Search results: Hackerone, most viewed (15369 matches found)

Hacker One
added 2019/03/31 8:55 p.m., 46 views

Midpoint (European Commission - DIGIT): Attacker can read password from log data

Summary: Attacker can read plain text password from log data. Steps To Reproduce: 1. From application dashboard choose Users section, I simultaneously ran process hacker to see the process disk write and read behavior. 2. change the password of one of the users, and you see in process hacker wind...

AI score: 1.9 | Exploits: 0

Hacker One
added 2019/03/07 8:53 p.m., 46 views

Monero: (remote) exabyte allocation via load_from_binary() (DoS)

Changes introduced in commit b82efa32e can result in a denial of service if epee::serialization::portable_storage::load_from_binary is called with untrusted data. The 'reserve' method implemented here:...

AI score: 2 | Exploits: 0

Hacker One
added 2019/03/02 5:59 p.m., 46 views

Algolia: Web Cache Deception Attack (XSS)

@testingforbugs identified an issue related to web caching which could lead to XSS attacks...

AI score: 2.7 | Exploits: 0

Hacker One
added 2019/02/27 8:48 a.m., 46 views

GitLab: Attacker is able to access commit title and team member comments which are supposed to be private

Summary: add summary of the vulnerability Description: add more details about this vulnerability Steps To Reproduce: To reproduce this vulnerability, we need two accounts, let's say those accounts are: - [email protected] - [email protected] - Create a project from account [email protected] with th...

AI score: 2.1 | Exploits: 0

Hacker One
added 2019/02/25 9:22 a.m., 46 views

X (Formerly Twitter): url that twitter mobile site can not load

Summary: A URL that the twitter mobile site can not load crashes any page containing this URL. Description: Invalid hex characters crash the twitter mobile site; as an example, go to https://mobile.twitter.com/?%xx and twitter won't load. 1 Sending such a URL in a direct message, twitter will no longer be able to...

AI score: 6.6 | Exploits: 0

Hacker One
added 2019/02/10 6:29 a.m., 46 views

HackerOne: report id is exposed for undisclosed reports in Hacktivity

Summary: This is similar to https://hackerone.com/reports/127620 where the report Id of undisclosed report is visible on graphql query Description: The new hacktivity graphql query includes undisclosed reports, but part of the query result is the report id which is included in private information...

AI score: 0.4 | Exploits: 0

Hacker One
added 2019/01/07 8:34 p.m., 46 views

Internet Bug Bounty: Buffer over-write in finfo_open with malformed magic file.

https://bugs.php.net/bug.php?id=71527 This bug causes a segfault when running with environment variable USE_ZEND_ALLOC set to 0, and also when compiled with ASAN with USE_ZEND_ALLOC set and unset. To reproduce, run the following PHP file, with the example magic file below. $ cat magic-open.php Magic...

CVSS: 7.5 | AI score: 8.6 | EPSS: 0.04985 | Exploits: 1

Hacker One
added 2018/12/14 1:28 p.m., 46 views

Nextcloud: Retrieval and alteration of exposed media on Android Oreo

Good afternoon. Any media downloaded from the cloud server within the Android app is subject to third party modification and server re-upload without explicit user consent. This happens at least on Android Oreo, as data is automatically stored on shared folder...

AI score: 1.2 | Exploits: 0

Hacker One
added 2018/11/30 4:06 a.m., 46 views

HackerOne: A user can bypass approval step in Hacker Publishing feature, allowing them to publish reports immediately

Summary: Hi team Description: Hacker can request agree-on-going-public publish report Steps To Reproduce 1. Create publish report 2. https://hackerone.com/reports/bulk POST...

AI score: 0.8 | Exploits: 0

Hacker One
added 2018/11/18 4:57 a.m., 46 views

GitLab: GitLab's GitHub integration is vulnerable to SSRF vulnerability

The GitHub service is vulnerable to an SSRF vulnerability. An attacker may be able to leverage this to make arbitrary POST requests in a GitLab instance's internal network. It can also be used to connect to the cloud provider's instance metadata API, which may result in the ability to execute commands...

CVSS: 4 | AI score: 0.3 | EPSS: 0.00988 | Exploits: 1

Hacker One
added 2018/10/29 5:03 p.m., 46 views

Node.js third-party modules: Prototype pollution attack in just-extend

I would like to report a prototype pollution vulnerability in just-extend It allows an attacker to inject properties on Object.prototype. Module module name: just-extend version: 2.1.0, and 3.0.0 npm page: https://www.npmjs.com/package/just-extend Module Description Part of a library of...

CVSS: 7.5 | AI score: 0.8 | EPSS: 0.01836 | Exploits: 1

Hacker One
added 2018/10/04 6:03 p.m., 46 views

Mail.ru: Bypass security fixes by downgrading version of application

A version downgrade attack was possible in the webagent web application webagent.mail.ru. It could allow an attacker to force a user to visit an older version of the web application with known vulnerabilities...

AI score: 4.7 | Exploits: 0

Hacker One
added 2018/09/27 5:13 p.m., 46 views

Miniclip: xss in miniclip.com

I know this is out of scope but I thought maybe you would like to know about it. video attached Impact Steal session cookies, install keylogger etc etc...

AI score: 1.6 | Exploits: 0

Hacker One
added 2018/09/04 10:30 a.m., 46 views

BOHEMIA INTERACTIVE a.s.: Stealing Users OAUTH Tokens via redirect_uri

Hi, I would like to report an open redirection on the OAUTH redirect_uri which can lead to users' OAUTH tokens being leaked to any malicious user. Detail During the OAUTH flow, the redirect_uri on https://accounts.bistudio.com is not properly validated to ensure that the URL given is proper, as such a bypass of...

AI score: 0.9 | Exploits: 0

Hacker One
added 2018/08/21 6:33 a.m., 46 views

Valve: Malformed .BMP file in Counter-Strike 1.6 may cause shellcode injection

With the vulnerability of the GoldSource Engine, the server is able to perform remote code execution on the client, overwriting the stack when reading the BMP file. The problem is in the LoadBMP8 function, which is executed when the player connects to the server, by loading the...

AI score: 1.3 | Exploits: 0

Hacker One
added 2018/08/13 9:11 p.m., 46 views

Chaturbate: Account Takeover via billing

The hacker found that when subscribing to a fanclub the parameters could be manipulated to purchase a fanclub subscription for another user. This will set the email of the target account if they had no email on file. This could then be used to reset the password for the target user. The purchasin...

AI score: 2.8 | Exploits: 0

Hacker One
added 2018/07/20 6:31 p.m., 46 views

Internet Bug Bounty: linkinfo - open_basedir bypass on Windows PHP

Upstream bug - windows linkinfo lacks open_basedir check === https://bugs.php.net/bug.php?id=76459 Summary == Description: ------------ The linkinfo function on windows doesn't implement the open_basedir check, as can be seen by reviewing the source code. This could be abused to find files on paths outside...

AI score: 6.8 | Exploits: 0

Hacker One
added 2018/06/29 9:53 p.m., 46 views

Nextcloud: Accessing download.nextcloud.com from original IP address | insecure download

Hi team, Summary I found that I can access the web site from the original IP. This disables the HTTPS secure connection. Description First I make a DNS lookup to find the IP address: download.nextcloud.com has address 88.198.160.133 F313820 Now when I open the website from download.nextcloud.com I s...

AI score: 6.9 | Exploits: 0

Hacker One
added 2018/05/16 6:40 a.m., 46 views

Reverb.com: Api token exposed in Reverb.com's public github repository

An access token of a user account was available in a public github repo. The token was tied to an experimental project, and the account was only used for that project, so no sensitive information was able to be obtained...

AI score: 1.8 | Exploits: 0

Hacker One
added 2018/03/25 12:36 p.m., 46 views

Internet Bug Bounty: Silent omission of certificate hostname verification in LibreSSL and BoringSSL

Abstract LibreSSL and BoringSSL implemented X509_VERIFY_PARAM_set1_host differently than OpenSSL. All applications that use the preferred and documented way to configure a TLS connection for hostname validation silently neglect to perform hostname validation at all. As a consequence, they are...

CVSS: 5.8 | AI score: 7.1 | EPSS: 0.01056 | Exploits: 0

Hacker One
added 2017/12/24 7:25 a.m., 46 views

Unikrn: [unikrn.com] Profile updated with error":true,"success":false"

Greetings, We noticed that even if the https://unikrn.com/apiv2/user/updateprofile gave an answer that the code is on error , the post is proceeded : PoC : -- curl 'https://unikrn.com/apiv2/user/updateprofile' -XPOST -H 'Referer: https://unikrn.com/profile' -H 'Content-Type: application/json' -H...

AI score: 7.3 | Exploits: 0

Hacker One
added 2017/12/17 10:29 p.m., 46 views

Uber: Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication

Summary Configuration file and/or source code information leakage without Uber OneLogin SSO authentication. Security Impact Misconfiguration on the server results in information leakage without authentication. Reproduction Steps...

CVSS: 5 | AI score: 6.3 | EPSS: 0.02856 | Exploits: 1

Hacker One
added 2017/12/12 7:44 a.m., 46 views

Deriv.com: Leaking Referrer in Reset Password Link

On 12th Dec flex0geek reported that binary.com was leaking password reset tokens through referer headers. At first sight the report was closed, as we had fixed this earlier and our code base seemed fine. Later on the researcher sent a video POC which did show that we were leaking password...

AI score: 7.3 | Exploits: 0

Hacker One
added 2017/12/11 3:51 p.m., 46 views

Internet Bug Bounty: Exim use-after-free vulnerability while reading mail header involving BDAT commands

Original article is here Use-after-free in receive_msg leads to RCE Vulnerability Analysis To explain this bug, we need to start with the memory management of exim. There is a series of functions starting with store_, such as store_get, store_release, store_reset. These functions are used to manage...

CVSS: 7.5 | AI score: 9.4 | EPSS: 0.46705 | Exploits: 6

Hacker One
added 2017/10/28 9:59 p.m., 46 views

HackerOne: GraphQL sessions aren't immediately invalidated when user password is changed

Summary: While changing password, once user clicks on "Change password" button after giving necessary values, on https://hackerone.com/settings/pass/edit, the session expires and the user is redirected to https://hackerone.com/users/signin for logging in again with the updated/changed password. A...

AI score: 6.9 | Exploits: 0

Hacker One
added 2017/10/28 1:03 a.m., 46 views

AlienVault : [www.threatcrowd.org] - reflected XSS in report.php

Summary: I have found a reflected XSS in https://www.threatcrowd.org/report.php in GET parameter report Browsers Verified In: Firefox 56.0.1 Steps To Reproduce: 1. Browse to https://www.threatcrowd.org/report.php?report=javascript%3aalertdocument.domain 2. Click on Visit...

AI score: 6.3 | Exploits: 0

Hacker One
added 2017/10/27 10:36 a.m., 46 views

Infogram: Login Cross Site Request Forgery

Login form is not protected against Cross Site Request Forgery. An attacker can craft html page containing POST information to have victim sign into an attacker's account, where the victim can add information assuming he/she is logged into the correct account, where in reality, the victim is sign...

AI score: 6.6 | Exploits: 0

Hacker One
added 2017/10/06 8:49 a.m., 46 views

RubyGems: Remote code execution on rubygems.org

When parsing a gem POSTed to the /api/v1/gems endpoint, the rubygems.org application immediately calls Gem::Package.new(body).spec inside app/models/pusher.rb. The authors of the application correctly observed that parsing untrusted YAML is dangerous since it can serialize more or less arbitrary...

CVSS: 7.5 | AI score: 9.3 | EPSS: 0.15853 | Exploits: 1

Hacker One
added 2017/10/04 4:06 a.m., 46 views

RubyGems: Request Hijacking Vulnerability in RubyGems 2.6.13 and earlier

We received this report via security@ from [email protected], I'm filing here for tracking and visibility purposes... "I was looking at commit 8d91516fb7037ecfb27622f605dc40245e0f8d32, which was the fix for the DNS hijacking issue CVE-2017-0902. The function still handles the DNS response in ...

CVSS: 6.8 | AI score: 0.4 | EPSS: 0.0475 | Exploits: 1

Hacker One
added 2017/09/28 8:16 p.m., 46 views

Aspen: client_secret Token disclosure

Greetings, I think I've discovered a client_secret token disclosure. Proof of concept: 1. Go to https://github.com/AspenWeb/experimental-javascript-version/blob/master/www/blog/index.html 2. At line 6, a client_secret token is disclosed...

AI score: 0.2 | Exploits: 0

Hacker One
added 2017/09/26 9:47 p.m., 46 views

Brave Software: Download of (later executed) .NET installer over insecure channel

NOTE! Thanks for submitting a report! Please fill all sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty. Summary: Execution of file NDP-KB2901954-Web.exe fetched via...

AI score: 3.3 | Exploits: 0

Hacker One
added 2017/09/26 7:16 p.m., 46 views

Razer US: Reflected XSS on the https://deals.razerzone.com/json/translation endpoint

Thanks to SP1D3RS for the great report and working with the team on this one. This was a trivial POST-XSS, caused by using text/html Content-Type on the JSON endpoint, and ability to control the part of the response using unsanitized input. Why I disclosed it if this is a trivial issue? I pretty...

AI score: 6.7 | Exploits: 0

Hacker One
added 2017/09/20 9:12 p.m., 46 views

Razer US: Open redirect on oauth2.razerzone.com caused by server misconfiguration when using triple slash after hostname

Another solid report from this tester, who helped us nail down the issue when it was only intermittently reproducible. We appreciate the hard work. I discovered the Open Redirect on oauth2.razerzone.com due to improper handling of multiple/encoded slashes and dots in the URL path. POC link:...

AI score: 6.8 | Exploits: 0

Hacker One
added 2017/09/01 5:49 p.m., 46 views

Concrete CMS: 'cnvID' parameter vulnerable to Insecure Direct Object References

Installation Information === IIS 8, PHP 5.5, Concrete5 5.7.5.7 Default install Issue POC An unauthenticated user can enumerate comments from all blog posts by POSTing requests to /index.php/tools/required/conversations/viewajax with incremental 'cnvID' integers. 1. An example blog with permission...

AI score: 7.2 | Exploits: 0

Hacker One
added 2017/07/31 10:29 a.m., 46 views

Legal Robot: Null Byte Injection in all fields of Profile

Hi Team, Null byte injection is possible in all the fields of Edit Profile functionality. Affected URL: https://app.legalrobot.com/account Description: Possible Injection of control characters, such as Null Byte 0x00, \000, \x00, \z, or the Unicode representation \u0000 into vulnerable fields in...

AI score: 7.7 | Exploits: 0

Hacker One
added 2017/05/23 12:57 p.m., 46 views

Gratipay: CSP "script-src" includes "unsafe-inline" in https://gratipay.com

SUMMARY: Related Report: 225833 Gratipay is using unsafe-inline in script-src csp headers which allows the use of inline resources, such as inline elements, javascript: URLs, inline event handlers, and inline elements. Proof Of Concept By Using cURL: curl -I https://gratipay.com The results See m...

AI score: 1 | Exploits: 0

Hacker One
added 2017/05/02 1:24 p.m., 46 views

Weblate: Incorrect HTTPS Certificate

Weblate appears to have a public facing git repository located at git.weblate.org that utilises HTTPS when viewed in the browser. As a side note, netcat to port 80 results in the default debian landing page. 77.78.107.252 - git.weblate.org The site has an incorrectly configured certificate, and...

AI score: 7.1 | Exploits: 0

Hacker One
added 2017/02/27 4:10 p.m., 46 views

Automattic: Cross Domain leakage of sensitive information - Leading to Account Takeover at Instagram Brand

Product / URL https://instagram-brand.com/register/reset/?email= Description and Impact After a user clicks on the password reset link obtained in inbox, the page for password resetting functionality opens. If you monitor the HTTP Requests that are done while that page is loaded, you will come to...

AI score: 6.9 | Exploits: 0

Hacker One
added 2017/01/02 9:17 a.m., 46 views

Uber: lert.uber.com: Few default folders/files of AURA Framework are accessible

There were a few default folders/files of the AURA Framework accessible on lert.uber.com. The specified files/folders in the AURA framework were supposed to be accessible, so we did not make any changes here. However, we do appreciate the time taken to submit this report and are disclosing per th...

AI score: 2.6 | Exploits: 0

Hacker One
added 2016/12/15 11:41 a.m., 46 views

X (Formerly Twitter): CRLF and XSS stored on ton.twitter.com

Hey, 1 CRLF: It's similar to 52042 but weaker to reproduce go to: https://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC you will find that test cookie with the val...

AI score: 6.6 | Exploits: 0

Hacker One
added 2016/11/12 5:58 p.m., 46 views

LocalTapiola: SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi)

Vulnerable script: /webApp/oma_conf Vulnerable parameter: ctxvarsemail Database: PostgreSQL PoC http POST /webApp/oma_conf HTTP/1.1 Host: viestinta.lahitapiola.fi Content-Type: application/x-www-form-urlencoded Content-Length: 1131...

AI score: 0.4 | Exploits: 0

Hacker One
added 2016/09/06 8:29 p.m., 46 views

Yelp: Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot

On the pages https://biz.yelp.com/login and https://biz.yelp.com/forgot a malicious user can verify whether a particular E-mail address is registered on biz.yelp.com. Steps to reproduce for https://biz.yelp.com/login: 1. Open https://biz.yelp.com/login 2. Enter a non-existing E-Mail address 3. Enter any...

AI score: 0.1 | Exploits: 0

Hacker One
added 2016/08/25 9:31 a.m., 46 views

Instacart: WordPress Authentication Denial of Service

Hi, I found out that you are using WordPress version 4.5.3. Researchers found out 5 days ago, that this version has a vulnerability, a Path traversal in WordPress Core Ajax handlers. Intro WordPress is web software that can be used to create a website, blog, or app. A path traversal vulnerability...

AI score: 0.5 | Exploits: 0

Hacker One
added 2016/08/16 9:19 a.m., 46 views

Internet Bug Bounty: stack buffer overflows in the curses module

I found two stack buffer overflows in the curses module. These vulnerabilities have been reported to the PSRT and were fixed here: https://hg.python.org/cpython/rev/d5f6bc45b376 https://hg.python.org/cpython/rev/85b35300f200 Below are copies of the mails I sent to the PSRT. They describe the...

AI score: 7.5 | Exploits: 0

Hacker One
added 2016/08/10 3:24 p.m., 46 views

Trello: File access using image tragick

While Trello had patched our image libraries to prevent the RCE vulnerability in ImageMagick, we had not applied a patch to prevent arbitrary file reads via labels in mvg files. After resolving the issue, we were able to determine that no files had actually been accessed using this vulnerability,...

AI score: 6.9 | Exploits: 0

Hacker One
added 2016/07/11 2:47 p.m., 46 views

OLX: SQLi in Payment Request

Hi there, I have found out that one request in your API is vulnerable to SQL injection. PoC: Invalid Request: GET /api/v1.0/payments/items?ids=891048367'"&platform=desktop HTTP/1.1 Host: www.olx.com.ar User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0 Accept:...

AI score: 7.3 | Exploits: 0

Hacker One
added 2016/05/13 1:10 a.m., 46 views

Internet Bug Bounty: Adobe Flash Player ContentFactory class Memory Corruption Vulnerability

I. Summary Adobe Flash Player is prone to a vulnerability which leads to memory corruption because of improper validation of ContentFactory.retrieveAdPolicySelector. ------------------------------------------------------------------ II. Description Adobe Flash is a multimedia and software platfor...

CVSS: 7.6 | AI score: 8.6 | EPSS: 0.09561 | Exploits: 0

Hacker One
added 2016/03/14 8:00 a.m., 46 views

Mail.ru: bgplay.mail.ru

Potential RCE via Java object deserialization in out-of-scope service...

AI score: 1.4 | Exploits: 0

Hacker One
added 2016/03/01 7:08 p.m., 46 views

Internet Bug Bounty: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)

https://openssl.org/news/secadv/20160301.txt...

CVSS: 5 | AI score: 8.9 | EPSS: 0.27022 | Exploits: 1

Hacker One
added 2016/02/26 11:17 p.m., 46 views

Cakebet: Sender policy framework (SPF) records evaluation return (Too many DNS lookups) error

Hi Security Team, Your SPF record suffers from a "too many lookups" error. The specifications for the SPF record limit the number of lookups (such as translating a name to an IP address) to 10. An SPF record like the one shown below will have the too many lookups error: Found v=spf1 record for...

AI score: 0.9 | Exploits: 0

Total number of security vulnerabilities: 5000