HackerOne: most viewed

15369 matches found

Hacker One
added 2019/05/13 3:02 p.m., 41 views

Nextcloud: Vulnerable W3 Total Cache plugin version in use on nextcloud.com

Hi there, I noticed you are currently using a vulnerable version of W3 Total Cache, as the changelog containing the plugin version is publicly reachable: https://nextcloud.com/wp-content/plugins/w3-total-cache/changelog.txt W3 Total Cache makes the site vulnerable to a series of attacks, includin...

AI score: 0.8
Exploits: 0
Hacker One
added 2019/04/18 8:43 a.m., 41 views

pixiv: Open redirect protection (https://www.pixiv.net/jump.php) is broken for novels

Summary: I found that pixiv has an open redirect protection: any external link in an illustration is converted to https://www.pixiv.net/jump.php?. For example https://i3mx4usociis8twimpcu2ty0erkh86.burpcollaborator.net/abc in https://www.pixiv.net/member_illust.php?mode=medium&illust_id=74148892 is...

AI score: 6.8
Exploits: 0
Hacker One
added 2019/04/13 8:06 p.m., 41 views

OLX: web cache deception in https://tradus.com leads to name/user_id enumeration and other info

Summary: Hi OLX team, I found a web cache deception vulnerability in https://tradus.com. With this vulnerability an attacker can gain access to the name of the victim user, the user id and other information. Attack scenario 1: an attacker sends the victim a link to the malicious page like the PoC...

AI score: 0.1
Exploits: 0
Hacker One
added 2019/04/04 8:41 a.m., 41 views

Node.js third-party modules: environment variable leakage in error reporting

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report the leak of...

CVSS: 5 | AI score: 0.4 | EPSS: 0.01181
Exploits: 1
Hacker One
added 2019/01/16 8:31 a.m., 41 views

Internet Bug Bounty: Heap-buffer-overflow in Perl__byte_dump_string (utf8.c) could lead to memory leak

With a crafted regex match, I have found a heap overflow in function Perl__byte_dump_string, which would lead to a memory leak. Reported to the Perl security mailing list on 11 Sep 2017. Confirmed as a security flaw by TonyC on 24 Feb 2018. CVE-2018-6797 assigned to this flaw on 7 Feb 2018. Public securit...

CVSS: 7.5 | AI score: 8.2 | EPSS: 0.07425
Exploits: 0
Hacker One
added 2018/12/21 8:51 a.m., 41 views

Valve: RCE on Steam Client via buffer overflow in Server Info

Introduction: In Steam and other Valve games (CSGO, Half-Life, TF2) there is a functionality to find game servers called the server browser. In order to retrieve the information about these servers the server browser communicates with a specific UDP protocol called server queries. The protocol is we...

AI score: 7.8
Exploits: 0
Hacker One
added 2018/12/02 10:04 a.m., 41 views

PayPal: Unsafe deserialization leads to token leakage in PayPal & PayPal for Business [Android]

A Bug Bounty researcher identified an issue where a JSON wrapper could be used to instantiate arbitrary Java objects. This could lead to circumstances where a class called in the PayPal Android app could be read by a malicious app on the same mobile device. A specific user's session data could...

AI score: 0.8
Exploits: 0
Hacker One
added 2018/08/03 10:44 a.m., 41 views

VK.com: Learning several digits of a user's phone number (SMS flooding possible) after obtaining their remixsid and user ID just once, and setting users to offline.

Insufficient session checks. It was possible to learn part of a user's phone number and send them SMS messages with a link to the app https://vk.com/mobile after obtaining their remixsid just once, regardless of how many times sessions had been reset. The oldest remixsid still valid for this purpose dated from May 2016...

AI score: 6.9
Exploits: 0
Hacker One
added 2018/07/23 2:14 p.m., 41 views

Open-Xchange: Stored XSS in calendar via upload filename

Steps to reproduce: 1. Access URL https://sandbox.open-xchange.com/appsuite/app=io.ox/calendar/scheduling 2. Create an appointment 3. Upload a file, the file name with payload '"<img src=x onerror=alert(document.domain)>.svg' 4. Access...

AI score: 0.1
Exploits: 0
Hacker One
added 2018/07/13 10:04 a.m., 41 views

Node.js third-party modules: Prototype pollution attack (extend)

I would like to report prototype pollution in extend. It allows an attacker to inject properties on Object.prototype. Module: module name: extend, version: 3.0.1, npm page: https://www.npmjs.com/package/extend. Module description: node-extend is a port of the classic extend method from jQuery. It behav...

CVSS: 7.5 | AI score: 0.3 | EPSS: 0.0305
Exploits: 1
Hacker One
added 2018/07/08 12:06 a.m., 41 views

Monero: Attacker can trick monero wallet into reporting it received twice as much with alternative tx_keypubs

Summary: multiple identical tx pubkeys were patched, but you can still use alternative tx pubkeys to get the same result. Description: An attacker can craft an XMR transaction which causes the receiving wallet to report that it received twice as much XMR as the attacker actually sent. The balance o...

AI score: 0.3
Exploits: 0
Hacker One
added 2018/06/11 10:02 p.m., 41 views

Upserve: OLO Total price manipulation using negative quantities

Manipulating an order request JSON object, containing an additional item with a negative quantity directly manipulates the total amount of the order. In the following JSON request, an order is submitted for 2 ChickenBurgers $12 each, as well as -1 BreadPuddings $9 each. The total price after tax...

AI score: 2.3
Exploits: 0
Hacker One
added 2018/06/05 4:01 p.m., 41 views

Node.js third-party modules: Arbitrary File Write through archive extraction

I would like to report an arbitrary file write vulnerability in the adm-zip module. It allows attackers to write arbitrary files when a malicious archive is extracted. More info here: https://snyk.io/research/zip-slip-vulnerability https://github.com/snyk/zip-slip-vulnerabilityaffected-libraries Module...

CVSS: 4.3 | AI score: 1.2 | EPSS: 0.11917
Exploits: 1
Hacker One
added 2018/06/01 2:42 p.m., 41 views

Starbucks: Information Leak - Github - JMS Information

Hi, After some research, I found a leak on GitHub that might lead to accessing sensitive data of employees or clients, not sure based on the code. There is also a SAP S-user to access a cloud based HANA service. I have not confirmed what kind of data is in there to avoid potential legal issues. I...

AI score: 0.2
Exploits: 0
Hacker One
added 2018/05/27 3:39 p.m., 41 views

DuckDuckGo: SSRF in proxy.duckduckgo.com via the image_host parameter

Description: the https://proxy.duckduckgo.com/iur/ endpoint is vulnerable to SSRF via the image_host GET parameter. Vulnerable URL: https://proxy.duckduckgo.com/iur/?f=1&image_host=https://tudomanyok.hu/ Some internal URL: https://proxy.duckduckgo.com/iur/?f=1&image_host=https://127.0.0.1:18091/...

AI score: 0.4
Exploits: 0
Hacker One
added 2018/05/26 7:05 p.m., 41 views

Mail.ru: Clickjacking Vulnerability on https://support.my.com/games/ticket/xxxx/

Hi there, I have found a clickjacking vulnerability on your site. Steps to reproduce: 1. Go to this site: https://support.my.com 2. Generate a clickjacking script, save it as .html and run it in your browser. Script: iframe width: 800px; height: 500px; position: absolute; top: 0; left: 0; filter:...

AI score: 0.3
Exploits: 0
Hacker One
added 2018/05/21 11:11 p.m., 41 views

Mail.ru: Modifying application settings via clickjacking on o2.mail.ru

It was possible to edit application information or delete an application via clickjacking on o2.mail.ru...

AI score: 3.4
Exploits: 0
Hacker One
added 2018/05/21 5:15 p.m., 41 views

Avito: Open Redirect via login avito.ru | Protection bypass

Open redirect using the following vector and social auth: https://www.avito.ru/rossiyalogin?next=///...

AI score: 1.9
Exploits: 0
Hacker One
added 2018/03/30 3:29 p.m., 41 views

Ubiquiti Inc.: 3x Reflected XSS vectors for services.cgi (XM.v6.1.6, build 32290)

There are certain end-points containing functionalities that are vulnerable to reflected cross-site scripting (XSS), allowing attackers to abuse the user's session information and/or take over the admin user's account. Authenticated users can be persuaded to visit malicious web pages, which allows...

CVSS: 4.3 | AI score: 1.4 | EPSS: 0.0102
Exploits: 0
Hacker One
added 2018/03/11 1:37 p.m., 41 views

LocalTapiola: Reflected XSS (myynti.lahitapiolarahoitus.fi)

Basic report information. Summary: There is a reflected XSS on myynti.lahitapiolarahoitus.fi. Description: There is a reflected XSS on the myynti.lahitapiolarahoitus.fi website. The redirect parameter is vulnerable to XSS. Impact: Steals cookies from other logged-in users. Browsers / Apps Verified In:...

AI score: 1.3
Exploits: 0
Hacker One
added 2018/03/02 5:59 p.m., 41 views

Keybase: Fix bypass of different processing of usernames on Hackernews

Description: In report https://hackerone.com/reports/307670 the reporter identified a flaw which abuses parsing differences between Keybase and Hackernews. Although the original report is resolved, there appears to be a bypass having the same impact by abusing upper-case letters. Steps to reproduce 1...

AI score: 1.5
Exploits: 0
Hacker One
added 2018/02/20 1:00 a.m., 41 views

Nextcloud: twofactor_auth bypassable if provider fails to load

Just want to preface this by saying that this is probably not a significant vulnerability, as it requires that the server either have recently been incorrectly upgraded or otherwise misconfigured. However in the administration of my own personal NextCloud instance I have hit this several times...

CVSS: 4.3 | AI score: 1.2 | EPSS: 0.00811
Exploits: 0
Hacker One
added 2017/11/28 9:01 p.m., 41 views

VK.com: self-xss ads_easy_promote vk.com

Self-XSS in ads...

AI score: 6.9
Exploits: 0
Hacker One
added 2017/11/10 7:23 p.m., 41 views

Ubiquiti Inc.: Triggering RCE using XSS to bypass CSRF in PowerBeam M5 300

In AirOS 6.1.5 and prior, due to a lack of validation it is possible to bypass the CSRF protection in certain web pages. If an authenticated user accesses an attacker-controlled web page, it could trigger the CSRF and the resulting request could modify the device configuration and create a stored XSS, with the XSS...

AI score: 2.6
Exploits: 0
Hacker One
added 2017/10/31 12:21 p.m., 41 views

International Islamic University Chittagong: Union Based SQL injection in https://ieeeiiucsb.org/registration/details

Due to the lack of proper sanitization on our registration system, the researcher was able to find a SQL vulnerability which exposes the database name & user id. We'd like to thank him for a nice catch on our system...

AI score: 6.8
Exploits: 0
Hacker One
added 2017/08/27 7:22 a.m., 41 views

GSA Bounty: Email Spoofing - SPF record set to Neutral

Hi, Introduction: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more...

AI score: 7.1
Exploits: 0
Hacker One
added 2017/08/19 11:57 p.m., 41 views

Mail.ru: [new.wf.mail.ru] XSS Request-URI

Reflected XSS via GET parameters in new.wf.mail.ru. wf.mail.ru is not currently covered by the bug bounty program...

AI score: 4
Exploits: 0
Hacker One
added 2017/08/12 7:41 a.m., 41 views

Trello: A CRLF injection into the redirect URL of https://trello.com/1/authorize can be used to cause a denial of service when later redirected to

Just found this, tested it on a whim and deeply regretted it. Sorry! So to recreate the issue: 1. Visit...

AI score: 6.6
Exploits: 0
Hacker One
added 2017/07/24 6:40 a.m., 41 views

Dropbox: Missing URL sanitization in comments can be leveraged for phishing

The report points out that a link in a shared file's comments could say one thing in the text but actually point to another website. This is a risk we have always accepted: the document preview could also contain links, and legitimate links could point to shorteners. Additionally, Dropbox Paper supports...

AI score: 1
Exploits: 0
Hacker One
added 2017/07/03 9:53 a.m., 41 views

U.S. Dept Of Defense: CRLF Injection on ███████

Summary: The web application hosted on the "█████" domain is affected by a carriage return line feed (CRLF) injection vulnerability that could be used in combination with others. This issue could allow XSS via Cookie, bypass of Double Submit Cookie CSRF protection or Session Fixation on .█████████...

AI score: 0.3
Exploits: 0
Hacker One
added 2017/06/29 8:08 a.m., 41 views

Grab: CSV Injection https://hub.grab.com

@Poison had pointed out that it was possible to perform CSV Injection on hub.grab.com, which was tested on Microsoft Excel 2016. Injection occurred by adding the payload in the customer name field in the Grab mobile application. The payload used was =cmd|' /C calc'!A0. We fixed this issue by properly...

AI score: 7.4
Exploits: 0
Hacker One
added 2017/05/25 4:56 a.m., 41 views

Cuvva: Clickjacking vulnerability in support-dashboard.corp.cuvva.co

Hi, I found a clickjacking vulnerability in the subdomain of cuvva.com, i.e., support-dashboard.corp.cuvva.co. Impact: The resource without X-Frame-Options is potentially vulnerable to clickjacking. The vulnerability exists only for authenticated users; possible UI redressing in the Dashboard. PoC: 1. ...

AI score: 6.6
Exploits: 0
Hacker One
added 2017/05/12 5:17 a.m., 41 views

Instacart: Reverse Tab-nabbing at www.instacart.com/store/partner_recipe?recipe_url=

Summary: Instacart at the /store/partner_recipe?recipe_url= endpoint is vulnerable to reverse tabnabbing, since the injected link uses target="_blank"; this means the page that opens in a new tab can access the initial tab and change its location using the window.opener property. Example: Reproduction...

AI score: 0.2
Exploits: 0
Hacker One
added 2017/05/12 12:41 a.m., 41 views

Instacart: XSS in instacart.com/store/partner_recipe

Summary: Hi team, I found that this endpoint - https://www.instacart.com/store/partner_recipe? - at param image_url is vulnerable to XSS. Reproduction Steps & PoC: 1. Go to...

AI score: 7
Exploits: 0
Hacker One
added 2017/05/07 12:29 p.m., 41 views

Paragon Initiative Enterprises: Broken Authentication & Session Management - Failure to Invalidate Session on all other browsers at Password change

Hello Team, While I was testing your web application "Paragon Initiative Enterprises", I came to know that it is vulnerabl...

AI score: 0.1
Exploits: 0
Hacker One
added 2017/05/04 2:07 p.m., 41 views

Nextcloud: I am because bug

I'm because I hacker found bug because I report this bug I want to report a bug and because want some $$$$ so please because you are telling me how much you pay money so I give you bug. Me because very poor :' want money because father :' F181820 Thank you wish you because pay lots $$$$$$$$...

AI score: 0.2
Exploits: 0
Hacker One
added 2017/04/10 5:53 p.m., 41 views

HackerOne: Subdomain takeover #4 at info.hacker.one

Summary: Hi team, looking at the last fix released by the Unbounce team at https://hackerone.com/reports/217358, I've been able to bypass it and take over the subdomain info.hacker.one with a new vulnerable ENDPOINT + PARAM COMBINATION in the Unbounce Pages app. Actual DNS entry: F174718 Reproduction Steps fo...

AI score: 6.8
Exploits: 0
Hacker One
added 2017/03/04 2:07 p.m., 41 views

Slack: Bypass to postMessage origin validation via FTP

@a1kmm discovered a bypass to our postMessage origin check, wherein an attacker with existing MITM capabilities could use FTP to bypass validation and view XOXS tokens of victims on the local network. This was related to, and investigated at the same time as, a previous report. This issue is now...

AI score: 1.8
Exploits: 0
Hacker One
added 2017/03/03 12:24 p.m., 42 views

Open-Xchange: RTLO character in file names

DESCRIPTION: Hello, I have noticed that the RTLO (Right-To-Left Override) character is not filtered from the names of the files saved to drive, or in the attachment names, thus allowing 2 things: 1. Someone sends a malicious file (html or exe or something else) via email that...

AI score: 0.2
Exploits: 0
Hacker One
added 2017/02/24 1:55 p.m., 41 views

Ubiquiti Inc.: Reflected cross-site scripting (XSS) vulnerability in scores.ubnt.com allows attackers to inject arbitrary web script via p parameter.

Dear Ubiquiti Networks bug bounty team, Short Description: scores.ubnt.com is still vulnerable to reflected XSS, a form of client-side code injection wherein one can execute malicious scripts in a page. The fix to https://hackerone.com/reports/158484 does not suffice for some browsers, mainly...

AI score: 0.2
Exploits: 0
Hacker One
added 2017/02/17 11:45 a.m., 41 views

U.S. Dept Of Defense: Insecure Direct Object Reference (IDOR) vulnerability in a DoD website

A Department of Defense website was vulnerable to an IDOR attack which may allow an attacker to modify web content or certain database parameters. @eugui was able to demonstrate this vulnerability by manipulating web objects in a clever way. Very well done. Thank you!...

AI score: 2.5
Exploits: 0
Hacker One
added 2017/01/04 9:39 a.m., 41 views

Internet Bug Bounty: NULL Pointer Dereference while unserializing a PHP object

Because the result of object_init_ex is not checked, if the user passes an interface or abstract class the result of this is FALSE and args is NULL, which leads to a program crash if UNEXPECTED(class_type->ce_flags & (ZEND_ACC_INTERFACE|ZEND_ACC_TRAIT|ZEND_ACC_IMPLICIT_ABSTRACT_CLASS|ZEND_ACC_EXPLICIT_ABSTRACT_CLASS)) if...

CVSS: 5 | AI score: 8.5 | EPSS: 0.05879
Exploits: 0
Hacker One
added 2016/12/18 2:46 p.m., 41 views

Discourse: XSS vulnerability on Audio and Video parsers

Just like the XSS vulnerability on the Image parser, there is the same vulnerability on Audio https://github.com/discourse/onebox/blob/394409ca319cc1a1cd31fefa50c9468c990531a3/lib/onebox/engine/audio_onebox.rb and Video...

AI score: 0.9
Exploits: 0
Hacker One
added 2016/11/14 9:07 p.m., 41 views

PortSwigger Web Security: XSS in IE11 on portswigger.net via Flash

Hello Portswigger Security Team, There is a reflective XSS vulnerability in portswigger.net. The flash file https://portswigger.net/burp/tutorials/video-js/video-js.swf is from an old video.js library version 3.2.0 which is vulnerable to XSS. This XSS will be blocked by the CSP instruction object-src...

AI score: 0.4
Exploits: 0
Hacker One
added 2016/10/26 7:40 p.m., 41 views

Informatica: [parc.informatica.com] Reflected Cross Site Scripting and Open Redirect

Hi! I just want to report a vulnerability to you in your subdomain "parc". Description: In this link https://parc.informatica.com/partners/apex/Cloudchat?endpoint= the vulnerable parameter is "endpoint". Once the parameter takes the value of an XSS vector or a website link the code is executed aft...

AI score: 0.1
Exploits: 0
Hacker One
added 2016/10/23 9:13 a.m., 41 views

Bumble: Unvalidated redirect on team.badoo.com

Domain affected: https://team.badoo.com/ corp.badoo.com PoC, tested on Firefox: https://team.badoo.com/%0d%0adata:text/html;text,%3Csvg%2fonload%3Dprompt%281%29%3E F129735 Description: team.badoo.com may be vulnerable to CRLF injection; when we inject %0d%0a into the URL, the Location header, entire content...

AI score: 6.2
Exploits: 0
Hacker One
added 2016/10/20 1:46 p.m., 41 views

Mindoktor: XSS at endpoint clinic.mindoktor.se in flash cookie

Issue: XSS found at endpoint clinic.mindoktor.se/user/login Endpoint: clinic.mindoktor.se/user/login Steps of reproduction: 1. Go to the above endpoint 2. Enter a random email and password 3. Intercept the request with a proxy like Burp Suite 4. Change the email parameter to...

AI score: 6.2
Exploits: 0
Hacker One
added 2016/09/09 2:27 p.m., 41 views

VK.com: A second way to bypass 2FA

Insufficient user verification when the IP address changes. A loophole involving re-login when the user's IP changes...

AI score: 6.9
Exploits: 0
Hacker One
added 2016/09/02 12:15 a.m., 41 views

Internet Bug Bounty: Additional information for CVE-2016-5699

I was not the first to report this issue, but the fix languished for quite some time, since no one realized quite how bad it was. I wasn't aware of the original bug report and discovered the issue independently. I was the first to report the much more serious consequences of it. The vulnerability...

CVSS: 4.3 | AI score: 6.6 | EPSS: 0.09887
Exploits: 3
Hacker One
added 2016/09/01 10:16 p.m., 41 views

Instacart: Seemingly sensitive information at /api/v2/zones

Overview: https://www.instacart.com/api/v2/zones is accessible by a regular Instacart user and seems to return sensitive information such as names, emails, phone numbers, money amounts and dates. GET /api/v2/zones "meta": {"code": 200}, "data": {"zones": [... {"id": 73, "name": "████", "created_at":...

AI score: 0.4
Exploits: 0
Total number of security vulnerabilities: 5000