HackerOne reports, sorted by most viewed

15371 matches found

Hacker One, added 2021/08/07 3:20 a.m., 59 views

Twitter Algorithmic Bias: Underrepresentation Bias through Twitter's Cropping Algorithm #2: Favoring Animals over Black People

Bounty Hunter Name: CyberQueenMeg About You: Megan, also known as CyberQueenMeg, is a passionate rising cybersecurity professional who is interested in programming, cybersecurity, and web development. Megan is a high school senior in a rigorous computer science program at her high school where sh...

AI score 6.7; Exploits 0
Hacker One, added 2021/04/04 2:33 p.m., 59 views

X (Formerly Twitter): Bypass t.co link shortener in Twitter direct messages

The researcher demonstrated a way to create a link that will not be replaced with a safe shortened t.co URL, by sending Direct Messages containing more than 50 t.co links to another Twitter user. If the recipient views the message using Twitter’s Android app, and clicks the 51st link in the...

AI score 6.7; Exploits 0
Hacker One, added 2021/03/17 6:30 p.m., 59 views

curl: CVE-2021-22890: TLS 1.3 session ticket proxy host mixup

Summary: I don't think that this can be easily exploitable, but I am submitting it as a security issue for precaution. I am not looking for a bounty. Commit 549310e907e82e44c59548351d4c6ac4aaada114 enables session resumption with TLS 1.3. Curl connections maintain two SSL contexts, one for the...

CVSS 4.3; AI score 5.4; EPSS 0.03141; Exploits 1
Hacker One, added 2021/03/05 9:08 p.m., 59 views

U.S. Dept Of Defense: CSRF to Cross-site Scripting (XSS)

Hello dear support, I have found CSRF to XSS on █████████. My payload: "; Impact: Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session...

AI score 0.2; Exploits 0
Hacker One, added 2021/02/07 7:56 p.m., 59 views

Revive Adserver: Reflected XSS on /admin/campaign-zone-zones.php

I found a reflected XSS attack on /admin/campaign-zone-zones.php. Revive-Adserver version is revive-adserver-5.1.1. - Go to http://revive-adserver.loc/admin/campaign-zone-zones.php?=&clientid=1&campaignid=1&status=available%22%3E%3Cimg%20src=1%20onerror=alert(document.domain)%3E&text= - Malicious...

CVSS 4.3; AI score 2.8; EPSS 0.19811; Exploits 1
Hacker One, added 2021/02/03 3:03 p.m., 59 views

U.S. Dept Of Defense: IDOR leads to leakage of ██████████ login information

Hi security team, according to my report 1092618, the VDP team agreed that █████████ and its subdomains are in the scope of the DoD program, so I continued testing that domain. Issue Description: There is an IDOR in ██████.███████ that is connected with ████████.███████, a highly protected encrypted chat...

AI score 7.1; Exploits 0
Hacker One, added 2021/01/07 4:20 p.m., 59 views

VK.com: XSS in the link handler

XSS in the link parser...

AI score 6.3; Exploits 0
Hacker One, added 2020/11/03 1:02 a.m., 59 views

Mail.ru: file read on MCS servers via supplying a QCOW2 image with external backing file

Local file read in mcs.mail.ru by providing QCOW2 disk image with backing image pointing to external file Mail.ru Cloud Solutions allows uploading custom images for disks. This functionality supported QCOW2 disk images. A QCOW2 disk image can have a so-called "backing image" - a file to read...

AI score 0.3; Exploits 0
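The report above turns on one header field: a QCOW2 image can point at a "backing image", and if the platform attaches an uploaded image as-is, the hypervisor opens whatever host path that field names. The following is an added example, not Mail.ru Cloud Solutions code: it parses the fixed QCOW2 header (layout per the QEMU qcow2 specification), reports the backing file name, and gates an upload on the image being standalone. The function names, the two constructed header-only sample images and the `/etc/passwd` path are my own choices for illustration.

```javascript
// Added example, not Mail.ru Cloud Solutions code: parse the fixed QCOW2 header
// of an uploaded image and refuse any image that names a backing file, because
// the hypervisor would otherwise open that path on the host when the disk is
// attached. Field layout (big-endian) follows the QEMU qcow2 specification:
//   0  u32 magic "QFI\xfb"          4  u32 version (2 or 3)
//   8  u64 backing_file_offset     16  u32 backing_file_size
//  20  u32 cluster_bits            24  u64 size (virtual disk size)
const QCOW2_MAGIC = 0x514649fb;
const MAX_BACKING_NAME = 1023;           // the spec caps backing_file_size at 1023 bytes

function parseQcow2Header(buf) {
  if (buf.length < 32) throw new Error('file too short to be a qcow2 image');
  if (buf.readUInt32BE(0) !== QCOW2_MAGIC) throw new Error('not a qcow2 image (bad magic)');
  const version = buf.readUInt32BE(4);
  if (version !== 2 && version !== 3) throw new Error(`unsupported qcow2 version ${version}`);
  const backingOffset = buf.readBigUInt64BE(8);
  const backingSize = buf.readUInt32BE(16);
  const clusterBits = buf.readUInt32BE(20);
  const virtualSize = buf.readBigUInt64BE(24);

  let backingFile = null;
  if (backingOffset !== 0n || backingSize !== 0) {
    // Any non-zero pointer means "this image depends on another file".
    if (backingSize === 0 || backingSize > MAX_BACKING_NAME) {
      throw new Error(`implausible backing_file_size ${backingSize}`);
    }
    if (backingOffset > BigInt(buf.length) || Number(backingOffset) + backingSize > buf.length) {
      throw new Error('backing file name lies outside the file');
    }
    const start = Number(backingOffset);
    backingFile = buf.toString('utf8', start, start + backingSize);
  }
  return { version, clusterBits, virtualSize, backingFile };
}

// Gate for an upload endpoint: only standalone images pass.
function isSafeUpload(buf) {
  let hdr;
  try {
    hdr = parseQcow2Header(buf);
  } catch (err) {
    return { ok: false, reason: err.message };
  }
  if (hdr.backingFile !== null) {
    return { ok: false, reason: `image references backing file "${hdr.backingFile}"` };
  }
  return { ok: true, reason: `standalone qcow2 v${hdr.version} image` };
}

// Constructed sample images (a v3 header with no clusters behind it, which is
// all the check needs): a clean image and one whose backing file points at a
// host path.
function buildHeader({ backingFile = null } = {}) {
  const HEADER_LEN = 104;                           // fixed v3 header length
  const name = backingFile ? Buffer.from(backingFile, 'utf8') : Buffer.alloc(0);
  const buf = Buffer.alloc(HEADER_LEN + name.length);
  buf.writeUInt32BE(QCOW2_MAGIC, 0);
  buf.writeUInt32BE(3, 4);
  buf.writeBigUInt64BE(name.length ? BigInt(HEADER_LEN) : 0n, 8);
  buf.writeUInt32BE(name.length, 16);
  buf.writeUInt32BE(16, 20);                        // 64 KiB clusters
  buf.writeBigUInt64BE(1n << 30n, 24);              // 1 GiB virtual disk
  buf.writeUInt32BE(4, 96);                         // refcount_order
  buf.writeUInt32BE(HEADER_LEN, 100);               // header_length
  name.copy(buf, HEADER_LEN);
  return buf;
}

console.log(isSafeUpload(buildHeader()));
console.log(isSafeUpload(buildHeader({ backingFile: '/etc/passwd' })));
```

The same fact is what `qemu-img info` prints as the "backing file" line, so the check can be done with the stock tooling instead of a hand parser. Rejecting at the header is only the first gate: a platform that must accept such images should re-create them as flat standalone images before attaching them, and a v3 image's header extensions (for example an external data file reference) need the same treatment as the backing file field.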
Hacker One, added 2020/11/02 5:04 p.m., 59 views

TikTok: RCE on TikTok Ads Portal

The video upload endpoint on the TikTok Ads portal was potentially susceptible to remote code execution (RCE) due to an ffmpeg misconfiguration. We thank @bubbounty for reporting this to our team and confirming the resolution. During my research on the TikTok Ads portal I found an RCE through the...

AI score 1.1; Exploits 0
Hacker One, added 2020/09/15 3:13 a.m., 59 views

Basecamp: HEY.com email stored XSS

An attacker can bypass the HEY.com HTML sanitizer and inject arbitrary unsafe HTML in emails. To reproduce the bug you have to send raw HTML-formatted email. You can do it e.g. with the Sendmail tool on Linux. Example email: plain From: [email protected] To: [email protected] Subject: HackerOne test...

Exploits 0
Hacker One, added 2020/09/12 11:53 a.m., 59 views

Node.js third-party modules: [json8-merge-patch] Prototype Pollution

I would like to report a Prototype Pollution vulnerability in json8-merge-patch The apply function fails to restrict access to prototypes of objects, allowing for modification of prototype behavior. Module module name: json8-merge-patch version: v1.0.1 npm page:...

CVSS 5; AI score 0.7; EPSS 0.01277; Exploits 1
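The report above says the module's `apply` "fails to restrict access to prototypes of objects". The following is an added example, not the json8-merge-patch module's code: an RFC 7396 JSON Merge Patch applier written the way the vulnerable pattern usually looks, beside a hardened version, with a constructed patch that reaches `Object.prototype` through the first and is refused by the second. The function names and the `isAdmin` property are my own.

```javascript
// Added example, not the json8-merge-patch module's code: an RFC 7396 JSON
// Merge Patch applier written the way the vulnerable pattern looks (it recurses
// into whatever target[key] resolves to), next to a hardened version. The
// attacker patch is constructed.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable: JSON.parse creates an own property literally named "__proto__",
// so Object.keys(patch) yields it; target["__proto__"] resolves (via the
// inherited accessor) to Object.prototype, and the recursion writes the
// attacker's keys onto the prototype shared by every plain object.
function applyMergePatchUnsafe(target, patch) {
  if (!isPlainObject(patch)) return patch;
  if (!isPlainObject(target)) target = {};
  for (const key of Object.keys(patch)) {
    const value = patch[key];
    if (value === null) {
      delete target[key];
    } else if (isPlainObject(value)) {
      target[key] = applyMergePatchUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: reject keys that can reach a prototype, and only descend into a
// child the target itself owns, never into an inherited value.
function applyMergePatchSafe(target, patch) {
  if (!isPlainObject(patch)) return patch;
  if (!isPlainObject(target)) target = {};
  for (const key of Object.keys(patch)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge forbidden key "${key}"`);
    }
    const value = patch[key];
    if (value === null) {
      delete target[key];
    } else if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = applyMergePatchSafe(own, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input: a patch whose only purpose is to reach
// Object.prototype through the "__proto__" key.
const ATTACKER_PATCH = '{"__proto__": {"isAdmin": true}}';

function demonstrate() {
  const result = { unsafePolluted: false, safeRejected: false, safePolluted: false };
  try {
    applyMergePatchUnsafe({ name: 'doc' }, JSON.parse(ATTACKER_PATCH));
    result.unsafePolluted = ({}).isAdmin === true;   // a fresh object now "has" isAdmin
  } finally {
    delete Object.prototype.isAdmin;                  // undo the damage for the rest of the process
  }
  try {
    applyMergePatchSafe({ name: 'doc' }, JSON.parse(ATTACKER_PATCH));
  } catch (err) {
    result.safeRejected = true;
  }
  result.safePolluted = ({}).isAdmin === true;
  return result;
}

console.log(demonstrate());   // { unsafePolluted: true, safeRejected: true, safePolluted: false }
```

The `hasOwnProperty` check alone already blocks the `constructor.prototype` route, since a plain target does not own `constructor`; the explicit deny-list makes the intent visible and turns a silent skip into an error the caller can log. Merging into objects created with `Object.create(null)` is a further option when the document is only ever read back as data.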
Hacker One, added 2020/07/16 4:12 p.m., 59 views

OWOX, Inc.: Unrestricted File Upload in Chat Window

Summary: The application allows the attacker to upload dangerous file types that can be automatically processed within the product's environment. Steps To Reproduce: - Hit the browser and navigate to https://bi.owox.com and sign in. - Open the Chat window. - Upload any .rb or .php file. - Click ...

AI score 6.5; Exploits 0
Hacker One, added 2020/06/23 3:23 p.m., 59 views

Shopify: XSS / SELF XSS

I found XSS but I think it's self-XSS. POC: 1. Go to yourstore.myshopify.com 2. Go to settings import 3. Upload a wrong CSV file with the XSS payload as the file name " Impact: XSS attack...

AI score 1.4; Exploits 0
Hacker One, added 2020/04/21 2:46 p.m., 59 views

Mail.ru: Cross-Site Request Forgery (CSRF) in my.games API

A CSRF vulnerability allowed adding/deleting/editing store.my.games comments...

AI score 3.8; Exploits 0
Hacker One, added 2020/01/29 4:12 a.m., 59 views

X (Formerly Twitter): Twitter Source Label allows 'mongolian vowel separator' U+180E (app name)

Summary: Twitter app-names which are shown in the Tweet source label are supposed to be unique and because of that they must not include invisible unicode characters. However, you can use the mongolian vowel separator in these app-names, which allows faking an app-name. Description: Every tweet ha...

AI score 6.6; Exploits 0
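The uniqueness property the report above describes holds only if the name is normalised before it is compared. As an added example that is not Twitter's code, here is a small registry that refuses names carrying invisible code points and enforces uniqueness on a canonical form. It goes beyond the single U+180E case in the report: it catches every control, format and default-ignorable code point, and folds compatibility variants (full-width letters, spacing) with NFKC so look-alike spellings collide as well. The app names are constructed and the function names are mine.

```javascript
// Added example, not Twitter's code: a registry that refuses display names
// containing invisible characters and stores names under a canonical form, so
// two names that render identically cannot both be registered. It goes beyond
// U+180E to every control, format and default-ignorable code point, and uses
// NFKC so full-width or compatibility variants collide too. App names are constructed.
const INVISIBLE = /[\p{Cc}\p{Cf}\p{Default_Ignorable_Code_Point}\u180E]/gu;

// Every invisible code point in the name, as U+XXXX labels for the error message.
function findInvisibleChars(name) {
  return Array.from(name.matchAll(INVISIBLE), m =>
    'U+' + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, '0'));
}

// The key under which uniqueness is enforced.
function canonicalName(name) {
  return name
    .normalize('NFKC')          // fold compatibility variants (full-width, ligatures)
    .replace(INVISIBLE, '')     // drop anything that does not render
    .replace(/\p{Zs}+/gu, ' ')  // collapse every kind of space to one ASCII space
    .trim()
    .toLowerCase();
}

class AppNameRegistry {
  constructor() {
    this.byCanonical = new Map();   // canonical form -> name as registered
  }

  register(name) {
    const invisible = findInvisibleChars(name);
    if (invisible.length > 0) {
      return { ok: false, reason: `invisible characters: ${invisible.join(', ')}` };
    }
    const key = canonicalName(name);
    if (key === '') return { ok: false, reason: 'name is empty after normalisation' };
    if (this.byCanonical.has(key)) {
      return { ok: false, reason: `looks identical to existing app "${this.byCanonical.get(key)}"` };
    }
    this.byCanonical.set(key, name);
    return { ok: true, canonical: key };
  }
}

const registry = new AppNameRegistry();
console.log(registry.register('Example Client'));        // ok
console.log(registry.register('Example\u180EClient'));   // rejected: invisible U+180E
console.log(registry.register('\uFF25xample Client'));   // rejected: NFKC collision with the first
```

Rejecting rather than silently stripping is deliberate: a name with a zero-width character in it is a signal worth surfacing to the reviewer, not just a value to clean. U+180E is listed explicitly because its Unicode category changed (space separator before 6.3, format character after), so regex engines built against older tables would otherwise miss it.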
Hacker One, added 2019/08/03 10:13 a.m., 59 views

Omise: Email enumeration at SignUp page

Hi. There's a bad security practice at https://trade.go.exchange/en/auth/sign-up regarding user enumeration. Description: At the signup page here https://trade.go.exchange/en/auth/sign-up , when you enter an existing user's mail, a msg box says "Email is invalid." F546294 The problem is that any use...

AI score 7.1; Exploits 0
Hacker One, added 2019/05/27 1:14 p.m., 59 views

Unikrn: Full Path Disclosure

Hi security team! We can see the path on your resource. https://crm.unikrn.com/app/bundles/CampaignBundle/EventListener/LeadSubscriber.php You must create a ban on viewing the script from the outside using .htaccess. Impact: Full Path Disclosure https://www.owasp.org/index.php/FullPathDisclosure...

AI score 7.1; Exploits 0
Hacker One, added 2019/05/10 1:17 p.m., 59 views

Passit: Password reset link not expired after changing the password

Hi, this is my first report and bug. I found the password reset link is not expired after changing the password (received via my e-mail). Proof of Concept: 1. Go to https://app.passit.io/account/reset-password and ask for a password reset link. 2. Go to the email inbox. 3. Click the link from the inbox, example // Recovery li...

AI score 0.3; Exploits 0
Hacker One, added 2019/01/09 10:03 p.m., 59 views

Internet Bug Bounty: Heap Buffer Overflow (READ: 4) in phar_parse_pharfile

Phar files with __HALT_COMPILER(); in unexpected places can lead to a buffer overrun. This is something I found while fuzzing with AFL using an ASAN instrumented PHP. The issue can be observed by disabling the Zend allocator and using ASAN or valgrind/etc? with a crafted phar as input. I have prepared...

CVSS 5; AI score 8.5; EPSS 0.0566; Exploits 1
Hacker One, added 2018/11/15 5:33 a.m., 59 views

GitLab: CRLF injection & SSRF in git:// protocol lead to arbitrary code execution

Summary: The implementation of the git:// protocol in GitLab is vulnerable to CRLF injection and Server-Side Request Forgery. If the redis server is configured to listen on a TCP socket, e.g. port 6379, an attacker can abuse SSRF to manipulate the redis server, injecting a malicious payload into system_hook_push...

AI score 0.6; Exploits 0
Hacker One, added 2018/09/17 5:54 a.m., 59 views

HackerOne: User login page doesn't implement any form of rate limiting

Hi Team, Summary: As a best practice a login page should have rate limiting just like hackerone.com. Vulnerable Request: POST /auth/postlogin HTTP/1.1 Host: ctf.hacker101.com User-Agent: Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://ctf.hacker101.com/...

AI score 0.3; Exploits 0
Hacker One, added 2018/09/16 6:34 a.m., 60 views

HackerOne: Missing Certificate Authority Authorization rule

Certificate Authority Authorization supported by LetsEncrypt and other CAs allows a domain owner to specify which Certificate Authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authorities should refuse to issue a certificate unless they are the CA o...

AI score 0.7; Exploits 0
Hacker One, added 2018/08/31 7:50 p.m., 59 views

Zomato: [www.zomato.com] SQLi - /php/██████████ - item_id

Thanks @gerbenjavado for helping us keep @zomato secure : Thanks to the entire @Zomato team for doing this challenge. It's a pleasure to be back in the bug bounty game after a while. Introduction So I managed to find SQLi on https://www.zomato.com/php/██████████ in the POST parameter item_id...

AI score 7.2; Exploits 0
Hacker One, added 2018/04/14 5:22 p.m., 59 views

Internet Bug Bounty: CVE-2018-6797: A crafted regular expression can cause a heap buffer write overflow in Perl 5 giving a remote attacker control over bytes written

An attacker supplies a regular expression containing one or more \xDF characters after an escape putting the regexp into unicode matching mode, such as a \N escape. Each \xDF character adds one byte of overflow, and any other text in the regular expression is written in order, providing the...

CVSS 7.5; AI score 9; EPSS 0.06599; Exploits 0
Hacker One, added 2017/11/29 11:08 p.m., 59 views

Open-Xchange: SSRF in /appsuite/api/autoconfig

FYI: This was conducted on a local install of App Suite and not the sandbox. App Suite version was: 7.8.4 Rev14 Hello, There is a possible SSRF vulnerability in the following App Suite API endpoint that will primarily allow blind port scanning of the App Suite server and any internal servers...

AI score 6.7; Exploits 0
Hacker One, added 2017/05/24 2:42 p.m., 59 views

Snapchat: Open prod Jenkins instance

@prebenve found a Jenkins instance where they could login with any valid Google account. Once logged in, they gained access to sensitive API tokens. The access also included some source code disclosure for public apps and the ability to execute arbitrary code via the Jenkins Script Console...

AI score 3; Exploits 0
Hacker One, added 2017/03/12 6:34 a.m., 59 views

HackerOne: IE 11 Self-XSS on Jira Integration Preview Base Link

I wasn't sure if you would accept this report due to it being Self-XSS, but I figured it might be useful information because it breaks one of the flows used to validate URLs. Steps: 1. Launch IE 11 2. Log into a HackerOne account that has admin on a program. 3. Go to the...

AI score 6.5; Exploits 0
Hacker One, added 2016/10/29 5:08 a.m., 59 views

Bumble: Leave inaccessible messaging system with a message (https://us1.badoo.com)

Hello, while testing the messaging system I found a vulnerability that allows leaving another user's messaging system inaccessible; it only requires sending a message. The vulnerability is in the system, as the mobile version, smileys and app do not have that system; only the desktop version is vulnerable. VULNERAB...

AI score 0.7; Exploits 0
Hacker One, added 2016/06/17 4:13 p.m., 59 views

Nextcloud: nextcloud.com: Mail Bombing (No Rate Limiting On Sending Emails On Contact Us Page)

Hello, we can spam-bomb any email by using your website. Please check the attack success PoC image in the attached file and you will understand. POC: 1. Go to the link :- 2. In details, fill in all the things; in the email option enter the victim's email. 4. Replay the same request many times; the victim's email will be spammed...

Exploits 0
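The Hacker101 CTF login report earlier on this page and the nextcloud.com contact-form report directly above ask for the same control: a per-caller limit on an endpoint that is cheap to hit and expensive for someone else. As an added example that is not HackerOne's or Nextcloud's code, here is a sliding-window limiter wired into a login handler (throttled per account and per client IP) and a contact-form mailer (throttled per recipient, so one address cannot be bombed). The IP addresses, the credential check, the recipient and the clock are constructed; the function names are mine.

```javascript
// Added example, not HackerOne's or Nextcloud's code: a sliding-window limiter
// keyed on whatever identifies the caller, applied to the two endpoint types
// above: a login handler throttled per account and per client IP, and a
// contact-form mailer throttled per recipient so one address cannot be
// bombed. Credentials, addresses and the clock are constructed.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map();   // key -> timestamps of allowed hits inside the window
  }

  // true if the caller may proceed; the hit is recorded only when allowed.
  allow(key) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter(ts => ts > t - this.windowMs);
    const allowed = recent.length < this.limit;
    if (allowed) recent.push(t);
    this.hits.set(key, recent);
    return allowed;
  }
}

function makeLoginHandler(now) {
  const perAccount = new SlidingWindowLimiter({ limit: 5, windowMs: 60 * 1000, now });
  const perIp = new SlidingWindowLimiter({ limit: 20, windowMs: 60 * 1000, now });
  return function login({ ip, username, password }) {
    // Throttle before the credential check: a correct guess is worthless once
    // the account is in cool-down, which is what defeats online brute force.
    if (!perIp.allow(ip) || !perAccount.allow(username.toLowerCase())) {
      return { status: 429, body: 'too many attempts, try again later' };
    }
    const ok = username === 'alice' && password === 'correct horse';   // constructed credential check
    return ok ? { status: 200 } : { status: 401 };
  };
}

function makeContactHandler(now, sendMail) {
  const perRecipient = new SlidingWindowLimiter({ limit: 3, windowMs: 60 * 60 * 1000, now });
  const perIp = new SlidingWindowLimiter({ limit: 10, windowMs: 60 * 60 * 1000, now });
  return function contact({ ip, email, message }) {
    if (!perIp.allow(ip) || !perRecipient.allow(email.trim().toLowerCase())) {
      return { status: 429 };
    }
    sendMail(email, message);
    return { status: 202 };
  };
}

function simulate() {
  let clock = 0;                      // constructed clock, milliseconds
  const now = () => clock;
  const login = makeLoginHandler(now);
  const attempt = password => login({ ip: '198.51.100.7', username: 'alice', password }).status;

  const guesses = [];
  for (let i = 0; i < 7; i++) guesses.push(attempt('wrong-' + i));
  const correctWhileThrottled = attempt('correct horse');
  clock += 60 * 1000 + 1;
  const correctAfterWindow = attempt('correct horse');

  let mailsSent = 0;
  const contact = makeContactHandler(now, () => { mailsSent++; });
  const submissions = [];
  for (let i = 0; i < 5; i++) {
    submissions.push(contact({ ip: '203.0.113.9', email: 'victim@example.com', message: 'hello' }).status);
  }
  return { guesses, correctWhileThrottled, correctAfterWindow, submissions, mailsSent };
}

console.log(simulate());
```

Two caveats a practitioner would add. A hard per-account block lets anyone lock a victim out by spraying bad passwords at their username, so production login paths usually combine the per-account counter with progressive delays or a CAPTCHA step rather than a flat 429. And the in-memory `Map` only works for a single process; behind a load balancer the counters have to live in shared storage, otherwise the limit is multiplied by the number of workers.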
Hacker One, added 2016/05/05 6:07 p.m., 59 views

Vimeo: OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing

Hello Vimeo Security Team, There is a vulnerability in api.vimeo.com/oauth which allows an attacker to gain full App privilege over a Vimeo victim user account without user approval, just by having the victim open a link to the attacker webpage. Proof of Concept link :...

AI score 7; Exploits 0
Hacker One, added 2016/02/03 6:49 p.m., 59 views

VK.com: XML external entity injection in the YouTrack user import feature

The vulnerability exists because XML external entities can be used in the YouTrack user import feature. The web application is available at youtrack.vk-cdn.net. According to the documentation https://confluence.jetbrains.com/display/YTD6/Import+Users it supports importing data...

AI score 7; Exploits 0
Hacker One, added 2016/01/28 7:25 p.m., 59 views

Mail.ru: [api.login.icq.net] Open Redirect

https://api.login.icq.net/auth/cancel?f=1&k=1&supportedIdType=1&succUrl=http://example.com...

AI score 7.1; Exploits 0
Hacker One, added 2015/07/01 1:59 p.m., 59 views

Ubiquiti Inc.: Arbitrary file upload on AirMax

It's possible to upload arbitrary files to airMAX devices via HTTP because of a vulnerability in the airOS web server. An attacker can bypass the device's authentication mechanisms by exploiting this vulnerability...

CVSS 10; AI score 9.3; EPSS 0.73999; Exploits 1
Hacker One, added 2015/06/04 5:29 a.m., 59 views

Coinbase: OAuth authorization page vulnerable to clickjacking

Due to a misconfiguration, the 'authorize' button on the OAuth authorization page was vulnerable to clickjacking. The bug was fixed by ensuring our OAuth-related responses included the same security headers including X-Frame-Options as the rest of the site...

AI score 6.8; Exploits 0
Hacker One, added 2015/05/29 4:42 p.m., 59 views

VK.com: Page replacement and redirect loop

Opening a page via a request parameter, and a cyclic redirect. This report includes a description of two vectors: 1. Page replacement via a hidden vulnerable parameter that may lead to phishing attacks. 2. Infinite redirect loop...

AI score 6.8; Exploits 0
Hacker One, added 2015/03/31 3:56 p.m., 59 views

HackerOne: Reflected Filename Download

First of all congratulations on an awesome bounty system. Big fan here! I found out that it's possible to run an RFD attack on Hackerone. If we visit: https://hackerone.com/dsopas We see the normal HTML webpage. Nothing new here. But if we add ?format=json to the URL we can see the JSON file generated b...

Exploits 0
Hacker One, added 2015/03/18 12:00 a.m., 59 views

Internet Bug Bounty: ZIP Integer Overflow leads to writing past heap boundary

https://bugs.php.net/bug.php?id=69253 Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service...

CVSS 7.5; AI score 8.9; EPSS 0.27869; Exploits 1
Hacker One, added 2014/12/25 12:00 a.m., 59 views

Internet Bug Bounty: libcurl: URL request injection

libcurl: URL request injection CVE-2014-8150...

CVSS 4.3; AI score 9.3; EPSS 0.0681; Exploits 0
Hacker One, added 2014/11/17 6:20 a.m., 59 views

Internet Bug Bounty: Adobe Flash Player MP4 Use-After-Free Vulnerability

I. Summary Adobe Flash Player is prone to a vulnerability which leads to Use-After-Free. After parsing a malformed mp4 file, Flash will not free the NetStream object properly. Such a memory block is still accessed even after the page containing Flash is closed, which leads to a memory crash...

CVSS 10; AI score 6.3; EPSS 0.09927; Exploits 0
Hacker One, added 2014/10/06 7:06 p.m., 59 views

Coinbase: New Device confirmation tokens are not properly validated.

Hi team, I noticed that the new device confirmation code sent by your server is not validated. POC: 1. Log in on a new computer and ask for the confirmation code two times, say at 12.00 PM and at 12.01 PM. 2. Now verify the device with the confirmation token which arrived at 12.01 PM and after...

AI score 7; Exploits 0
Hacker One, added 2014/06/03 5:38 a.m., 59 views

WePay: CSRF & Nonce Token Weak Implementation

Hello, this report is a copy of my previous reports sent to your email [email protected] some days ago. Please note that everything written below is copied and pasted from the report. Ticket 437212 : As part of your responsible disclosure program, I am reporting this leakage weak implementation...

AI score 6.5; Exploits 0
Hacker One, added 2014/05/20 12:23 p.m., 59 views

joola.io: X-Content-Type-Options header missing

Hello Team, the site doesn't have a header setting for X-Content-Type-Options, which means it is vulnerable to MIME sniffing. The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google...

AI score 1; Exploits 0
Hacker One, added 2014/04/21 8:39 a.m., 59 views

Mail.ru: rs.mail.ru - Flash Based XSS

Hi, I found a flash based XSS in rs.mail.ru. Vulnerable link: http://rs.mail.ru/b27161485.swf?link1=javascript:alert(document.domain) Just click on the page and you will see the alert. Tested on Mozilla Firefox. Regards, Florin...

AI score 6.1; Exploits 0
Hacker One, added 2014/04/09 9:58 a.m., 59 views

InVision: TLS Renegotiation and Denial of Service Attacks on InVision.

Hi, I found a bug in your website. It's a TLS Renegotiation and Denial of Service attack. Description: A group of hackers known as THC (The Hacker's Choice) last week released an interesting DoS tool that works at the SSL/TLS layer. The tool is exploiting the fact that, when a new SSL connection i...

AI score 6.6; Exploits 0
Hacker One, added 2014/04/08 12:38 a.m., 59 views

Khan Academy: Lighttpd version disclosure / directory listing

Hello there, the website at http://graphite.khanacademy.org/ isn't configured correctly. It displays the lighttpd version as well as the directory contents. You should disable these features in your lighttpd.conf / php.ini. PoC: Index of / Name Last Modified Size Type Parent Directory/ - Directory...

AI score 0.5; Exploits 0
Hacker One, added 2014/03/01 11:07 p.m., 59 views

Slack: csrf

Hi, the anti-CSRF token to prevent CSRF attacks is missing on this link https://sehacure.slack.com/help/requests/new. A new request can be submitted by a malicious guy to the support team on behalf of the user. The victim will never get to know. 1. Go to this link...

AI score 0.2; Exploits 0
Hacker One, added 2024/11/07 8:41 a.m., 58 views

Internet Bug Bounty: Secrets not masked in UI when sensitive variables are set via Airflow cli

A vulnerability was discovered in Apache Airflow where sensitive variables set using the Airflow CLI were not properly masked in the UI, specifically in the Audit logs page. This issue was addressed in the 2.10.3 release of Apache Airflow...

CVSS 4.9; AI score 6.5; EPSS 0.01201; Exploits 0
Hacker One, added 2024/07/03 7:09 a.m., 58 views

Internet Bug Bounty: important: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477)

important: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477). A null pointer dereference vulnerability was discovered in mod_proxy in Apache HTTP Server versions 2.4.59 and earlier. This vulnerability allowed an attacker to crash the server ...

CVSS 7.5; AI score 8.5; EPSS 0.03153; Exploits 0
Hacker One, added 2024/01/15 2:48 p.m., 58 views

Node.js: "Assertion failed" in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash

A vulnerability was discovered in the Node.js HTTP/2 stack http2 package. An attacker could send a small amount of TCP packets with HTTP/2 frames, causing the Node.js server to crash due to an assertion failure in the Http2Session destructor. The issue occurred when headers with HTTP/2 CONTINUATI...

CVSS 8.2; AI score 6.3; EPSS 0.87211; Exploits 1
Hacker One, added 2023/06/04 7:58 a.m., 58 views

Internet Bug Bounty: [CVE-2023-22796] Possible ReDoS based DoS vulnerability in Active Support’s underscore

A regular expression based Denial of Service DoS vulnerability was discovered in Active Support. The vulnerability allowed for a specially crafted string to cause the regular expression engine to enter a state of catastrophic backtracking, leading to excessive CPU and memory usage. The...

CVSS 7.5; AI score 7.3; EPSS 0.01712; Exploits 0
Total number of security vulnerabilities: 5000