
15369 matches found

Hacker One
added 2020/03/15 10:22 p.m., 16 views

GitLab: Initial mirror user can be assigned by other user even if the mirror was removed

Summary: Even if the mirror was removed, project.mirror_user will still be persisted. So any maintainer can create a "pull" mirror with the initial mirror user: safe_mirror_params.rb def valid_mirror_user?(mirror_params) return true unless mirror_params[:mirror_user_id].present?...

6.9 AI score
Exploits: 0
Hacker One
added 2020/03/15 9:55 p.m., 137 views

Nextcloud: Missing ownership check on remote wipe endpoint

On settings/user/security you can mark a device for wipe that does not belong to you. Steps: 1. Create 2 accounts, one for the hacker and one for the victim 2. On both accounts add devices with different names 3. On the hacker account, while intercepting with Burp Suite, select the option to wi...

6.8 CVSS, 1.7 AI score, 0.01773 EPSS
Exploits: 1
Hacker One
added 2020/03/15 6:51 p.m., 21 views

Razer: SQL injection at https://sea-web.gold.razer.com/ajax-get-status.php via txid parameter

The tester determined the Razer Gold TH site suffered from a SQL injection issue. Razer thanks the tester for his due diligence and clear report...

1.3 AI score
Exploits: 0
Hacker One
added 2020/03/15 6:50 p.m., 133 views

Razer: Source Code Disclosure

The tester discovered a PHP file with source code exposed. There was no known exploit...

1.7 AI score
Exploits: 0
Hacker One
added 2020/03/15 5:34 p.m., 77 views

Kubernetes: IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements

This bug report mostly concerns the default CNI plugins https://github.com/containernetworking/plugins but I believe affects many K8S clusters. Because the CNI team still doesn’t provide an explicit way to report security bugs, I hope the K8S security team doesn’t mind doing the coordination job...

9.3 CVSS, 7 AI score, 0.14555 EPSS
Exploits: 0
Hacker One
added 2020/03/15 5:10 p.m., 12 views

Mail.ru: [api.33slona.ru] API access due to a misconfigured server 302 redirect.

A 302 reply for a non-authenticated request to api.33slona.ru could leak some static content with an HTML body...

Exploits: 0
Hacker One
added 2020/03/15 10:52 a.m., 14 views

U.S. Dept Of Defense: Improper Access Controls Allow PII Leak via ████

Summary: Dashboards in ██████████ allow a user to add widgets and obtain large amounts of information to include PII and diagnostic information. Additionally, a user is able to make changes to certain catalogs via these widgets. Description: Impact An adversary can gain access to PII to include...

1.3 AI score
Exploits: 0
Hacker One
added 2020/03/14 9:53 p.m., 36 views

Mail.ru: xss in ub.icq.net

XSS in ub.icq.net via HTML file upload. icq.net is a sandbox API domain without cookies or HTTP authentication...

1.3 AI score
Exploits: 0
Hacker One
added 2020/03/14 6:49 p.m., 36 views

Revive Adserver: Cross Site Scripting and Open Redirect in affiliate-preview.php file

Summary: Stored XSS can be submitted on the website using Default Manager, and for anyone who checks the report, the XSS and Open Redirect will trigger. Description: Stored XSS, also known as persistent XSS, is more damaging than non-persistent XSS. It occurs when a malicious script is injecte...

3.5 CVSS, 5 AI score, 0.02123 EPSS
Exploits: 2
Hacker One
added 2020/03/14 5:52 p.m., 35 views

Zomato: Mathematical error found in meals for one

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out th Wrong calculation is done by the...

1.2 AI score
Exploits: 0
Hacker One
added 2020/03/14 5:09 p.m., 540 views

Mail.ru: mailgun subdomain takeover on "email.mail.geekbrains.ru"

The unused email.mail.geekbrains.ru domain was delegated to Mailgun and was not claimed, allowing it to be used with the Mailgun service...

2.5 AI score
Exploits: 0
Hacker One
added 2020/03/14 4:00 p.m., 35 views

Greenhouse.io: Open S3 Bucket Accessible by any Aws User

Hi team, vulnerable URL: http://grnhse-marketing-site-assets.s3.amazonaws.com/ There is no authentication required to access the AWS bucket of the website. As your site was associated with AWS, any AWS user can view the content, navigate through directories and download files; public access is...

1.1 AI score
Exploits: 0
Hacker One
added 2020/03/14 5:13 a.m., 114 views

X (Formerly Twitter): character limitation bypass can lead to DoS on Twitter App and 500 Internal Server Error

Summary: If you are creating a new moment on https://twitter.com/username/moments you get redirected to https://twitter.com/i/moments/edit/moments-id. There you can set a title, a description and also you can add, if you want, a Tweet to your Moment. The title and also the description are...

6.8 AI score
Exploits: 0
Hacker One
added 2020/03/13 9:56 p.m., 27 views

Mail.ru: SQL Injection [unauthenticated] with direct output at https://news.mail.ru/

Unsafe usage of GET parameter led to SQL injection in news.mail.ru...

1.2 AI score
Exploits: 0
Hacker One
added 2020/03/13 5:07 p.m., 41 views

HackerOne: Read-only team members can read all properties of webhooks

Description: A team member can view all properties of webhooks despite not needing them. Steps To Reproduce: 1. Have an admin of a program set up webhooks 2. As a team member (read-only) log in 3. Run the following GraphQL query: query { team(handle: "security") { name webhooks { nodes { id secret url } } } } 4. See th...

0.4 AI score
Exploits: 0
Hacker One
added 2020/03/12 9:19 p.m., 27 views

Mail.ru: MCS Graphite SSRF: internal network access

Blind SSRF in mcs.mail.ru via unpatched Graphite...

3.5 AI score
Exploits: 0
Hacker One
added 2020/03/12 8:35 p.m., 6 views

Glassdoor: Open Redirect ████████

The URL with the 'redirectUrl' parameter was found to be vulnerable to an open redirect attack. The parameter was not properly validated, allowing an attacker to redirect users to a malicious website of their choice...

5.9 AI score
Exploits: 0
Hacker One
added 2020/03/12 5:33 a.m., 12 views

MTN Group: Weak/Auto Fill Password

Summary: https://mtnc-selfservice.mtncameroon.net The following URL has admin/admin as user name and password. Steps To Reproduce: 1. Open the URL in any browser of your choice 2. Enter admin as user name and password 3. Booom .... full asset to super admin full panel. Supporting Material/Reference...

0.5 AI score
Exploits: 0
Hacker One
added 2020/03/12 12:41 a.m., 22 views

Monero: Hardware Wallets Do Not Check Unlock Time

Summary: The hardware wallet implementations using the monero wallet do not check the unlock time when signing. This allows malware on the user's computer which the hardware wallet should protect from to permanently lock-up all the user's funds if the user signs a transaction on the device with a...

0.5 AI score
Exploits: 0
Hacker One
added 2020/03/12 12:38 a.m., 72 views

Nord Security: The Linux binaries (nordvpn and nordvpnd) don't use PIE/ASLR

Summary: The Linux binaries nordvpn and nordvpnd don't have PIE/ASLR enabled. Such a feature is used to harden programs against the exploitation of memory corruption bugs and should be enabled. The use of ASLR has long been debated among the Golang community. However, it seems that it's becoming...

7.2 AI score
Exploits: 0
Hacker One
added 2020/03/11 3:26 p.m., 61 views

Glassdoor: web.xml configuration file disclosure

Information disclosed via https://www.glassdoor.com/web.xml which has been resolved. Thanks, @stregh for your report and find. Looking forward to more reports from you. CVE-2021-34429 CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N...

5 CVSS, 0.3 AI score, 0.99298 EPSS
Exploits: 6
Hacker One
added 2020/03/11 2:12 p.m., 135 views

Visma Bug Bounty Program: SSRF in img export

The researcher has found an SSRF vulnerability in the application's image export functionality. The app would take all the HTML as input and generate an image based on that. By manipulating the HTML code and adding a src tag, it was possible to trigger an SSRF...

0.6 AI score
Exploits: 0
Hacker One
added 2020/03/11 10:27 a.m., 51 views

Internet Bug Bounty: CVE-2020-10938-buffer overflow/out-of-bounds write in compress.c:HuffmanDecodeImage()

Hello, There is an out-of-bounds write that is likely exploitable while performing Huffman decoding of Fax images. The technical details are as follows. Type: integer underflow produces out of bounds heap/etc write Platform: 32-bit Details: 390 MagickExport MagickPassFail HuffmanDecodeImageImage...

7.5 CVSS, 9.6 AI score, 0.05226 EPSS
Exploits: 0
Hacker One
added 2020/03/11 7:13 a.m., 31 views

QIWI: SQL injection on contactws.contact-sys.com in TRateObject.AddForOffice in USER_ID parameter leads to remote code execution

Summary: The API interface on https://contactws.contact-sys.com:3456/ accepts a body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the USER_ID parameter of the TRateObject.AddForOffice method to inject arbitrary SQL statements. This...

1.9 AI score
Exploits: 0
Hacker One
added 2020/03/10 7:57 p.m., 32 views

QIWI: SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution

Summary The API interface on https://contactws.contact-sys.com:3456/ accepts a body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the SCENID parameter to inject arbitrary SQL statements into the WHERE clause of the underlying SQL...

0.9 AI score
Exploits: 0
Hacker One
added 2020/03/10 6:24 p.m., 15 views

Slack: Team members can trigger arbitrary code execution in Slack Desktop Apps via HTML Notifications

A vulnerability in Slack's desktop clients allowed a user within a Slack team to send a malicious link to a teammate which would cause code to be executed on that victim's local computer. The issue hinged on a special type of Slack notification called HTML notifications. We resolved the issue by...

4 AI score
Exploits: 0
Hacker One
added 2020/03/10 5:49 p.m., 19 views

HackerOne: A team member of the program with Report rights can ban the Admin

Summary: Our team has conducted a number of study tests in the field of the Report permission. We noticed that a team member of the program with such permission can ban a member with Admin rights. Steps To Reproduce: 1. Admin submits a new report in the program 2. A team member with Report rights can use the...

0.2 AI score
Exploits: 0
Hacker One
added 2020/03/10 4:14 p.m., 23 views

QIWI: Remote Code Execution on contactws.contact-sys.com via SQL injection in TCertObject operation "Delete"

Summary The API interface on https://contactws.contact-sys.com:3456/ accepts a body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the ID parameter to inject arbitrary SQL statements into the underlying prepared statement. This leads ...

0.8 AI score
Exploits: 0
Hacker One
added 2020/03/10 2:58 a.m., 22 views

Valve: Unauthorized updates to extended_info properties in /store/ajaxpackagesave

Due to incorrectly-implemented access control, partners were able to set the "extended_info" value on their own packages. This in turn enabled other security-impacting issues such as the ability to create externally-grantable and other special package types...

4.8 AI score
Exploits: 0
Hacker One
added 2020/03/09 4:24 p.m., 102 views

HackerOne H1P BBP1: Testing

asdajnsdjasndkjas...

1.2 AI score
Exploits: 0
Hacker One
added 2020/03/09 1:56 p.m., 78 views

HackerOne: Account creation with invalid email addresses / email is accepting % and %0d%0a line termination chars

An account creation vulnerability was found where invalid email addresses containing '%' and '%0d%0a' line termination characters were accepted, allowing multiple unverified accounts to be created...

7.1 AI score
Exploits: 0
Hacker One
added 2020/03/09 1:43 p.m., 41 views

Node.js third-party modules: [Limited bypass of #793704] Blind SSRF in Ghost CMS

Blind SSRF vulnerability in Ghost allows for internal port scanning, or reading oembed contents from internal network...

5.5 CVSS, 2.4 AI score, 0.0122 EPSS
Exploits: 1
Hacker One
added 2020/03/09 5:14 a.m., 152 views

Nord Security: Account deletion requests not entirely honoured. Misinformation even after seeking clarification from customer support.

Summary: Requesting account deletion from NordVPN customer support, which is supposed to have "removed your account from our database.", does not truly remove the account from the database. Even after asking if critical information such as billing information is removed, which customer support confirms...

6.4 AI score
Exploits: 0
Hacker One
added 2020/03/09 3:37 a.m., 20 views

U.S. Dept Of Defense: Unrestricted File Upload to ███████SubmitRequest/Index.cfm?fwa=wizardform

Summary: An attacker is able to upload files of any type to ███SubmitRequest/Index.cfm?fwa=wizardform as long as they are less than 5 MB. Description: The █████ ████ Request System allows a user to submit requests to the ██████████ ███ for event support. An attacker can exploit this request form ...

0.8 AI score
Exploits: 0
Hacker One
added 2020/03/09 2:16 a.m., 55 views

Mail.ru: [staging.tarantool.org] Github Pages Subdomain-take-over

The unused staging.tarantool.org subdomain was delegated to GitHub Pages and was not claimed...

1.5 AI score
Exploits: 0
Hacker One
added 2020/03/08 9:16 p.m., 20 views

Razer: Subdomain takeover at iosota.razersynapse.com via Amazon S3

The tester discovered a dangling DNS record for iosota.razersynapse.com that was no longer in use and demonstrated a subdomain takeover. Subdomain takeovers by themselves are not in the scope of our program, but Razer thanks the tester for their diligence and clear report...

3.3 AI score
Exploits: 0
Hacker One
added 2020/03/08 8:42 p.m., 23 views

HackerOne: Changes to data in a CVE request after draft via GraphQL query

Summary: Our team has conducted a number of study tests in the field of CVE Requests. We found several statuses of such requests: Awaiting Publication, Pending HackerOne approval, Cancelled. At the time of creating the request, we can change the data. However, we noticed that we can't change...

0.3 AI score
Exploits: 0
Hacker One
added 2020/03/08 7:55 p.m., 119 views

Endless Group: Let's Encrypt Certificates affected by CAA Rechecking Incident

Summary: Let's Encrypt released a statement regarding 3 million certificates being revoked due to an issue in the CA signing process. Looking at your subdomains, it appears that you are affected by this incident. When the revocation occurs, the certificates are no longer valid. This ma...

6.7 AI score
Exploits: 0
Hacker One
added 2020/03/08 1:50 p.m., 23 views

Helium: Cleartext Transmission of Sensitive Information Leads to administrator access

The weakness of the program is Cleartext Transmission of Sensitive Information through the URL, which leads to administrator access. This program has a feature where we can add users to organizations with roles such as administrator and read-only. Here I get the administrator role at the same...

0.7 AI score
Exploits: 0
Hacker One
added 2020/03/08 1:06 a.m., 31 views

curl: curl still vulnerable to SMB access smuggling via FILE URL on Windows

Summary: The released fix for CVE-2019-15601, SMB access smuggling via FILE URL on Windows, leaves curl still vulnerable to SMB access smuggling via FILE URLs. - FILE URLs formatted as file:////smbserver/smbshare/file are not filtered. - FILE URLs which point to the global DOS name space, ??, and...

2.2 AI score
Exploits: 0
Hacker One
added 2020/03/07 8:10 p.m., 31 views

Urban Dictionary: Bypass voting restriction due to HTTP Header Injection

It is possible to bypass the voting restriction by adding a specially crafted HTTP header. The underlying algorithm uses the IP address to restrict the voting of a user. However, by manipulating the IP address via adding the HTTP header "X-Forwarded-For", it is possible to vote an entry up or down...

0.9 AI score
Exploits: 0
Hacker One
added 2020/03/07 1:51 p.m., 103 views

Nextcloud: Denial of Service by requesting to reset a password

Description: I believe that this is possible due to the brute force protection that makes all requests last for 30 seconds, which in this case is using all the PHP workers available in the pool, so the only way to defend yourself is setting up a limit or having a lot of resources. How to reproduce: I...

5 CVSS, 7.5 AI score, 0.01807 EPSS
Exploits: 1
Hacker One
added 2020/03/07 3:32 a.m., 12 views

U.S. Dept Of Defense: Sensitive Information Leaking Through Navy Website. [█████]

Summary: While performing recon work on websites owned by DoD, I came across a Navy website which is leaking sensitive information. Description: The website is leaking information such as first name and last name, email address, phone number, location, rank, and other information of trainees in ...

6.6 AI score
Exploits: 0
Hacker One
added 2020/03/06 7:27 p.m., 21 views

Brave Software: Username Information Disclosure via Json response - Using parameter number Intruder

Summary: Hi, Brave Team, we found vulnerabilities in your websites. I found all usernames disclosed using the JSON response parameter number. Platforms Affected: website. https://community.brave.com/c/brave-feature-requests.json https://community.brave.com/c/beta-builds/38.json Steps To Reproduce:...

6.8 AI score
Exploits: 0
Hacker One
added 2020/03/06 1:05 p.m., 26 views

Visma Public: Access control on https://eaccounting.stage.vismaonline.com/

The researcher was able to find an access control issue in the application by checking if the permissions are correctly replicated in the active sessions for the user...

0.8 AI score
Exploits: 0
Hacker One
added 2020/03/06 10:09 a.m., 21 views

Rocket.Chat: SAML authentication bypass

Summary: When using SAML authentication, responses are not checked properly. This allows an attacker to inject/modify any assertions in the SAML response and thus, for example, authenticate as administrator. Description: The following code snippets are from app/meteor-accounts-saml/server/saml_utils.js Whe...

0.6 AI score
Exploits: 0
Hacker One
added 2020/03/06 8:56 a.m., 14 views

Nextcloud: xss on setup config page

Nextcloud version: 18.0.1. In the setup config page, set the MySQL Username with the payload alert1, set the others, F739076, then submit. F739077 This GIF will show the PoC: F739069 Impact: This is because the code does not filter dangerous characters, so dangerous characters need to be escaped...

2.4 AI score
Exploits: 0
Hacker One
added 2020/03/05 11:34 p.m., 157 views

Mail.ru: Brute-force any email account through allods.mail.ru

!!! The full version of the report with screenshots is in the attached PDF file. Vulnerability Technical description ========================= At https://allods.mail.ru/account.php there is a registration form for a new user in the game. While the form is being filled in, an Ajax POST request is sent to...

7 AI score
Exploits: 0
Hacker One
added 2020/03/05 7:59 p.m., 147 views

Visma Bug Bounty Program: [IDOR]Ability to Pause & Resume the Invoice of other users If GUID is known.

An Insecure Direct Object Reference (IDOR) vulnerability was discovered via a certain endpoint, where the application exposes a reference to an internal implementation object. It reveals the real identifier and the format/pattern of the element used on the storage backend side...

4.4 AI score
Exploits: 0
Hacker One
added 2020/03/05 5:30 p.m., 102 views

Node.js: Node.js: TLS session reuse can lead to hostname verification bypass

The Node.js TLS library supports client-side reuse of TLS sessions when multiple connections to the same server are opened. Code that wants to use this feature can listen for the 'session' event (https://nodejs.org/api/tls.html#tls_event_session) on a tls.TLSSocket to get notified of newly created TLS...

5.8 CVSS, 7.3 AI score, 0.06065 EPSS
Exploits: 1
Total number of security vulnerabilities: 15369