Lucene search
K
HackeroneRecent

15372 matches found

Hacker One
Hacker One
added 2018/01/23 11:55 p.m.27 views

Automattic: wpjobmanager - unserialize of user input

Vulnerability occurs in getjoblistings function to be more precise line 160 - 164 in wp-job-manager-functions.php. $result = new WPQuery $queryargs ; $cachedquery = false; settransient $queryargshash, $result, DAYINSECONDS ; e.g. you perform serialize on object that have escsql-ed values and afte...

1.2AI score
Exploits0
Hacker One
Hacker One
added 2018/01/23 9:10 p.m.53 views

Khan Academy: CSRF token fixation and potential account takeover

Hi Team, Details: I have found that the csrftoken fkey parameter which prevent CSRF attacks is fixed in same browser and didn't changed even user login or logout , a lot of users can use the same CSRFtoken , this can be exploited such 2 ways : Shared computers: - attacker open...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2018/01/23 7:22 p.m.45 views

VK.com: Opcode Cache

Раскрытие имен некоторых файлов...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/01/23 12:47 p.m.185 views

Node.js third-party modules: [html-janitor] Bypassing sanitization using DOM clobbering

Module: Name: html-janitor Version: 2.0.2 Summary: Arbitrary HTML can pass the sanitization process, which can be unexpected and dangerous XSS in case user-controlled input is passed to the clean function. Description: Proof of concept: javascript var myJanitor = new HTMLJanitortags:p:; var...

4.3CVSS5.8AI score0.01038EPSS
Exploits0
Hacker One
Hacker One
added 2018/01/23 12:40 p.m.13 views

Nextcloud: Email Notification should be get while changing password on apps.nextcloud.com

Hi, There is an issue with password reset functionality with Nextcloud: user is not receiving notification when he reset password. Issue: user not always gets a notification about password change. When user change his password then a notification is not send to the user. It is good to always send...

7AI score
Exploits0
Hacker One
Hacker One
added 2018/01/23 12:34 p.m.77 views

Node.js third-party modules: [html-janitor] Passing user-controlled data to clean() leads to XSS

Module: Name: html-janitor Version: 2.0.2 Summary: Passing user-controlled data to the module's clean function can result in arbitrary JS execution, because of unsafe DOM operations. The description "Cleans up your markup and allows you to take control of your HTML. HTMLJanitor uses a defined...

4.3CVSS5.9AI score0.01063EPSS
Exploits1
Hacker One
Hacker One
added 2018/01/22 8:29 p.m.285 views

HubSpot: Reflected XSS and Server Side Template Injection in all HubSpot CMSes

Really I don't know why BugCrowd team closed my submission as N/A F337815 They mentioned that Not in Scope ?! So I reported it again in another submission But this Time I messaged the Security Company Directly and triaged and Fixed in 2 Days . Full Poc : I was found in this path /hcms/cta so this...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2018/01/22 7:7 p.m.32 views

LocalTapiola: Authorization issue on 'valtakirjat' (/e2/verkkopalvelu/)

Issue The reporter found some inconsistencies related to authorizations and access between family members. Fix The application was fixed in a monthly release. Reasoning The issue was valid and the reporter provided a lot of valuable information for us to go on including traces, screenshots and...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2018/01/22 10:42 a.m.61 views

Ruby on Rails: Path Traversal on Default Installed Rails Application (Asset Pipeline)

There is an information leak vulnerability in Sprockets. This vulnerability has been assigned the CVE identifier CVE-2018-3760. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Not affected: NONE Fixed Versions: 4.0.0.beta8, 3.7.2, 2.12.5 Impact ------ Specially crafte...

5CVSS2AI score0.26717EPSS
Exploits2
Hacker One
Hacker One
added 2018/01/21 5:17 p.m.809 views

RubyGems: Cross-Domain JavaScript Source File Inclusion

The page includes one or more script files from a third-party domain. XSSI is a fancy way of saying: you are including in your program, someone elses code; You don't have any control over what is in that code, and you don't have any control over the security of the server on which it is hosted...

7AI score
Exploits0
Hacker One
Hacker One
added 2018/01/21 4:49 p.m.24 views

Keybase: Claiming ownership of GitHub handles via forked GitHub gists.

Description An attacker can claim ownership of a GitHub user's handle if the user forks the attacker's gist with a verification snippet generated by the attacker pointing towards the user's handle. PoC With my colleague's permission @jackds I claimed their GitHub handle with this gist:...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2018/01/21 4:31 p.m.38 views

Keybase: Keybase extension hostname-validation regular expression issue.

Description The following snippet in js/identities.js allows all hostnames ending in twitter.com, facebook.com, etc. to display the Keybase message window. The issue stems from the fact that you use . instead of \. in your regular expression. js service: "twitter", getUsername: functionloc return...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2018/01/21 4:7 p.m.25 views

Keybase: Difference in query string parameter processing between Hacker News and Keybase Chrome extension spawns chat to incorrect user

Hello! When using the Keybase Chrome extension and viewing a Hacker News profile page with an additional id parameter in the query string, Hacker News uses the username from the first id parameter, whereas the Keybase extension uses the username from the second id parameter. Example URL:...

1AI score
Exploits0
Hacker One
Hacker One
added 2018/01/21 3:44 p.m.66 views

Node.js third-party modules: [serve] Directory index of arbitrary folder available due to lack of sanitization of %2e and %2f characters in url

Hi, This report is about Arbitrary Directory Listing vulnerability I found in serve module. Vulnerability does not allow to open arbitrary file due to send module which handles file reading and implements its own validation and protection against Path Traversal attacks. However serve handles...

4CVSS5.9AI score0.0179EPSS
Exploits1
Hacker One
Hacker One
added 2018/01/20 4:2 p.m.20 views

Showmax: Stored blind xss on showmax support team

This report describes a phishing attack. It was performed through html injection into 3rd party chat application and a bit of social engineering. The merit of the attack was in providing html code which was then executed on the support agent side. The code was able to retrieve some cookies and lu...

1AI score
Exploits0
Hacker One
Hacker One
added 2018/01/20 11:19 a.m.53 views

Trello: Trello Gold accounts free for 1 year

It is possible to create Trello Gold accounts and use it for free for 1 year. The issue lies in credit card validation. PoC: 1. Create a new trello account 2. After verification, go to Profile Trello Gold 3. Choose billed annually, enter a valid credit card number with $0 on it. and click on...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2018/01/20 10:8 a.m.34 views

HackerOne: While adding a payment method - Notification email not sent to newly added email ID as well as there is no verification for new email id (Paypal)

Description: As you know hackerone allows us to add payout method. On selecting paypal we are asked to add paypal email id. On saving new email id. A hackerone account holder i.e account from which payout method was changed gets a notification email saying that "The payout method was changed form...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2018/01/20 12:52 a.m.15 views

VK.com: CSRF отредактировать карточки в посте у группы

Отсутствие хеша в запросе на редактирование рекламной карусели. Видеодемонстрация импакта: https://youtu.be/BO8lCwv01f0...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/01/19 3:4 p.m.26 views

Coinbase: Double Payout via PayPal

An issue with the handling of the PayPal transaction states resulted in a user being able to both withdraw money from PayPal, but not have the funds deducted from their account...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2018/01/19 7:33 a.m.25 views

Grab: Leak ██████████ information in real time through API request

The researcher identified an endpoint that was publicly accessible and contained minuscule amount of sensitive information with some dummy data. We quickly resolved the issue and rewarded the researcher. We are thankful to @severus for his continued contribution to our bug bounty program to keep...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2018/01/19 1:21 a.m.60 views

HackerOne: Submitted reports state logs leakage

Hi team, Summary ---------- The endpoint https://hackerone.com/ returns a JSON response containing some informations about the , the parameter signal is returned as a high precision float number up to 14 digits after the comma, the fractional part of this JSON parameter can be used to disclose so...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2018/01/19 12:52 a.m.31 views

Node.js third-party modules: [html-pages] Path Traversal in html-pages module allows to read any file from the server with curl

Hi, This report is about Directory Traversal vulnerability I found in html-pages module. Module: html-pages is a module which allows to browse directories and serve static files in the browser. The vulnerability exists in the latest available version 2.0.7 Link to npm page:...

5CVSS0.8AI score0.02274EPSS
Exploits1
Hacker One
Hacker One
added 2018/01/18 8:52 p.m.63 views

Pornhub: xss

The researcher found a GET parameter, the value of which was output in the page source, resulting in XSS...

1.2AI score
Exploits0
Hacker One
Hacker One
added 2018/01/18 7:32 p.m.55 views

Phabricator: Window.opener protection Bypass

SUMMURY ======== If you create a post/comment with a link like http://x.com in fabricator then server add rel="norefferrer" to anchor tag . So child window dont have access to parent window. But it can be bypassed with url like /\x.com/index.php and child window can change the location property o...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/01/17 11:25 p.m.33 views

Mail.ru: reflected xss on cycloferon.health.mail.ru

Reflected XSS in http://cycloferon.health.mail.ru/ promo site. This domain is not covered by bug bounty program. Since this site is not longer supported, an access was closed as a workaround...

6.2AI score
Exploits0
Hacker One
Hacker One
added 2018/01/17 5:42 p.m.24 views

Internet Bug Bounty: Urllib connects to a wrong host

Description ----- The inconsistent of URL parsing and URL fetching are distinct Original bug report ----- - https://bugs.python.org/issue30500 - http://python-security.readthedocs.io/vuln/bpo-30500urllibconnectstoawronghost.html Note ----- - None Thanks : Impact SSRF...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/01/17 5:39 p.m.16 views

Mail.ru: [e.mail.ru] XSS на странице отправки денежного перевода

Reflected XSS in https://e.mail.ru/money/send via messageid GET parameter XSS via a GET param...

1.1AI score
Exploits0
Hacker One
Hacker One
added 2018/01/17 5:30 p.m.42 views

Internet Bug Bounty: Inappropriate URL parsing may cause security risk!

Description ----- The behaviors in parseurl and httpwrap/cURL are different Original bug report ----- - https://bugs.php.net/bug.php?id=74192 Note ----- - CVE-2017-7189 assigned Thanks : Impact SSRF...

5CVSS7.5AI score0.02492EPSS
Exploits0
Hacker One
Hacker One
added 2018/01/17 5:29 p.m.23 views

Internet Bug Bounty: Inappropriately parsing HTTP response leads to PHP segment fault!

Description ----- A NULL Pointer Deference in parsing HTTP header. It is very easy to trigger this segment fault and may be vulnerable in some scenarios. Original bug report ----- - https://bugs.php.net/bug.php?id=75535 Note ----- - None Thanks : Impact Segment fault...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/01/17 5:27 p.m.71 views

Internet Bug Bounty: Potential infinite loop in gdImageCreateFromGifCtx!

Description ----- It is easy to trigger in web application if the web use GD as its image library. For example, It can be triggered if a website resize the user-uploaded GIF, and ALL PHP version are affected! Original bug report ----- - https://bugs.php.net/bug.php?id=75571 Note ----- -...

4.3CVSS6.5AI score0.13204EPSS
Exploits1
Hacker One
Hacker One
added 2018/01/17 1:29 p.m.12 views

ok.ru: Обход функций закрытого профиля, получения возможности комментировать закрытые подарки и просматривать их

Insecure direct object reference allowed posting comments to user gifts despite of privacy settings. Уязвимость позволяла создавать комментарии к подаркам пользователя даже если это запрещено настройками приватности...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2018/01/17 12:4 a.m.45 views

Slack: Information leakage and default open port

@freem0 found Prometheus plugin output that was exposed at one of our servers. The information exposed including some OS information metrics about memory usage, but no customer data was at risk and no exploit was possible. Thank you @freem0!...

2.4AI score
Exploits0
Hacker One
Hacker One
added 2018/01/16 2:26 p.m.48 views

LocalTapiola: Malicious file upload (secure.lahitapiola.fi)

Basic report information Summary: Malicious file upload Description: Hello! I noticed that when a user sends new message you have restricted pretty strictly the files which is ok to upload. Like .svg: F254353 How ever if a user impersonate another user just a one example and start the conversatio...

1AI score
Exploits0
Hacker One
Hacker One
added 2018/01/16 7:45 a.m.20 views

Yelp: ClickJacking on IMPORTANT Functions of Yelp

SUMMARY: Few Important function of yelp.com are vulnerable to ClickJacking Attack. DESCRIPTION: Please have an Introduction about the vulnerability Type: https://en.wikipedia.org/wiki/Clickjacking ClikcJacking is similar to CSRF with just an extra involvement of the victim to click somewhere on t...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/01/16 12:7 a.m.38 views

Showmax: Query string parameter modifications returned in page

NOTE BEFOREHAND: I KNOW it's not located on the core showmax.com domain, but that doesn't effect the applications of this and it still has the same risk. Summary: At https://sso.showmax.com/auth/failure?message=, you can change the message parameter to any text and it will be returned on the page...

6.5AI score
Exploits0
Hacker One
Hacker One
added 2018/01/14 9:22 p.m.28 views

Monero: Corrupt RPC responses from remote daemon nodes can lead to transaction tracing

Dear Monero security team, We’re writing to disclose a privacy vulnerability when using monero-cli or monero-gui with an untrusted remote node. When using a remote node, the Monero client relies on the node to provide information from the blockchain, in particular the public keys and transaction...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2018/01/14 11:59 a.m.15 views

LocalTapiola: Information exposure via error pages (www.lahitapiola.fi Tomcat)

Summary: Information exposure via error pages Description: Hello there! I take the risk that this report might be closed as a N/A but because you are running outdated tomcat I wanted to take this risk and report this to you. So here we go.. When you navigate to the page e.g...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2018/01/14 8:29 a.m.25 views

Mail.ru: XSS ( Работа с письмами )

Заходим в почту. 2. Настройки - Работа с письмами. Получаем GET запросом входящие параметры...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2018/01/14 12:9 a.m.22 views

Concrete CMS: Administrators can add other administrators

Because I know you like crayons here's a token of my appreciation... :D F253771 Concrete5 version: 8.3.1 Release date: 12/20/17 Where: Core CMS Vulnerability: Privilege Escalation OTG-AUTHZ-003 Privilege escalation occurs when a user gets to access more resources than is normally allowed when it...

7AI score
Exploits0
Hacker One
Hacker One
added 2018/01/13 12:16 p.m.20 views

Mail.ru: Возможность залить шелл на https://widget.operator.mail.ru

It was possible to upload a shell code to widget.operator.mail.ru via file upload feature. widget.operator.mail.ru is a part of games.mail.ru and is not currently covered by bug bounty program. Shell upload...

Exploits0
Hacker One
Hacker One
added 2018/01/12 10:26 p.m.68 views

Grab: Unrestricted access to https://██████.█████myteksi.net/

Hello again Grab Security Team ! Following my previous research, it seems that your Microservices architecture you are currently running on .█████myteksi.net is publicly exposed on another endpoint : https://█████████.█████myteksi.net. Summary: When researching and starting a new enumeration of...

6.5AI score
Exploits0
Hacker One
Hacker One
added 2018/01/12 9:42 p.m.65 views

Internet Bug Bounty: ACME TLS-SNI-01/02 challenge vulnerable when combined with shared hosting providers

The ACME TLS-SNI-01 and TLS-SNI-02 specification assumed wrong in terms of how current major cloud providers routed and validated domains. This was reported earlier this week to Let's Encrypt, and they decided to disable the method. Today Let's Encrypt decided to sunset both TLS-SNI-01 and...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2018/01/12 9:30 a.m.20 views

Grab: Unrestricted access to Eureka server on ██████

Hi Grab Security Team, First of all, best wishes for 2018, empty of bugs if possible ;- Summary: I found that the following endpoint is hosting Netflix Eureka Server █████ and that even if some URLs are requiring authentication 401 code for some of thems like /metrics for example, it is still...

7AI score
Exploits0
Hacker One
Hacker One
added 2018/01/12 12:13 a.m.20 views

Uber: ubernycmarketplace.com is vulnerable to the Heartbleed Bug

The Heartbleed Bug was a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. This allows attackers to eavesdrop on communications, stea...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2018/01/11 10:15 p.m.29 views

Ubiquiti Inc.: Reflected XSS

Due to the lack of sanitisation in the commend area, with a especially crafted message, is possible to execute a XSS with the "preview" function. If a draft is save, is possible to exploit this bug using as and stored-XSS. The "New Discussion" page on the Spanish and Portuguese forums have a...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2018/01/11 8:55 p.m.34 views

Ruby: Integer Underflow @ ossl_cipher_pkcs5_keyivgen

Integer Underflow @ osslcipherpkcs5keyivgen file : ext/openssl/osslcipher.c affected parameter: iterations INFO Generates and sets the key/IV based on a password. call-seq: cipher.pkcs5keyivgenpass, salt = nil, iterations = 2048, digest = "MD5" - nil ANALYSIS iterint in osslcipherpkcs5keyivgen...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2018/01/11 7:40 p.m.17 views

Open-Xchange: [XSS/CSRF] filter content-type bypass in Files

Hi. I found trick for inject any content-type for files. If content-type contains , then browser Chrome, Firefox skip content-type before , e.g.: any, text/html - text/html Upload any html/xml/svg/swf without extension F253137 and update mimetype: - "file":"filemimetype":"t,text/html" -...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2018/01/11 6:48 p.m.4 views

Hiro: Missing restriction on string size of Full Name at browser.blockstack.org

Hi there Vulnerability Title: During my regular testing, I have found that there was no restriction on the amount of text that can be inserted into a user's Full name field. Security Impact: When the text size was large enough the service resulting in a momentary outage in our non-production...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2018/01/10 2:33 p.m.22 views

Open-Xchange: Arbitrary local system file read on open-xchange server

Hi, Summary: I found a vulnerability that can read arbritary local file and also internal resource on Open-Xchange server. Description: I can create an crafted odt file and can successfully read any local files on Open-Xchange server when previewing this odt file. Steps to Reproduce: Here is the...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/01/10 12:23 p.m.62 views

GSA Bounty: Defacement of catalog.data.gov via web cache poisoning to stored DOMXSS

An attacker can deface various pages on catalog.data.gov, leading to them executing malicious JavaScript when visited by a normal user. The root problem is that the server trusts the X-Forwarded-Host HTTP header, and uses this to populate the 'data-site-root' and 'data-locale-root' attributes on...

7AI score
Exploits0
Total number of security vulnerabilities15372