HackerOne reports, sorted by most viewed

15371 matches found

Hacker One
added 2019/01/29 4:14 p.m. (87 views)

PayPal: Stored XSS on https://paypal.com/signin via cache poisoning

Due to a configuration in frontend caching servers, it was possible for a researcher to use request smuggling to convert a page request into a cached redirect. If the cached redirect were accessed by a legitimate user, an attacker's content would be rendered instead of the requested page. While...

AI score: 0.8
Exploits: 0
Hacker One
added 2018/09/01 5:45 p.m. (87 views)

Weblate: Tab nabbing via window.opener

Details: When you open a link in a new tab (target="_blank"), the page that opens in the new tab can access the initial tab and change its location using the window.opener property. Attack scenario: here I have provided 2 videos; in video 1 I have my editorial link set, to show that tabnabbing is...

AI score: 6.8
Exploits: 0
Hacker One
added 2018/03/21 1:44 p.m. (87 views)

Node.js third-party modules: [sexstatic] HTML injection in directory name(s) leads to Stored XSS when a malicious file is embedded via an <iframe> element used in a directory name

I would like to report an HTML Injection vulnerability in the sexstatic module. It is possible to use HTML in directory names, which might lead to running arbitrary JavaScript code in the browser. Module: module name: sexstatic; version: 0.6.2; npm page: https://www.npmjs.com/package/sexstatic. Module Descripti...

CVSS: 4.3, AI score: 6.3, EPSS: 0.00922
Exploits: 1
Hacker One
added 2017/05/26 10:41 p.m. (87 views)

Ubiquiti Inc.: CRLF Injection on openvpn.svc.ubnt.com

The researcher reported the vulnerability CVE-2017-5868 in one of our servers; it got promptly mitigated, as no official patch was available at the time of submission. Ubiquiti's employee VPN server was vulnerable to CVE-2017-5868; the issue was reported to them by me and quickly patched. Thank you...

CVSS: 4.3, AI score: 1.9, EPSS: 0.04622
Exploits: 3
Hacker One
added 2015/07/31 12:00 a.m. (87 views)

Internet Bug Bounty: Use After Free Vulnerability in unserialize()

https://bugs.php.net/bug.php?id=70172...

CVSS: 7.5, AI score: 8.4, EPSS: 0.46801
Exploits: 4
Hacker One
added 2024/07/06 12:38 p.m. (86 views)

U.S. Dept Of Defense: Email Takeover leads to permanent account deletion

The security vulnerability found allowed an attacker to change the email address of a victim's account, leading to the permanent deletion of the victim's account. The vulnerability was caused by improper authentication on the change email functionality...

AI score: 7.3
Exploits: 0
Hacker One
added 2024/06/16 8:02 a.m. (86 views)

Basecamp: Path traversal in deeplink query parameter can expose any user's private info to a public directory (one click)

The Basecamp mobile application was found to be vulnerable to a path traversal issue. By crafting a malicious deeplink with a specific "filename" parameter, an attacker could force the application to save user data to any directory on the device, including locations accessible to other applicatio...

AI score: 7
Exploits: 0
Hacker One
added 2023/07/28 11:12 p.m. (86 views)

Yelp: yelp.com and biz.yelp.com ATO via XSS + Cookie Bridge

The researcher discovered an XSS vulnerability on biz.yelp.com where the unverified email was reflected in a message, allowing for arbitrary JavaScript execution. This XSS was combined with Yelp's cookie bridge functionality to target other users, leaking HttpOnly session cookies and enabling...

AI score: 6.3
Exploits: 0
Hacker One
added 2023/07/17 5:09 a.m. (86 views)

Internet Bug Bounty: CVE-2023-36617: ReDoS vulnerability in URI (Ruby)

A ReDoS vulnerability was discovered in the URI component of the Ruby uri gem versions 0.12.1 and earlier. The vulnerability allowed for the mishandling of invalid URLs with specific characters, resulting in an increase in execution time for parsing strings to URI objects. This issue was a result...

CVSS: 5.3, AI score: 7.2, EPSS: 0.02637
Exploits: 0
Hacker One
added 2023/06/21 2:33 a.m. (86 views)

Internet Bug Bounty: HTTP Request Smuggling via Empty headers separated by CR

The llhttp parser in the Node.js http module did not strictly use the CRLF sequence to delimit HTTP requests, which allowed for HTTP Request Smuggling (HRS). This vulnerability affected all active versions of Node.js...

CVSS: 7.5, AI score: 7.7, EPSS: 0.03906
Exploits: 1
Hacker One
added 2023/01/04 3:20 p.m. (86 views)

U.S. Dept Of Defense: [U.S. Air Force] Information disclosure due to unauthenticated access to APIs and system browser functions

Multiple information exposure vulnerabilities were found in a Jira Server instance, allowing unauthenticated attackers to access APIs and system browser functions, leading to unauthorized access to sensitive data. The vulnerability was registered as CVE-2020-14179...

CVSS: 5.3, AI score: 5.4, EPSS: 0.76042
Exploits: 1
Hacker One
added 2021/12/20 1:23 p.m. (86 views)

Krisp: Log4j CVE-2021-44228

The researcher's canary token got DNS interaction, which raised a false sense of log4shell vulnerability. $hostName would be exfiltrated if any of the processing servers were vulnerable, but as seen in the video submitted by the researcher just a plain DNS resolving was made...

AI score: 6.9, EPSS: 0.99999
Exploits: 349
Hacker One
added 2021/07/25 8:33 p.m. (86 views)

U.S. Dept Of Defense: XSS due to CVE-2020-3580 [██████]

Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an...

CVSS: 2.6, AI score: 1.5, EPSS: 0.85439
Exploits: 2
Hacker One
added 2021/04/26 12:34 p.m. (86 views)

UPchieve: Full account takeover of any user through reset password

Summary: Hi Security team members, usually, if we reset our password on https://app.upchieve.org, we get a password reset link in our email. And through that password reset link, we can reset our password. But I noticed that if we add another email in the forgot password request...

AI score: 6.9
Exploits: 0
Hacker One
added 2021/04/12 6:38 p.m. (86 views)

GitHub Security Lab: ihsinme: CPP Add query for CWE-570 detect and handle memory allocation errors.

This bug was reported directly to GitHub Security Lab...

AI score: 1.7
Exploits: 0
Hacker One
added 2020/10/09 1:35 p.m. (86 views)

Weblate: Sending an empty CSRF token logs the user out on [https://hosted.weblate.org/accounts/profile]

Hi, there is a CSRF bug on your website that logs the user out of the dashboard. If the user clicks on the attached file CSRF.html, it redirects to another page, shows the following error, and the user is logged out immediately: F1029146. Steps to reproduce: 1- Log in to your account via the login page. 2- Click on...

AI score: 6.9
Exploits: 0
Hacker One
added 2020/08/21 4:45 a.m. (86 views)

Dropcontact: Information Disclosure through DEBUG at Subscription [https://app.dropcontact.io/app/subscription?connector=salesforce](CRITICAL)

We were displaying some system information in case of the app crashing...

AI score: 6.9
Exploits: 0
Hacker One
added 2020/07/09 5:29 p.m. (86 views)

lemlist: Stored XSS in app.lemlist.com

Hi there, I found a stored XSS on app.lemlist.com. Steps To Reproduce: 1. Go to https://app.lemlist.com/. 2. Create or edit campaigns. 3. Visit the tab Buddies-to-Be. 4. Click "Add one" at the top right. 5. Fill in the input. 6. Add / Icebreaker and companyName. 7. Click create. POC: F901411. Impact: Stealing...

AI score: 6.8
Exploits: 0
Hacker One
added 2020/04/22 12:29 p.m. (86 views)

Mail.ru: XSS on https://deti.mail.ru/

deti.mail.ru allowed inserting javascript: links into post content, leading to a self-XSS possibility when editing messages...

AI score: 6.1
Exploits: 0
Hacker One
added 2020/04/17 4:00 p.m. (86 views)

GitHub Security Lab: Go/CWE-643: XPath Injection Query in Go

This bug was reported directly to GitHub Security Lab...

AI score: 1.4
Exploits: 0
Hacker One
added 2020/02/27 5:40 a.m. (86 views)

Visma Bug Bounty Program: A non-administrator user can change his email even when it is restricted by an administrator

A non-administrator user can change his email, even when it is restricted by an administrator, by tampering with the response data. Steps to Reproduce: Log in as a normal user and go to the "My details" tab in Profile. Click on the Edit icon in the Account section. If this functionality is locked by your...

AI score: 1.5
Exploits: 0
Hacker One
added 2020/02/03 5:32 p.m. (86 views)

Visma Bug Bounty Program: A user can view the name and number of a customer in another company if the GUID is known

An IDOR vulnerability exists in /api/internal/customerlabels/, allowing an attacker to add a label to a customer in another company if he has previous knowledge of the UUID. The result is that the name and number of the customer are shown in the attacker's context. As all objects in the API ar...

AI score: 1.8
Exploits: 0
Hacker One
added 2019/11/05 5:09 p.m. (86 views)

Genasys Technologies: Ability to bypass social OAuth and take over any account [d2c-api]

Summary: An attacker is able to log in to any email account that doesn't belong to him by using the OAuth functionality at https://staging.genasystech.co.uk/d2c-api/v1/account/login/provider. Steps To Reproduce: 1. Register an account with an email and verify it using the one time code that is...

AI score: 0.1
Exploits: 0
Hacker One
added 2018/09/26 9:32 p.m. (86 views)

PayPal: IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users

PayPal Business Accounts allow account owners to create multiple secondary users with specific privileges assigned to their employees. This submission identified a method that made it possible for a Business Account owner to assign secondary users from other accounts. The new secondary user would...

AI score: 4.7
Exploits: 0
Hacker One
added 2018/07/05 2:14 p.m. (86 views)

VK.com: CVE-2018-0296

Path traversal...

CVSS: 5, AI score: 7.5, EPSS: 0.99903
Exploits: 18
Hacker One
added 2017/07/28 1:40 p.m. (86 views)

Bitvise: The POODLE attack (SSLv3 supported)

Hi Bitvise Security Team, the URL https://massmail.bitvise.com/ is vulnerable to the SSL POODLE attack. Websites that support SSLv3 and CBC-mode ciphers are potentially vulnerable to an active MITM (man-in-the-middle) attack. This attack, called POODLE, is similar to the BEAST attack and also allows a...

AI score: 6.8
Exploits: 0
Hacker One
added 2017/06/29 4:12 p.m. (86 views)

WakaTime: Missing SPF Flags

I was just looking at your SPF records and found the following. The SPF record is missing a safe check, which can allow me to send mail and easily phish any victim. PoC: The TXT records found for your domain are: v=spf1 include:spf.google.com include:mailgun.org include:spf.sendinblue.com all. Checking to see ...

AI score: 7.2
Exploits: 0
Hacker One
added 2017/02/24 3:50 p.m. (86 views)

VK.com: Bypass: "Audio recording is not available for listening in your region."

Bypass of regional restrictions on audio recordings via attachments in the mobile version of the site...

AI score: 6.9
Exploits: 0
Hacker One
added 2016/07/05 5:37 a.m. (86 views)

ExpressionEngine: Filename and directory enumeration

Hello, the "Import File Converter" can be abused by an admin to map the server's directories and files, because the "File location" field doesn't sanitize the user input and allows access to root directories and files. Steps to reproduce: 1- Go to...

AI score: 1.4
Exploits: 0
Hacker One
added 2016/04/26 10:31 p.m. (86 views)

Internet Bug Bounty: ASN.1 BIO excessive memory allocation (CVE-2016-2109)

On 4 April 2016 I reported a bug to the OpenSSL Security Team where I was able to force OpenSSL to use large amounts of CPU time, memory and swap space. They confirmed receipt on 6 April 2016, and on 22 April 2016 I was notified that they were assigning CVE-2016-2109 to this flaw and the fix was...

CVSS: 7.8, AI score: 8.6, EPSS: 0.2921
Exploits: 1
Hacker One
added 2016/01/17 3:23 p.m. (86 views)

ownCloud: The CSRF token remains the same after the user logs in

As the CSRF token doesn't change after login, any other user that uses the same workstation is vulnerable. A safer way would be to use a dynamic CSRF token or just change the token after login, so an attacker doesn't get hold of it. Details of the attack scenario in a shared workstation environment...

AI score: 0.3
Exploits: 0
Hacker One
added 2015/10/28 8:05 a.m. (86 views)

withinsecurity: DDoS using xmlrpc.php

WordPress blogs that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made part of a huge botnet causing a major DDoS. The blog at withinsecurity.com has the xmlrpc.php file enabled and could thus potentially be used for such an attack against other victim hosts. In order to...

AI score: 7
Exploits: 0
Hacker One
added 2015/06/26 7:53 p.m. (86 views)

HackerOne: CSV Injection with the CSV export feature

The "Download as a CSV" feature of HackerOne does not properly "escape" fields. This allows an adversary to turn a field into active content, so when a response team downloads the CSV and opens it, the active content gets executed. Here is more information about this issue:...

AI score: 0.3
Exploits: 0
Hacker One
added 2014/09/30 6:51 p.m. (86 views)

HackerOne: Homograph attack: IDNs displayed in Unicode in bug reports and on the external link warning page

The IDN http://ebаy.com/ is a homograph for the Latin ebay.com. If you click that first link, you might think that you are going to ebay.com. In fact, you are going to the homograph URL http://xn--eby-7cd.com/. More info: http://www.chromium.org/developers/design-documents/idn-in-google-chrome ... more...

AI score: 1.1
Exploits: 0
Hacker One
added 2014/06/20 12:00 a.m. (86 views)

Internet Bug Bounty: SPL ArrayObject/SPLObjectStorage Unserialization Type Confusion Vulnerabilities

This vulnerability was reported directly to the PHP development team. A detailed summary is available here: https://www.sektioneins.de/en/blog/14-08-27-unserialize-typeconfusion.html...

CVSS: 7.5, AI score: 7.7, EPSS: 0.30128
Exploits: 4
Hacker One
added 2014/06/06 6:39 p.m. (86 views)

Internet Bug Bounty: Flash Sandbox Bypass

Adobe Flash Player issues 2719 and 2720. Exploitation of this bug uses 2 separate vulnerabilities. 2720 is a bug which is able to, from the local-with-file sandbox (the default local sandbox), open both local and remote files (local files and http/https resources). An attacker could for example read your...

CVSS: 7.5, AI score: 6.2, EPSS: 0.10052
Exploits: 0
Hacker One
added 2024/03/21 6:47 p.m. (85 views)

Internet Bug Bounty: Libuv: Improper Domain Lookup that potentially leads to SSRF attacks

The vulnerability in the libuv library was caused by the improper truncation of hostnames to 256 characters before calling the getaddrinfo function. This behavior allowed the creation of addresses like 0x00007f000001, which were considered valid by getaddrinfo, potentially leading to SSRF attacks...

CVSS: 7.3, AI score: 7.4, EPSS: 0.02003
Exploits: 1
Hacker One
added 2023/08/31 4:14 a.m. (85 views)

FetLife: fetlife.com/signup_step_profile exposes the access_token of mapbox.com

Vulnerability description not provided...

AI score: 7.1
Exploits: 0
Hacker One
added 2023/08/28 6:25 a.m. (85 views)

Internet Bug Bounty: [CVE-2023-23913] DOM Based Cross-site Scripting in rails-ujs for contenteditable HTML Elements

A DOM-based cross-site scripting vulnerability was discovered in rails-ujs, affecting versions 5.1.0 and above. By pasting malicious HTML content with specific attributes into a contenteditable element, an attacker could execute arbitrary JavaScript on the affected origin. The vulnerability has...

CVSS: 6.3, AI score: 6.1, EPSS: 0.00632
Exploits: 0
Hacker One
added 2023/07/06 6:47 a.m. (85 views)

inDrive: Blind SQL injection on id.indrive.com

A blind SQL injection vulnerability was found where user input was not sanitized before being used in SQL queries. This allowed arbitrary SQL commands to be injected, revealing details of the backend database...

AI score: 8.3
Exploits: 0
Hacker One
added 2023/04/27 1:00 a.m. (85 views)

Reddit: Regression on dest parameter sanitization doesn't check scheme/websafe destinations

A vulnerability was discovered in Reddit's login page where the "dest" parameter was not properly sanitized, allowing an attacker to perform a JavaScript-based Open Redirect attack. This could lead to Cross-Site Scripting (XSS) injection and potential cookie theft. An attacker could exploit this...

AI score: 6.2
Exploits: 0
Hacker One
added 2022/08/09 1:51 p.m. (85 views)

Internet Bug Bounty: [CVE-2022-35949]: undici.request vulnerable to SSRF using absolute / protocol-relative URL on pathname

GHSA: https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3. Report: https://hackerone.com/reports/1642017. Impact: SSRF...

CVSS: 7.5, AI score: 8.9, EPSS: 0.01388
Exploits: 1
Hacker One
added 2022/04/30 7:24 p.m. (85 views)

curl: CVE-2022-27781: CERTINFO never-ending busy-loop

Summary: Curl is prone to a DoS attack in case the NSS TLS library is used and the CERTINFO option is enabled. Using maliciously crafted certificates on a server, an attacker can make curl run into an endless loop when connecting to the server. The bug is located in the following code segment...

AI score: 0.1, EPSS: 0.02434
Exploits: 1
Hacker One
added 2022/04/27 4:16 p.m. (85 views)

Internet Bug Bounty: OAUTH2 bearer not-checked for connection re-use

libcurl might reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTPS, IMAPS, POP3S and LDAPS (OpenLDAP only). libcurl maintains a pool of connections afte...

CVSS: 5.5, AI score: 8.1, EPSS: 0.01914
Exploits: 1
Hacker One
added 2021/09/28 12:50 p.m. (85 views)

Elastic: Fix for CVE-2021-22151 (Kibana path traversal issue) can be bypassed on Windows

Summary Hello team, I hope you're doing well! I was combing through your GitHub repository to look at the fixes for recent security releases and found the fix for CVE-2021-22151 to be incomplete. The current fix makes assumptions that are true on Linux but that don't hold on Windows. Details The...

AI score: 5.7, EPSS: 0.00704
Exploits: 0
Hacker One
added 2021/09/26 9:09 a.m. (85 views)

MTN Group: CVE-2021-38314 @ https://www.mtn.ci

Summary: Hello. I your domain https://www.mtn.ci was vulnerable to CVE-2021-38314. Description: The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the includes function in...

CVSS: 5, EPSS: 0.28961
Exploits: 6
Hacker One
added 2021/02/17 10:18 p.m. (85 views)

GitHub Security Lab: [JavaScript]: add query for Express-HBS LFR

This bug was reported directly to GitHub Security Lab...

AI score: 0.6
Exploits: 0
Hacker One
added 2020/09/10 9:28 p.m. (85 views)

Logitech: GET based Open redirect on [streamlabs.com/content-hub/streamlabs-obs/search?query=]

Summary: Description: in the following link, the parameter query is reflected in multiple places; one of them is in the tag in the head section of the HTML source, the reflection being in the content attribute, to be precise. Check the image below: F983200. And I was able to break out of the content...

AI score: 6.8
Exploits: 0
Hacker One
added 2020/08/18 8:54 p.m. (85 views)

HackerOne: Recently added 'Country' field doesn't send email notification when changed

Summary: Hi team, this is a small bug report. Actually I think there is no important security issue, but I wanted to report it ¯\_(ツ)_/¯. If you change your 'Country' information in account settings, HackerOne doesn't send the "Your profile was recently changed" email. Description: There is an email...

AI score: 0.2
Exploits: 0
Hacker One
added 2019/12/04 9:38 p.m. (85 views)

Polymail, Inc.: XSPA on API service endpoint

The batch endpoint on the API was vulnerable to XSPA due to incorrect validation of the url parameter in the request body...

AI score: 2.4
Exploits: 0
Total number of security vulnerabilities: 5000