Lucene search
K
HackeroneRecent

15371 matches found

Hacker One
Hacker One
added 2018/11/19 12:0 a.m.26 views

Versa Networks: Privilege Escalation Using Cron Jobs

In Versa Analytics, the cron jobs are used for scheduling tasks by executing commands at specific dates and times on the server. If the job is run as the user root, there is a potential privilege escalation vulnerability. In this case, the job runs a script as root that is writable by users who a...

7.2CVSS4.4AI score0.00228EPSS
Exploits0
Hacker One
Hacker One
added 2018/11/18 12:19 p.m.14 views

Node.js: Node.js HTTP/2 Large Settings Frame DoS

Hi, I would like to report a vulnerability in the http2 module of Node.js. In section 10.5 of the HTTP/2 RFC an attack is described where an attacker is sending large SETTINGS frames that includes many settings inside it. We tested this scenario by opening many connections to the server and sendi...

0.6AI score
Exploits0
Hacker One
Hacker One
added 2018/11/18 4:57 a.m.47 views

GitLab: GitLab's GitHub integration is vulnerable to SSRF vulnerability

The GitHub service is vulnerable to a SSRF vulnerability. An attacker may be able to leverage this to make arbitrary POST requests in a GitLab instance's internal network. It can also be used to connect to cloud provider's instance metadata API, which may result in the ability to execute commands...

4CVSS0.3AI score0.00988EPSS
Exploits1
Hacker One
Hacker One
added 2018/11/18 3:13 a.m.26 views

GitLab: Exfiltrate and mutate repository and project data through injected templated service

The GitLab import feature contains a vulnerability that allows an attacker to import a project that creates a service template. Service templates can normally only be created by a GitLab instance Administrator. When a new project is created, service templates are automatically initialized for the...

0.6AI score
Exploits0
Hacker One
Hacker One
added 2018/11/17 11:29 a.m.16 views

Mail.ru: [o2.mail.ru] nginx alias traversal

Invalid nginx configuration allowed limited path traversal in o2.mail.ru...

4.1AI score
Exploits0
Hacker One
Hacker One
added 2018/11/17 8:41 a.m.160 views

OLX: SQL Injection https://www.olx.co.id

I found the SQL Injection security hole on the website https://www.olx.co.id, this is a critical finding. here is the POC from the findings that I got Affectect:https://www.olx.co.id/ajax/buybundle/getbundle/ POC: Request DATA POST /ajax/buybundle/getbundle/ HTTP/1.1 Host: www.olx.co.id User-Agen...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2018/11/17 7:30 a.m.37 views

X (Formerly Twitter): CRLF injection

Hello twiiter security team, on the domain ads.twitter.com http response splitting is vulnerability. PoC: https://ads.twitter.com/subscriptions/mobile/landing?ref=gl-tw-tw-promote-mode?t=%0d%0atest:tested Impact an attacker can set new header...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/11/17 3:1 a.m.18 views

GitLab: EXIF metadata not stripped from JPG group logos

Summary: When uploading JPEG images as group logos on Gitlab, the EXIF metadata is not removed or changed in any way. Description: When setting up a group on Gitlab, you can upload a logo, and if you upload a JPEG with EXIF metadata on it, it isn't stripped. This can lead to disclosure of locatio...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2018/11/16 8:54 p.m.9 views

Khan Academy: Take over of accounts created using Google or Facebook

When a user creates an account using Google or Facebook and does not set an additional password, it is possible to set their passwords via CSRF. Since the account is created using a social media account, no existing password check is needed and the CSRF check on the endpoint is broken. To...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2018/11/16 5:55 p.m.34 views

HackerOne: Notifications sent due to "Transfer report" functionality may be sent to users who are no longer authorized to see the report

Hi Hackerone team, I am still able to access other program details etc. when i'm authenticated to HackerOne through SAML . I'm not sure if it's the same bug i reported earlier or there is some weak authorization check in place. PFA for more info i can access related to ██████████ etc. See the dat...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2018/11/15 2:24 p.m.12 views

QIWI: https://teamplay.qiwi.com/ накрутка баллов => финансовые убытки для компании

Накрутка баллов в teamplay.qiwi.com...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2018/11/15 10:55 a.m.155 views

Smule: Missing Rate Limit in Forgot Password can Lead to email address leakage of all smule accounts

Hello Smule, I have found a vulnerability by which an attacker can get access of all the gmail accounts associated with Smule. The forgot password parameter can be brute forced through which an attacker can get the email address. Steps to Reproduce Enter your email address and for the forgot...

0.8AI score
Exploits0
Hacker One
Hacker One
added 2018/11/15 5:33 a.m.60 views

GitLab: CRLF injection & SSRF in git:// protocal lead to arbitrary code execution

Summary: The implementation of git:// protocal in GitLab is vulnerable to CRLF injection and Server-Side Request Forgery. If the redis server is configured to listen on TCP socket eg. port 6379, an attacker can abuse SSRF to manipulate redis server, injecting malicious payload into systemhookpush...

0.6AI score
Exploits0
Hacker One
Hacker One
added 2018/11/14 10:16 p.m.9 views

PortSwigger Web Security: Privilege Escalation by abusing non-existent path. (Windows)

Vulnerability Overview When Burpsuite runs, it tries to load some DLLs in the path C:\Program%20Files. Because the folder doesn't exists, it can be created by a low-privileged user which can inject arbitrary DLL into the process when another privileged user runs Burpsuite. I have verified the...

2.5AI score
Exploits0
Hacker One
Hacker One
added 2018/11/14 3:25 p.m.18 views

Valve: Potential buffer overflow in demoplayer module of GoldSource Engine

Introduction Hey. There's a potential vulnerability in the GoldSource Engine that allows to write data to stack of arbitrary size, thereby causing a buffer overflow and the ability to execute assembler code using .dem files. Description The problem is located in the DemoPlayer::ReadDemoMessage...

2.1AI score
Exploits0
Hacker One
Hacker One
added 2018/11/14 2:56 p.m.31 views

Mail.ru: [Mail.Ru Android] Typo in permission name allows to write contacts without user knowledge

Hi, Mail.Ru app registers permission writecontacts xml but uses write xml which is unclaimed, has normal protection level by default and automatically granted to all apps. It means that any third-party apps have ability to insert any data into that database PoC xml java ContentValues contentValue...

1.7AI score
Exploits0
Hacker One
Hacker One
added 2018/11/14 11:6 a.m.17 views

Starbucks: Starbucks China Android app cloud storage service leaks a credential.

k3mlol found a credential encoded in the Starbucks China mobile application for Android phones, which provided access to a cloud-hosted service that was used to upload information for customer service requests. This credential allowed for read/write access. The credential has since been disabled,...

2.7AI score
Exploits0
Hacker One
Hacker One
added 2018/11/14 7:30 a.m.14 views

Smule: Missing Rate Limit in Password Change

Incorrect or missing rate limits related to account features...

2AI score
Exploits0
Hacker One
Hacker One
added 2018/11/14 5:29 a.m.63 views

Smule: Open Redirect on smule.com

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: Open Redirect at smule.com You...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/11/13 12:17 p.m.18 views

Shopify: Stored XSS on demo app link

Hi, I found stored XSS in apps.shopify.com in the DEMO URL of the apps you create. POC 1. go to your partner account and create a new app 2. go to DEMO link in https://apps.shopify.com/services/appsubmissions/edit of your app put the payload you see below: F374863 and when pressing on preview...

Exploits0
Hacker One
Hacker One
added 2018/11/13 11:4 a.m.34 views

Nextcloud: Event privacy level does not work in Thunderbird

Events in shared calendar with changed privacy level to any other than public are shown in Thunderbird as public anyway with all details How to reproduce: 1 - create an event in user A's calendar shared to user B 2 - change privacy setting of this event to any other than public 3 - open Thunderbi...

4CVSS0.9AI score0.00714EPSS
Exploits0
Hacker One
Hacker One
added 2018/11/13 3:44 a.m.12 views

GitLab: Add and Access to Labels of any Private Projects/Groups of Gitlab(IDOR)

Summary & Description : If you have a private project or private group then no non member should be able to access any information.But Adding Labels in your Private boards API request is vulnerable to IDOR attack which is leading to add private group/project labels and access it. Vulnerable Reque...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/11/12 9:18 a.m.92 views

OLX: Cross-site Scripting (XSS) - Reflected

Dear Security OLX team, I want to report the findings of the security gap on the olx.co.id website, the detailed findings are as follows: impact:https://www.olx.co.id/adminpanel/login/ Payload : ope8i"alert1grpo8 POC: paramter = userpassword POST /adminpanel/login/?ref0action=index&ref0method=ind...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2018/11/12 12:14 a.m.20 views

Uber: Access to SQL server of ubergreen.pt through password disclosure from different domain on same IP

The uber microsite http://ubergreen.pt has an open MYSQL port on 3306. ubergreen.pt itself is hosted on the IP 109.71.41.173. After some research, it was found that this IP also hosts many other domains. As of yesterday 11/10/18, this included the domain apps.etnos.co. This domain existed on the...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2018/11/11 9:56 p.m.18 views

QIWI: account takeover https://teamplay.qiwi.com

Здравствуйте. Нашел баг, как украсть аккаунт на данном сайте. Для того, чтобы это провернуть нам нужно знать эмайл вашего пользователя. Предположим что пользователь зашел на ваш сайт через аккаунт ВКонтакте, к его странице привязана почта [email protected] Мы идем на https://www.faceit.com и...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2018/11/11 6:46 p.m.26 views

HackerOne: Verbose PHP error messages exposed on a blog article

Hey guys! For what its worth, warning messages aren't suppressed on the /blog/ endpoint, giving verbose PHP error messages when visiting a blog article such as https://www.hackerone.com/blog/H1-702-2018-makes-history-over-500K-bounties-paid. F374066 Impact Not much impact, just disclosures of pat...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/11/11 2:45 p.m.23 views

Node.js third-party modules: Prototype pollution attack (upmerge)

Hi team, I would like to report a prototype pollution vulnerability in upmerge that allows an attacker to inject properties on Object.prototype. Module module name: upmerge version: 0.1.7 npm page: https://www.npmjs.com/package/upmerge Module Description JavaScript Object Merge and Clone for Clie...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2018/11/11 2:18 p.m.23 views

Node.js third-party modules: Prototype pollution attack (lutils-merge)

Hi team, I would like to report a prototype pollution vulnerability in lutils-merge that allows an attacker to inject properties on Object.prototype. Module module name: lutils-merge version: 0.2.6 npm page: https://www.npmjs.com/package/lutils-merge Module Description Merge javascript objects...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2018/11/11 1:39 p.m.24 views

Node.js third-party modules: Prototype pollution attack (mergify)

Hi team, I would like to report a prototype pollution vulnerability in mergify that allows an attacker to inject properties on Object.prototype. Module module name: mergify version: 1.0.2 npm page: https://www.npmjs.com/package/mergify Module Description Merge objects deeply Vulnerability...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2018/11/11 12:7 p.m.32 views

HackerOne: Open redirect vulnerability in index.php

Summary: Hello Team i would like to report an open redirect on hackerone.com with reference to report 320376. In report 320376 it shows vulnerability i mitigated but still i am able to reproduce it. so all the summary and description remains the same. Redirection is performed by HackerOne website...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2018/11/11 6:41 a.m.15 views

Semrush: Web cache deception attack - expose earning state information

Hello, I have found new Vulnerability in your website which called Web cache deception attack. It's found first time in Paypal. Web Cache Deception Attack Websites often tend to use web cache functionality to store files that are often retrieved, to reduce latency from the web server. Let's see a...

6.3AI score
Exploits0
Hacker One
Hacker One
added 2018/11/10 9:47 p.m.232 views

Khan Academy: Cross site scripting (content-sniffing)

Your website may be vulnerable to cross site scripting attacks HTTP request: GET...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2018/11/09 5:45 p.m.60 views

HackerOne: Accidental Access to Programs Information via SAML Login

On November 8th, 2018, HackerOne released software to production that contained a bug which impacted our Security Assertion Markup Language SAML authentication system. As a result of the bug, the SAML JIT Just-In-Time provisioning mechanism granted users of one customer program read-only access t...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2018/11/09 5:34 p.m.32 views

X (Formerly Twitter): Information Exposure Through Directory Listing vulnerability on 8 vcache**.usw2.snappytv.com websites

Summary: Researcher has found directory listing exposure to several vcache.usw2.snappytv.com websites. A directory listing provides an attacker with the complete index of all the resources located inside of the directory as well as download or access its contents. While the researcher did not dig...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2018/11/09 4:5 p.m.15 views

Node.js third-party modules: Prototype pollution attack (smart-extend)

Hi team, I would like to report a prototype pollution vulnerability in smart-extend that allows an attacker to inject properties on Object.prototype. Module module name: smart-extend version: 1.7.3 npm page: https://www.npmjs.com/package/smart-extend Module Description smart-extend is an extensio...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2018/11/09 2:12 p.m.31 views

Starbucks: Reflected Cross site Scripting (XSS) on www.starbucks.com

Summary: Reflected Cross site Scripting XSS on https://www.starbucks.com/account/signin?ReturnUrl Description: The attacker can execute javascript on the victims account just after the authentication process. Platforms Affected: www.starbucks.com www.starbucks.ca www.starbucks.com.br...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2018/11/09 8:44 a.m.19 views

Concrete CMS: SVG file that HTML Included is able to upload via File Manager

Concrete5 has the whitelist for restricting that malicious file is uploaded. concrete/config/concrete.php, Line no. 8688 The extension whitelist allows to upload SVG file. However, SVG can has the HTML elements in its code. Ref. https://www.w3.org/TR/SVG2/intro.htmlW3CCompatibility If web browser...

6.5AI score
Exploits0
Hacker One
Hacker One
added 2018/11/09 4:7 a.m.23 views

FanDuel: Passive mixed content issues on the site https://*.fanduel.com

Hello. Summary: While browsing the sites https://www.fanduel.com and https://subscriptionapi.fanduel.com found a mixed content error on the site with HTTPS. This error is located at https://www.fanduel.com/press and https://subscriptionapi.fanduel.com/press. Image are uploaded to the site via HTT...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2018/11/08 2:39 p.m.17 views

GitLab: Instant open redirect on Live preview WEB Ide opening

Hello Gitlab team! Asset is my own gitlab installation for Ubuntu. The issue I want to report is lack of sandbox attribute in iframe pointing to codesandbox. This results content inside iframe redirect top level window on load. How to reproduce: 1. create index.js with following content:...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2018/11/08 9:53 a.m.16 views

WordPress: RCE as Admin defeats WordPress hardening and file permissions

This vulnerability was found when I found myself in the following scenario: My collegue set up WordPress on his local machine and challenged me to hack it. Before he gave me admin access he used the following hardeing mechanisms: 1. PHP Safe mode 2. The entire web directory was not writable 3...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2018/11/07 1:52 p.m.50 views

Phabricator: TOTP Key is shorter than RFC 4226 recommended minimum

mongoose Observed Behavior: When creating a TOTP secret a 16 character base32 encoded string is presented to the user. Expected Behavior: I would expect a 32 character base32 secret to be presented. The RFC recommends 160 bits of entropy, which is 32 character x 5 bits per character in a base32...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2018/11/07 11:33 a.m.34 views

Kaspersky: Kaspersky Password Manager is vulnerable to HTML injection in the browser action pop-up via user name

Note: According to https://www.securityweek.com/kaspersky-adds-password-manager-bug-bounty-program and some other sources, Kaspersky Password Manager is in scope for this program. The program description doesn't reflect this however. Summary There is a stored XSS vulnerability in popover.html the...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/11/07 2:32 a.m.34 views

Imgur: Ability to login to the Nexus Repo Manager from https://nexus.imgur.com/

Hello Imgur Administrators, I am not sure if this falls in your scope but I wanted to alert you that your Nexus Repository Manager can be accessed through https://nexus.imgur.com/ Usually the default user/pass for the NRM are admin/admin123 but there is an alternative way to login using the below...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2018/11/06 7:43 p.m.21 views

Grammarly: Reflected Cross Site Scripting (XSS)

hi there, here is the link that fired XSS https://www.grammarly.com/blog/search/" Impact stealing cookies stealing data etc...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2018/11/06 4:52 p.m.1995 views

HackerOne: SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter

The embeddedsubmissionformuuid parameter in the /graphql endpoint is vulnerable to a SQL injection. Execute the following command to reproduce the behavior: Locally: curl -X POST http://localhost:8080/graphql?embeddedsubmissionformuuid=1%27%3BSELECT%201%3BSELECT%20pgsleep\30%3B--%27...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/11/06 10:4 a.m.17 views

X (Formerly Twitter): Incorrect details on OAuth permissions screen allows DMs to be read without permission

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: The OAuth screen can be tricke...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2018/11/06 6:45 a.m.20 views

Open-Xchange: No session expiry after log-out and session id exposed in URL

Hi, There is no session expiry after log-out which can help an attacker to take-over the full account by reusing it. The JSESSIONID which is vulnerable can be used unlimited times even after the password change. The server will keep on creating an unlimited number of sessions after each log-in...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2018/11/06 5:11 a.m.39 views

X (Formerly Twitter): Global defaming of any twitter user

Private tweets can be used to keep any user's tweet secret from rest of twitter world. Once the user changes his setting from private tweets to public tweets, all his secret tweets become visible. This can become a major issue causing global distributed attacks Steps to Reproduce 1. Assume the...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2018/11/06 2:59 a.m.22 views

Hanno's projects: Text injection at https://media.hboeck.de

Text injection possible at https://media.hboeck.de if we craft url like this: https://media.hboeck.de/?c=http://www.example.com We can see the output on web app. Impact Defacement of website by following crafted link...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2018/11/05 6:45 a.m.18 views

X (Formerly Twitter): Opportunity to post hidden comments

Twitter allows to comment on anyone's tweet. While testing this feature, observed that one can post comment on tweet which will be invisible to the victim whom the reply was posted and would be visible to any other twitter user. This can allow an Attacker to abuse victim on a tweet. The catch her...

6.7AI score
Exploits0
Total number of security vulnerabilities15371