HackerOne reports, sorted by most viewed

15369 matches found

Hacker One, added 2018/10/28 9:18 p.m., 49 views

Infogram: Stored XSS in infogram.com via language

The stored XSS was found in the language profile parameter. POC: Change profile settings with following request: http PUT /api/users/me HTTP/1.1 Host: infogram.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0 Accept: */* Accept-Language: en-US,en;q=0.5...

AI score: 5.6
Exploits: 0

Hacker One, added 2018/10/06 1:09 a.m., 49 views

HackerOne: Unauthenticated user can upload an attachment to the last updated report draft

The newly launched beta embedded submissions form introduced the concept of anonymous submissions. When an anonymous user starts writing a report through an embedded form, a UUID will be generated to track their submission. Any object that is created will reference this UUID. We call this a trace...

AI score: 7.1
Exploits: 0

Hacker One, added 2018/10/04 9:07 a.m., 49 views

Zomato: Reflected XSS on developers.zomato.com

There is a vulnerability in https://developers.zomato.com/documentation due to an old version of Swagger UI Step to reproduce: - Create an endpoint containing : json "swagger":"2.0","info":"description":"This is a sample server Petstore server. You can find out more about Swagger at...

AI score: 7.2
Exploits: 0

Hacker One, added 2018/09/29 6:41 a.m., 49 views

Brave Software: Field Day With Protocol Handlers

Summary ===================== When launching a protocol such as mailto:, SEARCH:, or bitcoin:, Brave only asks to allow the protocol to be opened by an external application. You can select on whether or not to remember the decision or not and to allow or deny it. The issue is that upon selecting...

AI score: 7
Exploits: 0

Hacker One, added 2018/09/22 7:06 a.m., 49 views

Khan Academy: Creating Unlimited Fake Accounts.

Hello @khanacademy, Anyone can create unlimited fake accounts using temp mails, i.e. https://temp-mail.org/en/ 1- Go to https://temp-mail.org/en/ 2- Select a mail 3- Enter that mail while creating an account in khanacademy 4- You will get a confirmation mail from khanacademy on https://temp-mail.org/en/...

AI score: 0.5
Exploits: 0

Hacker One, added 2018/09/15 1:52 p.m., 49 views

Tor: Expose user IP if TOR crashes

Greetings, I have noticed that for an unpredictable reason a TOR relay can expose the IP of a user. I noticed this by going to the server http://195.176.3.24/ and getting information about the headers. I arrived at this header, which is: "X-Your-Address-Is". How: -- - So I went to this tor-relay...

AI score: 0.5
Exploits: 0

Hacker One, added 2018/09/05 1:49 a.m., 49 views

Node.js third-party modules: [apex-publish-static-files] Command Injection on connectString

I would like to report a command injection vulnerability in the apex-publish-static-files npm module. It allows arbitrary shell command execution through a maliciously crafted argument. Module module name: apex-publish-static-files version: 2.0.0 npm page:...

CVSS: 10, AI score: 0.6, EPSS: 0.06991
Exploits: 1

Hacker One, added 2018/07/19 10:54 a.m., 49 views

WordPress: xss - reflected

vulnerable url: http://masterplan.wordpress.net/store/checkout/ payload: 1 Main Streetzbn0b"alertdocument.cookiek8ez0 vulnerable parameter: billing-address Request: POST /store/checkout/ HTTP/1.1 Host: masterplan.wordpress.net Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en...

AI score: 0.2
Exploits: 0

Hacker One, added 2018/07/13 3:38 a.m., 49 views

Slack: SSRF in api.slack.com, using slash commands and bypassing the protections.

Bypassing the reports 61312 and 356765 Tutorial: Go to api.slack.com and create an application with your own slash command. F320014 Enter your own domain: in your own domain: index.php location: http://:::22/ F320019 And save. Go to your Slack and type /youslash Try with my server...

AI score: 0.2
Exploits: 0

Hacker One, added 2018/06/03 8:02 a.m., 49 views

Monero: Trusted daemon check fails when proxied through torsocks or proxychains

Summary: If torsocks(1) or proxychains(1) is enforced when using Monero wallet with a remote node without explicit --untrusted-daemon arguments given, the application will assume the daemon is trusted. Description: By default, the wallet checks if the daemon address can be trusted by calling...

AI score: 1.3
Exploits: 0

Hacker One, added 2018/05/04 5:16 p.m., 49 views

Zomato: XSS in "explore-keywords-dropdown" results.

It seems that people have exploited this vulnerability before on this website; however, it remains unpatched, so here I am reporting the vulnerability. An XSS vulnerability exists when a restaurant or dish is created with a malicious name. The title of the dish or restaurant is not properly filter...

AI score: 0.3
Exploits: 0

Hacker One, added 2018/05/03 12:04 a.m., 49 views

Mail.ru: LFI in beta.mail.ru

Local file read via file:// URI in report's image in beta.mail.ru. beta.mail.ru is not currently covered by bug bounty program. Reading of arbitrary server files due to insufficient validation of attached images...

AI score: 1.3
Exploits: 0

Hacker One, added 2018/04/18 6:24 p.m., 49 views

Node.js third-party modules: Command injection in 'pdf-image'

I would like to report command injection in pdf-image It allows executing commands on the server Module module name: pdf-image version: 1.0.5 npm page: https://www.npmjs.com/package/pdf-image Module Description Provides an interface to convert PDF's pages to png files in Node.js by using...

CVSS: 10, AI score: 0.8, EPSS: 0.04568
Exploits: 2

Hacker One, added 2018/04/11 8:59 p.m., 49 views

Shopify: Potential to abuse pricing errors in saved carts

If someone abandons a shopping cart and the price changes between that time and when the abandoned cart recovery email is sent, the saved cart will always show the old price. If saved carts do not expire, this can create a situation where bad actors can fill and save shopping carts with sale pric...

AI score: 0.5
Exploits: 0

Hacker One, added 2018/01/30 3:14 p.m., 49 views

Node.js third-party modules: Prototype pollution attack (defaults-deep)

As discussed in 309391, here's the separate report for each library. This one is the information for the defaults-deep library. Module: https://www.npmjs.com/package/defaults-deep Summary: Utility functions in all the listed modules can be tricked into modifying the prototype of "Object"...

CVSS: 6.5, AI score: 8.9, EPSS: 0.02036
Exploits: 1

Hacker One, added 2017/12/07 4:44 a.m., 49 views

RBKmoney: Open Redirection on auth.rbk.money

An open redirect vulnerability was found in KeyCloak. Find writeup soon in my website ; Edit , Write is here : http://abartandhakal.com.np/main/2018/01/27/open-redirection-on-rbk-money/...

AI score: 6.9
Exploits: 0

Hacker One, added 2017/11/07 4:37 p.m., 49 views

AlienVault : DNS pinning SSRF bypass

Summary: this issue is a bypass for this report: https://hackerone.com/reports/285380 . It is a SSRF bypass with DNS pinning. Description: We can bypass the SSRF protection with a simple domain that is resolving to 169.254.169.254 , like: ssrf-cloud.localdomain.pw Browsers Verified In: Firefox 56...

AI score: 6.8
Exploits: 0

Hacker One, added 2017/10/31 8:06 a.m., 49 views

International Islamic University Chittagong: Default credentials on http://119.18.148.140/hrd/

Hello, When the mentioned URL is opened, the user is presented with a login form that logs them into the "HR & Payroll" system of the university. The issue here is that the credentials used are the application's default credentials, which are mentioned here...

AI score: 6.8
Exploits: 0

Hacker One, added 2017/10/27 9:30 p.m., 49 views

AlienVault : [www.threatcrowd.org] - reflected XSS

Summary: I have found a reflected XSS in https://www.threatcrowd.org/graphHtml.php, in GET parameter email. Browsers Verified In: Firefox 56.0.1 Steps To Reproduce: 1. Browse to https://www.threatcrowd.org/graphHtml.php?email=%27-alertdocument.domain-%27 2. Click on the embed functionality in th...

AI score: 6.3
Exploits: 0

Hacker One, added 2017/10/21 1:41 p.m., 49 views

Inflection: Unsubscribe Any User

Researcher reported that HubSpot's "unsubscribe" feature allows any user to unsubscribe from marketing emails without having to confirm their email address. Inflection does not consider this a vulnerability, as we want to make it as easy as possible for users to stop receiving marketing emails th...

AI score: 6.8
Exploits: 0

Hacker One, added 2017/10/04 10:47 a.m., 49 views

Legal Robot: cross site web socket hijacking

In the below web-socket request a successful 101 protocol handshake is working with the origin https://app.legalrobot.com, but if you place a malicious origin in the place of https://thisdata.com, which is http://evil.com or any page containing the malware, the web socket server is still giving 10...

Exploits: 0

Hacker One, added 2017/09/27 8:49 p.m., 49 views

Internet Bug Bounty: Perl $ENV Key Stack Buffer Overflow

The CPerlHost::Add method in win32\perlhost.h is vulnerable to a stack buffer overflow. void CPerlHost::Add(LPCSTR lpStr) { char szBuffer[1024]; LPSTR lpPtr; int index, length = strlen(lpStr)+1; for(index = 0; lpStr[index] != '\0' && lpStr[index] != '='; ++index) szBuffer[index] = lpStr[index]; szBuffer[index] = '\0...

CVSS: 7.5, AI score: 9.5, EPSS: 0.06981
Exploits: 1

Hacker One, added 2017/08/18 1:24 p.m., 49 views

Internet Bug Bounty: Heap Use After Free in unserialize()

ext/standard/var_unserializer.re in PHP 7.0.x before 7.0.21 and 7.1.x before 7.1.7 is prone to a heap use after free while unserializing untrusted data, related to the zval_get_type function in Zend/zend_types.h. Exploitation of this issue can have an unspecified impact on the integrity of PHP. This...

CVSS: 5, AI score: 8.8, EPSS: 0.03634
Exploits: 0

Hacker One, added 2017/07/24 9:46 p.m., 49 views

Rockstar Games: CSRF Vulnerability allows attackers to steal SocialClub private token.

The researcher was able to combine a Flash exploit with a CSRF vulnerability in order to obtain sensitive user tokens from https://socialclub.rockstargames.com/profileedit/GetTokens. This page is ordinarily only called in a secure fashion such that an attacker is unable to see another user's...

AI score: 0.4
Exploits: 0

Hacker One, added 2017/07/01 3:24 a.m., 49 views

WakaTime: No notification sent on email after account deletion.

Hi again, Description: I've just noticed that there's no email notification received after successful removal of an account. Fixation: User should be notified by email notification at his email after removal of an account. Cheers Mansoor...

AI score: 1.4
Exploits: 0

Hacker One, added 2017/05/31 4:02 a.m., 49 views

Mixmax: Security Vulnerability - SMTP protection not used

Hi, I'm checking your website and found an SPF record there. You should apply a strict SMTP policy to stop spoofed email sending from your domain. An attacker would send a fake email from [email protected] saying that Please change your password. The victim is aware of phishing attacks, but when he sees...

AI score: 7
Exploits: 0

Hacker One, added 2017/04/18 2:34 p.m., 49 views

Homebrew: Host header Injection

HI SECURITY TEAM Here is host header injection. Request changing host to www.google.com GET / HTTP/1.1 Host: www.google.com User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language:...

AI score: 7
Exploits: 0

Hacker One, added 2017/04/18 7:36 a.m., 49 views

Internet Bug Bounty: OOB write in BN_bn2dec() (CVE-2016-2182)

The function BN_bn2dec does not check the return value of BN_div_word. This can cause an OOB write if an application uses this function with an overly large BIGNUM. This could be a problem if an overly large certificate or CRL is printed out from an untrusted source. TLS is not affected because reco...

CVSS: 7.5, AI score: 8.7, EPSS: 0.44218
Exploits: 1

Hacker One, added 2017/03/22 4:13 p.m., 49 views

Mail.ru: Cross-Site Request Forgery

CSRF in whiskas.ny.mail.ru "like" feature. whiskas.ny.mail.ru is not currently in the bug bounty scope...

AI score: 1.9
Exploits: 0

Hacker One, added 2017/03/10 11:48 a.m., 49 views

Ruby: sprintf combined format string attack

In a ticket that was also reported to "shopify-scripts" regarding "MRuby", I reported in detail a combined attack against the sprintf gem: Information leak Heap buffer underflow The full ticket details can be found in: Ticket 212239 The ticket was opened several minutes ago but I add it in case ...

CVSS: 6.4, AI score: 8.1, EPSS: 0.09718
Exploits: 1

Hacker One, added 2017/02/02 5:26 p.m., 49 views

Internet Bug Bounty: CVE-2017-5482 The Q.933 parser in tcpdump before 4.9.0 has a buffer overflow in print-fr.c:q933_print().

Reported to the project maintainers in 2016. Regardless of CVE-2016-8575 q933_print still could overread the buffer trying to parse a short packet. Fixed by https://github.com/the-tcpdump-group/tcpdump/commit/c39c1d99ac3b6d5d9519b39da6717180651650d3...

CVSS: 7.5, AI score: 8.9, EPSS: 0.05504
Exploits: 0

Hacker One, added 2017/01/12 4:42 p.m., 49 views

Nextcloud: User Information Disclosure via REST API

Hello, I found out that you are using WP 4.6.2 on your domain which is outdated. https://nextcloud.com/readme.html Description:- WordPress versions 4.7 and earlier are affected by multiple security issues. Kindly check https://wpvulndb.com/wordpresses/462 for the vulnerabilities and in detailed...

AI score: 1.1
Exploits: 0

Hacker One, added 2017/01/07 12:59 a.m., 49 views

Shopify: apps.shopify.com - CSRF token leakage through Google Analytics

Description: When a user tries to send a support a message to an app developer in apps.shopify.com , he will be asked to login and once he is logged in , he will be redirected to apps.shopify.com/appid?authenticitytoken=currentuserauthenticitytoken. Developers can track their app page view in...

AI score: 7
Exploits: 0

Hacker One, added 2016/12/06 11:19 p.m., 49 views

Starbucks: Persistent XSS in www.starbucks.com

There is a persistent XSS in https://www.starbucks.com/coffee/espresso/latte-macchiato It is caused by loading scripts from: //starbucksmacchiato-prod.elasticbeanstalk.com/scripts/bn-v1.0.0-Release-min.js Note that starbucksmacchiato-prod.elasticbeanstalk.com is not registered on elastic beanstal...

AI score: 0.9
Exploits: 0

Hacker One, added 2016/12/04 9:03 p.m., 49 views

OLX: Multiple vulnerabilities in http://blog.dubizzle.com/uae

http://blog.dubizzle.com/uae/ uses outdated Yoast Seo plugin which has following vulnerabilities: ! Title: Yoast SEO = 3.2.4 - Subscriber Settings Sensitive Data Exposure Reference: https://wpvulndb.com/vulnerabilities/8487 ! Title: Yoast SEO = 3.2.5 - Unspecified Cross-Site Scripting XSS...

Exploits: 0

Hacker One, added 2016/11/30 1:21 p.m., 49 views

PortSwigger Web Security: Order-phishing via Payment ID URL

Hello. I discovered the endpoint, which allows the attacker to conduct a phishing attack on other users so that they pay for the attacker's order. Why can this happen? On the site, the order id parameter is sent to https://portswigger.net/CCPayment.aspx as POST, but the attacker can append it as GET and it...

AI score: 0.1
Exploits: 0

Hacker One, added 2016/11/21 2:35 p.m., 49 views

LocalTapiola: XSS and open redirect in verkkopalvelu.lahitapiola.fi

Summary: Dears, Kindly note that after submitting a CSRF vulnerability in the subject subdomain, which is still triaged (https://hackerone.com/reports/178811), I noticed after more testing of the subject domain that there are multiple endpoints vulnerable to an XSS and those are the same endpoints I...

AI score: 0.7
Exploits: 0

Hacker One, added 2016/11/01 4:29 p.m., 49 views

VK.com: New 2FA Bypass

Partial bypass of the session check. A flaw in the password change function...

AI score: 6.9
Exploits: 0

Hacker One, added 2016/09/04 7:31 p.m., 49 views

Slack: Rate-limit bypass

Hello Slack, This vulnerability is about a 2FA Bypass, On Slack Web Application there is rate limit implemented. After performing 4-6 failed 2FA Attempt, Rate limit logic will ge Triaged and ask user to wait for next attemptpreventing automated 2FA Attempts I tested the same using iOS AppiOS 9.3....

AI score: 0.2
Exploits: 0

Hacker One, added 2016/09/01 8:42 p.m., 49 views

Internet Bug Bounty: urllib HTTP header injection CVE-2016-5699

https://bugs.python.org/issue22928 https://access.redhat.com/security/cve/cve-2016-5699...

CVSS: 4.3, AI score: 6.7, EPSS: 0.09887
Exploits: 3

Hacker One, added 2016/08/31 10:15 a.m., 49 views

QIWI: [lk.contact-sys.com] SQL Injection reset_password FP_LK_USER_LOGIN

Steps to reproduce 1 Open https://lk.contact-sys.com/index.php/LK/login 2 Click "Forgot password?" 3 Fill in the form Participant Code: test Login: ' and @@version=1 and '1'='1 HTTP Request http POST /index.php/LK/resetpassword HTTP/1.1 Host: lk.contact-sys.com Content-Type:...

AI score: 0.4
Exploits: 0

Hacker One, added 2016/06/24 3:40 a.m., 49 views

Internet Bug Bounty: CVE-2015-8874 Stack overflow with imagefilltoborder

Reported in 2014 https://bugs.php.net/bug.php?id=66387 A variation was rediscovered this year and reported to PHP and LIBGD: https://bugs.php.net/bug.php?id=72350 https://github.com/libgd/libgd/issues/215 Patches for both issues:...

CVSS: 5, AI score: 7.2, EPSS: 0.08276
Exploits: 1

Hacker One, added 2016/06/17 7:27 p.m., 49 views

Nextcloud: Server side request forgery (SSRF) on nextcloud implementation.

An admin of a nextcloud server can add other trusted nextcloud servers in his own installation. The following request passes when a new add request is processed: http POST /nextcloud/index.php/apps/federation/trusted-servers HTTP/1.1 Host: myown.nextcloudserver.com User-Agent: Mozilla/5.0 Macintosh;...

AI score: 7
Exploits: 0

Hacker One, added 2016/06/17 5:44 p.m., 49 views

Nextcloud: failure to invalidate session on password change

Steps to reproduce 1. Login as user1 in firefox browser 2. Go to http://localhost/nextcloud/index.php/settings/personal 3. Go to other browser chrome and login as user1 4. Change the password in chrome Observe that the session in firefox still works...

AI score: 7.2
Exploits: 0

Hacker One, added 2016/05/08 9:05 a.m., 49 views

Mail.ru: AXFR on plexus.m.smailru.net works

MacBook-Pro:subbrute isox$ dig @217.69.129.107 plexus.m.smailru.net axfr ; DiG 9.8.3-P1 @217.69.129.107 plexus.m.smailru.net axfr ; 1 server found ;; global options: +cmd plexus.m.smailru.net. 600 IN SOA ns1.mail.ru. hostmaster.mail.ru. 2300425875 900 900 1209600 300 plexus.m.smailru.net. 600 IN ...

AI score: 1.1
Exploits: 0

Hacker One, added 2016/05/03 10:49 a.m., 49 views

GitLab: SSRF when importing a project from a git repo by URL

Fixed in 8.17.4, 8.16.8, and 8.15.8 SSRF when importing a project from a Repo by URL GitLab instances that have enabled project imports using "Repo by URL" were vulnerable to Server-Side Request Forgery attacks. By specifying a project import URL of localhost an attacker could target services tha...

AI score: 0.7
Exploits: 0

Hacker One, added 2016/03/20 10:03 a.m., 49 views

HackerOne: External links should use rel="noopener" or use the redirect service

This is a rather low severity one and a successful exploitation relies on unlikely user interaction as well as the ability to control the HTML output of a remote host. Furthermore it is a kind of new hardening feature in some browsers. Though one can work around this using "noreferrer" which is...

AI score: 7
Exploits: 0

Hacker One, added 2016/01/19 6:24 p.m., 49 views

Shopify: Full access to Amazon S3 bucket containing AWS CloudTrail logs

An Amazon S3 bucket used internally by Shopify was misconfigured, allowing external users to read, write and list objects. The excess permissions have been removed...

AI score: 3.7
Exploits: 0

Hacker One, added 2016/01/18 2:16 p.m., 49 views

VK.com: Checking whether user liked the media or not even when you are blocked

Poc: Take 2 accounts A and B 1. Now from A id make a random post say http://vk.com/id307083341?w=wall30708334136 2. Now from C id try to like the post of A. 3. Now from B id visit https://vk.com/dev/likes.getList 4. Now put the owner id A and the post id == 307083341 which 36 in this case 5. And i...

AI score: 6.6
Exploits: 0

Hacker One, added 2015/12/10 4:04 p.m., 49 views

Coinbase: HTML injection in apps user review

Just watch this video https://www.dropbox.com/s/360cytluyiw2ym9/HTMLI.mp4?dl=0 This is about a full fake login exploit https://www.youtube.com/watch?v=5iRylyJTzWc...

AI score: 6.9
Exploits: 0

Total number of security vulnerabilities: 5000