Lucene search
K
HackeroneRecent

15371 matches found

Hacker One
Hacker One
added 2018/12/03 5:57 p.m.49 views

Mail.ru: [e.mail.ru] Stored xss in Mpop cookie

XSS on e.mail.ru domain via cookie content XSS in cookie via mitm. Good article - https://habr.com/en/post/460101/ by @w2w...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2018/12/03 3:53 p.m.78 views

Node.js third-party modules: Prototype pollution attack through jQuery $.extend

I would like to report prototype pollution in jQuery. It allows an attacker to inject properties on Object.prototype. Module module name: jquery version: 3.3.1 npm page: https://www.npmjs.com/package/jquery Module Description jQuery is a fast, small, and feature-rich JavaScript library. Module...

4.3CVSS1.1AI score0.87218EPSS
Exploits4
Hacker One
Hacker One
added 2018/12/02 12:31 p.m.16 views

Node.js third-party modules: [harp] File access even when they have been set to be ignored.

I would like to report information disclosure through file access in harp. It allows to access files that are supposed to be ignored according to the harp server rules. Module module name: harp version: 0.29.0 npm page: https://www.npmjs.com/package/harp Module Description zero-configuration web...

5CVSS4.8AI score0.01313EPSS
Exploits1
Hacker One
Hacker One
added 2018/12/02 10:32 a.m.10 views

Node.js third-party modules: [harp] Unsafe rendering of Markdown files

I would like to report Cross Site Scripting vulnerablity in harp module It allows to execute arbitrary JavaScript due to unsafe rendering of markdown files. Similar to 404126 Module module name: harp version: 0.29.0 npm page: https://www.npmjs.com/package/harp Module Description zero-configuratio...

Exploits0
Hacker One
Hacker One
added 2018/12/02 10:4 a.m.42 views

PayPal: Unsafe deserialization leads to token leakage in PayPal & PayPal for Business [Android]

A Bug Bounty researcher identified an issue where a JSON wrapper could be used to instantiate arbitrary Java objects. This could lead to circumstances where a class called in the PayPal Android app could be read by a malicious app on the same mobile device. A specific user’s session data could...

0.8AI score
Exploits0
Hacker One
Hacker One
added 2018/12/01 10:3 a.m.54 views

Node.js: Fix for CVE-2018-12122 can be bypassed via keep-alive requests

Summary: Fix for CVE-2018-12122 can be bypassed via keep-alive requests Description: I'm not a security expert, neither I'm familiar with Node.js core, so please forgive me if this report is inaccurate and in that case, sorry for your time. While investigating the issue 515I checked out the fix t...

5CVSS7.5AI score0.41288EPSS
Exploits0
Hacker One
Hacker One
added 2018/11/30 8:57 p.m.20 views

U.S. Dept Of Defense: HTML Injection + XSS Vulnerability - https://████████/ | Proof of Concept [PoC]

Hello U.S. Dept Of Defense Security Team, My name is Ismail Tasdelen. As a security researcher. I found a html injection and xss vulnerability. Url address : https://█████████/ HTML Injection + XSS Payload = html+injection+xss"Ismail Tasdelen Descripton : The server reads data directly from the...

6.4AI score
Exploits0
Hacker One
Hacker One
added 2018/11/30 8:5 p.m.51 views

Mail.ru: sql

SQL interface for web analytics was available at terrhq.ru subdomain...

2.1AI score
Exploits0
Hacker One
Hacker One
added 2018/11/30 5:5 a.m.32 views

HackerOne: Inline banner on Report page discloses whether organization runs a private program

Summary: Hi team , @jobert Description: Your engineers have created inscription - You are participating in a private program for ████████. Please do not publicly discuss the program until the program goes public. When a hacker creates a report in an external program with a private page, we will s...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/11/30 4:6 a.m.47 views

HackerOne: A user can bypass approval step in Hacker Publishing feature, allowing them to publish reports immediately

Summary: Hi team Description: Hacker can request agree-on-going-public publish report Steps To Reproduce 1. Create publish report 2. https://hackerone.com/reports/bulk POST...

0.8AI score
Exploits0
Hacker One
Hacker One
added 2018/11/30 12:23 a.m.50 views

Liberapay: Import of repositories from GitHub is tied to username instead of immutable ID

When a user verifies a Github account at /edit/elsewhere the final result is a Github username tied to a Liberapay account. The issue is Github usernames are mutable. Consider the scenario. 1. I create an account called ed-liberapay something likely to be claimed in the future 2. Verify that I ow...

1AI score
Exploits0
Hacker One
Hacker One
added 2018/11/29 9:50 p.m.64 views

Nextcloud: Expired reshare links allow access to all files in share

After a reshared subfolder link has expired, the link allows access to the full folder. I found the Problem in Nextcloud 14.0.3, but it still persists in 14.0.4 Steps: 1. share folder "A" with an nextcloud group 2. reshare a subfolder "B" of this folder with another user on this group in this cas...

5.5CVSS1.3AI score0.01036EPSS
Exploits1
Hacker One
Hacker One
added 2018/11/29 9:22 p.m.38 views

VK.com: Уязвимый класс WebView

Activity issue. Opening of webview that may lead to phishing attacks...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/11/29 5:16 p.m.24 views

Lyft: My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft

During a trip to a conference, I discovered that the Lyft app allowed users to create expense reports by exporting business ride history as a PDF or CSV file. Being an active Lyft user, this was excellent news to me since it made my life easier by simplifying the tedious process of work travel...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2018/11/29 2:55 p.m.25 views

Vimeo: Possibility to overwrite any file in the vpe.cdn.vimeo.tv leads to the Stored XSS for the all customers on the embed.vhx.tv

By modifying the Content-Type to be blank, during a PUT command, the researcher was able to upload files to the CDN. This has been resolved. It was possible to write and overwrite arbitrary files to the CDN vpe.cdn.vimeo.tv used for JS scripts delivery on the various in-scope assets using the PUT...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2018/11/29 2:11 a.m.57 views

Mail.ru: ОДМИН ТЭСТ

Test script on jw-cn-test-1.ext.terrhq.ru could be used to disclosure local database account. Database itself was not accessible...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2018/11/29 1:54 a.m.48 views

Mail.ru: сервант статус

Apache server status was available at jw-cn-test-1.ext.terrhq.ru...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2018/11/28 3:0 p.m.81 views

Mail.ru: source code leak

A fragment of source code was available for download on flash.terrhq.ru...

1.7AI score
Exploits0
Hacker One
Hacker One
added 2018/11/28 1:26 p.m.40 views

Infogram: User account blocking by Internal Server error

If you send a language=en in https://infogram.com/api/users/me user be forever get an Internal Server error EVEN AFTER re-logining: https://youtu.be/AxYa11lEiWA I idk why does hackerone can't upload this video so I uploaded this video privately to the youtube! In this video, I'm trying to relogin...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2018/11/27 10:43 p.m.26 views

Starbucks: Able to bypass information requirements before launching a Chat.

Summary: Bypass of mandatory fields before a Chat session can begin. Description: URL allows for bypass straight into chat, and Chat personnel won't know my name, just that they are chatting with someone. Platforms Affected: website/mobile app - please include browsers and app versions used for...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2018/11/27 8:3 p.m.26 views

PayPal: XSSI on refer.xoom.com allows stealing email addresses and posting to Twitter on behalf of victim

Due to a cross-origin configuration, the application at refer.xoom.com could be embedded in script tags on other websites. If a malicious site were open in the same browser as refer.xoom.com, the malicious site could see and extract data from the referral page. This included the email addresses...

1.9AI score
Exploits0
Hacker One
Hacker One
added 2018/11/27 4:34 p.m.60 views

Mail.ru: xss

XSS was reported for bb.cdn.gmru.net domain. This domain is considered sandbox with no security impact for XSS, but same XSS also existed in bb.mail.ru subdomain...

1AI score
Exploits0
Hacker One
Hacker One
added 2018/11/27 1:12 p.m.50 views

Zendesk: Blind XSS via Suspended Ticket Recovery

A cross-site scripting XSS vulnerability was reported to us. We validated the issue, investigated to ensure it wasn't exploited, and implemented a remediation to all customers. Big thanks to @trimatra-sec who was a pleasure to work with!...

3.1AI score
Exploits0
Hacker One
Hacker One
added 2018/11/27 11:45 a.m.34 views

Aeternity: Remote Code Execution in epoch via epmd

Summary: Remote Code Execution in epoch via exposed erlang ports epmd Description: Known Erlang cookie allows connecting to other Erlang nodes. Contrary to assumptions from https://github.com/aeternity/aetmodel/blob/master/ThreatModel.md, starting node with -sname does not prevent remote...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/11/27 8:8 a.m.16 views

U.S. Dept Of Defense: XSS on www.██████ alerts and a number of other pages

Summary: If an action on ███████ results in an error, an error dialog is shown. This dialog, in certain scenarios, is vulnerable to stored XSS due to a lack of sanitization. Description: In this specific example, I'll be using a GET endpoint that attempts to delete alerts based on an ID supplied...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2018/11/26 6:28 p.m.153 views

Node.js third-party modules: flatmap-stream malicious package (distributed via the popular events-stream)

I would like to report a case of malicious package flat-stream that made it's way into many other npm packages. One such popular package is event-stream user dominictarr transferred the ownership of an npm module to another user because he wasn't actively maintaining it. That user then added...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2018/11/26 1:42 p.m.23 views

Infogram: Is the 504 Gateway Time-out error ok?

Link: https://infogram.com/api/merge/auth/google/?redirectto=123&token=gulHMyL6-1H0Am4zXa4H7j0DWomPdnKPhZOk&redirectto=123 it gives 504 after a long time! Is it normal? It can be used for DOS! I use two redirectto= if I use just one redirectto= it gives the response fastly!...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2018/11/26 4:55 a.m.31 views

HackerOne: Attacker can claim credentials for private program that has a published external program

An attacker can obtain credentials for private programs that have a published external program, even when the attacker doesn't have access to the private program. Here is the regression spec to proof the security vulnerability: diff diff --git...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2018/11/26 4:2 a.m.64 views

Liberapay: Broken Authentication and session management OWASP A2

Hello @liberapay, Description: It seems now if attacker has csrf token & victim cookies then attacker can easily login to victim account without any login details. No need Of Any Username/Password Theory Proof-Of-Concept: - Go to https://liberapay.com/admin.101/edit/username any username/Self...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2018/11/25 9:32 p.m.32 views

Mail.ru: XXE крит

XXE injection in partner service with delegated my.com subdomain...

3.2AI score
Exploits0
Hacker One
Hacker One
added 2018/11/25 8:51 p.m.15 views

Ruby: Null character at fnmatch

I confirmed that it will behave unintentionally when null characters are entered in patterns with fnmatch, fnmatch? . log $ ruby -v ruby 2.5.3p105 2018-10-18 revision 65156 x8664-darwin16 $ irb irbmain:001:0 require 'pathname' = true should not be true irbmain:002:0 File.fnmatch"x\0yz", 'x' = tru...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2018/11/25 8:39 p.m.12 views

Mail.ru: benchmark metrics available at 5.61.239.154

Benchmark data for 3rd party product was available from outside. Benchmarking was performed using generated data in isolated testing evironment, so no actual data or production information was leaked...

2.2AI score
Exploits0
Hacker One
Hacker One
added 2018/11/25 7:57 a.m.14 views

Ruby: Command injection in Pathname

The command may be executed when the value passed to Pathname is the first character of "|". This is the same problem as https://bugs.ruby-lang.org/issues/14245, but here it is executed without warning. ruby $ ruby -v ruby 2.5.3p105 2018-10-18 revision 65156 x8664-darwin16 $ irb irbmain:001:0 ls ...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2018/11/25 7:41 a.m.29 views

Brave Software: Brave allows flash to follow 307 redirects to other origins with arbitrary content-types

Steps to reproduce: Used https://github.com/sp1d3r/swfjsoncsrf in latest available version of flash to send a post request cross-domain with a non-simple content type. Actual results: The request is sent in firefox. Expected results: The request should either not be sent or the content-type shoul...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2018/11/24 2:40 p.m.43 views

RubyGems: 65534 times efficient, Brute-force attack for api_key

I have found that type checking for apikey is insufficient in rubygems.org's source code. https://github.com/rubygems/rubygems.org/blob/master/app/controllers/applicationcontroller.rbL63 ruby def authenticatewithapikey apikey = request.headers"Authorization" || params:apikey @apiuser =...

7AI score
Exploits0
Hacker One
Hacker One
added 2018/11/24 2:10 p.m.23 views

HackerOne: IE only: stored Cross-Site Scripting (XSS) vulnerability through Program Asset identifier

Hai, I've found a stored xss vulnerability via assets but unfortunately its been blocked by CSP. Steps to reproduce:- 1 Add a asset like " i Go to program -- scope -- Add asset -- select 'Others' and give " ii Check your console now. 2 Then, Go to the created program. You can check with this...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2018/11/23 3:5 a.m.70 views

OLX: blog.praca.olx.pl database credentials exposure

Hi, I found that the site blog.praca.olx.pl is exposing the content of wp-config.php file in plaintext due that a misconfiguration in the file-manager plugin. The information can be accessed here: http://blog.praca.olx.pl/wp-content/uploads/file-manager/log.txt The credentials are stored in the...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2018/11/22 8:35 p.m.15 views

ok.ru: Отсутствие CSRF ключа на функции Закрытый Профиль.

"Friends only" account mode could be toggled on and off with a CSRF attack. Настройка Закрытый профиль могла быть включена или выключена через CSRF...

1.5AI score
Exploits0
Hacker One
Hacker One
added 2018/11/22 3:10 p.m.15 views

Shipt: Slack token leaking in stackoverflow and devtimes

A Shipt employee inadvertently posted a Slack Webhook URI including the authentication token on two public tech forums: Stackoverflow.com and devtimes.com. While this incoming webhook's configuration was restricted to posting in a single channel created for testing this application and only 2 Shi...

3.1AI score
Exploits0
Hacker One
Hacker One
added 2018/11/22 2:27 p.m.47 views

Mail.ru: Open Redirect In passport.maps.me/logout/?next=//fb.com/

Open redirect on passport.maps.me page...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2018/11/21 9:55 p.m.58 views

Uber: [usuppliers.uber.com] - Server Side Request Forgery via XXE OOB

It was possible to determine open internal ports on an usuppliers.uber.com server, via examination of different error messages to a specific POST request made with various payloads. This error message discrepancy would allow an attacker to discover open internal ports, potentially allowing more...

5CVSS3.2AI score0.0392EPSS
Exploits0
Hacker One
Hacker One
added 2018/11/21 5:29 p.m.17 views

FormAssembly: xmlrpc.php file is enable it will used for (DOS) and bruteforce attack

Wordpress that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made as a part of a huge botnet causing a major DDOS. The website https://www.formassembly.com/ has the xmlrpc.php file enabled and could thus be potentially used for such an attack against other victim hosts. In order ...

7AI score
Exploits0
Hacker One
Hacker One
added 2018/11/21 10:10 a.m.38 views

HackerOne: A user can request a report to be retested even though the program has not been verified by HackerOne

Hey Team I have some observations and issues which i found in my recent testing on h1 platform related to creation of a new private program , So here are my observations listed below - kindly have a look and revert back if you feel like these are valid and worth reporting issues. 1 Can A program...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/11/21 6:47 a.m.12 views

New Relic: Upgrade menu exposes the mobile application token meant to only be visible to administrators

Usually, the restricted user is not able to view the mobile application token for a mobile app - the page that this token is visible on is only accessible to administrators. However - there exists a workaround to this if you are a restricted user and you still want to obtain this token - simply...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/11/21 12:42 a.m.67 views

HackerOne: Embedded submission form UUIDs can be enumerated through GraphQL node interface, exposing sensitive program details

It's possible for an attacker to enumerate embedded submission form UUIDs through HackerOne's GraphQL node interface. In normal application behavior, an embedded submission form is queried through GraphQL with a UUID. These UUIDs are random and they're not susceptible to brute force attacks...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/11/20 4:11 p.m.38 views

U.S. Dept Of Defense: SQL Injection in Login Page: https://█████/█████████/login.php

Summary: I believe I've discovered an error based SQL injection in the login page for https://████/██████/login.php. Description: When browsing to the webpage https://█████/██████/login.php and entering certain control characters into the "Username" field, and SQL error Oracle is produced. Impact...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2018/11/20 5:7 a.m.51 views

Nextcloud: Share recipient can modify a share's expiration date

Vulnerable URL http://server/nextcloud/ocs/v2.php/apps/filessharing/api/v1/shares/share ID number Summary Nextcloud users can set expiration dates on documents they share with others. However, the function to update a share does not appear to properly validate the requester is the owner when...

4CVSS4.8AI score0.00684EPSS
Exploits1
Hacker One
Hacker One
added 2018/11/20 4:48 a.m.19 views

HackerOne: Corrupted Authorization header can cause logs not to be ingested properly in ████████

HackerOne ingests different logs in ██████, one of them being nginx access logs from our load balancers. The default log format of our load balancer configuration is shown below. As can be seen in the format, the HTTP user specified in the Authorization header $remoteuser is placed between the...

7AI score
Exploits0
Hacker One
Hacker One
added 2018/11/20 12:0 a.m.21 views

Versa Networks: Unapproved SSH Encryption Enabled

In VOS compromised, an attacker at network endpoints can possibly view communications between an unsuspecting user and the service using man-in-the-middle attacks. Usage of unapproved SSH encryption protocols or cipher suites also violates the Data Protection TSR Technical Security Requirements...

4.3CVSS3.8AI score0.0031EPSS
Exploits0
Hacker One
Hacker One
added 2018/11/20 12:0 a.m.17 views

Versa Networks: Plaintext Credentials in Backups & Configs

In Versa Director, the unencrypted backup files stored on the Versa deployment contain credentials stored within configuration files. These credentials are for various application components such as SNMP, and SSL and Trust keystores...

2.1CVSS3.2AI score0.00166EPSS
Exploits0
Total number of security vulnerabilities15371