Search: Hackerone (sorted by most viewed)

15369 matches found

Hacker One
added 2020/04/03 3:35 p.m.

Shopify: *.shopify.com - Authentication bypass

I've found a flaw in the authentication process when accessing the website https://upcoming.shopify.com. There seems to be an HTTP Authentication in place to prevent access without authentication. Please follow the POC below to get access to https://upcoming.shopify.com without login. The website is...

AI score: 0.7
Exploits: 0
Hacker One
added 2020/02/18 11:03 a.m.

GSA Bounty: open redirect in eb9f.pivcac.prod.login.gov

PoC: https://eb9f.pivcac.prod.login.gov/?nonce=wI0UglN84A06Q4z4JnkZVc3i1V8%3D&redirect_uri=https%3A%2F%2Fgoogle.com%23%40secure.login.gov%2Flogin%2Fpivcac Visit this and it will redirect to google.com. Impact: phishing...

AI score: 0.9
Exploits: 0
Hacker One
added 2020/01/07 9:59 a.m.

Mail.ru: XSS on the site https://warofdragons.my.games/.

Reflected XSS via GET parameter in https://warofdragons.my.games...

AI score: 0.9
Exploits: 0
Hacker One
added 2019/12/19 11:03 a.m.

MTN Group: Information Disclosure FrontPage Configuration Information /_vti_inf.html in https://www.mtn.co.za/

Hi there, I found an information disclosure of the Microsoft FrontPage configuration in the subdomain https://www.mtn.co.za/ that allows me to see the version number and scripting paths of SharePoint using Firefox. POC: Go to the following URL: https://www.mtn.co.za/_vti_inf.html and you will see a blank page...

AI score: 6.2
Exploits: 0
Hacker One
added 2019/09/28 9:22 a.m.

Node.js third-party modules: [treekill] RCE via insecure command concatenation (only Windows)

I would like to report a RCE issue in the treekill module. It allows execution of arbitrary commands remotely inside the victim's PC. Module: module name: treekill, version: 1.0.0, npm page: https://www.npmjs.com/package/treekill. Module Description: treekill process and all its children and child...

CVSS: 7.5, AI score: 0.1, EPSS: 0.02742
Exploits: 0
Hacker One
added 2019/08/31 9:18 a.m.

Node.js third-party modules: gitlabhook OS Command Injection

I would like to report OS Command Injection in gitlabhook. It allows execution of arbitrary code on the remote server that waits for instructions from gitlab. Module: module name: gitlabhook, version: 0.0.17, npm page: https://www.npmjs.com/package/gitlabhook. Module Description: This is an easy to u...

CVSS: 10, AI score: 0.1, EPSS: 0.59768
Exploits: 5
Hacker One
added 2019/08/04 9:41 a.m.

GSA Bounty: Information disclosure (system username, server info) in the x-amz-meta-s3cmd-attrs response header on data.gov

Hi Team, I noticed that the x-amz-meta-s3cmd-attrs response header returns sensitive information, like the system username, on data.gov: x-amz-meta-s3cmd-attrs: uid:0/gname:root/uname:root/gid:0/mode:33184/mtime:1513269652/atime:1513269652/md5:2049644b6b833f5dbb826f60a4721f64/ctime:1513269652 Server:...

AI score: 0.1
Exploits: 0
Hacker One
added 2019/06/30 11:09 p.m.

GitLab: Private System Note Disclosure using GraphQL

Summary: When you use the REST API or UI to view an issue's discussion/notes, a private system note is hidden to members only, such as moving an issue to a private project, marking an issue as a duplicate of a confidential issue, or someone mentioning this issue in a confidential issue. They are properly...

CVSS: 5, AI score: 0.7, EPSS: 0.01852
Exploits: 1
Hacker One
added 2019/05/29 6:28 p.m.

Starbucks: Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice

@geekjeremy, at the same time as other hackers who submitted their own reports, discovered a browsable WSDL service on an API endpoint under the starbucks.com.cn domain, running on a non-standard port. @geekjeremy demonstrated that the service had several functions that executed without any...

AI score: 4
Exploits: 0
Hacker One
added 2019/05/22 10:48 a.m.

phpBB: CSS injection via BB code tag "█████"

The input to the "█████" BBcode tag is not properly filtered. It gets converted into a CSS style attribute for a span HTML element. Quotes " are removed, so there's no way to break out of the CSS style attribute. However it is possible to arbitrarily dress the resulting span element. To illustra...

CVSS: 5, AI score: 7.3, EPSS: 0.01077
Exploits: 0
Hacker One
added 2019/03/24 5:48 p.m.

Omise: Failure to Invalidate Session after Password Change

While conducting my research I discovered that the application fails to invalidate the session after a password change. In this scenario changing the password doesn't destroy the other sessions which are logged in with old passwords. Steps to Reproduce: ---------------------- Video PoC attached Step By...

AI score: 6.8
Exploits: 0
Hacker One
added 2019/03/01 9:59 a.m.

WePay: Active mixed content issues on the site https://stage-go.wepay.com.

Hello. Summary: Page https://stage-go.wepay.com/static/ contains active mixed content. Description: Passive mixed content is content sent over HTTP that is contained on the HTTPS page, but which cannot change other parts of the page. For example, an attacker can replace a picture sent via HTTP...

AI score: 6.7
Exploits: 0
Hacker One
added 2019/02/27 10:58 a.m.

Starbucks: RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/

This report from @spaceraccoon demonstrated a valid attack resulting in RCE and full compromise of the target. The detailed and thorough report was especially helpful throughout the triage process, and ultimately helped us reproduce and resolve the issue as quickly as possible. The vulnerable sit...

CVSS: 7.5, AI score: 0.1, EPSS: 0.90768
Exploits: 7
Hacker One
added 2019/02/19 1:01 a.m.

U.S. Dept Of Defense: [Critical] Full local filesystem access (LFI/LFD) as admin via Path Traversal in the misconfigured Java servlet on the https://███/

Description: Hello. I discovered a Path Traversal issue on the https://██████████/ I was able to turn it into a local file read, and after a series of tests determined that it's possible to reach sensitive system files with administrator rights. POC: The next request will read the...

AI score: 0.1
Exploits: 0
Hacker One
added 2019/02/13 4:43 p.m.

Notepad++: No SearchEngine sanitizing can lead to command injection

Information: Summary: Notepad++ is vulnerable to a command injection vulnerability. Debug Info: Notepad++ v7.6.3 32-bit Build time : Jan 27 2019 - 17:20:30 Path : C:\Program Files x86\Notepad++\notepad++.exe Admin mode : ON Local Conf mode : OFF OS : Windows 10 64-bit Plugins : none Description:...

AI score: 0.1
Exploits: 0
Hacker One
added 2019/02/04 3:03 p.m.

Semrush: XSS Reflected on my_report

Hello again. This time, besides the HTML injection, a full XSS goes through in the user's dashboard. Payload: https://www.semrush.com/myreports/api/v1/document%22%3E%3Cimg%20src=x%20onerror=alertdocument.cookie%3E/4007861 PoC: in the screenshot. Impact: theft of session cookies...

AI score: 6.3
Exploits: 0
Hacker One
added 2018/12/12 1:59 a.m.

HackerOne: Response program can create bounty table

Summary: Following the h1 document https://docs.hackerone.com/programs/bounty-tables.htmlgatsby, creating a bounty table is only available for bounty programs. Description: Step 1: Create a request to the graphql entrypoint. Step 2: Change the team id in the parameter like this: "teamid":"Z2lkOi8vaGFja2Vyb25lL1RlYW0vMzYyOTE="...

AI score: 7.1
Exploits: 0
Hacker One
added 2018/12/11 4:29 p.m.

RATELIMITED: Server Header discloses the OS and Web server Version

Server header was present and disclosed the version of the web server and OS in HTTP responses. Server header was present and disclosed the version of the web server and OS...

AI score: 0.7
Exploits: 0
Hacker One
added 2018/12/03 5:57 p.m.

Mail.ru: [e.mail.ru] Stored xss in Mpop cookie

XSS on e.mail.ru domain via cookie content. XSS in cookie via mitm. Good article - https://habr.com/en/post/460101/ by @w2w...

AI score: 0.5
Exploits: 0
Hacker One
added 2018/11/29 1:54 a.m.

Mail.ru: server status

Apache server status was available at jw-cn-test-1.ext.terrhq.ru...

AI score: 1.3
Exploits: 0
Hacker One
added 2018/09/15 10:22 p.m.

Vanilla: Vanilla Forums Xenforo password splitHash Unserialize Remote Code Execution Vulnerability

Summary: An authenticated admin user can inject an unserializable password into another user's account. Later, when attempting a login with that user, the attacker can trigger a call to unserialize in the splitHash function. By using a custom POP chain to write into the constants.php file, an...

Exploits: 0
Hacker One
added 2018/09/02 10:15 a.m.

Weblate: flood of comments, no rate limit on comments >> by using different user agents

It was possible to post 200-300 comments within minutes; there was no rate limiting applied...

AI score: 2.6
Exploits: 0
Hacker One
added 2018/08/06 10:57 a.m.

Node.js third-party modules: Command Injection Vulnerability in libnmap Package

I would like to report a command injection vulnerability in libnmap. It allows an attacker to inject arbitrary OS commands instead of a valid network range to be scanned. Module: module name: libnmap, version: 0.4.11, npm page: https://www.npmjs.com/package/libnmap. Module Description: API to access...

CVSS: 10, AI score: 1.4, EPSS: 0.03854
Exploits: 1
Hacker One
added 2018/08/06 10:40 a.m.

Node.js third-party modules: Prototype Pollution Vulnerability in mpath Package

I would like to report a prototype pollution vulnerability in mpath. It allows an attacker to inject arbitrary properties on Object.prototype. Module: module name: mpath, version: 0.4.1, npm page: https://www.npmjs.com/package/mpath. Module Description: {G,S}et javascript object values using MongoDB-like...

CVSS: 5, AI score: 0.5, EPSS: 0.01101
Exploits: 1
Hacker One
added 2018/08/06 10:19 a.m.

Node.js third-party modules: Command Injection in ps Package

I would like to report a command injection in the ps package. It allows an attacker to inject arbitrary OS commands instead of PID numbers. Module: module name: ps, version: 0.0.2, npm page: https://www.npmjs.com/package/ps. Module Description: A Node.js module for looking up running processes. Module Stats...

CVSS: 7.5, AI score: 1.1, EPSS: 0.02856
Exploits: 0
Hacker One
added 2018/07/20 2:31 p.m.

Vanilla: Bypassing the Trusted Link Alert System

Summary: I have discovered a means of bypassing the system that will alert users of an untrusted link, utilizing the Right to Left Override unicode character. The alert looks like this: https://i.imgur.com/9rp1K7b.mp4 Description: For this demonstration, I have added "facebook.com" to the trusted...

AI score: 0.1
Exploits: 0
Hacker One
added 2018/06/22 10:40 a.m.

Mail.ru: Nginx variable values output in the page body

When requesting a URL of the form https://biz.mail.ru/$nginx_variable_name the value of that variable ends up in the 404 response page, in every place of the form: e.mail.ru/login?lang=ruRU&Page=https%3A%2F%2Fbiz.mail.ru%2Fnginx_variable_value Example requests: 1 https://biz.mail.ru/test$realpath_root in the response:...

AI score: 7
Exploits: 0
Hacker One
added 2018/06/13 7:27 a.m.

Basecamp: Remote code execution on Basecamp.com

A critical flaw in Basecamp's profile image upload function leads to remote command execution. Images are converted on the server side, but not only image files but also PostScript/EPS files are accepted if renamed to .gif. This is probably due to ImageMagick / GraphicsMagick being used for image...

CVSS: 6.8, AI score: 2.2, EPSS: 0.96968
Exploits: 7
Hacker One
added 2018/06/05 2:23 a.m.

Liberapay: Exploiting JSONP callback on /username/charts.json endpoint leads to information disclosure despite user's privacy settings

Hello! Vulnerability Details: The /username/charts.json endpoint can return a JSONP callback due to the fact that jsonpdump is used in the file charts.json.spt. It appears that the content of the JSONP request depends on the authentication of the user. If the user enabled the privacy setting which...

Exploits: 0
Hacker One
added 2018/06/02 4:53 p.m.

Liberapay: csrf token did not change after login/logout many times

Hello team, your csrf token did not expire, and after logging in and out many times, I found that your csrf token is generated the same as the last one. Impact: if an attacker found an xss on your domain and you fixed it but the attacker still has the user's csrf token, the attacker can use it to perform any action...

AI score: 0.9
Exploits: 0
Hacker One
added 2018/05/14 10:14 a.m.

Mail.ru: phpinfo() information exposed on the site https://agent.mail.ru

phpinfo was available on agent.mail.ru. agent.mail.ru is not currently covered by the bug bounty program...

AI score: 7.1
Exploits: 0
Hacker One
added 2018/04/26 8:55 p.m.

Node.js third-party modules: Privilege escalation allows any user to add an administrator

I would like to report privilege escalation in the npm module express-cart. It allows a normal user to add another user with administrator privileges. Module: module name: express-cart, version: 1.1.5, npm page: https://www.npmjs.com/package/express-cart. Module Description: expressCart is a fully...

CVSS: 6.5, AI score: 0.9, EPSS: 0.01156
Exploits: 1
Hacker One
added 2018/01/10 12:00 a.m.

Node.js third-party modules: Fastify denial-of-service vulnerability with large JSON payloads

Module: Fastify - https://www.npmjs.com/package/fastify Affected versions: =0.37.0, all versions before 0.38.0 Summary: A denial-of-service attack can be performed against servers running Fastify by sending a request with "Content-Type: application/json" and a very large payload. Description: Fasti...

CVSS: 5, AI score: 7.4, EPSS: 0.01799
Exploits: 1
Hacker One
added 2017/12/26 4:17 p.m.

VK.com: Manipulating the "Suggest stickers in input fields" setting on users' pages

The hash was missing in requests that change the sticker settings. Small mistake in the report: to enable, put 1 at the end. Enable: https://m.vk.com/attachments?ajax=1&act=stickershintsenabled&value=1 CSRF - THE ABSENCE OF A HASH makes it possible to toggle input-field suggestions in the mobile version of VK! ...

AI score: 6.9
Exploits: 0
Hacker One
added 2017/12/15 3:15 a.m.

GitLab: SQL injection in MilestoneFinder order method

The MilestoneFinder is a class used to find milestones based on group or project identifiers. The class is used in multiple controllers. It allows filtering based on state and can be used to order the result set. One of the uses can be found in the Groups::MilestonesController. When the index...

CVSS: 5, AI score: 7.9, EPSS: 0.01392
Exploits: 0
Hacker One
added 2017/12/01 2:00 p.m.

Open-Xchange: Adding external participants to inaccessible appointments

Description: When making an appointment, users are able to invite additional participants which do not have an open-xchange account. However, it appears that any user can invite external participants to any appointment, even if this appointment is not accessible to him. Additionally, using the same bug...

AI score: 6.8
Exploits: 0
Hacker One
added 2017/09/28 5:15 a.m.

Aspen: No Rate Limit (Leads to huge email flooding/email bombing)

Dear sir, At first, I want to say that this sensitive action definitely should be set with a rate limit. Note: This is about huge bombing/brute force on any endpoints. Vulnerability: No rate limit has been set for generating account confirmation emails for accounts on the above selected domain which i...

AI score: 7.1
Exploits: 0
Hacker One
added 2017/09/05 9:45 a.m.

Weblate: Add another email address without verification

Introduction: In the normal case, to link another email address to the Weblate account, users need to own the email address and click the verification link. However, I found an issue that allows adding another email address without clicking on the verification link. Description and PoC: Create a...

AI score: 1.3
Exploits: 0
Hacker One
added 2017/07/13 5:57 a.m.

Upserve: Ability to create own account UUID leads to stored XSS

I found an interesting bug where the system allows a user to create their own UUIDs. There are character length restrictions on this action, however it's not bound to a specific set of characters. Even so, I was able to include an external script that I URL shortened to just hit the character lim...

AI score: 6.8
Exploits: 0
Hacker One
added 2017/07/10 2:33 p.m.

Mail.ru: The auth token does not expire on logging out and even after logging out all sessions

API token for web.icq.com was not expired after user logout...

AI score: 2.2
Exploits: 0
Hacker One
added 2017/07/01 2:11 p.m.

WakaTime: Session not expired on logout

Description: Session management issue in https://wakatime.com. Cookies are used to maintain the session of a particular user and they should expire once the user logs out of his account. In a secure web application, cookies immediately expire once the user logs out of his account. But this is not...

AI score: 0.7
Exploits: 0
Hacker One
added 2017/06/22 2:38 p.m.

shopify-scripts: Null pointer dereference with send/method_missing

The following program triggers a null pointer dereference with mruby b200c747: ruby def method_missing(m) ensure begin A rescue break rescue end end send '' ASAN report: text ASAN:DEADLYSIGNAL ================================================================= ==12116==ERROR: AddressSanitizer: SEGV on...

AI score: 1.8
Exploits: 0
Hacker One
added 2017/05/20 10:59 a.m.

Weblate: OPTIONS method enabled

Description: HTTP OPTIONS method is enabled. Affected URLs: https://demo.weblate.org/ https://weblate.org/en/ https://hosted.weblate.org PoC: curl -X OPTIONS https://hosted.weblate.org -vv Output: aku@galau:$ curl -X OPTIONS https://hosted.weblate.org -vv Rebuilt URL to: https://hosted.weblate.org/...

AI score: 7.1
Exploits: 0
Hacker One
added 2017/05/20 8:15 a.m.

Paragon Initiative Enterprises: Full directory path listing

STEP: ==================== 1. Go to https://bridge.cspr.ng/login and enter your username and password 2. Click "LogIn" and intercept the request 3. Change the value in the cookie header and add a single quote in the PHPSESSID field, e.g. PHPSESSID=kn7e21dpp2ocai2ckn1v147qev' 4. Forward the packet and see full pa...

AI score: 0.9
Exploits: 0
Hacker One
added 2017/05/13 9:57 a.m.

Paragon Initiative Enterprises: Directory Disclosure, Email Disclosure, Zendmail vulnerability

I found three vulnerabilities: directory information disclosure, email address disclosure, and possible remote code execution in Zendmail. During signup your code accepts a username with ',",/,@ while all of the special characters must be forbidden or encoded in the username. Directory Disclosure: 1. Go to the sign-up pa...

CVSS: 7.5, AI score: 9.6, EPSS: 0.38438
Exploits: 10
Hacker One
added 2017/05/09 9:29 p.m.

Internet Bug Bounty: CVE-2017-8798 - miniupnp getHTTPResponse chunked encoding integer signedness error

Integer signedness error in miniupnpc 1 allows remote attackers to cause a denial of service condition (access violation and heap corruption) via a specially crafted HTTP response. An integer signedness error was found in miniupnp's miniwget, allowing an unauthenticated remote entity typically located...

CVSS: 7.5, AI score: 9.3, EPSS: 0.24027
Exploits: 6
Hacker One
added 2017/05/04 2:04 p.m.

Paragon Initiative Enterprises: I am because bug

I'm because I hacker found bug because I report this bug I want to report a bug and because want some $$$$ so please because you are telling me how much you pay money so I give you bug. Me because very poor :' want money because father :' F181832 Thank you wish you because pay lots $$$$$$$$...

AI score: 0.7
Exploits: 0
Hacker One
added 2017/05/03 6:09 p.m.

Dashlane: Throttling Bypass - ws1.dashlane.com

Description: The host at ws1.dashlane.com throttles requests based on the IP address of the user after a certain amount of repeated requests. By adding the X-Forwarded-For header, an attacker can bypass the throttling completely, rendering the security measure ineffective against DoS attacks. Proo...

AI score: 0.9
Exploits: 0
Hacker One
added 2017/04/21 10:44 a.m.

Mapbox: Open Aws Amazon S3 Buckets

Security researcher @saadahmed reported two Mapbox owned S3 buckets with public-read ACL. One of these, mapbox-js, was public-read by design, the other however was not and subsequently was switched to a private ACL. Thank you again @saadahmed, we appreciate you keeping Mapbox security in mind...

AI score: 1.1
Exploits: 0
Hacker One
added 2017/02/23 12:59 p.m.

HackerOne: Able to create basic user account via Google login on HackerOne Drupal CMS

Summary: Hi, I've found that hackerone.com has Drupal installed, and when I navigated to this URL https://www.hackerone.com/user/password I found a "Log in" and a "password reset" option. When I clicked on login it redirected me to Google login. Then I logged in using my gmail account and it redirected to...

Exploits: 0
Total number of security vulnerabilities: 5000