Hackerone: most viewed

15369 matches found

Hacker One
added 2020/10/21 10:44 a.m., 43 views

Rocket.Chat: Stored XSS in any message (leads to priv esc for all users and file leak + rce via electron app)

Persistent XSS flaw using nested markdown tags allows remote attacker to inject arbitrary JavaScript to message. This flaw leads to arbitrary file read and RCE on Rocket.Chat desktop app. Patched on 3.11, 3.10.5, 3.9.7, 3.8.8...

CVSS 4.3 | AI score 4.3 | EPSS 0.017
Exploits: 0
Hacker One
added 2020/09/19 11:56 p.m., 43 views

Revive Adserver: Reflected XSS on /www/delivery/afr.php (bypass of report #775693)

It is possible to bypass the first fix of this XSS by closing the script tag, and then opening a new one. cURL PoC is trivial: curl "https://revive-instance/www/delivery/afr.php?refresh=10000&alert1" The response will be: Advertisement alert1&loc="', 10000000; // -- body margin:0; height:100%;...

CVSS 4.3 | EPSS 0.03447
Exploits: 2
Hacker One
added 2020/09/10 4:50 p.m., 43 views

Open-Xchange: A specially crafted message sent to the local delivery agent (LMTP) causes the LMTP child process to issue a panic (call i_panic)

Summary Sending a message to the local delivery agent with the number of MIME parts more than the dovecot core threshold of MIME parts results in i_panic. In the case of LMTP server it causes the child to abort connection. I believe that this can be quite problematic, if such a message lands in th...

CVSS 5 | AI score 0.6 | EPSS 0.0466
Exploits: 1
Hacker One
added 2020/09/02 1:56 a.m., 43 views

pixiv: Open Redirect at https://oauth.secure.pixiv.net

Summary: Hello @pixiv security team, I hope you are well. I noticed you can redirect users to another domain if you send an invalid scope. Vulnerable Url...

AI score 0.4
Exploits: 0
Hacker One
added 2020/09/01 2:34 p.m., 43 views

Node.js third-party modules: [arpping] Remote Code Execution

I would like to report RCE in arpping. It allows to execute arbitrary commands on the victim's PC. Module module name: arpping version: 2.0.0 npm page: https://www.npmjs.com/package/arpping Module Description Discover and search for internet-connected devices locally using ping and arp Module Stats...

AI score 1.2
Exploits: 0
Hacker One
added 2020/07/23 2:14 p.m., 43 views

IBM: CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability - https://esccvc.de.ibm.com

A vulnerability in the interface of Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense (FTD) was reported to IBM, analyzed and has been remediated. Thank you to Khaled 0xelkomy...

CVSS 5 | AI score 2.2 | EPSS 0.99992
Exploits: 24
Hacker One
added 2020/07/08 8:21 p.m., 43 views

Mail.ru: Open Redirect at "city-mobil.ru"

Open redirection in city-mobil.ru via URI path with '@'...

AI score 2.5
Exploits: 0
Hacker One
added 2020/07/08 5:23 p.m., 43 views

Omise: Authenticity token doesn't expire after single use leading to CSRF

Summary Once you said that you ruby framework for making the authenticity-token which acts as a CSRF protection. You also sent me this to help me understand https://medium.com/rubyinside/a-deep-dive-into-csrf-protection-in-rails-19fa0a42c0ef . After finding I found that an authenticity-token c...

AI score 7
Exploits: 0
Hacker One
added 2020/05/19 1:47 a.m., 43 views

HackerOne: GraphQL field on Team node can be used to determine if External Program runs invite-only program

On 19th May, a new parameter policymarkdownhtml has been introduced inside the team Graphql query. Using a Graphql query, we are able to determine an External program running privately on Hackerone, as the policymarkdownhtml parameter was able to fetch the private internal policy. Note: Using this parameter, it wa...

AI score 0.8
Exploits: 0
Hacker One
added 2020/02/19 4:44 p.m., 43 views

U.S. Dept Of Defense: Admin Login Credential Leak for DoD Gitlab EE instance

Summary A DoD employee/contractor exposed the ███ password in a GitHub repository █████████ leading to full ███ access in a DoD DISA-associated private Gitlab EE instance ███. Description The IP address ████ recently hosted the subdomain █████████ as of 2019-09-23. ██████ Now port 80 points to a...

AI score 7.8
Exploits: 0
Hacker One
added 2020/02/14 5:37 p.m., 43 views

Shopify: [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation

Summary In 791775, I submitted a bug at Sunday 5pm Canada time, it was triaged two hours later, and I got the temp fix message at around 3am the next day in Canada time. Truly awesome, the next day I retested after the first fix, and found that I - Cannot receive the email confirmation in the ema...

AI score 6.9
Exploits: 0
Hacker One
added 2020/01/20 9:46 p.m., 43 views

Internet Bug Bounty: Squid as reverse proxy RCE and data leak

Summary: This was a very difficult experience as Squid maintainers took a long time to answer. I tried getting help from HackerOne support, Dropbox support and the Internet Bug Bounty never e-mailed me back to no avail. What could have taken a few days took months. The vulnerability concerns a...

AI score 7.6
Exploits: 0
Hacker One
added 2019/12/31 7:33 a.m., 43 views

Rocket.Chat: API Keys Hardcoded in Github repository

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: API Keys is ha...

AI score 7
Exploits: 0
Hacker One
added 2019/09/01 4:13 p.m., 43 views

Railto LLC: Administrator access to staging.railto.com

Summary: Hey team, while doing some recon for railto sub-domains, I came across a most critical bug which lets me complete access of https://staging.railto.com. I can add anything and remove anything as I got the ADMIN level privilege. Steps 1. Go to https://staging.railto.com/admin url. 2. Se...

AI score 0.3
Exploits: 0
Hacker One
added 2019/07/20 4:16 a.m., 43 views

Ruby: OS Command Injection via egrep in Rake::FileList

When a file whose name starts with | (a command file name) is in Rake::FileList, then egrep will execute the command. How to reproduce: PoC pocrake.rb is the following. require 'rake'; list = Rake::FileList.new(Dir.glob('*')); p list; list.egrep(/something/) Example of executing. % ls -1 Gemfile...

CVSS 6.9 | AI score 1.6 | EPSS 0.01359
Exploits: 1
Hacker One
added 2019/07/15 11:48 a.m., 43 views

Radancy: Wrong link on corne.maximum.nl

Domain and URL: corne.maximum.nl Hello, I noticed that your subdomain corne.maximum.nl links to the website "maximum.com" instead of "maximum.nl". "maximum.com" is in control of a Chinese organization as you said in your description. I think you've made a little mistake, but there is no impact :...

AI score 0.6
Exploits: 0
Hacker One
added 2019/03/15 8:45 a.m., 43 views

Internet Bug Bounty: Invalid Read on exif_process_SOFn

This bug is present in the exif_scan_thumbnail method of the ext/exif/exif.c file. Detailed description and steps to reproduce for this bug are present in the bug report submitted to php.net. Bug Report: https://bugs.php.net/bug.php?id=77540 PHP version: 7.1.26 CVE-ID: 2019-9640 Impact This bug may allow an...

CVSS 5 | AI score 8.4 | EPSS 0.06183
Exploits: 1
Hacker One
added 2019/03/05 12:33 a.m., 43 views

OLX: XSS inside HTML Link Tag

Hello, I discovered XSS in sharjah.dubizzle.com. XSS is reflected inside an HTML Link tag so it needs some conditions to trigger the payload. Steps to Reproduce - Visit https://sharjah.dubizzle.com/property-for-sale/land" accesskey="X" onclick=alert1337...

AI score 0.1
Exploits: 0
Hacker One
added 2019/01/01 5:17 p.m., 43 views

Node.js third-party modules: [bower] Arbitrary File Write through improper validation of symlinks while package extraction

I would like to report file write in arbitrary locations via install command in bower. It allows attackers to write arbitrary files when a malicious package is extracted. Module module name: bower version: 1.8.4 npm page: https://www.npmjs.com/package/bower Module Description Bower offers a generi...

CVSS 5 | AI score 0.8 | EPSS 0.02566
Exploits: 1
Hacker One
added 2018/11/24 2:40 p.m., 43 views

RubyGems: 65534 times efficient, Brute-force attack for api_key

I have found that type checking for api_key is insufficient in rubygems.org's source code. https://github.com/rubygems/rubygems.org/blob/master/app/controllers/application_controller.rb#L63 def authenticate_with_api_key; api_key = request.headers["Authorization"] || params[:api_key]; @api_user =...

AI score 7
Exploits: 0
Hacker One
added 2018/05/11 1:11 a.m., 43 views

Ubiquiti Inc.: Two Factor Authentication Bypass

The researcher found a method to brute-force the 2FA code request in the www.ubnt.com login page. This method still requires the username/password from the account...

AI score 2.4
Exploits: 0
Hacker One
added 2018/03/23 10:15 p.m., 43 views

U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website

SUMMARY: The DoD https://██████/psc/EXPROD1/ Web System uses the Oracle PeopleSoft platform which is vulnerable to Remote Code Execution (RCE) and Denial of Service (DoS) attacks over a Java Object Deserialization (CWE-502) in the "monitor" service. Thus an attacker can generate an...

CVSS 7.5 | AI score 0.4 | EPSS 0.43492
Exploits: 4
Hacker One
added 2018/02/20 8:59 p.m., 43 views

VK.com: Viewing users' private video recordings

Viewing some private video recordings. VK decided to pay $100, but I persuaded them otherwise....

AI score 6.9
Exploits: 0
Hacker One
added 2018/02/14 5:48 a.m., 43 views

Starbucks: Able to reset other user's password in https://card.starbucks.com.sg/

Description In the website https://card.starbucks.com.sg/ there is a password reset function https://card.starbucks.com.sg/forgetPassword.php that sends the password reset link to the user's email. By using a web proxy to monitor the request, the email address can be changed to allow the attacker...

AI score 0.5
Exploits: 0
Hacker One
added 2017/10/31 11:35 a.m., 43 views

International Islamic University Chittagong: Improper error handler

During the analysis it was found that when we submit the form and try to upload a txt file, it shows an error page with internal path disclosure...

AI score 6.9
Exploits: 0
Hacker One
added 2017/10/30 8:34 p.m., 43 views

AlienVault : DOM Based XSS in https://threatcrowd.org

Hello AlienVault security team, I found a DOM Based XSS in https://threatcrowd.org via the report function. Proof of Concept Steps to reproduce: 1. https://threatcrowd.org/report.php?report= 2. Fill in with this payload: javascript:promptdocument.domain 3. Send link to victim; when victim clicks in to...

AI score 6.2
Exploits: 0
Hacker One
added 2017/09/19 10:42 a.m., 43 views

Nextcloud: Banner Grabbing - Apache Server Version Disclosure

Hello Nextcloud, I'd like to report a nice little bug. Banner Grabbing is a technique used to gain information about a remote server. Additionally, this technique is used to get information about remote servers. I've captured the HTTP request while visiting https://customerupdates.nextcloud.com an...

Exploits: 0
Hacker One
added 2017/09/15 11:41 p.m., 43 views

Internet Bug Bounty: CVE-2017-13008 The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_11.c:parse_elements().

Reported to the devs on 6 March 2017. Tcpdump 4.9.2 released on 8 September 2017. Patch: https://github.com/the-tcpdump-group/tcpdump/commit/5edf405d7ed9fc92f4f43e8a3d44baa4c6387562 The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_11.c:parse_elements(). ./tcpdump -n ...

CVSS 7.5 | AI score 9 | EPSS 0.03354
Exploits: 0
Hacker One
added 2017/06/11 4:40 a.m., 43 views

Algolia: SAUCE Access_key and User_name leaked in Travis CI build logs

Hello Algolia team, I found that the SAUCE Access_key and User_name were leaked in the Travis CI build logs of the instantsearch.js product (lines 249 and 250). This can be used to perform every API call of sauce-lab, e.g. creating a sub account. I created a test account for testing, sorry for this. You should...

AI score 1.6
Exploits: 0
Hacker One
added 2017/05/31 12:07 a.m., 43 views

Internet Bug Bounty: heap-buffer-overflow (READ of size 61) in Perl_re_intuit_start()

Reported to the Perl security mailing list on 25 August 2016. ==17057==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000b978 at pc 0x0000004a9201 bp 0x7ffe97551890 sp 0x7ffe97551048 READ of size 61 at 0x60800000b978 thread T0 #0 0x4a9200 in __interceptor_memcmp...

AI score 6.8
Exploits: 0
Hacker One
added 2017/02/15 3:12 p.m., 43 views

Automattic: Broken Authentication - Security token gets captured via man in the middle attack

Product / URL http://en.instagram-brand.com/register/reset/?email= Description and Impact The password reset links issued by Instagram Brand get delivered to users' inboxes with an http scheme and NOT an https scheme. This allows an attacker to steal those links and perform mass account takeovers an...

AI score 7.5
Exploits: 0
Hacker One
added 2017/02/10 1:37 p.m., 43 views

Nextcloud: Missing SPF Flags on nextcloud.com

Hello NextCloud Details I just tested your domain, nextcloud.com, and I was surprised that I can send a legit email to a user. Impact Attacker can use this to send a Legit Email to the Victim and attacker can send Malicious Web Links and Phishing Sites. Video Proof of Concept...

AI score 7
Exploits: 0
Hacker One
added 2017/01/18 8:30 a.m., 43 views

Nextcloud: Group admin can remove user from all his groups via API

Steps 1. As admin make user1 group admin for group1 and group2. 2. As user1 create a new user user2. 3. As user1 try to remove the user from both groups via the UI. 4. Take the first togglegroup.php request and replay it with group2 on curl. Expected: Should not work. Actual: The group-admin can escape...

AI score 3.2
Exploits: 0
Hacker One
added 2016/11/17 4:22 a.m., 43 views

Boozt Fashion AB: Email link poisoning / Host header attack

Description It is possible to poison the link of the password reset email. This is generally done by altering the Host header, but in this case, the WAF is successfully blocking it. The trick here is to add an X-Forwarded-Host header in the request so the server is using this value...

AI score 6.9
Exploits: 0
Hacker One
added 2016/11/14 3:58 p.m., 43 views

Udemy: Completed Compromise & Source Code Disclosure via Exposed Jenkins Dashboard at https://jenkins101.udemy.com

Howdy, @udemy! Summary: I am writing to inform you of a critical information disclosure bug via an exposed Jenkins dashboard located at https://jenkins101.udemy.com. Upon navigating to this address, I was asked to authenticate with my Github account. After authenticating, I was surprised ...

AI score 6.7
Exploits: 0
Hacker One
added 2016/11/02 8:25 a.m., 43 views

Open-Xchange: Tab nabbing via window.opener

Details: When you open a link in a new tab (target="_blank"), the page that opens in a new tab can access the initial tab and change its location using the window.opener property. POC: Edit your contact details, with the website URL of http://davenport.net.nz/test.html, which has the following htm...

AI score 0.3
Exploits: 0
Hacker One
added 2016/09/05 9:36 p.m., 43 views

Envoy: Abuse of API can Lead to DoS

Issue Description The researcher identified that it is possible to abuse the manual creation of employees via the api, meaning that a malicious attacker can create a trial account and use this to mass spam users with emails; the screenshot below shows the mass amount of emails that can be sent i...

AI score 7.1
Exploits: 0
Hacker One
added 2016/06/27 2:12 a.m., 43 views

Coinbase: Application error message

PoC URL: https://developers.coinbase.com/api/%e3h This page contains an error/warning message that may disclose sensitive information. The message can also contain the location of the file that produced the unhandled exception. This may be a false positive if the error message is found in...

AI score 6.8
Exploits: 0
Hacker One
added 2016/06/20 10:42 p.m., 43 views

Nextcloud: Authentication Issue

1. UserA creates a password protected share 2. UserA shares this link with UserB 3. UserB accesses the share with the password 4. UserA changes the password 5. Now userB can still access the share. At step 5 userB should be prompted to authenticate again...

CVSS 3.5 | AI score 1.5 | EPSS 0.00891
Exploits: 0
Hacker One
added 2016/05/26 5:34 a.m., 43 views

drchrono: SSL/TLS BEAST ATTACK

Supported versions: TLSv1.0 TLSv1.1 TLSv1.2. Deflate compression: no. Supported cipher suites (order is not significant): TLSv1.0: RSA_WITH_3DES_EDE_CBC_SHA RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLSv1.1: idem TLSv1.2...

AI score 3.1
Exploits: 0
Hacker One
added 2016/04/26 6:34 a.m., 43 views

Automattic: WordPress Flash XSS in *flashmediaelement.swf*

Intro WordPress is vulnerable against a reflected XSS that stems from an insecure URL sanitization problem performed in the file flashmediaelement.swf. The code in the file attempts to remove flashVars ¹ in case they have been set as GET parameters but fails to do so, enabling XSS via...

AI score 6.1
Exploits: 0
Hacker One
added 2016/04/25 5:02 p.m., 43 views

Zendesk: XSS In /zuora/ functionality

Hello there, I wanted to report a XSS vulnerability in the /zuora/ functionality on the zendesk application. Affected URL: -...

AI score 6.1
Exploits: 0
Hacker One
added 2016/04/01 7:04 p.m., 43 views

HackerOne: New hacktivity view discloses report IDs of non-public reports

url: https://hackerone.com/hacktivity.json this url reveals information of reporters Report id ./...

AI score 0.5
Exploits: 0
Hacker One
added 2016/03/08 9:11 p.m., 43 views

Bumble: Broken Authentication on Badoo

Please watch the attached video. It contains all necessary steps and demo of this vulnerability. Please fix this issue as soon as possible, it is highly severe. Looking forward for reply. Best Regards, Darshit varotaria...

AI score 3.7
Exploits: 0
Hacker One
added 2016/03/01 7:04 p.m., 43 views

Pornhub: Unprotected Memcache Installation running

The consultant was able to connect to the stage.pornhub.com subdomain via port 60893; it was determined that the target host was running memcached and required no authentication...

AI score 2.2
Exploits: 0
Hacker One
added 2015/11/24 12:31 a.m., 43 views

Radancy: RC4 cipher suites detected

A group of researchers (Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt) have found new attacks against TLS that allow an attacker to recover a limited amount of plaintext from a TLS connection when RC4 encryption is used. The attacks arise from statistical fla...

AI score 0.4
Exploits: 0
Hacker One
added 2015/11/20 1:08 p.m., 43 views

Shopify: CSV Excel Macro Injection Vulnerability in export list of current users - app.shopify.com

Hi, I have found that when a user tries to Export list of current users who installed his apps through: https://app.shopify.com/services/partners/apiclients//exportinstalledusers the fields of the CSV file are not properly escaped, which makes them vulnerable to CSV Excel Macro Injection...

AI score 0.6
Exploits: 0
Hacker One
added 2015/06/09 7:20 p.m., 43 views

Internet Bug Bounty: Misusing of FPU Instruction Could Cause Security Vulnerabilities in Adobe Flash Player

Misusing of FPU Instruction Could Cause Security Vulnerabilities in Adobe Flash Player This vulnerability CVE-2015-3100 was reported to Adobe on March 10, 2015 and has been patched today via APSB15-11 https://helpx.adobe.com/security/products/flash-player/apsb15-11.html. Following is the original...

CVSS 10 | AI score 6.8 | EPSS 0.07715
Exploits: 0
Hacker One
added 2015/05/12 7:27 p.m., 43 views

Sandbox Escape: Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability

Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability Full source code demonstrating the escape from IE's sandbox -- by launching a medium-integrity calc at login -- is attached with...

AI score 7.1
Exploits: 0
Hacker One
added 2015/02/06 11:08 p.m., 43 views

Vimeo: subdomain takeover 1511493148.cloud.vimeo.com

The researcher found a DNS entry pointing to an unused IP address. This was a domain hijacking issue and was resolved by removing the DNS entry...

AI score 1.3
Exploits: 0
Total number of security vulnerabilities: 5000