HackerOne, most viewed: 15365 matches found

Source: Hacker One, added 2018/09/24 3:35 p.m., 68 views

Chaturbate: Open redirect on chaturbate.com (tipping/purchase_success)

Hi, I would like to report an open redirect issue on https://chaturbate.com/ Description An attacker can redirect a user to any external website using the parameter prejoindata, this parameter seems to miss sanitization. Steps to Reproduce Visit the following url:...

AI score: 0.1
Exploits: 0

Source: Hacker One, added 2018/09/17 11:05 p.m., 68 views

Vanilla: Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical)

Summary: An unauthenticated attacker can inject a serialized payload into a phar archive and trigger read access to it via an unprotected getimagesize. The attacker can leverage this to deserialize untrusted data and gain remote code execution. Notes: - THIS BUG IS UNAUTHENTICATED, however you...

AI score: 8.1
Exploits: 0

Source: Hacker One, added 2018/07/17 2:01 p.m., 68 views

Shopify: Potential SSRF and disclosure of sensitive site on *shopifycloud.com

Note: I am reporting this after talking with @shopify-peteryaworski Summary There is a staging/testing site for payment cancellations and refunds at shopifycloud.com. This site allows sending post request and fetching the response back to the user. This leads to SSRF because it allows fetching...

AI score: 0.5
Exploits: 0

Source: Hacker One, added 2018/02/01 12:21 a.m., 68 views

Node.js third-party modules: Prototype pollution attack (mixin-deep)

As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the mixin-deep library. Module: mixin-deep Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker controls part of the...

CVSS: 6.5, AI score: 8.9, EPSS: 0.02123
Exploits: 1

Source: Hacker One, added 2017/10/04 11:56 a.m., 68 views

Snapchat: Subdomain Takeover via Unclaimed WordPress site

@ysx found a bitstripsforschools CNAME entry pointing to an unclaimed WordPress domain, which could be taken over by an external party. The CNAME entry was for a product that is no longer active. An unclaimed WordPress domain mapping upgrade could be leveraged to assume the...

AI score: 2.1
Exploits: 0

Source: Hacker One, added 2017/09/04 9:35 a.m., 68 views

Legal Robot: Bypass email verification when register new account

Hi Legalrobot, I have found a way to ignore "Activate your account" in my mailbox. Here is my new account: [email protected] and the activation link: https://app.legalrobot-uat.com/email-verify?v=1Y5wiWwcvGcxznjlUsO-TuyEZgFpVbxMmQdfpEKrVTp I never click on that link and I can still log in at...

AI score: 0.5
Exploits: 0

Source: Hacker One, added 2017/08/16 7:14 a.m., 68 views

Legal Robot: Improper validation of parameters while creating issues

Heya LegalRobot Team, There is some Improper Access Control on the /Issues/insert endpoint, which leads to three notable vulnerabilities. ----- The first allows attackers to create public issues without undergoing review by setting state: "Open" and public: true. A sample request is given below:...

AI score: 2.4
Exploits: 0

Source: Hacker One, added 2017/07/12 10:27 a.m., 68 views

Internet Bug Bounty: PHP WDDX Deserialization Heap OOB Read in timelib_meridian()

Description: While deserializing an invalid dateTime value, wddx_deserialize would result in a heap out-of-bounds read in timelib_meridian. As wddx_deserialize is exposed to network data, and sometimes echoes the results back to the client, this issue could potentially allow remote peeking of the process...

CVSS: 5, AI score: 8.4, EPSS: 0.04812
Exploits: 0

Source: Hacker One, added 2017/07/06 5:35 a.m., 68 views

WakaTime: Running 2 accounts with a single email

Hi, While testing, I found a logic flaw which allowed me to make two accounts with a single email. Reproduction Steps: 1- Create one account with [email protected] 2- another with [email protected] or [email protected] etc. 3- Emails of both accounts will arrive at [email protected]. Fix: Don't allow "+" in emails. Thank...

AI score: 1
Exploits: 0

Source: Hacker One, added 2017/06/17 1:20 p.m., 68 views

Shopify: Stored XSS in *.myshopify.com

Hello, First of all I noticed that this is out of scope: "Any issue related to the storefront area being displayed in an element in the admin area, for example in the Theme Editor." This is not in the storefront and this will be set in an XSS payload. 1. Go to https://YOUR...

AI score: 6.2
Exploits: 0

Source: Hacker One, added 2017/04/18 7:42 a.m., 68 views

Internet Bug Bounty: Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308)

This issue is very similar to CVE-2016-6307. The underlying defect is different but the security analysis and impacts are the same except that it impacts DTLS. A DTLS message includes 3 bytes for its length in the header for the message. This would allow for messages up to 16Mb in length. Message...

CVSS: 7.1, AI score: 7.5, EPSS: 0.14067
Exploits: 0

Source: Hacker One, added 2017/03/18 10:57 p.m., 68 views

Rockstar Games: Login form on non-HTTPS page

Summary: ======= A page on a microsite is not fully protected by an SSL certificate. This could allow an attacker in a Man-in-the-Middle position to obtain usernames and passwords of users visiting the site. Description: ======= On the Red Dead Redemption subpage, the comments section on news...

AI score: 0.4
Exploits: 0

Source: Hacker One, added 2017/01/23 11:34 a.m., 68 views

Alvosec: Alvocrypt uses a cryptographically insecure PRNG.

Dear Alvosec bug bounty team, Summary --- A PRNG is an algorithm used to produce random-looking numbers with certain desirable statistical properties. In order for a PRNG to be cryptographically secure it must be resistant to prediction. The generatepass function in Alvocrypt currently uses...

AI score: 6.7
Exploits: 0

Source: Hacker One, added 2016/10/15 3:58 p.m., 68 views

Vimeo: Disclosure of sensitive information through Google Cloud Storage bucket

An insecure bucket was discovered on the GCP platform that had some debug information in it. Steps were taken to secure the bucket and its contents...

AI score: 1.1
Exploits: 0

Source: Hacker One, added 2016/09/20 2:33 a.m., 68 views

Internet Bug Bounty: CVE-2016-7418 PHP Out-Of-Bounds Read in php_wddx_push_element

CVE-2016-7418 PHP Out-Of-Bounds Read in php_wddx_push_element 1. Affected Version + PHP 7.0.10 + PHP 5.6.25 2. Credit This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB. 3. Testing Environments + OS: Ubuntu + PHP: 7.0.10 + Compiler: Clang + CFLAGS: -g -O0 -fsanitize=address 4. PoC...

CVSS: 5, AI score: 8.1, EPSS: 0.11402
Exploits: 1

Source: Hacker One, added 2016/08/26 12:19 p.m., 68 views

New Relic: Java RMI (Remote Code Execution)

Hello guys, while I was testing your site I found an interesting domain of newrelic, which is pinger-master.newrelic.com, and when I visit that domain it says unable to connect with the host. Then I quickly did an nslookup and got these results: fish@punt $ nslookup pinger-master.newrelic.com Server:...

AI score: 7.9
Exploits: 0

Source: Hacker One, added 2016/06/23 4:49 p.m., 68 views

Uber: Authentication Issue for easter egg on bonjour.uber.com

This is probably ok, almost definitely just informative, but I thought I would throw it out here anyway: bonjour.uber.com hosts an easter egg; view source and scroll down, where the passcode is insecurely stored as a javascript variable. The source for the easter egg is: html //error easter egg -...

AI score: 7
Exploits: 0

Source: Hacker One, added 2016/02/18 6:25 p.m., 68 views

Gratipay: Prevent content spoofing on /~username/emails/verify.html

Hi, When a user adds his email, a verification link is sent to that email. The link looks like this: https://gratipay.com/exampleuser/emails/verify.html?email=example%40gmail.com&nonce=cb2487f6-61cf-4a8a-81af-c8fab6fe0f90 The link has three changeable things. 1. Username ex: exampleuser ...

AI score: 6.8
Exploits: 0

Source: Hacker One, added 2016/01/10 10:10 a.m., 68 views

Ubiquiti Inc.: Subdomain Takeover in http://assets.goubiquiti.com/

Hi there, It's an urgent issue about your subdomain http://assets.goubiquiti.com pointing to AWS S3 but no such website configuration is made. This unused subdomain can be claimed by anyone and fully taken over. An attacker can fully take over this subdomain and do whatever he wants. This can cause huge...

AI score: 6.9
Exploits: 0

Source: Hacker One, added 2015/07/30 12:00 a.m., 68 views

Internet Bug Bounty: Multiple Use After Free Vulnerabilities in unserialize()

https://bugs.php.net/bug.php?id=70166 https://bugs.php.net/bug.php?id=70168 https://bugs.php.net/bug.php?id=70169...

CVSS: 7.5, AI score: 8.3, EPSS: 0.07057
Exploits: 0

Source: Hacker One, added 2014/07/20 10:42 p.m., 68 views

Internet Bug Bounty: rsync hash collisions may allow an attacker to corrupt or modify files

The rsync algorithm synchronizes remote files in 3 steps: - The receiver divides the basis file into 700-byte blocks, performing two checksums on each block: a rolling checksum based on Adler32 and an md5 sum - The sender then scans its version of the file byte-by-byte looking for matches agains...

AI score: 7.1
Exploits: 0

Source: Hacker One, added 2024/04/07 2:32 p.m., 67 views

Internet Bug Bounty: Proxy-Authorization header not cleared on cross-origin redirect in undici.request

The Proxy-Authorization header was not cleared on cross-origin redirects in the Undici HTTP client library. This issue was reported and patched in later versions of Undici...

CVSS: 4.3, AI score: 4.6, EPSS: 0.00734
Exploits: 0

Source: Hacker One, added 2023/12/29 2:22 a.m., 67 views

curl: CVE-2024-0853: OCSP verification bypass with TLS session reuse

A vulnerability was identified in cURL version 8.5.0 that allowed revoked certificates to be accepted when reusing a TLS session. The issue was caused by a correction that inadvertently skipped OCSP stapling verification during TLS session reuse. This allowed revoked certificates to be accepted i...

CVSS: 5.3, AI score: 4.7, EPSS: 0.01102
Exploits: 1

Source: Hacker One, added 2023/12/03 2:02 p.m., 67 views

Valve: Web API key registration allows registering multiple keys by reusing `request_id`

A vulnerability was found in the Steam API key registration process that allowed multiple API keys to be registered for an account by reusing the request ID. The issue was fixed by updating the request ID after successful confirmation. Accounts with multiple keys were corrected...

AI score: 7
Exploits: 0

Source: Hacker One, added 2022/08/12 6:14 p.m., 67 views

KAYAK: 1 click Account takeover via deeplink in [com.kayak.android]

Vulnerability description not provided...

AI score: 7.1
Exploits: 0

Source: Hacker One, added 2021/09/20 9:58 p.m., 67 views

GitHub Security Lab: ihsinme: Add query for CWE-758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

This bug was reported directly to GitHub Security Lab...

AI score: 2.2
Exploits: 0

Source: Hacker One, added 2021/07/27 12:14 p.m., 67 views

U.S. Dept Of Defense: Sensitive data exposure via /secure/QueryComponent!Default.jspa endpoint on ████████

Description: Hi, While going through the testing of DoD assets, I came across a subdomain that is vulnerable to CVE-2020-14179. Some of the internal fields that are exposed are Project, Status, Limits, Creator, Query, Created Date, Updated Date, Resolution Date, etc. References...

CVSS: 5, AI score: 1.5, EPSS: 0.76042
Exploits: 1

Source: Hacker One, added 2021/02/24 3:19 p.m., 67 views

DuckDuckGo: Reflected/Stored XSS on duckduckgo.com

Hi DuckDuckGo, While browsing normally, since I use DuckDuckGo on a daily basis, I discovered an interesting stored XSS on the DuckDuckGo main search engine. A payload that somebody had left on urbandictionary.com had triggered an HTML injection, and a stored XSS as a result. Steps to Reproduce 1...

AI score: 0.2
Exploits: 0

Source: Hacker One, added 2021/02/15 11:12 a.m., 67 views

HackerOne: HackerOne Jira integration plugin Leaked JWT to unauthorized jira users

Summary: HackerOne provides an application tool HackerOne for Jira, an application that allows programs to track security issues through a jira instance. After testing the integration feature in the application, it was found that the application leads to the leakage of the JWT to unauthorized...

AI score: 7
Exploits: 0

Source: Hacker One, added 2021/02/12 10:41 a.m., 67 views

Concrete CMS: Authenticated path traversal to RCE

crayons Description The bFilename parameter in the scenario index.php/ccm/system/dialogs/block/design/submit is vulnerable to remote code execution via path traversal vulnerability. Authenticated attacker with rights to edit web application pages can upload malicious PNG file containing PHP code...

CVSS: 6.5, AI score: 9, EPSS: 0.02425
Exploits: 0

Source: Hacker One, added 2020/11/26 6:57 p.m., 67 views

Zomato: SQL Injection in www.hyperpure.com

Vulnerable Request: PUT /consumer/onboarding/saleslead/6b6a8a5a-4a74-46db-b2fe-32a46f927ecc HTTP/1.1 Host: api.hyperpure.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5...

AI score: 7
Exploits: 0

Source: Hacker One, added 2020/11/04 7:53 p.m., 67 views

Basecamp: Information Disclosure of Garbage Collection Cycle 'Again'

A diagnostic subdomain was still available publicly after being reported (https://hackerone.com/reports/981796) and remediated. Subsequently a researcher was able to access the subdomain. Disclosure has been limited as the report contains low-sensitivity information, but sensitive nonetheless...

AI score: 0.2
Exploits: 0

Source: Hacker One, added 2020/10/18 3:35 a.m., 67 views

Shopify: Low Privileged Staff Member Can Export Billing Charges

Details: I'm not 100% sure about this because I don't have billing transactions on my account. However, from my experience of how the Shopify backend responds, I think this is a valid finding; it just needs confirmation from Shopify's security team. A GraphQL mutation billingChargesExport can be used by a...

AI score: 7
Exploits: 0

Source: Hacker One, added 2020/08/04 7:20 p.m., 67 views

Mail.ru: Public access to Sidekiq dashboard at shopper.sbermarket.ru

Anonymous access to Sidekiq process dashboard was available on shopper.sbermarket.ru...

AI score: 2.8
Exploits: 0

Source: Hacker One, added 2020/06/03 9:05 a.m., 67 views

Mail.ru: [account.mail.ru] XSS vulnerability in the login form

User-assisted XSS in account.mail.ru due to unsafe usage of GET parameter. I think this XSS is an excellent example of how filtering HTML characters in input data is not always a sufficient protective measure. If we are going to disclose the vulnerability, here is a better demonstration, without my cookies...

AI score: 6.1
Exploits: 0

Source: Hacker One, added 2020/06/02 1:10 p.m., 67 views

h1-ctf: [H1-2006 2020] CTF Writeup!

The Beginning ===================== The scope of the H1-2006 CTF was .bountypay.h1ctf.com. After opening https://bountypay.h1ctf.com, I noticed that on the top left of the screen there was a dropdown with two login pages: one for Customers https://app.bountypay.h1ctf.com/ and one for Staff...

AI score: 7.6
Exploits: 0

Source: Hacker One, added 2020/05/26 3:31 p.m., 67 views

Kubernetes: DoS for client-go jsonpath func

Summary: jsonpath recursive descent causes a DoS vulnerability; kubectl, apiextensions-apiserver, cli-runtime and kubernetes depend on client-go. I think evalRecursive is the cause of this vulnerability; function position: client-go/util/jsonpath/jsonpath.go:451. Component Version: client-go:master. Steps To Reproduce: i...

AI score: 7.1
Exploits: 0

Source: Hacker One, added 2020/02/19 3:54 p.m., 67 views

Stripo Inc: XSRF Token is Not being validated when sending emails test request which lead to CSRF attack using the flash file + 307 redirect technique

XSRF Token is Not being validated when sending emails test request which lead to CSRF attack using the flash file + 307 redirect technique...

AI score: 1.4
Exploits: 0

Source: Hacker One, added 2019/11/26 10:37 a.m., 67 views

Nextcloud: SSRF on local storage of iOS mobile

The tester uploaded the text file, containing "test ssrf" message, in order to proof SSRF attack. 2. Next, the tester uploaded the common file and then manipulate the content and extension file to html format in order to find the application path: 3. The tester access that file and found the...

Exploits: 0

Source: Hacker One, added 2019/10/31 3:14 a.m., 67 views

VK.com: Minor vulnerability in link handling

A problem with link parsing. In 2013 there was a bug that allowed the user to be redirected to a link when clicking "like" on a post. You needed to encode any link as an HTML entity of the form & ; and after publishing, the post's markup immediately broke. Back then this seemingly harmless hole...

AI score: 6.9
Exploits: 0

Source: Hacker One, added 2019/05/25 11:25 p.m., 67 views

Valve: [CS 1.6] Map cycle abuse allows arbitrary file read/write

The CS 1.6 server has a feature of map cycle - i.e. automatic map change after specified period of time. This feature relies on data of the file specified in mapcyclefile cvar. Any user with RCON access to the server can set this variable to arbitrary value - no input sanitization applies. In ord...

AI score: 0.3
Exploits: 0

Source: Hacker One, added 2019/04/19 8:00 p.m., 67 views

Dropbox: Algorithmic complexity vulnerability in ZXCVBN leads to remote denial of service attack

@davidrenardy discovered that the ZXCVBN algorithm is quadratic in time complexity, which implies that the user can submit an arbitrarily long password to the library, leading to a potential denial of service attack if performed at scale. Given how ZXCVBN is used at Dropbox, we accept the Denial ...

AI score: 2.7
Exploits: 0

Source: Hacker One, added 2018/11/21 12:42 a.m., 67 views

HackerOne: Embedded submission form UUIDs can be enumerated through GraphQL node interface, exposing sensitive program details

It's possible for an attacker to enumerate embedded submission form UUIDs through HackerOne's GraphQL node interface. In normal application behavior, an embedded submission form is queried through GraphQL with a UUID. These UUIDs are random and they're not susceptible to brute force attacks...

AI score: 0.3
Exploits: 0

Source: Hacker One, added 2018/10/20 1:03 p.m., 67 views

Zomato: [www.zomato.com] CORS Misconfiguration, could lead to disclosure of sensitive information

Summary: Cross Origin Resource Sharing Misconfiguration | Lead to sensitive information. Description: An HTML5 cross-origin resource sharing CORS policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy ...

Exploits: 0

Source: Hacker One, added 2018/07/20 7:20 a.m., 67 views

Internet Bug Bounty: Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c

This bug was reported to PHP last month and a fix was made public last week: https://bugs.php.net/bug.php?id=76423 Heap OverFlow in exif_thumbnail_extract of exif.c. This vulnerability can be triggered by exif_read_data on any 32-bit system. exif.c:2947: if (ImageInfo->Thumbnail.offset +...

CVSS: 5, AI score: 8.2, EPSS: 0.08975
Exploits: 1

Source: Hacker One, added 2018/03/24 5:23 a.m., 67 views

New Relic: Drupal admin takeover via install.php not being performed prior to install.

@grampae discovered an uninitialized Drupal instance running on one of our properties being hosted by a third party provider, an issue we've seen previously. To prevent this issue from surfacing again, we decommissioned the related domains and contacted the provider with details of the issue...

AI score: 2.3
Exploits: 0

Source: Hacker One, added 2018/01/26 10:06 p.m., 67 views

Node.js third-party modules: [simplehttpserver] Stored XSS in file names leads to malicious JavaScript code execution when directory listing is output in HTML

Hi Guys, simplehttpserver allows embedding HTML in file names, which in certain conditions might lead to executing malicious JavaScript. Module: 'simplehttpserver' is a simple imitation of Python's SimpleHTTPServer and intended for testing, development and debugging purposes...

CVSS: 3.5, AI score: 5.6, EPSS: 0.00638
Exploits: 1

Source: Hacker One, added 2018/01/12 10:26 p.m., 67 views

Grab: Unrestricted access to https://██████.█████myteksi.net/

Hello again Grab Security Team! Following my previous research, it seems that the microservices architecture you are currently running on .█████myteksi.net is publicly exposed on another endpoint: https://█████████.█████myteksi.net. Summary: When researching and starting a new enumeration of...

AI score: 6.5
Exploits: 0

Source: Hacker One, added 2018/01/08 6:49 p.m., 67 views

Coursera: [www.coursera.org] Leaking password reset link on referrer header

Hi team, the user gets an email with a password reset link; when opening it you are redirected to the password reset page, and when clicking on external links within the reset password page the password reset token is leaked in the referer header. Steps: 1. open lost password page 2. enter your email and cli...

AI score: 6.9
Exploits: 0

Source: Hacker One, added 2017/11/06 9:13 a.m., 67 views

Internet Bug Bounty: CVE-2017-13090 wget heap smash

The retr.c:fd_read_body function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in piec...

CVSS: 9.3, AI score: 8.3, EPSS: 0.36563
Exploits: 0

Total number of security vulnerabilities: 5000