Lucene search
K
HackeroneRecent

15371 matches found

Hacker One
Hacker One
added 2018/09/24 3:35 p.m.69 views

Chaturbate: Open redirect on chaturbate.com (tipping/purchase_success)

Hi, I would like to report an open redirect issue on https://chaturbate.com/ Description An attacker can redirect a user to any external website using the parameter prejoindata, this parameter seems to miss sanitization. Steps to Reproduce Visit the following url:...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2018/09/24 2:55 p.m.55 views

Chaturbate: Reflected XSS on secure.chaturbate.com

The hacker found that an external asset used for fraud detection on secure.chaturbate.com was not sanitizing input parameters and could be used for reflected XSS. This external asset was removed...

3.4AI score
Exploits0
Hacker One
Hacker One
added 2018/09/24 12:58 p.m.39 views

Ruby on Rails: Untrusted strings that are cache fetched with raw option are automatically marshal loaded

This vulnerability effects application code that caches a string from an untrusted source using the raw: true option. For example, vulnerable application code might looks something like the following ruby body = Rails.cache.fetchkey, raw: true, expiresin: ttl do res = Net::HTTP.getresponseremoteu...

7.5CVSS9.6AI score0.45732EPSS
Exploits5
Hacker One
Hacker One
added 2018/09/24 6:52 a.m.24 views

Mail.ru: Блокированный ящик ( Обход )

It was possible to bypass administrative lock for mailbox e.g. lock set by biz.mail.ru domain administrator by pre-requesting recovery link...

2.1AI score
Exploits0
Hacker One
Hacker One
added 2018/09/23 5:15 p.m.57 views

Dropbox: Stored XSS in dropboxforum.com

This report described a vulnerability where an attacker could put a specially crafted payload into the reply section of threads on dropboxforum.com to bypass the HTML filter on the site. This enabled a stored XSS attack against anyone viewing the message. This was an issue in Lithium forum...

0.8AI score
Exploits0
Hacker One
Hacker One
added 2018/09/23 4:19 p.m.23 views

8x8: CRLF injection agentcrm.8x8.com

The agent application was vulnerable to a response splitting attack when parsing line feed characters in a given URL...

4AI score
Exploits0
Hacker One
Hacker One
added 2018/09/23 12:23 p.m.15 views

8x8: Stored Cross Site Scripting.

Hellow team I got Stored based XSS on your web :D Here Is Step : 1. Go to https://www.easycontactnow.com/ 2. Click "Try For Free" Sign Up 3. It will told you "Enter your details to get started". So Enter your full name like : "alert1 Then put all the other details. 4. Then Confirm your id and...

5.7AI score
Exploits0
Hacker One
Hacker One
added 2018/09/23 7:24 a.m.15 views

HackerOne: Hacker can request mediation for published reports

Hi team, @jobert Summary: After creating the publish report, we do not have a field to send the requested meditation from HackerOne Support Description: Steps To Reproduce 1. Create publish report for any program ████████ 2. Use query https://hackerone.com/reports/numberpublishreport/hackerhelp M...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2018/09/22 12:13 p.m.14 views

8x8: Hardcoded credentials in Android App

The mobile applications contained a URL that included credentials to a third party bug capture API. Access was restricted to pushing bug information...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2018/09/22 11:34 a.m.14 views

8x8: XSS (Cross site scripting) on https://apimgr.8x8.com

The domain apimgr.8x8.com hosted an outdated version of WSO2 Data Analytics Server...

1AI score
Exploits0
Hacker One
Hacker One
added 2018/09/22 7:6 a.m.49 views

Khan Academy: Creating Unlimited Fake Accounts.

Hello @khanacademy, Anyone can create unlimited fake accounts using temp mails. i,e https://temp-mail.org/en/ 1- Go to https://temp-mail.org/en/ 2- Select an mail 3- Enter that mail while creating an account in khanacademy 4- You will get confirm mail from khanacademy on https://temp-mail.org/en/...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2018/09/22 6:36 a.m.55 views

Internet Bug Bounty: XML hash collision DoS vulnerability in Python's xml.etree module

Python's standard library uses libexpat to parse XML. Internally the expat library has a hash table implementation to efficiently store and lookup DTD elements like entities, elements, attributes, etc. Hash tables are potentially vulnerable to hash collision Denial-of-Service attacks, which turns...

5CVSS7.8AI score0.10911EPSS
Exploits0
Hacker One
Hacker One
added 2018/09/21 5:44 p.m.949 views

Chaturbate: No rate limit in stats api token endpoint

Brute force on statsapi endpoint to view stats of an user Steps To Reproduce: 1. Stats api token can be generated at https://chaturbate.com/statsapi/authtoken/ https://chaturbate.com/statsapi/?username=hackeronetestchat&token=vulnerable I've used my profile and and my token to check brute force T...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2018/09/21 3:53 p.m.54 views

Grammarly: Permissive CORS policy trusting arbitrary extensions origin

@foobar7 identified that misconfigurations in CORS and CSRF handling allowed malicious browser extensions, which have permission to interact with grammarly.com domain, to impersonate the user. The vulnerability was resolved with improved CSRF/CORS handling...

3.6AI score
Exploits0
Hacker One
Hacker One
added 2018/09/21 3:35 p.m.27 views

Starbucks: China - ecjobsdc.starbucks.com.cn html/shtml file upload vulnerability

1, Summary During the test, I found ecjobsdc.starbucks.com.cn this site has an upload vulnerability, you can upload html and shtml format files, so you can read the server's intranet IP, the physical address of the website application and read the website web.config file. 2, Vulnerability scope...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/09/20 7:53 p.m.35 views

HackerOne: User with privilege to maintain External Programs can update certain churned HackerOne programs

Summary: You wrote that some programs are behind, but you are trying to get them back sorry maybe bad translation Description: Apparently because of a system error, I have access to change information in the public program. This option is given only for external programs.But here is a public...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2018/09/20 7:4 p.m.5002 views

Chaturbate: Leaking Username and Password in the URLs via Virustotal, can leads to account takeover

Hi Dear @chaturbate team Vulnerability Type Critical Information Leakage in URLs via Virustotal. Vulnerability Severity High. Description During my regular testing, went to https://www.virustotal.com/%2Fdomain%2Fchaturbate.com After reviewing all URLs more and more, I got 2 Interesting and Critic...

0.8AI score
Exploits0
Hacker One
Hacker One
added 2018/09/20 5:4 p.m.65 views

Chaturbate: Blind SSRF at https://chaturbate.com/notifications/update_push/

In the application at https://chaturbate.com/notifications/updatepush/ there is a functionality to subscribe any cam model which will trigger the provided request. Using this Request an attacker can execute SSRF attack and also steal sensitive Token / Keys of the internal web server Steps to...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2018/09/20 2:55 p.m.982 views

Chaturbate: Password protected rooms total number of viewers disclosure to unauthorized members

Summary Password protected rooms are supposed to be completely private, no information should be exposed if you do not have the room's password, and the UI looks like this. F348826 However, through the following endpoint, It is possible to know the total number of viewers of the room even if it i...

0.6AI score
Exploits0
Hacker One
Hacker One
added 2018/09/20 10:33 a.m.146 views

Chaturbate: Open redirection at https://chaturbate.com/auth/login/

Hi, Summary An attacker can redirect vicitm on an external website using https://chaturbate.com/auth/login/ endpoint because next parameter is not being validated properly. There is a protection existed but it's weak and can be bypassed. http keyword is detected and protection works if payload...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/09/20 9:0 a.m.18 views

Alliance of American Football : Stored xss in address field in billing activity at https://shop.aaf.com/Order/step1/index.cfm

Dear Team, Summary: add summary of the vulnerability After looking into https://shop.aaf.com/Order/step1/index.cfm i get to know that there is address field is vulnerable to stored xss which can lead to steal any user's cookie and can lead to complete account takeover Description: add more detail...

Exploits0
Hacker One
Hacker One
added 2018/09/20 8:30 a.m.845 views

Chaturbate: View Failed Approval and Pending videos other users

See videos uploaded by a user. The video is available when it waits for confirmation or is not accepted. Steps To Reproduce: 1 - Go victim page : https://chaturbate.com/p/akaxanxa/?tab=bio 2 - Open video : https://chaturbate.com/photovideos/photo/big/username/contentid/ 3 - Get random requests -...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/09/20 3:40 a.m.83 views

Chaturbate: Form Replay in customer information form

The hacker found that the server replays some form field data back in the response when there were form validation errors, which could be cached or viewed by someone with physical access to the same device used to complete the form. The fix was to delete the form data from showing in the response...

2.1AI score
Exploits0
Hacker One
Hacker One
added 2018/09/19 6:10 p.m.22 views

RubyGems: DNS SRV lookup of file:// sources enables local hijacking of gems

Summary gem makes a DNS SRV query for each of its configured sources; the response is allowed to override the source URL in certain ways. The SRV query happens not only for http:// and https:// sources, but also for s3:// and file://. In the case of file://, the SRV response may add a prefix to t...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2018/09/19 2:41 p.m.27 views

Mail.ru: Чтение файлов на сервере и раскрытие директорий mediator.media

It was possible to access some internal addresses and special URI schemes due to lack of URI filteint on page submission. mediator.media it not in the Bug Bounty scope, the bounty was issued due to problem severity...

1.5AI score
Exploits0
Hacker One
Hacker One
added 2018/09/19 11:6 a.m.25 views

Node.js third-party modules: [http-live-simulator] Path traversal vulnerability

Module module name: http-live-simulator version: 1.0.6 npm page: https://www.npmjs.com/package/http-live-simulator Description this vulnerability is a bypass for the one found in this report in version 1.0.5 Steps To Reproduce: 1- Install the module : npm install -g http-live-simulator 2- Run the...

5CVSS0.4AI score0.0165EPSS
Exploits1
Hacker One
Hacker One
added 2018/09/19 7:34 a.m.5 views

Hyperledger: Brute Force of fabric-ca server admin account

fabric-ca server - Default configuration maxenrollments value -1enable outside enrollment - Listening 0.0.0.0:7054easily discoved and can be reached - No limit to wrong password try Above conditions result in brute force to CA server admin account Impact Attack gain a high-level permissioned...

1.9AI score
Exploits0
Hacker One
Hacker One
added 2018/09/19 5:13 a.m.1318 views

Chaturbate: Forget password link not expiring after email change.

I found a token miss configuration flaw in chaturbate.com, When we reset password for a user a link is sent to the registered email address but incase it remain unused and email is updated by user from setting panel then too that old token reset link sent at old email address remains valid. A...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2018/09/19 3:54 a.m.21 views

Valve: code injection, steam chat client

The steam chat client allows oEmbed, apparently based on a whitelist. One of the whitelisted oEmbedis codepen. When a codepen is created, it can be sent as a link to another steam user, and the code inside the codepen will execute within the privileged Steam Chat context. You can send these codep...

8.1AI score
Exploits0
Hacker One
Hacker One
added 2018/09/18 9:59 p.m.24 views

Informatica: Cisco RCE

The researcher was able to complete RCE attack and download sensitive files. We have mitigated it by hardening the machine and port. There are opened classical cisco smart install service, which was successfully exploited. Informatica is a fAsTeSt!!! bug fixer in my life. Closing vulnerability in...

2.6AI score
Exploits0
Hacker One
Hacker One
added 2018/09/18 5:35 p.m.28 views

Vanilla: Vanilla Forums AddonManager getSingleIndex Directory Traversal File Inclusion Remote Code Execution Vulnerability

Summary: An authenticated admin user can trigger a directory traversal to require call leading to local file inclusion which can allow an attacker to gain remote code execution. Notes: - You need to have an admin session to run this poc. - You can use the directory traversal to reach outside of t...

7.9AI score
Exploits0
Hacker One
Hacker One
added 2018/09/18 1:14 p.m.31 views

Vanilla: Abusing "Report as abuse" functionality to delete any user's post.

Hi Team, Greetings!! Description: I would like to report a vulnerability that can be used to delete any user’s post by abusing “Report an abuse” function within application. After specific number of reports submitted to server, it automatically deletes that post of user. Application has...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/09/18 12:22 p.m.39 views

ExpressionEngine: License verification mechanism can be bypassed

@unbaiat discovered that an invalid license file could be accepted as valid in certain circumstances. @unbaiat gave a detailed report with step-by-step instructions for replicating, enabling a speedy resolution to the issue...

2.3AI score
Exploits0
Hacker One
Hacker One
added 2018/09/18 12:7 p.m.30 views

ExpressionEngine: Persistent XSS via malicious license file

@unbaiat discovered that the display of the license file information was not properly sanitized leaving it vulnerable to XSS. @unbaiat gave a detailed report with step-by-step instructions for replicating, enabling a speedy resolution to the issue...

3AI score
Exploits0
Hacker One
Hacker One
added 2018/09/17 11:5 p.m.69 views

Vanilla: Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical)

Summary: An unauthenticated attacker can inject an serialized payload into a phar archive and trigger read access to it via an unprotected getimagesize. The attacker can leverage this to deserialize untrusted data and gain remote code execution. Notes: - THIS BUG IS UNAUTHENTICATED, however you...

8.1AI score
Exploits0
Hacker One
Hacker One
added 2018/09/17 4:5 p.m.19 views

Mail.ru: [moba.my.com] phpinfo, logs

PHP info and fragment of access logs were available...

1.8AI score
Exploits0
Hacker One
Hacker One
added 2018/09/17 3:49 p.m.184 views

Mail.ru: [sj.my.com] Source Code Disclosure /.svn/wc.db

Available SVN files for sj.my.com led to source code disclosure. sj.my.com is not currently covered by Bug Bounty program...

1.2AI score
Exploits0
Hacker One
Hacker One
added 2018/09/17 8:2 a.m.25 views

Starbucks: Unauthorized access to a system used for CI/CD processes

@k3m reported a vulnerability allowing unauthorized access to a system used for CI/CD processes. Our teams quickly restricted access and fixed the vulnerability. Thank you @k3m for a detailed report...

4AI score
Exploits0
Hacker One
Hacker One
added 2018/09/17 5:54 a.m.60 views

HackerOne: User login page doesn't implement any form of rate limiting

Hi Team, Summary: As a best practice a login page should have a rate limitting just like hackerone.com Vulnerable Request POST /auth/postlogin HTTP/1.1 Host: ctf.hacker101.com User-Agent: Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://ctf.hacker101.com/...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/09/16 2:35 p.m.13 views

IBM: Reflected XSS and Blind out of band command injection at subdomain dstuid-ww.dst.ibm.com

I found an XSS and Blind OS based injection issue due to the incorrect handling of the characters in THE EMAIL get& post parameters. A injected and a sleep command succesfully executed, the following link works as a PoC that alerts the string in the script: I reproduced the same on Firefox and IE...

2AI score
Exploits0
Hacker One
Hacker One
added 2018/09/16 6:34 a.m.60 views

HackerOne: Missing Certificate Authority Authorization rule

Certificate Authority Authorization supported by LetsEncrypt and other CAs allows a domain owner to specify which Certificate Authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authorities should refuse to issue a certificate unless they are the CA o...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2018/09/16 5:21 a.m.19 views

Vanilla: Vanilla Forums ImportController index file_exists Unserialize Remote Code Execution Vulnerability

Summary: An authenticated admin user can inject an serialized payload into a phar archive and trigger read access to it via an unprotected fileexists. An attacker can leverage this to deserialize untrusted data and gain remote code execution. Notes: - You need to have an admin account to run this...

Exploits0
Hacker One
Hacker One
added 2018/09/16 12:41 a.m.26 views

Valve: unlock self-lock by brute force

Due to a missing protection on the self account unlock feature, self unlock codes could be bruteforced - leading to unrestricted access to the account. The endpoint issue has been corrected...

2.8AI score
Exploits0
Hacker One
Hacker One
added 2018/09/15 10:22 p.m.49 views

Vanilla: Vanilla Forums Xenforo password splitHash Unserialize Remote Code Execution Vulnerability

Summary: An authenticated admin user can inject an unserializable password in a another users account. Later when attempting a login with that user, the attacker can trigger a call to an unserialize in the splitHash function. By using a custom pop chain to write into the constants.php file, an...

Exploits0
Hacker One
Hacker One
added 2018/09/15 7:10 p.m.117 views

Uber: Full Path and internal information disclosure+ SQLNet.log file disclose internal network information

The site at lab.usuppliers.uber.com was intended only for authenticated users, but certain internal pages did not enforce an authentication requirement. The log file at /OAHTML/bin/sqlnet.log disclosed internal Uber IP addresses, hostnames, and one internal username. Thanks again for this report...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2018/09/15 2:41 p.m.23 views

U.S. Dept Of Defense: Account takeover due to CSRF in "Account details" option on █████████

Summary: Hi DoD team, similarly to the previous CSRF that I've reported, I've found another CSRF in the same domain, but on the Account details option. Description: The CSRF issue allows me to modify the datas of every victim that is targeted using the CSRF file, and leading to account takeover...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2018/09/15 1:52 p.m.49 views

Tor: Expose user IP if TOR crashs

Greetings, I have noticed that for unpredictable reason a TOR relay can exposes the IP of an user. I noticed this by going to the server http://195.176.3.24/ and getting information about the headers. I arrived to this header who is : "X-Your-Address-Is" . How : -- - So I went to this tor-relay...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2018/09/15 6:49 a.m.12 views

HackerOne: Discrepancy in hacker profile report count may reveal existence of a private program by publishing a report

Hi team , @pei, @jobert , @bencode Summary: Again We have publish report page https://hackerone.com/hacktivity/publish But we have bypass query 401476 this description The profile page counts the number of created your reports. But it does not consider the reports that are created in the sandbox...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2018/09/15 4:40 a.m.130 views

Internet Bug Bounty: Improper handling of Chunked data request in sapi_apache2.c leads to Reflected XSS

Hey, Chunked requests can trigger xss and html injection at any end point because the APRBRIGADEINSERTTAILbrigade, bucket is getting destroyed by other handlers. Affected versions: Any OS: Any https://bugs.php.net/bug.php?id=76 Prashanths-MacBook-Pro: prashanthvarma$ nc localhost 80 POST /lol.php...

4.3CVSS6.5AI score0.04103EPSS
Exploits1
Hacker One
Hacker One
added 2018/09/15 2:34 a.m.24 views

Shopify: Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation

Summary GraphQL LiveView operation doesn't properly check for permissions before returning data. This allows "No Access" users to access some store settings and data by providing complete Shop schema fields in the request string. Steps to reproduce 1. Log into an attacker account of a test store...

7AI score
Exploits0
Total number of security vulnerabilities15371