HackerOne, most viewed

15370 matches found

Hacker One
added 2016/08/06 1:29 a.m., 44 views

New Relic: Login CSRF vulnerability

Hi New Relic security team, While doing pentesting on your website, I found that while logging into the account the "authenticity_token" was not properly validated. I was able to log in to my account even without "authenticity_token". Impact: High Steps to Reproduce: 1 Log in to your account. 2 Whi...

AI score: 0.3
Exploits: 0
Hacker One
added 2016/08/02 2:23 p.m., 44 views

Uber: XSS At "pages.et.uber.com"

Vulnerable Domain : ------------------- https://pages.et.uber.com/ Vulnerable Link : ----------------- https://pages.et.uber.com/icecream/?langid=5 Edited Link With Payload : -------------------------- https://pages.et.uber.com/icecream/?langid=5%22%20onmouseover%3dpromptdocument.domain%20bad%3d%...

AI score: 7.1
Exploits: 0
Hacker One
added 2016/06/19 11:33 p.m., 44 views

Nextcloud: Uploading files to a folder where the invited user doesn't have any EDIT privilege

Hi, Any user invited to a shared folder with no edit privilege can create files in it through the copy feature of the Nextcloud Android app. Steps to reproduce it + Create any folder and invite a user to it without any edit privilege. + Now log in from the invited user's account through the Android app. + Copy any...

CVSS: 4, AI score: 0.8, EPSS: 0.02
Exploits: 1
Hacker One
added 2016/06/15 8:20 a.m., 44 views

Uber: Bruteforce INVITE codes easy way

As soon as I read the vulnerability disclosed on H1 regarding the possibility to brute force invite codes in riders.uber.com "https://hackerone.com/reports/125505", I found a similar and easy way to brute-force invite codes, but in a different manner. Also, 1680 public invites are waiting for...

AI score: 7.2
Exploits: 0
Hacker One
added 2016/05/12 12:11 p.m., 44 views

Zomato: Instagram OAuth2 Implementation Leaks Access Token; Allows for Cross-Site Script Inclusion (XSSI)

Once a user connects his Zomato account to Instagram via OAuth2, the page https://www.zomato.com/php/instagramtagrelay leaks the Instagram OAuth2 Access Token issued to Zomato: PoC: https://www.zomato.com/php/instagramtagrelay?callback=aaabc Result personal data x'ed: HTTP/1.1 200 OK...

AI score: 0.7
Exploits: 0
Hacker One
added 2016/05/09 2:56 p.m., 44 views

Sucuri: CRLF/HTTP header injection www.sucuri.net

I would like to report a security vulnerability on www.sucuri.net. The domain appears to be vulnerable to CRLF or HTTP header injection. This allows attackers to construct a URL that injects HTTP headers into the server's response. One of the things an attacker can do is inject a "Set-Cookie"...

AI score: 6.6
Exploits: 0
Hacker One
added 2016/04/22 1:23 a.m., 44 views

Bumble: AWS S3 Bucket hotornot-images permissions allow for listing and removing files

We do not use Amazon AWS, but @yaworsk wanted to disclose his report anyway. Why not, we can do. ---- Hi All, Though I'm not 100% sure you own the bucket - and if not, I would appreciate being able to close this myself - I believe you may own the S3 bucket hotornot-images. If so, using the AWS CLI...

Exploits: 0
Hacker One
added 2016/04/11 9:08 p.m., 44 views

Slack: Authentication bypass leads to sensitive data exposure (token+secret)

@secalert discovered an information disclosure on our server which took advantage of an authorization error that allowed the viewing of sensitive information on the server. We mitigated the issue and no longer expose such information, and performed an investigation to verify that no unauthorized...

AI score: 2.2
Exploits: 0
Hacker One
added 2016/03/22 7:00 p.m., 44 views

Uber: Listing of http://archive.uber.com/pypi/simple/

Hope the link below is not meant to be public. Directory/file listing with all files. Sample files: http://archive.uber.com/pypi/simple/...

AI score: 7.2
Exploits: 0
Hacker One
added 2016/03/09 11:47 a.m., 44 views

Xero: Vulnerability: XSS Vulnerability

A single instance of self-XSS was reported in the Xero application, which affected a text field behind Authentication. This was relatively easy to mitigate and no risk to Customer Data was identified...

AI score: 6.7
Exploits: 0
Hacker One
added 2016/01/20 10:42 p.m., 44 views

Mail.ru: [allods.my.com] SSRF / XSPA

Good day. The vulnerability is in the avatar upload function. It is possible to load an avatar from a remote host. PoC http://allods.my.com/forum/index.php?form=AvatarEdit Download avatar: http://localhost:80 - You have selected a corrupt image. port is open http://localhost:3306 - You have...

AI score: 7.1
Exploits: 0
Hacker One
added 2016/01/06 8:34 a.m., 44 views

Ruby on Rails: Validation bypass for Active Record and Active Model

Possible Input Validation Circumvention in Active Model. There is a possible input validation circumvention vulnerability in Active Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753. Versions Affected: 4.1.0 and newer. Not affected: 4.0.13 and older. Fixed Versions:...

CVSS: 5, AI score: 1.1, EPSS: 0.07157
Exploits: 0
Hacker One
added 2015/12/15 4:47 a.m., 44 views

Square Open Source: Unsafe usage of Ruby string interpolation enabling command injection in git-fastclone

While testing git-fastclone for the ext protocol issues in my other report, I looked at the source code and immediately noticed you're using the Cocaine0 library unsafely. Cocaine will protect from command injection but it "only does that for arguments interpolated via run, NOT arguments passed...

CVSS: 10, AI score: 9.5, EPSS: 0.04801
Exploits: 1
Hacker One
added 2015/09/04 5:21 p.m., 44 views

ownCloud: Full Path Disclosure

When I was trying to upload an HTML file as a profile picture as a non-admin user, it popped up with a message containing the full path, like this: "Could not obtain lock type 1 on "/opt/lampp/htdocs/owncloud/data/12/files/opt/lampp/htdocs/owncloud/data/12/cache/avatarupload"." Thanks...

CVSS: 4, AI score: 0.5, EPSS: 0.01774
Exploits: 0
Hacker One
added 2015/06/05 10:22 p.m., 44 views

Coinbase: Two-factor authentication (via SMS)

Hello Coinbase Security Team, I just found a problem in the two-factor authentication mechanism; here are the details and how to reproduce this issue: I have two accounts with two emails on coinbase.com. I activated 2FA on both emails with this phone number +201066462288. From Chrome I will try ...

AI score: 7.1
Exploits: 0
Hacker One
added 2015/05/05 9:25 a.m., 44 views

Concrete CMS: Local File Inclusion Vulnerability in Concrete5 version 5.7.3.1

Concrete5 is vulnerable to a Local File Inclusion because it fails to properly validate the path for incoming requests during the dispatching process. This vulnerability exists because the path is retrieved using the Request::getPathInfo method from the Symfony framework, which allows specifying...

AI score: 6.8
Exploits: 0
Hacker One
added 2014/06/13 2:30 p.m., 44 views

Internet Bug Bounty: Multiple issues in looking-glass software (aka from web to BGP injections)

During the month of May 2014 we performed an offensive security analysis, trying to find how hard it would be for a low-to-medium skilled attacker to disrupt the core of the Internet, i.e. achieve the largest possible impact at the lowest common layer, with minimal resources. This is a confidential...

CVSS: 7.5, AI score: 8.7, EPSS: 0.26572
Exploits: 1
Hacker One
added 2014/05/02 1:24 a.m., 44 views

Coinbase: CSRF on "Set as primary" option on the accounts page

On navigating to the Accounts page, a Coinbase user can create multiple accounts. The user can then make any of these accounts their primary account. There are also other options for renaming and deleting these accounts. Although there is a CSRF token being sent as a POST parameter for the dele...

AI score: 6.9
Exploits: 0
Hacker One
added 2014/04/28 9:20 a.m., 44 views

HackerOne: Flooding mailbox of user

There seems to be no prevention of sending multiple password reset links to a selected e-mail. As a result, the mailbox of the user can be flooded with these mails. I would recommend adding a CAPTCHA to the forgot-password functionality...

AI score: 0.8
Exploits: 0
Hacker One
added 2014/04/17 4:10 p.m., 44 views

Automattic: Session Cookie without Secure flag set

Vulnerability: Session Cookie without Secure flag set. Vulnerability description: This cookie does not have the Secure flag set. When a cookie is set with the Secure flag, it instructs the browser that the cookie can only be accessed over secure SSL channels. This is an important security protection...

Exploits: 0
Hacker One
added 2014/03/26 10:36 a.m., 44 views

Yahoo!: From Unrestricted File Upload to Remote Command Execution

Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...

AI score: 6.7
Exploits: 0
Hacker One
added 2014/03/22 6:15 a.m., 44 views

Slack: Open Redirect in Slack

This link shall redirect to google.co.in: http://prakhar.slack.com/link?url=http%3A%2F%2Fgoogle.co.in Straight, open redirection! Thanks!...

Exploits: 0
Hacker One
added 2014/03/18 12:04 a.m., 44 views

Yahoo!: XSS Vulnerability (my.yahoo.com)

Thank you for your submission to the Yahoo Bug Bounty program. We were able to reproduce the issue you reported and have implemented appropriate fixes. We appreciate your adherence to responsible disclosure guidelines and look forward to your future participation in the program...

AI score: 6.7
Exploits: 0
Hacker One
added 2014/03/03 5:30 p.m., 44 views

Phabricator: CSRF token valid even after the session logout of a particular user

Hi, To reproduce the issue: 1 Log in to your https://secure.phabricator.com account and copy your anti-CSRF token. 2 Now log out and log in again after some time. 3 Open up your Burp Suite to modify the request and now submit any form with your old CSRF token. The request will be completed. So let's...

AI score: 7
Exploits: 0
Hacker One
added 2026/05/14 2:27 a.m., 43 views

Rocket.Chat: Autotranslate DDP Method Exposes Private Messages Without Authentication or Room Access Check

Vulnerability description not provided...

CVSS: 7.5, AI score: 5.8, EPSS: 0.00283
Exploits: 0
Hacker One
added 2026/01/30 7:05 a.m., 43 views

curl: MQTT Protocol Packet Injection via Unchecked CONNACK Remaining Length

I'm not sure if this is a vulnerability or intended behavior, but I noticed that curl's MQTT implementation accepts CONNACK packets with Remaining Length values greater than 2, which appears to violate the MQTT v3.1.1 specification. According to the MQTT spec, CONNACK packets should have a Remainin...

AI score: 5.9
Exploits: 0
Hacker One
added 2024/10/12 5:41 a.m., 43 views

U.S. Dept Of Defense: [ CVE-2018-1000129 ] RXSS At `https://███████` via the URI

The CVE-2018-1000129 vulnerability allowed remote cross-site scripting RXSS at the specified URL. The vulnerability was due to improper sanitization of user input, which enabled the execution of arbitrary scripts in the victim's browser...

CVSS: 6.1, AI score: 6.3, EPSS: 0.25459
Exploits: 1
Hacker One
added 2024/04/18 2:32 p.m., 43 views

HackerOne: Session Does Not Expire / 2FA Bypass

Vulnerability description not provided...

AI score: 7.1
Exploits: 0
Hacker One
added 2024/03/05 5:05 p.m., 43 views

curl: HTTP/2 PUSH_PROMISE DoS

Vulnerability description not provided...

AI score: 7.1
Exploits: 0
Hacker One
added 2024/02/20 4:22 p.m., 43 views

HackerOne: Creation of bounties through Customer API leads to private email disclosure

The creation of bounties through the Customer API led to the disclosure of private email addresses. The vulnerability was demonstrated by using both the API and GraphQL requests to award a program bounty to a user, which then exposed the email address of that user in the response...

AI score: 6.9
Exploits: 0
Hacker One
added 2024/02/15 8:52 p.m., 43 views

MTN Group: CVE-2010-1429 JBoss Insecure Storage of Sensitive Information on ips.mtn.co.ug

The JBoss Enterprise Application Platform 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allowed remote attackers to obtain sensitive information about deployed web contexts via a request to the status servlet, as demonstrated by a full=true query string. This issue was caused by a regression fr...

CVSS: 7.5, AI score: 7.1, EPSS: 0.99903
Exploits: 27
Hacker One
added 2024/01/08 5:33 p.m., 43 views

Mars: Datadog API keys exposed; can be used for all the read and write access to the instance

A vulnerability was identified where Datadog API keys were exposed in a JavaScript file, which could have enabled unauthorized access to Datadog services. The issue was responsibly disclosed along with a proof-of-concept demonstration...

AI score: 7
Exploits: 0
Hacker One
added 2023/12/11 6:28 p.m., 43 views

Teleport: access list owner can escalate his role to the highest roles

Summary: 1. Go to your-domain.teleport.sh/web/accesslists. 2. Create a new access list and add a role to "Roles Granted," e.g., "reviewer" role. 3. Add a user as the Access List Owner. 4. The user, as the Access List Owner, can escalate the role of the list to higher roles, thereby escalating the...

AI score: 7.3
Exploits: 0
Hacker One
added 2023/10/05 6:29 a.m., 43 views

Mozilla: Subdomain takeover on one of the subdomains under mozaws.net

Vulnerability description not provided...

AI score: 7.1
Exploits: 0
Hacker One
added 2023/09/19 1:37 p.m., 43 views

Mozilla: Subdomain takeover on one of the subdomains under mozaws.net

Vulnerability description not provided...

AI score: 7.1
Exploits: 0
Hacker One
added 2023/07/24 6:51 a.m., 43 views

U.S. Dept Of Defense: Blind SQL Injection in https://█████/qsSearch.aspx

A blind SQL injection vulnerability was discovered in the qsSearch.aspx page of the application. An attacker could exploit this vulnerability to bypass authentication and retrieve sensitive information from the database. The vulnerability has been mitigated by implementing appropriate security...

AI score: 7.9
Exploits: 0
Hacker One
added 2023/05/08 2:00 p.m., 43 views

Internet Bug Bounty: Privilege Escalation at Apache Airflow 2.5.1

A vulnerability was found in Apache Airflow before version 2.6.0 that allowed local Linux users to access sensitive files, such as SSH private keys, owned by the account that operates Airflow. The issue was caused by Airflow setting log files to vulnerable privileges, allowing any Linux user on t...

CVSS: 9.8, AI score: 8.8, EPSS: 0.0228
Exploits: 0
Hacker One
added 2023/04/27 8:51 a.m., 43 views

Omise: Subdomain takeover http://accessday.opn.ooo/

Vulnerability description not provided...

AI score: 7.1
Exploits: 0
Hacker One
added 2022/12/28 7:33 p.m., 43 views

Equifax-vdp: reflected XSS in [www.equifax.com]

A reflected XSS vulnerability was found in an endpoint of Equifax's website. An attacker could execute malicious JavaScript code on victims who visit a specially crafted link, potentially stealing their cookies...

AI score: 6.3
Exploits: 0
Hacker One
added 2022/11/05 7:16 p.m., 43 views

Yelp: Public Github Repo Leaking Internal Credentials

Summary: On GitHub I found some credentials to use in mesos.apache.org. GitHub: https://github.com/Yelp/Tron/blob/master/yelppackage/itestdockerfiles/mesos/mesos-secrets https://github.com/Yelp/Tron/blob/master/yelppackage/itestdockerfiles/mesos/mesos-slave-secret POC ss F2021070 F2021071 Login...

AI score: 0.9
Exploits: 0
Hacker One
added 2022/09/25 9:00 p.m., 43 views

Nextcloud: XSS in Desktop Client in call notification popup

Summary: The Nextcloud Desktop Client application does not properly neutralize the name of a group conversation before using it. Steps To Reproduce: Server Machine: 1. Install the Nextcloud Server application 2. Create an administrator account 3. Create a user account Client Machine: 4. Install t...

CVSS: 5.8, AI score: 1.1, EPSS: 0.00882
Exploits: 1
Hacker One
added 2022/07/15 10:52 a.m., 43 views

GitHub: Command injection in GitHub Actions ContainerStepHost

GitHub Actions Runner is the application that runs a job from a GitHub Actions workflow. The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for how the environment is encoded into these docker commands wa...

CVSS: 6.5, AI score: 2.4, EPSS: 0.01474
Exploits: 0
Hacker One
added 2022/06/07 11:12 a.m., 43 views

Cloudflare Public Bug Bounty: Sign in with Apple generates long-life JWTs, seemingly irrevocable, that grant immediate access to accounts

The OIDC JWT token issued on a new Sign in with Apple ID to the Cloudflare Dashboard had an excessive lifetime. When intercepted by a malicious actor, it enabled impersonation of the affected user on multiple devices during the entire token validity period without the need to re-authenticate. The...

AI score: 1.4
Exploits: 0
Hacker One
added 2022/03/30 8:27 p.m., 43 views

GitHub Security Lab: [Java]: CWE-200 - Query to detect insecure WebResourceResponse implementation

This bug was reported directly to GitHub Security Lab...

AI score: 1.6
Exploits: 0
Hacker One
added 2022/03/22 3:38 a.m., 43 views

Evernote: Reflected XSS in the shared note view on https://evernote.com

Summary: There is a reflected XSS vulnerability on https://evernote.com, in the shared web note view, triggered through the view and ionUrl parameters of the /shard/sSHARDNUMBER/client/snv endpoint. Description: When a user creates a note and shares it, it is stored in the following endpoint, bei...

AI score: 0.3
Exploits: 0
Hacker One
added 2021/12/09 12:18 a.m., 43 views

lemlist: [app.lemlist.com] Improper handling of payment leads to payment bypass

Summary: Hello Team, I truly hope it treats you awesomely on your side of the screen. Due to improper handling of payment methods, an attacker can easily bypass the payment and benefit from a paid plan. Steps To Reproduce: 1. Log in to your account 2. Go to the billing page 3. Fill in the address t...

AI score: 7.1
Exploits: 0
Hacker One
added 2021/11/24 8:25 p.m., 43 views

Lark Technologies: Full read SSRF via Lark Docs `import as docs` feature

An SSRF (server-side request forgery) vulnerability was found in Lark Docs using the "import as docs" feature, which could have potentially been used to access services running on the internal network. We thank @sirleeroyjenkins for reporting this to our team and confirming the resolution...

AI score: 1.8
Exploits: 0
Hacker One
added 2021/11/21 8:11 p.m., 43 views

U.S. Dept Of Defense: RXSS on █████████ via logout?service=javascript:alert(1)

Description: I found an open redirect and XSS (RXSS) at the ██████████ logout page, https://████/██████████/logout?service=https://google.com It also allows javascript: URIs, leading to XSS. Impact: An attacker can trick users into visiting malicious websites, or it can lead to phishing and many other types of attack...

AI score: 7
Exploits: 0
Hacker One
added 2021/10/22 3:49 a.m., 43 views

Kubernetes: Ingress-nginx annotation injection allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces

I submitted the following report to [email protected]: I've been exploring CVE-2021-25742 and believe I've discovered a variant although it appears there may be many. Most template variables are not escaped properly in nginx.tmpl, leading to injection of arbitrary nginx directives. For...

CVSS: 5.5, AI score: 1.2, EPSS: 0.01784
Exploits: 1
Hacker One
added 2021/10/16 8:22 p.m., 43 views

GitLab: IDOR in "external status check" API leaks data about any status check on the instance

Summary The API endpoint for returning approval from an external status check contains an IDOR that lets a user list information about all external status checks on the GitLab instance. The feature is an Ultimate feature, but can be accessed by starting an Ultimate trial on GitLab.com. So the...

AI score: 6.3
Exploits: 0
Total number of security vulnerabilities: 5000