Lucene search
K
HackeroneMost viewed

15372 matches found

Hacker One
Hacker One
added 2021/06/07 9:9 p.m.73 views

GitHub Security Lab: [Java] CWE-295 - Incorrect Hostname Verification - MitM

This bug was reported directly to GitHub Security Lab...

0.8AI score
Exploits0
Hacker One
Hacker One
added 2020/12/04 10:54 a.m.73 views

U.S. Dept Of Defense: Sensitive data exposure via https://███/secure/QueryComponent!Default.jspa - CVE-2020-14179

Summary: Information Disclosure vulnerability in outdated Jira. Description: Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the...

5CVSS2.1AI score0.76042EPSS
Exploits1
Hacker One
Hacker One
added 2020/12/03 11:52 p.m.73 views

VK.com: Path Traversal в iOS приложении

Передача файлов из внутреннего каталога iOS приложения. С помощью хакерской атаки можно было угнать файлы из внутреннего каталога IOS приложения...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2020/11/09 4:47 a.m.73 views

Stripo Inc: No rate limiting for subscribe email + lead to Cross origin misconfiguration

Summary: I found bypass no rate limiting using Access-Control-Allow-Origin: and look the response as 200 vulnerable No rate limit means their is no mechanism to protect against the requests you made in a short frame of time. If the repetition doesn't give any error after 50, 100, 1000 repetitions...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2020/09/25 5:44 a.m.73 views

CS Money: IDOR in https://3d.cs.money/

Summary: Hello, I found an IDOR in https://3d.cs.money/ which will allow you to save, edit, delete build of victim account without any grant on the victim account Steps To Reproduce: This bug based on steamID which is reflected on Steam or you can use any Steam ID Finder software to find...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2020/06/06 9:53 a.m.73 views

h1-ctf: [H1-2006 2020] CTF writeup

Context Well, against all expectations you finally get it, you got the flag! Let's go back in time to remember how. --- Twitter Once upon a time As always the CTF starts with a tweet: F855948 --- Subdomains According to the policy page, .bountypay.h1ctf.com is in scope. You decide to scan...

6.5AI score
Exploits0
Hacker One
Hacker One
added 2020/03/17 1:42 a.m.73 views

Razer: 🐞 OS Command Injection at https://sea-web.gold.razer.com/lab/ws-lookup via IP parameter

The tester discovered a Razer Gold Thailand site that suffered from a service with a command injection vulnerability. Razer thanks the tester for his report and clear PoC. a real world CTF-Like challenge 😅 Burpsuite Collaborator Client was very helpful Thanks @Razer for the bounty 🥳...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2020/03/12 12:38 a.m.73 views

Nord Security: The Linux binaries (nordvpn and nordvpnd) don't use PIE/ASLR

Summary: The Linux binaries nordvpn and nordvpnd don't have PIE/ASLR enabled. A such feature is used to harden programs against the exploitation of memory corruption bugs and should be enabled. The use of ASLR has long been debated among the Golang community. However, it seems that it's becoming...

7.2AI score
Exploits0
Hacker One
Hacker One
added 2020/01/28 11:8 a.m.73 views

X (Formerly Twitter): iOS app crashed by specially crafted direct message reactions

Summary: iOS app crashed by specially crafted direct message reactions Description: Twitter does not properly sanitize direct message reactions, making it possible for arbitrary reaction text to be shown to the user via the message preview in the direct message list. Special characters such as \r...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2020/01/02 9:34 a.m.73 views

MTN Group: Information Disclosure Microsoft IIS Server service.cnf in a mtn website

Hi there i found a information disclosure Microsoft IIS Server service.cnf file in the website https://www.mtn.co.za/ using firefox. In the following steps i will demonstrate how to reproduce the vulnerability. POC: 1ºGo to the following url: https://www.mtn.co.za/vtipvt/service.cnf you will see:...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2019/12/05 10:8 a.m.73 views

PUBG: Reflected XSS in pubg.com

Summary: PUBG's main website https://www.pubg.com has an endpoint that is vulnerable to an injection vulnerability - namely a reflected injection of JavaScript, also known as Reflected Cross Site Scripting XSS. As per OWASP's definition: "Cross-Site Scripting XSS attacks are a type of injection, ...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2019/09/07 9:32 p.m.73 views

Mail.ru: OOB XXE

Limited XXE on XML request processing led to blind SSRF possibility OOB XXE on one of Ext. B Mail.ru domains, which could be exploited as blind SSRF...

1.7AI score
Exploits0
Hacker One
Hacker One
added 2019/08/12 6:42 p.m.73 views

U.S. Dept Of Defense: [CVE-2019-11510 ] Path Traversal on ████████ leads to leaked passwords, RCE, etc

Summary / Description: █████ is vulnerable to Path Traversal which can lead to remote code execution. Impact Critical Step-by-step Reproduction Instructions 1. Run the following cURL command to get the file /etc/hosts curl --path-as-is -k -D-...

7.5CVSS0.8AI score0.99999EPSS
Exploits22
Hacker One
Hacker One
added 2019/07/15 10:4 p.m.73 views

WordPress: Stored XSS Vulnerability

Hi there, I found a stored xss @ https://core.trac.wordpress.org/ Steps: 1. Go to https://core.trac.wordpress.org/ and login. open new private window and login with another account 2. Go to https://core.trac.wordpress.org/newticket and set a summary and description. 3. Select a Workflow Keyword a...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2019/04/01 6:15 p.m.73 views

U.S. Dept Of Defense: SQL Injection in ████

Summary There is an SQL injection vulnerability in ████████ in the /█████/recruiter/updapp.aspx page, exploitable through the appid form parameter. Impact An attacker could use this vulnerability to control the content in the database, exfiltrate information, and obtain remote code execution...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2018/09/27 5:38 a.m.73 views

QIWI: [*.rocketbank.ru] Web Cache Deception & XSS

Практически все сайты .rocketbank.ru, основанные на readymag.rocketbank.ru, уязвимы к Web Cache Deception и XSS. Пример запроса: http GET /?xx HTTP/1.1 Host: wknd.rocketbank.ru X-Forwarded-Host: cacheattack'"alertdocument.domain HTTP ответ: html alertdocument.domain/friends/" alertdocument.domain...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2018/05/31 2:49 p.m.73 views

Trello: Stored XSS in Treeview plugin

There was a potential XSS issue in a third party power-up. While issues with third party apps are generally out of scope for our bug bounty program, in this case we opted to award a small bounty...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2018/03/29 11:28 a.m.73 views

VK.com: Определение id по номеру телефона

Недостаточность проверок в определенных запросах...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/03/28 6:51 a.m.73 views

Node.js third-party modules: [serve] Directory listing and File access even when they have been set to be ignored

I would like to report a vulnerability in serve on macOS. It allows listing directory and reading local files on the target server. Module module name: serve version: 6.5.3 npm page: https://www.npmjs.com/package/serve Module Description Ever wanted to share a project on your network by running...

5CVSS0.1AI score0.01048EPSS
Exploits1
Hacker One
Hacker One
added 2018/02/06 2:8 p.m.73 views

Node.js third-party modules: [localhost-now] Path Traversal allows to read content of arbitrary file

Hi Guys, There is Path Traversal in localhost-now module. It allows to read content of arbitrary files on the remote server. Module localhost-now This is a general file server made by nodejs. It will be easy for you to access the files on the server through the browser...

5CVSS7.6AI score0.02021EPSS
Exploits1
Hacker One
Hacker One
added 2017/04/14 3:3 a.m.73 views

Phabricator: Autoclose can close any task regardless of policies/spaces

Description If a user can push to a repository that has autoclose enabled, they can close //any// Maniphest task on the install, including tasks whose policies otherwise restrict the user from viewing or editing, and tasks inside Spaces that the user can't view. I don't think this rises to the...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2017/02/01 12:53 a.m.73 views

Phabricator: User with only Viewing Privilege can send message to Room

Hey, mongoose When the owner of a chat room gives any user Viewing Privilege, that user can then send messages to the room. As expected, there's no form to send messages when the user access the room since in theory it shouldn't be possible. However, messages via POST requests can still be sent a...

0.6AI score
Exploits0
Hacker One
Hacker One
added 2016/09/18 5:58 a.m.73 views

Yelp: Password reset token not expiring

Hello Yelp, Old unused Password reset tokens are not expiring on yelp.com after the issuance of a new token. EXPLANATION: Suppose at 09:00 hrs I used password reset options of yelp and got a token on my email.Lets call it token01. But i did not use it. And at 09:04 hrs I used again the password...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2016/07/07 1:16 a.m.73 views

Uber: Subdomain takeover of translate.uber.com, de.uber.com and fr.uber.com

Limited disclosure at @rojanr's request Subdomains including translate.uber.com, fr.uber.com and de.uber.com were pointing to a CNAME for a site that was not claimed. I was able to claim the site and add any content. For PoC purposes, I showcased my blog on translate.uber.com and de.uber.com...

1.6AI score
Exploits0
Hacker One
Hacker One
added 2015/02/28 5:38 p.m.73 views

HackerOne: Improperly validated fields allows injection of arbitrary HTML via spoofed React objects

Note: I haven't yet investigated the implications of this fully, so this may be more severe than I'm currently aware of. Right now the only exploits I'm aware of allow a team member to attack other team members. I've found a couple fields that I'd expect to be limited to string values, but which...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2015/02/18 5:46 p.m.73 views

Internet Bug Bounty: Bad Write in TTF font parsing (win32k.sys)

This bug was originally reported through Project Zero at Google. Alex Rice suggested to me that I could potentially receive a bounty through Hacker One so I am also opening a report here. The vulnerability reference numbers are MS15-010 CVE-2015-0059 The original bug report is...

6.9CVSS6.2AI score0.11104EPSS
Exploits0
Hacker One
Hacker One
added 2015/01/26 5:48 p.m.73 views

Mobile Vikings: Stored XSS in Direct debit name

Make new or edit old Direct debit for example https://mobilevikings.be/en/account/easypay/correct-direct-debit-mandate/111366/ 2. Fill owners name with payload asdf'"alertdocument.cookie 3. Save form. We got Stored XSS in pages: https://mobilevikings.be/en/account/easypay/...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2014/09/28 6:50 p.m.73 views

HackerOne: No email verification on username change

Hello Hackerone People This is an issue that i discovered in the username change option. Basically anyone can ask your system to change anyone's username on hackerone. I tested this by mailing at [email protected] to change the username of my friend's account from yhunterz to yahoohuntz whose...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2014/05/20 1:13 a.m.73 views

Mail.ru: XXE and SSRF on webmaster.mail.ru

SSRF request: POST /domain/metadata HTTP/1.1 Host: webmaster.mail.ru User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.9; rv:29.0 Gecko/20100101 Firefox/29.0 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2014/04/09 7:51 a.m.73 views

Yahoo!: REMOTE CODE EXECUTION/LOCAL FILE INCLUSION/XSPA/SSRF, view-source:http://sb*.geo.sp1.yahoo.com/, 4/6/14, #SpringClean

Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2014/01/14 12:0 a.m.73 views

Internet Bug Bounty: Handling of jar: URIs bypasses AllowScriptAccess=never

This bug was reported directly to Adobe. http://helpx.adobe.com/security/products/flash-player/apsb14-02.html...

10CVSS6.3AI score0.07117EPSS
Exploits0
Hacker One
Hacker One
added 2024/04/13 10:23 a.m.72 views

Node.js: Bypass incomplete fix of CVE-2024-27980

The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability arose from improper handling of batch files with all possible extensions on Windows via childprocess.spawn and childprocess.spawnSync. A malicious command line argument could have been used ...

8.1CVSS7.5AI score0.01387EPSS
Exploits0
Hacker One
Hacker One
added 2024/03/10 9:32 p.m.72 views

curl: CVE-2024-2379: QUIC certificate check bypass with wolfSSL

The vulnerability in vquic-tls.c in the curlwsslinitctx function allowed for a certificate check bypass when using the WolfSSL backend. The error handling was not properly implemented, resulting in a potential bypass of the certificate verification requirements...

6.3CVSS6.5AI score0.01709EPSS
Exploits1
Hacker One
Hacker One
added 2022/11/27 8:42 p.m.72 views

Cloudflare Public Bug Bounty: Using special IPv4-mapped IPv6 addresses to bypass local IP ban

Vulnerability description not provided...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2022/09/28 2:43 p.m.72 views

Fastify: Deny of service via malicious Content-Type

Summary: I found a way to crash a [email protected] server with a single query on a minimal setup. The function ContentTypeParser.getParser do not check properly if the requested content-type parser exists. /lib/contentTypeParser.js:94 javascript ContentTypeParser.prototype.getParser = function...

5CVSS7.3AI score0.59244EPSS
Exploits0
Hacker One
Hacker One
added 2022/09/22 1:10 p.m.72 views

Yelp: No rate limit on subscribe form

Summary: Hi team, I found that you missing a rate limit protection for subscribe form Platforms Affected: https://business.yelp.com/?source=consumersiteheader&utmcontent=header&utmmedium=www&utmsource=conshome Steps To Reproduce: 1. go to...

Exploits0
Hacker One
Hacker One
added 2022/05/11 7:11 a.m.72 views

Internet Bug Bounty: CVE-2022-27778: curl removes wrong file on error

Summary: Curl command has a logic flaw that results in removal of a wrong file when combining --no-clobber and --remove-on-error if the target file name exists and an error occurs. Steps To Reproduce: 1. echo "important file" foo 2. echo -ne "HTTP/1.1 200 OK\r\nContent-Length: 666\r\n\r\nHello\n"...

5.8CVSS7.8AI score0.03453EPSS
Exploits1
Hacker One
Hacker One
added 2021/09/17 10:50 a.m.72 views

Basecamp: Subdomain Takeover due to ████████ NS records at us-east4.37signals.com

Description Hi! I have discovered that us-east4.37signals.com was pointing to an unclaimed ████ NS zone and I've managed to claim it in my account. POC http://nagli.us-east4.37signals.com/takeover.html F1451587 Remediation Make sure to configure the DNS records under us-east4.37signals.com Best...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2021/08/08 5:40 p.m.72 views

UPchieve: Failed to validate Session after Password Change

While conducting my research I discovered that the application Failed to validate session after password change. In this scenario changing the password doesn't destroys the other sessions which are logged in with old passwords in another browser. Steps To Reproduce: 1 Login with the same account ...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2021/06/22 10:49 p.m.72 views

GitHub Security Lab: [GO] CWE-1004: Sensitive cookie without HttpOnly

This bug was reported directly to GitHub Security Lab...

7AI score
Exploits0
Hacker One
Hacker One
added 2021/06/22 10:49 p.m.72 views

GitHub Security Lab: [Java] BeanShell Injection

This bug was reported directly to GitHub Security Lab...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2021/04/15 5:11 p.m.72 views

Kryptor: Kryptor/SECURITY.md missing HACKERONE program update.

Hi Team, I was going through code and found that in this https://github.com/samuel-lucas6/Kryptor/blob/master/SECURITY.md , "Security Policy" is missing update regrading Hackerone platform that "Security Bug now be submitted @ https://hackerone.com/kryptor/ this . Please update the policy...

7.3AI score
Exploits0
Hacker One
Hacker One
added 2020/10/21 1:47 p.m.72 views

Shopify: Bypass For #997350 your-store.myshopify.com preview link is leak on third party website Via Online Store

Hi Security Team, Description Full Description in 997350 The owner of that website can perform a security compromise by grabbing those links. Solution: The solution is very very SIMPLE. Just include the following HTML code in the following in code between tags of the html of the page: This will n...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2020/08/20 3:19 p.m.72 views

Dropcontact: Sensitive Information Disclosure

we were displaying sensitive information. While testing the site i was able to disclose sensitive information such as username, passwords, api keys, etc due to DEBUG = True .This bug arose due to default configuration at the backend. Now the bug is fixed. Thanks to the team for the quick fix!...

1.1AI score
Exploits0
Hacker One
Hacker One
added 2020/07/13 10:28 a.m.72 views

Mail.ru: [https://youdrive.today/] Nginx directory traversal

Invalid nginx configuration allowed limited path traversal in youdrive.today and leaking sensitive application data in configuration files. Nginx directory traversal via misconfigured alias leads for disclosing all the configuration. Exploit: https:///static../config.js...

2.4AI score
Exploits0
Hacker One
Hacker One
added 2020/05/05 11:2 p.m.72 views

Topcoder: CSRF on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action

Summary: Hi : There is a CSRF on creating bookmarks form. Steps To Reproduce: There is no CSRF token or anything like that on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action. I added the poc html file below. When someone opens this html file, or we can add it into o...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2020/03/16 9:23 p.m.72 views

PlayStation: Access token stealing.

Summary: https://my.playstation.com/auth/response.html suffers from a misconfiguration which leads to access token stealing. Description: The page...

7AI score
Exploits0
Hacker One
Hacker One
added 2019/11/11 12:36 p.m.72 views

Trint Ltd: SSO bypass in zendesk using trint organization able to leak internal ticket information

Summary hello there because in app.trint.com there's no email verification i able to login in your zendesk SSO using your organization your organization using domain @trint.com because there's no email verification i able to read and takeover + claim this email [email protected] and i able to...

Exploits0
Hacker One
Hacker One
added 2019/08/28 6:42 p.m.72 views

Central Security Project: Unrestricted File Upload Leading to Remote Code Execution

Description As an administrator user it is possible to create files and directories in any location on the file system of the server. This can be abused to write files to any sensitive location on the Windows file system because the Nexus process runs with SYSTEM privileges. This can allows an...

6.5CVSS7.3AI score0.02061EPSS
Exploits0
Hacker One
Hacker One
added 2018/02/03 8:55 p.m.72 views

Node.js third-party modules: [uppy] Stored XSS due to crafted SVG file

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Module: Uppy. Affected version: 0.22.2...

6.3AI score
Exploits0
Total number of security vulnerabilities5000