
15371 matches found

Hacker One
added 2019/03/15 2:21 p.m., 76 views

Internet Bug Bounty: Uninitialized read in exif_process_IFD_in_TIFF

This bug can be reproduced only in 32 bit PHP builds. This bug is present in the exif_process_IFD_in_TIFF method of the ext/exif/exif.c file. Detailed description and steps to reproduce for this bug are present in the bug report submitted to php.net. Bug Report: https://bugs.php.net/bug.php?id=77509 PHP version ...

CVSS 7.5, AI score 8.9, EPSS 0.09395
Exploits: 2
Hacker One
added 2019/03/04 10:02 p.m., 76 views

Valve: Malformed playlist.txt in GoldSrc games leads to Access Violation & arbitrary code execution

A crafted playlist.txt can be used to exploit a stack overflow vulnerability in GameUI.dll that can lead to arbitrary code execution. Reproduction: Place the attached playlist.txt in a game directory (valve, cstrike, etc.). The game will crash when it tries to play the Splash track. Exploitability: The file ca...

AI score 3.2
Exploits: 0
Hacker One
added 2018/10/13 10:31 a.m., 76 views

Starbucks: Sidekiq web UI (Ruby background processing) accessible unauthenticated via https://gift-test.starbucks.co.jp/sidekiq/busy

Summary: I found the following URL, which appears to be running a Sidekiq web UI instance that is accessible unauthenticated: https://gift-test.starbucks.co.jp/sidekiq/busy Description: Sidekiq is used for Ruby background processing as I've learned; I'm not really familiar with it. The web UI ca...

AI score 0.3
Exploits: 0
Hacker One
added 2018/08/09 9:02 a.m., 76 views

RubyGems: Malware in `active-support` gem

This was sent to RubySec: The gem duplicates the official activesupport (no hyphen) code, but adds a compiled extension. The extension attempts to resolve a base64 encoded domain 29faea63.planfhntage.de, downloads a payload, and executes...

CVSS 10, AI score 1.4, EPSS 0.06129
Exploits: 1
Hacker One
added 2017/12/02 11:33 a.m., 76 views

Ruby: NET::Ftp allows command injection in filenames

Hi, While using NET::Ftp I realised you could get command execution through "malicious" file names. The problem lies in the gettextfile(remotefile, localfile = File.basename(remotefile)) method. When looking at the source code, you'll note: def gettextfile(remotefile, localfile = File.basename(remotefil...

CVSS 9.3, AI score 9.6, EPSS 0.73927
Exploits: 5
Hacker One
added 2017/10/28 12:16 a.m., 76 views

Internet Bug Bounty: Out-Of-Bounds Read in timelib_meridian()

Description: While deserializing an invalid dateTime value, wddx_deserialize would result in a heap out-of-bounds read in timelib_meridian. As wddx_deserialize is exposed to network data, and sometimes echoes the results back to the client, this issue could potentially allow remote peeking of the process...

CVSS 5, AI score 8.4, EPSS 0.26373
Exploits: 2
Hacker One
added 2017/07/06 3:33 p.m., 76 views

Rockstar Games: Reflected XSS via Double Encoding

The researcher found a Reflected XSS vulnerability in the search query on support.rockstargames.com. This exploit worked by using double-encoding to bypass our filters. With the researcher's help we were able to resolve this vulnerability...

AI score 2.7
Exploits: 0
Hacker One
added 2017/06/29 7:06 a.m., 76 views

arxius: Missing Rate Limit for Password Reset Verification - Vulnerable to brute force

Description: The password reset verification does not seem to contain the rate limit which is implemented in the email verification on sign up. The password reset link looks like this: https://arxius.io/password/EMAIL%40DOMAIN.COM/RESTTOKEN On clicking the link, it prompts to enter a new password. When...

AI score 7.1
Exploits: 0
Hacker One
added 2016/08/29 5:27 p.m., 76 views

Unikrn: Urgent: Server side template injection via Smarty template allows for RCE

Hi All, I've found an issue which has allowed me to execute file_get_contents and extract your /etc/passwd file. Description: It appears as though you are using Smarty on the backend for templating. Entering a malicious payload as my firstname, lastname and nickname and then inviting a user to join...

AI score 1.3
Exploits: 0
Hacker One
added 2016/04/25 11:39 a.m., 76 views

LocalTapiola: Content Spoofing or Text Injection (404 error page injection on yrityspalvelu)

Vulnerability Description: Application allows users to inject any content on the 404 not found webpage. Vulnerable Location: https://yrityspalvelu.tapiola.fi/a1/has%20been%20changed%20by%20a%20new%20one%20https://www.attacker.com%20so%20go%20to%20the%20new%20one%20since%20this%20one Fix: just use...

AI score 1.2
Exploits: 0
Hacker One
added 2016/04/14 5:14 a.m., 76 views

Uber: Unsubscribe any user from receiving email

Hi, At the URL https://www.uber.com/unsubscribe you can unsubscribe any email of any user, which is a bit of a concern for the people who want to receive emails from Uber. Only people who get email from Uber should be allowed to unsubscribe themselves from Uber emails rather than anybody unsubscribing...

AI score 0.9
Exploits: 0
Hacker One
added 2016/03/18 3:20 p.m., 76 views

Imgur: XSS via React element spoofing

Hello, I noticed an XSS on imgur. Proof of concept: visit the URL http://imgur.com/vidgif/ticket/aaaaaaaa?errorpropsdangerouslySetInnerHTMLhtml=%3Cimg%20src=a%20onerror=%22alert%27XSS%20on%20%27%2bdocument.domain%22%3E&errorisReactElement=true&errortype=body It's not the simplest case as it...

AI score 0.6
Exploits: 0
Hacker One
added 2016/03/13 6:26 p.m., 76 views

Shopify: Stored XSS in https://checkout.shopify.com/

STEPS TO REPRODUCE: 1. Go to http://hardware.shopify.com/products/custom-gift-card?variant=976094353 and Design your own gift card. 2. Change file type to url on the upload field. 3. Add the payload...

AI score 6.2
Exploits: 0
Hacker One
added 2015/11/19 7:35 p.m., 76 views

Pornhub: [xss, pornhub.com] /user/[username], multiple parameters

The researcher identified that the following URL for the Pornhub user was vulnerable to reflected/semi-stored cross site scripting, which enabled the researcher to craft a URL that pops an alert box upon mousing over the language selection at the bottom of the page. The affected URL can be seen below:...

AI score 0.5
Exploits: 0
Hacker One
added 2015/02/11 8:03 p.m., 76 views

HackerOne: CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain

Background: - There has been at least one case where an attacker was able to insert arbitrary HTML into a submitted report - HackerOne uses a very strict Content Security Policy that prevents inline script and script from other origins - HackerOne uses an authenticity_token in its POSTs to guard...

AI score 7.2
Exploits: 0
Hacker One
added 2014/04/09 11:22 a.m., 76 views

ReddAPI: No Captcha or rate limit on Login Page

Hello ReddApi Security Team, Vulnerability Details:- Login page can be brute forced due to lack of captcha or backoff. Impact:- An attacker can bruteforce a particular username and can possibly get an account takeover. POC:- I have made a proof of concept video of the same:-...

AI score 0.9
Exploits: 0
Hacker One
added 2024/03/27 9:50 a.m., 75 views

Internet Bug Bounty: CVE-2024-2466: TLS certificate check bypass with mbedTLS (reward request)

CVE-2024-2466: TLS certificate check bypass with mbedTLS. The vulnerability was reported in libcurl, where it did not check the server certificate of TLS connections made to a host specified as an IP address when built to use mbedTLS. This caused the certificate check to be completely skipped,...

CVSS 6.5, AI score 6.3, EPSS 0.01299
Exploits: 1
Hacker One
added 2024/03/20 7:26 a.m., 75 views

PortSwigger Web Security: [portswigger.net] Path Traversal at /cms/audioitems

Vulnerability description not provided...

AI score 7.1
Exploits: 0
Hacker One
added 2023/12/22 11:49 a.m., 75 views

Teleport: Improper session management - Failure to invalidate old session after password change

Failure to Invalidate Session on Password Change: Failure to invalidate a session after a password change is a vulnerability which allows an attacker to maintain access on a service. Most users have the expectation that when they reset their password, no one else can access their account. When...

AI score 7.3
Exploits: 0
Hacker One
added 2023/02/17 7:23 p.m., 75 views

Internet Bug Bounty: CVE-2023-23919: Multiple OpenSSL error handling issues in nodejs crypto library

Multiple OpenSSL error handling issues were found in the Node.js crypto library. In some cases, Node.js did not clear the OpenSSL error stack after operations that may have set it, which could lead to false positive errors during subsequent cryptographic operations on the same thread and...

CVSS 7.5, AI score 7.5, EPSS 0.02209
Exploits: 1
Hacker One
added 2022/05/13 12:29 a.m., 75 views

GitHub Security Lab: [Java]: CWE-321 - Query to detect hardcoded JWT secret keys

This bug was reported directly to GitHub Security Lab...

AI score 0.4
Exploits: 0
Hacker One
added 2021/08/23 5:34 p.m., 75 views

Brave Software: unclaimed s3 bucket takeover in the 3 js file located on the github page of brave software

Summary: There is an unclaimed s3 bucket, i.e. brave-extensions.s3.amazonaws.com, located in the 3 .js files on the official Brave Software GitHub page https://github.com/search?q=org%3Abrave+brave-extensions+language%3AJavaScript&type=Code The attacker can take over the bucket and create a file that is used ...

AI score 7.1
Exploits: 0
Hacker One
added 2021/06/06 9:14 p.m., 75 views

h1-ctf: HackerOne's 100K CTF Writeup

Greetings team, It has been a great challenge, thank you very much for the fun moments and also for the annoying ones : ██████████ P.S. I will put my writeup in my next comment. Impact ---...

AI score 1.6
Exploits: 0
Hacker One
added 2021/03/09 11:21 a.m., 75 views

Acronis: Account Confirmation bypass leads to access to some functionality

STEPS: 1. Go to the URL https://account.acronis.com//auth/signup 2. Create a Business Account 3. Intercept the request using Burp Suite 4. Now intercept the response of the given HTTP REQUEST below 5. Change the field "confirmed":false to true 6. You can even bypass the Accept terms and conditions by changing...

AI score 7
Exploits: 0
Hacker One
added 2020/11/04 6:35 p.m., 75 views

U.S. Dept Of Defense: Unauthorized access to admin panel of the Questionmark Perception system at https://██████████

Summary: Due to the lack of access control, an anonymous attacker can compromise the administrator account on the Questionmark Perception system. Description: By using the service description which is publicly accessible on the internet, and by bypassing the access control, an anonymous attacker can...

AI score 0.4
Exploits: 0
Hacker One
added 2020/10/02 6:02 a.m., 75 views

Mail.ru: Cross-site Scripting (XSS) - DOM on https://account.mail.ru/user/garage?back_url=https://mail.ru

Reflected XSS in account.mail.ru via back_url parameter...

AI score 1.3
Exploits: 0
Hacker One
added 2020/09/03 9:53 p.m., 75 views

GitHub Security Lab: Query to find TLS configurations supporting hardcoded insecure versions of the protocol and cipher suites

This bug was reported directly to GitHub Security Lab...

AI score 1.6
Exploits: 0
Hacker One
added 2020/08/20 9:31 p.m., 75 views

Dropcontact: Django should not have debug mode enabled

We were displaying sensitive information...

AI score 1.5
Exploits: 0
Hacker One
added 2020/04/22 2:04 p.m., 75 views

Stripo Inc: [www.stripo.email] There is no rate limit for contact-us endpoints

Summary: The speed limit for the https://stripo.email/es/contact-us endpoint has not been implemented. Steps To Reproduce: 1. Go to https://stripo.email/es/contact-us 2. Turn on blocking and fill out the contact form 3. Send request to Intruder. 4. Set your payloads and start attack. 5. There i...

AI score 0.1
Exploits: 0
Hacker One
added 2020/03/21 12:53 a.m., 75 views

Node.js third-party modules: [logkitty] RCE via insecure command formatting

I would like to report an RCE issue in the logkitty module. It allows executing arbitrary commands remotely inside the victim's PC. Module name: logkitty, version: 0.7.0, npm page: https://www.npmjs.com/package/logkitty Module Description: Display pretty Android and iOS logs without Android...

CVSS 7.5, AI score 1.8, EPSS 0.0201
Exploits: 1
Hacker One
added 2020/01/18 10:11 p.m., 75 views

Stripo Inc: HTTP Request Smuggling on my.stripo.email

Summary: HTTP request smuggling vulnerabilities arise when websites route HTTP requests through webservers with inconsistent HTTP parsing. By supplying a request that gets interpreted as being different lengths by different servers, an attacker can poison the back-end TCP/TLS socket and prepend...

AI score 0.2
Exploits: 0
Hacker One
added 2019/11/14 7:57 p.m., 75 views

Stripo Inc: subdomain takeover at status0.stripo.email

Hi, The subdomain status0.stripo.email was pointed at uptimerobot.com whereas it was not being used, but had a CNAME record of stats.uptimerobot.com. Hence anyone can take it over. I have parked it with a test account on uptimerobot.com F634639 F634636 thanks Impact: Anyone can use this subdomai...

AI score 0.7
Exploits: 0
Hacker One
added 2019/09/07 4:06 a.m., 75 views

HackerOne: Disclosure of Email title report in quick award payout email (no content mode)

Hello H1 Security Team, Description: In reports 645264 and 669776, email title disclosure has been fixed in no content settings. However, there is one more area which needs to be fixed - "Instant bounty Award Email". In this email, even though email settings have been set as "No content", still it's...

AI score 7.3
Exploits: 0
Hacker One
added 2019/05/23 1:21 a.m., 75 views

Tor: Detect Tor Browser's language

Summary: Some error pages use Tor Browser's language-based text, and an iframe can steal it. Details: Since the language of Tor Browser is used for the title of the link tag on the 404 error page, an attacker can obtain the language of Tor Browser even if the user has set privacy.spoof_english to 2. I...

CVSS 5, EPSS 0.01856
Exploits: 1
Hacker One
added 2019/04/17 3:00 p.m., 75 views

Node.js third-party modules: A specifically malformed MQTT Subscribe packet crashes MQTT Brokers using the mqtt-packet module for decoding

I would like to report a buffer over-read in the mqtt-packet, respectively BufferList, module. It allows triggering an out of range read on a buffer which throws a RangeError. MQTT Brokers like mosca and aedes using this module can be forced to crash by sending a specifically malformed MQTT Subscribe...

CVSS 5, AI score 7.6, EPSS 0.01586
Exploits: 1
Hacker One
added 2018/09/27 7:12 p.m., 75 views

Chaturbate: Chaturbate "/chat_ignore_list/" endpoint does not check for Account status: Disabled before adding Ignore via POST

Summary: Chaturbate.com provides the ability for its users when in chat to ignore other users in chat rooms via DM etc. by adding their camhandle name to the ignore list via the UI. Actually this is just a POST to /chat_ignore_list/ getting as a parameter the username, which is the camhandle name, in order to a...

AI score 0.3
Exploits: 0
Hacker One
added 2017/10/01 7:59 a.m., 75 views

WakaTime: Validation of Password reset tokens

Dear sir, At first, I am very happy to report an issue. Three months ago, I reported to WakaTime and again I am reporting another issue now. Note:- This report is similar to 244614 which was previously reported at the start of this bug bounty program. Vulnerability:- -If two password reset toke...

AI score 0.9
Exploits: 0
Hacker One
added 2017/05/18 5:46 p.m., 75 views

Zomato: Amazon S3 bucket misconfiguration (share)

Hi, Description: I have discovered one of your Amazon S3 buckets and tested it via the AWS command line tool on Linux. It looks like permissions are not well configured and allow dangerous actions to everyone. The vulnerable bucket is: zomato-share PoC: aws s3 ls s3://zomato-share aws s3 cp test...

AI score 2.3
Exploits: 0
Hacker One
added 2017/02/08 10:06 a.m., 75 views

WordPress: Infrastructure - Photon - SSRF

Description: The service Photon located at http://i0.wp.com/ and described at https://code.trac.wordpress.org/browser/photon/ is vulnerable to HTTP SSRF via redirect. The redirect can go to any IP, including inside of any firewall Photon might be inside, on any port, and can ad...

AI score 0.3
Exploits: 0
Hacker One
added 2015/04/16 6:15 p.m., 75 views

HackerOne: SPF whitelist of mandrill leads to email forgery

I just sent a forged email to [email protected] that appears to originate from [email protected]. I was able to do this because of the following SPF record: dig txt hackerone.com hackerone.com. 299 IN TXT "v=spf1 include:spf.google.com include:sendgrid.net include:mail.zendesk.com...

AI score 1.1
Exploits: 0
Hacker One
added 2015/03/22 4:26 p.m., 75 views

Coinbase: Blacklist bypass on Callback URLs

In bug 47368, I was able to reach private IP addresses via the "Test Now" button of the "Callback URL" feature. Exploiting this flaw allowed me to reach the metadata server of your outbound proxy which is, afaik, maintained by Proximo. A comment by aianus states that callbacks are now restricted...

AI score 6.9
Exploits: 0
Hacker One
added 2014/06/25 1:43 p.m., 75 views

Uzbey: Information Disclosure (phpinfo())

URL:- https://staging.uzbey.com/phpinfo.php Description:- phpinfo is a debug functionality that prints out detailed information on both the system and the PHP configuration. An attacker can obtain information such as: • Exact PHP version. • Exact OS and its version. • Details of the PHP...

AI score 0.4
Exploits: 0
Hacker One
added 2014/04/18 11:47 a.m., 75 views

Localize: Login page password-guessing attack

Login page password-guessing attack. Vulnerability description: A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and...

AI score 1.7
Exploits: 0
Hacker One
added 2024/08/23 12:34 a.m., 74 views

Adobe: Unauthenticated Varnish Cache Purge

Vulnerability description not provided...

AI score 7.1
Exploits: 0
Hacker One
added 2024/07/30 5:16 a.m., 74 views

curl: CVE-2024-7264: ASN.1 date parser overread

Vulnerability description not provided...

CVSS 6.5, AI score 6, EPSS 0.16212
Exploits: 1
Hacker One
added 2022/06/17 8:51 a.m., 74 views

Hyperledger: Remote denial of service in HyperLedger Fabric

This issue was caused by a missing nil check. An orderer-to-orderer consensus message that contains an empty inner message crashes the node because it attempts to figure out its type, and the mere action of determining the type of a nil pointer causes a panic. Thank you to Haosheng Wang of OPP...

CVSS 5, AI score 1.1, EPSS 0.01612
Exploits: 0
Hacker One
added 2022/06/02 8:12 p.m., 74 views

curl: CVE-2022-32208: FTP-KRB bad message verification

Summary: libcurl handles the gss_unwrap GSS_S_BAD_SIG error incorrectly. This enables a malicious attacker to inject arbitrary FTP server responses into a GSSAPI protected FTP control connection and/or make the client consume unrelated heap memory as an FTP command response. The defective krb5_decode function is...

CVSS 4.3, AI score 0.8, EPSS 0.05595
Exploits: 1
Hacker One
added 2022/04/21 3:28 a.m., 74 views

curl: CVE-2022-27775: Bad local IPv6 connection reuse

Summary: Curl doesn't consider the IPv6 address zone index when doing connection reuse. If a connection exists to a specific IPv6 address and the other conditions for connection reuse are fulfilled, it will be reused for connections regardless of the zone index. Steps To Reproduce: 1. Set up a fake server: ech...

CVSS 5, AI score 0.2, EPSS 0.02794
Exploits: 1
Hacker One
added 2021/09/23 11:36 p.m., 74 views

GitHub Security Lab: [Python] CWE-522: Insecure LDAP Authentication

This bug was reported directly to GitHub Security Lab...

AI score 1.3
Exploits: 0
Hacker One
added 2021/04/20 7:42 a.m., 74 views

Lark Technologies: Improper Access Control on Lark Footer Feature

Due to improper access control within Lark's footer feature, an attacker could have potentially accessed private files. We thank @imrannisar for reporting this to our team and confirming the resolution...

AI score 2.9
Exploits: 0
Total number of security vulnerabilities: 5000