HackerOne reports, most viewed (15370 matches found)

Hacker One, added 2019/11/05 9:31 p.m., 77 views

Node.js third-party modules: [npm-git-publish] RCE via insecure command formatting

I would like to report an RCE issue in the npm-git-publish module. It allows executing arbitrary commands remotely on the victim's PC. Module name: npm-git-publish, version: 0.2.4-beta, npm page: https://www.npmjs.com/package/npm-git-publish. Module description: Share/publish private packag...

AI score: 1.8
Exploits: 0

Hacker One, added 2019/09/08 6:00 a.m., 77 views

Mail.ru: OOB XXE

Limited XXE in XML request processing led to a blind SSRF possibility. OOB XXE on one of the Ext. B Mail.ru domains, which could be exploited as blind SSRF...

AI score: 1.7
Exploits: 0

Hacker One, added 2019/09/04 4:34 p.m., 77 views

Omise: Found Origin IP's Lead To Access To [ Grafana Instance , PgHero Instance [ Can SQL Injection ]

Hello, through recon on go.exchange I found origin IPs on https://censys.io/ipv4?q=go.exchange. That allows the attacker to access many instances like Grafana (but credentials are needed) and to access PgHero and TokenModel · GO.Exchange, where the attacker can use PgHero to execute PostgreSQL...

AI score: 0.7
Exploits: 0

Hacker One, added 2018/12/04 9:00 a.m., 77 views

Mail.ru: PHP-FPM Status Page

PHP-FPM status page was available at guild.live.ro.gmru.net...

AI score: 1.3
Exploits: 0

Hacker One, added 2018/04/23 11:01 a.m., 77 views

Ed: DOM XSS in edoverflow.com/tools/respond due to unsafe usage of the innerHTML property.

Hi, there's a DOM XSS vulnerability on edoverflow.com. This cannot be exploited without user interaction, so I had to make a clickjacking PoC to trick the user into triggering the payload themselves. Reproduction steps: 1. Open the attached HTML document in Firefox. 2. Drag Frog 1 to the other two...

Exploits: 0

Hacker One, added 2018/03/03 11:22 p.m., 77 views

Node.js third-party modules: `atob` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below

I would like to report an uninitialized Buffer allocation issue in atob. It allows extracting sensitive data from uninitialized memory or causing a DoS by passing in a large number, in setups where typed user input can be passed, e.g. from JSON, on Node.js 4.x and lower. Module name: atob...

CVSS 6.4, AI score 0.2, EPSS 0.02174
Exploits: 1

Hacker One, added 2018/01/30 6:24 a.m., 77 views

Node.js third-party modules: Prototype pollution attack (Hoek)

As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the Hoek library. Module: hoek. Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of the structure...

CVSS 6.5, AI score 8.9, EPSS 0.04226
Exploits: 1
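
The Hoek report above describes the general mechanism: a recursive merge or clone that copies attacker-controlled keys walks into `__proto__` and ends up writing onto `Object.prototype`, so every object in the process inherits the planted property. The following is an added example, not Hoek's code; the function names `mergeNaive` and `mergeSafe` and the JSON payload are constructed for illustration. It shows a minimal vulnerable deep merge beside a hardened one that refuses the dangerous keys and only descends into the target's own properties:

```javascript
// Added example (not Hoek's code). mergeNaive/mergeSafe are hypothetical names.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: iterates every own key of the attacker-controlled source,
// including "__proto__". target["__proto__"] resolves to Object.prototype,
// so the recursion writes the nested keys onto the global prototype.
function mergeNaive(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeNaive(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach a prototype, and never recurse into a
// property the target merely inherits (hasOwnProperty check).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`refusing to merge key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body. JSON.parse creates an
// own property literally named "__proto__", which Object.keys() returns.
function demo() {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}');
  const before = ({}).polluted;          // undefined
  mergeNaive({}, payload);
  const afterNaive = ({}).polluted;      // "yes": unrelated objects now inherit it
  delete Object.prototype.polluted;      // undo the pollution before the safe run
  let safeRefused = false;
  try { mergeSafe({}, payload); } catch (e) { safeRefused = true; }
  const afterSafe = ({}).polluted;       // still undefined
  return { before, afterNaive, safeRefused, afterSafe };
}
```

Throwing rather than silently skipping the key is deliberate: a request that carries `__proto__` or `constructor.prototype` is hostile, and dropping it quietly hides the probe from your logs. Creating the merge target with `Object.create(null)` is a complementary defence when you control the target.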

Hacker One, added 2018/01/23 12:34 p.m., 77 views

Node.js third-party modules: [html-janitor] Passing user-controlled data to clean() leads to XSS

Module: Name: html-janitor Version: 2.0.2 Summary: Passing user-controlled data to the module's clean function can result in arbitrary JS execution, because of unsafe DOM operations. The description "Cleans up your markup and allows you to take control of your HTML. HTMLJanitor uses a defined...

CVSS 4.3, AI score 5.9, EPSS 0.01063
Exploits: 1

Hacker One, added 2017/02/05 11:50 a.m., 77 views

Nextcloud: Calendar and addressbook names disclosed (NC-SA-2017-012)

Calendar and addressbook names disclosed NC-SA-2017-012 Risk level: Low CVSS v3 Base Score: 3.5 AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N CWE: Information Exposure Through Directory Listing CWE-548 Description A logical error caused disclosure of calendar and addressbook names to other logged-in users...

CVSS 3.5, AI score 0.3, EPSS 0.00724
Exploits: 0

Hacker One, added 2017/01/20 11:30 p.m., 77 views

Boozt Fashion AB: Bypass email validity in newsletter field

Hi, I think I've discovered a little vulnerability on your website; I don't know if it is outside the bug bounty program. In the newsletter field, incorrect email addresses, for example with special characters, are not accepted. But with a specific HTTP request it's possible to bypass this...

AI score: 6.9
Exploits: 0

Hacker One, added 2016/12/22 7:18 p.m., 77 views

Zendesk: a stored xss in web widget chat

The researcher found a stored XSS vulnerability where an end-user was able to execute arbitrary Javascript against the Zendesk agent via the chat integration. The researcher participated in the Zendesk 2016 holiday promotion and was awarded the Zendesk promotional bounty...

AI score: 2.1
Exploits: 0

Hacker One, added 2016/10/31 10:11 a.m., 77 views

Nextcloud: Content Spoofing in "files" app

@ahsantahir reported a Content Spoofing Vulnerability in the Nextcloud Server. The related security advisory can be found at https://nextcloud.com/security/advisory/?id=nc-sa-2017-006 On request of the reporter the issue has only been disclosed limitedly...

CVSS 4.3, AI score 4.8, EPSS 0.01537
Exploits: 0

Hacker One, added 2016/05/27 5:30 p.m., 77 views

Pornhub: Reflected XSS by way of jQuery function

The researcher identified a path which exposed a vulnerable jQuery sinkhole allowing XSS. Additionally, the researcher was able to demonstrate a variety of attacks possible by way of arbitrary Javascript execution. Depending on the OS and browser implementation, the researcher demonstrated that h...

AI score: 2.7
Exploits: 0

Hacker One, added 2016/03/22 8:06 p.m., 77 views

Uber: XSS in getrush.uber.com

https://getrush.uber.com/business?utm_campaign=tttttt%27%3C/script%3E%3Cscript%3Ealert(0)%3C/script%3E&utm_medium=top&utm_source=website You need to escape the utm_campaign parameter before rendering it in the HTML. Thanks, David Dworken...

AI score: 0.7
Exploits: 0

Hacker One, added 2014/04/18 5:25 p.m., 77 views

Localize: X-Content-Type-Options header missing

URL : http://www.localize.io/ Description : The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff' Solution : This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-CONTENT-TYPE-OPTIONS if the Content-Type head...

AI score: 0.3
Exploits: 0

Hacker One, added 2026/03/17 7:20 p.m., 76 views

Rocket.Chat: Unauthenticated file deletion via deleteFileMessage DDP method allows permanent destruction of any uploaded file

Vulnerability description not provided...

CVSS 7.5, AI score 5.3, EPSS 0.00723
Exploits: 0

Hacker One, added 2024/07/03 7:09 a.m., 76 views

Internet Bug Bounty: moderate: Apache HTTP Server: mod_rewrite proxy handler substitution (CVE-2024-39573) CWE-20 Improper Input Validation

moderate: Apache HTTP Server proxy encoding problem CVE-2024-38473. An encoding problem was discovered in mod_proxy in Apache HTTP Server versions 2.4.59 and earlier. This issue allowed request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via...

CVSS 8.1, AI score 7.5, EPSS 0.35447
Exploits: 1

Hacker One, added 2024/04/17 5:46 p.m., 76 views

Mozilla: Jira Credential Disclosure within Mozilla Slack

The Jira admin API keys were disclosed within a Mozilla Slack channel by a staff member. The exposed credentials allowed for the verification of the user's elevated privileges, including being a Jira Administrator, Administrator, and Jira Service Desk user...

AI score: 7.2
Exploits: 0

Hacker One, added 2024/03/27 4:39 p.m., 76 views

Internet Bug Bounty: CVE-2024-2379: QUIC certificate check bypass with wolfSSL

CVE-2024-2379 was a vulnerability in libcurl's QUIC implementation where certificate verification was skipped under certain conditions when using the wolfSSL library. The vulnerability was caused by an error path that accidentally returned success when encountering unknown or unsupported ciphers ...

CVSS 6.3, AI score 6.5, EPSS 0.01709
Exploits: 1

Hacker One, added 2023/11/02 12:51 a.m., 76 views

curl: CVE-2023-46219: HSTS long file name clears contents

Vulnerability description not provided...

CVSS 5.3, AI score 5.9, EPSS 0.01133
Exploits: 1

Hacker One, added 2023/08/05 11:12 a.m., 76 views

WakaTime: WakaTime Payment Gateway Vulnerability

Vulnerability description not provided...

AI score: 7.1
Exploits: 0

Hacker One, added 2023/07/17 4:50 a.m., 76 views

Internet Bug Bounty: [CVE-2023-27531] Possible Deserialization of Untrusted Data vulnerability in Kredis JSON

A deserialization vulnerability was discovered in the Kredis JSON deserialization code, allowing for the potential deserialization of untrusted data. This could result in unexpected objects being deserialized in the system. The vulnerability has been assigned the CVE identifier CVE-2023-27531...

CVSS 5.3, AI score 5.2, EPSS 0.00518
Exploits: 0

Hacker One, added 2023/06/04 6:40 p.m., 76 views

TikTok: CRLF to XSS & Open Redirection

Due to inadequate input validation, a vulnerability allowed for the injection of CRLF HTTP Response Splitting into a parameter on a TikTok seller endpoint. This could have resulted in Reflective XSS Cross-Site Scripting and open redirection attacks. The vulnerability has been resolved...

AI score: 6.3
Exploits: 0

Hacker One, added 2022/10/24 11:29 a.m., 76 views

Node.js: Permissions policies can be bypassed via process.mainModule

A vulnerability was discovered in Node.js permission policies that allowed a script to include any non-whitelisted module by calling process.mainModule.require. This could allow an attacker to bypass the limited whitelist and access internal file systems or run child processes. The vulnerability...

CVSS 7.5, AI score 7.7, EPSS 0.02023
Exploits: 0

Hacker One, added 2022/08/10 8:50 a.m., 76 views

Node.js: HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (improper fix for CVE-2022-32215)

Summary: Due to an incomplete fix for CVE-2022-32215, the llhttp parser in the http module in Node v16.16.0 and 18.7.0 still does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). Description: add more details about this vulnerability We have...

CVSS 6.4, AI score 7.4, EPSS 0.68796
Exploits: 1
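
The llhttp report above is about a multi-line (obs-fold, RFC 7230 section 3.2.4) Transfer-Encoding header. The smuggling risk is not the folded line itself but that two hops on the request path may disagree about what it means: one joins the continuation line and sees `chunked`, the other drops it and falls back to Content-Length, so they frame the body differently. The following is an added example, not llhttp's or Node's code; `parseHead`, `framingLegacy`, `framingStrict` and the request bytes are constructed for illustration. It parses the same head under three policies and shows how the framing decision diverges, and what a strict parser does instead:

```javascript
// Added example, not llhttp's code. Minimal HTTP/1.1 head parser; names are hypothetical.

// mode: 'reject' (what RFC 7230 tells servers to do with obs-fold),
//       'fold'   (join the continuation line into the previous value),
//       'ignore' (silently drop the continuation line).
function parseHead(raw, mode = 'reject') {
  const lines = raw.split('\r\n');
  const requestLine = lines.shift();
  const headers = [];
  for (const line of lines) {
    if (line === '') break;                          // blank line ends the head
    if (line[0] === ' ' || line[0] === '\t') {       // obs-fold continuation line
      if (mode === 'reject' || headers.length === 0) throw new Error('obs-fold rejected');
      if (mode === 'fold') {
        const prev = headers[headers.length - 1];
        prev.value = prev.value ? prev.value + ' ' + line.trim() : line.trim();
      }
      continue;                                      // 'ignore' drops it
    }
    const colon = line.indexOf(':');
    if (colon <= 0) throw new Error('malformed header line');
    headers.push({ name: line.slice(0, colon).toLowerCase(), value: line.slice(colon + 1).trim() });
  }
  return { requestLine, headers };
}

function getHeader(headers, name) {
  return headers.filter((h) => h.name === name).map((h) => h.value);
}

// Legacy framing: a non-empty Transfer-Encoding wins over Content-Length,
// otherwise Content-Length is used. Two hops whose parsers differ on obs-fold
// reach different answers for the same bytes; that gap is the smuggling vector.
function framingLegacy(headers) {
  const te = getHeader(headers, 'transfer-encoding').join(',').trim();
  if (te) {
    const last = te.split(',').pop().trim().toLowerCase();
    return last === 'chunked' ? 'chunked' : 'unknown-coding';
  }
  return getHeader(headers, 'content-length').length ? 'content-length' : 'no-body';
}

// Strict framing (RFC 7230 section 3.3.3): TE and CL together is an error, a
// TE list not ending in chunked is an error, conflicting CL values are an error.
function framingStrict(headers) {
  const te = getHeader(headers, 'transfer-encoding');
  const cl = getHeader(headers, 'content-length');
  if (te.length && cl.length) return 'reject';
  if (te.length) {
    const codings = te.join(',').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
    return codings.length && codings[codings.length - 1] === 'chunked' ? 'chunked' : 'reject';
  }
  if (cl.length) {
    return new Set(cl).size === 1 && /^\d+$/.test(cl[0]) ? 'content-length' : 'reject';
  }
  return 'no-body';
}

// Constructed request: the Transfer-Encoding value sits on a folded line.
const FOLDED_REQUEST =
  'POST / HTTP/1.1\r\n' +
  'Host: example.test\r\n' +
  'Transfer-Encoding:\r\n' +
  ' chunked\r\n' +
  'Content-Length: 5\r\n' +
  '\r\n';

function demo() {
  const frontEnd = framingLegacy(parseHead(FOLDED_REQUEST, 'fold').headers);    // 'chunked'
  const backEnd = framingLegacy(parseHead(FOLDED_REQUEST, 'ignore').headers);   // 'content-length'
  let strict;
  try { parseHead(FOLDED_REQUEST, 'reject'); strict = 'accepted'; } catch (e) { strict = e.message; }
  const evenIfFolded = framingStrict(parseHead(FOLDED_REQUEST, 'fold').headers); // 'reject'
  return { frontEnd, backEnd, strict, evenIfFolded };
}
```

The two defences are independent and both are worth having: rejecting obs-fold with a 400 removes the ambiguity at the parser, and rejecting a head that carries both Transfer-Encoding and Content-Length removes it at the framing step even when an upstream proxy has already normalised the folded line.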

Hacker One, added 2022/07/14 8:46 a.m., 76 views

Internet Bug Bounty: Node.js - DLL Hijacking on Windows

Full Node.js Security Releases - summarizing the issue is here: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/ The original Node.js HackerOne report is here: https://hackerone.com/bugs?report_id=1447455 ----- Node.js versions earlier than 16.16.0 LTS and 14.20.0 are vulnerabl...

AI score: 6.8
Exploits: 0

Hacker One, added 2022/07/05 10:59 p.m., 76 views

Internet Bug Bounty: Rack CVE-2022-30122: Denial of Service Vulnerability in Rack Multipart Parsing

ReDoS in Rack::Multipart::BROKEN_QUOTED and Rack::Multipart::BROKEN_UNQUOTED. https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service...

CVSS 5, AI score 8.1, EPSS 0.02056
Exploits: 0

Hacker One, added 2022/06/21 12:57 a.m., 76 views

Nextcloud: SSRF via potential filter bypass with too lax local domain checking

Summary: Hi. Reviewing the code for filtering for ssrf, in preventLocalAddress, we can see that it calls the function ThrowIfLocalAddress. It has three common checks, first, it checks if the string is localhost, or if it ends in .local or .localhost php // Disallow localhost and local network if...

CVSS 5, AI score 0.6, EPSS 0.00739
Exploits: 0

Hacker One, added 2022/06/08 10:35 p.m., 76 views

Internet Bug Bounty: Read beyond bounds in ap_strcmp_match() [zhbug_httpd_47.7]

Greetings. I have found a read-beyond-bounds attack against httpd that allows an attacker to search httpd's memory for strings matching an attacker-specified pattern. 1. The attack arises from an overflow in ap_strcmp_match (server/util.c). 2. The vulnerability can be reached via a Lua program that us...

CVSS 6.4, AI score 9.4, EPSS 0.05729
Exploits: 0

Hacker One, added 2022/01/11 3:15 a.m., 76 views

EXNESS: Verification process done using different documents without corresponding to user information / User information can be changed after verification

A business logic flaw in the Exness trading platform allowed a verified user to change their profile information Name, DoB, and Address after identity verification. Additionally, a user could verify their account with official documents that did not correspond to their provided information. This...

AI score: 6.5
Exploits: 0

Hacker One, added 2021/09/24 1:37 p.m., 76 views

Concrete CMS: A bypass of adding remote files in concrete5 Filemanager leads to remote code execution

Hi, I'm currently testing the latest Concrete CMS on my own PC and found some security problems in the file manager. Concrete CMS allows users to upload remote files via the file manager. With some techniques to bypass the restrictions of this function, an evil user will be able to download an arbitrary PHP file int...

CVSS 6.5, AI score 7.6, EPSS 0.03132
Exploits: 1

Hacker One, added 2021/06/20 12:38 p.m., 76 views

Weblate: No rate Limit on Add new Translation Project

Attacker is able to create unlimited translation projects, which leads to no more project names for the users who want to create a new project on hosted.weblate.org. Below is the PoC video which you can go through. Impact: Other users can't use the project names they wanted and the attacker can occupy space...

AI score: 3.3
Exploits: 0

Hacker One, added 2021/04/28 2:07 p.m., 76 views

Node.js: Improper handling of untypical characters in domain names

Description: Missing input validation of host names returned by Domain Name Servers in Node's dns library can lead to output of wrong hostnames, leading to domain hijacking and injection vulnerabilities in applications using the library, leading to remote code execution, XSS, application crashes,...

CVSS 7.5, AI score 9.9, EPSS 0.21952
Exploits: 1
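
The dns report above turns on a single assumption: that a host name coming back from a resolver answer is well-formed, so it is safe to splice into a shell command, an HTML page or a log line. A resolver under an attacker's influence can return anything. The following is an added example, not Node's dns code; `isValidHostname`, `keepValidHostnames` and the sample answers are constructed for illustration. It applies the RFC 1123 letter-digit-hyphen rule to each label before the name is used anywhere downstream:

```javascript
// Added example, not Node's code. Names are hypothetical.

// One label: 1..63 chars, letters/digits/hyphen, no hyphen at either end.
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

// RFC 1123 host-name syntax. A trailing dot (FQDN form) is tolerated; the
// total length must not exceed 253 characters; every label must match LABEL.
// Anything else (shell metacharacters, angle brackets, whitespace, control
// characters, non-ASCII) fails, because LABEL only admits ASCII LDH.
function isValidHostname(name) {
  if (typeof name !== 'string') return false;
  const n = name.endsWith('.') ? name.slice(0, -1) : name;
  if (n.length === 0 || n.length > 253) return false;
  return n.split('.').every((label) => LABEL.test(label));
}

// Constructed answers, as an untrusted resolver might hand them back.
const SAMPLE_ANSWERS = [
  'mail.example.com',
  'xn--bcher-kva.example',      // punycode label: valid LDH
  'host.example.com.',          // FQDN with trailing dot
  'evil$(id).example',          // shell command substitution
  '<img src=x>.example',        // HTML
  '-leading.example',           // hyphen at label edge
  'a'.repeat(64) + '.example',  // label longer than 63 octets
  'white space.example',
  '',
];

// Keep only names that are safe to use downstream; drop the rest rather than
// trying to "clean" them, since a cleaned name is not the name that was answered.
function keepValidHostnames(answers) {
  return answers.filter(isValidHostname);
}

function demo() {
  return keepValidHostnames(SAMPLE_ANSWERS); // the first three entries only
}
```

This check is deliberately strict: it rejects underscores, which do occur in legitimate SRV, DKIM and similar record names. If an application resolves such names it needs a separate, narrower allowance for them rather than loosening the rule for ordinary host names.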

Hacker One, added 2021/04/18 8:08 a.m., 76 views

Homebrew: Broken parsing of Git diff allows an attacker to inject arbitrary Ruby scripts to Casks on official taps

Description: Due to improper parsing of the Git diff in Homebrew/actions/review-cask-pr, it's possible to confuse the parser into ignoring additional lines, which leads to injection of malicious Ruby scripts. Root cause: review-cask-pr uses the git diff file to check if the pull request is "simple" enough to...

AI score: 2.4
Exploits: 0

Hacker One, added 2021/03/26 1:17 p.m., 76 views

Moneybird: Access control issue on invoice documents downloading feature.

Reporter has found a way to download exports as an unauthorized user. This was only possible after changing the permissions for the user and having a certain page open during this change. The issue has been resolved by adding extra permission checks during the download action...

AI score: 2.2
Exploits: 0

Hacker One, added 2020/10/29 3:03 p.m., 76 views

Basecamp: Bypass of image rewriting / tracking blocker via srcset

CVSS ---- Medium 4.7 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Description ----------- One of the security features of Hey is blocking of tracking pixels to preserve users' privacy. As such, img tags and similar are rewritten by the app to point to gopher.hey.com. However, an attacker can bypas...

AI score: 2.1
Exploits: 0
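
The Basecamp report above is about an image-proxy rewrite that covers `src` but not `srcset`, so a tracker URL placed in `srcset` is still fetched directly by the recipient's browser. The following is an added example, not Hey's code; `parseSrcset`, `rewriteSrcOnly`, `rewriteAllSources`, the proxy URL and the sample HTML are constructed for illustration. It goes slightly beyond the report by also covering `<source srcset>` inside `<picture>`, which a browser consults the same way. The incomplete rewrite is shown next to the complete one, and the `srcset` parser handles URLs that contain commas (data: URIs) rather than naively splitting on commas:

```javascript
// Added example, not Hey's code. All names and URLs are hypothetical.

// Parse a srcset value into {url, descriptor} candidates. The URL is the
// whitespace-delimited token; a descriptor ("1x", "480w") may follow it;
// candidates are separated by commas. A URL ending in a comma has no descriptor.
function parseSrcset(srcset) {
  const out = [];
  let i = 0;
  while (i < srcset.length) {
    while (i < srcset.length && /[\s,]/.test(srcset[i])) i++;   // skip separators
    if (i >= srcset.length) break;
    let start = i;
    while (i < srcset.length && !/\s/.test(srcset[i])) i++;
    let url = srcset.slice(start, i);
    let descriptor = '';
    if (url.endsWith(',')) {
      url = url.replace(/,+$/, '');
    } else {
      start = i;
      while (i < srcset.length && srcset[i] !== ',') i++;
      descriptor = srcset.slice(start, i).trim();
    }
    if (url) out.push({ url, descriptor });
  }
  return out;
}

function proxied(url, proxyBase) {
  return proxyBase + encodeURIComponent(url);
}

// The incomplete rewrite: only the src attribute of img tags.
function rewriteSrcOnly(html, proxyBase) {
  return html.replace(/<img\b[^>]*>/gi, (tag) =>
    tag.replace(/\bsrc\s*=\s*(["'])([^"']*)\1/i, (m, q, url) => `src=${q}${proxied(url, proxyBase)}${q}`));
}

// The complete rewrite: src and every srcset candidate, on img and source tags.
function rewriteAllSources(html, proxyBase) {
  return html.replace(/<(?:img|source)\b[^>]*>/gi, (tag) =>
    tag.replace(/\b(src|srcset)\s*=\s*(["'])([^"']*)\2/gi, (m, attr, q, value) => {
      let rewritten;
      if (attr.toLowerCase() === 'srcset') {
        rewritten = parseSrcset(value)
          .map((c) => (c.descriptor ? `${proxied(c.url, proxyBase)} ${c.descriptor}` : proxied(c.url, proxyBase)))
          .join(', ');
      } else {
        rewritten = proxied(value, proxyBase);
      }
      return `${attr}=${q}${rewritten}${q}`;
    }));
}

// Constructed message body: a harmless src with tracker URLs hidden in srcset.
const SAMPLE_HTML =
  '<p><img src="https://img.example/safe.png" ' +
  'srcset="https://tracker.example/pixel.gif 1x, https://tracker.example/pixel@2x.gif 2x" alt="hi"></p>';
const PROXY = 'https://proxy.example/fetch?u=';

function demo() {
  return {
    srcOnly: rewriteSrcOnly(SAMPLE_HTML, PROXY),       // tracker URLs survive in srcset
    all: rewriteAllSources(SAMPLE_HTML, PROXY),        // every URL now goes via the proxy
  };
}
```

Regex-based rewriting is enough to show the gap; a production rewriter should operate on a parsed DOM, and should be driven by an attribute allow-list (`src`, `srcset`, `poster`, `background`, and `style` URLs) rather than by the one attribute that was noticed first.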

Hacker One, added 2020/10/13 9:29 a.m., 76 views

DRIVE.NET, Inc.: [www.drive2.ru] Insufficient Security Configurability - Notification message not sent when account is deleted

Email notifications are not sent when an account is deleted. Best practices: As recommended practice, for security reasons, users should be notified via email of changes to important operations such as account deletion...

AI score: 3.4
Exploits: 0

Hacker One, added 2020/09/12 11:36 p.m., 76 views

Visma Public: Bypassing Business ID/VAT # validation during registration to create accounts with duplicate Business ID/VAT #

The security researcher was able to bypass the Business ID/VAT validation that is required during registration. By doing this he was able to create accounts with duplicate Business ID/VAT...

AI score: 2.5
Exploits: 0

Hacker One, added 2020/05/06 12:15 p.m., 76 views

Topcoder: Stored XSS on https://apps.topcoder.com/wiki/pages/editpage.action

Summary: Hi: There is a stored XSS on wiki pages and it executes when editing a page. Steps To Reproduce: After I submitted 867125, I realized that the vote macro causes stored XSS on the wiki edit page. A user can edit wiki pages on https://apps.topcoder.com/wiki/pages/editpage.action?pageId=. Users...

AI score: 1.5
Exploits: 0

Hacker One, added 2020/04/25 7:31 p.m., 76 views

Mail.ru: [capsula.mail.ru] overriding order info

IDOR vulnerability in the order editing functionality of capsula.mail.ru allowed overriding an incomplete, unsubmitted order saved for later...

AI score: 2.5
Exploits: 0

Hacker One, added 2019/11/18 3:20 p.m., 76 views

Mail.ru: IDOR in the per-domain user list in relap.io

IDOR in relap.io allowed user enumeration for a domain...

AI score: 2.4
Exploits: 0

Hacker One, added 2019/10/14 5:08 a.m., 76 views

HackerOne: ActiveStorage throws exception when using whitespace as filename, may lead to denial of service of multiple pages

Summary: Hi team, I've found an issue in the profile picture upload feature of your asset, https://hackerone.com, which can allow a malicious attacker to perform an application-wide denial of service attack. Description: I was playing with the profile picture upload feature, then I observed that...

AI score: 0.2
Exploits: 0

Hacker One, added 2019/09/14 5:54 a.m., 76 views

PortSwigger Web Security: Clicking "http://burp" hyperlink on Firefox CA Installation guide redirects to "burp.com" (unclaimed website).

Executive Summary --------------------------------------------------- I was in the process of installing Burp Suite Community Edition on my recent machine where I believe I stumbled across a potential open redirect issue on the CA certificate installation website. This is a security concern due t...

AI score: 6.9
Exploits: 0

Hacker One, added 2019/09/13 2:39 a.m., 76 views

Semmle: Worker container escape lead to arbitrary file reading in host machine

Summary: Because of a lack of security, an attacker will be able to remove the original log file and replace it with a symlink to another file. After finishing the job, the host machine copies the file from the Docker container. Because the original log file has been removed, the host machine will copy the symlink file. But the...

AI score: 0.7
Exploits: 0

Hacker One, added 2019/08/12 10:05 p.m., 76 views

Mail.ru: Bash History file log

Researcher found a publicly accessible .bash_history file on one of the servers. The file contained commands without sensitive data in them...

AI score: 1.6
Exploits: 0

Hacker One, added 2019/08/01 10:49 a.m., 76 views

Starbucks: Subdomain takeover of datacafe-cert.starbucks.com

Summary: The subdomain datacafe-cert.starbucks.com had a CNAME record pointing to an unclaimed Azure web service. This is a high severity security issue because an attacker can register the subdomain on Azure and therefore can own the subdomain datacafe-cert.starbucks.com. Description: The dangli...

Exploits: 0

Hacker One, added 2019/07/12 4:29 p.m., 76 views

Khan Academy: RTL override char allowed at khanacademy redirect page

Summary: Attacker can embed an RTLO character at the following URL https://www.khanacademy.org/computer-programming/linkredirector?url= to trick the user into downloading suspicious files. Steps to reproduce: Visit https://www.khanacademy.org/computer-programming/linkredirector?url= and add the following paylo...

AI score: 6.9
Exploits: 0

Hacker One, added 2019/05/18 5:35 a.m., 76 views

X (Formerly Twitter): cookie injection allow dos attack to periscope.tv

Description: I found in periscope.tv a parameter "createuser" that allows injecting a "loginissignup" cookie; when tested with a CRLF payload, the response was "HTTP/1.1 504 GATEWAY_TIMEOUT". Vulnerable link: https://www.periscope.tv/i/twitter/login?createuser=payload&csrf=yourcsrftoken Steps to reproduce: 1. go t...

AI score: 6.4
Exploits: 0

Hacker One, added 2019/04/17 2:46 p.m., 76 views

TomTom: Exposed Git Repo at http://betaforum.tomtom.com/.git/{subfolders}

Dear Security team, I found a git repository at http://betaforum.tomtom.com/.git. This endpoint allows an attacker to retrieve much of the source code and git history for this service, which could potentially reveal sensitive information; it all depends on what is stored there. Example: 1...

AI score: 0.9
Exploits: 0

Hacker One, added 2019/03/15 2:21 p.m., 76 views

Internet Bug Bounty: Uninitialized read in exif_process_IFD_in_TIFF

This bug can be reproduced only in 32-bit PHP builds. This bug is present in the exif_process_IFD_in_TIFF method of the ext/exif/exif.c file. A detailed description and steps to reproduce for this bug are present in the bug report submitted to php.net. Bug report: https://bugs.php.net/bug.php?id=77509 PHP version ...

CVSS 7.5, AI score 8.9, EPSS 0.09395
Exploits: 2

Total number of security vulnerabilities: 5000