
15369 matches found

Hacker One
added 2020/09/10 4:50 p.m. (43 views)

Open-Xchange: A specially crafted message sent to the local delivery agent (LMTP) causes the LMTP child process to issue a panic (call i_panic)

Summary: Sending a message to the local delivery agent with a number of MIME parts greater than the Dovecot core threshold of MIME parts results in i_panic. In the case of the LMTP server it causes the child to abort the connection. I believe that this can be quite problematic, if such a message lands in th...

CVSS 5, AI score 0.6, EPSS 0.0466
Exploits: 1
Hacker One
added 2020/07/08 5:23 p.m. (43 views)

Omise: Authenticity token doesn't expire after single use, leading to CSRF

Summary: Once you said that you use a Ruby framework for making the authenticity-token which acts as a CSRF protection. You also sent me this to help me understand: https://medium.com/rubyinside/a-deep-dive-into-csrf-protection-in-rails-19fa0a42c0ef . After looking into it I found that an authenticity-token c...

AI score 7
Exploits: 0
Hacker One
added 2020/05/19 1:47 a.m. (43 views)

HackerOne: GraphQL field on Team node can be used to determine if External Program runs invite-only program

On 19th May, a new parameter policy_markdown_html was introduced inside the team GraphQL query. Using a GraphQL query, we are able to determine External programs running privately on HackerOne, as the policy_markdown_html parameter was able to fetch the private internal policy. Note: Using this parameter, it wa...

AI score 0.8
Exploits: 0
Hacker One
added 2020/05/17 1:27 a.m. (43 views)

Starbucks: Singapore - Account Takeover via IDOR

ko2sec discovered that an alternate site shared database and cookie credentials with card.starbucks.com.sg. By exploiting an endpoint on the alternate site, ko2sec was able to copy a PHPSESSID cookie value from that site over to card.starbucks.com.sg and then see user information, update the...

AI score 2
Exploits: 0
Hacker One
added 2020/02/19 4:44 p.m. (43 views)

U.S. Dept Of Defense: Admin Login Credential Leak for DoD GitLab EE instance

Summary: A DoD employee/contractor exposed the ███ password in a GitHub repository █████████, leading to full ███ access in a DoD DISA-associated private GitLab EE instance ███. Description: The IP address ████ recently hosted the subdomain █████████ as of 2019-09-23. ██████ Now port 80 points to a...

AI score 7.8
Exploits: 0
Hacker One
added 2020/02/14 5:37 p.m. (43 views)

Shopify: [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation

Summary: In 791775, I submitted a bug on Sunday at 5pm Canada time; it was triaged two hours later, and I got the temp fix message at around 3am the next day, Canada time. Truly awesome. The next day I retested after the first fix, and found that I - Cannot receive the email confirmation in the ema...

AI score 6.9
Exploits: 0
Hacker One
added 2020/01/20 9:46 p.m. (43 views)

Internet Bug Bounty: Squid as reverse proxy RCE and data leak

Summary: This was a very difficult experience as the Squid maintainers took a long time to answer. I tried getting help from HackerOne support and Dropbox support to no avail, and the Internet Bug Bounty never e-mailed me back. What could have taken a few days took months. The vulnerability concerns a...

AI score 7.6
Exploits: 0
Hacker One
added 2019/12/31 7:28 p.m. (43 views)

Affirm: Absence of Token expiry leads to Unauthorized login Access

Summary: While testing the mobile app, I observed that it is possible to bypass the authentication and gain unauthorized access to the user's account by brute-forcing the PIN due to lack of login token expiry. The way Affirm mobile login works is that the user inputs the phone numbe...

AI score 7.6
Exploits: 0
Hacker One
added 2019/12/31 7:33 a.m. (43 views)

Rocket.Chat: API Keys Hardcoded in GitHub repository

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: API keys are ha...

AI score 7
Exploits: 0
Hacker One
added 2019/10/16 11:24 a.m. (43 views)

curl: curl successfully matches IP address literal in URL against IP address literal in certificate Common Name

Summary: A user may invoke the curl command line utility with an IP address literal in the URL, such as https://192.168.124.2/... If the HTTPS server presents a certificate whose Common Name matches this IP address literal as a string (that is, the Common Name is the ASCII string 192.168.124.2), then...

CVSS 4, EPSS 0.01366
Exploits: 0
Hacker One
added 2019/09/20 12:49 a.m. (43 views)

New Relic: Host Header Injection

Reproduction: 1- Open the reset link https://login.newrelic.com/passwords/forgot 2- Enter the victim's email address and click Reset and Email Password 3- Intercept the HTTP request in Burp Suite and add an X-Forwarded-Host header and write attacker.com/.newrelic.com; the link will be like...

AI score 7.2
Exploits: 0
Hacker One
added 2019/09/01 4:13 p.m. (43 views)

Railto LLC: Administrator access to staging.railto.com

Summary: Hey team, while doing some recon for Railto sub-domains, I came across a most critical bug which gives me complete access to https://staging.railto.com. I can add anything and remove anything as I got ADMIN level privilege. Steps: 1. Go to the https://staging.railto.com/admin URL. 2. Se...

AI score 0.3
Exploits: 0
Hacker One
added 2019/07/20 4:16 a.m. (43 views)

Ruby: OS Command Injection via egrep in Rake::FileList

When a file whose name starts with | is in a Rake::FileList, then egrep will execute the command. How to reproduce: the PoC poc_rake.rb is the following: require 'rake'; list = Rake::FileList.new(Dir.glob('*')); p list; list.egrep(/something/). Example of executing: % ls -1 Gemfile...

CVSS 6.9, AI score 1.6, EPSS 0.01359
Exploits: 1
Hacker One
added 2019/07/15 11:48 a.m. (43 views)

Radancy: Wrong link on corne.maximum.nl

Domain and URL: corne.maximum.nl. Hello, I noticed that your subdomain corne.maximum.nl links to the website "maximum.com" instead of "maximum.nl". "maximum.com" is in control of a Chinese organization, as you said in your description. I think you've made a little mistake, but there is no impact :...

AI score 0.6
Exploits: 0
Hacker One
added 2019/07/03 8:15 a.m. (43 views)

Weblate: HTML injection and information disclosure in support panel

Hello Weblate Team! I found HTML injection and information disclosure in the support panel. Description: There is a form on weblate.org and hosted.weblate.org to send to support. I poisoned the request, where I inserted such a payload in all fields: " After that, when my payload got into the support panel...

AI score 7.2
Exploits: 0
Hacker One
added 2019/03/28 3:41 p.m. (43 views)

curl: libcurl: SMTP end-of-response out-of-bounds read - CVE-2019-3823

libcurl contains a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to smtp_endofresp() isn't NUL terminated and contains no character ending the parsed number, and len is set to 5, then the strtol() call reads beyond the allocated buffer. The read conten...

CVSS 5, AI score 0.2, EPSS 0.04286
Exploits: 1
Hacker One
added 2019/03/05 12:33 a.m. (43 views)

OLX: XSS inside HTML Link Tag

Hello, I discovered XSS in sharjah.dubizzle.com. The XSS is reflected inside an HTML link tag, so it needs some condition to trigger the payload. Steps to Reproduce - Visit https://sharjah.dubizzle.com/property-for-sale/land" accesskey="X" onclick=alert(1337)...

AI score 0.1
Exploits: 0
Hacker One
added 2019/02/24 3:49 p.m. (43 views)

Starbucks: XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx

Description: Hi guys, when I was visiting the Starbucks jobs website in China (https://ecjobs.starbucks.com.cn), I found a feature for uploading the user's photo. Through bypassing the security restrictions of the upload, I can upload html|xhtml|xml|config files etc. The uploaded html file can realize the...

Exploits: 0
Hacker One
added 2019/01/01 5:17 p.m. (43 views)

Node.js third-party modules: [bower] Arbitrary File Write through improper validation of symlinks during package extraction

I would like to report file write in arbitrary locations via the install command in bower. It allows attackers to write arbitrary files when a malicious package is extracted. Module: module name: bower, version: 1.8.4, npm page: https://www.npmjs.com/package/bower. Module Description: Bower offers a generi...

CVSS 5, AI score 0.8, EPSS 0.02566
Exploits: 1
Hacker One
added 2018/11/24 2:40 p.m. (43 views)

RubyGems: 65534 times more efficient brute-force attack for api_key

I have found that type checking for api_key is insufficient in rubygems.org's source code. https://github.com/rubygems/rubygems.org/blob/master/app/controllers/application_controller.rb#L63: def authenticate_with_api_key; api_key = request.headers["Authorization"] || params[:api_key]; @api_user =...

AI score 7
Exploits: 0
Hacker One
added 2018/10/21 8:00 p.m. (43 views)

Chaturbate: Missing Rate Limitation at /photo_videos/photoset/create

Hello, I discovered that one is able to create an unlimited number of albums via /photo_videos/photoset/create/. Steps To Reproduce: 1. Login and go to http://fr.chaturbate.co /photo_videos/photoset/create/ 2. Fill the form 3. Enable a proxy interception tool, e.g. Burp Suite 4. Click Save 5. Send the POST...

AI score 0.2
Exploits: 0
Hacker One
added 2018/09/13 10:58 p.m. (43 views)

Grammarly: "More on Wikipedia" link discloses "Referrer" and leaks `window.opener` reference for arbitrary websites

Summary: "Referrer" leak: the http:// link to Wikipedia transferring the Referrer header allows a remote attacker with MITM access to sniff the Referrer URL for important tokens after following the "More on Wikipedia" link. Controllable page: MITM with window.opener pointing to the navigation-initiated webpage...

AI score 0.3
Exploits: 0
Hacker One
added 2018/09/11 1:46 p.m. (43 views)

Mail.ru: Adding your own dates to a user's calendar!

The reporter pointed to the possibility of marking a scheduled meeting request sent via ICS file as accepted in the calendar via CSRF by brute-forcing the attachment id. Currently, this behavior is not believed to introduce real additional security risks, because the meeting can be added anyway without the user's intervention...

AI score 7.3
Exploits: 0
Hacker One
added 2018/07/23 3:39 p.m. (43 views)

New Relic: Missing security best practices (leads to further impact)

Vulnerabilities: 1. Use of old passwords is possible (the current password can be used as the new password). 2. Email notification is not being sent to the linked mail account while changing passwords. Steps to reproduce the two issues: create an account with password example badcracker@123, change password to...

AI score 0.6
Exploits: 0
Hacker One
added 2018/07/06 8:26 p.m. (43 views)

Mail.ru: [e.mail.ru] XSS in search

Reflected XSS in e.mail.ru via GET parameters. Multiple reflected XSS in the mailbox via the search param. Timeline: Friday, July 6 2018, 23:26 – reported; Saturday, July 7 2018, 01:13 – triaged; Saturday, July 7 2018, 11:12 – temporary fix; Monday, July 23 2018, 14:25 – resolved...

AI score 3.3
Exploits: 0
Hacker One
added 2018/06/15 10:05 a.m. (43 views)

Mail.ru: Blind XSS in the torg.mail.ru admin panel via a review

Blind XSS in the admin panel for torg.mail.ru. torg.mail.ru is not in the bug bounty program's scope; a bounty was awarded due to high potential impact. Insufficient filtering leads to XSS in the administrative panel of one of the mail.ru subdomains via the user name when leaving a review...

AI score 0.6
Exploits: 0
Hacker One
added 2018/05/29 8:10 a.m. (43 views)

Zomato: [www.zomato.com] SQLi on `order_id` parameter

@saltedfish found that a parameter order_id was vulnerable to SQLi. POC for everyone to learn from this disclosed report - There was an endpoint which had order_id as one of the parameters. - Requesting '-if(1=2,'0','1')-' in the order_id parameter changed the Response Length and upon further investigatio...

AI score 0.4
Exploits: 0
Hacker One
added 2018/05/11 1:11 a.m. (43 views)

Ubiquiti Inc.: Two Factor Authentication Bypass

The researcher found a method to brute-force the 2FA code request on the www.ubnt.com login page. This method still requires the username/password for the account...

AI score 2.4
Exploits: 0
Hacker One
added 2018/05/10 6:10 a.m. (43 views)

Valve: App name leakage on economy history page

App name leakage on economy history page. Partners with authorization to view economy logs for their own titles could be presented with a list of all game titles that have used economy features...

AI score 1.5
Exploits: 0
Hacker One
added 2018/04/03 8:49 p.m. (43 views)

Reverb.com: Persistent XSS in https://sandbox.reverb.com/item/

Description: I found a Persistent XSS in a listing page. The flaw is in the SoundCloud link that the listing owner can attach. The parameter is called productsoundcloudlinkattributeslink. There's no encoding on the user input and it looks like there's only client-side validation. PoC: The payload:...

Exploits: 0
Hacker One
added 2018/03/23 10:15 p.m. (43 views)

U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website

SUMMARY: The DoD https://██████/psc/EXPROD1/ web system uses the Oracle PeopleSoft platform, which is vulnerable to Remote Code Execution (RCE) and Denial of Service (DoS) attacks over a Java Object Deserialization (CWE-502) in the "monitor" service. Thus an attacker can generate an...

CVSS 7.5, AI score 0.4, EPSS 0.43492
Exploits: 4
Hacker One
added 2018/03/18 4:28 p.m. (43 views)

HackerOne: Extra program metrics disclosed via /PROGRAM_NAME json response

Summary: The response to www.hackerone.com/PROGRAM.json includes sla_missed_count, sla_failed_count and researcher_count. Description: Viewing the response from a program's json endpoint includes the values for sla_missed_count, sla_failed_count and researcher_count. With regards to the SLA metrics, these a...

AI score 6.7
Exploits: 0
Hacker One
added 2018/02/20 8:59 p.m. (43 views)

VK.com: Viewing users' private videos

Viewing some private videos. VK decided to pay $100, but I talked them round....

AI score 6.9
Exploits: 0
Hacker One
added 2018/02/18 10:55 a.m. (43 views)

RubyGems: Delete directory using symlink when decompressing tar

In 2.7.6, the safety of the symlink is confirmed with mkdir_p_safe, but before that FileUtils.rm_rf destination is run. Therefore, if tmp/dir is specified after tmp -> /tmp, the following /tmp/dir is deleted. Proof of concept builder.rb: require 'rubygems/package'; class GemBuilder; def initialize(spec,...

CVSS 8.8, AI score 0.8, EPSS 0.04212
Exploits: 1
Hacker One
added 2018/02/17 8:54 a.m. (43 views)

Mail.ru: CSRF on lootdog.io

CSRF vulnerability for the phone/email change action. At the time of reporting, lootdog.io client-side vulnerabilities were not covered by the bug bounty...

AI score 1.7
Exploits: 0
Hacker One
added 2018/02/14 5:48 a.m. (43 views)

Starbucks: Able to reset other users' passwords in https://card.starbucks.com.sg/

Description: On the website https://card.starbucks.com.sg/ there is a password reset function https://card.starbucks.com.sg/forgetPassword.php that sends the password reset link to the user's email. By using a web proxy to monitor the request, the email address can be changed to allow the attacker...

AI score 0.5
Exploits: 0
Hacker One
added 2018/01/31 6:40 p.m. (43 views)

Informatica: [http://www.informatica.com] - info disclosure

The researcher identified and reported sensitive information leakage in one of our domains. He helped us in resolving the issue...

AI score 6.6
Exploits: 0
Hacker One
added 2018/01/25 5:33 p.m. (43 views)

WordPress: Open Redirect on nl.wordpress.net

Description: Hello. I discovered an Open redirect vulnerability on nl.wordpress.org. Root cause: The 301 Redirect contains the full hostname, followed by @ without a trailing slash, when using: GET /@google.com HTTP/1.1 Host: nl.wordpress.net User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64;...

AI score 6.8
Exploits: 0
Hacker One
added 2017/12/19 4:42 p.m. (43 views)

HackerOne: Domain spoofing in redirect page using RTLO

Summary: Hello, domains can be spoofed on the redirect page using RTLO. Description: Include Impact: Using http://[email protected] and the RTLO method, I found a way where redirect page host detection can be spoofed. Steps: 1. Insert this on a report: Just Click Here 2. On click of the link, it will redirect to...

AI score 6.7
Exploits: 0
Hacker One
added 2017/10/31 11:35 a.m. (43 views)

International Islamic University Chittagong: Improper error handler

During the analysis it was found that when we submit the form and try to upload a txt file, it shows an error page with internal path disclosure...

AI score 6.9
Exploits: 0
Hacker One
added 2017/10/30 8:34 p.m. (43 views)

AlienVault: DOM Based XSS in https://threatcrowd.org

Hello AlienVault security team, I found a DOM Based XSS in https://threatcrowd.org via the report function. Proof of Concept, steps to reproduce: 1. https://threatcrowd.org/report.php?report= 2. Fill in with this payload: javascript:prompt(document.domain) 3. Send the link to the victim; when the victim clicks in to...

AI score 6.2
Exploits: 0
Hacker One
added 2017/09/19 10:42 a.m. (43 views)

Nextcloud: Banner Grabbing - Apache Server Version Disclosure

Hello Nextcloud, I'd like to report a nice little bug. Banner Grabbing is a technique used to gain information about a remote server. Additionally, this technique is used to get information about remote servers. I've captured the HTTP request while visiting https://customerupdates.nextcloud.com an...

Exploits: 0
Hacker One
added 2017/09/15 11:41 p.m. (43 views)

Internet Bug Bounty: CVE-2017-13008 The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_11.c:parse_elements().

Reported to the devs on 6 March 2017. Tcpdump 4.9.2 released on 8 September 2017. Patch: https://github.com/the-tcpdump-group/tcpdump/commit/5edf405d7ed9fc92f4f43e8a3d44baa4c6387562 The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_11.c:parse_elements(). ./tcpdump -n ...

CVSS 7.5, AI score 9, EPSS 0.03354
Exploits: 0
Hacker One
added 2017/09/06 11:45 a.m. (43 views)

Coinbase: New Device Confirmation Bug

Device auto-confirmation appeared to be an issue, but was intended functionality...

AI score 6.9
Exploits: 0
Hacker One
added 2017/06/15 4:56 a.m. (43 views)

HackerOne: Updating payout preference to CurrencyCloud doesn't notify user via email

When changing the payment method in the user's payments, a notification about the change of payment method is sent to the user's email. However, the user does not always get a notification about the change of payment method: when changing the payment method via add payout method on Payout Methods, such a notification is not...

AI score 6.8
Exploits: 0
Hacker One
added 2017/06/11 4:40 a.m. (43 views)

Algolia: SAUCE Access_key and User_name leaked in Travis CI build logs

Hello Algolia team, I found that the SAUCE Access_Key and User_Name were leaked in the Travis CI build logs of the instantsearch.js product (lines 249 & 250). This can be used to perform every API call of Sauce Labs, e.g. creating a sub account. I created a test account for testing. Sorry for this ;) . You should...

AI score 1.6
Exploits: 0
Hacker One
added 2017/05/31 12:07 a.m. (43 views)

Internet Bug Bounty: heap-buffer-overflow (READ of size 61) in Perl_re_intuit_start()

Reported to the Perl security mailing list on 25 August 2016. ==17057==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000b978 at pc 0x0000004a9201 bp 0x7ffe97551890 sp 0x7ffe97551048 READ of size 61 at 0x60800000b978 thread T0 #0 0x4a9200 in __interceptor_memcmp...

AI score 6.8
Exploits: 0
Hacker One
added 2017/04/16 6:05 a.m. (43 views)

GlobaLeaks: Information Disclosure

I have observed that the application is leaking information while accessing "https://demo.globaleaks.org/l10n/en". It does not restrict access to the file, which can possibly provide an attacker with information such as default credentials (test:test), the username for accessing administrative functions,...

AI score 1
Exploits: 0
Hacker One
added 2017/02/15 3:12 p.m. (43 views)

Automattic: Broken Authentication - Security token gets captured via man in the middle attack

Product / URL: http://en.instagram-brand.com/register/reset/?email= Description and Impact: The password reset links issued by Instagram Brand get delivered to the user's inbox with an http scheme and NOT an https scheme. This allows an attacker to steal those links and perform mass account takeovers an...

AI score 7.5
Exploits: 0
Hacker One
added 2017/02/10 1:37 p.m. (43 views)

Nextcloud: Missing SPF Flags on nextcloud.com

Hello NextCloud, Details: I just tested your domain nextcloud.com and I was surprised that I can send a legit email to a user. Impact: An attacker can use this to send a legit email to the victim, and the attacker can send malicious web links and phishing sites. Video Proof of Concept...

AI score 7
Exploits: 0
Total number of security vulnerabilities: 5000