HackerOne, most viewed: 15365 matches found

Hacker One, added 2024/05/15 4:12 a.m., 50 views

Booking.com: Default Admin Account leads to full access control at https://desk-demo.fareharbor.engineering

Login to the application at https://desk-demo.fareharbor.engineering/login with [email protected], password: test F3271060 2. Realizing that the login is successful, the attacker can use all functions in the application. F3271059 Impact: attacker can use all admin functions...

AI score: 7; Exploits: 0
Hacker One, added 2024/03/05 10:53 a.m., 50 views

Internet Bug Bounty: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()

The django.utils.text.Truncator.words method with html=True and the truncatewords_html template filter were found to be vulnerable to a potential regular expression denial-of-service attack. The vulnerability was caused by regular expressions stored in variables that were susceptible to ReDoS attacks,...

CVSS: 5.3; AI score: 6.3; EPSS: 0.01854; Exploits: 0
Hacker One, added 2023/12/13 8:21 p.m., 50 views

Node.js: Denial of Service by resource exhaustion in fetch() brotli decoding

A denial of service vulnerability was identified in Node.js related to resource exhaustion when using the fetch function to retrieve content from an untrusted URL. The issue stems from fetch always decoding Brotli content, allowing an attacker controlling the URL to cause resource exhaustion...

CVSS: 6.5; AI score: 6.8; EPSS: 0.01309; Exploits: 0
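The failure mode in the entry above is a client that inflates whatever compressed body an attacker-chosen URL returns, with no ceiling on the decoded size. The following is an added example, not Node.js or undici code: Brotli is not in the Python standard library, so it uses zlib, which has the same shape of problem (a few KiB on the wire expanding to many MiB) and the same fix, a hard cap enforced while decoding. MAX_DECODED is an assumed policy value and make_bomb builds a constructed input.

```python
"""Bounded decoding of a compressed response body (added example).

Brotli is not in the Python standard library, so zlib stands in for it:
the pattern (tiny compressed input, unbounded decoded output) and the
control (decode with a ceiling) are the same. MAX_DECODED is an assumed
policy value, not anything from the Node.js advisory.
"""
import zlib

MAX_DECODED = 1 * 1024 * 1024   # 1 MiB ceiling on the decoded body (assumed)


class DecodedTooLarge(Exception):
    """Decoded body would exceed the configured ceiling."""


def make_bomb(size):
    """Constructed input: `size` zero bytes, which zlib shrinks roughly 1000x."""
    return zlib.compress(b"\x00" * size, 9)


def decode_unbounded(body):
    """The vulnerable behaviour: inflate everything and return the decoded
    length. Memory use is whatever the attacker chose to encode."""
    return len(zlib.decompress(body))


def decode_bounded(body, limit=MAX_DECODED):
    """Inflate with a hard ceiling.

    max_length stops the decompressor from producing more output than we
    are willing to hold in one call, and unconsumed_tail carries the input
    it has not looked at yet, so the loop aborts after at most limit+1
    decoded bytes no matter how large the stream really is.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = body
    while pending:
        out += d.decompress(pending, max_length=limit + 1 - len(out))
        if len(out) > limit:
            raise DecodedTooLarge(f"decoded body exceeds {limit} bytes")
        pending = d.unconsumed_tail
        if d.eof:
            break
    out += d.flush()          # trailing output of a truncated stream, if any
    if len(out) > limit:
        raise DecodedTooLarge(f"decoded body exceeds {limit} bytes")
    return bytes(out)


if __name__ == "__main__":
    bomb = make_bomb(8 * 1024 * 1024)
    print(f"{len(bomb)} bytes on the wire, {decode_unbounded(bomb)} decoded")
    try:
        decode_bounded(bomb)
    except DecodedTooLarge as exc:
        print("bounded decoder:", exc)
```

The same control applies to any transparent decoding a client performs on attacker-controlled responses (gzip, deflate, Brotli): the ceiling must be enforced on the decoded stream as it is produced, not on the Content-Length of the compressed body.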
Hacker One, added 2023/08/09 6:34 p.m., 50 views

Internet Bug Bounty: (CVE-2023-32006) Permissions policies can impersonate other modules in using module.constructor.createRequire()

A vulnerability was discovered in Node.js that allowed permissions policies to impersonate other modules using the module.constructor.createRequire function. This could bypass the policy mechanism and enable the loading of modules outside of the defined policy. The vulnerability affected all user...

CVSS: 8.8; AI score: 8.3; EPSS: 0.01273; Exploits: 0
Hacker One, added 2023/06/30 8:17 a.m., 50 views

Cloudflare Public Bug Bounty: Ability to bypass Admin override on Cloudflare WARP Android

A security vulnerability allowed an attacker with local access to an Android device running Cloudflare WARP to bypass the Admin override feature by changing the device's date and time settings. This allowed the attacker to extend the maximum allowed disconnected time of the WARP client granted by...

CVSS: 5.5; AI score: 5.2; EPSS: 0.00182; Exploits: 0
Hacker One, added 2022/12/15 7:07 p.m., 50 views

Kubernetes: The `io.kubernetes.client.util.generic.dynamic.Dynamics` contains a code execution vulnerability due to SnakeYAML

A code execution vulnerability was found in the io.kubernetes.client.util.generic.dynamic.Dynamics class of the Kubernetes Java Client version 17.0.0. The vulnerability was due to the use of the SnakeYAML parser without a safe constructor, which allowed an attacker to achieve code execution inside the...

CVSS: 9.8; AI score: 8.8; EPSS: 0.99615; Exploits: 7
Hacker One, added 2022/07/11 9:19 a.m., 50 views

Cloudflare Public Bug Bounty: Completely remove VPN profile from locked WARP iOS client.

It was possible for a user to delete the VPN profile from the WARP mobile client on iOS despite the Lock WARP switch feature being enabled on the Zero Trust platform. This led to bypassing the policies and restrictions enforced for enrolled devices by the Zero Trust platform. The issue was fixed in Warp...

CVSS: 5.5; AI score: 1.8; EPSS: 0.0037; Exploits: 0
Hacker One, added 2022/05/23 7:23 a.m., 50 views

Acronis: unauth mosquitto (client emails, IPs, license keys exposure)

Hi team. Summary: connect.acronis.com (ip 88.99.142.45:1883) has unauth mosquitto mqtt; anyone can connect and read/write messages. Steps To Reproduce (add details for how we can reproduce the issue): 1. https://github.com/bapowell/python-mqtt-client-shell 1. python3 mqttclientshell.py 1. connection 1...

AI score: 0.8; Exploits: 0
Hacker One, added 2021/10/25 4:49 a.m., 50 views

Panther Labs: Broken subdomain takeover of runpanther which was pointing towards herokuapp

An outdated link on our public blog pointed to a decommissioned Slack sign-up app hosted on Heroku for our also-decommissioned open source Slack community. The reporter was able to re-register the decommissioned subdomain with his own Heroku account...

AI score: 6.8; Exploits: 0
Hacker One, added 2021/10/23 6:52 a.m., 50 views

IBM: Remote Code Execution at https://169.38.86.185/ (edst.ibm.com)

A discovered GitLab server was running an old version affected by RCE. This vulnerability could have allowed an unauthenticated attacker to compromise the server via a public exploit for the ExifTool issue. The issue was reported to IBM and remediated...

AI score: 6.9; Exploits: 0
Hacker One, added 2021/08/03 5:49 p.m., 50 views

Mail.ru: [185.30.178.57:8080] - Vulnerable to Jetleak

sfpc.euits.dev-my.games runs a Jetty web server vulnerable to JetLeak...

AI score: 1.5; Exploits: 0
Hacker One, added 2021/05/23 1:27 a.m., 50 views

VK.com: Open redirect in a bot message carousel

Open redirect in chat-bot carousels. The vulnerability allows redirecting a user to a malicious link from the carousel, bypassing away.php...

AI score: 6.9; Exploits: 0
Hacker One, added 2021/04/18 1:00 p.m., 50 views

Nextcloud: Unexpected federated shares added via public link

So I'm not 100% sure if this is a security issue or not. But it is in my opinion at least unexpected and could be handled better to make sure people trust the system. 1. Get a public link share (again, plenty of those around) 2. Click 'add to your Nextcloud' 3. A federated share is added/create...

AI score: 7; Exploits: 0
Hacker One, added 2021/02/11 6:08 p.m., 50 views

VK.com: Stored XSS when removing a group from a conversation (m.vk.com)

Insufficient filtering of characters in the community name...

AI score: 6.9; Exploits: 0
Hacker One, added 2020/07/26 12:51 a.m., 50 views

Imgur: Stored XSS in Post title (PoC)

Hello, Stored XSS in Post title, example: https://imgur.com/gallery/Y5JUzv3, Thanks. Impact: steal cookies and session...

AI score: 6.2; Exploits: 0
Hacker One, added 2020/07/13 11:14 a.m., 50 views

Nextcloud: No rate limiting on signup page

Hi Team, Summary: As a best practice a login page should have rate limiting. Below is the captured request of the respective login page of nextcloud.com: POST...

CVSS: 5; AI score: 0.5; EPSS: 0.01906; Exploits: 1
Hacker One, added 2020/06/08 3:56 p.m., 50 views

Internet Bug Bounty: IP-in-IP protocol routes arbitrary traffic by default - CVE-2020-10136

Many machines (150K-180K) on the internet accept and route IP over IP by default. IP-in-IP encapsulation is a tunneling protocol specified in RFC 2003 that allows IP packets to be encapsulated inside another IP packet. This is very similar to IPsec VPNs in tunnel mode, except in the case of...

CVSS: 5; AI score: 5.6; EPSS: 0.26458; Exploits: 0
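What "accepts and routes IP over IP by default" means on the wire, as an added example that is not part of the report: an outer IPv4 header with protocol 4 wrapping a complete inner IPv4 packet whose source and destination the sender chooses freely. A host that decapsulates protocol 4 from anyone and hands the inner packet to its forwarding path is an open relay that can be used to spoof traffic into networks that trust it. The code below builds such a packet, shows the permissive behaviour, and then the policy a tunnel endpoint should apply (only configured peers, and inner sources restricted per peer). The peer table and all addresses are constructed from RFC 5737 documentation ranges.

```python
"""IP-in-IP (RFC 2003) packets and a decapsulation policy (added example).

Not code from the advisory or any vendor. The tunnel-peer table and the
addresses (RFC 5737 ranges) are constructed for illustration.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4     # RFC 2003 "IP in IP"
IPPROTO_UDP = 17
# version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
HDR = "!BBHHHBBH4s4s"


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header. Checksum is left zero (a sending kernel
    or NIC fills it in) and is not verified when parsing."""
    return struct.pack(HDR, (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt):
    """Parse one IPv4 header and return src, dst, ttl, proto and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("bad length fields")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "proto": proto, "payload": pkt[ihl:total_len]}


def build_ipip(outer_src, outer_dst, inner_src, inner_dst, inner_proto, inner_payload):
    """Outer header (protocol 4) wrapping a complete inner IPv4 packet."""
    inner = ipv4_header(inner_src, inner_dst, inner_proto, len(inner_payload)) + inner_payload
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner


def decapsulate_permissive(pkt):
    """The default the report describes: any protocol-4 packet is unwrapped
    and the inner packet (attacker-chosen src and dst) is routed."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        return None
    return parse_ipv4(outer["payload"])


def decapsulate(pkt, local_addr, tunnel_peers):
    """Unwrap only for configured peers. tunnel_peers maps a peer's outer
    address to the inner source network it is allowed to originate, which
    is the anti-spoofing check a real tunnel endpoint needs.
    Returns (inner_packet, "forward") or (None, reason)."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        return None, "not IP-in-IP"
    if outer["dst"] != local_addr:
        return None, "outer destination is not this host"
    allowed_inner = tunnel_peers.get(outer["src"])
    if allowed_inner is None:
        return None, f"outer source {outer['src']} is not a configured tunnel peer"
    inner = parse_ipv4(outer["payload"])
    if ipaddress.IPv4Address(inner["src"]) not in ipaddress.IPv4Network(allowed_inner):
        return None, f"inner source {inner['src']} is outside {allowed_inner} for this peer"
    return inner, "forward"


if __name__ == "__main__":
    victim = "203.0.113.1"
    peers = {"203.0.113.9": "10.20.0.0/16"}          # constructed peer table
    attack = build_ipip("198.51.100.66", victim, "10.20.5.5", "10.20.0.2", IPPROTO_UDP, b"spoofed")
    print("permissive host forwards:", decapsulate_permissive(attack)["dst"])
    print("policy host:", decapsulate(attack, victim, peers)[1])
```

On Linux the equivalent operational control is to not load or bind the ipip module on hosts that are not tunnel endpoints and to drop protocol 4 at the edge (e.g. an `iptables -p 4` rule) except from known peers; the code above is the logic such a rule implements.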
Hacker One, added 2020/04/13 6:52 p.m., 50 views

Mail.ru: XSS in [community.my.games]

Cross-site scripting in community.my.games via post comments. All we say is Thank You for an Account Takeover Flaw!...

AI score: 2.3; Exploits: 0
Hacker One, added 2020/03/21 3:41 p.m., 50 views

Staging.every.org: Private account's causes displayed through API

Summary: Any authenticated user can see which causes a private-account user is interested in by sending a GET request to the API, even though this information is not displayed anywhere on the profile page. In the profile settings, the following message is displayed for the "Private Supporter" option...

AI score: 6.4; Exploits: 0
Hacker One, added 2020/02/17 9:45 p.m., 50 views

FileZilla: FileZilla 3.46.3 - 'Scale factor' Buffer Overflow

Summary: FileZilla has a problem: the "Scale Factor" field is vulnerable to a buffer overflow attack or a denial-of-service attack, by adding random characters in an entry that must accept only float input values. Steps To Reproduce: A python file named generatepaste.py was generated for the...

AI score: 2.1; Exploits: 0
Hacker One, added 2020/01/06 8:39 p.m., 50 views

Valve: [GoldSrc] RCE via 'spk' Console Command

Details: Description: RCE can be achieved on clients via the 'spk' console command due to missing length checks before copying into a stack-based buffer. POC: 1. Place the attached cfg file in the root directory of the game: F676967 2. Launch the game and bring up the console with 3. Type in exec...

AI score: 0.7; Exploits: 0
Hacker One, added 2019/07/11 2:55 p.m., 50 views

HackerOne: Total bounties paid amount is disclosed because of redesign of the Program Profiles

Description: On July 2 HackerOne redesigned the Program Profiles. After the new program page design, I noticed that it is disclosing the total bounties paid amount. For some programs the total bounties paid amount was hidden ████. It used to show like $4000 if the bounty was $3990. But after the redesign, i...

AI score: 6.8; Exploits: 0
Hacker One, added 2019/05/28 8:08 p.m., 50 views

Shopify: XSS on services.shopify.com

Hi security, I got a stored XSS in one of your sub-domains, "services.shopify.com". Steps: 1- Go to https://yourstore.myshopify.com/admin/apps/expertsmarketplace/servicesmarketplace 2- Then go to All services > Marketing and sales > email marketing > Design custom email templates, click select 3- fill all the...

AI score: 6.8; Exploits: 0
Hacker One, added 2019/05/07 8:29 a.m., 50 views

Node.js third-party modules: [serve-here.js] List any file in the folder by using path traversal.

I would like to report Path Traversal in serve-here.js. It allows listing any file in another folder of the web root. Module: module name: serve-here.js, version: 1.1.3, npm page: https://www.npmjs.com/package/serve-here.js. Module Description: Serve static files over HTTP. Vulnerability: Vulnerability...

CVSS: 5; AI score: 0.6; EPSS: 0.01502; Exploits: 1
Hacker One, added 2019/04/16 5:04 p.m., 50 views

TomTom: CSRF allows attacker to manage customer's shopping cart.

The following endpoint https://www.tomtom.com:443/enus/store/basket-add.html had no CSRF checks / tokens whatsoever, which allows a malicious user to add massive amounts of any product to a victim's cart or empty the cart. The CSRF POC file included adds 50 items of the given product to a...

AI score: 1.3; Exploits: 0
Hacker One, added 2019/04/10 3:50 p.m., 50 views

Shopify: Unpublished Product Images can be disclosed

Hi, this looks like a minor issue but felt like it was something worth reporting. Ideally, a product can be published or remain unpublished on any sales channel. If a product remains unpublished, then no information regarding it must be visible to the public, including product pictures. But I found an...

AI score: 0.6; Exploits: 0
Hacker One, added 2019/04/02 5:34 p.m., 50 views

Mail.ru: Source code disclosure

A PHP configuration file was available for download on a few terrhq.ru subdomains...

AI score: 1.4; Exploits: 0
Hacker One, added 2019/03/05 4:55 p.m., 50 views

Internet Bug Bounty: DOS in stream filters

See bug report https://bugs.php.net/bug.php?id=76249. As simple as one process running in an endless loop. Impact: DOS; the process ends up in an endless loop, and CPU or available PHP processes or both on the affected system get easily exhausted...

CVSS: 5; AI score: 8; EPSS: 0.10564; Exploits: 0
Hacker One, added 2018/11/30 12:23 a.m., 50 views

Liberapay: Import of repositories from GitHub is tied to username instead of immutable ID

When a user verifies a GitHub account at /edit/elsewhere the final result is a GitHub username tied to a Liberapay account. The issue is that GitHub usernames are mutable. Consider the scenario: 1. I create an account called ed-liberapay, something likely to be claimed in the future 2. Verify that I ow...

AI score: 1; Exploits: 0
Hacker One, added 2018/11/07 1:52 p.m., 50 views

Phabricator: TOTP Key is shorter than RFC 4226 recommended minimum

mongoose Observed Behavior: When creating a TOTP secret, a 16-character base32 encoded string is presented to the user. Expected Behavior: I would expect a 32-character base32 secret to be presented. The RFC recommends 160 bits of entropy, which is 32 characters × 5 bits per character in base32...

AI score: 0.7; Exploits: 0
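The arithmetic behind the report, as an added example that is not Phabricator's code: RFC 4226 section 4 requires a shared secret of at least 128 bits and recommends 160; base32 carries 5 bits per character, so 16 characters is 80 bits (below the minimum) and 32 characters is 160 bits. The block generates a secret of the recommended length, measures the key length of any base32 secret, and includes a working HOTP/TOTP (RFC 4226 / RFC 6238) so the secret can be exercised end to end. The thresholds are the RFC's; the check_secret_length verdict strings are this example's own.

```python
"""TOTP secret length per RFC 4226 section 4, with HOTP/TOTP (added example).

Not Phabricator code. RFC 4226 sets a 128-bit minimum and recommends
160 bits for the shared secret; base32 encodes 5 bits per character.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

RFC4226_MIN_BITS = 128
RFC4226_RECOMMENDED_BITS = 160


def generate_totp_secret(nbytes=20):
    """20 random bytes = 160 bits, which base32 encodes to exactly 32
    characters with no '=' padding (20 is a multiple of the 5-byte group)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_base32(secret):
    """Decode a base32 secret whether or not its '=' padding was stripped
    (authenticator apps and QR payloads usually strip it)."""
    s = secret.strip().replace(" ", "").rstrip("=").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8), casefold=True)


def secret_entropy_bits(secret):
    """Key length in bits, assuming every decoded byte is random."""
    return len(decode_base32(secret)) * 8


def check_secret_length(secret):
    """Verdict strings are this example's own, thresholds are RFC 4226's."""
    bits = secret_entropy_bits(secret)
    if bits < RFC4226_MIN_BITS:
        return "below RFC 4226 minimum"
    if bits < RFC4226_RECOMMENDED_BITS:
        return "meets minimum, below recommended"
    return "ok"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    key = decode_base32(secret)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = time.time() if at is None else at
    return hotp(secret, int(t // step), digits)


if __name__ == "__main__":
    s = generate_totp_secret()
    print(len(s), "chars,", secret_entropy_bits(s), "bits:", check_secret_length(s))
    print("current code:", totp(s))
```

The test vectors used below are the ones published in RFC 4226 (secret "12345678901234567890", counters 0..2) and RFC 6238 (time 59 s), so the HOTP implementation is checked against the standard rather than against itself.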
Hacker One, added 2018/10/03 4:37 p.m., 50 views

Mail.ru: build.sh found on webagent.mail.ru

The source code of the build script for a web application was available for download. It could leak some non-sensitive information on internal build processes and configurations...

AI score: 1.5; Exploits: 0
Hacker One, added 2018/09/10 4:28 p.m., 50 views

BOHEMIA INTERACTIVE a.s.: Weak Password Policy on Signup at https://accounts.bistudio.com/auth

Hi, I found that you are using a weak password policy, because a user can set his password the same as his email address! Steps to reproduce: 1. Register an account with email address "[email protected]" 2. Also password "[email protected]". You can see both values are the same. You will become successfully register...

AI score: 7; Exploits: 0
Hacker One, added 2018/09/01 10:44 a.m., 50 views

Khan Academy: SignUp With Fake Email

Hello KhanAcademy Security Team, I'm rootbakar. I found an oddity that allows a user to register with Khan Academy using an invalid or fake email. In this trial I used the email '[email protected]' and after pressing the SIGN UP button it will automatically enter the user dashboard pag...

AI score: 0.3; Exploits: 0
Hacker One, added 2018/08/21 12:53 a.m., 50 views

Uber: Stored XSS on auth.uber.com/oauth/v2/authorize via redirect_uri parameter leads to Account Takeover

By getting an authenticated victim to visit a malicious link, an attacker can cause that victim to execute arbitrary JavaScript in the context of the login.uber.com or auth.uber.com domains...

AI score: 3.5; Exploits: 0
Hacker One, added 2018/08/02 12:13 p.m., 50 views

HackerOne: TeamProfile exposes partially sensitive information through GraphQL

I noticed there is a new field teamprofile added, and using the GraphQL query below, the latest serious report and reports received in three months were exposed: "query":"query Dashboardreportseveritybreakdowntable$first0:Int! \n query \n id,\n ...F0\n \n\nfragment F0 on Query \n...

AI score: 0.1; Exploits: 0
Hacker One, added 2018/05/31 7:53 p.m., 50 views

Starbucks: SQL Injection Proof of Concept for Starbucks URL

browser: firefox quantum 60.0.1 64 bit; os: windows 10; sqli type: char formula injection; info found: oracle database system; url: https://www.starbucks.de/coffee/our-coffees/format/whole-bean; injected url using oracle concatenation and char functions:...

AI score: 0.2; Exploits: 0
Hacker One, added 2018/05/27 1:57 p.m., 50 views

Nextcloud: Disclosed Version of PORTS SSH|HTTP|SSL

I found that versions of ports are disclosed, but the interesting thing is that the SSH port is open and showing its version == OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 Ubuntu Linux; protocol 2.0 F:302383 Searching, I have found that this version has common vulnerabilities https://vuldb.com/?id.89622 So it's not good to disclos...

AI score: 0.6; Exploits: 0
Hacker One, added 2018/05/24 5:10 p.m., 50 views

Node.js third-party modules: [simplehttpserver] List any file in the folder by using path traversal.

I would like to report Path Traversal in simplehttpserver. It allows listing any file in another folder of the web root. Module: module name: simplehttpserver, version: 0.1.1, npm page: https://www.npmjs.com/package/simplehttpserver. Module Description: 'simplehttpserver' is a simple imitation of Python's...

CVSS: 5; AI score: 0.5; EPSS: 0.02038; Exploits: 1
Hacker One, added 2018/03/24 2:49 a.m., 50 views

U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website

An application deserialization vulnerability was found in a misconfigured Department of Defense (DoD) website by @joaomatosf via POST/GET request. Impressive work. This showcases your skills! Thank you for supporting the DoD Vulnerability Disclosure Program!...

CVSS: 7.5; AI score: 2.3; EPSS: 0.43492; Exploits: 4
Hacker One, added 2018/02/26 2:13 p.m., 50 views

Node.js third-party modules: [m-server] Path Traversal allows to display content of arbitrary file(s) from the server

I would like to report Path Traversal in the m-server module. It allows reading the content of any arbitrary file from the server where m-server is installed and run. Module: module name: m-server, version: 1.4.0, npm page: https://www.npmjs.com/package/m-server. Module Description: M-Server is a mini http...

CVSS: 4; AI score: 0.4; EPSS: 0.01333; Exploits: 1
Hacker One, added 2018/02/02 6:57 p.m., 50 views

LocalTapiola: Securemail server used for internal spam and resource exhaustion

Basic report information. Summary: The confidential message system fails to restrict a large number of recipients. This might lead to hardware exhaustion and/or attacking LocalTapiola internal employees as securemail recipients. Description: Although https://secure.lahitapiola.fi/ is designed to send...

AI score: 6.7; Exploits: 0
Hacker One, added 2017/11/29 11:11 a.m., 50 views

HackerOne: Query parameter reordering causes redirect page to render unsafe URL

Hello hackerone team, I want to report a bypass which leads to XSS, but limited only to IE due to CSP blocking it on Chrome. Here is the POC: https://hackerone.com/redirect?signature=c9304cadaeabca0bfb7b92503c0318da5c42a86b&url=http%3A%2F%2Fbuglabs.me&url=JAVASCRIPT:alert%09document.domain...

AI score: 6.2; Exploits: 0
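The PoC above supplies `url` twice: one value carries a valid signature, the other is a `javascript:` URL. The bug class is two code paths disagreeing about which duplicate wins, so the value that is verified is not the value that is rendered. The following is an added, illustrative reconstruction and not HackerOne's code: SIGNING_KEY and the HMAC-SHA256 signing scheme are assumptions, and the exact parsing HackerOne used is not known from the entry; what the block shows is the generic shape (first value checked, last value rendered) and the fix (reject duplicates, verify the single value, allow only http/https targets).

```python
"""Signed redirect whose verifier and renderer disagree on duplicate query
parameters (added example; illustrative reconstruction, not HackerOne code).
SIGNING_KEY and the HMAC-SHA256 scheme are assumptions.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

SIGNING_KEY = b"constructed-demo-key"   # assumed; a real key lives in a secret store


def sign(url):
    return hmac.new(SIGNING_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def make_redirect_link(url):
    """Server-side link builder: /redirect?signature=...&url=..."""
    return "/redirect?" + urlencode({"signature": sign(url), "url": url})


def vulnerable_redirect_target(link):
    """Verifies the FIRST `url` value (list-based lookup) but redirects to
    the LAST one, because dict(parse_qsl(...)) keeps the last duplicate.
    Appending '&url=javascript:...' therefore passes verification."""
    pairs = parse_qsl(urlsplit(link).query, keep_blank_values=True)
    first_url = next(v for k, v in pairs if k == "url")
    last = dict(pairs)
    if not hmac.compare_digest(sign(first_url), last.get("signature", "")):
        raise ValueError("bad signature")
    return last["url"]


def safe_redirect_target(link):
    """Reject duplicate parameters, verify the one url value, and allow
    only http(s) targets before anything is rendered or redirected to."""
    pairs = parse_qsl(urlsplit(link).query, keep_blank_values=True)
    keys = [k for k, _ in pairs]
    if keys.count("url") != 1 or keys.count("signature") != 1:
        raise ValueError("duplicate or missing parameter")
    params = dict(pairs)
    if not hmac.compare_digest(sign(params["url"]), params["signature"]):
        raise ValueError("bad signature")
    if urlsplit(params["url"]).scheme.lower() not in ("http", "https"):
        raise ValueError("unsafe scheme")
    return params["url"]


if __name__ == "__main__":
    good = make_redirect_link("http://buglabs.example/")
    tampered = good + "&url=JAVASCRIPT:alert%09document.domain"
    print("vulnerable renders:", vulnerable_redirect_target(tampered))
    try:
        safe_redirect_target(tampered)
    except ValueError as exc:
        print("safe rejects:", exc)
```

The scheme allow-list is the defence that would have held even if the duplicate check were missing: a signed redirect should never be able to render a `javascript:` or `data:` target regardless of how the parameters were parsed.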
Hacker One, added 2017/09/26 1:17 p.m., 50 views

Rockstar Games: Client-side Template Injection in Search, user email/token leak and maybe sandbox escape

In this report, the researcher was able to perform AngularJS Template Injection on our Support site in order to retrieve data, including email address, userid and tokens. Typically, a user is always able to retrieve this information about themselves and on its own, this is known behavior. However...

AI score: 0.4; Exploits: 0
Hacker One, added 2017/09/23 9:06 p.m., 50 views

Zomato: SSRF in https://www.zomato.com████ allows reading local files and website source code

@nbsp found an SSRF vulnerability which leads to reading local files from the web server: source code and system files. We have resolved the issue quickly and rewarded the researcher...

AI score: 6.7; Exploits: 0
Hacker One, added 2017/09/22 8:33 p.m., 50 views

GitLab: [Markdown] Stored XSS via character encoding parser bypass

Hi @briann and team, A carefully crafted injection used against the Markdown input parser can be leveraged to store and execute arbitrary JavaScript on GitLab 10.0 hosts. Given the nature of this injection, which makes use of a rather esoteric filter bypass, the scope for exploitation may vary...

AI score: 7.5; Exploits: 0
Hacker One, added 2017/09/04 7:53 a.m., 50 views

Radancy: [Cross Domain Referrer Leakage] Password Reset Token Leaking to Third-party Sites.

Domain and URL: https://werkenbijdefensie.nl Summary: Password Reset Token Leaking to Third-party Sites from the link in the footer. Description: Hello, I found that if a user requests a password reset link and opens it but doesn't change the password and clicks on the third-party sites link...

AI score: 6.8; Exploits: 0
Hacker One, added 2017/08/30 1:51 a.m., 50 views

Roblox: Subdomain Takeover at creatorforum.roblox.com

Hello. A few days ago, I was looking at Roblox subdomains, and I noticed an unusual one called creatorforum.roblox.com. Upon further investigation, I visited it and saw that creatorforum.roblox.com's CNAME pointed to a nonexistent Discourse site. I immediately reported to [email protected], and...

AI score: 6.8; Exploits: 0
Hacker One, added 2017/06/26 4:39 p.m., 50 views

Mixmax: SSRF via webhook

Hi, there exists an SSRF vulnerability in the account webhook feature, allowing an attacker to verify the existence of the EC2 metadata URL and enumerate URLs. POC: 1. Create a webhook at https://app.mixmax.com/dashboard/settings/rules with url http://169.254.169.254/latest/meta-data/. 2...

AI score: 6.9; Exploits: 0
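Webhook and "fetch this URL" features are the usual SSRF entry point, and the metadata address in the PoC above is the usual target. The following is an added example and not Mixmax's code: a validator that accepts only http(s) to a standard port, refuses credentials in the URL, and resolves the hostname and checks every returned address against loopback, link-local (169.254.0.0/16, where the EC2 metadata service lives), private, multicast and reserved ranges, including an IPv4 address hidden inside an IPv4-mapped IPv6 literal. The resolver is injectable so the block runs offline; FAKE_DNS is a constructed lookup table, and 8.8.8.8 in it stands for "some public address". ALLOWED_PORTS is an assumed policy.

```python
"""Webhook URL validation with resolve-then-check against internal ranges
(added example, not Mixmax code). FAKE_DNS is a constructed lookup table;
ALLOWED_PORTS is an assumed policy.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}            # assumed policy: no reaching internal admin ports

FAKE_DNS = {                         # constructed; 8.8.8.8 stands for "a public host"
    "hooks.example.net": ["8.8.8.8"],
    "evil.example": ["8.8.8.8", "169.254.169.254"],   # attacker-controlled name, one bad record
    "localtest.example": ["127.0.0.1"],
}


def fake_resolver(host):
    return FAKE_DNS[host]


def system_resolver(host):
    """Real lookup returning every A/AAAA record, so a name with one public
    and one internal answer is still caught."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def is_internal(ip_text):
    """True for any address a webhook must never reach."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:169.254.169.254
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_webhook_url(url, resolver=system_resolver):
    """Return (host, [addresses]) for an acceptable URL, else raise ValueError.
    The caller should connect to one of the returned addresses (pin it) rather
    than resolving again, otherwise a DNS rebind between check and use wins."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError("port not allowed")
    try:
        addrs = [str(ipaddress.ip_address(host))]      # IP literal, no lookup needed
    except ValueError:
        try:
            addrs = list(resolver(host))
        except Exception as exc:
            raise ValueError(f"cannot resolve {host}") from exc
    if not addrs:
        raise ValueError("no addresses")
    for addr in addrs:
        if is_internal(addr):
            raise ValueError(f"{host} resolves to internal address {addr}")
    return host, addrs


if __name__ == "__main__":
    for u in ["https://hooks.example.net/events", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/", "https://evil.example/"]:
        try:
            print("accept", validate_webhook_url(u, fake_resolver))
        except ValueError as exc:
            print("reject", u, "->", exc)
```

Two caveats this check does not remove: a redirect from the accepted host can still point at an internal address, so the HTTP client must re-validate on every hop (or not follow redirects), and the resolved address must be the one actually connected to, since resolving again at connect time reopens the rebinding window.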
Hacker One, added 2017/06/15 6:17 a.m., 50 views

Ubiquiti Inc.: CSRF: Replacing the router configuration backup having an 'operator' user and bypassing the 'Referer:' whitelist protection

In EdgeOS version 1.9.1 and prior, the researcher was able to bypass the CSRF protection. An attacker with access to an operator (read-only) account can lure an admin root user into accessing an attacker-controlled page; doing so allows the attacker to gain admin privileges on the system...

CVSS: 8.5; AI score: 7.8; EPSS: 0.00558; Exploits: 0
Hacker One, added 2017/06/04 4:15 a.m., 50 views

Shopify: [out-of-scope] toxiproxy: Lack of CSRF protection allows an attacker to gain access to internal Shopify network

Disclaimer: In case this report ever becomes public, I wanted to start it out with a disclaimer so it doesn't become referenced as an example for out-of-scope/policy-violating submissions in the future. At the time of submission this report is out of scope and as such I have no expectations of reward...

AI score: 7.4; Exploits: 0
Total number of security vulnerabilities: 5000