HackerOne: Most viewed
15371 matches found

Hacker One | added 2021/03/10 5:13 a.m.
Mail.ru: Stored xss in calendar via call link
Call link URI schema in calendar.mail.ru web application was filtered improperly, allowing malicious javascript: links...
AI score: 2.6 | Exploits: 0

Hacker One | added 2021/02/12 8:43 a.m.
Concrete CMS: Stored unauth XSS in calendar event via CSRF
crayons Description The description parameter in the scenario /index.php/ccm/calendar/dialogs/event/add/save is affected by Stored XSS due to lack of user supplied data filtration. Also it should be mentioned that this endpoint does not verify CSRF token ccmtoken, which leads to an ability to...
CVSS: 6.8 | AI score: 7.9 | EPSS: 0.00483 | Exploits: 0

Hacker One | added 2021/02/01 11:56 a.m.
OpenMage: Very long names on demo.openmage.org could redirect victim users to malicious url redirects via email contacts.
Summary: We found that the maximum length of the first and last name fields was not set to 32 characters at registration and to 1000 characters when using the profile update form. The attacker can use this method as a malware attack, the user will redirect to a website that contains malware or...
AI score: 0.3 | Exploits: 0

Hacker One | added 2020/10/17 8:41 a.m.
TikTok: [CSRF] TikTok Careers Portal Account Takeover
A missing CSRF protection and open redirect vulnerability was reported in the TikTok Careers portal single sign on flow which is used by applicants to apply for TikTok positions. This flaw was quickly remediated and does not impact TikTok.com or mobile application. We thank @lauritz for reporting...
AI score: 2.6 | Exploits: 0

Hacker One | added 2020/10/02 1:48 p.m.
RBKmoney: Apple Pay cryptogram replay and amount tampering
During Apple Pay in-app or on-site payments the device generates a payment cryptogram, which contains a transaction ID, encrypted payment data, etc. This is an example of the cryptogram which the phone passes to the internet acquiring service on api.transferwise.com: "token": "paymentData":...
Exploits: 0
Hacker One | added 2020/09/28 12:24 a.m.
Mail.ru: Stored XSS through fileupload
Stored XSS in view uploaded file functionality on static.donationalerts.ru...
AI score: 1.8 | Exploits: 0

Hacker One | added 2020/09/22 3:31 p.m.
Basecamp: stored XSS in hey.com message content
Hi, I found a stored xss using messagecontent parameter when forwarding an email or saving it as draft, and when the victim clicks on the email to view it, it gets executed. I used this payload as the message content: From: "f" To: [email protected] Message-ID: Subject:...
AI score: 0.8 | Exploits: 0

Hacker One | added 2020/09/14 6:26 p.m.
Concrete CMS: Fetching the update json scheme from concrete5 over HTTP leads to remote code execution
Hi, I noticed that concrete5 fetches the update JSON scheme from www.concrete5.org over HTTP. The fetched json defines the download URL, so we can simply tamper with this JSON in order to make the update URL point to a server controlled by us. Combining this with the possibility to set an arbitra...
CVSS: 6.5 | AI score: 7.3 | EPSS: 0.02011 | Exploits: 0

Hacker One | added 2020/09/12 9:50 p.m.
Mail.ru: Path traversal lead to LFR via [CVE-2019-3394]
Path traversal lead to Local File Read via CVE-2019-3403 in confluence.plazius.ru...
CVSS: 5 | AI score: 3.8 | EPSS: 0.52637 | Exploits: 2

Hacker One | added 2020/08/11 3:51 p.m.
Mail.ru: Stored XSS in address on [corporate.city-mobil.ru]
Stored XSS in address setting functionality on corporate.city-mobil.ru...
AI score: 1.7 | Exploits: 0
Hacker One | added 2020/08/07 11:01 a.m.
Zomato: [api.zomato.com] Abusing LocalParams (city_id) to Inject SOLR query
Disclosing it as per the request from @zzzhacker13. This report is identical to 844428 but this one was on a different endpoint. POC - - :v2/red/homepage.json?lat=&lon=&cityid=!dismax+df=cityid86&androidcountry=US&lang=en&androidlanguage=en Zomato Security Team...
AI score: 1.8 | Exploits: 0

Hacker One | added 2020/05/28 7:30 p.m.
Nextcloud: The password of a mail share is not hashed if the password is given when the share is created
Create a new mail share with a password by using the OCS endpoint with something like: curl -u admin:admin -X POST -H "OCS-APIRequest: true" "http://localhost/ocs/v1.php/apps/filessharing/api/v1/shares?path=welcome.txt&shareType=4&[email protected]&password=plainTextPassword" - Check the...
CVSS: 5 | AI score: 7.4 | EPSS: 0.01889 | Exploits: 1

Hacker One | added 2020/05/21 2:16 a.m.
Mail.ru: MySQL username and password leaked on [2017.russianaicup.ru]
Configuration file available via web interface could disclose potentially sensitive information...
AI score: 2.2 | Exploits: 0

Hacker One | added 2020/05/13 6:05 p.m.
Concrete CMS: Stored XSS in the file search filter
1. Download Concrete5 8.5.2 and install it 2. Log into your Concrete5 instance as admin 3. Go to Dashboard Files Search 4. In the file search bar, click Advanced 5. In the window that appears, enter a phrase and click the save button, paste the following payload: and click the save button 6. In the...
AI score: 7 | Exploits: 0

Hacker One | added 2020/04/20 6:18 p.m.
X (Formerly Twitter): No rate limiting on brute-forcing user passwords
The login function of http://www.twitter.com has a problem: it only limits the number of failed login attempts for a single user, and does not limit trying a fixed password against different users, or credential stuffing. Please follow the video, otherwise this issue cannot be reproduced. Impact: No rate limiting on brute-forcing user passwords...
AI score: 6.9 | Exploits: 0
Hacker One | added 2020/04/03 4:56 a.m.
Shopify: Session works after logout from Shopify account and password of online store is displayed
When a user creates a Shopify Lite Plan account, in the product creation stage when the account has not been upgraded, the store's password is enabled such that any visitor who wants to access the store is required to enter password before being granted access to view the products listed in the...
AI score: 7.2 | Exploits: 0

Hacker One | added 2020/03/18 8:00 p.m.
HackerOne: Attacker may be able to bounce enough emails which suspend HackerOne's SES service and cause a DoS of HackerOne's email service
This was a DoS based on triggering a lot of bounced emails via SES service which could put our email sending up for review with AWS. The vulnerability was due to unrestricted invitations on sandbox programs which allowed an attacker to generate an infinite number of bounced emails. We had applied...
AI score: 7 | Exploits: 0

Hacker One | added 2020/03/09 1:43 p.m.
Node.js third-party modules: [Limited bypass of #793704] Blind SSRF in Ghost CMS
Blind SSRF vulnerability in Ghost allows for internal port scanning, or reading oembed contents from internal network...
CVSS: 5.5 | AI score: 2.4 | EPSS: 0.0122 | Exploits: 1

Hacker One | added 2020/02/27 9:46 p.m.
GitLab: Stored XSS in blob viewer
Summary I found a Stored-XSS in blob viewer when viewing a json file. In particular, when viewing an openapi file, openapiviewer is called to transfer the file's data to SwaggerUIBundle to render. SwaggerUIBundle does its job when rendering graphical representation of the openapi's content. It also...
AI score: 1.1 | Exploits: 0

Hacker One | added 2020/02/05 11:30 a.m.
Nord Security: Past payments using the Direct Debit method keep subscriptions active even if payments fail
I think this is a vulnerability that has no impact but it violates I found many accounts that are actively subscribed even though the payment failed, this is because the payment uses the Direct Debit method, and you have deleted it. Because Direct Debit payments have been deleted and no longer wo...
AI score: 6.9 | Exploits: 0
Hacker One | added 2019/12/11 1:43 p.m.
Nord Security: Blind SSRF on debug.nordvpn.com due to misconfigured sentry instance
Summary: The debug subdomain uses Sentry for application monitoring and error tracking. This software comes with a feature known as source code scraping turned on by default which makes it possible to make blind get requests from the server on which it is running. Steps To Reproduce: add detai...
AI score: 7 | Exploits: 0

Hacker One | added 2019/08/27 2:51 p.m.
U.S. Dept Of Defense: Unrestricted File Upload
Summary: The endpoint at https://███████/ui/core/index.html required authentication, but navigating to https://█████/ui/core/index.html?mode=publicexpl-tabl./SHARED/rpchllmd/CSAT allow for read/write access. Description: The endpoint at...
AI score: 0.5 | Exploits: 0

Hacker One | added 2019/07/28 11:34 a.m.
Nextcloud: Talk - Leak of password-protected room name via already existent resource addition
CVSS ---- Medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Description ----------- Affected: Talk / Spreed 6.0.3 The name of shared but password-protected rooms leaks to low-privileged authenticated users. An attacker does not need to guess room IDs, but can simply iterate over IDs to gath...
CVSS: 4 | AI score: 3.8 | EPSS: 0.00766 | Exploits: 0

Hacker One | added 2019/07/18 9:31 p.m.
Kaspersky: Stored credentials instantly autofilled within sandboxed iframes
Summary Stored credentials are instantly autofilled within sandboxed iframes, disregarding effective origin of sandboxed iframes and the expected cross-origin restrictions Description Kaspersky is expected to obey cross-origin restrictions which apply to sandboxed iframes. However, the Kaspersky...
AI score: 0.8 | Exploits: 0

Hacker One | added 2019/06/26 7:05 a.m.
Starbucks: Reflected cross-site scripting on multiple Starbucks assets.
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Please indicate NA, if not applicable. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling...
Exploits: 0
Hacker One | added 2019/05/13 3:02 p.m.
Nextcloud: Vulnerable W3 Total Cache plugin version in use on nextcloud.com
Hi there, I noticed you are currently using a vulnerable version of W3 Total Cache, as the changelog containing the plugin version is publicly reachable: https://nextcloud.com/wp-content/plugins/w3-total-cache/changelog.txt W3 Total Cache makes the site vulnerable to a series of attacks, includin...
AI score: 0.8 | Exploits: 0

Hacker One | added 2019/04/13 8:06 p.m.
OLX: web cache deception in https://tradus.com lead to name/user_id enumeration and other info
summary Hi OLX team, I found a web cache deception vulnerability in https://tradus.com. With this vulnerability an attacker can gain access to the name of the victim user, the userid and other information. Attack scenario 1 an attacker sends to the victim a link to the malicious page like the PoC...
AI score: 0.1 | Exploits: 0

Hacker One | added 2019/04/04 8:41 a.m.
Node.js third-party modules: environment variable leakage in error reporting
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report the leak of...
CVSS: 5 | AI score: 0.4 | EPSS: 0.01181 | Exploits: 1

Hacker One | added 2018/12/21 8:51 a.m.
Valve: RCE on Steam Client via buffer overflow in Server Info
Introduction In Steam and other valve games CSGO, Half-Life, TF2 there is a functionality to find game servers called the server browser. In order to retrieve the information about these servers the server browser communicates with a specific UDP protocol called server queries. The protocol is we...
AI score: 7.8 | Exploits: 0

Hacker One | added 2018/07/13 10:04 a.m.
Node.js third-party modules: Prototype pollution attack (extend)
I would like to report prototype pollution in extend It allows an attacker to inject properties on Object.prototype. Module module name: extend version: 3.0.1 npm page: https://www.npmjs.com/package/extend Module Description node-extend is a port of the classic extend method from jQuery. It behav...
CVSS: 7.5 | AI score: 0.3 | EPSS: 0.0305 | Exploits: 1
Hacker One | added 2018/06/11 10:02 p.m.
Upserve : OLO Total price manipulation using negative quantities
Manipulating an order request JSON object, containing an additional item with a negative quantity directly manipulates the total amount of the order. In the following JSON request, an order is submitted for 2 ChickenBurgers $12 each, as well as -1 BreadPuddings $9 each. The total price after tax...
AI score: 2.3 | Exploits: 0

Hacker One | added 2018/05/27 3:39 p.m.
DuckDuckGo: SSRF in proxy.duckduckgo.com via the image_host parameter
Description https://proxy.duckduckgo.com/iur/ endpoint is vulnerable to ssrf via imagehost get parameter. Vulnerable URL: https://proxy.duckduckgo.com/iur/?f=1&imagehost=https://tudomanyok.hu/ Some internal URL: https://proxy.duckduckgo.com/iur/?f=1&imagehost=https://127.0.0.1:18091/...
AI score: 0.4 | Exploits: 0

Hacker One | added 2018/05/26 7:05 p.m.
Mail.ru: Clickjacking Vulnerability on https://support.my.com/games/ticket/xxxx/
Hi There, I have found a Clickjacking vulnerability on your site. Steps to reproduce: 1. Go to https://support.my.com this site 2. Generate a Clickjacking script, save it as .html and run into your browser Script: iframe width: 800px; height: 500px; position: absolute; top: 0; left: 0; filter:...
AI score: 0.3 | Exploits: 0

Hacker One | added 2018/05/21 11:11 p.m.
Mail.ru: Modifying application settings via clickjacking on o2.mail.ru
It was possible to edit application information or delete application via clickjacking on o2.mail.ru...
AI score: 3.4 | Exploits: 0

Hacker One | added 2018/03/30 3:29 p.m.
Ubiquiti Inc.: 3x Reflected XSS vectors for services.cgi (XM.v6.1.6, build 32290)
There are certain end-points containing functionalities that are vulnerable to reflected cross site scripting XSS, allowing attackers to abuse the user's session information and/or account takeover of the admin user. Authenticated users can be persuaded to visit malicious web pages, which allows...
CVSS: 4.3 | AI score: 1.4 | EPSS: 0.0102 | Exploits: 0
Hacker One | added 2018/03/02 5:59 p.m.
Keybase: Fix bypass of different processing of usernames on Hackernews
Description In report https://hackerone.com/reports/307670 the reporter identified a flaw which abuses parsing differences between Keybase and Hackernews. Although the original report is resolved, there appears to be a bypass having the same impact by abusing upper-case letters. Steps to reproduce 1...
AI score: 1.5 | Exploits: 0

Hacker One | added 2018/02/20 1:00 a.m.
Nextcloud: twofactor_auth bypassable if provider fails to load
Just want to preface this by saying that this is probably not a significant vulnerability, as it requires that the server either have recently been incorrectly upgraded or otherwise misconfigured. However in the administration of my own personal NextCloud instance I have hit this several times...
CVSS: 4.3 | AI score: 1.2 | EPSS: 0.00811 | Exploits: 0

Hacker One | added 2017/11/10 7:23 p.m.
Ubiquiti Inc.: Triggering RCE using XSS to bypass CSRF in PowerBeam M5 300
In AirOS 6.1.5 and prior, due to lack of validation it is possible to bypass the CSRF in certain web pages. If an authenticated user accesses an attacker controlled web page, it could trigger the CSRF and the resulting request could modify the device configuration and create stored XSS, with the XSS...
AI score: 2.6 | Exploits: 0

Hacker One | added 2017/10/31 12:21 p.m.
International Islamic University Chittagong: Union Based SQL injection in https://ieeeiiucsb.org/registration/details
Due to the lack of proper sanitization on our registration system, the researcher was able to find a SQL vulnerability which exposes the database name & user id. We'd like to thank him for a nice catch on our system...
AI score: 6.8 | Exploits: 0

Hacker One | added 2017/09/17 5:42 a.m.
Brave Software: Homograph Attack Bypass [ Tested on Linux & Windows ]
Summary: at 175286 you have patched it, and I tried it and it works, but I've another way to bypass it. When we add a site to our Homepage with @, it does not validate a URL properly; make sure it displays the punycode. Products affected: Brave 0.18.36 Linux & Windows Steps To Reproduce: 1. In browser add...
Exploits: 0
Hacker One | added 2017/08/27 7:22 a.m.
GSA Bounty: Email Spoofing - SPF record set to Neutral
Hi, Introduction: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more...
AI score: 7.1 | Exploits: 0

Hacker One | added 2017/08/19 11:57 p.m.
Mail.ru: [new.wf.mail.ru] XSS Request-URI
Reflected XSS via GET parameters in new.wf.mail.ru wf.mail.ru is not currently covered with bug bounty program...
AI score: 4 | Exploits: 0

Hacker One | added 2017/08/12 7:41 a.m.
Trello: A CRLF injection into the redirect URL of https://trello.com/1/authorize can be used to cause a denial of service when later redirected to
Just found this, tested it on a whim and deeply regretted it. Sorry! So to recreate the issue: 1. Visit...
AI score: 6.6 | Exploits: 0

Hacker One | added 2017/07/24 6:40 a.m.
Dropbox: Missing URL sanitization in comments can be leveraged for phishing
The report points out that a link in shared file's comments could say one thing in the text but actually point to another website. This is a risk we have always accepted: the document preview could also contain links, the legit links could point to shorteners. Additionally, Dropbox Paper supports...
AI score: 1 | Exploits: 0

Hacker One | added 2017/07/17 9:43 a.m.
Legal Robot: User enumeration
A security researcher discovered that an unrelated upgrade in our authentication process caused a potential user enumeration vulnerability. The vulnerability was mitigated by existing rate limiting processes, but an attacker could determine which users already had an account based on the error co...
AI score: 3.9 | Exploits: 0
Hacker One | added 2017/07/03 9:53 a.m.
U.S. Dept Of Defense: CRLF Injection on ███████
Summary: The web application hosted on the "█████" domain is affected by a carriage return line feeds CRLF injection vulnerability that could be used in combination with others. This issue could allow XSS via Cookie, bypass Double Submit Cookie csrf protection or Session Fixation on .█████████...
AI score: 0.3 | Exploits: 0

Hacker One | added 2017/06/29 8:08 a.m.
Grab: CSV Injection https://hub.grab.com
@Poison had pointed out that it was possible to perform CSV Injection on hub.grab.com which was tested on Microsoft Excel 2016. Injection occurred by adding the payload in customer name field in Grab mobile application. The payload used was =cmd|' /C calc'!A0. We fixed this issue by properly...
AI score: 7.4 | Exploits: 0

Hacker One | added 2017/05/25 4:56 a.m.
Cuvva: Clickjacking vulnerability in support-dashboard.corp.cuvva.co
Hi, I found a clickjacking vulnerability in the subdomain of cuvva.com, i.e. support-dashboard.corp.cuvva.co Impact: The resource without X-Frame-Options is potentially vulnerable to Clickjacking. The vulnerability exists only for authenticated users; possible UI redressing in the Dashboard PoC: 1. ...
AI score: 6.6 | Exploits: 0

Hacker One | added 2017/05/18 11:42 a.m.
Nextcloud: Email Spoofing Vulnerability from nextcloud.
Hi nextcloud, Here is Shaifullah Shaon BlackEyE, An Ethical Hacker. a white hat cyber security researcher from Bangladesh reporting a serious 3rd ranking in OWASP security vulnerability on your system. There is an Email Spoofing Vulnerability from nextcloud. Steps to reproduce: 1 Go to...
AI score: 7.1 | Exploits: 0

Hacker One | added 2017/05/12 12:41 a.m.
Instacart: XSS at in instacart.com/store/partner_recipe
Summary Hi team, I found that this endpoint - https://www.instacart.com/store/partnerrecipe? at param imageurl is vulnerable to XSS Reproduction Steps & PoC 1. Go to...
AI score: 7 | Exploits: 0