curl: curl file writing susceptible to symlink attacks

Summary: If curl command is used to download a file with predictable file name to a world writable directory such as /tmp, a local attacker is able to mount a symlink attack to either A redirect the target file writing to another file writable by the user or B replace the downloaded file contents...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2022/04/28 5:26 p.m.90 views

curl: CVE-2022-27780: percent-encoded path separator in URL host

Summary: URL decoding the entire proxy string could lead to SSRF filter bypasses. For example, When the following curl specifies the proxy string http://example.com%2F127.0.0.1 - If curl URL parser or another RFC3986 compliant parser parses the initial string http://127.0.0.1%2F.example.com, it...

7.5AI score0.02187EPSS
Exploits1
Hacker One
Hacker One
added 2022/04/12 12:53 a.m.90 views

Reddit: Regular Expression Denial of Service vulnerability

Summary: The vulnerability I have found is classified as a Regular Expression Denial of Service. While inspecting the source code file RealtimeGQLSubscriptionAsync.js I came across the nodemodule subscriptions-transport-ws See Screenshot 1. The search result of the subscriptions-transport-ws...

5CVSS2AI score0.02821EPSS
Exploits1
Hacker One
Hacker One
added 2021/09/09 12:34 a.m.90 views

curl: CVE-2021-22946: Protocol downgrade required TLS bypassed

Summary: In imap and pop3, --ssl-reqd is silently ignored if the capability command failed. In ftp, a non-standard 230 response preauthentication? in the greeter message forces curl to continue unencrypted, even if TLS has been required. Steps To Reproduce: Use a parameterizable test server to fa...

5CVSS1.7AI score0.04224EPSS
Exploits1
Hacker One
Hacker One
added 2021/05/06 11:3 a.m.90 views

Sifchain: Clickjacking Vulnerability in sifchain.finance

Hello team - Greetings! Hope you are fine. sifchain.finance website is vulnerable to Clickjacking. NOT ONLY THE HOME PAGE IS VULNERABLE, ALL THE PAGES IN THE WEBSITE IS VULNERABLE TO CLICKJACKING. And it has to be fixed because, Clickjacking is an attack that tricks the user to click a webpage...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2021/05/05 4:15 p.m.90 views

Kaspersky: Several domains on kaspersky.com are vulnerable to Web Cache Deception attack

Reported security issue allowed a potential attacker to steal potentially sensitive information of users of a website, because multiple subdomains of the Kaspersky domain were vulnerable to web cache deception attack. In this scenario the user needs to open a phishing link in a web browser. The...

3.8AI score
Exploits0
Hacker One
Hacker One
added 2021/04/07 12:36 a.m.90 views

QIWI: SSRF на https://qiwi.com с помощью "Prerender HAR Capturer"

Здравствуйте! На сайте https://qiwi.com вы используете Prerender HAR Capturer 5.6.0 на основе Headless Chrome для рендеринга HTML, снимков экрана, PDF-файлов и файлов HAR с любой веб-страницы https://github.com/prerender/prerender. Если на qiwi.com послать запрос с измененным юзер-агентом...

Exploits0
Hacker One
Hacker One
added 2021/04/02 6:45 a.m.90 views

Shopify: XSS at https://exchangemarketplace.com/blogsearch

There is an XSS vulnerability on https://exchangemarketplace.com/blogsearch page through the q parameters. https://exchangemarketplace.com/blogsearch?q=OnMoUsEoVeR=prompt/hacked/// F1251282 Impact XSS at https://exchangemarketplace.com/blogsearch...

1.1AI score
Exploits0
Hacker One
Hacker One
added 2021/03/12 7:16 p.m.90 views

Liberapay: Login CSRF : Login Authentication Flaw on https://liberapay.com/

Description: There is no csrf validation while logging in which leads to csrf. An attacker can craft an HTML page containing information to have the victim sign into an attacker's account, where the victim may add sensitive payment information to the attacker's new account assuming he/she is logg...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2020/10/10 9:10 p.m.90 views

Informatica: Cross-site Scripting (XSS) - DOM - iqcard.informatica.com

Hello all I found a DOM based XSS at iqcard.informatica.com Description After finding the path iqcard.informatica.com/pub/fujitsu/fm3v2/player/attach.html. I noticed that the code inside attach.html was vulnerable to DOM XSS, due to the fact of the javascript document.location function. search. T...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2020/06/02 2:29 p.m.90 views

h1-ctf: [H1-2006 2020] The Story of Making Bounty Hunters Happy

Disclaimer: I will try to make this post a fun read, given that whoever triagges will be probably going through similar write-ups again and again. The beginning: Being away from HackerOne over a month had made me rusty. Although the call to arms for Mr. Mickos and the community could not be left...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2020/05/07 11:27 p.m.90 views

Topcoder: IDOR on deleting drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action via discardDraftId parameter

Hi : On https://apps.topcoder.com/wiki/users/viewmydrafts.action, you can see your drafts, edit or delete them. Users can delete their own drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action?discardDraftId=. But there is no check and an attacker can change discardDraftId and delete...

2.4AI score
Exploits0
Hacker One
Hacker One
added 2020/04/23 8:21 p.m.90 views

Cuvva: Time-limit Bypassing, Rate-limit Bypassing and Spamming at https://ops.cuvva.co

Hello cuvva secteam, Hope you are well and safe Summary When trying to sign in at https://ops.cuvva.com: 1. There is no checking if supplied email is valid before sending login link Note: the sent login links do not work but this bug can be used for spamming any supplied email. 2. The time-limit...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2020/04/17 5:8 p.m.90 views

GitHub Security Lab: CPP: Out of order Linux permission dropping without checking return codes

This bug was reported directly to GitHub Security Lab...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2020/03/16 2:9 p.m.90 views

Node.js third-party modules: [sapper] Path Traversal

I would like to report a critical path traversal vunerability in the sapper module It allows an attacker to simply obain arbitrary files from the remote server, exploiting a simple path traversal using URL-encoded "../". Module module name: sapper version: 0.27.10 npm page:...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2020/02/16 5:18 p.m.90 views

Semrush: IDOR in marketing calendar tool

INTRODUCTION I used two accounts to search for this vulnerability: Id: █████ Email: ██████ Id: ███ Email: ███ IP used: 78.194.169.36 Endpoint URL: https://ec.semrush.com/api/v1/ga/userstatus/?calendarid=CALENDARID EXPLOITATION Description of Security Issue: When a marketing calendar is loaded in...

6.5AI score
Exploits0
Hacker One
Hacker One
added 2020/01/25 5:17 p.m.90 views

Localize: 2-factor authentication can be disabled when logged in without confirming account password

Description === When users wants to Disable his/her TwoFactor Authentication, they have to know their account password. But using this vulnerability They don't need password to disable it. this will allow hacker who get someone cookie to disabling twofactor auth and also Fullytakeover the account...

7.2AI score
Exploits0
Hacker One
Hacker One
added 2020/01/08 4:54 a.m.90 views

Automattic: Theme Assets uploader allows HTML content

The reporter submitted a report highlighting that specially formatted yet valid HTML files were able to be uploaded as theme assets. Even though we allow for JavaScript on our blog network, we don't allow HTML files to be uploaded here so that we can restrict JavaScript execution to the blog...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2019/10/30 4:51 p.m.90 views

Automattic: [IDOR] Attacker user can Approve/Decline AFK on the behalf of other users

Summary: Hi team Hope you are good Missing proper authorization checks on the vulnerable request allows an attacker to approve/decline afk of users on the behalf of other user who is a member of other organization. This can be exploited simply by changing the responderuserid in the vulnerable...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2019/10/08 5:43 a.m.90 views

OWOX, Inc.: Session is not expire after logout

Reproduction: step no 1:Open URL:https://www.owox.com/products/ or open your user account step no 2: copy URL or paste another tab step no 3:Go back again first tab or logout your account step no 4: And check the copied URL section is working properly Reference From :244875 Reference From :263873...

Exploits0
Hacker One
Hacker One
added 2019/08/15 10:24 p.m.90 views

U.S. Dept Of Defense: Examples directory is PUBLIC on https://████████mil, leading to multiple vulns

Description: Hello, In an effort to consolidate reporting. I have located 4 issues with having the Examples Directory openmy require just 1 solution to mitigate The following URLs that show concern are the following: 1. https://█████mil/examples/servlets/servlet/SessionExample --Will lead to...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2019/07/27 8:21 a.m.90 views

Starbucks: Subdomain takeover of d02-1-ag.productioncontroller.starbucks.com

Summary: I was able to claim the subdomain: d02-1-ag.productioncontroller.starbucks.com using Azure Cloud Service Platforms Affected: Subdomain Azure Cloud Service Steps To Reproduce: 1. Using dig, I was able to determine that the subdomain 'd02-1-ag.productioncontroller.starbucks.com' was...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2019/06/17 6:51 p.m.90 views

Uber: Arbitrary File Reading on Uber SSL VPN

The hacker has found a series of 0 day related to Pulse Secure SSL VPN...

7.5CVSS1.2AI score0.99999EPSS
Exploits38
Hacker One
Hacker One
added 2019/04/27 3:50 p.m.90 views

HackerOne: Account recovery text message is sending a wrong domain to users.

Hey, I hope you're fine. : Summary: When users setup Account recovery at Authentication section Hackerone sends them text message to their updated phone number with a wrong domain link. Description: When users adds phone number at Account recovery, they get a text message on their phone number,...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2018/07/19 3:51 p.m.90 views

Internet Bug Bounty: heap-buffer-overflow (READ of size 48) in exif_read_data()

exifreaddata in PHP 5.6.36, 7.1.x and 7.2.x is vulnerable to a heap buffer overflow when fed a specially crafted JPEG. Any online service that reads EXIF data from uploaded JPEGs is potentially vulnerable to this flaw. This has been fixed with the release of PHP 7.2.8 today. Other releases are...

4.3CVSS7.3AI score0.04306EPSS
Exploits0
Hacker One
Hacker One
added 2018/06/05 3:58 p.m.90 views

Node.js third-party modules: Arbitrary File Write Through Archive Extraction

I would like to report arbitrary file write vulnerability in adm-zip module It allows attackers to write arbitrary files when a malicious archive is extracted. More info here: https://snyk.io/research/zip-slip-vulnerability https://github.com/snyk/zip-slip-vulnerabilityaffected-libraries Module...

4.3CVSS0.3AI score0.15359EPSS
Exploits1
Hacker One
Hacker One
added 2018/01/08 10:25 p.m.90 views

Open-Xchange: SSRF - Blacklist bypass for mail account addition

FYI - Tested on local installation of App Suite 7.8.4-Rev19, on CentOS 7.4 Hello, There appears to be a vulnerability with the way the IP blacklist works for adding servers for a new mail account. The default blacklist is designed to stop connections to the localhost address, but these can be...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/11/27 6:37 a.m.90 views

Internet Bug Bounty: Multiple issues in Libxml2 (2.9.2 - 2.9.5)

Libxml2 is the XML C parser and toolkit developed for the Gnome project. Due to its flexible C implementation and continuous development, Libxml2 is known to be very portable, the library builds and works on a variety of systems Linux, Unix, Windows, CygWin, MacOS, MacOS X, RISC Os, OS/2, VMS, QN...

7.5CVSS7.5AI score0.1398EPSS
Exploits3
Hacker One
Hacker One
added 2017/05/07 5:41 p.m.90 views

VK.com: local file disclosure via FFmpeg hls processing

Vulnerability in FFmpeg. FFmpeg is video encoding software that is used by VK for preview generation and video conversion. FFmpeg is known to process HLS playlists that may contain references to external files. I was able to fire this feature using GAB2 subtitle chunks inside an AVI file. After...

6.5AI score
Exploits0
Hacker One
Hacker One
added 2017/04/18 7:41 a.m.90 views

Internet Bug Bounty: Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)

A TLS message includes 3 bytes for its length in the header for the message. This would allow for messages up to 16Mb in length. Messages of this length are excessive and OpenSSL includes a check to ensure that a peer is sending reasonably sized messages in order to avoid too much memory being...

4.3CVSS7.6AI score0.13837EPSS
Exploits0
Hacker One
Hacker One
added 2017/01/06 4:17 p.m.90 views

Alvosec: [ns2.████] Vulnerable to DNS Zone Transfer

This server is misconfigured, as a result allowed the consultant to initiate a zone transfer the following shows the output: ██████████. 3600 IN SOA ns1.██████████. webmaster.█████. 2017041813 ;serial 10800 ;refresh 3600 ;retry 604800 ;expire 3600 ;minimum ███. 3600 IN A ██████████ █████. 3600 IN...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2016/12/17 4:38 p.m.90 views

Nextcloud: Limitation of app specific password scope can be bypassed (NC-SA-2017-009)

Limitation of app specific password scope can be bypassed NC-SA-2017-009 Risk level: Low CVSS v3 Base Score: 3 AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N CWE: Improper Authorization CWE-285 Description Improper session handling allowed an application specific password without permission to the files...

4.3CVSS0.7AI score0.00985EPSS
Exploits0
Hacker One
Hacker One
added 2016/08/16 11:25 p.m.90 views

Snapchat: [render.bitstrips.com] Stored XSS via an incorrect avatar property value

While modifying an avatar, an attacker has the opportunity to submit XSS payloads as its property values. The resulting png file will return a 500 error with the payload in the response body. The response has a text/html content type, which makes the XSS attack possible. PoC: 1. Go to...

6AI score
Exploits0
Hacker One
Hacker One
added 2015/03/10 9:51 a.m.90 views

Concrete CMS: Stored XSS in Image Alt. Text

XSS payload can be executed and saved permanently in Image Alt. Text. Poc Code: "click me!"...

6.3AI score
Exploits0
Hacker One
Hacker One
added 2014/05/19 8:12 a.m.90 views

Secret: Content Sniffing not disabled

URL :- https://www.secret.ly/ Issue description :- There was no "X-Content-Type-Options" HTTP header with the value nosniff set in the response. The lack of this header causes that certain browsers, try to determine the content type and encoding of the response even when these properties are...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2023/09/13 2:52 p.m.89 views

Internet Bug Bounty: [curl] CVE-2023-38039: HTTP header allocation DOS

CVE-2023-38039 is a security vulnerability in the curl library that allowed a malicious server to send an unlimited number of headers in an HTTP response, causing curl to exhaust heap memory and potentially leading to a denial-of-service condition...

7.5CVSS7.6AI score0.62246EPSS
Exploits1
Hacker One
Hacker One
added 2023/01/08 12:34 p.m.89 views

curl: CVE-2023-23916: HTTP multi-header compression denial of service

An HTTP multi-header compression denial of service vulnerability was discovered that allowed an attacker to send an HTTP response with many occurrences of Transfer-Encoding and/or Content-Encoding headers, consuming all available memory and causing a denial of service. The vulnerability was patch...

6.5CVSS6.6AI score0.01703EPSS
Exploits1
Hacker One
Hacker One
added 2022/12/14 9:22 p.m.89 views

Internet Bug Bounty: CVE-2022-23519: Rails::Html::SafeListSanitizer vulnerable to XSS when certain tags are allowed (math+style || svg+style)

The following is from: https://hackerone.com/reports/1656627 Intro The Rails HTML sanitzier allows to set certain combinations of tags in it's allow list that are not properly handled. Similar to the report 1530898, which identified the combinationselect and style as vulnerable, my fuzz testing...

5.8CVSS6.3AI score0.00988EPSS
Exploits1
Hacker One
Hacker One
added 2022/06/08 11:19 p.m.89 views

Internet Bug Bounty: Read beyond bounds in mod_isapi.c [zhbug_httpd_41]

Greetings. I have found a read-beyond-bounds bug in httpd that arises from an apparent logic error. The bug is in /modules/arch/win32/modisapi.c, on lines 979 and/or 983, which use the length of the path to the ISAPI DLL |strlenr-filename| to index into the string specified by the ISAPI DLL itsel...

5CVSS7.1AI score0.03398EPSS
Exploits0
Hacker One
Hacker One
added 2021/06/26 1:10 p.m.89 views

Urban Company: Exposed data of credit card details to hacker or attacker.

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Name of Vulnerability:...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2021/06/22 10:56 p.m.89 views

GitHub Security Lab: C++: Support Pqxx connector to search for sql injections to Postgres

This bug was reported directly to GitHub Security Lab...

1AI score
Exploits0
Hacker One
Hacker One
added 2021/05/13 4:53 p.m.89 views

GitHub Security Lab: [Python] CWE-400: Regular Expression Injection

This bug was reported directly to GitHub Security Lab...

1.5AI score
Exploits0
Hacker One
Hacker One
added 2021/05/07 8:20 p.m.89 views

Sifchain: Wrong Url in Main Page

Hello, There is no linkedin account belonging to the url you added to your homepage and this link can be easily captured by someone else. Misunderstandings may occur. F1293094 https://www.linkedin.com/company/kns-group/about/ Impact Broken Link Hijack...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2021/04/26 3:15 a.m.89 views

Logitech: Privilege Escalation Leads to Control The Owner Access Token Which leads to control the stream [streamlabs.com]

Hi Security team, Summary: I was able as Administrator to change the account owner access token Description: As Administrator i have high privileges but i have some restricted areas F1278364 For example i got invitation from MrX with Administrator role. When i navigated to MrX account as...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2021/02/12 6:55 p.m.89 views

Bitso: Broken link hijack

Hello sir My name is Mohit kumar i found a bug known as broken link hijack on telegram Steps to view bug -- Navigate to -- https://bitso.com/ -- go down and click on language and then click on Espanol-Argentina you can now see the telgram link click on that I have attached a video poc too There's...

1.4AI score
Exploits0
Total number of security vulnerabilities5000