Lucene search
K
HackeroneMost viewed

15371 matches found

Hacker One
Hacker One
added 2020/10/09 1:6 p.m.89 views

U.S. Dept Of Defense: Access to Unclassified / FOUO Advanced Motion Platform of █████████.mil

Hey, I have recently found a website in the namespace of the Amazon Web Services cloud for the US government which exposes a classification header of Unclassified / FOUO. Hence, I thought it might be a good idea to report this vulnerability to you. Furthermore, the source code tells us that the...

Exploits0
Hacker One
Hacker One
added 2020/08/16 2:23 p.m.89 views

Visma Public: Information disclosure to "Permission as auditor" user

Inside the same company, the researcher was able to view information that that was not supposed to with the Auditor role associated with the user...

2.1AI score
Exploits0
Hacker One
Hacker One
added 2020/08/09 2:54 p.m.89 views

U.S. Dept Of Defense: Сode injection host █████████

Good day, security team. Host █████████ vulnerable to code injection. POC The server makes a time delay. POST /cgi-bin/gMapBuild.py HTTP/1.1 Host: ███ Accept: / Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded...

Exploits0
Hacker One
Hacker One
added 2020/08/05 11:26 a.m.89 views

U.S. Dept Of Defense: [CVE-2020-3452] Unauthenticated file read in Cisco ASA

Hey, I found out that host ████████.mil was vulnerable to CVE-2020-3452. You can test it by visiting the URL: https://██████████.mil/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portalinc.lua To try it with CURL please run the following command:...

5CVSS0.99992EPSS
Exploits24
Hacker One
Hacker One
added 2020/06/09 2:54 a.m.89 views

h1-ctf: [H1-2006 2020] Includes 1 free content discovery

Summary Got it! Thanks guys for going through the trouble to make these. Best regards @nahamsec @adamtlangley @B3nac for hosting and @hackingfish @zonkism and @clos for peer support to make it. Writeup to follow, but let's have the flag first! F859962 Impact Participating in CTFs can cause...

7AI score
Exploits0
Hacker One
Hacker One
added 2020/06/06 8:32 a.m.89 views

Radancy: [www.werkenbijbakertilly.nl] Information Disclosure

the 50x status code server responded with an html page containing the nginx version. an update of the loadbalancer fixed the issue. Summary When the web server encountered a 502 GateWay error, I discovered a strange bug in which internal information was exposed. Description When web server 502...

1.6AI score
Exploits0
Hacker One
Hacker One
added 2020/01/23 9:58 p.m.89 views

GitHub Security Lab: CodeQL query to detect weak (duplicated) encryption keys for ASP.NET Telerik Upload

This bug was reported directly to GitHub Security Lab...

1.2AI score
Exploits0
Hacker One
Hacker One
added 2019/11/05 2:7 a.m.89 views

Shopify: Stored XSS in private message

1.Open customer function https://mosuan-img-src-x.myshopify.com/admin/customers 2.Click on the customer's email address F625957 3.Click the sent message on the current page F625959 Impact admin...

0.8AI score
Exploits0
Hacker One
Hacker One
added 2019/10/31 6:8 a.m.89 views

curl: SMB access smuggling via FILE URL on Windows

Summary: While CURL 7.62 parses URLs that have an ? parameter separator char after the fragment separator, CURL urlapi code treats the path with the hash part as it being the same one, this may allow some problem on specific protocols that may have a security impact. On HTTP, an attacker may be...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2019/09/14 6:24 p.m.89 views

New Relic: Can fake content email of newrelic to any user

@lamscun reported an issue where an arbitrary account name, including special characters and anchor tags, would show up in an invitation email. While we've seen this issue several times, we've decided not to change how account names are formatted. Ultimately, the email client determines how the...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2019/07/27 4:50 p.m.89 views

Mail.ru: Information Disclosure - Получаем доступ к работам и к приватным презентациям к курсам

Access to course training materials was possible in Geekbrains due to read access to S3-compatible bucket. Geekbrains belongs to extended Ext. B scope...

2.6AI score
Exploits0
Hacker One
Hacker One
added 2018/09/26 9:32 p.m.89 views

PayPal: IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users

PayPal Business Accounts allow account owners to create multiple secondary users with specific privileges assigned to their employees. This submission identified a method that made it possible for a Business Account owner to assign secondary users from other accounts. The new secondary user would...

4.7AI score
Exploits0
Hacker One
Hacker One
added 2018/01/08 10:25 p.m.89 views

Open-Xchange: SSRF - Blacklist bypass for mail account addition

FYI - Tested on local installation of App Suite 7.8.4-Rev19, on CentOS 7.4 Hello, There appears to be a vulnerability with the way the IP blacklist works for adding servers for a new mail account. The default blacklist is designed to stop connections to the localhost address, but these can be...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/01/06 4:17 p.m.89 views

Alvosec: [ns2.████] Vulnerable to DNS Zone Transfer

This server is misconfigured, as a result allowed the consultant to initiate a zone transfer the following shows the output: ██████████. 3600 IN SOA ns1.██████████. webmaster.█████. 2017041813 ;serial 10800 ;refresh 3600 ;retry 604800 ;expire 3600 ;minimum ███. 3600 IN A ██████████ █████. 3600 IN...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2016/09/15 8:58 a.m.89 views

X (Formerly Twitter): Twitter iOS fails to validate server certificate and sends oauth token

Twitter on iOS newest two versions 6.62 and 6.62.1 are affected, other versions not tested. Tested independently on two different iPhone 6 with iOS version 9.3.3 and 9.3.5 without Jailbreak. The iPhone were without any mobileconfig profiles installed - no we did not install any CA certificate in...

4.3CVSS5.9AI score0.00822EPSS
Exploits1
Hacker One
Hacker One
added 2016/08/27 3:36 p.m.89 views

VK.com: Обход 2ух-шаговой авторизации / 2FA Bypass

Недостаточная проверка пользователя при сбросе сессий. Был косяк в функционале завершения сессий. При обращении на login.vk.com с resethash любого пользователя, мы получали доступ к аккаунту жертвы минуя 2FA...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2016/08/24 4:53 p.m.89 views

Nextcloud: Information Disclosure of .htaccess file in Private Server/Subdomain

@ahsantahir reported a missing permission check on an internal service allowing the extraction of the .htaccess file. We've fixed this by adjusting the Apache configuration and putting Basic Auth in front of the page. On request of the reporter this is disclosed limitedly. Non-Critical, small...

2.1AI score
Exploits0
Hacker One
Hacker One
added 2016/05/18 7:13 p.m.89 views

Phabricator: Passphrase credential lock bypass

mongoose :D Testing was performed on our own installed testing environment, with a standard installation and configuration of Phabricator. The Passphrase application has feature where stored credentials can be locked. When you lock a credential, it claims "This credential will be locked and the...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2015/03/10 9:51 a.m.89 views

Concrete CMS: Stored XSS in Image Alt. Text

XSS payload can be executed and saved permanently in Image Alt. Text. Poc Code: "click me!"...

6.3AI score
Exploits0
Hacker One
Hacker One
added 2014/05/19 8:12 a.m.89 views

Secret: Content Sniffing not disabled

URL :- https://www.secret.ly/ Issue description :- There was no "X-Content-Type-Options" HTTP header with the value nosniff set in the response. The lack of this header causes that certain browsers, try to determine the content type and encoding of the response even when these properties are...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2023/11/11 5:2 p.m.88 views

U.S. Dept Of Defense: Unauthenticated File Read Adobe ColdFusion

A vulnerability allowing unauthenticated arbitrary file read in Adobe ColdFusion was discovered. This could result in unauthorized access to sensitive data on affected systems. The vulnerability impacts ColdFusion versions 2021 Update 5 and earlier, and 2018 Update 15 and earlier. Mitigation is t...

8.6CVSS8.4AI score0.97339EPSS
Exploits13
Hacker One
Hacker One
added 2022/09/07 7:32 p.m.88 views

TikTok: Stored XSS in the ticketing system

A Stored Cross-Site Scripting XSS vulnerability was found on a TikTok Seller endpoint, which could have resulted in a JavaScript payload injected into the endpoint causing it to be executed within the context of the victim's browser. We thank @codeslayer137 for reporting this to our team...

1.7AI score
Exploits0
Hacker One
Hacker One
added 2022/03/24 9:23 a.m.88 views

Internet Bug Bounty: Time-of-check to time-of-use vulnerability in the std::fs::remove_dir_all() function of the Rust standard library

The implementation of std::fs::removedirall in the Rust standard library is vulnerable to a time-of-check to time-of-use link replacement attack. This applies to all versions of Rust before 1.58.1. Vulnerability details The documentation of std::fs::removedirall guarantees that the function does...

3.3CVSS6.8AI score0.01376EPSS
Exploits1
Hacker One
Hacker One
added 2021/06/20 10:38 a.m.88 views

Unikrn: Open URL Redirection

Open URL Redirect Steps To Reproduce: 1 Go to the following link & Register for new account https://unikrn.com/██████ 2 After registering It will redirect to example.com Reference: https://www.owasp.org/index.php/UnvalidatedRedirectsandForwardsCheatSheet Impact The attacker can force the user to...

1AI score
Exploits0
Hacker One
Hacker One
added 2020/12/30 5:23 p.m.88 views

h1-ctf: HackyHolidays H1 CTF Writeup

HackyHolidays Day 1 Once the CTF started and the Grinch released the scope hackyholidays.h1ctf.com, I started the CTF by a good old Nmap scan, to see whats running on the server. So the nmap command looked like nmap -sC -sV -oA nmap hackyholidays.h1ctf.com/. The result showed a promising entry...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2020/08/06 12:48 p.m.88 views

Zomato: Solr Injection in `user_id` parameter at :/v2/leaderboard_v2.json

@zzzhacker13 identified a Solr Injection on the userid parameter at :/v2/leaderboardv2.json. Our team analyzed internally and found that only fq=injection was possible on the Solr endpoint, hence the Solr injection was of low impact since there was no way to escalate it to exfiltrate data, one...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2020/06/09 4:54 p.m.89 views

h1-ctf: [H1-2006 2020] CTF write-up

Summary: Hello HackerOne team! I finally managed to solve this long but really nice CTF! Here is the flag: ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$. You can access my writeup at https://diego95root.github.io/posts/H1-2006-CTF/. It's password protected, the password is the flag. Thank you so...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2020/06/01 2:35 p.m.88 views

h1-ctf: [H1-2006 2020] [Multiple Vulnerability] CTF Writeup - @abdilahrf_

As there is a private invite for the first 10 solver, i send only the flag now F851115 will complete my writeup on the next comment. Impact Controlling martenmickos account...

3.9AI score
Exploits0
Hacker One
Hacker One
added 2020/04/10 1:8 p.m.88 views

BTFS: xss on bittorrent.com

hi team i realized xss bug on headers.php. https://www.bittorrent.com/scripts/site/headers.php?=1586521900793&callback= https://www.bittorrent.com/scripts/social/gettweet.php?=1586521900791&callback= its works on IE browsers. Impact fix them...

1.6AI score
Exploits0
Hacker One
Hacker One
added 2020/01/14 1:7 a.m.88 views

Yelp: No rate limiting for confirmation email lead to email flooding

Description: There is no rate limiting implemented in sending the confirmation email. Thus, attacker can use this vulnerability to bomb out the email inbox of the victim. Affected URL: https://biz.yelp.com/welcome/resendconfirmation with POST method Details: 1. Login to biz.yelp.com 2. Go to...

Exploits0
Hacker One
Hacker One
added 2019/12/12 9:36 a.m.88 views

Mail.ru: Public available Sensitive Information about drivers

Domain, site, application -- API for client app Citimobil https://c-api.city-mobil.ru/ Version 4.33.0 and others Testing environment -- Device on any OS with internet connection Any software to send https requests Steps to reproduce -- Send POST request to url...

Exploits0
Hacker One
Hacker One
added 2019/12/06 10:2 p.m.88 views

Nord Security: Open redirect

The following URL is vulnerable to an open redirect it will redirect to google.com: https://support.nordvpn.com//path///google.com vulnerable code: if window.location.href.indexOf'/path' !== -1 console.log"document.URL", document.URL window.location.href =...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2019/11/25 2:2 p.m.88 views

Mail.ru: Boolean-based SQL Injection on relap.io

Boolean/error based SQLi in relap.io due to insecure use of GET parameters...

2.9AI score
Exploits0
Hacker One
Hacker One
added 2018/10/02 2:24 a.m.88 views

HackerOne: Revoking user session in https://hackerone.com/settings/sessions does not revoke the GraphQL query session

Hi Team, Summary: I have found an Insufficient Session Expiration on implementation of the new Revoke user session feature of HackerOne here: https://hackerone.com/settings/sessions Description: The new REVOKE session feature will destroy the session of the selected device, that means any request...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2018/09/01 5:45 p.m.88 views

Weblate: Tab nabbing via window.opener

Details: When you open a link in a new tab target="blank" , the page that opens in a new tab can access the initial tab and change it's location using the window.opener property. Attack scenario: here i have provided 2 videos, in video 1 i have my editorial link set. to show that tabnapping is...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2018/07/25 5:23 a.m.88 views

Ubiquiti Inc.: Reflected XSS in Nanostation Loco M2 - AirOS ver=6.1.7

AirMax XW.v6.2.0 and prior containing multiple end-points with parameters vulnerable to reflected cross site scripting XSS, allowing attackers to abuse the user' session information and/or account takeover of the admin user. These vulnerabilities were found on AirMax AirMax AirOS v6.2.0 and prior...

4.3CVSS0.4AI score0.0102EPSS
Exploits0
Hacker One
Hacker One
added 2018/07/17 2:32 p.m.88 views

Semrush: Stored XSS in '' Section and WAF Bypass

Summary Stored Cross-site Scripting XSS is the most dangerous type of Cross Site Scripting. Web applications that allow users to store data are potentially exposed to this type of attack. stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores...

5.7AI score
Exploits0
Hacker One
Hacker One
added 2018/03/21 1:44 p.m.88 views

Node.js third-party modules: [sexstatic] HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name

I would like to report HTML Injection vulnerability in sexstatic module. It is possible to use HTML in directory names, which might lead to run arbitrary JavaScript code in the browser. Module module name: sexstatic version: 0.6.2 npm page: https://www.npmjs.com/package/sexstatic Module Descripti...

4.3CVSS6.3AI score0.00922EPSS
Exploits1
Hacker One
Hacker One
added 2018/02/28 7:28 a.m.88 views

Grab: [growth.grab.com] Reflected XSS via Base64-encoded "q" param on "my.html" Valentine's microsite

Hi, An encoded injection in the q parameter on my.html can be used to reflect JavaScript in the growth.grab.com context. This microsite creates a "Grab's Valentine" card for a driver over the past year, and carries its data in Base64 format. Proof of concept Please visit the following URL, scroll...

Exploits0
Hacker One
Hacker One
added 2017/08/13 9:36 a.m.88 views

Internet Bug Bounty: Use-after-free in XML::LibXML::Node::replaceChild

Hi security team, I have reported a bug in Perl https://rt.cpan.org/Public/Bug/Display.html?id=122246 this bug was assigned CVE-2017-10672 https://nvd.nist.gov/vuln/detail/CVE-2017-10672...

7.5CVSS8.9AI score0.07929EPSS
Exploits1
Hacker One
Hacker One
added 2017/01/24 3:17 p.m.88 views

LocalTapiola: SQL Injection /webApp/cancel_iltakoulu regId parameter (viestinta.lahitapiola.fi)

Basic report information Summary: There is a SQL Injection vulnerability on http://viestinta.lahitapiola.fi/webApp/canceliltakoulu?regId=478836614&locationId=464559674 Domain: viestinta.lahitapiola.fi Steps To Reproduce: Tested on sqlmap framework with following command: ./sqlmap.py -u...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2016/12/04 11:40 a.m.88 views

Nextcloud: Login Hints on Admin Panel

Hi, Hope you are doing fine. I wanted to inform you regarding the enabling of the login hints on your wp-admin panelhttps://nextcloud.com/wp-login.php. Vulnerability: The admin panel shows very "specific" hint information if a hacker tries for a bruteforcing attack. Steps to reproduce: 1. Navigat...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2016/06/22 10:35 a.m.88 views

Informatica: [product360.informatica.com] Unauthenticated Apache Tomcat 8 Installation

The consultant identified that the affected url and port leads to an unprotected default Apache X configuration, this service should be protected or removed if not required. The affected link is as follows: http://product360.informatica.com:8443/ Upon visiting the URL, the consultant was presente...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2016/05/15 12:3 a.m.88 views

Uber: OneLogin authentication bypass on WordPress sites via XMLRPC

When a user logs on one of your WordPress sites via OneLogin, the authentication plugin creates a new entry in the WordPress user database with the default password @@@nopass@@@. This wouldn't be a problem if the plugin disabled all normal WordPress authentication methods, but it doesn't. The...

7.4AI score
Exploits0
Hacker One
Hacker One
added 2016/02/21 8:33 p.m.88 views

Mail.ru: Admin panel access restrictions bypass [poll.mail.ru/admin/]

Access to http://poll.mail.ru/admin/ could be obtained. poll.mail.ru is not currently in the Bug Bounty scope, but reward was issued due to problem significance...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2015/06/11 12:0 a.m.88 views

Internet Bug Bounty: Malformed ECParameters causes infinite loop

Malformed ECParameters causes infinite loop CVE-2015-1788 =========================================================== Severity: Moderate When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can...

4.3CVSS6.6AI score0.23222EPSS
Exploits0
Hacker One
Hacker One
added 2023/10/19 10:1 a.m.87 views

Internet Bug Bounty: [CVE-2023-38546] cookie injection with none file

A vulnerability was found in the libcurl library. By duplicating an easy handle with cookies enabled but no cookies loaded, and a nonexistent cookie file specified, an attacker could potentially inject cookies into a program using libcurl if a file named "none" was present and readable in the...

3.7CVSS7.3AI score0.06208EPSS
Exploits0
Hacker One
Hacker One
added 2022/10/02 8:47 a.m.87 views

Acronis: mail.acronis.com is vulnerable to zero day vulnerability CVE-2022-41040

Hello Acronis team, Please run curl -ksL -m5 -o /dev/null -I -w "%httpcode" "https://mail.acronis.com/autodiscover/autodiscover.json?Email=autodiscover/[email protected]&Protocol=ActiveSync" curl -ksL -m5...

6.5CVSS1.6AI score0.99945EPSS
Exploits9
Hacker One
Hacker One
added 2022/08/25 11:29 a.m.87 views

U.S. Dept Of Defense: Host Header Injection on https://███/████████/Account/ForgotPassword

Dear DoD Team, I found one high bug on your another domain. This is from Hack US Program. Affected domain is https://█████/ An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Very often multiple websites are hosted on...

5.7AI score
Exploits0
Hacker One
Hacker One
added 2020/10/26 5:0 a.m.87 views

U.S. Dept Of Defense: [████] SQL Injections on Referer Header exploitable via Time-Based method

Summary: SQL Injections on Referer Header exploitable via Time-Based method Description: https://owasp.org/www-community/attacks/SQLInjection Impact https://owasp.org/www-community/attacks/SQLInjection Step-by-step Reproduction Instructions First, vulnerable points:...

7.3AI score
Exploits0
Total number of security vulnerabilities5000