
Hacker One
added 2020/03/22 1:27 p.m.

PlayStation: Authorization Token on PlayStation Network Leaks via postMessage function

Description After some analysis of how PlayStation Network authentication works, I came across a certain pattern of how authorization tokens are handled. The web application utilizes the postMessage function to exchange authorization tokens between windows/frames. To simplify this, let's follow on one...

AI score: 0.3
Exploits: 0
Hacker One
added 2020/01/21 6:10 a.m.

Kubernetes: Compromise of auth via subset/superset namespace names.

Report Submission Form Summary: Use of nginx.ingress.kubernetes.io/auth annotations results in a file named namespace-ingress.passwd. If a user knows the namespace and ingress of an ingress they want to compromise, they need to be able to create a namespace that is some subset of namespace-ingress...

CVSS: 4.9, AI score: 1, EPSS: 0.00894
Exploits: 0
Hacker One
added 2020/01/17 4:40 p.m.

h1-ctf: [h1-415 2020] I got the flag

Hey guys, The flag is: h1ctfy3s1mc0sm1cn0w I'll submit a well written writeup later today or tomorrow. I now have a lot of work to catch up thanks to this devilish ctf hehehe. Thanks Ben and the rest of the team for this awesome challenge. Impact Getting the flag...

AI score: 0.9
Exploits: 0
Hacker One
added 2020/01/08 10:18 p.m.

8x8: Reflected xss on 8x8.com subdomain

The Beta version of a new chat API was discovered to contain a reflected XSS flaw. With the help of the researcher we were able to resolve the issue and ensure the future chat product will not contain this flaw. Write-up for beginners like me.. hackwithcommunity...

AI score: 1.1
Exploits: 0
Hacker One
added 2019/12/04 8:06 p.m.

Nord Security: Password Reset Link Leaked In Referer Header In Request To Third Party Sites

The reporter has identified that the web application is leaking the password reset token in the HTTP Referer header. By obtaining a token, a malicious user would be able to reset the password for a particular user. It is worth mentioning that the attack must be highly personalised and requires prior...

AI score: 6.9
Exploits: 0
Hacker One
added 2019/11/10 11:32 a.m.

Clario: XSS in https://affiliates.kromtech.com

Summary XSS in https://affiliates.kromtech.com Vulnerable URL: https://affiliates.kromtech.com/monetize-mac-traffic/adgroup/affiliatefixhello%22%3Ehello/type/affiliate Vulnerable Parameter: "URL Path" XSS Payload: hello"hello Steps To Reproduce: Navigate to the Vulnerable URL Notice the pop-up...

AI score: 7
Exploits: 0
Hacker One
added 2019/11/06 8:13 a.m.

Node.js third-party modules: Filesystem Writes via `yarn install` via symlinks and tar transforms inside a crafted malicious package

I would like to report an arbitrary filesystem write vulnerability in Yarn when installing a malicious package from the default repositories. This vulnerability has the potential for RCE -- even if --ignore-scripts is disabled. It allows a malicious package, upon install, to write to any path on...

CVSS: 5.1, AI score: 8.3, EPSS: 0.05033
Exploits: 1
Hacker One
added 2019/10/09 10:52 a.m.

8x8: Publicly accessible .svn repository - aastraconf.packet8.net

The server contained artifacts from an old SVN repository. The files were removed...

AI score: 2.2
Exploits: 0
Hacker One
added 2019/10/03 5:19 a.m.

Ruby: Variant of CVE-2013-0269 (Denial of Service and Unsafe Object Creation Vulnerability in JSON)

During my recent keyword argument separation work on rb_scan_args in the master branch, I discovered what I now think is a vulnerability. While the CVE-2013-0269 change fixed most usage of JSON.parse, it ended up not fixing Kernel#JSON. The reason behind this is that internally, in...

CVSS: 7.5, EPSS: 0.13911
Exploits: 0
Hacker One
added 2019/09/19 4:29 p.m.

Nextcloud: Only the file extensions are checked, not the MIME types as configured

The tool is not working as hoped. File access control speaks of MIME types that are blocked or not blocked. In fact, only the file extensions are checked. If a user renames an unauthorized file to an allowed file, he can upload and download it. The MIME type of the current file is insignificant,...

CVSS: 6, AI score: 0.7, EPSS: 0.0113
Exploits: 0
Hacker One
added 2019/09/03 11:51 a.m.

curl: krb5: double-free in read_data() after realloc() fail

Summary: In 'lib/security.c', there is a double-free of the reference 'buf->data' on the teardown path if 'Curl_saferealloc' fails. Also, since we read 'len' from the 'fd', the sender might be able to remotely trigger a realloc failure, and then the double-free, by sending the value 0x7fffffff...

CVSS: 7.5, AI score: 1.7, EPSS: 0.07266
Exploits: 0
Hacker One
added 2019/08/05 3:52 p.m.

Grammarly: Can register any mobile number in MFA without current code.

@chackmate identified a vulnerability that allows a user to connect arbitrary phone numbers with their account. No users affected...

AI score: 4.8
Exploits: 0
Hacker One
added 2019/08/02 7:47 a.m.

Mail.ru: Publicly Accessible HashiCorp Consul

Consul interface was available from outside on one of my.com subdomains...

AI score: 2.8
Exploits: 0
Hacker One
added 2019/06/09 12:42 p.m.

QIWI: Bypassing the commission on transfers

Good day. Not long ago the "Active wallet user" tariff was enabled on my wallet. This tariff implies a 2% commission on transfers. Naturally, that did not suit me at all, and I decided to go looking for a way around it. After a brief search I managed to find a hole right here...

AI score: 7.1
Exploits: 0
Hacker One
added 2019/02/27 8:48 a.m.

GitLab: Attacker is able to access commit title and team member comments which are supposed to be private

Summary: add summary of the vulnerability Description: add more details about this vulnerability Steps To Reproduce: To reproduce this vulnerability, we need two accounts, let's say those accounts are: - [email protected] - [email protected] - Create a project from account [email protected] with th...

AI score: 2.1
Exploits: 0
Hacker One
added 2019/02/25 9:22 a.m.

X (Formerly Twitter): URL that the Twitter mobile site cannot load

Summary: A URL that the Twitter mobile site cannot load crashes any page containing this URL Description: Invalid hex characters crash the Twitter mobile site; as an example go to https://mobile.twitter.com/?%xx and Twitter won't load. 1 Sending such a URL in a direct message, Twitter will no longer be able to...

AI score: 6.6
Exploits: 0
Hacker One
added 2019/02/10 6:29 a.m.

HackerOne: report id is exposed for undisclosed reports in Hacktivity

Summary: This is similar to https://hackerone.com/reports/127620 where the report Id of undisclosed report is visible on graphql query Description: The new hacktivity graphql query includes undisclosed reports, but part of the query result is the report id which is included in private information...

AI score: 0.4
Exploits: 0
Hacker One
added 2018/12/14 1:28 p.m.

Nextcloud: Retrieval and alteration of exposed media on Android Oreo

Good afternoon. Any media downloaded from the cloud server within the Android app is subject to third party modification and server re-upload without explicit user consent. This happens at least on Android Oreo, as data is automatically stored on shared folder...

AI score: 1.2
Exploits: 0
Hacker One
added 2018/11/30 4:06 a.m.

HackerOne: A user can bypass approval step in Hacker Publishing feature, allowing them to publish reports immediately

Summary: Hi team Description: Hacker can request agree-on-going-public publish report Steps To Reproduce 1. Create publish report 2. https://hackerone.com/reports/bulk POST...

AI score: 0.8
Exploits: 0
Hacker One
added 2018/11/18 4:57 a.m.

GitLab: GitLab's GitHub integration is vulnerable to SSRF vulnerability

The GitHub service is vulnerable to an SSRF vulnerability. An attacker may be able to leverage this to make arbitrary POST requests in a GitLab instance's internal network. It can also be used to connect to a cloud provider's instance metadata API, which may result in the ability to execute commands...

CVSS: 4, AI score: 0.3, EPSS: 0.00988
Exploits: 1
Hacker One
added 2018/10/29 5:03 p.m.

Node.js third-party modules: Prototype pollution attack in just-extend

I would like to report a prototype pollution vulnerability in just-extend It allows an attacker to inject properties on Object.prototype. Module module name: just-extend version: 2.1.0, and 3.0.0 npm page: https://www.npmjs.com/package/just-extend Module Description Part of a library of...

CVSS: 7.5, AI score: 0.8, EPSS: 0.01836
Exploits: 1
Hacker One
added 2018/08/21 6:33 a.m.

Valve: Malformed .BMP file in Counter-Strike 1.6 may cause shellcode injection

With the vulnerability of the GoldSource Engine, the server is able to perform remote code execution on the client, overwriting the stack when reading the BMP file. The problem is in the LoadBMP8 function, which is executed when the player connects to the server, by loading the...

AI score: 1.3
Exploits: 0
Hacker One
added 2018/08/13 9:11 p.m.

Chaturbate: Account Takeover via billing

The hacker found that when subscribing to a fanclub the parameters could be manipulated to purchase a fanclub subscription for another user. This will set the email of the target account if they had no email on file. This could then be used to reset the password for the target user. The purchasin...

AI score: 2.8
Exploits: 0
Hacker One
added 2018/07/20 6:31 p.m.

Internet Bug Bounty: linkinfo - open_basedir bypass on Windows PHP

Upstream bug - windows linkinfo lacks open_basedir check === https://bugs.php.net/bug.php?id=76459 Summary == Description: ------------ linkinfo function on windows doesn't implement open_basedir check, it can be seen by reviewing the source code. This could be abused to find files on paths outside...

AI score: 6.8
Exploits: 0
Hacker One
added 2018/06/29 9:53 p.m.

Nextcloud: Accessing download.nextcloud.com from original IP address | insecure download

Hi team, Summary: I found that I can access the web site from the original IP. This disables the HTTPS secure connection. Description: First I did a DNS lookup to find the IP address: download.nextcloud.com has address 88.198.160.133 F313820 Now when I open the website from download.nextcloud.com I s...

AI score: 6.9
Exploits: 0
Hacker One
added 2018/05/16 6:40 a.m.

Reverb.com: Api token exposed in Reverb.com's public github repository

An access token of a user account was available in a public github repo. The token was tied to an experimental project, and the account was only used for that project, so no sensitive information was able to be obtained...

AI score: 1.8
Exploits: 0
Hacker One
added 2018/03/25 12:36 p.m.

Internet Bug Bounty: Silent omission of certificate hostname verification in LibreSSL and BoringSSL

Abstract LibreSSL and BoringSSL implemented X509_VERIFY_PARAM_set1_host differently than OpenSSL. All applications that use the preferred and documented way to configure a TLS connection for hostname validation silently neglect to perform hostname validation at all. As a consequence, they are...

CVSS: 5.8, AI score: 7.1, EPSS: 0.01056
Exploits: 0
Hacker One
added 2017/12/24 7:25 a.m.

Unikrn: [unikrn.com] Profile updated with error":true,"success":false"

Greetings, We noticed that even if https://unikrn.com/apiv2/user/updateprofile gave an answer that the code is in error, the post is processed: PoC : -- curl 'https://unikrn.com/apiv2/user/updateprofile' -XPOST -H 'Referer: https://unikrn.com/profile' -H 'Content-Type: application/json' -H...

AI score: 7.3
Exploits: 0
Hacker One
added 2017/12/17 10:29 p.m.

Uber: Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication

Summary Configuration file and/or source code information leakage without Uber OneLogin SSO authentication. Security Impact Misconfiguration on the server results in information leakage without authentication. Reproduction Steps...

CVSS: 5, AI score: 6.3, EPSS: 0.02856
Exploits: 1
Hacker One
added 2017/12/12 7:44 a.m.

Deriv.com: Leaking Referrer in Reset Password Link

On 12th Dec flex0geek reported that binary.com was leaking password reset tokens through Referer headers. At first sight the report was closed as we had fixed this earlier and our code base seemed fine. Later on the researcher sent a video POC which did show that we were leaking password...

AI score: 7.3
Exploits: 0
Hacker One
added 2017/12/11 3:51 p.m.

Internet Bug Bounty: Exim use-after-free vulnerability while reading mail header involving BDAT commands

Original article is here Use-after-free in receive_msg leads to RCE Vulnerability Analysis To explain this bug, we need to start with the memory management of Exim. There is a series of functions starting with store_, such as store_get, store_release, store_reset. These functions are used to manage...

CVSS: 7.5, AI score: 9.4, EPSS: 0.46705
Exploits: 6
Hacker One
added 2017/10/28 1:03 a.m.

AlienVault: [www.threatcrowd.org] - reflected XSS in report.php

Summary: I have found a reflected XSS in https://www.threatcrowd.org/report.php in GET parameter report Browsers Verified In: Firefox 56.0.1 Steps To Reproduce: 1. Browse to https://www.threatcrowd.org/report.php?report=javascript%3aalertdocument.domain 2. Click on Visit...

AI score: 6.3
Exploits: 0
Hacker One
added 2017/10/04 4:06 a.m.

RubyGems: Request Hijacking Vulnerability in RubyGems 2.6.13 and earlier

We received this report via security@ from [email protected], I'm filing here for tracking and visibility purposes... "I was looking at commit 8d91516fb7037ecfb27622f605dc40245e0f8d32, which was the fix for the DNS hijacking issue CVE-2017-0902. The function still handles the DNS response in ...

CVSS: 6.8, AI score: 0.4, EPSS: 0.0475
Exploits: 1
Hacker One
added 2017/09/28 8:16 p.m.

Aspen: client_secret Token disclosure

Greetings, I think I've discovered a client_secret token disclosure. Proof of concept: 1. Go to https://github.com/AspenWeb/experimental-javascript-version/blob/master/www/blog/index.html 2. At line 6, a client_secret token is disclosed...

AI score: 0.2
Exploits: 0
Hacker One
added 2017/09/26 9:47 p.m.

Brave Software: Download of (later executed) .NET installer over insecure channel

NOTE! Thanks for submitting a report! Please fill all sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty. Summary: Execution of file NDP-KB2901954-Web.exe fetched via...

AI score: 3.3
Exploits: 0
Hacker One
added 2017/09/26 7:16 p.m.

Razer US: Reflected XSS on the https://deals.razerzone.com/json/translation endpoint

Thanks to SP1D3RS for the great report and working with the team on this one. This was a trivial POST-XSS, caused by using the text/html Content-Type on the JSON endpoint, and the ability to control part of the response using unsanitized input. Why did I disclose it if this is a trivial issue? I pretty...

AI score: 6.7
Exploits: 0
Hacker One
added 2017/09/20 9:12 p.m.

Razer US: Open redirect on oauth2.razerzone.com caused by server misconfiguration when using triple slash after hostname

Another solid report from this tester, who helped us nail down the issue when it was only intermittently reproducible. We appreciate the hard work. I discovered the Open Redirect on oauth2.razerzone.com due to improper handling of multiple/encoded slashes and dots in the URL path. POC link:...

AI score: 6.8
Exploits: 0
Hacker One
added 2017/09/01 5:49 p.m.

Concrete CMS: 'cnvID' parameter vulnerable to Insecure Direct Object References

Installation Information === IIS 8, PHP 5.5, Concrete5 5.7.5.7 Default install Issue POC An unauthenticated user can enumerate comments from all blog posts by POSTing requests to /index.php/tools/required/conversations/viewajax with incremental 'cnvID' integers. 1. An example blog with permission...

AI score: 7.2
Exploits: 0
Hacker One
added 2017/07/31 10:29 a.m.

Legal Robot: Null Byte Injection in all fields of Profile

Hi Team, Null byte injection is possible in all the fields of Edit Profile functionality. Affected URL: https://app.legalrobot.com/account Description: Possible Injection of control characters, such as Null Byte 0x00, \000, \x00, \z, or the Unicode representation \u0000 into vulnerable fields in...

AI score: 7.7
Exploits: 0
Hacker One
added 2017/05/23 12:57 p.m.

Gratipay: CSP "script-src" includes "unsafe-inline" in https://gratipay.com

SUMMARY: Related Report: 225833 Gratipay is using unsafe-inline in the script-src CSP header, which allows the use of inline resources, such as inline script elements, javascript: URLs, and inline event handlers. Proof Of Concept By Using cURL: curl -I https://gratipay.com The results See m...

AI score: 1
Exploits: 0
Hacker One
added 2017/05/02 1:24 p.m.

Weblate: Incorrect HTTPS Certificate

Weblate appears to have a public facing git repository located at git.weblate.org that utilises HTTPS when viewed in the browser. As a side note, netcat to port 80 results in the default debian landing page. 77.78.107.252 - git.weblate.org The site has an incorrectly configured certificate, and...

AI score: 7.1
Exploits: 0
Hacker One
added 2017/02/27 4:10 p.m.

Automattic: Cross Domain leakage of sensitive information - Leading to Account Takeover at Instagram Brand

Product / URL https://instagram-brand.com/register/reset/?email= Description and Impact After a user clicks on the password reset link obtained in inbox, the page for password resetting functionality opens. If you monitor the HTTP Requests that are done while that page is loaded, you will come to...

AI score: 6.9
Exploits: 0
Hacker One
added 2017/01/02 9:17 a.m.

Uber: lert.uber.com: Few default folders/files of AURA Framework are accessible

There were a few default folders/files of the AURA Framework accessible on lert.uber.com. The specified files/folders in the AURA framework were supposed to be accessible, so we did not make any changes here. However, we do appreciate the time taken to submit this report and are disclosing per th...

AI score: 2.6
Exploits: 0
Hacker One
added 2016/12/15 11:41 a.m.

X (Formerly Twitter): CRLF and XSS stored on ton.twitter.com

Hey, 1 CRLF: It's similar to 52042 but weaker to reproduce go to: https://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC you will find that test cookie with the val...

AI score: 6.6
Exploits: 0
Hacker One
added 2016/11/12 5:58 p.m.

LocalTapiola: SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi)

Vulnerable script: /webApp/oma_conf Vulnerable parameter: ctxvarsemail Database: PostgreSQL PoC http POST /webApp/oma_conf HTTP/1.1 Host: viestinta.lahitapiola.fi Content-Type: application/x-www-form-urlencoded Content-Length: 1131...

AI score: 0.4
Exploits: 0
Hacker One
added 2016/09/06 8:29 p.m.

Yelp: Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot

On the pages https://biz.yelp.com/login and https://biz.yelp.com/forgot a malicious user can verify whether a particular E-mail address is registered on biz.yelp.com. Steps to reproduce for https://biz.yelp.com/login: 1. Open https://biz.yelp.com/login 2. Enter a non-existing E-Mail address 3. Enter any...

AI score: 0.1
Exploits: 0
Hacker One
added 2016/08/25 9:31 a.m.

Instacart: WordPress Authentication Denial of Service

Hi, I found out that you are using WordPress version 4.5.3. Researchers found out 5 days ago that this version has a vulnerability, a path traversal in WordPress Core Ajax handlers. Intro WordPress is web software that can be used to create a website, blog, or app. A path traversal vulnerability...

AI score: 0.5
Exploits: 0
Hacker One
added 2016/08/16 9:19 a.m.

Internet Bug Bounty: stack buffer overflows in the curses module

I found two stack buffer overflows in the curses module. These vulnerabilities have been reported to the PSRT and were fixed here: https://hg.python.org/cpython/rev/d5f6bc45b376 https://hg.python.org/cpython/rev/85b35300f200 Below are copies of the mails I sent to the PSRT. They describe the...

AI score: 7.5
Exploits: 0
Hacker One
added 2016/08/10 3:24 p.m.

Trello: File access using image tragick

While Trello had patched our image libraries to prevent the RCE vulnerability in ImageMagick, we had not applied a patch to prevent arbitrary file reads via labels in mvg files. After resolving the issue, we were able to determine that no files had actually been accessed using this vulnerability,...

AI score: 6.9
Exploits: 0
Hacker One
added 2016/05/13 1:10 a.m.

Internet Bug Bounty: Adobe Flash Player ContentFactory class Memory Corruption Vulnerability

I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ContentFactory.retrieveAdPolicySelector. ------------------------------------------------------------------ II. Description Adobe Flash is a multimedia and software platfor...

CVSS: 7.6, AI score: 8.6, EPSS: 0.09561
Exploits: 0