Hackerone: Most viewed

15369 matches found

Hacker One
added 2016/11/20 4:47 p.m., 43 views

Pornhub: Race Condition Vulnerability On Pornhubpremium.com

The researcher discovered a race condition which allowed gift code reuse across multiple accounts to gain Premium access. I was able to create unlimited accounts and redeem already used gift cards to give the accounts as many days of subscription as I wanted, which could then be used ...

2.2 AI score
Exploits: 0
Hacker One
added 2016/11/14 3:58 p.m., 43 views

Udemy: Completed Compromise & Source Code Disclosure via Exposed Jenkins Dashboard at https://jenkins101.udemy.com

Howdy, @udemy! Summary: ======= I am writing to inform you of a critical information disclosure bug via an exposed Jenkins dashboard located at https://jenkins101.udemy.com. Upon navigating to this address, I was asked to authenticate with my Github account. After authenticating, I was surprised ...

6.7 AI score
Exploits: 0
Hacker One
added 2016/11/02 8:25 a.m., 43 views

Open-Xchange: Tab nabbing via window.opener

Details: When you open a link in a new tab target="blank", the page that opens in a new tab can access the initial tab and change its location using the window.opener property. POC: Edit your contact details, with the website URL of http://davenport.net.nz/test.html, which has the following htm...

0.3 AI score
Exploits: 0
Hacker One
added 2016/09/05 9:36 p.m., 43 views

Envoy: Abuse of API can Lead to DoS

Issue Description: The researcher identified that it is possible to abuse the manual creation of employees via the API, meaning that a malicious attacker can create a trial account and use this to mass spam users with emails. The screenshot below shows the mass amount of emails that can be sent i...

7.1 AI score
Exploits: 0
Hacker One
added 2016/06/20 10:42 p.m., 43 views

Nextcloud: Authentication Issue

1. UserA creates a password protected share 2. UserA shares this link with UserB 3. UserB accessed the share with the password 4. UserA changes the password 5. Now userB can still access the share. At step 5 userB should be prompted to authenticate again...

3.5 CVSS, 1.5 AI score, 0.00891 EPSS
Exploits: 0
Hacker One
added 2016/05/26 5:34 a.m., 43 views

drchrono: SSL/TLS BEAST ATTACK

Supported versions: TLSv1.0 TLSv1.1 TLSv1.2 Deflate compression: no Supported cipher suites ORDER IS NOT SIGNIFICANT: TLSv1.0 RSAWITH3DESEDECBCSHA RSAWITHAES128CBCSHA RSAWITHAES256CBCSHA TLSECDHERSAWITH3DESEDECBCSHA TLSECDHERSAWITHAES128CBCSHA TLSECDHERSAWITHAES256CBCSHA TLSv1.1: idem TLSv1.2...

3.1 AI score
Exploits: 0
Hacker One
added 2016/05/12 12:11 p.m., 43 views

Zomato: Instagram OAuth2 Implementation Leaks Access Token; Allows for Cross-Site Script Inclusion (XSSI)

Once a user connects his Zomato account to Instagram via OAuth2, the page https://www.zomato.com/php/instagramtagrelay leaks the Instagram OAuth2 Access Token issued to Zomato: PoC: https://www.zomato.com/php/instagramtagrelay?callback=aaabc Result personal data x'ed: HTTP/1.1 200 OK...

0.7 AI score
Exploits: 0
Hacker One
added 2016/04/26 6:34 a.m., 43 views

Automattic: WordPress Flash XSS in *flashmediaelement.swf*

Intro == WordPress is vulnerable against a reflected XSS that stems from an insecure URL sanitization problem performed in the file flashmediaelement.swf. The code in the file attempts to remove flashVars ¹ in case they have been set GET parameters but fails to do so, enabling XSS via...

6.1 AI score
Exploits: 0
Hacker One
added 2016/04/25 5:2 p.m., 43 views

Zendesk: XSS In /zuora/ functionality

Hello there, I wanted to report an XSS vulnerability in the /zuora/ functionality on the Zendesk application. Affected URL: -...

6.1 AI score
Exploits: 0
Hacker One
added 2016/04/22 1:23 a.m., 43 views

Bumble: AWS S3 Bucket hotornot-images permissions allow for listing and removing files

We do not use amazon AWS but @yaworsk wanted to disclose his report anyway. Why not, we can do. ---- Hi All, Though I'm not 100% sure you own the bucket - and if not, I would appreciate being able to close this myself - I believe you may own the S3 bucket hotornot-images. If so, using the AWS CLI...

Exploits: 0
Hacker One
added 2016/04/01 7:4 p.m., 43 views

HackerOne: New hacktivity view discloses report IDs of non-public reports

url: https://hackerone.com/hacktivity.json this url reveals information of reporters Report id ./...

0.5 AI score
Exploits: 0
Hacker One
added 2016/03/22 7:0 p.m., 43 views

Uber: Listing of http://archive.uber.com/pypi/simple/

Hope the below link is not for public Directory/File listing with all files Sample files http://archive.uber.com/pypi/simple/...

7.2 AI score
Exploits: 0
Hacker One
added 2016/03/09 11:47 a.m., 43 views

Xero: Vulnerability : XSS Vulnerability

A single instance of self-XSS was reported in the Xero application, which affected a text field behind Authentication. This was relatively easy to mitigate and no risk to Customer Data was identified...

6.7 AI score
Exploits: 0
Hacker One
added 2016/03/08 9:11 p.m., 43 views

Bumble: Broken Authentication on Badoo

Please watch the attached video. It contains all necessary steps and demo of this vulnerability. Please fix this issue as soon as possible, it is highly severe. Looking forward for reply. Best Regards, Darshit varotaria...

3.7 AI score
Exploits: 0
Hacker One
added 2015/11/24 12:31 a.m., 43 views

Radancy: RC4 cipher suites detected

A group of researchers (Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt) have found new attacks against TLS that allow an attacker to recover a limited amount of plaintext from a TLS connection when RC4 encryption is used. The attacks arise from statistical fla...

0.4 AI score
Exploits: 0
Hacker One
added 2015/11/20 1:8 p.m., 43 views

Shopify: CSV Excel Macro Injection Vulnerability in export list of current users - app.shopify.com

Hi, I have found that when a user tries to Export list of current users who installed his apps through: https://app.shopify.com/services/partners/apiclients//exportinstalledusers the fields of the CSV file are not properly escaped, which makes them vulnerable to CSV Excel Macro Injection...

0.6 AI score
Exploits: 0
Hacker One
added 2015/06/09 7:20 p.m., 43 views

Internet Bug Bounty: Misusing of FPU Instruction Could Cause Security Vulnerabilities in Adobe Flash Player

Misusing of FPU Instruction Could Cause Security Vulnerabilities in Adobe Flash Player This vulnerability CVE-2015-3100 was reported to Adobe on March 10, 2015 and has been patched today via APSB15-11 https://helpx.adobe.com/security/products/flash-player/apsb15-11.html. Following is the original...

10 CVSS, 6.8 AI score, 0.07715 EPSS
Exploits: 0
Hacker One
added 2015/05/12 7:27 p.m., 43 views

Sandbox Escape: Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability

Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability. Full source code demonstrating the escape from IE's sandbox -- by launching a medium-integrity calc at login -- is attached with...

7.1 AI score
Exploits: 0
Hacker One
added 2015/05/05 9:25 a.m., 43 views

Concrete CMS: Local File Inclusion Vulnerability in Concrete5 version 5.7.3.1

Concrete5 is vulnerable to a Local File Inclusion because it fails to properly validate the path for incoming requests during the dispatching process. This vulnerability exists because the path is retrieved using the Request::getPathInfo method from the Symfony framework, which allows to specify...

6.8 AI score
Exploits: 0
Hacker One
added 2015/02/06 11:8 p.m., 43 views

Vimeo: subdomain takeover 1511493148.cloud.vimeo.com

The researcher found a DNS entry pointing to an unused IP address. This was a domain hijacking issue and was resolved by removing the DNS entry...

1.3 AI score
Exploits: 0
Hacker One
added 2014/05/20 12:50 p.m., 43 views

Faceless: Account hijacking possible through ADB backup feature

It was found that if an attacker had access to an unlocked phone, they could take any data from the application's sandbox through ADB's backup feature. Normally ADB backup allows applications to be backed up to the cloud. This means that if a user replaces or wipes their phone, they can restore a...

7 AI score
Exploits: 0
Hacker One
added 2014/03/25 7:2 p.m., 43 views

Concrete CMS: XSS in Theme Preview Tools File

https://github.com/concrete5/concrete5/blob/master/web/concrete/tools/themes/preview.phpL7 Note that one of those values near the end is not escaped...

6.9 AI score
Exploits: 0
Hacker One
added 2024/06/27 5:35 p.m., 42 views

Rocket.Chat: NoSQL injection leaks visitor token and livechat messages

The Rocket.Chat application was affected by two NoSQL injection vulnerabilities. The first vulnerability allowed leaking visitor tokens by exploiting the livechat:loginByToken method, while the second vulnerability enabled leaking livechat messages by exploiting the livechat:loadHistory method...

6.5 CVSS, 7 AI score, 0.00523 EPSS
Exploits: 0
Hacker One
added 2024/04/18 2:32 p.m., 42 views

HackerOne: Session Not Expire / 2FA Bypass

Vulnerability description not provided...

7.1 AI score
Exploits: 0
Hacker One
added 2024/03/04 4:31 p.m., 42 views

Internet Bug Bounty: CVE-2024-25128: Apache Airflow: Authentication Bypass when Legacy OpenID(2.0) is in use as AUTH_TYPE

CVE-2024-25128: Apache Airflow: Authentication Bypass when Legacy OpenID(2.0) is in use as AUTH_TYPE. When OpenID 2.0 was used as the Authentication Type, an attacker could forge authentication to any existing account in the target Airflow installation by deceiving the backend to trust arbitrary Open...

9.1 CVSS, 9.2 AI score, 0.00857 EPSS
Exploits: 0
Hacker One
added 2024/02/26 5:59 a.m., 42 views

Internet Bug Bounty: Proxy-Authorization header is not cleared in cross-domain redirect in undici

Proxy-Authorization header not cleared on cross-origin redirect in Undici. Impacted versions = v6.0.0 = v6.6.0. Patched in v5.28.3 and v6.6.1. No known workarounds...

4.5 CVSS, 5.5 AI score, 0.00765 EPSS
Exploits: 0
Hacker One
added 2024/01/08 5:33 p.m., 42 views

Mars: Datadog api keys exposed can be used to do all the read and write access to the instance

A vulnerability was identified where Datadog API keys were exposed in a JavaScript file, which could have enabled unauthorized access to Datadog services. The issue was responsibly disclosed along with a proof-of-concept demonstration...

7 AI score
Exploits: 0
Hacker One
added 2023/12/11 6:28 p.m., 42 views

Teleport: access list owner can escalate his role to the highest roles

Summary: 1. Go to your-domain.teleport.sh/web/accesslists. 2. Create a new access list and add a role to "Roles Granted," e.g., "reviewer" role. 3. Add a user as the Access List Owner. 4. The user, as the Access List Owner, can escalate the role of the list to higher roles, thereby escalating the...

7.3 AI score
Exploits: 0
Hacker One
added 2023/11/09 8:35 a.m., 42 views

Nextcloud: App PIN code can be bypassed in Files iOS

A vulnerability was discovered in the PIN code implementation of the Files iOS app version 4.9.1 that allowed an attacker to bypass the PIN code protection via brute force due to lack of rate limiting, enabling unauthorized access to the app...

4.3 CVSS, 4.3 AI score, 0.00288 EPSS
Exploits: 0
Hacker One
added 2023/10/05 6:29 a.m., 42 views

Mozilla: Subdomain takeover on one of the subdomain under mozaws.net

Vulnerability description not provided...

7.1 AI score
Exploits: 0
Hacker One
added 2023/08/23 12:49 a.m., 42 views

Internet Bug Bounty: Dependency Policy Bypass via process.binding

A vulnerability was discovered in Node.js that allowed for the bypassing of permissions policies via the use of the process.binding API. This vulnerability allowed an attacker to run arbitrary code outside of the limits defined in a policy.json file. The vulnerability affected all users using the...

7.4 AI score
Exploits: 0
Hacker One
added 2023/07/24 6:51 a.m., 42 views

U.S. Dept Of Defense: Blind Sql Injection in https://█████/qsSearch.aspx

A blind SQL injection vulnerability was discovered in the qsSearch.aspx page of the application. An attacker could exploit this vulnerability to bypass authentication and retrieve sensitive information from the database. The vulnerability has been mitigated by implementing appropriate security...

7.9 AI score
Exploits: 0
Hacker One
added 2023/07/13 4:48 p.m., 42 views

HackerOne: HackerOne Support System Doesn't Require Any Authentication May Lead Unauthorized Action

The HackerOne support system did not require any authentication, allowing anyone to open a support ticket for another user's account. This could potentially lead to unauthorized actions being taken on the account...

6.9 AI score
Exploits: 0
Hacker One
added 2022/12/07 12:38 a.m., 42 views

Glassdoor: Cache Poisoning allows redirection on JS files

A cache poisoning vulnerability was discovered in Glassdoor's design website. By sending a specific request, an attacker could redirect the /test.js file to a malicious website. This could potentially lead to a stored cross-site scripting (XSS) attack if other Glassdoor websites import JavaScript...

5.7 AI score
Exploits: 0
Hacker One
added 2022/12/04 5:20 p.m., 42 views

Hiro: Security Issue into Wallet lock protection

Description: While testing wallet extension I generally try to test multiple endpoints, so 2 tabs were open of wallet on chrome-extension://ldinpeekobnhjjdofggfgjlcehhmanlj/popup.html. So I tried to lock Wallet extension but I found that I can still use browser in 2nd tab, why I had already locked...

7 AI score
Exploits: 0
Hacker One
added 2022/11/13 4:24 a.m., 42 views

AMBER AI: Open redirect that can lead to malicious websites

go to a picture in website inspect that picture and you can see a tag change the tag with the command it will redirect !! kindly watch the POC attaching to it Impact redirect to any malicious web sites may have a chance for account takeover...

1.4 AI score
Exploits: 0
Hacker One
added 2022/11/08 8:5 p.m., 42 views

Nextcloud: Exposed Log File Lead to Full Internal path disclosure at [https://nextcloud.com/wp-content/debug.log]

Hi team, I found wp-content/debug.log endpoint publicly accessible. That leads to full path disclosure. Steps: Open: https://nextcloud.com/wp-content/debug.log You can see internal paths disclosed and date is: 02-Nov-2022 02-Nov-2022 08:50:36 UTC PHP Fatal error: Uncaught Error: Call to undefined...

Exploits: 0
Hacker One
added 2022/11/05 7:16 p.m., 42 views

Yelp: Public Github Repo Leaking Internal Credentials

Summary: In Github I found some credentials to use in a mesos.apache.org Github: https://github.com/Yelp/Tron/blob/master/yelppackage/itestdockerfiles/mesos/mesos-secrets https://github.com/Yelp/Tron/blob/master/yelppackage/itestdockerfiles/mesos/mesos-slave-secret POC ss F2021070 F2021071 Login...

0.9 AI score
Exploits: 0
Hacker One
added 2022/10/12 5:32 p.m., 42 views

GitHub: Github app Privilege Escalation to Administrator/Owner of the Organization

Vulnerability description not provided...

7.2 CVSS, 6.9 AI score, 0.01097 EPSS
Exploits: 0
Hacker One
added 2022/09/25 9:0 p.m., 42 views

Nextcloud: XSS in Desktop Client in call notification popup

Summary: The Nextcloud Desktop Client application does not properly neutralize the name of a group conversation before using it. Steps To Reproduce: Server Machine: 1. Install the Nextcloud Server application 2. Create an administrator account 3. Create a user account Client Machine: 4. Install t...

5.8 CVSS, 1.1 AI score, 0.00882 EPSS
Exploits: 1
Hacker One
added 2022/09/08 7:43 p.m., 42 views

Node.js: Node 18 reads openssl.cnf from /home/iojs/build/... upon startup on MacOS

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: Similar to...

5 CVSS, 6.2 AI score, 0.0173 EPSS
Exploits: 1
Hacker One
added 2022/06/28 2:17 a.m., 42 views

Cloudflare Public Bug Bounty: Basic XSS [WAF Bypasses]

Vulnerability description not provided...

7.1 AI score
Exploits: 0
Hacker One
added 2022/06/07 11:12 a.m., 42 views

Cloudflare Public Bug Bounty: Sign in with Apple generates long-life JWTs, seemingly irrevocable, that grant immediate access to accounts

The OIDC JWT token issued on a new Sign in with Apple ID to the Cloudflare Dashboard had an excessive lifetime. When intercepted by a malicious actor, it enabled impersonation of the affected user on multiple devices during the entire token validity period without the need to re-authenticate. The...

1.4 AI score
Exploits: 0
Hacker One
added 2022/01/13 9:8 a.m., 42 views

Recorded Future: Dom Xss vulnerability

Summary: Dom Xss vulnerability Steps To Reproduce: add details for how we can reproduce the issue 1. Go to this link: https://api.recordedfuture.com/index.html 2. Open chrome devtool and go to console tab 3. Type: document.write'...alert1...'; 4. And boom! Alert 1! Impact XSS can have huge...

6.7 AI score
Exploits: 0
Hacker One
added 2021/11/24 8:25 p.m., 42 views

Lark Technologies: Full read SSRF via Lark Docs `import as docs` feature

An SSRF (server-side request forgery) vulnerability was found in the LarkDocs using the "import as docs" feature, which could have potentially been used to access services running on the internal network. We thank @sirleeroyjenkins for reporting this to our team and confirming the resolution...

1.8 AI score
Exploits: 0
Hacker One
added 2021/11/19 8:1 a.m., 42 views

UPchieve: CORS origin validation failure

Hi team, I hope you are doing well on the other side. Summary: I found that https://hackers.upchieve.org/ is using cross-origin resource sharing in an insecure way. The web application fails to properly validate the Origin header and returns the header Access-Control-Allow-Credentials: true. This...

7 AI score
Exploits: 0
Hacker One
added 2021/11/17 2:30 a.m., 42 views

Nextcloud: Control character filtering misses leading and trailing whitespace in file and folder names

Summary: It is possible to create files and folders that have leading and trailing \n, \r, \t, and \v characters. The server rejects files and folders that have these characters in the middle of their names, so this might be an opportunity for injection. In lib/private/Files/Storage/Common.php, t...

5 CVSS, 0.3 AI score, 0.01229 EPSS
Exploits: 0
Hacker One
added 2021/09/13 7:57 p.m., 42 views

Nextcloud: User files is disclosed when someone called while the screen is locked

Summary: User files in the server is disclosed while the screen is locked when someone called. Steps To Reproduce: add details for how we can reproduce the issue 1. Make 2 Accounts, Lets call them Account A and Account B 2. Using Account A login to https://nextcloud/apps/spreed/ 3. Using Account ...

2.1 CVSS, 0.00297 EPSS
Exploits: 0
Hacker One
added 2021/09/07 11:21 a.m., 42 views

Nextcloud: Cards in Deck are readable by any user

Sensitive deck card contents were readable by any user, allowing unauthorized access to the information...

8.1 CVSS, 8 AI score, 0.01293 EPSS
Exploits: 0
Hacker One
added 2021/06/30 6:24 p.m., 42 views

Engel & Völkers Technology GmbH: HTML Injection in Email

Description: Hi team, I have found an HTML Injection vulnerability in your system. Steps to Reproduce: 1. Navigate to https://seller-pages.engelvoelkers.com/ 2. Go to the bottom of the webpage and click on message box at right corner. 3. Fill out the form and enter the HTML payload in First Name an...

0.2 AI score
Exploits: 0
Total number of security vulnerabilities: 5000