Lucene search
K
HackeroneMost viewed

15372 matches found

Hacker One
Hacker One
added 2017/02/02 12:44 a.m.47 views

VK.com: Missing Server Side Rate Limiting can Lead to VK Account Take over

Insufficient flood control...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/01/29 2:6 p.m.47 views

Pornhub: Account hijack via deleted PH account

The researcher identified a faulty Oauth implementation allowing YouPorn accounts to be hijacked. The researcher exploited a feature which links Pornhub and YouPorn accounts together by leveraging old accounts which were previously deleted, or where username was changed. A faulty Oauth auth...

1.2AI score
Exploits0
Hacker One
Hacker One
added 2017/01/02 9:17 a.m.47 views

Uber: lert.uber.com: Few default folders/files of AURA Framework are accessible

There were a few default folders/files of the AURA Framework accessible on lert.uber.com. The specified files/folders in the AURA framework were supposed to be accessible, so we did not make any changes here. However, we do appreciate the time taken to submit this report and are disclosing per th...

2.6AI score
Exploits0
Hacker One
Hacker One
added 2016/12/15 12:9 p.m.47 views

LocalTapiola: Reflected XSS and Open Redirect in several parameters (viestinta.lahitapiola.fi)

Basic report information Summary: Hi, The values within the ctx tag, are not filtered, they are reflected inside a javascript code in http://viestinta.lahitapiola.fi/webApp/APP3242, which can be exploited to perform an XSS Attack. The parameter are: ctxothersDrivingmagallupcount...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2016/12/15 11:41 a.m.47 views

X (Formerly Twitter): CRLF and XSS stored on ton.twitter.com

Hey, 1 CRLF: It's similar to 52042 but weaker to reproduce go to: https://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC you will find that test cookie with the val...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2016/11/12 5:58 p.m.47 views

LocalTapiola: SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi)

Vulnerable script: /webApp/omaconf Vulnerable parameter: ctxvarsemail Database: PostgreSQL PoC http POST /webApp/omaconf HTTP/1.1 Host: viestinta.lahitapiola.fi Content-Type: application/x-www-form-urlencoded Content-Length: 1131...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2016/09/27 2:3 p.m.47 views

Internet Bug Bounty: Heap overflow caused by type confusion vulnerability in merge_param()

Since the original report is still marked as private in the PHP bug tracker please find the copy & pasted bug report below edited for readability and to include correct bug tracker id. See the references section for a link to the issue in the PHP bug tracker! The maintainer already fixed the issu...

7.5CVSS9.7AI score0.06797EPSS
Exploits1
Hacker One
Hacker One
added 2016/09/06 8:29 p.m.47 views

Yelp: Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot

On pages https://biz.yelp.com/login and https://biz.yelp.com/forgot a malicious user can verify if a particular E-mail address is registered on biz.yelp.com. Steps to reproduce for https://biz.yelp.com/login: 1. Open https://biz.yelp.com/login 2. Enter non existing E-Mail Address 3. Enter any...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2016/08/25 9:31 a.m.47 views

Instacart: WordPress Authentication Denial of Service

Hi, I found out that you are using WordPress version 4.5.3. Researchers found out 5 days ago, that this version has a vulnerability, a Path traversal in WordPress Core Ajax handlers. Intro WordPress is web software that can be used to create a website, blog, or app. A path traversal vulnerability...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2016/07/11 2:47 p.m.47 views

OLX: SQLi in Payment Request

Hi there, I have found out that one request in your API is vulnerable to SQL injection. PoC: Invalid Request: GET /api/v1.0/payments/items?ids=891048367'"&platform=desktop HTTP/1.1 Host: www.olx.com.ar User-Agent: Mozilla/5.0 Windows NT 6.3; WOW64; rv:46.0 Gecko/20100101 Firefox/46.0 Accept:...

7.3AI score
Exploits0
Hacker One
Hacker One
added 2016/06/17 4:31 p.m.47 views

Nextcloud: Nextcloud server software: Content Spoofing

In Nextcloud the "dir" parameter is vulnerable to content spoofing attack. If anyone puts a valid directory name in dir parameter then it goes that directory other wise it redirects to the home directory / By putting ../../ in dir parameter I was able to stop the redirect then I had put some...

5CVSS0.2AI score0.01681EPSS
Exploits1
Hacker One
Hacker One
added 2016/06/01 1:53 p.m.47 views

Internet Bug Bounty: CVE-2016-2177 Undefined pointer arithmetic in SSL code

1.0.2 version here: https://github.com/openssl/openssl/commit/a004e72b95835136d3f1ea90517f706c24c03da7 1.0.1 version here: https://github.com/openssl/openssl/commit/6f35f6deb5ca7daebe289f86477e061ce3ee5f46 These will get listed in the next security advisory and rolled up in the next release...

7.5CVSS8.8AI score0.44505EPSS
Exploits1
Hacker One
Hacker One
added 2016/05/13 1:12 p.m.47 views

Uber: Self-XSS on partners.uber.com

Hi, I found a reflected XSS vulnerability in password reset page https://partners.uber.com/reset-password. I have tested this vulnerability in the latest Chrome and Firefox browsers. Reproduction Steps: 1- Go to https://login.uber.com/forgot-password and reset password. Then, Click password reset...

Exploits0
Hacker One
Hacker One
added 2016/05/13 1:10 a.m.47 views

Internet Bug Bounty: Adobe Flash Player ContentFactory class Memory Corruption Vulnerability

I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ContentFactory.retrieveAdPolicySelector. ------------------------------------------------------------------ II. Description Adobe Flash is a multimedia and software platfor...

7.6CVSS8.6AI score0.09561EPSS
Exploits0
Hacker One
Hacker One
added 2016/05/03 11:41 a.m.47 views

Internet Bug Bounty: EVP_EncryptUpdate overflow (CVE-2016-2106)

https://github.com/openssl/openssl/commit/3f3582139fbb259a1c3cbb0a25236500a409bf26...

5CVSS8.9AI score0.27261EPSS
Exploits1
Hacker One
Hacker One
added 2016/05/03 11:41 a.m.47 views

Internet Bug Bounty: EVP_EncodeUpdate overflow (CVE-2016-2105)

https://github.com/openssl/openssl/commit/ee1e3cac2e83abc77bcc8ff98729ca1e10fcc920...

5CVSS8.9AI score0.3965EPSS
Exploits1
Hacker One
Hacker One
added 2016/04/10 9:17 p.m.47 views

Uber: reopen #128853 (Information disclosure at lite.uber.com)

Issue in 128853 occurs again. 1. go to https://login.uber.com/oauth/v2/authorize?responsetype=code&redirecturi=https%3A%2F%2Flite.uber.com%2Fauth%2Fcallback&scope=profile%20history%20places%20historylite%20requestreceipt%20request%20paymentbaiduwallet&clientid=y-JJyZRABnEwbJQq4VdQPORo4EKqv0j 2...

7AI score
Exploits0
Hacker One
Hacker One
added 2016/03/14 8:0 a.m.47 views

Mail.ru: bgplay.mail.ru

Potential RCE via Java object deserialization in out-of-scope service...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2016/03/01 7:8 p.m.47 views

Internet Bug Bounty: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)

https://openssl.org/news/secadv/20160301.txt...

5CVSS8.9AI score0.27022EPSS
Exploits1
Hacker One
Hacker One
added 2015/12/25 2:34 p.m.47 views

Informatica: [rev-app.informatica.com] - XXE via SAML

Request: POST /sso HTTP/1.1 Host: rev-app.informatica.com Connection: keep-alive Content-Length: 8669 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Origin: https://infapassport.okta.com Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5....

1AI score
Exploits0
Hacker One
Hacker One
added 2015/12/18 7:48 p.m.47 views

GlassWire: DLL Hijacking Vulnerability in GlassWireSetup.exe

GlasswireSetup.exe is subject to the attack described here: http://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/ You can get a simple demo with this harmless DLL: https://bayden.com/dl/shfolder.dll See attached image for proof of execution...

1.5AI score
Exploits0
Hacker One
Hacker One
added 2015/12/10 9:55 a.m.47 views

QIWI: [rubm.qiwi.com] Yui charts.swf XSS

Yui charts.swf XSS...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2015/11/24 1:23 a.m.47 views

Radancy: RC4 cipher suites detected

A group of researchers Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt have found new attacks against TLS that allows an attacker to recover a limited amount of plaintext from a TLS connection when RC4 encryption is used. The attacks arise from statistical fla...

0.6AI score
Exploits0
Hacker One
Hacker One
added 2015/10/19 2:31 p.m.47 views

Radancy: Version Disclosure (NginX)

Hi, I found a version disclosure Nginx in the your web server's HTTP response. Extracted Version: 1.8.0 This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Nginx. Impact An attacker...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2015/08/28 6:31 p.m.47 views

InVision: Deleting a Project for which the user is not owner but a normal member

A Project member who is not the owner of the project does not have delete option. But using proxy tool like Burp Suite, a low privilege Project member user can delete the Project, Where only the project owner has the privilege to delete the project. Pre-Requisite: A project where current user is...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2015/08/24 6:1 a.m.47 views

Gratipay: DKIM records not present, Email Hijacking is possible

Your SPF record is v=spf1 include:email.freshdesk.com include:spf.mandrillapp.com include:spf.google.com -all Which very well shows that you don't want spoofed email to be sent from your domains, but you just forget one thing: DKIM DomainKeys Identified Mail is an important authentication mechani...

7.3AI score
Exploits0
Hacker One
Hacker One
added 2015/06/12 10:25 a.m.47 views

VK.com: Issue in the implementation of captcha and race condition

Reuse of captcha. The researcher was able to find a misconfiguration in the captcha mechanism which allowed him to reuse any captcha and bypass the uniquness of the same . Furthermore the race condition bypassed the no. of retries...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2015/04/21 2:44 p.m.47 views

Vimeo: API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass

OAuth2 API makes it possible for users to grant access to their accounts to some third-side applications. Of course, users are able to manage such applications' access to their accounts and may deny access for any application. When some user denies access for the application, all accesstokens are...

Exploits0
Hacker One
Hacker One
added 2015/03/11 11:9 p.m.47 views

Mail.ru: XSS in ad.mail.ru

The XSS vulnerability is located here: https://ad.mail.ru/adi/3030 and is triggered by setting referer to: "alert0 The problem is that the referer is being loaded like so: html alert0 " I am aware that this is out of scope, but I am still reporting it since I just happened to spot it while lookin...

6.2AI score
Exploits0
Hacker One
Hacker One
added 2015/02/09 6:50 p.m.47 views

Internet Bug Bounty: Use After Free in Flash MessageChannel.send can cause arbitrary code execution

Sending messages between workers while having the animation reloaded can cause an object to be freed while a reference remains in memory. An attacker can use this issue to control eip and potentially execute arbitrary code. Identified as CVE-2015-0320, and reported to Adobe via Chrome VRP:...

10CVSS6.7AI score0.09983EPSS
Exploits0
Hacker One
Hacker One
added 2015/01/22 11:40 a.m.47 views

X (Formerly Twitter): Insecure Data Storage in Vine Android App

Hi Twitter, - Vulnerability Class:OWASP M2 : Insecure Data Storage Every application needs to store something secret, like a website username,password, cookies etc. , internal storage is the place to do it, android sandbox prevents other applications from accessing this data but,In vine android a...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2015/01/16 6:26 a.m.47 views

X (Formerly Twitter): twitter android app Fragment Injection

com.twitter.android.WidgetSettingsActivity extend PreferenceActivity and export. By entering the appropriate extra intent can call any of its internal fragment. So do not export com.twitter.android.WidgetSettingsActivity...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2015/01/05 7:37 p.m.47 views

Vimeo: Vimeo.com Insecure Direct Object References Reset Password

Hello, my name is Toufik Airane. This is Responsible Disclosure and Silent Disclosure. Thanks you to opened bug bounty program! Please find a proof of concept for IDOR attack on famous vimeo.com. With this IDOR, attacker can reset any password, of any account and take controle of it. Please, find...

1AI score
Exploits0
Hacker One
Hacker One
added 2014/11/18 1:25 p.m.47 views

QIWI: Metadata in hosted files is disclosing Usernames, Printers, paths, admin guides. emails

Hi - vulnerable hosts; agent.qiwi.com static.qiwi.com visa.qiwi.com w.qiwi.com www.qiwi.com • the type of vulnerability; Information disclosure • where exactly; There are multiple locations for documents with valuable metadata attached. These are both Qiwi documents and documents uploaded by...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2014/11/06 5:35 a.m.47 views

Block.io: SMPT Protection not used, I can hijack your email server.

Description Companies like Coinbase, Yahoo,Google,Facebook and even hackerone implemented a strict email security policy combining SPF, DKIM, and DMARC but I don't see taht from block.io , You should apply strict SMPT policy to stop spoofed email sending from your domain. POC is attached. Exploit...

7.2AI score
Exploits0
Hacker One
Hacker One
added 2014/10/25 11:46 p.m.47 views

X (Formerly Twitter): URGENT - Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS

Hi, This is an urgent issue and I hope you will act on it likewise. Your subdomain media.vine.co is pointing to AWS S3, but no bucket was connected to it. Actually, the reason to it is due to the CNAME of the meda.vine.co-DNS-entry: media.vine.co - media.vine.co is an alias for...

6.1AI score
Exploits0
Hacker One
Hacker One
added 2014/06/03 12:18 a.m.47 views

Mavenlink: Login password guessing attack

I have found out that an attacker can perform brute force attack on your login panel because there is no rate limitation to prevent this attack...

2.6AI score
Exploits0
Hacker One
Hacker One
added 2014/05/21 12:43 p.m.47 views

Yahoo!: Testing for user enumeration (OWASP‐AT‐002) - https://gh.bouncer.login.yahoo.com

Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2026/06/04 6:3 a.m.46 views

curl: OpenSSL TLS 1.2 session resumption accepts expired server certificates in libcurl

Summary curl's OpenSSL backend can accept a new TLS 1.2 HTTPS connection after the server certificate has expired if the connection resumes a previously cached TLS session. A full handshake made at the same time with the same certificate fails with CURLEPEERFAILEDVERIFICATION, but the resumed...

5.6AI score
Exploits0
Hacker One
Hacker One
added 2025/09/16 7:59 a.m.46 views

curl: Stack Buffer Overflow in cURL Cookie Parsing Leads to RCE

Summary I discovered a critical stack-based buffer overflow vulnerability in cURL's cookie parsing mechanism that can lead to remote code execution. The vulnerability occurs when processing maliciously crafted HTTP cookies, affecting all applications that use libcurl for HTTP requests. Descriptio...

9AI score
Exploits0
Hacker One
Hacker One
added 2024/06/18 11:0 p.m.46 views

curl: CVE-2024-6197: freeing stack buffer in utf8asn1str

The libcurl library at commit 04739054cdac5a0614fb94e3655e313c03399f35 contained an invalid invocation of the free function in the utf8asn1str function. The buffer being freed was located on the stack, which posed a security risk as the freed address could have been later returned by malloc calls...

7.5CVSS7.6AI score0.04296EPSS
Exploits1
Hacker One
Hacker One
added 2024/06/14 9:3 a.m.46 views

curl: Denial of Service in curl Request - HTTP headers eat all memory

Vulnerability description not provided...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2024/04/26 4:32 a.m.46 views

HackerOne: 2FA Bypass via Leaked Cookies

Vulnerability description not provided...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2023/10/29 7:37 a.m.46 views

Nextcloud: Bruteforce protection in password verification can be bypassed

A vulnerability was found where the IP address used for brute force protection in Nextcloud server could be bypassed by adding a valid X-Forwarded-For header. This allowed an attacker to bypass the brute force protection and brute force login credentials...

9.8CVSS6.9AI score0.01041EPSS
Exploits0
Hacker One
Hacker One
added 2023/10/21 10:57 a.m.46 views

Node.js: Path traversal by monkey-patching Buffer internals

A path traversal vulnerability was introduced in the experimental permission model in Node.js 20 and 21 by monkey-patching Buffer internals. This allowed modification of the result of path.resolve, leading to traversal beyond the expected path...

7.9CVSS7.2AI score0.01262EPSS
Exploits0
Hacker One
Hacker One
added 2023/10/13 4:40 p.m.46 views

Internet Bug Bounty: CVE-2023-42780: Apache Airflow: Improper access control vulnerability in the "List dag warnings" feature

A vulnerability in Apache Airflow versions prior to 2.7.2 allowed authenticated users to list warnings for all DAGs, revealing dagids and stack traces even for DAGs the user did not have permission to access. Users should upgrade to Airflow 2.7.2 or newer...

6.5CVSS6.1AI score0.01071EPSS
Exploits0
Hacker One
Hacker One
added 2023/09/11 7:20 a.m.46 views

U.S. Dept Of Defense: authentication bypass

An authentication bypass vulnerability was discovered in the login page of a web portal, allowing unauthorized access without providing valid credentials...

7.4AI score
Exploits0
Hacker One
Hacker One
added 2023/08/09 6:37 p.m.46 views

Internet Bug Bounty: (CVE-2023-32003) fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks

The fs.mkdtemp and fs.mkdtempSync functions in Node.js were found to be missing getValidatedPath checks, allowing for a path traversal attack. This vulnerability could be exploited to create arbitrary directories...

5.3CVSS7.1AI score0.01048EPSS
Exploits0
Hacker One
Hacker One
added 2023/06/13 3:56 p.m.46 views

GitHub Security Lab: [Python] Unsafe Unpacking and TarSlip bug slaying

Vulnerability description not provided...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2023/06/08 10:22 p.m.46 views

GitHub Security Lab: cpp: if (a+b>c) a=c-b is incorrect if a+b overflows

Vulnerability description not provided...

7.1AI score
Exploits0
Total number of security vulnerabilities5000