
15371 matches found

Hacker One
added 2019/06/30 3:11 a.m., 80 views

U.S. Dept Of Defense: Root Remote Code Execution on https://███

Summary: Atlassian Crowd is a centralized identity management application that allows companies to "Manage users from multiple directories - Active Directory, LDAP, OpenLDAP or Microsoft Azure AD - and control application authentication permissions in one single location." A DOD installation is...

CVSS 7.5, AI score 2.3, EPSS 0.95355
Exploits: 6
Hacker One
added 2019/06/29 12:45 p.m., 33 views

GitLab: Server Side Request Forgery mitigation bypass

Summary This vulnerability allows an attacker to send arbitrary requests to the local network which hosts GitLab and read the response. This is possible due to flawed DNS rebinding protection. The attack is possible due to a flaw here:...

CVSS 7.5, EPSS 0.02803
Exploits: 1
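The report above describes the classic DNS rebinding hole in an SSRF filter: the filter resolves the hostname and checks the address, then hands the hostname (not the address) to the HTTP client, which resolves it a second time and gets a different answer. The following is an added example, not GitLab's code or the reporter's proof of concept; the hostname rebind.attacker.example and the two-answer resolver are constructed for the demonstration.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple

# A resolver maps a hostname to the list of IP strings DNS answered with.
Resolver = Callable[[str], List[str]]

# Shared address space (CGNAT) is not covered by ipaddress' is_private; list it explicitly.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]


def is_internal(ip: str) -> bool:
    """True for any address a server-side fetch must never be allowed to reach."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # judge ::ffff:a.b.c.d by the embedded IPv4 address
    return (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved
            or addr.is_multicast or addr.is_unspecified
            or any(addr in net for net in EXTRA_BLOCKED))


def system_resolver(host: str) -> List[str]:
    """Real DNS lookup. The scenario below injects a fake resolver instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def make_rebinding_resolver(first_answer: str, later_answer: str) -> Resolver:
    """Constructed attacker DNS: a short-TTL name that answers with a public address
    on the first lookup and with an internal address on every later one."""
    calls = {"n": 0}

    def resolve(host: str) -> List[str]:
        calls["n"] += 1
        return [first_answer] if calls["n"] == 1 else [later_answer]

    return resolve


def flawed_fetch_target(host: str, resolve: Resolver) -> str:
    """The flawed pattern: validate what the name resolves to, then hand the *name* to the
    HTTP client, which resolves it again. Returns the IP the client would actually connect to."""
    for ip in resolve(host):
        if is_internal(ip):
            raise ValueError("blocked: %s -> %s" % (host, ip))
    return resolve(host)[0]  # the client's own lookup; the attacker now answers 127.0.0.1


def pinned_fetch_target(host: str, resolve: Resolver) -> Tuple[str, str]:
    """Hardened: resolve once, validate every answer, and connect to that exact IP while
    still sending the original name in the Host header and TLS SNI."""
    answers = resolve(host)
    if not answers:
        raise ValueError("unresolvable: %s" % host)
    for ip in answers:
        if is_internal(ip):
            raise ValueError("blocked: %s -> %s" % (host, ip))
    return answers[0], host  # (IP to connect to, Host header value)


if __name__ == "__main__":
    dns = make_rebinding_resolver("8.8.8.8", "127.0.0.1")
    print("flawed client connects to", flawed_fetch_target("rebind.attacker.example", dns))
    dns = make_rebinding_resolver("8.8.8.8", "127.0.0.1")
    print("pinned client connects to", pinned_fetch_target("rebind.attacker.example", dns))
```

The pinned variant only closes the hole if the same check is re-run for every redirect the fetched server sends, since a 302 to an internal name is the other common way around such a filter.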
Hacker One
added 2019/06/29 10:19 a.m., 266 views

Zomato: Self-Stored XSS - Chained with login/logout CSRF

NOTE! This report explains taking over an account in a single click by chaining stored XSS, WAF bypass, login and logout CSRF. Summary: Attacker can take over someone's account by stealing their Facebook / Google login tokens, chaining multiple vulnerabilities. Description: Attacker leaves a review...

AI score 0.2
Exploits: 0
Hacker One
added 2019/06/29 7:04 a.m., 162 views

Valve: Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message

Overview Counter-Strike: Global Offensive's UI is built on a framework called Panorama which is heavily influenced by modern HTML/CSS with JS capabilities. Because of these properties, the UI becomes easily vulnerable to different types of code injection, most notably XSS. Previously, it was...

AI score 0.5
Exploits: 0
Hacker One
added 2019/06/28 6:46 p.m., 15 views

Lyst: Web Cache poisoning attack leads to User information Disclosure and more

Hello Your Web-Server is vulnerable to web cache poisoning attacks. This means that the attacker is able to get another user's information. If you are logged in and visit this website, for example: https://www.lyst.com/shop/trends/mens-dress-shoes/blahblah.css then the server will store the...

AI score 7
Exploits: 0
Hacker One
added 2019/06/28 2:48 p.m., 34 views

TomTom: Listing of Amazon S3 Bucket accessible to any amazon authenticated user (vector-maps-e457472599)

Summary: It's possible to get a listing of every file in the S3 bucket vector-maps-e457472599 Description: The problem is that using the AWS command line, it's possible to get a listing of files in the Amazon S3 bucket with AWS authentication. See screenshot vector-maps-e457472599publics3bucket.pn...

AI score 1.5
Exploits: 0
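The misconfiguration in the TomTom report is an ACL grant to the predefined AuthenticatedUsers group, which means any AWS account in the world, not any user of the bucket owner's account. The following is an added example for auditing such grants, not TomTom's or the reporter's code; the ACL dictionary is constructed to match the report's scenario and has the shape boto3's get_bucket_acl() returns.

```python
from typing import Dict, List, Tuple

# Predefined S3 group grantee URIs (fixed AWS identifiers).
GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
    "http://acs.amazonaws.com/groups/s3/LogDelivery": "LogDelivery",
}
# Grants to these two groups reach outside the owning account.
WIDE_GROUPS = {"AllUsers", "AuthenticatedUsers"}

# On a *bucket* ACL, READ means "list every object key", WRITE means "create/overwrite/delete".
PERMISSION_MEANING = {
    "READ": "list objects", "WRITE": "write/delete objects", "READ_ACP": "read the ACL",
    "WRITE_ACP": "rewrite the ACL", "FULL_CONTROL": "do anything",
}


def risky_grants(acl: Dict) -> List[Tuple[str, str]]:
    """Return (group, permission) for every grant that reaches beyond the owning account."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        group = GROUP_URIS.get(grantee.get("URI", ""), grantee.get("URI", "unknown"))
        if group in WIDE_GROUPS:
            found.append((group, grant.get("Permission", "")))
    return found


def describe(bucket: str, acl: Dict) -> str:
    """One-line verdict suitable for a scan report."""
    hits = risky_grants(acl)
    if not hits:
        return "%s: no global group grants" % bucket
    notes = []
    for group, perm in hits:
        who = "anyone" if group == "AllUsers" else "any AWS account holder"
        notes.append("%s can %s (%s %s)" % (who, PERMISSION_MEANING.get(perm, perm), group, perm))
    return "%s: %s" % (bucket, "; ".join(notes))


# Constructed ACL in the report's scenario: the owner keeps full control, and a READ
# grant to AuthenticatedUsers lets any AWS principal list the bucket.
SAMPLE_ACL = {
    "Owner": {"ID": "0000owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0000owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print(describe("vector-maps-e457472599", SAMPLE_ACL))
```

Against a live account the ACL comes from `boto3.client("s3").get_bucket_acl(Bucket=name)`; the report's own reproduction (a listing from an unrelated AWS identity) corresponds to `aws s3 ls s3://<bucket>` run with any account's credentials. The durable fix is S3 Block Public Access plus removing the group grant, since account-level blocking also neutralises the AuthenticatedUsers group.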
Hacker One
added 2019/06/28 8:20 a.m., 32 views

Informatica: Public Github Repo Leaking Internal Credentials Leading To DiscoveryIQ Docker Access

Researcher has identified and reported public github repo leaking internal information...

AI score 1.7
Exploits: 0
Hacker One
added 2019/06/28 5:16 a.m., 37 views

Nextcloud: Some HTML Tags are Getting Executed in com.nextcloud.client

What is the Vulnerability? HTML tags such as , , and are getting executed in the Nextcloud client mobile application for Android, which can then result in code injection. Reproduction Steps 1. Using the Nextcloud client mobile app on Android, rename a folder to test. Our HTML tag was executed F518303...

CVSS 4.6, AI score 0.7, EPSS 0.00495
Exploits: 1
Hacker One
added 2019/06/28 3:01 a.m., 18 views

Nextcloud: Passcode Protection in Android Devices Can be Bypassed.

What is the Vulnerability? The passcode can be bypassed by calling a MainLoginActivity, which is com.owncloud.android.ui.activity.FileDisplayActivity. We have successfully bypassed the passcode and are redirected to the app's user interface. of the user’s credentials: Android Version: 9 Non Roote...

AI score 1.2
Exploits: 0
Hacker One
added 2019/06/27 7:10 p.m., 24 views

Monero: Monero Wallet Gui for Windows (Arbitrary Code Execution)

Summary: The windows version of the monero-wallet-gui.exe application allows for code injection. The monero-wallet-gui.exe utilizes a precompiled OpenSSL library called libeay32.dll. This OpenSSL library is trying to read a configuration file that doesn’t exist. By default, on windows systems,...

AI score 1.7
Exploits: 0
Hacker One
added 2019/06/27 6:55 a.m., 33 views

PuTTY (European Commission - DIGIT): Heap overflow happens when receiving a short-length key from an SSH server using SSH protocol 1

Summary: There's no check in the ssh1_login_process_queue function when reading the servkey and hostkey lengths from the packet, which may cause a heap overflow. Remote code execution may be possible. Steps To Reproduce: 1. To test this issue, I downloaded openssl6.8 to compile to craft packets, using the below command to...

AI score 0.1
Exploits: 0
Hacker One
added 2019/06/26 11:28 p.m., 37 views

OLX: Reflected XSS on https://www.olx.co.id/iklan/*.html via "ad_type" parameter

I found Reflected XSS on https://www.olx.co.id/ - Vulnerability URL : https://www.olx.co.id/iklan/*.html - Payloads: " Proof of Concept: 1. Try to find every URL like this URL structure https://www.olx.co.id/iklan/*.html 2. And add the payloads in the ad_type parameter, example:...

AI score 0.3
Exploits: 0
Hacker One
added 2019/06/26 8:51 p.m., 21 views

Vercel: User personal data disclosure via API

Summary: As a normal user, the API allows me to obtain information about other users by passing their email address as a query parameter which then returns their name, username, uid, avatar hash, and email in the HTTP response body. Under GDPR regulations this information disclosure is categorize...

AI score 0.2
Exploits: 0
Hacker One
added 2019/06/26 8:19 p.m., 134 views

Node.js third-party modules: Command Injection due to lack of sanitisation of tar.gz filename passed as an argument to pm2.install() function

Hi Guys, It's been a while: I would like to report Command Injection in the pm2.import function when a tar.gz archive is installed with a name provided as user-controlled input. Due to lack of proper validation of the tar.gz archive filename, this vulnerability allows injection of arbitrary commands and...

AI score 0.2
Exploits: 0
Hacker One
added 2019/06/26 6:30 p.m., 33 views

ZEIT: Access control bypass leads to domain information disclosure

Summary: By leveraging the domain verification endpoint I can obtain sensitive information about the user who registered the domain within the zeit UI including username, email address, userId, and customerId. In addition, some high level information about the domain is included as well such as...

Exploits: 0
Hacker One
added 2019/06/26 3:58 p.m., 30 views

Nextcloud: CSRF vulnerability that allows an attacker to modify encryption settings

The POST request to /ocs/v2.php/apps/provisioning_api/api/v1/config/apps/core/encryption_enabled is missing a unique token, so that if an attacker can trick an admin user with an active session into visiting an attacker-controlled website, he/she can control the core application setting "encryption_enabled...

AI score 0.5
Exploits: 0
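The Nextcloud report above, and the Uber (desafio5estrelas.com) and Flickr account-deletion reports further down this page, are the same defect: a state-changing endpoint that accepts whatever a cross-site form post carries, which is the victim's session cookie and nothing else. The following is an added example of the two checks that close it, not Nextcloud's code; the session record, the `value` form field and the endpoint function are assumed, while the `requesttoken` and `OCS-APIRequest` header names are the ones Nextcloud uses.

```python
import hmac
import secrets
from typing import Dict, Tuple


def new_admin_session() -> Dict[str, str]:
    """Session record as the server keeps it; the CSRF token lives only here and in
    the pages the server renders for this session, never in a cookie the browser
    attaches automatically."""
    return {"user": "admin", "csrf": secrets.token_urlsafe(32)}


def set_encryption_enabled(session: Dict, method: str, headers: Dict[str, str],
                           form: Dict[str, str]) -> Tuple[int, str]:
    """Server side of the config endpoint. Two independent defences, either of which
    blocks the cross-site form post an attacker's page can produce:
    1. a custom request header, which browsers never add to a cross-site form
       submission (the idea behind Nextcloud's OCS-APIRequest: true header);
    2. a session-bound token, compared in constant time."""
    if method != "POST":
        return 405, "method not allowed"
    if headers.get("OCS-APIRequest", "").lower() != "true":
        return 403, "missing OCS-APIRequest header"
    token = headers.get("requesttoken") or form.get("requesttoken", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, "csrf token mismatch"
    session["encryption_enabled"] = form.get("value") == "yes"
    return 200, "ok"


def attacker_form_post(session: Dict) -> Tuple[int, str]:
    """What an attacker-controlled page can make the admin's browser send: the
    session cookie rides along, but no custom header and no token value."""
    return set_encryption_enabled(session, "POST", {}, {"value": "no"})


if __name__ == "__main__":
    s = new_admin_session()
    print("cross-site post:", attacker_form_post(s))
    print("same-site post:", set_encryption_enabled(
        s, "POST", {"OCS-APIRequest": "true", "requesttoken": s["csrf"]}, {"value": "no"}))
```

The header check alone is enough only while the endpoint does not also accept simple content types from cross-origin XHR; the token check does not depend on that, which is why both are kept.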
Hacker One
added 2019/06/26 8:34 a.m., 19 views

Grammarly: Lack of CSRF header validation at https://g-mail.grammarly.com/profile

Hello! Description I found that the CORS setup in some places checks the protocol, but it allows the http scheme. In addition, any subdomain is considered trusted. If the origin is http://www.grammarly.com, then the server will respond: Access-Control-Allow-Origin:...

AI score 6.8
Exploits: 0
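The report above describes an Origin check with two weaknesses: it accepts http as well as https, and it trusts "any subdomain", which in practice is often a string-suffix test. The following is an added example contrasting that logic with an exact allowlist, not Grammarly's code; the allowlisted origins and the test origins (including the subdomain and the look-alike domain) are constructed for the demonstration.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumed allowlist: every origin that may make credentialed cross-origin calls, spelled out.
TRUSTED_ORIGINS = {"https://www.grammarly.com", "https://app.grammarly.com"}


def flawed_is_trusted(origin: str) -> bool:
    """Reproduces the two mistakes the report describes: the scheme check also accepts
    http, and 'any subdomain' is implemented as a bare string-suffix match, which also
    matches look-alike registrable domains such as evilgrammarly.com."""
    parts = urlsplit(origin)
    return parts.scheme in ("http", "https") and (parts.hostname or "").endswith("grammarly.com")


def hardened_is_trusted(origin: str) -> bool:
    """Exact match of scheme + host (+ port) against the allowlist: https only, no
    suffix tricks, and a subdomain is trusted only if it is listed by name."""
    parts = urlsplit(origin)
    if parts.path or parts.query or parts.fragment:
        return False  # an Origin header never carries a path
    return "%s://%s" % (parts.scheme.lower(), parts.netloc.lower()) in TRUSTED_ORIGINS


def cors_headers(origin: Optional[str], trusted=hardened_is_trusted) -> Dict[str, str]:
    """Response headers for a credentialed endpoint: reflect the Origin only when it is
    trusted (never '*' alongside credentials), and always send Vary: Origin so a shared
    cache cannot hand one origin's grant to another."""
    if origin and trusted(origin):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {"Vary": "Origin"}


if __name__ == "__main__":
    for o in ("http://www.grammarly.com", "https://evilgrammarly.com",
              "https://any-subdomain.grammarly.com", "https://app.grammarly.com"):
        print("%-40s flawed=%-5s hardened=%s" % (o, flawed_is_trusted(o), hardened_is_trusted(o)))
```

Why the http case matters even on an https site: an attacker on the victim's network can serve http://www.grammarly.com themselves, and with Allow-Credentials the browser will then send the victim's cookies to the real API and let that page read the response.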
Hacker One
added 2019/06/26 7:59 a.m., 14 views

Node.js: loader.js is not secure

Summary: Node.js loader.js can be exploited by an attacker. The vulnerability: https://github.com/nodejs/node/blob/a33c3c6d33fa81fa59a5aa95246d7f599e6abdd3/lib/internal/modules/cjs/loader.js#L892 Module._initPaths = function() { var homeDir; var nodePath; if (isWindows) homeDir = process.env.USERPROFILE...

AI score 7.1
Exploits: 0
Hacker One
added 2019/06/26 7:05 a.m., 41 views

Starbucks: Reflected cross-site scripting on multiple Starbucks assets.

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Please indicate NA, if not applicable. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling...

Exploits: 0
Hacker One
added 2019/06/26 1:29 a.m., 14 views

Yelp: PURGE is not authenticated

Vulnerability description not provided...

AI score 7.1
Exploits: 0
Hacker One
added 2019/06/25 3:35 p.m., 52 views

Shopify: any staff member with the ability to comment in [discounts] can disable the comment section for other staff, even the admin of the store

Hi, I found this cool behavior by mistake when I was testing some GraphQL: any user with the ability to comment on discount codes in the discounts section can turn off comments for the other staff members, including the admin/manager of the store. This happens because when the GraphQL used to create a...

AI score 0.5
Exploits: 0
Hacker One
added 2019/06/25 1:40 p.m., 83 views

New Relic: CSTI fix (#587829) bypass leading to stored XSS at plugins again

@skavans discovered a workaround for previous XSS mitigations. This led to a more robust approach to filtering dangerous content in Angular templates...

AI score 1.6
Exploits: 0
Hacker One
added 2019/06/25 12:18 p.m., 85 views

Chainlink: No Valid SPF Records.

Hi, there is an issue: no valid SPF records. Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing...

AI score 7.1
Exploits: 0
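"No valid SPF record" covers several distinct states, and they are not equally bad: no record at all, a record ending in `+all` or `?all` (which authorises or ignores everyone), several records (a permanent error for receivers), or more than ten DNS-lookup terms. The following is an added example of an audit over the TXT records of a domain, not the reporter's tooling; the record strings are constructed, and the page does not name the domain that was tested.

```python
import re
from typing import List

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps these at 10 per check.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")


def spf_findings(txt_records: List[str]) -> List[str]:
    """Audit a domain's TXT records for SPF. An empty list means exactly one
    record that ends in -all or ~all with at most 10 lookup terms."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may send mail claiming this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("%d SPF records: receivers treat this as permerror" % len(spf))
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all': every host on the internet is authorised")
        elif qualifier == "?":
            findings.append("'?all': unlisted senders are neutral, no protection")
        if terms.index(last) != len(terms) - 1:
            findings.append("terms after 'all' are never evaluated")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append("%d DNS-lookup terms exceed the limit of 10 (permerror)" % lookups)
    return findings


# Constructed TXT record sets, as `dig +short TXT <domain>` would print them.
SAMPLES = {
    "no-record": ["google-site-verification=abc123"],
    "good": ["v=spf1 include:_spf.google.com ip4:198.51.100.0/24 -all"],
    "plus-all": ["v=spf1 +all"],
    "two-records": ["v=spf1 -all", "v=spf1 mx -all"],
    "no-all": ["v=spf1 include:_spf.example.net"],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, "->", spf_findings(records) or ["ok"])
```

SPF on its own only protects the envelope sender; the header From: that users see is covered only when DMARC is published as well, so a finding here is worth pairing with a check for a `_dmarc` TXT record.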
Hacker One
added 2019/06/24 5:18 p.m., 17 views

Node.js third-party modules: Application level denial of service due to shutting down the server

Module module name: http-live-simulator version: 1.0.7 npm page: https://www.npmjs.com/package/http-live-simulator Description I've found a way to crash the server due to the way it parses the URL Steps To Reproduce: 1- Install the module: npm install -g http-live-simulator 2- Run the server:...

AI score 0.3
Exploits: 0
Hacker One
added 2019/06/24 1:23 p.m., 12 views

curl: Integer overflow in "header_append" function

Summary: The function header_append contains an integer overflow; it can bypass the check on the length and can lead to a subsequent heap buffer overflow. Steps To Reproduce: I don't have a PoC, but here is a little description of the problem. Vulnerable code: static CURLcode header_append(struct...

AI score 0.9
Exploits: 0
Hacker One
added 2019/06/22 10:59 p.m., 20 views

New Relic: Stored XSS via "my recent queries" selector in NRQL dashboard builder

This is a pretty simple one. Within NR One, there is a stored XSS via the dashboard builder. It appears in the "My recent queries" dropdown. You can attack other users with this bug by having them navigate to the link, I'll show an example below. Steps to Reproduce: 1. From NR1, navigate to the...

AI score 2.1
Exploits: 0
Hacker One
added 2019/06/22 9:51 a.m., 17 views

Unikrn: Open Redirection leads to redirect Users to malicious website

--- Summary --- I found an open redirect bug on unikoingold.com. First, I create an account on unikoingold.com, I fill all the forms with the required information (first name, birth, etc...), until I came to the final step to verify my account; there was a mechanism to send a verification link to m...

AI score 6.1
Exploits: 0
Hacker One
added 2019/06/22 12:04 a.m., 63 views

Nextcloud: Wordpress Users Disclosure

Information: Using the REST API, we can see all the WordPress users/authors with some of their information. Steps to Reproduce: You can get user info by entering the below URL in your browser: https://nextcloud.com/wp-json/wp/v2/users Reference: 356047 Impact Authors : LTR , LTREditor can be created scenario...

AI score 1.2
Exploits: 0
Hacker One
added 2019/06/21 3:11 p.m., 20 views

Uber: Chained vulnerabilities create DOS attack against users on desafio5estrelas.com

On a vendor created and managed site desafio5estrelas.com, by controlling the value of the gender parameter on the /salvargenero endpoint via CSRF, an attacker was able to prevent a user from ever logging into their account again. Fun chained CSRF that caused a DOS on user’s account. Check out my...

AI score 1.2
Exploits: 0
Hacker One
added 2019/06/21 12:11 p.m., 36 views

Mail.ru: XSS in messages on geekbrains.ru

Stored XSS via data URI in messages on geekbrains.ru. geekbrains.ru is in extended Ext.B scope, XSS reports for this scope are accepted without bounty. Description Stored XSS in messages on a large IT training portal GeekBrains, the vulnerability allowed to execute JavaScript code in the victim's...

AI score 2.2
Exploits: 0
Hacker One
added 2019/06/21 2:53 a.m., 58 views

Internet Bug Bounty: Uninitialized read in gdImageCreateFromXbm

This bug is present in the gdImageCreateFromXbm method of the ext/gd/libgd/gd_xbm.c file. This method contains the below mentioned lines: ... unsigned int b; ... sscanf(h, "%x", &b); for (bit = 1; bit <= max_bit; bit = bit << 1) gdImageSetPixel(im, x++, y, b & bit ? 1 : 0); ... So when the sscanf method is not able to rea...

CVSS 5, AI score 6.2, EPSS 0.04332
Exploits: 1
Hacker One
added 2019/06/20 7:15 p.m., 14 views

Urban Company: Private IP leaking through response

Name of Vulnerability: Information disclosure User Details: +91 ████ Summary: Private IP addresses are leaking through the response in Urban Clap. Description: Hi team. During my research I found some IP addresses in the response. After finding the origin of the IPs I found that these IP addresses are...

Exploits: 0
Hacker One
added 2019/06/20 6:51 p.m., 279 views

U.S. Dept Of Defense: https://█████████ Vulnerable to CVE-2018-0296 Cisco ASA Path Traversal Authentication Bypass

Summary: https://█████ is an ASA running software vulnerable to CVE-2018-0296 which allows a remote attacker to exploit a path traversal vulnerability and bypass authentication to sensitive files. The attacker can use this to enumerate the ASA VPN web directory structure and exploit privileged...

CVSS 5, AI score 2.1, EPSS 0.99903
Exploits: 18
Hacker One
added 2019/06/20 3:20 p.m., 29 views

Nextcloud: Arbitrary code execution in desktop client via OpenSSL config

Summary: The nextcloud windows desktop application utilizes a precompiled OpenSSL library called libeay32.dll. This OpenSSL library attempts to load c:\usr\local\ssl\openssl.cnf when the nextcloud windows application is launched. The c:\usr\local\ssl\openssl.cnf file does not exist. By default, o...

CVSS 4.6, AI score 0.2, EPSS 0.00659
Exploits: 1
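The Nextcloud desktop report above and the Monero wallet report earlier on this page describe the same bug class: a bundled OpenSSL build whose compiled-in OPENSSLDIR points at a path nobody owns on a stock Windows system, so a local user can create the directory and drop an openssl.cnf there. The config format has a documented way to make the library load a shared object at initialisation (an engine section with a `dynamic_path`), which is what turns a config file into code execution. The following is an added example of how to read such a file and what to check on the host, not Nextcloud's, Monero's or the reporter's code; the planted config text and the planted.dll path are constructed, and the only page-supplied value is the c:\usr\local\ssl directory.

```python
import os
import re
from typing import Dict, List, Tuple

# OPENSSLDIR that the Nextcloud report says its bundled libeay32.dll reads from.
OPENSSLDIR_FROM_REPORT = r"c:\usr\local\ssl"


def parse_openssl_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader for OpenSSL's config syntax: '[section]' headers, 'key = value'
    lines and '#' comments. Keys before the first header form the default section."""
    sections: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*([^\]]+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def engine_libraries(cfg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, bool]]:
    """Follow openssl_conf -> engines -> each engine -> dynamic_path. Every entry is a
    library OpenSSL would LoadLibrary/dlopen while initialising the host process."""
    init_section = cfg["default"].get("openssl_conf")
    engines_section = cfg.get(init_section or "", {}).get("engines")
    found = []
    for engine_name, section in cfg.get(engines_section or "", {}).items():
        spec = cfg.get(section, {})
        if "dynamic_path" in spec:
            found.append((engine_name, spec["dynamic_path"], spec.get("init") == "1"))
    return found


def audit_openssldir(path: str = OPENSSLDIR_FROM_REPORT) -> str:
    """Is the directory the library reads its config from one a local user could plant files in?"""
    if not os.path.isdir(path):
        return "%s does not exist: whoever can create it controls openssl.cnf" % path
    if os.access(path, os.W_OK):
        return "%s exists and is writable by the current user" % path
    return "%s exists and is not writable by the current user" % path


# Constructed example of the file an attacker would drop as <OPENSSLDIR>\openssl.cnf.
PLANTED_CNF = r"""
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
planted = planted_section

[planted_section]
engine_id = planted
dynamic_path = c:\usr\local\ssl\planted.dll   # loaded with the application's privileges
init = 1
"""

if __name__ == "__main__":
    for name, lib, auto_init in engine_libraries(parse_openssl_cnf(PLANTED_CNF)):
        print("engine %s loads %s (initialised at startup: %s)" % (name, lib, auto_init))
    print(audit_openssldir())
```

For a shipped binary the fixes are to build with an OPENSSLDIR under the install directory (or one that only administrators can write), or to initialise OpenSSL without automatic config loading; on the deployed host, the audit above plus the ACL of the directory's parent tells you whether the path is still claimable.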
Hacker One
added 2019/06/20 12:04 p.m., 57 views

PayPal: DoS on PayPal via web cache poisoning

On https://paypal.com/, you could impact core functionality by using an invalid Transfer-Encoding header to replace JavaScript files from www.paypalobjects.com with the message '501 Not Implemented'. This was patched and awarded a $9,700 bounty. By the time you read this, there should be a full...

AI score 0.5
Exploits: 0
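The PayPal report above and the Lyst report earlier on this page are the two faces of one caching mistake: the cache decides what to store from the request URL instead of from the response. With an unkeyed request header that makes the origin fail, an attacker's error response is stored under the URL every victim uses (poisoning); with a URL that merely looks static, a victim's personalised page is stored under a URL the attacker can then fetch (cache deception). The following is an added simulation of both against a naive cache and a cache that respects the response, not PayPal's, Lyst's or the reporters' code; the origin server, the paths and the user names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    user: str = "anon"          # stands in for the session cookie


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def origin(req: Request) -> Response:
    """Constructed origin server. /account/* pages are per-user and marked private;
    everything else is a public static asset. A Transfer-Encoding value it does not
    understand makes it answer 501, as in the PayPal report."""
    te = req.headers.get("Transfer-Encoding", "").lower()
    if te not in ("", "chunked"):
        return Response(501, {"Content-Type": "text/plain"}, "501 Not Implemented")
    if req.path.startswith("/account/"):
        return Response(200, {"Cache-Control": "private", "Content-Type": "text/html"},
                        "<p>Signed in as %s (%s@example.com)</p>" % (req.user, req.user))
    return Response(200, {"Cache-Control": "public, max-age=3600",
                          "Content-Type": "text/javascript"}, "console.log('site js')")


class NaiveCache:
    """Keys on the URL alone and decides cacheability from the URL's extension."""
    STATIC_EXT = ("js", "css", "png", "jpg")

    def __init__(self):
        self.store: Dict[str, Response] = {}

    def fetch(self, req: Request) -> Tuple[Response, bool]:
        if req.path in self.store:
            return self.store[req.path], True
        resp = origin(req)
        if req.path.rsplit(".", 1)[-1] in self.STATIC_EXT:
            self.store[req.path] = resp
        return resp, False


class SafeCache:
    """Decides cacheability from the response: only 200s that say public, never
    private or no-store, never error responses, whatever the URL looks like."""

    def __init__(self):
        self.store: Dict[str, Response] = {}

    @staticmethod
    def cacheable(resp: Response) -> bool:
        directives = {d.strip().split("=")[0].lower()
                      for d in resp.headers.get("Cache-Control", "").split(",")}
        return (resp.status == 200 and "public" in directives
                and not ({"private", "no-store"} & directives))

    def fetch(self, req: Request) -> Tuple[Response, bool]:
        if req.path in self.store:
            return self.store[req.path], True
        resp = origin(req)
        if self.cacheable(resp):
            self.store[req.path] = resp
        return resp, False


def run_scenarios(cache_cls) -> Dict[str, object]:
    """Attacker request first, victim (or attacker) second; report what the second sees."""
    c = cache_cls()
    c.fetch(Request("/js/app.js", {"Transfer-Encoding": "chunked-but-not"}))        # attacker
    poisoned, _ = c.fetch(Request("/js/app.js"))                                    # victim
    c = cache_cls()
    c.fetch(Request("/account/settings/anything.css", user="alice"))                # lured victim
    leaked, _ = c.fetch(Request("/account/settings/anything.css", user="mallory"))  # attacker
    return {"victim_status": poisoned.status, "attacker_sees": leaked.body}


if __name__ == "__main__":
    for cls in (NaiveCache, SafeCache):
        print(cls.__name__, run_scenarios(cls))
```

A real CDN also needs the request-side rule the simulation leaves out: any request header that changes the response must either be part of the cache key (Vary) or be stripped before the origin sees it, and hop-by-hop headers such as Transfer-Encoding belong in the second group.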
Hacker One
added 2019/06/20 11:47 a.m., 19 views

Mail.ru: phpinfo

Test script with phpinfo output was available in russianaicup.ru...

AI score 1.1
Exploits: 0
Hacker One
added 2019/06/20 11:35 a.m., 14 views

Mail.ru: SVN repository

SVN repository for static web files was available on terrhq.ru subdomain...

AI score 1.1
Exploits: 0
Hacker One
added 2019/06/20 11:34 a.m., 15 views

Mail.ru: xss

Reflected XSS via GET parameters in terrhq.ru subdomain...

AI score 5
Exploits: 0
Hacker One
added 2019/06/19 9:15 p.m., 24 views

shopify-scripts: NULL pointer dereference in `mrb_check_frozen`

PoC === The following demonstrates a crash: 3735928559.remove_instance_variable '@a' Debug info ========== Valgrind suggests the crash happens due to an invalid read in mrb_check_frozen: ==4882== Memcheck, a memory error detector ==4882== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al...

AI score 0.4
Exploits: 0
Hacker One
added 2019/06/19 5:57 a.m., 26 views

Unikrn: Rate Limit workaround in the message of the phone number verification

There was a more or less trivial workaround to the SMS resend rate limit. Thx @drakm!...

AI score 2.5
Exploits: 0
Hacker One
added 2019/06/19 4:50 a.m., 93 views

Nextcloud: User with read-only access to a share can gain write access to sub-folders in the share

user0 creates folders /test and /test/sub
user0 creates file /test/sub/file.txt
user0 shares folder /test with user1 with read+share permissions (17)
user1 receives the folder /test and can read/download /test/sub/file.txt - good
user1 creates a link share of /test/sub - it has permissions 1...

CVSS 4, AI score 6.8, EPSS 0.01056
Exploits: 0
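The permission value 17 in the steps above is a bitmask: Nextcloud's share permissions are READ=1, UPDATE=2, CREATE=4, DELETE=8 and SHARE=16, so 17 is read plus the right to reshare. The invariant the report shows being broken is that a reshare of anything inside a received share, at creation and on every later update, must never carry a bit the parent share lacks. The following is an added example of that check, not Nextcloud's code; the function names and the error messages are assumed, only the bit values are Nextcloud's.

```python
from typing import Iterable

# Nextcloud share permission bits (OCP\Constants).
READ, UPDATE, CREATE, DELETE, SHARE = 1, 2, 4, 8, 16
ALL = READ | UPDATE | CREATE | DELETE | SHARE
NAMES = {READ: "read", UPDATE: "update", CREATE: "create", DELETE: "delete", SHARE: "share"}


def describe(mask: int) -> str:
    return "+".join(name for bit, name in NAMES.items() if mask & bit) or "none"


def effective_permissions(chain: Iterable[int]) -> int:
    """A path reached through several nested shares has the intersection of their masks:
    a sub-folder of a read-only share is read-only no matter how it is reshared."""
    mask = ALL
    for m in chain:
        mask &= m
    return mask


def check_reshare(parent_permissions: int, requested: int) -> int:
    """Permissions a recipient may put on a (link) share of a file or sub-folder inside
    a share they received. Raises if the request exceeds the parent; the same function
    must run when an existing reshare's permissions are edited, not only on creation."""
    if not parent_permissions & SHARE:
        raise PermissionError("parent share does not grant reshare")
    if not requested & READ:
        raise ValueError("a share must at least grant read")
    excess = requested & ~parent_permissions & ALL
    if excess:
        raise PermissionError("cannot grant %s: parent share only allows %s"
                              % (describe(excess), describe(parent_permissions)))
    return requested


if __name__ == "__main__":
    parent = READ | SHARE                     # the 17 from the report's step 3
    print("user1 link share of /test/sub with read:", check_reshare(parent, READ))
    try:
        check_reshare(parent, READ | UPDATE | CREATE | DELETE)
    except PermissionError as e:
        print("escalation refused:", e)
```

The chain function matters for the page's scenario because /test/sub is not itself shared with user1; its permissions are whatever /test grants, and a link share created one level down has to be checked against that inherited mask rather than against the folder's own (owner-level) rights.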
Hacker One
added 2019/06/18 3:53 p.m., 55 views

ZEIT: Open redirection in https://zeit.co/login?next=

you have an open redirection bug in https://zeit.co/login?next= now I want to redirect the victim to https://www.google.com https://zeit.co/login?next=\www.google.com done !! it will be redirected F511594 Impact redirect the victims to any page and it can be an XSS bug...

AI score 0.3
Exploits: 0
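The payload in the report above works because server-side URL parsers and browsers disagree about the backslash: to Python's urlsplit (and most server libraries) `\www.google.com` is a relative path with no host, while a browser's URL parser treats a backslash in an http(s) URL exactly like a slash, so a value such as `/\www.google.com` becomes the scheme-relative `//www.google.com`. The following is an added example of a `next` validator that survives this and the related encodings, not ZEIT's code or the reporter's payload list beyond the one on the page; the helper names and the sample paths are assumed.

```python
from urllib.parse import unquote, urlsplit


def browser_view(target: str) -> str:
    """How a browser's URL parser reads the string for http(s) URLs: every backslash is
    a slash (WHATWG URL), so '/\\evil.com' means '//evil.com', a URL pointing at evil.com."""
    return target.replace("\\", "/")


def naive_next(target: str, default: str = "/") -> str:
    """Flawed check: 'no scheme and no host means it is local'. A backslash hides the
    host from urlsplit, so both '\\www.google.com' and '/\\www.google.com' pass."""
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default
    return target


def safe_next(target: str, default: str = "/") -> str:
    """Accept only an absolute path on this origin: exactly one leading slash, no
    backslash anywhere, no scheme or host, no control characters, all of it judged
    after URL-decoding so %5c cannot smuggle a backslash past the check."""
    decoded = unquote(target or "")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        return default
    if "\\" in decoded or not decoded.startswith("/") or decoded.startswith("//"):
        return default
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return default
    return decoded


if __name__ == "__main__":
    for candidate in ("/dashboard", "\\www.google.com", "/\\www.google.com",
                      "//www.google.com", "/%5c%5cwww.google.com", "https://www.google.com"):
        print("%-28s naive=%-22s safe=%s" % (candidate, naive_next(candidate), safe_next(candidate)))
```

Rejecting to a fixed default rather than "cleaning" the value is deliberate: a normaliser that turns `/\www.google.com` into `/www.google.com` has to be proven to agree with every browser's parser, and a denylist of separators does not.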
Hacker One
added 2019/06/18 9:14 a.m., 103 views

Shopify: Stored XSS in Discounts section

self-xss Impact 1. add Products, shop name is '"'' 2. click Discounts-code, https://mosuan-img-src-x.myshopify.com/admin/discounts/367541518396 3. add comments, choose the goods just now. 4. alert...

AI score 0.8
Exploits: 0
Hacker One
added 2019/06/18 7:51 a.m., 49 views

GitLab: Bypass Email Verification using Salesforce -- Reproducible in gitlab.com

Summary The Salesforce login integration allows an attacker to bypass email verification -- a user is able to sign up with any email domain they want, effectively bypassing all email domain whitelist/blacklist restrictions or any other 3rd party using the GitLab instance's email address. It is possible because...

CVSS 6.5, AI score 0.7, EPSS 0.01511
Exploits: 1
Hacker One
added 2019/06/17 10:31 p.m., 124 views

Collibra: Access to the database on onboarding.collibra.com

Summary: During the study, it was discovered that port 9306 was open on this server, which is used by the Sphinx service. I was able to connect to the internal database. Steps To Reproduce: 1. Discovery of open port 9306, on which the Sphinx service is running (screenshot 0) 2. Connection to the databa...

AI score 0.4
Exploits: 0
Hacker One
added 2019/06/17 6:51 p.m., 90 views

Uber: Arbitrary File Reading on Uber SSL VPN

The hacker has found a series of 0-days related to Pulse Secure SSL VPN...

CVSS 7.5, AI score 1.2, EPSS 0.99999
Exploits: 38
Hacker One
added 2019/06/17 1:04 a.m., 50 views

Concrete CMS: Stored XSS in Conversations (both client and admin) when Active Conversation Editor is set to "Rich Text"

Hi concrete5 Team, Summary I've identified a Stored XSS vulnerability in the concrete5 Conversations module, when Active Conversation Editor is set to "Rich Text". An attacker is able to input malicious JavaScript, which is run both in the client against any site visitor as well as against any user logged...

CVSS 3.5, AI score 5.2, EPSS 0.00499
Exploits: 0
Hacker One
added 2019/06/15 4:23 p.m., 20 views

GSA Bounty: Blind Stored XSS In "Report a Problem" on www.data.gov/iss
ue/

Steps To Reproduce: 1. Open: https://www.data.gov/issue/ 2. Fill "Issue Title" and "Description" with an XSSHunter payload 3. XSS fired in https://labs.data.gov/crm/admin/report/662445 Impact Can steal admin cookies...

AI score 6.2
Exploits: 0
Hacker One
added 2019/06/15 1:02 p.m., 22 views

Quantopian: Cross-site scripting on algorithm collaborator

Hi again my favorite VDP team. I bring you 8th bug and 4th cross-site scripting. Currently trying to upload python code via self-serve data, not looking for XSS'es only, but they're a thing still, right? Summary: By sending specially crafted websockets request attacker can run javascript in...

AI score 6.1
Exploits: 0
Hacker One
added 2019/06/15 9:19 a.m., 22 views

Flickr: CSRF in Account Deletion feature (https://www.flickr.com/account/delete)

CSRF protection was missing in the Account Deletion form due to switching login providers. @asad0x01 found the vulnerability and reported it concisely, even with a video POC. The issue was fixed within 60 days, but we were slow to resolve the ticket and disclose. Sometimes you just get lucky. When Flickr was owne...

AI score 0.5
Exploits: 0
Total number of security vulnerabilities: 15371