Lucene search
K
HackeroneMost viewed

15372 matches found

Hacker One
Hacker One
added 2021/04/15 3:12 p.m.77 views

Ruby: 'net/ftp': Uncontrolled Resource Consumption (Memory/CPU)

Current TIMEPARSER implementation allows attackers to cause a denial of service memory consumption via a large integer value for the fractions property. The problem code: ruby TIMEPARSER = -value, local = false unless /\A?\d4?\d2?\d2 ?\d2?\d2?\d2 ?:.?\d+?/x = value raise FTPProtoError, "invalid...

1.2AI score
Exploits0
Hacker One
Hacker One
added 2021/04/12 6:38 p.m.77 views

GitHub Security Lab: [codeql-go]: Add CWE-79: HTML template escaping passthrough

This bug was reported directly to GitHub Security Lab...

Exploits0
Hacker One
Hacker One
added 2020/12/20 5:38 p.m.77 views

Concrete CMS: Phar Deserialization Vulnerability via Logging Settings

Vulnerability Description: The vulnerable code is located within the concrete/controllers/singlepage/dashboard/system/environment/logging.php script. Specifically, into the Logging::updatelogging method: public function updatelogging $config = $this-app-make'config'; $request = $this-request; if...

6.5CVSS7.6AI score0.0368EPSS
Exploits1
Hacker One
Hacker One
added 2020/11/03 12:13 a.m.77 views

Basecamp: SSL expired subdomain leads to API swap with main and flagged cookies. Unable to log device ids and certain session tokens.

SUMMARY - Replacing the login page of launchpad.37signals.com with subdomain help-basecamphq.37signals.com greats you to a login page in which is unsecure and with header sec-fetch-site: same-origin injected into your headers you can disable cookies such as . STEPS TO REPRODUCE 1. Visit...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2020/08/11 11:0 p.m.77 views

Avito: link.avito.ru - Bypass of restrictions on external links.

Hello Avito! On "link.avito.ru" subdomain of "www.avito.ru" attacker able to bypass restriction for dangerous external links via trusted domain google.com. This scenario may be also possible with all other trusted subdomains of avito such as "yandex.ru" and so on, but in this example i'm used...

7AI score
Exploits0
Hacker One
Hacker One
added 2020/05/16 10:40 p.m.77 views

Stripo Inc: Integer Overflow (CVE_2017_7529)

Integer Overflow - The issue affects nginx 0.5.6 - 1.13.2...

5CVSS3.8AI score0.62597EPSS
Exploits6
Hacker One
Hacker One
added 2020/04/26 2:0 p.m.77 views

Stripo Inc: CORS on my.stripo.email

Hey Team i don't know if it's valid or not i just want to let you know about this thanks. following the HTML File .. var req = new XMLHttpRequest; req.onload = reqListener; req.open'get','https://my.stripo.email/cabinet/stripo-ws/v1/stripo-websocket/info?t=1587908666898',true; req.withCredentials...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2020/04/10 12:4 p.m.77 views

BTFS: .git file accessible on remote.bittorrent.com

Hi team, i detected your .git file accessible for any unauthorized user. url : https://remote.bittorrent.com/static/webui/.git/config HTTP/1.1 200 OK Set-Cookie: BTURT=talon-i-0837bbfadd509c546-2; path=/; domain=.utorrent.com Server: TornadoServer/2.1.1git Connection: keep-alive Content-Length: 2...

0.8AI score
Exploits0
Hacker One
Hacker One
added 2020/03/15 5:34 p.m.77 views

Kubernetes: IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements

This bug report mostly concerns the default CNI plugins https://github.com/containernetworking/plugins but I believe affects many K8S clusters. Because the CNI team still doesn’t provide an explicit way to report security bugs, I hope the K8S security team doesn’t mind doing the coordination job...

9.3CVSS7AI score0.14555EPSS
Exploits0
Hacker One
Hacker One
added 2019/11/29 12:48 a.m.77 views

Node.js third-party modules: [express-laravel-passport] Improper Authentication

I would like to report Improper Authentication in express-laravel-passport It allows to forge user's identity Module module name: express-laravel-passport version: 1.1.2 npm page: https://www.npmjs.com/package/express-laravel-passport Module Description You want a middleware support express get...

7.3AI score
Exploits0
Hacker One
Hacker One
added 2019/11/06 5:46 p.m.77 views

Node.js: HTTP header values do not have trailing OWS trimmed

I suspect I may have tagged the wrong vulnerability type -I'm failing to find "insufficient validation of user input" According to the HTTP-spec, http values are field-value = field-content | LWS httpparser does not appear to trim trailing LWS. This means if a user sends "Host: foo\r\n" the strin...

7.5CVSS8.8AI score0.20041EPSS
Exploits1
Hacker One
Hacker One
added 2019/11/05 9:31 p.m.77 views

Node.js third-party modules: [npm-git-publish] RCE via insecure command formatting

I would like to report a RCE issue in the npm-git-publish module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: npm-git-publish version: 0.2.4-beta npm page: https://www.npmjs.com/package/npm-git-publish Module Description Share/publish private packag...

1.8AI score
Exploits0
Hacker One
Hacker One
added 2019/08/12 10:5 p.m.77 views

Mail.ru: Bash History file log

Researcher found a publicly accessible .bashhistory file on one of servers. File contained commands without sensitive data in them...

1.6AI score
Exploits0
Hacker One
Hacker One
added 2018/04/23 11:1 a.m.77 views

Ed: DOM XSS in edoverflow.com/tools/respond due to unsafe usage of the innerHTML property.

Hi, There's a DOM XSS vulnerability on edoverflow.com. This cannot be exploited without user-interaction so I had to make a clickjacking PoC to trick the user in triggering the payload her/himself. Reproduction Steps 1. Open the attached HTML document in FireFox. 2. Drag Frog 1 to the other two...

Exploits0
Hacker One
Hacker One
added 2018/01/30 6:24 a.m.77 views

Node.js third-party modules: Prototype pollution attack (Hoek)

As discussed in 309391, here's the separate report for each of the library. This one is the information for the Hoek library. Module: hoek Summary: Utilities function in all the listed modules can be tricked into modify the prototype of "Object" when the attacker control part of the structure...

6.5CVSS8.9AI score0.04226EPSS
Exploits1
Hacker One
Hacker One
added 2018/01/23 12:34 p.m.77 views

Node.js third-party modules: [html-janitor] Passing user-controlled data to clean() leads to XSS

Module: Name: html-janitor Version: 2.0.2 Summary: Passing user-controlled data to the module's clean function can result in arbitrary JS execution, because of unsafe DOM operations. The description "Cleans up your markup and allows you to take control of your HTML. HTMLJanitor uses a defined...

4.3CVSS5.9AI score0.01063EPSS
Exploits1
Hacker One
Hacker One
added 2017/02/05 11:50 a.m.77 views

Nextcloud: Calendar and addressbook names disclosed (NC-SA-2017-012)

Calendar and addressbook names disclosed NC-SA-2017-012 Risk level: Low CVSS v3 Base Score: 3.5 AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N CWE: Information Exposure Through Directory Listing CWE-548 Description A logical error caused disclosure of calendar and addressbook names to other logged-in users...

3.5CVSS0.3AI score0.00724EPSS
Exploits0
Hacker One
Hacker One
added 2017/01/20 11:30 p.m.77 views

Boozt Fashion AB: Bypass email validity in newsletter field

Hi, I think i've discovered a little vulnerability on your website i don't know if she is outside the bug bounty program. In the newsletter field, the incorrect email addresses for example with special characters it's not accpeted. But with a specific HTTP request it's possible to bypass this...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2016/12/22 7:18 p.m.77 views

Zendesk: a stored xss in web widget chat

The researcher found a stored XSS vulnerability where an end-user was able to execute arbitrary Javascript against the Zendesk agent via the chat integration. The researcher participated in the Zendesk 2016 holiday promotion and was awarded the Zendesk promotional bounty...

2.1AI score
Exploits0
Hacker One
Hacker One
added 2016/10/31 10:11 a.m.77 views

Nextcloud: Content Spoofing in "files" app

@ahsantahir reported a Content Spoofing Vulnerability in the Nextcloud Server. The related security advisory can be found at https://nextcloud.com/security/advisory/?id=nc-sa-2017-006 On request of the reporter the issue has only been disclosed limitedly...

4.3CVSS4.8AI score0.01537EPSS
Exploits0
Hacker One
Hacker One
added 2016/08/29 5:27 p.m.77 views

Unikrn: Urgent: Server side template injection via Smarty template allows for RCE

Hi All, I've found an issue which has allowed me to execute filegetcontents and extract your /etc/passwd file. Description It appears as though you are using smarty on the backend for templating. Entering a malicious payload as my firstname, lastname and nickname and then inviting a user to join...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2016/04/25 11:39 a.m.77 views

LocalTapiola: Content Spoofing or Text Injection (404 error page injection on yrityspalvelu)

Vulnerability Description: Application allows users to inject any content on the 404 not found webpage Vulnerable Location: https://yrityspalvelu.tapiola.fi/a1/has%20been%20changed%20by%20a%20new%20one%20https://www.attacker.com%20so%20go%20to%20the%20new%20one%20since%20this%20one Fix : just use...

1.2AI score
Exploits0
Hacker One
Hacker One
added 2016/03/22 8:6 p.m.77 views

Uber: XSS in getrush.uber.com

'' 'https://getrush.uber.com/business?utmcampaign=tttttt%27%3C/script%3E%3Cscript%3Ealert0%3C/script%3E&utmmedium=top&utmsource=website''' You need to escape the utmcampaign parameter before rendering it in the HTML. Thanks, David Dworken...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2024/07/03 7:9 a.m.76 views

Internet Bug Bounty: moderate: Apache HTTP Server: mod_rewrite proxy handler substitution (CVE-2024-39573) CWE-20 Improper Input Validation

moderate: Apache HTTP Server proxy encoding problem CVE-2024-38473 An encoding problem was discovered in modproxy in Apache HTTP Server versions 2.4.59 and earlier. This issue allowed request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via...

8.1CVSS7.5AI score0.35447EPSS
Exploits1
Hacker One
Hacker One
added 2024/04/17 5:46 p.m.76 views

Mozilla: Jira Credential Disclosure within Mozilla Slack

The Jira admin API keys were disclosed within a Mozilla Slack channel by a staff member. The exposed credentials allowed for the verification of the user's elevated privileges, including being a Jira Administrator, Administrator, and Jira Service Desk user...

7.2AI score
Exploits0
Hacker One
Hacker One
added 2024/03/27 4:39 p.m.76 views

Internet Bug Bounty: CVE-2024-2379: QUIC certificate check bypass with wolfSSL

CVE-2024-2379 was a vulnerability in libcurl's QUIC implementation where certificate verification was skipped under certain conditions when using the wolfSSL library. The vulnerability was caused by an error path that accidentally returned success when encountering unknown or unsupported ciphers ...

6.3CVSS6.5AI score0.01709EPSS
Exploits1
Hacker One
Hacker One
added 2023/12/22 11:49 a.m.76 views

Teleport: Improper session management - Failure to invalidate old session after password change

Failure to Invalidate Session on Password Change Failure to invalidate a session after a password change is a vulnerability which allows an attacker to maintain access on a service. Most users have the expectation that when they reset their password, no one else can access their account. When...

7.3AI score
Exploits0
Hacker One
Hacker One
added 2023/11/02 12:51 a.m.76 views

curl: CVE-2023-46219: HSTS long file name clears contents

Vulnerability description not provided...

5.3CVSS5.9AI score0.01133EPSS
Exploits1
Hacker One
Hacker One
added 2023/08/05 11:12 a.m.76 views

WakaTime: Waketime Payment Gateway Vulnerability

Vulnerability description not provided...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2023/07/17 4:50 a.m.76 views

Internet Bug Bounty: [CVE-2023-27531] Possible Deserialization of Untrusted Data vulnerability in Kredis JSON

A deserialization vulnerability was discovered in the Kredis JSON deserialization code, allowing for the potential deserialization of untrusted data. This could result in unexpected objects being deserialized in the system. The vulnerability has been assigned the CVE identifier CVE-2023-27531...

5.3CVSS5.2AI score0.00518EPSS
Exploits0
Hacker One
Hacker One
added 2023/06/04 6:40 p.m.76 views

TikTok: CRLF to XSS & Open Redirection

Due to inadequate input validation, a vulnerability allowed for the injection of CRLF HTTP Response Splitting into a parameter on a TikTok seller endpoint. This could have resulted in Reflective XSS Cross-Site Scripting and open redirection attacks. The vulnerability has been resolved...

6.3AI score
Exploits0
Hacker One
Hacker One
added 2022/10/24 11:29 a.m.76 views

Node.js: Permissions policies can be bypassed via process.mainModule

A vulnerability was discovered in Node.js permission policies that allowed a script to include any non-whitelisted module by calling process.mainModule.require. This could allow an attacker to bypass the limited whitelist and access internal file systems or run child processes. The vulnerability...

7.5CVSS7.7AI score0.02023EPSS
Exploits0
Hacker One
Hacker One
added 2022/08/10 8:50 a.m.76 views

Node.js: HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (improper fix for CVE-2022-32215)

Summary: Due to an incomplete fix for CVE-2022-32215, the llhttp parser in the http module in Node v16.16.0 and 18.7.0 still does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling HRS. Description: add more details about this vulnerability We have...

6.4CVSS7.4AI score0.68796EPSS
Exploits1
Hacker One
Hacker One
added 2022/07/14 8:46 a.m.76 views

Internet Bug Bounty: Node.js - DLL Hijacking on Windows

Full Node.js Security Releases - summarizing the issue is here:https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/ The original Node.js HackerOne report is here: https://hackerone.com/bugs?reportid=1447455 ----- Node.js versions earlier than 16.16.0 LTS and 14.20.0 are vulnerabl...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2022/07/05 10:59 p.m.76 views

Internet Bug Bounty: Rack CVE-2022-30122: Denial of Service Vulnerability in Rack Multipart Parsing

ReDoS in Rack::Multipart::BROKENQUOTED and Rack::Multipart::BROKENUNQUOTED. https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service...

5CVSS8.1AI score0.02056EPSS
Exploits0
Hacker One
Hacker One
added 2022/06/21 12:57 a.m.76 views

Nextcloud: SSRF via potential filter bypass with too lax local domain checking

Summary: Hi. Reviewing the code for filtering for ssrf, in preventLocalAddress, we can see that it calls the function ThrowIfLocalAddress. It has three common checks, first, it checks if the string is localhost, or if it ends in .local or .localhost php // Disallow localhost and local network if...

5CVSS0.6AI score0.00739EPSS
Exploits0
Hacker One
Hacker One
added 2022/06/08 10:35 p.m.76 views

Internet Bug Bounty: Read beyond bounds in ap_strcmp_match() [zhbug_httpd_47.7]

Greetings. I have found a read-beyond-bounds attack against httpd that allows an attacker to search httpd's memory for strings matching an attacker-specified pattern 1. The attack arises from an overflow in apstrcmpmatch server/util.c. 2 The vulnerability can be reached via an LUA program that us...

6.4CVSS9.4AI score0.05729EPSS
Exploits0
Hacker One
Hacker One
added 2022/01/11 3:15 a.m.76 views

EXNESS: Verification process done using different documents without corresponding to user information / User information can be changed after verification

A business logic flaw in the Exness trading platform allowed a verified user to change their profile information Name, DoB, and Address after identity verification. Additionally, a user could verify their account with official documents that did not correspond to their provided information. This...

6.5AI score
Exploits0
Hacker One
Hacker One
added 2021/09/24 1:37 p.m.76 views

Concrete CMS: A bypass of adding remote files in concrete5 FIlemanager leads to remote code execution

Hi, I 'm currently testing the latest concretecms on my own pc and found some security problems of file manager. Concretecms allows user to upload remote files via file manager. With some techniques to bypass restriction of this function, a evil user will be able to download arbitary php file int...

6.5CVSS7.6AI score0.03132EPSS
Exploits1
Hacker One
Hacker One
added 2021/08/23 5:34 p.m.76 views

Brave Software: unclaimed s3 bucket takeover in the 3 js file located on the github page of brave software

Summary: There is a unclaimed s3 bucket i.e brave-extensions.s3.amazonaws.com located in the 3 .js file on official brave software github page https://github.com/search?q=org%3Abrave+brave-extensions+language%3AJavaScript&type=Codethe attacker can takeover the bucket and create file that is used ...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2021/06/20 12:38 p.m.76 views

Weblate: No rate Limit on Add new Translation Project

Attacker able to create unlimited Translation projects which lead to no more project name for the users who wanted to create new project on hosted.weblate.org Below is the POC video which ,you can go through Impact Other users cant use the project names there wanted and attacker can occupy space...

3.3AI score
Exploits0
Hacker One
Hacker One
added 2021/04/28 2:7 p.m.76 views

Node.js: Improper handling of untypical characters in domain names

Description Missing input validation of host names returned by Domain Name Servers in node's dns library can lead to output of wrong hostnames leading to Domain Hijacking and injection vulnerabilities in applications using the library leading to Remote Code Execution, XSS, Applications crashes,...

7.5CVSS9.9AI score0.21952EPSS
Exploits1
Hacker One
Hacker One
added 2021/04/18 8:8 a.m.76 views

Homebrew: Broken parsing of Git diff allows an attacker to inject arbitrary Ruby scripts to Casks on official taps

Description Due to improper parsing of Git diff in Homebrew/actions/review-cask-pr, it's possible to confuse parser to ignore additional lines. Which leads injection of malicious Ruby scripts. Root cause review-cask-pr uses the git diff file to check if the pull request is "simple" enough to...

2.4AI score
Exploits0
Hacker One
Hacker One
added 2021/03/26 1:17 p.m.76 views

Moneybird: Access control issue on invoice documents downloading feature.

Reporter has found a way to download exports as an unauthorized user. This was only possible after changing the permissions for the user and having a certain page open during this change. The issue has been resolved by adding extra permission checks during the download action...

2.2AI score
Exploits0
Hacker One
Hacker One
added 2020/10/29 3:3 p.m.76 views

Basecamp: Bypass of image rewriting / tracking blocker via srcset

CVSS ---- Medium 4.7 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Description ----------- One of the security features of Hey is blocking of tracking pixels to preserve users privacy. As such, img tags and similar are rewritten by the app to point to gopher.hey.com. However, an attacker can bypas...

2.1AI score
Exploits0
Hacker One
Hacker One
added 2020/10/13 9:29 a.m.76 views

DRIVE.NET, Inc.: [www.drive2.ru] Insufficient Security Configurability - Notification message not sent when account is deleted

Email notifications are not sent when account is deleted. Email notifications are not sent when account is deleted. Best Practices As recommended practices, For security reasons, users should be able to be notified via email notification of changes to important operations such as account deletion...

3.4AI score
Exploits0
Hacker One
Hacker One
added 2020/09/12 11:36 p.m.76 views

Visma Public: Bypassing Business ID/VAT # validation during registration to create accounts with duplicate Business ID/VAT #

The security researcher was able to bypass the Business ID/VAT validation that is required during registration. By doing this he was able to create accounts with duplicate Business ID/VAT...

2.5AI score
Exploits0
Hacker One
Hacker One
added 2020/05/06 12:15 p.m.76 views

Topcoder: Stored XSS on https://apps.topcoder.com/wiki/pages/editpage.action

Summary: Hi : There is a stored XSS on wiki pages and it executes when editing page. Steps To Reproduce: After I submitted 867125, i realized that the vote macro causes stored XSS on wiki edit page. A user can edit wiki pages on https://apps.topcoder.com/wiki/pages/editpage.action?pageId=. Users...

1.5AI score
Exploits0
Hacker One
Hacker One
added 2020/04/25 7:31 p.m.76 views

Mail.ru: [capsula.mail.ru] overriding order info

IDOR vulnerability in order editing functionality of capsula.mail.ru allowed to override the incomplete unsubmitted order saved for later...

2.5AI score
Exploits0
Hacker One
Hacker One
added 2020/03/21 12:53 a.m.76 views

Node.js third-party modules: [logkitty] RCE via insecure command formatting

I would like to report a RCE issue in the logkitty module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: logkitty version: 0.7.0 npm page: https://www.npmjs.com/package/logkitty Module Description Display pretty Android and iOS logs without Android...

7.5CVSS1.8AI score0.0201EPSS
Exploits1
Total number of security vulnerabilities5000