15369 matches found

Hacker One
• added 2018/05/13 12:57 a.m. • 64 views

Valve: Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution

A malformed .BSP can trigger an Access Violation on CS:GO that can lead to arbitrary code execution on a remote computer. I have attached a copy of the malformed .BSP which reliably triggers an Access Violation on CS:GO. Impact An attacker hosting a malicious server could compromise a remote clie...

4 AI score
Exploits 0

Hacker One
• added 2018/04/11 9:30 a.m. • 64 views

ExpressionEngine: RCE By import channel field

The reporter determined that a malicious Channel Set could be used to allow an administrator to upload a PHP file that they might otherwise not have permission to upload. Combined with the temporary folder name algorithm being available in the source code, the malicious administrator could...

1.8 AI score
Exploits 0

Hacker One
• added 2017/09/01 5:6 p.m. • 64 views

Rockstar Games: Stored XSS on support.rockstargames.com

In this report, the researcher demonstrated an AngularJS injection that allowed them to leave Stored XSS attacks on Support Community threads. We were able to resolve this issue and others by updating the version of AngularJS we run on the Support site...

6.6 AI score
Exploits 0

Hacker One
• added 2017/08/23 4:40 p.m. • 64 views

Gratipay: Gratipay rails secret token (secret_key_base) publicly exposed in GitHub

Summary Gratipay's Rails secret token is publicly exposed on GitHub. Knowing the secret token allows an attacker to impersonate any user in the application. Thanks to EdOverflow for sharing the tips for finding security issues in GitHub projects, below is the referenced github for the analysis...

7.1 AI score
Exploits 0

Hacker One
• added 2017/04/25 12:25 a.m. • 64 views

Weblate: Null Password - Setting a new password doesn't check for empty spaces

Hi Again! As seen your website at https://demo.weblate.org/accounts/password/ Your password can't be too similar to your other personal information. Your password must contain at least 6 characters. Your password can't be a commonly used password. Your password can't be entirely numeric. I found...

7.2 AI score
Exploits 0

Hacker One
• added 2017/01/24 12:2 p.m. • 64 views

Boozt Fashion AB: Email spoofing at booztlet.com

Hello : This There is an Email Spoofing Vulnerability. Steps to reproduce: 1 Go to http://emkei.cz/ 2 Fill "From Email" field to [email protected] or any other booztlet email. 3 Fill the victim's address your address to "TO" field and fill in other details as you wish. You will receive email fro...

6.8 AI score
Exploits 0

Hacker One
• added 2016/07/27 3:2 p.m. • 64 views

Shopify: Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181

What is Zookeeper? ==================== Zookeeper is a coordination service for distributed applications. It allows common services such as naming, synchronisation, configuration management and group services to be managed by a simple interface and It uses a data model of File System on an...

0.6 AI score
Exploits 0

Hacker One
• added 2016/02/24 11:0 p.m. • 64 views

Coinbase: XSSI (Cross Site Script Inclusion)

Hi, https://www.coinbase.com/pusher/auth returns sensitive a json auth-token response that can be parsed by javascript JSON.parse from external site. this can easily be mitigated by putting // or // chars at the beginning of the json response and thus making functions like JSON.parse unable to ge...

6.7 AI score
Exploits 0

Hacker One
• added 2015/04/20 8:0 p.m. • 64 views

Shopify: amazon aws s3 bucket content is public :- http://shopify.com.s3.amazonaws.com/

An Amazon S3 bucket http://shopify.com.s3.amazonaws.com/ was unintentionally left with directory listing enabled. Even though the files in the bucket were all publicly accessible, it was not intended for the directory listing to be visible...

0.3 AI score
Exploits 0

Hacker One
• added 2014/11/30 9:33 a.m. • 64 views

Eobot: Multiple information disclosure

This script can help hackers check leaked email bases on registration with eobot without ban and etc.. https://www.eobot.com/[email protected] email disclosure in google google dork: site:eobot.com inurl:"widget.aspx" in result we see requests with email of your users...

6.7 AI score
Exploits 0

Hacker One
• added 2014/04/11 9:55 p.m. • 64 views

Yahoo!: Bypass of the Clickjacking protection on Flickr using data URL in iframes

Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...

6.7 AI score
Exploits 0

Hacker One
• added 2014/03/13 2:8 p.m. • 64 views

Phabricator: OAuth Stealing Attack (New)

Hi Evan, I found a new and more dangerous way to steal phabricator facebooks oauth tokens,codes, In this case, I exploited the behavior of Phabricator OAuth Dialog, If you provide a different scope in phabricator OAuth Dialog...

1.2 AI score
Exploits 0

Hacker One
• added 2025/08/20 8:18 a.m. • 63 views

curl: curl leaks destination IP via glibc getaddrinfo() UDP connect, bypassing SOCKS5/Tor

Summary: When using curl with a SOCKS5 proxy e.g. Tor on 127.0.0.1:9050, glibc getaddrinfo performs direct UDP connect probes to the target’s IP:443. These syscalls bypass the proxy and expose the user’s route to the destination, breaking anonymity expectations. The IPs I got in my case:...

6.8 AI score
Exploits 0

Hacker One
• added 2023/12/30 10:58 a.m. • 63 views

Internet Bug Bounty: Request Smuggling in Apache Tomcat (Important, CVE-2023-45648)

A vulnerability in Apache Tomcat versions 11.0.0-M1 to 11.0.0-M11, 10.1.0-M1 to 10.1.13, 9.0.0-M1 to 9.0.80, and 8.5.0 to 8.5.93 allowed HTTP request smuggling due to improper parsing of trailer headers. This could be exploited by a remote attacker to bypass security controls when Tomcat was...

5.3 CVSS • 6.3 AI score • 0.05848 EPSS
Exploits 2

Hacker One
• added 2023/02/14 5:34 p.m. • 63 views

Bitwarden: Biometric key is stored in Windows Credential Manager, accessible to other local unprivileged processes

A vulnerability in Bitwarden Desktop for Windows allowed a local attacker to access the biometric master key used for unlocking the vault through Windows Hello. The key was stored in plaintext in the Windows Credential Manager, accessible to any local unprivileged process. This allowed an attacke...

7.1 CVSS • 6.8 AI score • 0.00585 EPSS
Exploits 1

Hacker One
• added 2022/07/08 3:43 a.m. • 63 views

Internet Bug Bounty: CVE-2022-32214 - HTTP Request Smuggling Due To Improper Delimiting of Header Fields

Original Report: https://hackerone.com/reports/1524692 Impact Depending on the specific web application, HRS can lead to cache poisoning, bypassing of security layers, stealing of credentials and so on...

6.4 CVSS • 7.2 AI score • 0.77278 EPSS
Exploits 1

Hacker One
• added 2021/07/12 10:0 p.m. • 63 views

Shopify: Exposed Cortex API at https://cortex-ingest.shopifycloud.com/

Hi there, to be honest this is the first time I have seen this type of asset, but I think it is interesting/not supposed to be exposed. There is a Cortex metrics server running without authentication on https://cortex-ingest.shopifycloud.com/. This allows us to see the config for the server, call...

0.1 AI score
Exploits 0

Hacker One
• added 2021/06/12 4:15 a.m. • 63 views

Acronis: bypass sql injection #1109311

hello dear support i have found SQL injection and bypass this case 1109311 Tests performed: 0'XORifnow=sysdate,sleep15,0XOR'Z = 20.002 0'XORifnow=sysdate,sleep6,0XOR'Z = 7.282 0'XORifnow=sysdate,sleep0,0XOR'Z = 0.912 0'XORifnow=sysdate,sleep15,0XOR'Z = 16.553 0'XORifnow=sysdate,sleep3,0XOR'Z =...

0.1 AI score
Exploits 0

Hacker One
• added 2021/06/10 1:52 p.m. • 63 views

Nextcloud: Sensitive files/ data exists post deletion of user account

In the latest android app ,I created an account in the name of [email protected]. After few activities,deleted the account . Files containing user emails and tokens still exist.Relevant files not deleted upon deletion of account. Content of files post deletion of account:...

2.1 CVSS • 1.7 AI score • 0.00363 EPSS
Exploits 1

Hacker One
• added 2021/05/07 5:14 p.m. • 63 views

Internet Bug Bounty: "urllib" will result to deny of service

if a client request a http/https/ftp service which is controlled by attacker, attacker can make this client hang forever, even client has set "timeout" argument. maybe this client also will consume more and more memory. i does not test on this conclusion. client.py import urllib.request req =...

7.1 CVSS • 7.8 AI score • 0.11586 EPSS
Exploits 1

Hacker One
• added 2021/04/15 9:54 p.m. • 63 views

UPchieve: User enumeration through forget password

Vulnerability:- -User enumeration is possible through forgot password feature. steps to reproduce:- -Go to the above selected domain and go to forgot password. -submit random email and then intercept request by burp suit -in response you will get HTTP/1.1 500 Internal Server Error with "err":"No...

7 AI score
Exploits 0

Hacker One
• added 2021/03/23 8:28 p.m. • 63 views

GitHub Security Lab: [Java] CWE-297: Insecure LDAP endpoint configuration

This bug was reported directly to GitHub Security Lab...

1.3 AI score
Exploits 0

Hacker One
• added 2021/02/02 6:49 a.m. • 63 views

U.S. Dept Of Defense: Self stored Xss + Login Csrf

Description: User can set username between 8-20 alphanumeric characters, but with the help of inspect element attacker can manipulate ██████= & can insert a xss payload resulting in self stored xss & with the help of login csrf attacker can force the victim into attacker's account causing...

Exploits 0

Hacker One
• added 2020/08/24 2:31 p.m. • 63 views

Open-Xchange: Null dereference in `cmd_denotify_operation_execute`

To reproduce, run test suite on following input : require "vnd.dovecot.testsuite"; require "notify"; require "envelope"; test "D Middle" // notify :options "timo@exat"; denotify :is "noot"; if not testresultexecute testfail "fat"; Output is with ASAN enabled stack trace...

2.1 AI score
Exploits 0

Hacker One
• added 2020/08/20 1:45 a.m. • 63 views

Mail.ru: CVE-2016-6415 on api-staging.plazius.ru [46.148.201.218]

Unpatched CVE-2016-6415 vulnerability could potentially lead to information disclosure on the host in plazius.ru infrastructure...

5 CVSS • 1.5 AI score • 0.87687 EPSS
Exploits 7

Hacker One
• added 2020/05/07 6:5 a.m. • 63 views

X (Formerly Twitter): XSS via referrer parameter

Description Hi, i would like to report an XSS via javascript scheme in https://www.twitterflightschool.com/student/award/ID?referer=, the payload e need just a click of user to be triggered because the link will be placed in a tag...

6.3 AI score
Exploits 0

Hacker One
• added 2020/03/19 4:44 p.m. • 63 views

Internet Bug Bounty: Cache Poisoning

Summary: An attacker can cause Squid to return to the user attacker controlled data, for any domain. From Squid-4.7 and below both HTTPS and FTP could be poisoned. This is due to Squid URL decoding parts of the Request URL and using that to create a hash. Request that decode to the same URL will...

7.5 CVSS • 8.6 AI score • 0.04151 EPSS
Exploits 0

Hacker One
• added 2020/03/04 9:18 a.m. • 63 views

Lark Technologies: SSRF with information disclosure

A SSRF server side request forgery vulnerability was identified in the messenger endpoint of Lark Suite which could have exposed internal credentials used by the server. We thank @jin0ne for reporting this to our team...

1.8 AI score
Exploits 0

Hacker One
• added 2020/02/04 10:31 a.m. • 63 views

Visma Bug Bounty Program: Stored XSS in 'Notes'

A logged-in user can inject JavaScript code into a specifically crafted Note on a document, such as a Invoice, which will be executed when another user, logged in to the same company, edits the Note...

1.9 AI score
Exploits 0

Hacker One
• added 2020/01/18 4:13 a.m. • 63 views

BlockDev Sp. Z o.o: xmlrpc.php FILE IS enable it will used for Bruteforce attack

xmlrpc.php FILE IS enable it will used for Bruteforce attack...

1.4 AI score
Exploits 0

Hacker One
• added 2019/12/14 6:19 a.m. • 63 views

Nord Security: Host header injection/redirection | signup and login page

Hey Team. There's a host header injection vulnerability in signup and login page. If possible, the application should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways: Remove the redirection function from the application,...

7.2 AI score
Exploits 0

Hacker One
• added 2019/06/22 12:4 a.m. • 63 views

Nextcloud: Wordpress Users Disclosure

Information Using REST API, we can see all the WordPress users/author with some of their information. Step to Reproduce You can get user info by entering below url in your browser: https://nextcloud.com/wp-json/wp/v2/users Reference: 356047 Impact Authors : LTR , LTREditor can be created scenario...

1.2 AI score
Exploits 0

Hacker One
• added 2019/04/30 8:12 p.m. • 63 views

TomTom: Reflected XSS on www.tomtom.com

Summary: XSS on www.tomtom.com is very dangerous, if this vulnerability misused by Attacker to steal cookie it will be fatal for other users. Proof of Concept: - I tried to visit https://www.tomtom.com/enau/search/ - Then, search using keyword: TEST" - I realized double quote " is reflected - So,...

Exploits 0

Hacker One
• added 2019/04/05 10:45 a.m. • 63 views

Shopify: STAFF member with NO Explicit permissions can view `ActivityFeed` via GraphQL

Hi, This is similar to 95589. I noticed that ActivityFeeds are now being fetched by GraphQL call on Shopify. But from my testing, I noticed that STAFF member with NO EXPLICIT permissions can fetch store's activity feed by calling the vulnerable endpoint. STEPS 1.STAFF member is not assigned any...

0.9 AI score
Exploits 0

Hacker One
• added 2018/12/19 4:43 p.m. • 63 views

Keybase: Privilege Escalation via Keybase Helper (incomplete security fix)

In the previous report, about the privileged helper lacks of validation so any applications can abuse it to gain root privilege. But the security fix is incomplete. I can describe 3 different ways to bypass possibly 4, I doubt. All the poc are simplified to not sending the actual attack payload,...

8.3 AI score
Exploits 0

Hacker One
• added 2018/12/06 3:30 a.m. • 63 views

Internet Bug Bounty: null pointer dereference in imap_mail

in imapmail if message args is null, in phpimapmail no check whether message can get, so crash. fprintfsendmail, "\n%s\n", message; /usr/local/php/bin/php ./craxxx.php Warning: imapmail: No message string in mail command in /home/fan/github/php-7.2.10/myselffuzz/craxxx.php on line 3 sh: 1: -t: no...

5 CVSS • 7.6 AI score • 0.07065 EPSS
Exploits 0

Hacker One
• added 2018/11/26 4:2 a.m. • 64 views

Liberapay: Broken Authentication and session management OWASP A2

Hello @liberapay, Description: It seems now if attacker has csrf token & victim cookies then attacker can easily login to victim account without any login details. No need Of Any Username/Password Theory Proof-Of-Concept: - Go to https://liberapay.com/admin.101/edit/username any username/Self...

0.4 AI score
Exploits 0

Hacker One
• added 2018/11/14 5:29 a.m. • 63 views

Smule: Open Redirect on smule.com

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: Open Redirect at smule.com You...

6.9 AI score
Exploits 0

Hacker One
• added 2018/09/14 5:20 p.m. • 63 views

Valve: XSS in steam react chat client

The Steam chat client both sends and receives bbcode format chat messages. These map to HTML elements, and notably the url bbcode tag is supported for arbitrary URLs. React has strong XSS mitigations but does not mitigate javascript: URI based XSS. This is rather difficult to exploit as the clien...

1 AI score
Exploits 0

Hacker One
• added 2018/07/10 1:14 p.m. • 63 views

Starbucks: svcardproxydevus.starbucks.com Subdomain take over

You have left a dns record pointing to a dead cloudapp vm. svcardproxydevus.starbucks.com - s00307ntmp0svcardproxydev0.trafficmanager.net - s00307dpipsvcardproxy00.eastus.cloudapp.azure.com = Dead Impact 1 Attacker takes over subdomain and then puts something like porn or something that shouldn't...

0.3 AI score
Exploits 0

Hacker One
• added 2018/06/26 3:1 a.m. • 63 views

Internet Bug Bounty: CVE-2018-12882: heap-use-after-free in PHP 7.2 through 7.2.6, possible 7.2.7

exifreaddata in PHP 7.2 through 7.2.6 and possibly 7.2.7 is vulnerable to a heap use after free when fed a specially crafted JPEG. Any online service that uses PHP 7.2 and reads EXIF data from uploaded JPEGs is potentially vulnerable to this flaw. USEZENDALLOC=0 ./php-e147eb2 -r...

7.5 CVSS • 9.6 AI score • 0.068 EPSS
Exploits 0

Hacker One
• added 2018/01/31 2:46 a.m. • 63 views

Node.js third-party modules: Prototype pollution attack (assign-deep)

As discussed in 309391, here's the separate report for each of the library. This one is the information for the assign-deep library. Module: assign-deep Summary: Utilities function in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker control part of...

6.5 CVSS • 8.9 AI score • 0.02019 EPSS
Exploits 1

Hacker One
• added 2018/01/18 8:52 p.m. • 63 views

Pornhub: xss

The researcher found a GET parameter, the value of which was output in the page source, resulting in XSS...

1.2 AI score
Exploits 0

Hacker One
• added 2017/08/28 3:38 p.m. • 63 views

Legal Robot: Coding error !

here this is my mail id : [email protected] and pass : [email protected] i am able to set password as same as gmail address , but cant able to login , this was the issue here...

1.4 AI score
Exploits 0

Hacker One
• added 2017/05/27 9:46 a.m. • 63 views

Cuvva: Missing Rate limiting on https://underwriter.partner.cuvva.com/login

Duplicate of 231380...

6.9 AI score
Exploits 0

Hacker One
• added 2017/04/19 10:30 a.m. • 63 views

Homebrew: Stack Trace on jenkins.brew.sh

221833 is not fully patched. Kindly take a look at https://jenkins.brew.sh/jacegisecuritycheck still stack traces are visible. Let me know if any further info required. Best Regards, MrR3boot...

1 AI score
Exploits 0

Hacker One
• added 2017/04/07 3:29 a.m. • 63 views

Uber: Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com

Summary This is not a standard vulnerability, but a chain of two more exotic vulnerabilities leading to a full authentication bypass of your SSO login system at auth.uber.com via saostatic.uber.com. The root cause of this authentication bypass is two-fold: 1. Subdomain saostatic.uber.com was...

0.2 AI score
Exploits 0

Hacker One
• added 2016/12/11 3:49 p.m. • 63 views

Gratipay: Gratipay uses the random module's cryptographically insecure PRNG.

Dear Gratipay bug bounty team, Summary --- Gratipay currently uses the random module's pseudo-random number generator which is not a cryptographically secure PRNG as stated in the docs: The pseudo-random generators of this module should not be used for security purposes. For security or...

Exploits 0

Hacker One
• added 2016/11/29 3:4 a.m. • 63 views

HackerOne: Internal attachments can be exported via "Export as .zip" feature

Hello HackerOne Team This newly disclosed report: 182358 Partial disclosure of report activity through new "Export as .zip" feature was not completely fix. I have found that i can still view the attachment after it is being removed on the thread. Best PoC is this 182358 since this is the newly fi...

0.5 AI score
Exploits 0

Hacker One
• added 2016/11/11 10:43 p.m. • 63 views

Ubiquiti Inc.: Subdomain Takeover (moderator.ubnt.com)

Hello Team This report is same as 179110 One of your subdomain http://moderator.ubnt.com is pointing towards 216.58.203.243 moderator.ubnt.com 216.58.203.243 ghs.google.com 216.58.203.243 ghs.l.google.com F134183 And it is unclaimed When I open it it is showing F134184 Impact :- An attacker can...

0.2 AI score
Exploits 0

Total number of security vulnerabilities: 5000