Lucene search
K
HackeroneRecent

15372 matches found

Hacker One
Hacker One
added 2018/07/26 4:18 a.m.22 views

GSA Bounty: [idp.fr.cloud.gov] Open Redirect

Description: Open Redirect Domain: idp.fr.cloud.gov Steps To Reproduce: Open URL: https://idp.fr.cloud.gov//blackfan.ru/..;/css HTTP Response HTTP/1.1 302 Found ... Location: //blackfan.ru/..;/css/ ... Impact A web application accepts a user-controlled input that specifies a link to an external...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/07/26 3:48 a.m.29 views

HackerOne: Private program policy page still accessible after user left the program

Hi Team, Summary: I have found a critical sensitive information disclosure, I'm not sure if this is a result of a new hackerone UI update, I observed that some of the UI has been change such as Hacktivity etc. BUG: Now all private program policy page together with the updates is visible to me...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2018/07/25 8:41 p.m.52 views

Node.js third-party modules: [flintcms] Account takeover due to blind MongoDB injection in password reset

I would like to report a privilege escalation vulnerability in flintcms. It allows to reset a known user password, extract its password reset token and reset its password to then access the account. Module module name: flintcms version: v.1.1.9 npm page: https://www.npmjs.com/package/flintcms...

7.5CVSS10AI score0.0379EPSS
Exploits1
Hacker One
Hacker One
added 2018/07/25 5:19 p.m.21906 views

Chaturbate: Login form on non-HTTPS page on http://stream.highwebmedia.com/auth/login/

Dear Team, Summary A page on a http://stream.highwebmedia.com/auth/login/ is not fully protected by an SSL certificate. This could allow an attacker in a Man-in-the-Middle position to obtain usernames and passwords of users visiting the site. Note the warning in screenshot 1, firefox has identifi...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/07/25 9:15 a.m.22 views

Rocket.Chat: Slack Token exposed over internet (Github)

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: Slack token is...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2018/07/25 7:20 a.m.11 views

Semmle: Email Not Completely Deleted after Deleting an account

Description: If one of the user deletes their account it should be fully deleted in account while semmle doesnt delete it completely. Steps To Reproduce: Register email1 After registering, confirm your account. once email1 is confirmed. add another email which we will name as email2 Now Verify th...

1.9AI score
Exploits0
Hacker One
Hacker One
added 2018/07/25 6:50 a.m.19 views

Augur: Augur UI data can be completely replaced by an attacker which can lead to fund and reputation loss

Summary: A third party attacking site can fake UI data - markets, categories and other Description: A third party site can include a hidden iframe which can override "augur-node" configuration variable of a running augur application. This variable is persisted in localStorage. In the case of...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2018/07/25 5:23 a.m.88 views

Ubiquiti Inc.: Reflected XSS in Nanostation Loco M2 - AirOS ver=6.1.7

AirMax XW.v6.2.0 and prior containing multiple end-points with parameters vulnerable to reflected cross site scripting XSS, allowing attackers to abuse the user' session information and/or account takeover of the admin user. These vulnerabilities were found on AirMax AirMax AirOS v6.2.0 and prior...

4.3CVSS0.4AI score0.0102EPSS
Exploits0
Hacker One
Hacker One
added 2018/07/25 3:34 a.m.13 views

New Relic: [NR Alerts] Internal API exposes Synthetics monitor details to a restricted user without view monitor permissions

This bug requires a bunch of pre-setup, and a few conditions to make it work, but I'll do my best to write it out without making this a novel. You will need: 1. Account that is an admin 2. Account that is a "Restricted" user, without any synthetics permissions so, can't view monitors, can't edit...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/07/24 7:8 p.m.3006 views

Chaturbate: Users may still able to view chat room panel of password protected rooms

The hacker found that the chat room panel could be accessed without the user having the room password. This was resolved. An attacker may able to view a password protected chat room panel by requesting the api endpoint for room panel. It discloses information depends on what app they use...

1.6AI score
Exploits0
Hacker One
Hacker One
added 2018/07/24 6:19 p.m.881 views

Chaturbate: Reflected XSS on ssl-ccstatic.highwebmedia.com via player.swf

Hey there, There's a SWF based XSS on ssl-ccstatic.highwebmedia.com. You may want to update/remove the file. POC https://ssl-ccstatic.highwebmedia.com/jwplayer/player.swf?playerready=alertdocument.domain Thanks, Ben Impact...

1AI score
Exploits0
Hacker One
Hacker One
added 2018/07/24 6:2 p.m.253 views

Chaturbate: CSS Injection on /embed/ via bgcolor parameter leaks user's CSRF token and allows for XSS

Hi there, There's a CSS injection here: https://chaturbate.com/embed/admin/?bgcolor=%7D%7Bbackground:red&tour=nvfS&disablesound=0&campaign=iNSGX body, divmain, div.content, div.block, div.section margin: 0px; padding: 0px; body min-width:800px; div.content width: 100%; body background:...

1AI score
Exploits0
Hacker One
Hacker One
added 2018/07/24 3:39 p.m.85 views

Slack: Bypass of the SSRF protection in Event Subscriptions parameter.

The vulnerability is present in the "Event Subscriptions" parameter where: "Your app can subscribe to be notified of events in Slack for example, when a user adds a reaction or creates a file at a URL you choose. ". URL: https://api.slack.com/apps/YOUAPPCODE/event-subscriptions? When we add a sit...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2018/07/24 9:26 a.m.14 views

MariaDB: xmlrpc.php on mariadb.org can lead to DDOS and brute force attacks

XMLRPC was enabled and accessible on our website. Since we don't need any of the functionality provided by the Wordpress XMLRPC protocol, we were already trying to block XMLRPC requests to our site via our web server configuration, however, due to a syntactic error our enforcing rule did not appl...

2.6AI score
Exploits0
Hacker One
Hacker One
added 2018/07/24 8:33 a.m.33 views

VK.com: Bypass User Interaction to initiate a VoIP call to Another User

Initialization a call by a third-party application...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/07/24 6:11 a.m.180 views

Chaturbate: CSV Injection with the CSV export feature

Hi there, hope you are well, The "Download as a CSV" feature of does not properly "escape" fields. So that particular field is vulnerable to CSV injection. Steps of POC Step 1 : Go to any chat room and donate any token to some and in note insert =4+4. Step 2 : Now go to on this link and download...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2018/07/24 5:59 a.m.34 views

Vanilla: [allhiphop.vanillacommunities.com] XSS Request-URI

Summary: Reflected XSS via Request-URI for Internet Explorer. Steps to reproduce: 1. Open URL in Internet Explorer tested on IE 11 https://blackfan.ru/x?r=https://allhiphop.vanillacommunities.com/xxx%22-alertdocument.domain-%22xxx/%252e%252e/ blackfan.ru/x - a simple redirection script that is...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2018/07/24 4:31 a.m.12 views

Mail.ru: [rm.mail.ru] Request-Path XSS

Reflected XSS via GET paramters. rm.mail.ru is not covered by bug bounty program...

4.3AI score
Exploits0
Hacker One
Hacker One
added 2018/07/23 3:39 p.m.44 views

New Relic: Missing security best practices (leads to further impact)

Vulnerabilities:- 1.Use of old passwords is possiblecurrent password can be used as new password. 2.Email notification is not being sent to linked mail account while changing passwords steps to reproduce the two issues create account with password example badcracker@123 change password to...

0.6AI score
Exploits0
Hacker One
Hacker One
added 2018/07/23 2:14 p.m.42 views

Open-Xchange: store xss in calendar via upload filename

reproduce step 1.access url https://sandbox.open-xchange.com/appsuite/app=io.ox/calendar/scheduling 2.create appointment 3.upload file ,the file name with payload '"img src=x onerror=alertdocument.domain.svg' 4.access...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2018/07/23 12:48 p.m.55 views

Chaturbate: Rate limit missing at room login

Hello there, User are able to protect there broadcasting with password, so only password granted visitor can login to broadcast room. I notice that rate limit are missing at the endpoint /roomlogin/user/ which enable me to brute force on password field. I made 1k+ request but still server not blo...

Exploits0
Hacker One
Hacker One
added 2018/07/23 12:6 p.m.19 views

Chaturbate: Homograph attack on redirect URL

Hello Team There is no Homography protection on redirect URL URL: https://m.chaturbate.com/externallink/?url=http://ebаy.com In Homograph attack basically attacker may able to inject some malicious script with URL. Here i made homograph link for the ebay.com, when normal user see this link its lo...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/07/23 7:32 a.m.53 views

WordPress: Open API For Username enumeration

We Can do username enumeration, Reproduce: 1. Go any wordpress site. 2.www.site.com/?author=1 type ?author=1 at end of site 3. You will get www.site.com/author/admin now, admin is username of login panel of that site Thanks, Sameer Phad Impact -...

1.1AI score
Exploits0
Hacker One
Hacker One
added 2018/07/22 8:48 p.m.268 views

Chaturbate: Add non-existent room moderator

Description A broadcaster can add or remove a non-existent user as a moderator. This is submitted using the testbed as it wasn't possible to initiate a broadcast on the production site. Steps 1. As a broadcaster add a moderator to the broadcast attachment 1. 2. Observe the request sent to the...

1.1AI score
Exploits0
Hacker One
Hacker One
added 2018/07/22 12:50 p.m.112 views

Chaturbate: Blind SSRF on image proxy camo.stream.highwebmedia.com

The hacker discovered that our secure image proxy camo.stream.highwebmedia.com could be used to access https endpoints on internal ips. The application was patched to not allow access to internal ips. In this case these servers are in a separate cluster with no access to other services so possibl...

2.3AI score
Exploits0
Hacker One
Hacker One
added 2018/07/22 9:7 a.m.47 views

Chaturbate: Homograph attack on redirect URL (https://chaturbate.com/external_link/?url)

Hi There, Hope you are doing good, As i was just playing around with chaturbate.com and found that you guys does not have proper configuration for malicious script injection in website. In Homograph attack basically attacker may able to inject some malicious script with URL. Here i made homograph...

7AI score
Exploits0
Hacker One
Hacker One
added 2018/07/21 8:20 p.m.24 views

Nextcloud: Missing SPF flags for customerupdates.nextcloud.com

Hey, I just checked for SPF records for the customerupdates.nextcloud.com domain, and there are none. The fake message reaches the inbox from this domain. Not spam. You can validate by testing yourself here: http://www.kitterman.com/spf/validate.html This subdomain too: update.nextcloud.com Impac...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/07/21 3:3 p.m.19 views

Vanilla: jsConnect Plugin: Takeover of existing account

Description ----------- The current version 1.5.5 of the official jsConnect plugin allows the takeover of an existing account that wasn't created using SSO - eg a previously existing admin user - by registering an account with the same name using SSO. A successfull attack requires one request to ...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2018/07/21 12:34 p.m.28 views

Node.js third-party modules: http-live-simulator npm module is prone to path traversal attacks

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report Path Traversal...

5CVSS0.6AI score0.02833EPSS
Exploits0
Hacker One
Hacker One
added 2018/07/21 9:42 a.m.103 views

LocalTapiola: F5 BigIP Backend Cookie Disclosure

Basic report information Summary: The Same issue was reported on www.myynti.lahitapiolarahoitus.fi by another reporter. It was fixed for that. But when I test the same issue on lahitapiolarahoitus.fi. It is also causing leakage of information. Description: I just identify F5 BigIP load balancers...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2018/07/21 7:33 a.m.33 views

New Relic: stamp2-azure-ext.newrelic.com is vulnerable to MS12-020

Hi security team member, On stamp2-azure-ext.newrelic.com, there is running Windows Server 2008, which is vulnerable to MS12-020. F322944 Step to reproduce To show exploit, the server will shut down. 1- Download the attached file with the name MS12-020.rb 2- Run the below command on terminal ruby...

1.2AI score
Exploits0
Hacker One
Hacker One
added 2018/07/21 6:59 a.m.18 views

Mail.ru: [target.my.com] CRLF Injection -> XSS

CRLF injection via GET paramaters in target.my.com target.my.com is not currently covered by Bug Bounty program...

4.5AI score
Exploits0
Hacker One
Hacker One
added 2018/07/21 2:41 a.m.53 views

Internet Bug Bounty: DoS for HTTP/2 connections by crafted requests (CVE-2018-1333)

modhttp2 can be tricked by specially crafted requests to hold server resources longer than necessary. A simple demonstration of this for a server with h2c enabled is as follows: for x in seq 0 500; do echo...

5CVSS6.5AI score0.17103EPSS
Exploits0
Hacker One
Hacker One
added 2018/07/21 12:22 a.m.13 views

Chaturbate: Stored XSS against all Chaturbate users using an application name

The hacker discovered that the tooltip on the app page did not protect against XSS attack in the application name. We quickly resolved this issue. The impact for a new attacker was limited as they would only appear under new apps. This vulnerability was discovered using a simple XSS payload in th...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2018/07/20 8:54 p.m.22 views

LocalTapiola: User Information Disclosure via the REST API - /?_method=GET

Basic report information Summary: browser access to www.lahitapiolarahoitus.fi/wp-json is restricted for general public but it is still be accessible through which User information is leaked. Description: By default Wordpress allow public access to Rest API to get information about all users...

0.8AI score
Exploits0
Hacker One
Hacker One
added 2018/07/20 6:31 p.m.47 views

Internet Bug Bounty: linkinfo - openbasedir bypass on Windows PHP

Upstream bug - windows linkinfo lacks openbasedir check === https://bugs.php.net/bug.php?id=76459 Summary == Description: ------------ linkinfo function on windows doesn't implement openbasedir check, it can be seen by reviewing the source code. This could be abused to find files on paths outside...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2018/07/20 2:31 p.m.49 views

Vanilla: Bypassing the Trusted Link Alert System

Summary: I have discovered a means of bypassing the system that will alert users of an untrusted link utilizing the Right to Left Overrride unicode character. The alert looks like this: https://i.imgur.com/9rp1K7b.mp4 Description: For this demonstration, I have added "facebook.com" to the trusted...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2018/07/20 11:20 a.m.24 views

Rocket.Chat: XSS (stored) Wizard is saving executable code

issue: xssstored Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The stored input is not correctly filtered. As a consequence, the malicious data will appear to be part of the web site and run...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2018/07/20 7:20 a.m.68 views

Internet Bug Bounty: Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c

This bug was reported to PHP last month and a fix was public last week:https://bugs.php.net/bug.php?id=76423 Heap OverFlow in exifthumbnailextract of exif.c This vulnerability can be triggered by exifreaddata in any 32-bit system. exif.c:2947: if ImageInfo-Thumbnail.offset +...

5CVSS8.2AI score0.08975EPSS
Exploits1
Hacker One
Hacker One
added 2018/07/20 6:32 a.m.19 views

Mail.ru: Possible to Upload Local Arbitrary Private File to the Cloud against User's Will

Unchecked permission in file sharing functionality could allow malicious application user-assisted access to arbitrary file in Mail.Ru Cloud android application...

3AI score
Exploits0
Hacker One
Hacker One
added 2018/07/19 9:42 p.m.14 views

U.S. Dept Of Defense: SQL Injection vulnerability located at ████████

Summary: I have found a SQL Injection at ███████ in the ████ Portal. Description: The SQL injection is being caused by the unsanitized parameter of itemID= i immediately stopped testing when i verified it was possible to get the Current user and version of the Database. 1.The vulnerable url is :...

8.3AI score
Exploits0
Hacker One
Hacker One
added 2018/07/19 7:20 p.m.18 views

GSA Bounty: Redirect on authorization allows account compromise

Login.gov had a bug in validating the redirecturi in the /openidconnect/authorize endpoint, which allowed specially crafted subdomains to be incorrectly validated when they began with a valid hostname. For example, a redirecturi with a hostname of agency.gov.example.com would validate a URL as if...

2.4AI score
Exploits0
Hacker One
Hacker One
added 2018/07/19 5:54 p.m.32 views

Zomato: Phishing user to download malicious app could lead to leakage of User Access Token, Email, Name and Profile photo via exported RemoteService

Thanks @shivasurya for helping us keep @zomato secure : One of the service components in the Zomato Android app was open to bind a service connection AIDL So, if an attacker would have phished a user to download a malicious app, it could have lead to leakage of access token of the user that leads...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2018/07/19 5:49 p.m.16 views

GitLab: Stored XSS on Issue details page

Summary: The detail page of Issue the page that provides the content of an Issue is vulnerable to Stored XSS. Description: The two exploits are via the function of submittin an issue or the function of editing an issue. This vulnerability is reproduced in Firefox andChrome. IE11 andEdge are not. ...

0.6AI score
Exploits0
Hacker One
Hacker One
added 2018/07/19 3:51 p.m.90 views

Internet Bug Bounty: heap-buffer-overflow (READ of size 48) in exif_read_data()

exifreaddata in PHP 5.6.36, 7.1.x and 7.2.x is vulnerable to a heap buffer overflow when fed a specially crafted JPEG. Any online service that reads EXIF data from uploaded JPEGs is potentially vulnerable to this flaw. This has been fixed with the release of PHP 7.2.8 today. Other releases are...

4.3CVSS7.3AI score0.04306EPSS
Exploits0
Hacker One
Hacker One
added 2018/07/19 10:54 a.m.50 views

WordPress: xss - reflected

vulnerable url: http://masterplan.wordpress.net/store/checkout/ payload: 1 Main Streetzbn0b"alertdocument.cookiek8ez0 vulnerable parameter: billing-address Request: POST /store/checkout/ HTTP/1.1 Host: masterplan.wordpress.net Accept-Encoding: gzip, deflate Accept: / Accept-Language: en...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2018/07/19 10:17 a.m.15 views

Imgur: Go.imgur.com can be used to phish for account information

Right now the go.imgur.com domain is pointing to godoc.org/go.imgur.com but there is nothing at this resource. It is possible with encoded double dots to redirect go.imgur.com URLs to pages that phish for imgur account information. Proof of Concept === PoC 1:...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2018/07/19 9:49 a.m.70 views

Node.js third-party modules: url-parse package return wrong hostname

Jul 19th 2018 - lolwaleet submitted a report to Node.js third-party modules. I would like to report url-parse package return wrong hostname in url-parse. Module module name: url-parse version: 1.4.1 npm page: https://www.npmjs.com/package/url-parse Module Description The url-parse method exposes...

7.5CVSS0.2AI score0.03805EPSS
Exploits0
Hacker One
Hacker One
added 2018/07/19 3:32 a.m.56 views

Starbucks: Subdomain takeover on svcgatewaydevus.starbucks.com and svcgatewayloadus.starbucks.com

Hello, This is fairly close to this report however these are different subdomains than the one in the report. This can be pretty serious since I can server virtually anything I want. In the 45 minutes I've held the domain I have served to 341 unique IP addresses. Two starbucks.com subdomains are...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2018/07/18 2:16 p.m.275 views

Valve: SQL Injection in report_xml.php through countryFilter[] parameter

An unvalidated parameter on an partner reporting page reportxml.php could be used to read certain SQL data from a single backing database. Blind SQL Injection && Akamai WAF Bypass. Wait for the write-up ;...

2.4AI score
Exploits0
Total number of security vulnerabilities15372