Hackerone: Most viewed

15369 matches found

Hacker One
added 2018/02/07 5:13 p.m., 42 views

Valve: Xss was found by exploiting the URL markdown on http://store.steampowered.com

Hello guys I found an xss vulnerability on store.steampowered.com markdown POC http://store.steampowered.com/widget/386360/?t=url=google.com:/onclick=%27alertdocument.domain%27url=xss/url Here is my exploit url=google.com:/onclick='alertdocument.domain'url=xss/url Steps 1 - go to any product 2 -...

AI score: 7
Exploits: 0
Hacker One
added 2018/02/04 3:05 p.m., 42 views

Mail.ru: Error in processing gif images

Application crash on malformed GIF image parsing in ICQ for Desktop...

AI score: 3.3
Exploits: 0
Hacker One
added 2018/01/31 1:35 p.m., 42 views

Node.js third-party modules: [general-file-server] Path Traversal vulnerability allows to read content on arbitrary file on the server

Hi Guys, There is Path Traversal in the general-file-server module. It allows reading the content of arbitrary files on the remote server. Module general-file-server This is a general file server made by nodejs. It will be easy for you to access the files on the server through the browser...

CVSS: 5, AI score: 0.3, EPSS: 0.01764
Exploits: 1
Hacker One
added 2017/12/18 8:30 p.m., 42 views

Open-Xchange: SSRF - RSS feed, blacklist bypass (301 re-direct)

FYI - Tested on local installation of App Suite 7.8.4 REV 17 Hello, There appears to be another SSRF re-direct vulnerability, similar to my earlier reports that will allow scanning of the App Suite local ports or internal hosts, regardless of blacklist protection in place. The endpoint is the...

AI score: 6.9
Exploits: 0
Hacker One
added 2017/11/28 9:01 p.m., 42 views

VK.com: self-xss ads_easy_promote vk.com

Self-XSS in advertising...

AI score: 6.9
Exploits: 0
Hacker One
added 2017/10/31 6:46 a.m., 42 views

International Islamic University Chittagong: Full Path Disclosed

Hi, I want to say that you have not fixed the previous report properly. I can still find the path; fix it properly, the paths should be hidden. text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://119.18.148.140/hrd/login.php? Cookie:...

AI score: 6.8
Exploits: 0
Hacker One
added 2017/09/18 10:15 p.m., 42 views

Mail.ru: XSS on https://account.mail.ru/login via postMessage

The message handler on the page https://account.mail.ru/login does not check the source, which makes it possible to call any available command from an arbitrary resource: js // https://img.imgsmail.ru/ag/0.3.3/authGate.js:formatted function ca a = a || window.event; var c, d, h = , i = a.data, j = a.source; i...

AI score: 6.9
Exploits: 0
Hacker One
added 2017/09/01 11:24 p.m., 42 views

Rockstar Games: Stored XSS on support.rockstargames.com

In this report, the researcher was able to demonstrate a proof-of-concept exploit for a Stored XSS vulnerability on our Support site at support.rockstargames.com. The POC consisted of two parts; the setup and the trigger. The setup required entering a particular XSS payload in the Title for a new...

AI score: 5.7
Exploits: 0
Hacker One
added 2017/08/09 9:03 a.m., 42 views

Slack: The Custom Emoji Page has a Reflected XSS

The Custom Emoji Page has a Reflected XSS in building flash message. The following is the PoC. https://team.slack.com/customize/emoji?added=1&name=vuln"alert0;...

AI score: 0.2
Exploits: 0
Hacker One
added 2017/07/31 11:21 a.m., 42 views

Phabricator: Credential gets exposed

Create a repo 2. Mirror it to a URL 3. Assign a credential to the mirror 4. I've now had an existing repo, and wanted to change it to mirror only, so that Phabricator pulls from a URL instead of self-hosting. I now received this error msg: Pull of 'Luke081515Bot' failed: Working copy at...

AI score: 7.2
Exploits: 0
Hacker One
added 2017/07/18 5:33 a.m., 42 views

Legal Robot: [New Feature] Password history check

A security researcher discovered that old passwords could be reused and suggested that Legal Robot check new passwords against previous passwords. I discovered that old passwords could be reused and suggested that Legal Robot check new passwords against previous passwords. I really thank Legal...

AI score: 0.7
Exploits: 0
Hacker One
added 2017/07/16 11:58 a.m., 42 views

ExpressionEngine: Image lib - unescaped file path

Under ./system/ee/legacy/libraries/Imagelib.php there are functions from CodeIgniter to manipulate images. The issue is that the PHP function exec is used two times in two different functions: imageprocessimagemagick and imageprocessnetpbm. In both cases the fullsrcpath and fulldstpath are given...

AI score: 0.8
Exploits: 0
Hacker One
added 2017/06/28 7:13 p.m., 42 views

Nextcloud: Password of failed (2FA) login attempt is stored in log

If I try to log in on WebDAV with my usual Nextcloud password, it doesn't work due to 2FA. I need an application password. The password of a failed login attempt by any user is stored in plain text in the log: ...OCA\\DAV\\Connector\\Sabre\\Auth-validateUserPass'matthes', 'THEPASSWORD'... Even...

AI score: 0.1
Exploits: 0
Hacker One
added 2017/05/29 11:17 p.m., 42 views

Weblate: API Does Not Apply Access Controls to Translations

Summary ======= The /api/ does not enforce access control on the translation files, allowing anyone to download full translation files. See the screenshot for an example project being viewed by an anonymous account that is configured to have no permissions. Description ======= On my local setup...

AI score: 6.8
Exploits: 0
Hacker One
added 2017/05/25 10:17 a.m., 42 views

Coinbase: Open redirect on sign in

Sir, I made a video for clear understanding. Watch that video. Thanks. Best Regards, Anirban Singha...

AI score: 6.9
Exploits: 0
Hacker One
added 2017/05/12 5:17 a.m., 42 views

Instacart: Reverse Tab-nabbing at www.instacart.com/store/partner_recipe?recipe_url=

Summary Instacart at /store/partner_recipe?recipe_url= endpoint is vulnerable to reverse tabnabbing, since the injected link uses target="blank"; this means the page that opens in a new tab can access the initial tab and change its location using the window.opener property. example: Reproduction...

AI score: 0.2
Exploits: 0
Hacker One
added 2017/05/08 7:37 p.m., 42 views

Harvest: [platform.harvestapp.com] Reflected XSS in Error Message via URL parameters

Hi @jorgeleria, I came across a potential reflected XSS vector while exploring platform.harvestapp.com functionality. At present, I have been unable to locate a functional payload, so would like to report this as HTML injection. Proof of Concept Steps to reproduce 1. Visit the below Demonstration...

AI score: 0.1
Exploits: 0
Hacker One
added 2017/04/27 2:05 p.m., 42 views

Weblate: Bypassing captcha in registration on Hosted site

Hello again, I believe the captcha on the user registration form is very simple and can be easily bypassed to automatically register any number of accounts. A program can read the math captcha, solve it and submit the form with the answer and the other required parameters & headers. Note: I read...

AI score: 0.1
Exploits: 0
Hacker One
added 2017/04/16 5:28 a.m., 42 views

X (Formerly Twitter): HTTP 401 response injection on "amp.twimg.com/amplify-web-player/prod/source.html" through "image_src" parameter

Overview The image_src parameter on amp.twimg.com accepts images from any arbitrary host, therefore enabling attackers to supply image destinations that respond with a "HTTP 401 Unauthorized" response. Description HTTP 401 attacks occur when there is no whitelisting or proxying of images and/or page...

AI score: 6.3
Exploits: 0
Hacker One
added 2017/04/12 4:11 a.m., 42 views

Nextcloud: Delete All Data of Any User

If you are a user with permission to manage the useradmin group, you can delete all data of the website. Steps: 1. Create a new user with the username '.'. 2. Delete the user who has just been created. Cause: when you create a new user, the Nextcloud app will make a new folder with the same name as the username, which has been...

AI score: 1.1
Exploits: 0
Hacker One
added 2017/04/06 9:24 p.m., 42 views

VK.com: Ability to compromise any user who does not use two-factor authentication by receiving the recovery code on someone else's phone number.

A vulnerability in the VK Android app library that made it possible to receive the recovery code for certain pages on your own phone number. Because of the vulnerability, the recovery code for any page could be sent to someone else's number; only two-factor authentication protected you...

AI score: 6.9
Exploits: 0
Hacker One
added 2017/04/02 2:33 a.m., 42 views

Shopify: XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app

Description The Shopify Embedded App SDK is used to facilitate limited interactions with parent page /admin/apps/$id from an embedded app within the shop admin interface. The SDK has multiple methods which allow an app to interact with the user which execute in the context of the admin domain and...

AI score: 0.1
Exploits: 0
Hacker One
added 2017/03/28 4:31 p.m., 42 views

shopify-scripts: SIGABRT - in free

PoC ------------------- The following code triggers the bug attached as free.rb: a= h=""=0 ha,"h00000000h000000=0000000 0000ht00000=00t0000 0000h000000=000000 00000"=0 a0="z" ha,"h00000000h000000=0000000 0000ht00000=00t0000 0000h000000=000000 00000"=0 h.dup Backtrace - mirb -------------------...

AI score: 0.2
Exploits: 0
Hacker One
added 2017/03/04 2:07 p.m., 42 views

Slack: Bypass to postMessage origin validation via FTP

@a1kmm- discovered a bypass to our postMessage origin check, wherein an attacker with existing MITM capabilities could use FTP to bypass validation and view XOXS tokens of victims on the local network. This was related to, and investigated at the same time as, a previous report. This issue is now...

AI score: 1.8
Exploits: 0
Hacker One
added 2017/02/15 8:12 p.m., 42 views

Pornhub: XSS via login cookie

The researcher discovered a persistent client-side XSS using the session cookie as a vector. The researcher demonstrated a plausible exploit scenario by crafting a link which exploits an unrelated meta tag injection vulnerability to arbitrarily modify the user's cookie...

AI score: 3.6
Exploits: 0
Hacker One
added 2017/02/11 12:44 p.m., 42 views

GitLab: [Textile] XSS in project README files

Hi, Another parser bypass here: I discovered that Textile markup can be used to inject a stored JavaScript payload into a project README.textile file: Steps to Reproduce 1. Create a new GitLab project 2. Initialise the project by creating a README file 3. Set the file title to README.textile 4...

AI score: 6.6
Exploits: 0
Hacker One
added 2017/02/09 3:59 p.m., 42 views

Grab: Authorization bypass using login by phone option+horizontal escalation possible on Grab Android App

Description: After my previous report about 2FA bypass on the Profile Edit endpoint, I was interested in finding an endpoint which would allow me horizontal privilege escalation. So, I found the endpoint using the Android app https://p.grabtaxi.com/api/passenger/v2/profiles/activationsms which allows me to...

AI score: 7.3
Exploits: 0
Hacker One
added 2017/01/26 2:10 p.m., 42 views

Internet Bug Bounty: CVE-2017-3730: Bad (EC)DHE parameters cause a client crash

https://www.openssl.org/news/secadv/20170126.txt https://guidovranken.wordpress.com/2017/01/26/cve-2017-3730-openssl-1-1-0-remote-client-denial-of-service-affects-servers-as-well-poc/...

CVSS: 5, AI score: 7.6, EPSS: 0.55294
Exploits: 5
Hacker One
added 2016/12/18 2:46 p.m., 42 views

Discourse: XSS vulnerability on Audio and Video parsers

Just like in the XSS vulnerability on Image parser, there is the same vulnerability on Audio https://github.com/discourse/onebox/blob/394409ca319cc1a1cd31fefa50c9468c990531a3/lib/onebox/engine/audioonebox.rb and Video...

AI score: 0.9
Exploits: 0
Hacker One
added 2016/11/30 6:19 a.m., 42 views

Starbucks: Subdomain takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record

Hi, I discovered that the happymondays.starbucks.com DNS CNAME record is pointing to an AWS S3 bucket which doesn't exist. Here's the screenshot of the vulnerable domain: F138556 As happymondays.starbucks.com was free to register on the AWS S3 service and the DNS setup was already correctly set up: F138557 I was able ...

AI score: 0.5
Exploits: 0
Hacker One
added 2016/11/14 10:39 a.m., 42 views

Pushwoosh: Nginx server version disclosure

Design Issue, Information Disclosure, Low Severity...

AI score: 2.6
Exploits: 0
Hacker One
added 2016/11/13 5:00 p.m., 42 views

Mail.ru: [qpt.mail.ru] CRLF Injection / Open Redirect

Vulnerable script: /tests/ Vulnerable parameter: qptquestionurl Example Open Redirect:...

Exploits: 0
Hacker One
added 2016/10/13 12:40 a.m., 42 views

Shopify: Able to Login deactivated staff account in shopify app mobile

Hi Shopify, A deactivated staff account is able to log in to the Shopify mobile app. STEPS 1. Log in to your owner account 2. Go to Staff Accounts and deactivate your staff account 3. Log in to your staff account in your Shopify mobile app. As you can see, you were able to log in even though the staff account was...

AI score: 2.2
Exploits: 0
Hacker One
added 2016/09/11 6:18 a.m., 42 views

Internet Bug Bounty: CVE-2016-7163 OpenJPEG opj_pi_create_decode Integer Overflow Vulnerability

OpenJPEG opj_pi_create_decode Integer Overflow Vulnerability 1. About OpenJPEG OpenJPEG is an open-source JPEG 2000 codec written in the C language. It's widely used in lots of Linux OSes such as Ubuntu, RedHat, Debian, Fedora, and so on. The official repository of the OpenJPEG project is available at...

CVSS: 6.8, AI score: 8.1, EPSS: 0.07114
Exploits: 1
Hacker One
added 2016/09/01 6:58 a.m., 42 views

Mail.ru: Same origin policy bypass on e.mail.ru via Cross-Site Flashing

Hello Mail.Ru Security Team, There is a Cross-Site Flashing vulnerability in e.mail.ru. This vulnerability is similar to XSS except it is Flash script execution. Ref: https://www.owasp.org/index.php/TestingforCrosssiteflashingOTG-CLIENT-008 This allows an attacker to execute requests to the...

AI score: 0.1
Exploits: 0
Hacker One
added 2016/07/19 7:52 a.m., 42 views

Internet Bug Bounty: Out of bound read in exif_process_IFD_in_MAKERNOTE

I have found some vulnerable code that lacks a buffer size check and may lead to an out-of-bounds memory read or write. Take a look at: static int exif_process_IFD_in_MAKERNOTE imageinfotype ImageInfo, char valueptr, int valuelen, char offsetbase, sizet IFDlength, sizet displacement SNIP switch makernote-offsetmo...

AI score: 7.1
Exploits: 0
Hacker One
added 2016/07/05 7:44 a.m., 42 views

Ubiquiti Inc.: Reflected Xss in AirMax [Nanostation Loco M2]

Dear James, I've found a reflected XSS in Nanostation Loco M2. Just open this link and the XSS will execute. http://172.98.67.89:22057/survey.cgi?iface=%22%3E%3Cimg%20src=x%20onerror=promptdocument.cookie%3E F103333 Best Regards, Shubham...

AI score: 0.3
Exploits: 0
Hacker One
added 2016/03/16 4:52 a.m., 42 views

Veris: Security Vulnerability - SMTP protection not used

Hi, I'm checking your website and found an SPF record there. You should apply a strict SMTP policy to stop spoofed emails being sent from your domain. An attacker would send a fake email from [email protected] saying "Please change your password". The victim is aware of phishing attacks, but when he sees...

AI score: 7
Exploits: 0
Hacker One
added 2016/03/01 8:03 a.m., 42 views

Internet Bug Bounty: Adobe Flash Player ASnative(900,1).call(TextField) Use-After-Free Vulnerability

I. Summary Adobe Flash Player is prone to a vulnerability which leads to Use-After-Free. ------------------------------------------------------------------ II. Description If the ASnative900,1 is invoked with TextField instance and getter properties associated with swfRoot where the getter method...

CVSS: 9.3, AI score: 8.3, EPSS: 0.05929
Exploits: 0
Hacker One
added 2016/02/28 6:54 a.m., 42 views

Uber: Open Redirection on Uber.com

There seems to be an open redirection on Uber.com When a user uses https://www.uber.com//google.com/cities it will lead to a Page Not Found on the Uber website but if the google.com is changed to an IP address such as https://www.uber.com//216.58.217.206/param it will lead to either a 404 or an S...

AI score: 6.9
Exploits: 0
Hacker One
added 2016/02/26 10:08 p.m., 42 views

X (Formerly Twitter): Tweet Deck XSS- Persistent- Group DM name

Hello, Group names in tweetdeck.twitter.com aren't filtered properly, giving scope for cross-site vulnerability attacks. Challenge I faced while escalating the XSS: - a group name can only be 9 characters long. How I bypassed it: Set multiple group names with different payloads, which means we c...

AI score: 6.8
Exploits: 0
Hacker One
added 2016/02/24 8:06 p.m., 42 views

HackerOne: CSV Injection at the CSV export feature

Hi there, I have found a way to bypass the mitigation done in 72785 and 111192. What happens if an attacker creates a Ticket with the Title ":";-3+3+cmd|' /C calc'!D2. The ; will break the field, making Excel think that there are two fields. Although you are using "" to encapsulate a field and , ...

AI score: 0.8
Exploits: 0
Hacker One
added 2016/01/11 2:12 a.m., 42 views

Udemy: CSRF in Udemy.com

The investigator removed cookies that are not used by our site and thought he had found a bypass. We were greatly delayed in getting this response to him...

AI score: 6.7
Exploits: 0
Hacker One
added 2015/11/27 1:32 a.m., 42 views

ok.ru: Same-Origin Policy bypass on main domain - ok.ru

Hello, I've just found a way to bypass the Same-Origin Policy mechanism using a vulnerability in one of the swf files on your CDN. Let me explain this in detail: 1. First of all - your Crossdomain, which defines from what domains Flash files can read content on ok.ru. The Crossdomain file is located here -...

AI score: 6.8
Exploits: 0
Hacker One
added 2015/11/05 2:02 a.m., 42 views

HackerOne: Cross-domain AJAX request

Hi, Two weeks ago, I found a Cross-domain AJAX request, but due to the fact that you use a very strict Content Security Policy, I hesitated to send this. Today, I noticed that the bug has been fixed. But this fix can be bypassed. This example is not working now, screenshot 1:...

AI score: 0.2
Exploits: 0
Hacker One
added 2015/10/05 8:27 p.m., 42 views

Bumble: Tokens from services like Facebook can be stolen

Description This file https://mus1.badoo.com/cb.html looks for the parameters accesstoken, token and code in the URL and sends the value back to the window.opener using window.opener.postMessagemessage, '';. Because you specified as the value of the second parameter of postMessage, the browser is...

AI score: 6.9
Exploits: 0
Hacker One
added 2015/09/03 8:09 a.m., 42 views

Shopify: www.shopify.com XSS on blog pages via sharing buttons

Social sharing buttons (Facebook and LinkedIn) are vulnerable to XSS at www.shopify.com/guides/ www.shopify.com/videos/ and www.shopify.com/success-stories/ Steps to reproduce: - go to page https://www.shopify.com/videos/pop-up-shop?x=';alert1// - share this page by clicking the Facebook or LinkedIn sharin...

AI score: 0.6
Exploits: 0
Hacker One
added 2015/08/20 5:16 p.m., 42 views

ownCloud: apps.owncloud.com: SSL Session cookie without secure flag set

URL: https://apps.owncloud.com/usermanager/login.php Issue detail The following cookie was issued by the application and does not have the secure flag set: PHPSESSID=27caghhkfjvuso3mmiqajqt2n4; path=/; HttpOnly The cookie appears to contain a session token, which may increase the risk associated...

AI score: 0.2
Exploits: 0
Hacker One
added 2015/08/18 8:01 p.m., 42 views

ownCloud: owncloud.com: Content Sniffing not disabled

URL: https://owncloud.com Issue description: There was no "X-Content-Type-Options" HTTP header with the value nosniff set in the response. The lack of this header causes certain browsers to try to determine the content type and encoding of the response even when these properties are define...

AI score: 5.8
Exploits: 0
Hacker One
added 2015/06/10 9:27 a.m., 42 views

Mail.ru: Possible xWork classLoader RCE: shared.mail.ru

It appears to be affected by https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2014-05-21 classLoader gets through, i.e. there is no regex-level fix; the version is in the vulnerable scope. I will of course try to actually execute code over the weekend, but by external signs it is there. All versions below...

Exploits: 0
Total number of security vulnerabilities: 5000