Lucene search
K
HackeroneMost viewed

15372 matches found

Hacker One
Hacker One
added 2014/06/25 1:43 p.m.75 views

Uzbey: Information Disclosure (phpinfo())

URL :- https://staging.uzbey.com/phpinfo.php Description :- phpinfo is a debug functionality that prints out detailed information on both the system and the PHP configuration. An attacker can obtain information such as: •Exact PHP version. •Exact OS and its version. •Details of the PHP...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2014/04/18 11:47 a.m.75 views

Localize: Login page password-guessing attack

Login page password-guessing attack Vulnerability description A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and...

1.7AI score
Exploits0
Hacker One
Hacker One
added 2024/08/23 12:34 a.m.74 views

Adobe: Unauthenticated Varnish Cache Purge

Vulnerability description not provided...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2022/06/17 8:51 a.m.74 views

Hyperledger: Remote denial of service in HyperLedger Fabric

This issue was caused by a missing check of nil. An orderer to orderer consensus message that contains an empty inner message crashes the node because it attempts to figure out its type and the mere action of determining the type of a nil pointer, causes a panic. Thank you to Haosheng Wang of OPP...

5CVSS1.1AI score0.01937EPSS
Exploits0
Hacker One
Hacker One
added 2022/06/02 8:12 p.m.74 views

curl: CVE-2022-32208: FTP-KRB bad message verification

Summary: libcurl handles gssunwrap GSSSBADSIG error incorrectly. This enables malicious attacker to inject arbitrary FTP server responses to GSSAPI protected FTP control connection and/or make the client consume unrelated heap memory as a FTP command response. The defective krb5decode function is...

4.3CVSS0.8AI score0.06762EPSS
Exploits1
Hacker One
Hacker One
added 2022/05/11 7:6 a.m.74 views

Internet Bug Bounty: CVE-2022-27780: percent-encoded path separator in URL host

Advisory: https://curl.se/docs/CVE-2022-27780.html Original Report: https://hackerone.com/reports/1553841 Impact URL filter bypasses...

7.7AI score0.02187EPSS
Exploits1
Hacker One
Hacker One
added 2022/04/21 3:28 a.m.74 views

curl: CVE-2022-27775: Bad local IPv6 connection reuse

Summary: Curl doesn't consider IPv6 address zone index when doing connection reuse. if connection exists to specific IPv6 address and other conditions for connection reuse are fulfilled it will be reused for connections regardless of the zone index. Steps To Reproduce: 1.Set up a fake server: ech...

5CVSS0.2AI score0.02794EPSS
Exploits1
Hacker One
Hacker One
added 2021/09/23 11:36 p.m.74 views

GitHub Security Lab: [Python] CWE-522: Insecure LDAP Authentication

This bug was reported directly to GitHub Security Lab...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2021/04/20 7:42 a.m.74 views

Lark Technologies: Improper Access Control on Lark Footer Feature

Due to improper access control within Lark's footer feature, an attacker could have potentially accessed private files. We thank @imrannisar for reporting this to our team and confirming the resolution...

2.9AI score
Exploits0
Hacker One
Hacker One
added 2021/04/19 9:25 a.m.74 views

Ruby: 'net/http': HTTP Header Injection in the set_content_type method

The set\content\type's parameter is not filtered to prevent the injection from altering the entire request. The vulnerable code: ruby def setcontenttypetype, params = @header'content-type' = type + params.map|k,v|"; k=v".join'' end PoC 1. ruby require 'net/http' uri = URI'http://127.0.0.1:8080' r...

6.4CVSS7.4AI score0.0642EPSS
Exploits1
Hacker One
Hacker One
added 2021/03/30 12:56 p.m.74 views

Zivver: Cross-site Scripting (XSS) - Reflected

This issue is out of scope per our policy. It would require very unlikely user involvement, such as getting the victim to directly copy and paste malicious code into the search bar as the search query can not be passed dynamically, e.g. as a URL parameter. vulnerabal url : = docs.zivver.com...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2021/02/20 12:25 a.m.74 views

Shopify: Stored XSS on apps.shopify.com

Steps to reProduce: 1 Write payload luc1d"@wearehackerone.com as Store contact email in General Settings page.myshopify.com/admin/settings/general F1202181 -- Wait here around 60 mins maybe more idk, it was 60 mins for me for the change to reflect -- You can confirm the change on here...

6.2AI score
Exploits0
Hacker One
Hacker One
added 2021/02/01 4:21 p.m.74 views

GitLab: FogBugz import attachment full SSRF requiring vulnerability in *.fogbugz.com

Summary: Hi Team, a bit of a odd one here. The FogBugz import code uses CarrierWave::Uploader::Base:download! to download attachments from fogbugz.com when importing a FogBugz repository. CarrierWave::Uploader::Base:download! ultimately uses Kernel.Open to download the provided attachment URL...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2021/01/04 8:44 p.m.74 views

U.S. Dept Of Defense: Reflected XSS on https://█████████html?url

Vulnerable Website URL or Application: https://███████html?url=javascript:alert"nagli" Description of Security Issue: please limit to one site/app per submission Reflected XSS due to no input validation █████████ Remediation Sanitize the input on the that parameter Best Regards nagli Impact...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2020/09/06 2:56 p.m.74 views

New Relic: IDOR - User is able to download charts/dashboards from cross accounts

@k3ne described an issue where a user on an account could access data concerning dashboards for another user on the same account. While this appeared to be a cross-account access issue, both users on the account have access to the same data by design...

4.4AI score
Exploits0
Hacker One
Hacker One
added 2019/12/27 11:7 p.m.74 views

Nextcloud: Remote code execution via path traversal in Zip extraction in the Extract app

I realise this doesn't qualify for a reward, as it's a vulnerability in a third-party app, but as the app is part of the "official" VM image provided by Hansson IT, I think it's well worth fixing. The Extract app doesn't validate the path or filename of a zip file to be extracted, allowing an...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2019/12/14 8:30 p.m.74 views

InnoGames: Blind SQL Injection

Summary of the Issue A Time Based Blind SQL injection vulnerability was detected on www.innogames.com. Using a specifically crafted payload it was possible to extract database entries. Vulnerable endpoint: https://www.innogames.com/ Steps to reproduce: 1. Getting two states for boolean based sql...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2019/09/27 1:43 p.m.74 views

Razer: DOM XSS at https://www.thx.com in IE/Edge browser

Summary: I just recently found easy exploitable DOM XSS vulnerability because of https://www.thx.com/assets/plugins/ultimate-social-media-icons/js/custom.js?ver=5.2.3 js file Steps To Reproduce: First i want to say this is vulnerable code function sfsimobilewechatshareurl if...

2AI score
Exploits0
Hacker One
Hacker One
added 2019/09/06 12:2 a.m.74 views

GitLab: SSRF In plantuml (on plantuml.pre.gitlab.com)

NOTE! Thanks for submitting a report! Please replace all the parenthesized sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary The site...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2019/07/23 1:53 p.m.74 views

Central Security Project: OS Command Injection in Nexus Repository Manager 2.x

Maven artifact groupId: org.sonatype.nexus.plugins artifactId: nexus-yum-repository-plugin version: 2.14.9-01 Vulnerability Vulnerability Description The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. All instances using CommandLineExecutor.java with user-supplied data is...

9CVSS0.2AI score0.18396EPSS
Exploits5
Hacker One
Hacker One
added 2019/07/02 12:16 a.m.74 views

Node.js third-party modules: Command Injection in npm module name passed as an argument to pm2.install() function

Hi Lads, I would like to report Command Injection possible when npm module name is passed into pm2.install. An attacker is able to attach OS commands to npm module name and those commands will be executed when payload reaches execution sink in continueInstall function in API/Modules/NPM.js file...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2019/01/17 4:37 p.m.74 views

MariaDB: CRLF injection on https://buildbot.mariadb.org

A CRLF new line injection vulnerability has been discovered in the Buildbot.net software and reported to us. We have forwarded this to the Buildbot developers which coordinated a fix release and public disclosure. This vulnerability has been assigned CVE-2019-7313. More details in the advisory te...

5.8CVSS2AI score0.0087EPSS
Exploits1
Hacker One
Hacker One
added 2018/07/17 5:9 p.m.74 views

Rocket.Chat: Blind XSS in the rocket.chat registration email

Note: This report was initially sent via email and I was invited to submit this here. Hi team, During an audit on a third-party, I discovered that rocket.chat Android client might be vulnerable to blind XSS. My XSS payload fired in the context of the target's rocket.chat client as you can see bel...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/07/03 9:27 a.m.74 views

VK.com: XSS-уязвимость, связанная с загрузкой файлов

XSS в документах...

6.3AI score
Exploits0
Hacker One
Hacker One
added 2018/02/27 3:51 p.m.74 views

Shopify: myshopify.com domain takeover

Hello Shopify Security Team, I just received your email and I'm sorry for any inconvenience. Yes, it was me. Basically, I just tried to audit your website using some black box testing. Unfortunately, I didn't read about those guidelines, such as creating a store on https://partners.shopify.com/ a...

7.3AI score
Exploits0
Hacker One
Hacker One
added 2018/01/07 9:18 a.m.74 views

Ruby: Unix domain socket and a path containing a null character

Some methods on UNIX domain socket are not checked for null characters. vagrant@localhost $ ls /tmp vagrant@localhost $ irb irbmain:001:0 require 'socket' = true irbmain:002:0 UNIXServer.open"/tmp/socket\0ruby" |serv| irbmain:003:1 c = UNIXSocket.open"/tmp/socket\0sapphire" irbmain:004:1 s =...

5CVSS1.3AI score0.07169EPSS
Exploits0
Hacker One
Hacker One
added 2017/08/30 8:6 p.m.74 views

Automattic: xss filter bypass [polldaddy]

Hi, previously reported xss https://hackerone.com/reports/107405 which is fixed, but i am able to bypass that fix. Payload for bypass : Click Here Steps: - Login into Polldaddy account polldaddy.com - go to POLLS and create new poll - in answers. enter xss payload Click Here F217173 - Save it - g...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2017/08/25 10:35 a.m.74 views

Rockstar Games: Stored XSS with CRLF injection via post message to user feed

In this report, the researcher was able to demonstrate a Stored XSS vulnerability in User Feeds. This vulnerability leveraged CRLF injection in order to bypass existing filters and execute the payload. With their help we were able to improve our filtering and sanitization rules in order to preven...

3AI score
Exploits0
Hacker One
Hacker One
added 2017/06/18 5:4 p.m.74 views

Pornhub: pornhub.com/user/welcome/basicinfo nickname field is vulnerable on xss

The researcher discovered a stored XSS in the user's basic info page...

1.2AI score
Exploits0
Hacker One
Hacker One
added 2017/02/11 12:11 p.m.74 views

WordPress: Wordpress unzip_file path traversal

Summary The Wordpress unzipfile function https://codex.wordpress.org/FunctionReference/unzipfile is vulnerable to path traversal when extracting zip files. Extracting untrusted zip files using this function this could lead to code execution through placing arbitrary PHP files in the DocumentRoot ...

Exploits0
Hacker One
Hacker One
added 2016/11/15 7:0 a.m.74 views

Pushwoosh: Unsecured Grafana instance

Unsecured Grafana instance...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2016/07/13 12:38 p.m.74 views

Automattic: [bbPress] Stored XSS in any forum post.

Intro: Encouraged by the success of cure53 and their reward, i start the research plugins in your scope. And almost immediately i found critical Stored XSS, which of course leeds to privelege escalation or PHP code execution. This vulnerability doesnt requres "special" preveleges like...

3.5CVSS6.4AI score0.05633EPSS
Exploits1
Hacker One
Hacker One
added 2016/06/14 4:51 p.m.74 views

Sucuri: SSRF in sitecheck.sucuri.net

Hi, Sucuri Security Team. I found a SSRF in https://sitecheck.sucuri.net/ Although there was already an protection to prevent SSRF, but it can be bypassed by 302 redirection! ssrf.php https://sitecheck.sucuri.net/results/orange.tw/ssrf.php And your port will receive "HELLO WORLD" orange@z:$ nc -v...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2016/05/11 10:35 p.m.74 views

Pornhub: [stored xss, pornhub.com] stream post function

Stored Cross Site Scripting The user profile page is vulnerable to stored cross site scripting, a user can post a text post on their page with the following as the message body: http://url=http://www.pornhub.com/"/onmouseover="alertdocument.domain"/http://a/"/url This gets stored in a post and ca...

6.2AI score
Exploits0
Hacker One
Hacker One
added 2016/04/21 12:0 a.m.74 views

Internet Bug Bounty: Insufficient shell characters filtering leads to (potentially remote) code execution (CVE-2016-3714)

The 1 EPHEMERAL, 2 HTTPS, 3 MVG, 4 MSL, 5 TEXT, 6 SHOW, 7 WIN, and 8 PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick." See also:...

10CVSS8.5AI score0.97485EPSS
Exploits11
Hacker One
Hacker One
added 2016/03/26 5:43 p.m.74 views

Uber: CBC "cut and paste" attack may cause Open Redirect(even XSS)

Hello, Uber Security Team I found an vulnerability in Uber URL redirect page. Vulnerability In page...

6.2AI score
Exploits0
Hacker One
Hacker One
added 2015/09/25 3:35 p.m.74 views

Ruby on Rails: Nested attributes reject_if proc can be circumvented by providing "_destroy" parameter

Nested attributes rejection proc bypass in Active Record. There is a vulnerability in how the nested attributes feature in Active Record handles updates in combination with destroy flags when destroying records is disabled. This vulnerability has been assigned the CVE identifier CVE-2015-7577...

5CVSS5.7AI score0.0425EPSS
Exploits0
Hacker One
Hacker One
added 2014/11/04 12:0 a.m.74 views

Ruby on Rails: Arbitrary file existence disclosure in Action Pack

This bug was reported directly to the Rails team: https://groups.google.com/forum/!topic/rubyonrails-security/23fiuwb1NBA...

5CVSS6.3AI score0.04162EPSS
Exploits1
Hacker One
Hacker One
added 2013/12/04 2:17 p.m.74 views

Internet Bug Bounty: TLS Virtual Host Confusion

I am a security researcher at INRIA Paris in team PROSECCO http://prosecco.inria.fr We have been investigating a new class of attacks against the deployment of TLS on the Web. The main idea behind these attacks is that when two servers host different domains but share the same certificate which...

6.4AI score
Exploits0
Hacker One
Hacker One
added 2013/11/22 12:0 a.m.74 views

Ruby: Ruby: Heap Overflow in Floating Point Parsing

Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values...

6.8CVSS3.7AI score0.34968EPSS
Exploits46
Hacker One
Hacker One
added 2024/07/03 7:9 a.m.73 views

Internet Bug Bounty: important: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect (CVE-2024-38476)

The Apache HTTP Server vulnerability CVE-2024-38476 was discovered in versions 2.4.0 through 2.4.59. The vulnerability allowed the use of exploitable or malicious backend application output to run local handlers via internal redirect. Users were recommended to upgrade to version 2.4.60, which fix...

9.8CVSS8.6AI score0.41611EPSS
Exploits0
Hacker One
Hacker One
added 2024/05/30 9:25 a.m.73 views

Internet Bug Bounty: CVE-2024-32760 in nginx

CVE-2024-32760 was discovered in the HTTP/3 QUIC module of NGINX Plus and NGINX OSS. When the module was configured, undisclosed HTTP/3 encoder instructions could cause NGINX worker processes to terminate or experience other potential impact...

6.5CVSS6.4AI score0.00848EPSS
Exploits0
Hacker One
Hacker One
added 2024/04/08 8:41 p.m.73 views

Internet Bug Bounty: Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash

The Node.js HTTP/2 server was affected by a vulnerability that caused it to crash instantly after receiving a small number of HTTP/2 frames. The issue was caused by a race condition that occurred when the Http2Session destructor was triggered while header frames were still being processed, leavin...

8.2CVSS6.3AI score0.87211EPSS
Exploits1
Hacker One
Hacker One
added 2024/02/23 5:22 a.m.73 views

PortSwigger Web Security: CSP Bypass and escalation of https://hackerone.com/reports/2279346

Vulnerability description not provided...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2023/06/06 5:18 p.m.73 views

inDrive: #1 XSS on watchdocs.indriverapp.com

The security vulnerability found on watchdocs.indriverapp.com allowed for cross-site scripting XSS attacks. The vulnerability was triggered by crafting a specific URL that executed arbitrary JavaScript code when accessed by users...

6.3AI score
Exploits0
Hacker One
Hacker One
added 2023/01/03 12:18 p.m.73 views

Node.js: CRLF Injection in Nodejs ‘undici’ via host

A CRLF injection vulnerability existed in the 'host' header of undici.request API, allowing an attacker to inject arbitrary HTTP headers and conduct various attacks. The vulnerability impacted undici library versions up to 5.14.0...

7.3AI score
Exploits0
Hacker One
Hacker One
added 2022/01/20 1:37 p.m.73 views

Internet Bug Bounty: Buffer Overflow in optimized_escape_html method

This report is a copy of bug report https://hackerone.com/reports/1328463. I was asked to submit this bug here, because Ruby bug bounty program is moved to this new Internet Bug Bounty program. Operating System ================ Windows 10 This should reproduce in any other operating system where...

7.5CVSS8.9AI score0.04766EPSS
Exploits1
Hacker One
Hacker One
added 2021/12/12 6:43 a.m.73 views

FetLife: Able to access private picture/video/writing when requesting for their JSON response

Description Endpoint https://fetlife.com/users/user-id/pictures/pic-id has 2 types of responses, HTML and JSON. The type of response depends on Accept header of request it get. If request contains Accept: application/json, then it will return JSON response. Other than that, it returns HTML...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2021/08/11 7:10 p.m.73 views

U.S. Dept Of Defense: Sensitive information on ██████████

Hi team, i found a sensitive file hosted on '████' that i think must be not public accessible due to the wording "████████" Vulnerable Endpoint: https://██████ █████████ Regards Impact Sensitive information pubblicy accessible System Hosts ██████████ Affected Products and Versions CVE Numbers Ste...

1.6AI score
Exploits0
Hacker One
Hacker One
added 2021/06/15 3:39 p.m.73 views

curl: CVE-2021-22926: CURLOPT_SSLCERT mixup with Secure Transport

Summary: libcurl Secure Transport SSL backend fails to secure the CURLOPTSSLCERT against current directory file overriding the keychain nickname specified. This leads to the possibility of locally created file overriding the CURLOPTSSLCERT specified certificate and thus causing denial of service...

5CVSS0.2AI score0.0982EPSS
Exploits1
Total number of security vulnerabilities5000