Lucene search
K
HackeroneRecent

15371 matches found

Hacker One
Hacker One
added 2019/01/15 12:53 a.m.14 views

Rockstar Games: DOM BASED XSS ON https://www.rockstargames.com/GTAOnline/features

In this report, the researcher identified a DOM-based Cross-Site Scripting vulnerability under the GTAOnline section of the main site. This could have left to theft of cookies if left unresolved. Interestingly, a core factor in this vulnerability was a regression of a previously identified and...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2019/01/14 8:22 p.m.22 views

Dropbox: Significant Two step verification Authentication Bypass

This report described a concern with our “Trust this Computer” feature in Dropbox web sign in. The way our “Trust this Computer” feature works, at a high level, is that while authenticating using 2FA, the user can request that this device be trusted in the future so they don’t have to use 2FA...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2019/01/14 4:19 p.m.40 views

Eobot: Secure Pages Include Mixed Content Issue

Description The page includes mixed content, that is content accessed via HTTP instead of HTTPS. Steps 1 Enter these two URLs https://www.eobot.com/fee https://www.eobot.com/ad 2 Open Source Code viewer You will note and Mixed Content Error. http://bitcoin.sipa.be/speed-small-lin.png Fix A page...

Exploits0
Hacker One
Hacker One
added 2019/01/14 5:15 a.m.61 views

Tron Foundation: DOS attack by consuming all CPU and using all available memory

Summary: A single request to submit a post to /wallet/deploycontract with several megabytes of bytecode along with CPU intensive long parsing will consume CPU for about 10 minutes while still holding several megabytes of bytecode in heap. With enough requests lets say 1K-10K depending upon...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2019/01/14 4:49 a.m.23 views

New Relic: Bypass of #447975 - view mobile application token though "Application Information" sidebar on Installation page

In 447975 I demonstrated that it was possible to view the application token for a mobile app by visiting the upgrade page - this was subsequently fixed by disallowing access completely for a restricted user to view that page. I've found a workaround to this fix, and in doing so I've enable my...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2019/01/14 4:33 a.m.17 views

New Relic: GET request to accounts.json on support site leaks the root account license key and the browser license key to a restricted user

Overview As a restricted user, you cannot view the main account license key. If you are logged into your restricted user account, and visit https://support.newrelic.com/, when you attempt to create a ticket the root account license key will be exposed in the request. Steps to Reproduce 1. From a...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2019/01/13 10:57 p.m.60 views

Weblate: No Rate Limit On Add new word

Hello I found in that there is no limit in the place of adding a new word which allows the attacker to add an infinite number of words which may cause a problem in the site and the server Steps To Reproduce : 1. Go To https://hosted.weblate.org/dictionaries/andors-trail/en/add And Fill in fields...

Exploits0
Hacker One
Hacker One
added 2019/01/13 6:5 p.m.47 views

Nextcloud: Stored XSS/HTML injection in autocomplete suggestions for sharing

encrypted report, see attached GnuPG file. I tried to send this by mail, but [email protected] told me that I'm forced sic! to signup here. Please use 7F40 5A4F FAA3 F51B FEFD EE2F CE82 B2C8 6DCE BB9F to contact me. Impact encrypted report, see attached GnuPG file...

0.8AI score
Exploits0
Hacker One
Hacker One
added 2019/01/13 9:17 a.m.20 views

Hyatt Hotels: Hyatt WeChat Secret, Baidu AK Secret, and mysql db credentials inadvertantly made publicly available

This one is slightly odd, so I've rated it a low, as I'm not able to confirm whether or not these are active creds/secrets it's late and I don't speak/read Chinese. During recon for hyatt.com, I stumbled across this github.com repo that seems to be for hyatt's wechat setup:...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2019/01/12 4:8 p.m.15 views

ok.ru: Privilege Escalation удаляем все созданные ссылки с okl.lt

IDOR at okl.lt allowed to hide links in another user's dashboard. The short link itself remained functional. Уязвимость позволяла скрывать все созданные ссылки другими пользователями в их панеле, но ссылка продолжала работать IDOR at okl.lt allowed to hide links in another user's dashboard. The...

1.1AI score
Exploits0
Hacker One
Hacker One
added 2019/01/12 11:1 a.m.33 views

Pornhub: XSS reflected on [https://www.youporn.com]

The researcher managed to obtain arbitrary javascript execution through reflected XSS on the Youtube World's RSS feed...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2019/01/12 12:46 a.m.95 views

Internet Bug Bounty: imagecolormatch Out Of Bounds Write on Heap

The link to the PHP bug: https://bugs.php.net/bug.php?id=77270 This is possible to exploit in PHP 7.0.33 and 5.6.39. I used this vulnerability to write a local safe mode bypass exploit. It is possible to write up to 1200 bytes over the boundaries of a buffer allocated in the imagecolormatch...

6.8CVSS9.1AI score0.65116EPSS
Exploits7
Hacker One
Hacker One
added 2019/01/12 12:41 a.m.49 views

Internet Bug Bounty: efree() on uninitialized Heap data in imagescale leads to use-after-free

The core bug: https://bugs.php.net/bug.php?id=77269 This bugfix actually involves two vulnerabilities: a call to efree on uninitialized data and another free based vulnerability. What is described below is a bug that was fixed in libgd two years ago CVE-2016-10166, but the patch was never applied...

7.5CVSS8.9AI score0.10687EPSS
Exploits0
Hacker One
Hacker One
added 2019/01/11 10:11 a.m.97 views

Internet Bug Bounty: buffer overread in base64 code of the xmlrpc module

Malformed input to the xmlrpcdecode function can cause an out of bounds read in the base64 code. This is fixed in the latest updates of PHP 7.3.1 etc. Report: https://bugs.php.net/bug.php?id=77380 Impact If the attacker has access to the decoded output this may leak memory contents...

5CVSS8.2AI score0.0712EPSS
Exploits1
Hacker One
Hacker One
added 2019/01/11 10:10 a.m.79 views

Internet Bug Bounty: Use after free and out of bounds read in xmlrpc_decode()

Malformed input can lead to use after free and out of bounds memory errors. This has been fixed with the latest updates of PHP 7.1.26/7.2.14/7.3.1. Note: I reported those as separate bugs to PHP, but they had the same underlying bug and were fixed by the same commit. The release notes only mentio...

7.5CVSS9.7AI score0.10059EPSS
Exploits1
Hacker One
Hacker One
added 2019/01/10 8:59 p.m.25 views

OLX: XSS - main page - search[user_id] parameter

Hi, how you doing? This is a pretty straight foward XSS in the main page. Affected parameter: searchuserid Direct Link: https://www.olx.pt/braga/?searchuserid=1zqjeu'":/1zqjeu;9, ;prompt9;&view=galleryWide Tested in updated firefox. Impact XSS allows a intruder to inject html and client side...

6.1AI score
Exploits0
Hacker One
Hacker One
added 2019/01/09 10:3 p.m.59 views

Internet Bug Bounty: Heap Buffer Overflow (READ: 4) in phar_parse_pharfile

Phar files with HALTCOMPILER; in unexpected places can lead to a buffer overrun. This is something I found while fuzzing with AFL using an ASAN instrumented PHP. The issue can be observed by disabling the ZEND allocator and using ASAN or valgrind/etc? with a crafted phar as input. I have prepared...

5CVSS8.5AI score0.0566EPSS
Exploits1
Hacker One
Hacker One
added 2019/01/09 7:52 p.m.36 views

GitLab: Last build status and coverage leaked to unauthorized users

GitLab CI supports creating badges for the latest build/coverage on a certain branches. However, with restricted access, where users do not have access to pipelines, users still have access to the build/coverage status of any branch. This access works for different configurations: 1. For public...

5CVSS0.01911EPSS
Exploits1
Hacker One
Hacker One
added 2019/01/09 12:16 p.m.40 views

Internet Bug Bounty: ZeroMQ libzmq remote code execution

Bug report and exploit: https://github.com/zeromq/libzmq/issues/3351 Fix by me: https://github.com/zeromq/libzmq/pull/3353 My motive for full disclosure is as follows: Is it true that it is not safe to use ZeroMQ over the internet because it will crash? Earlier versions of the ZeroMQ library befo...

9CVSS8.6AI score0.09444EPSS
Exploits2
Hacker One
Hacker One
added 2019/01/09 4:27 a.m.11 views

New Relic: IDOR allows accounts to view full name of other accounts based on email through share notes feature

This is a similar IDOR that I've reported in the past - but now that "anything goes" is in scope I looked around and tried to find other areas within the application that this might exist in. And I found it while sharing a note: Steps to Reproduce From new user creation page: 1. Add a new user to...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2019/01/08 4:10 p.m.44 views

Nextcloud: Private/confidential setting of calendar events is ignored on activity stream

https://github.com/nextcloud/server/pull/13331 Events that are private should not generate events for other users Events that are confidential should not leak the name to other users Impact The details are leaked to other users...

1.7AI score
Exploits0
Hacker One
Hacker One
added 2019/01/08 11:41 a.m.17 views

Nextcloud: WordPress vulnerable to multiple attacks at https://nextcloud.com

summary: your current version of WordPress is available to multiple attacks check INFO.php available attacks: - Unauthenticated Arbitrary File Deletion - lib/IPTraf.php User-Agent Header Stored XSS - Password Creation Restriction Bypass - wp-admin/admin.php whois Parameter Stored XSS - XSS & IAA ...

1.5AI score
Exploits0
Hacker One
Hacker One
added 2019/01/08 9:59 a.m.182 views

Nextcloud: Password authentication at newsletter.nextcloud.com discloses username list

summary: A vulnerability classified as problematic has been found in OpenSSH 7.2p2. check INFO.pngAffected is an unknown function of the component Authentication. The manipulation of the argument Password with an unknown input leads to a information disclosure vulnerability Username. CWE is...

4.3CVSS0.88944EPSS
Exploits12
Hacker One
Hacker One
added 2019/01/07 11:12 p.m.28 views

MariaDB: CRLF injection at https://mariadb.org/.

A CRLF injection vulnerability was discovered on our website that could lead to attacks such as client side cookie injection. This has been resolved by adjusting the offending rewrite rule in our web server configuration...

1.8AI score
Exploits0
Hacker One
Hacker One
added 2019/01/07 8:34 p.m.47 views

Internet Bug Bounty: Buffer over-write in finfo_open with malformed magic file.

https://bugs.php.net/bug.php?id=71527 This bug causes a segfault when running with environment variable USEZENDALLOC set to 0, and also when compiled with ASAN with USEZENDALLOC set and unset. To reproduce, run the following PHP file, with the example magic file below. $ cat magic-open.php Magic...

7.5CVSS8.6AI score0.04985EPSS
Exploits1
Hacker One
Hacker One
added 2019/01/07 8:25 p.m.30 views

Internet Bug Bounty: Negative size parameter in mb_split

https://bugs.php.net/bug.php?id=77367 mbsplit doesn't correctly detect the length when the $string has an unfinished multibyte character at the end of the string. This causes a crash due to a negative parameter to addnextindexstringl, which calls zendstringinit and memcpy. Could reproduce on...

7.5CVSS8.7AI score0.03058EPSS
Exploits1
Hacker One
Hacker One
added 2019/01/07 8:15 p.m.74 views

Internet Bug Bounty: Heap overflow in utf32be_mbc_to_code

https://bugs.php.net/bug.php?id=77418 Buffer overflow in mbctocode functions for UTF32BE, UTF32LE, UTF16BE, and UTF16LE due to incorrect length assumptions of a buffer. Provided a patch that was adapted to check the length of the buffer prior to using it. Impact Memory leakage and/or corruption...

7.5CVSS9.4AI score0.09317EPSS
Exploits1
Hacker One
Hacker One
added 2019/01/07 7:11 p.m.14 views

Uber: SQLI on desafio5estrelas.com

Vendor created and managed site desafio5estrelas.com had a SQLI vulnerability which could potentially expose sensitive data. A time-based blind MYSQL SQLI vulnerability existed at the endpoint https://desafio5estrelas.com/login in the URL parameters "codigo". Basic SQLI that was found on an uber...

1.1AI score
Exploits0
Hacker One
Hacker One
added 2019/01/07 5:45 p.m.35 views

HackerOne: Response program can display "eligible for bounty" in scope area in program policy

Hello Hackerone Team and @jobert First of all, Happy new year to everyone. Summary Response program can also display "eligible for bounty" assets on program policy. It's basically causing from backend in terms of GRAPHQL mutation query for eligible in bounty:true which stays forever on response...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2019/01/07 8:54 a.m.70 views

Internet Bug Bounty: heap buffer overflow in phar_detect_phar_fname_ext

The original report is here https://bugs.php.net/bug.php?id=77247 txt USEZENDALLOC=0 ./php-src-PHP-7.2.13/sapi/cli/php -r "vardumpnew Pharfilegetcontents'poc.phar',0,'test.phar';" txt ================================================================= ==44888==ERROR: AddressSanitizer:...

7.5CVSS8.9AI score0.10059EPSS
Exploits1
Hacker One
Hacker One
added 2019/01/06 11:40 p.m.15 views

Rockstar Games: DOM Based xss on https://www.rockstargames.com/ ( 1 )

In this report the researcher identified a DOM-based Cross-Site Scripting vulnerability on the main rockstargames.com site. This could have been exploited to steal victim's cookies. The XSS vulnerability was discovered by combining multiple lower-severity vulns, such as directory traversal and an...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2019/01/06 12:32 a.m.16 views

VK.com: Логирование ответов запросов VK API в приложении Клевер

Просмотр логов в режиме дебага...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2019/01/05 10:26 p.m.12 views

RATELIMITED: Apache mod_negotiation filename bruteforcing https://api.ratelimited.me

The Apache modnegotiation module allowed for filename bruteforcing and information disclosure through a 406 Not Acceptable error response. This vulnerability has been fixed by disabling the MultiViews directive in Apache's configuration file and restarting the server...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2019/01/05 5:51 p.m.13 views

Nextcloud: Github repo's wiki publicly editable

Hello Team, Github repo's wiki page is publicly editable. This enables an attacker to edit the wiki pages of the affected repo's. Adding content that may link to malicious code libraries that would be installed and used by developers or information that may mislead users. POC link...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2019/01/05 5:12 p.m.14 views

GitLab: A profile page of a user can be denied from loading by appending .html to the username

Summary: I was able to create a user with the username "dashboard.html". Once, the account is set up, when the user clicks on his profile, the actual dashboard will show up instead of his profile page. Same can be done for all the HTML pages in GitLab. Steps To Reproduce: 1. Register a new user...

Exploits0
Hacker One
Hacker One
added 2019/01/05 9:4 a.m.47 views

CFP Time: Missing Two Factor Authentication in /admin/login

Hello Team, First of all this report is just mainly concern for Suggested security improvements based on your policy page. If and only if not mean possible, please do let me know. Thanks! INTRODUCTION Administrative panel is one of the main entry point for the website owner to manage their web ap...

7.2AI score
Exploits0
Hacker One
Hacker One
added 2019/01/05 2:46 a.m.157 views

Liberapay: User Enumeration

@offgouvea reported a user enumeration issue. User enumerations are out-of-scope as mentioned in our program's policy...

1.8AI score
Exploits0
Hacker One
Hacker One
added 2019/01/04 7:53 p.m.25 views

Rockstar Games: CSRF Vulnerability on https://signin.rockstargames.com/tpa/facebook/link/

In this report, the researcher identified a Cross-Site Request Forgery vulnerability that could have allowed attackers to link a Facebook account to another user's Social Club account, and thus gain the ability to log in as the victim. We implemented an anti-CSRF token as part of the...

2.8AI score
Exploits0
Hacker One
Hacker One
added 2019/01/04 5:57 p.m.17 views

Khan Academy: Subdomain takeover on healthyhackathon.khanacademy.org and hackweek.khanacademy.org

Summary : healthyhackathon.khanacademy.org can be took over, since it points to a bucket in S3 but that bucket does not exists. I know this domain is used to host information of healthyhackathon which is held by khanacademy, but you will not be able to do this anymore if someone is going to claim...

2.1AI score
Exploits0
Hacker One
Hacker One
added 2019/01/04 3:36 p.m.81 views

CFP Time: Content spoofing on error pages or text injection

Poc: https://www.cfptime.org/%20is%20not%20available%20anymore%20,%20pls%20go%20to%20WWW.EVIL.COM%20because%20this%20site. Steps to reproduce: 1: Just browse this target on any browser 2: Target: http://www.cfptime.org/ 3: add any content after For example: this is not available anymore pls check...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2019/01/04 1:49 p.m.307 views

HackerOne: Cross-site Scripting (XSS) on HackerOne careers page

Dear HackerOne team, Summary: I found DOM XSS at endpoint https://www.hackerone.com/careers, but can not bypass CSP. It's work on IE and Edge. Steps To Reproduce - JS file is "Masonry js file", vulnerability code: javascript //Checking for potential Lever source or origin parameters var pageUrl =...

Exploits0
Hacker One
Hacker One
added 2019/01/03 5:42 p.m.31 views

CFP Time: Error Page Content Spoofing or Text Injection

Description: hello sir, i found that one you once you write any thing after / in www.cfptime.org/ is reflected in the error page example go to www.cfptime.org/texthere you will see test here in the 404 error page Steps To Reproduce: 1.go...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2019/01/03 10:28 a.m.15 views

Ruby on Rails: XSS due to incomplete JS escaping

ActionView::Helpers::JavaScriptHelper inside rails/actionview/lib/actionview/helpers/javascripthelper.rb provides JS escaping in Rails, but fails to protect template literal strings. As such, there are two ways XSS can occur: XSS via template literal break out: 1 Create a view with the following...

2.3AI score
Exploits0
Hacker One
Hacker One
added 2019/01/02 3:34 p.m.26 views

Rockstar Games: Race condition vulnerability on "This Rocks" button.

In this report, the researcher brought to our attention a misbehavior in the "This Rocks" button that we use on the Social Club site. Using curl and a proxy tool such as Burp Suite, an attacker could invoke the "This Rocks" API call multiple times rapidly, and the system would accept multiple...

1.1AI score
Exploits0
Hacker One
Hacker One
added 2019/01/02 10:50 a.m.17 views

Keybase: XSS on Desktop Client

Steps to reproduce 1. Create a file named as 'alert1v.SS'.mp4 in the keybase public/private folder. 2. On the desktop client open the file as a preview. 3. An alert box pops up. gif poc: F399836 The Problem The client/shared/fs/filepreview/av-view.desktop.js file contains a template literal with...

7AI score
Exploits0
Hacker One
Hacker One
added 2019/01/02 3:20 a.m.858 views

Ruby on Rails: RCE which may occur due to `ActiveSupport::MessageVerifier` or `ActiveSupport::MessageEncryptor` (especially Active storage)

Since ActiveSupport::MessageVerifier and ActiveSupport::MessageEncryptor use Marshal as the default serializer, I confirmed that RCE is possible by object injection. ruby https://github.com/rails/rails/blob/v5.2.2/activesupport/lib/activesupport/messageverifier.rbL110 def initializesecret, option...

7.5CVSS0.4AI score0.92144EPSS
Exploits13
Hacker One
Hacker One
added 2019/01/01 5:17 p.m.43 views

Node.js third-party modules: [bower] Arbitrary File Write through improper validation of symlinks while package extraction

I would like to report file write in arbitrary locations via install command in bower It allows attackers to write arbitrary files when a malicious package is extracted. Module module name: bower version: 1.8.4 npm page: https://www.npmjs.com/package/bower Module Description Bower offers a generi...

5CVSS0.8AI score0.02566EPSS
Exploits1
Hacker One
Hacker One
added 2019/01/01 4:18 p.m.9 views

RATELIMITED: Cross Site Request Forgery in auth in https://auth.ratelimited.me/

Hi there i found a vulnerable post that an attacker can execute csrf into the victim. Steps to reproduce: 1º login into your account and with burp on intercept the request off update profile. csrf1.jpg 2º Send the post request to the generator csrf poc and alter the details. history.pushState'',...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2019/01/01 11:18 a.m.30 views

Starbucks: Bug in GraphQL and API integration leads to limited user address disclosure

A modified GraphQL query to fetch a user's address book entries led to a limited disclosure of user address book entries. The modified query resulted in a backend API request with undefined as a parameter. The response contained address lists of accounts with a username of undefined. We were not...

1AI score
Exploits0
Hacker One
Hacker One
added 2018/12/31 10:54 p.m.42 views

VK.com: доступ к com.vk.usersstore.UsersContentProvider, возможна утечка exchange_token на android < 21

Подмена разрешений на старых версиях Android...

6.9AI score
Exploits0
Total number of security vulnerabilities15371