HackerOne: Most viewed

15371 matches found

Hacker One | added 2020/08/16 11:32 p.m. | 457 views

U.S. Dept Of Defense: Read-only path traversal (CVE-2020-3452) at https://█████

Summary: I discovered a vulnerability Read-only path traversal CVE-2020-3452 at https://███████ Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote...

CVSS 5 | AI score 1 | EPSS 0.99992
Exploits: 24

Hacker One | added 2020/04/03 5:02 a.m. | 457 views

Liberapay: Leaking Of Sensitive Information on Github

Summary: Sensitive Data were leaked in https://github.com/liberapay/liberapay.com Steps To Reproduce: 1. Install gitleaks from https://github.com/zricethezav/gitleaks 2. Run the following command in a Linux terminal gitleaks -v --pretty -r=https://github.com/liberapay/liberapay.com The following...

AI score 0.1
Exploits: 0

Hacker One | added 2024/12/18 3:20 a.m. | 455 views

Internet Bug Bounty: [CVE-2024-54133] Possible Content Security Policy bypass in Action Dispatch

A vulnerability was discovered in the content_security_policy helper in Action Pack of Ruby on Rails. Carefully crafted inputs were able to inject new directives into the Content-Security-Policy (CSP) header, potentially leading to a bypass of the CSP and its protection against cross-site scripting (X...

CVSS 2.3 | AI score 5.6 | EPSS 0.00989
Exploits: 0

Hacker One | added 2020/12/05 6:38 a.m. | 455 views

Top Echelon Software: Public and secret api key leaked in JavaScript source

Summary: While surfing the bb3jobboard.topechelon.com website, I found sensitive data including an authentication key written in a publicly accessible JavaScript file. Vulnerable URL: https://bb3jobboard.topechelon.com/!/search?page=1 Steps To Reproduce: Open...

AI score 7
Exploits: 0

Hacker One | added 2024/12/11 7:57 a.m. | 454 views

Internet Bug Bounty: netrc and redirect credential leak

The netrc file in curl could lead to the unintentional leakage of a password to a different host when following HTTP redirects, if the netrc file had an entry matching the redirect target hostname but omitting either just the password or both login and password...

CVSS 3.4 | AI score 3.9 | EPSS 0.01351
Exploits: 1

Hacker One | added 2022/09/14 4:05 p.m. | 453 views

Cloudflare Public Bug Bounty: Take over subdomains of r2.dev using R2 custom domains

███████ ████ ████ ███████████████████████████ ███ ██████████ It is possible to take over any subdomain of r2.dev possible also the base domain and have it serve the contents of an R2 bucket in your account. Requirements Access to R2 public buckets in the dashboard is currently behind a flag. The...

AI score 6.8
Exploits: 0

Hacker One | added 2019/05/08 6:34 p.m. | 453 views

Pornhub: SSRF and local file disclosure by video upload on https://www.tube8.com/

The researcher was successful in exploiting a vulnerability in a 3rd-party encoding library, resulting in the execution of SSRF attacks and Local File Disclosure...

AI score 1.3
Exploits: 0

Hacker One | added 2019/07/17 10:47 p.m. | 449 views

Internet Bug Bounty: Multiple HTTP Smuggling reports

These reports spread over several years and are all about HTTP Smuggling issues (HTTP Request or Response splitting, Cache Poisoning, Security filter bypass). I've made reports on a wide range of open source projects, explaining the not-always-easy problems to the various security maintainers...

CVSS 7.5 | AI score 7.7 | EPSS 0.73327
Exploits: 6

Hacker One | added 2025/05/01 3:15 p.m. | 447 views

Fastify: Remote Code Execution via unsafe usage of `reply.view({ raw })` in @fastify/view (EJS template engine)

The @fastify/view plugin, when used with the EJS engine and the `reply.view({ raw })` pattern, allowed arbitrary EJS execution. This vulnerability arose from the fact that Fastify trusted the raw template string without sanitization or restrictions when passed directly to EJS's compile method, leading ...

AI score 7.7
Exploits: 0

Hacker One | added 2022/01/07 5:24 p.m. | 447 views

Mattermost: HTML injection via invite members can lead to account takeover

An HTML injection vulnerability was found on the website that allowed an attacker to inject HTML code into an email invitation sent to a victim. This could lead to the victim being redirected to a malicious site or tricked into giving away login credentials...

CVSS 5.4 | AI score 4.6 | EPSS 0.00639
Exploits: 1

Hacker One | added 2017/02/01 6:19 a.m. | 444 views

Pornhub: XSS Vulnerability at https://www.pornhubpremium.com/premium_signup? URL endpoint

The researcher discovered an XSS-vulnerable parameter at the premium_signup endpoint...

AI score 0.4
Exploits: 0

Hacker One | added 2017/04/26 9:00 a.m. | 442 views

Weblate: CSV export filter bypass leads to formula injection.

Dear Weblate bug bounty team, Summary --- The new filter can be bypassed using: %0A-3+3+cmd|' /C calc'!D2. (Python) text = "%0A-3+3+cmd|' /C calc'!D2"; def csv_filter_bypass(text): if text and text[0] in ('=', '+', '-', '@'): return "'" + text; return text. How can this be fixed? --- You need to escape and detect...

AI score 1.8
Exploits: 0

Hacker One | added 2018/03/08 7:38 p.m. | 441 views

JamieWeb: Insecure Transportation Security Protocol Supported (TLS 1.0) on https://www.jamieweb.net

Summary: https://www.jamieweb.net still supports the TLS 1.0 protocol, which has several flaws. Vulnerability: With an SSL security scanner I was able to identify that an insecure transportation security protocol (TLS 1.0) is still supported by your web server. TLS 1.0 has several flaws. An attacker can...

AI score 0.5
Exploits: 0

Hacker One | added 2018/04/15 3:07 p.m. | 440 views

Zomato: Clickjacking: Delete Account, Change privacy settings, Rate business, follow/unfollow (IE)

Inspired by report 337219. Please note that this report includes a clear security impact as well as a proof of concept. CVSS ---- medium 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L Description ----------- The application does not send an X-Frame-Options header, thus allowing pages to be...

AI score 6.5
Exploits: 0

Hacker One | added 2018/04/09 9:10 p.m. | 439 views

LocalTapiola: DoS of www.lahitapiolarahoitus.fi via CVE-2018-6389 exploitation

Description: It is possible for the /wp-admin/load-scripts.php script to generate a large (3 MB) amount of data via a simple non-authenticated request to the server. The vulnerability is registered as https://vulners.com/cve/CVE-2018-6389 Details: A detailed attack scenario is described, for example, here:...

CVSS 5 | AI score 0.2 | EPSS 0.73098
Exploits: 11

Hacker One | added 2023/12/02 5:39 p.m. | 437 views

Deriv.com: Mailgun subdomain takeover

Summary: I have found an unclaimed subdomain of deriv.cloud, which is successfully claimable. Platforms Affected: email.mailgun.deriv.cloud Steps To Reproduce: You just need a Mailgun account and then you can successfully claim this domain. Supporting Material/References:...

AI score 6.6
Exploits: 0

Hacker One | added 2020/06/17 6:08 a.m. | 437 views

U.S. Dept Of Defense: Unrestricted File Upload Leads to XSS & Potential RCE

Summary: Unrestricted file upload at ████████/request?openform. When the user wants to upload a file, the app allows the user to upload an HTML file, leading to stored XSS and creation of a simple PHP script. A user can upload the HTML file and trigger XSS and trigger potential RCE with a PHP shell...

AI score 5.8
Exploits: 0

Hacker One | added 2020/01/10 12:07 p.m. | 435 views

Node.js: CRLF Injection in legacy url API (url.parse().hostname)

Summary: There is CRLF Injection in legacy url.hostname API. Description: During the recent penetration test, I have found a whitelist bypass using CRLF Injection. We did a code review and determined the issue is in a legacy url.hostname API. Not sure if it's a known issue or not, I wasn't able t...

AI score 7.8
Exploits: 0

Hacker One | added 2020/08/20 4:48 p.m. | 432 views

Dropcontact: Django DEBUG mode enabled and leaked system information.

We were leaking / showing system information. Django DEBUG mode was enabled and showing some information on some errors. I just followed the errors and finally got some sensitive system information such as configuration, API keys, database users, system directories, etc...

AI score 3.3
Exploits: 0

Hacker One | added 2023/01/21 6:03 p.m. | 430 views

Krisp: SQL Injection + Insecure Deserialization leads to Remote Code Execution on https://krisp.ai

The tenweb-speed-optimizer WordPress plugin prior to version 2.12.22 was vulnerable to unauthenticated SQL injection in /wp-json/tenwebio/v2/compress-one, which could be exploited to gain remote code execution by chaining it with insecure deserialization...

AI score 9.1
Exploits: 0

Hacker One | added 2021/05/28 12:40 a.m. | 429 views

Node.js: Node Installer Local Privilege Escalation

Node is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. To demonstrate thi...

CVSS 6.2 | AI score 2.3 | EPSS 0.07409
Exploits: 2

Hacker One | added 2014/04/08 12:07 p.m. | 429 views

Khan Academy: Weak Ciphers Enabled

Vulnerability Details:- I detected that weak ciphers are enabled during secure communication (SSL). You should allow only strong ciphers on your web server to protect secure communication with your visitors. Impact:- Attackers might decrypt SSL traffic between your server and your visitors. Remedy:...

AI score 2.1
Exploits: 0

Hacker One | added 2022/08/08 8:11 a.m. | 425 views

U.S. Dept Of Defense: springboot actuator is leaking internals at ██████████

Proof of Concept: If you go to https://█████████/actuator you'll get a complete overview of all the endpoints that are accessible. Suggestion: Use a Firefox browser if possible; its JSON representation is well formed and the links are clickable ██████████ Impact: Information Disclosure...

AI score 7.1
Exploits: 0

Hacker One | added 2017/04/15 8:54 p.m. | 424 views

Starbucks: Java Deserialization RCE via JBoss on card.starbucks.in

The researcher discovered that a Starbucks online system running on the domain http://card.starbucks.in/ performs deserialization of Java objects that are submitted by users on a specific path belonging to JBOSSMQ without sanitizing/validating the data. As a result, an attacker can inject a...

CVSS 7.5 | AI score 1 | EPSS 0.29323
Exploits: 5

Hacker One | added 2022/04/29 11:00 p.m. | 423 views

U.S. Dept Of Defense: CVE-2020-3187 - Unauthenticated Arbitrary File Deletion

A vulnerability in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted...

CVSS 7.5 | AI score 0.8 | EPSS 0.96595
Exploits: 4

Hacker One | added 2018/10/30 5:38 p.m. | 423 views

██████: Golden techniques to bypass host validations in Android apps

███...

AI score 1.7
Exploits: 0

Hacker One | added 2017/03/03 4:32 p.m. | 423 views

Rockstar Games: Bypass CAPTCHA protection

In this report, the researcher found that it was possible to bypass our CAPTCHA check by injecting a random value into the X-Forwarded-For header in the sign in POST request. At the time the researcher submitted this report, we only enforced CAPTCHA checks on sign-in requests that had failed...

AI score 0.7
Exploits: 0

Hacker One | added 2021/12/02 9:06 p.m. | 422 views

U.S. Dept Of Defense: [CVE-2020-3452] Unauthenticated file read in Cisco ASA

I found out that https://███/ was vulnerable to CVE-2020-3452. The IP has an SSL certificate pointing to DoD. curl -kv https://██████████/ Output: Server certificate: subject: █████ Impact: Anyone can read any file present on the server. System Hosts ████ Affected Products and Versions CVE Numbers...

CVSS 5 | AI score 0.2 | EPSS 0.99992
Exploits: 24

Hacker One | added 2015/09/14 10:55 p.m. | 421 views

ownCloud: Apache Range Header Denial of Service Attack (Confirmed PoC)

owncloud.com is vulnerable to Apache range header denial of service. This was confirmed by injecting Range: header payloads and analyzing the request vs. response times to an arbitrary page. The results confirm that processing times took up to 50,000 milliseconds per request when the range header...

CVSS 7.8 | AI score 1.6 | EPSS 0.98945
Exploits: 17

Hacker One | added 2021/05/12 4:52 p.m. | 420 views

Sifchain: CORS Misconfiguration

Summary: A cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of th...

AI score 6.7
Exploits: 0

Hacker One | added 2018/02/05 12:23 p.m. | 420 views

Mail.ru: [mobs.mail.ru] nginx path traversal via misconfigured alias

Domain, site, application -- mobs.mail.ru Steps to reproduce -- http://mobs.mail.ru/media../mobs/settings.py Actual results -- (py) ... SECRET_KEY = '████████████' ... DISTIMO_PRIVATE_KEY = '████████████' ... PoC, exploit code, screenshots, video, references, additional resources --...

AI score 1.6
Exploits: 0

Hacker One | added 2017/02/20 12:48 a.m. | 419 views

Shopify: Subdomain takeover on s3.shopify.com

Preword I know that this is not explicitly in scope, but I still felt it was serious enough to justify a report and let you decide the potential impact. Description The subdomain s3.shopify.com was pointed using CNAME to Amazon S3, but no bucket with that name was registered. This meant that anyo...

AI score 5.7
Exploits: 0

Hacker One | added 2020/05/17 8:13 p.m. | 415 views

U.S. Dept Of Defense: Remote Code Execution through DNN Cookie Deserialization

Summary: The application at https://████████ presents a deserialization vulnerability that permits RCE and file read/write Step-by-step Reproduction Instructions 1. Navigate to a random page that must return a 404 Error status like https://████/test 2. Add this cookie in the request header:...

AI score 1.3
Exploits: 0

Hacker One | added 2025/04/30 5:14 a.m. | 414 views

Omise: Facebook Username Takeover via Broken Link in Footer

The Facebook username associated with the broken link in the footer was available for takeover. This could have allowed an attacker to create a fake Facebook page and mislead users into trusting it...

AI score 6.9
Exploits: 0

Hacker One | added 2020/10/26 12:31 p.m. | 412 views

Acronis: Subdomains takeover of register.acronis.com, promo.acronis.com, info.acronis.com and promosandbox.acronis.com

Summary: The subdomains https://register.acronis.com, https://promo.acronis.com, https://info.acronis.com and https://promosandbox.acronis.com are vulnerable to takeover due to unclaimed Marketo CNAME records. Anyone is able to own these subdomains at the moment. This vulnerability is called...

Exploits: 0

Hacker One | added 2019/09/02 2:30 p.m. | 412 views

Mail.ru: Blind SSRF on sentry.dev-my.com due to Sentry misconfiguration

Insufficient isolation of Sentry installation could potentially lead to blind SSRF...

AI score 2.8
Exploits: 0

Hacker One | added 2021/01/05 9:03 p.m. | 409 views

Logitech: Host Header injection in oslo.io (using X-Forwarded-For header) leading to email spoofing

Hello team, I hope it will be a happy year for you and for me 😇 Summary: I found Host Header injection in oslo.io. I tried to use it to show the security effect on users, and I found this. Steps To Reproduce: 1. Well, first of all, enter your project 2. Make an invitation by email 3. Now through the...

Exploits: 0

Hacker One | added 2016/04/27 10:04 p.m. | 409 views

HackerOne: RCE in profile picture upload

Issue ===== The profile picture upload at /settings/profile/edit is vulnerable to remote code execution due to the uploaded file being passed to ImageMagick without checking whether it's an actual image. Combined with the fact that ImageMagick parses ASCII text as so called MVG Magic Vector...

AI score 0.7
Exploits: 0

Hacker One | added 2020/08/30 3:13 p.m. | 408 views

CS Money: Pixel Flood Attack leads to Application level DoS

Summary: Hello Team, I had gone through your policy and I saw that DoS is out of scope, but I am not sure about Application level DoS. Another reason to report this attack is that it affects real customers who want to chat with your support team. I had tested this with two accounts 1. From...

AI score 6.7
Exploits: 0

Hacker One | added 2024/12/11 6:19 a.m. | 406 views

AWS VDP: A potential risk in the aws-lambda-ecs-run-task which can be used for privilege escalation.

The aws-lambda-ecs-run-task application created a function with a role that had excessive permissions, including the AdministratorAccess policy. This allowed for potential privilege escalation by an attacker...

AI score 7.4
Exploits: 0

Hacker One | added 2020/03/19 9:29 p.m. | 406 views

BTFS: Subdomain Takeover uptime

Hello Team: I can't report it to the company, so I hope you accept it as a valid bug. I found a subdomain takeover in your subdomain uptime.btfs.io; I found this subdomain pointed to UptimeRobot and not claimed, so I signed up in UptimeRobot and claimed it. POC: ------ 1 - open https://uptime.btfs.io...

AI score 7.1
Exploits: 0

Hacker One | added 2019/06/08 11:11 a.m. | 404 views

Pornhub: Blind XSS in redtube administering site my.reflected.net

The researcher was able to execute Blind XSS in the Redtube WAF administering panel...

AI score 2.5
Exploits: 0

Hacker One | added 2016/02/10 6:53 p.m. | 404 views

Imgur: SSRF in https://imgur.com/vidgif/url

Hello, Short description ======== The https://imgur.com/vidgif/url endpoint is vulnerable to an SSRF vulnerability which allows an attacker to craft connections originating from imgur servers to any destination on the internet and the imgur internal network, and to craft outgoing UDP packets / telnet-based...

CVSS 9 | AI score 9 | EPSS 0.11027
Exploits: 0

Hacker One | added 2019/12/07 4:20 a.m. | 403 views

Yelp: DoS of https://blog.yelp.com/ and other WP instances via CVE-2018-6389

Description: It is possible for the /wp-admin/load-scripts.php script to generate a large (3 MB) amount of data via a simple non-authenticated request to the server. The vulnerability is registered as https://vulners.com/cve/CVE-2018-6389 Details: A detailed attack scenario is described, for example, here:...

CVSS 5 | AI score 0.6 | EPSS 0.73098
Exploits: 11

Hacker One | added 2018/09/13 10:13 p.m. | 403 views

Internet Bug Bounty: mod_userdir CRLF injection (CVE-2016-4975)

Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Reported to security team 24th July 2016 Issu...

CVSS 4.3 | AI score 7.4 | EPSS 0.19798
Exploits: 0

Hacker One | added 2014/11/17 10:31 p.m. | 403 views

QIWI: [send.qiwi.ru] Soap-based XXE vulnerability /soapserver/

An XML external entities injection vulnerability exists on the soap server hosted on send.qiwi.ru. The attack allows an attacker to open local files although perhaps not return the data, see below, leading at best to a DoS. Often this attack can be used to extract files from the server such as...

AI score 7.3
Exploits: 0

Hacker One | added 2019/09/14 10:51 p.m. | 401 views

U.S. Dept Of Defense: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████

Description Hello. Some time ago, researcher Orange Tsai from DEVCORE team had a talk on Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25: CVE-2019-11510 - Pre-auth Arbitrary File Reading CVE-2019-11542 - Post-auth Stack Buffer Overflow CVE-2019-11539 - Post-auth...

CVSS 7.5 | AI score 0.6 | EPSS 0.99999
Exploits: 38

Hacker One | added 2014/10/28 8:57 p.m. | 401 views

InVision: Backup of wordpress configuration file found. Leaking database users/passwords

Hi there, I noticed that there is a backup of the wordpress configuration file wp-config.php.orig publicly accessible. This file contains some sensitive information about your wordpress installation, including database users/passwords and secret tokens Proof curl...

AI score 6.4
Exploits: 0

Hacker One | added 2022/10/14 2:27 p.m. | 400 views

MTN Group: Reflected XSS in chatbot

Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts Pro...

AI score 6.2
Exploits: 0

Hacker One | added 2021/07/25 8:32 p.m. | 398 views

U.S. Dept Of Defense: XSS due to CVE-2020-3580 [███]

Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to conduct cross-site scripting XSS attacks against a user of the web services interface of an...

CVSS 2.6 | AI score 1.5 | EPSS 0.85439
Exploits: 2

Total number of security vulnerabilities: 5000