Lucene search
K
HackeroneRecent

15372 matches found

Hacker One
Hacker One
•added 2017/11/16 5:12 p.m.•20 views

HackerOne: Information Disclosure when /invitations/<token>.json is not yet accepted

Hi Team, Summary: First, i just want to clarify that this finding seems a purely human mistake from one of the hackerone member team who created a summary of this report: 283309 --- I have found that you guys HackerOne was disclosing email address and private program as part of this report summar...

7AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/16 2:2 p.m.•14 views

Aspen: Session does't get expired after changing the password in https://readthedocs.org

Session does't get expired after changing the password in https://readthedocs.org...

7AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/16 8:44 a.m.•21 views

Infogram: Persistent XSS in share button

Persistent XSS in "Share" button was found: 1. In custom link field for "Share" button add: ". 2. Share the infographic publicly, navigate to its public URL and click the "Share" button. 3. See that pop-up window activates...

6.3AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/14 6:54 a.m.•22 views

Mail.ru: CSRF на biz.mail.ru

Š—Š“Ń€Š°Š²ŃŃ‚Š²ŃƒŠ¹Ń‚Šµ, ŠÆ Š¾Š±Š½Š°Ń€ŃƒŠ¶ŠøŠ» CSRF на biz.mail.ru PoC: система Š“ŃƒŠ¼Š°ŠµŃ‚ что мы хотели Š“Š¾Š±Š°Š²ŠøŃ‚ŃŒ ŃŃ‚Šø Гомены в свой Š°ŠŗŠŗŠ°ŃƒŠ½Ń‚ через час мы ŠæŠ¾Š»ŃƒŃ‡ŠøŠ¼ майли: "ŠŃƒŠ¶Š½Š° ŠæŠ¾Š¼Š¾Ń‰ŃŒ с поГтвержГением Гомена .com?" F239336 Š‘Š»Š°Š³Š¾Š“Š°Ń€ŃŽ за внимание. Š” уважением, Š”Š¶ŠµŠ¹Ń…ŃƒŠ½ Джафаров c37hun...

0.6AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/14 5:6 a.m.•66 views

Trello: Able to run script on https://trello-attachments.s3.amazonaws.com/ [N/A]

HI Trello Security Team this pratik From India ------------------------------------------------------------------------------ I have Founded Stored XSS On your Website critical issue need to be patched before someoneattacker exploit this...

6.2AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/13 1:44 p.m.•26 views

U.S. Dept Of Defense: X-XSS-Protection -> Misconfiguration

Hi there, URL: https://www.sfl-tap.army.mil/ I have seen that the website is using the X-XSS-Protection Header. But it has a strange configuration. When I take a look at securityheaders, I've seen that you guys use this as configuration. X-XSS-Protection: DENY DENY is used for the X-Frame Option...

6.8AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/13 12:1 p.m.•19 views

Automattic: Improper markup sanitization.

Summary One can inject HTML into a note and create a login form that sends the user's details to a third-party server. This was a fun issue to play around with. I will let the PoC do most of the talking for a change. PoC Paste the following HTML into a Simplenote. I am using the Simplenote app...

6.6AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/12 8:51 a.m.•11 views

HackerOne: Program profile metrics endpoint contains mean time to triage, even when turned off

Description Include Impact: when a bug bounty program disables its profile metrics which shows the Response Efficiency, there still some data leaked in the response of the the following endpoint: hackerone.com/PROGRAMHANDLE/profilemetrics.json this endpoint leaks the meantimetotriage although the...

6.7AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/11 1:10 a.m.•26 views

Concrete CMS: Reflected XSS vulnerability in Database name field on installation screen

"Leave me in a room with some crayons and I'll draw on the wall." Platform information Issue: Core CMS issue Version: Concrete5 - 8.2.1 md500080d5a625ddbaece643894f67d57b1 downloaded today from official download site2 Short description There is reflected XSS vulnerability in Database Name filed o...

6.1AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/10 11:6 p.m.•10 views

RubyGems: [gem server] Stored XSS via crafted JavaScript URL inclusion in Gemspec

Hi, A JavaScript URL injection in the homepage field within a Gemspec file can be leveraged to achieve stored XSS on the default gem server web interface, referenced here. When you install RubyGems, it adds the gem server command to your system. This is the fastest way to start hosting gems. As...

6.6AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/10 7:23 p.m.•42 views

Ubiquiti Inc.: Triggering RCE using XSS to bypass CSRF in PowerBeam M5 300

In AirOS 6.1.5 and prior, due to lack of validation is possible to bypass the CSRF in certain web pages. If an authenticated user access an attacker controlled web page, it could trigger the CSRF and the resulting request could modify the device configuration and creating stored-XSS, with the XSS...

2.6AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/10 6:29 p.m.•106 views

Semrush: Following links are vulnerable to clickjacking

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: The below list...

7AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/10 2:54 p.m.•25 views

Legal Robot: Exposes a series of other private credentials

Hi, I found a Javascript file where have many private credentials. JS File https://app.legalrobot.com/meteorruntimeconfig.js Code meteorruntimeconfig = "meteorRelease":"[email protected]","meteorEnv":"NODEENV":"production","TESTMETADATA":"","PUBLICSETTINGS":"analyticsSettings":"Google...

6.8AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/10 2:41 p.m.•28 views

AlienVault : DNS pinning SSRF

Hello there, this is for the otx.alienvault.com domain, but I couldn't mark it in the drop down menu. I saw the note about the 2 weeks so I decide to report this. Summary: I've found that you can perform a SSRF attackwith DNS pinning and read the response from url http://169.254.169.254 Browsers...

6.6AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/10 9:41 a.m.•21 views

Urban Dictionary: Stored XSS on urbandictionary.com

hi team, I have found an XSS flaw on your site in add page. POC in this video...

6.2AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/10 7:19 a.m.•35 views

GSA Bounty: Subdomain Takeover

@picklepwns discovered a subdomain takeover attack. Technically, the domain was out of scope for our Vulnerability Disclosure Policy. We want to remind hackers to please limit their testing to domains explicitly listed in that scope which is repeated on our HackerOne program page for convenience...

6.7AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/10 12:51 a.m.•69 views

Bitwarden: Vulnerable exported broadcast receiver

Good evening, This is actually in your code base this time. : Since the following broadcast receiver has export=true it can be exploited by 3rd parties. Vulnerability com.x8bit.bitwarden.PackageReplacedReceiver has exported set to true making the receiver vulnerable to tampering. F238236 POC I wa...

6.6AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/10 12:10 a.m.•47 views

Internet Bug Bounty: SSL_peek() hang on empty record (CVE-2016-6305)

As described here: https://www.openssl.org/news/secadv/20160922.txt...

5CVSS8.5AI score0.15997EPSS
Exploits1
Hacker One
Hacker One
•added 2017/11/09 9:44 p.m.•120 views

X (Formerly Twitter): POODLE SSLv3 bug on multiple twitter smtp servers (mx3.twitter.com,199.59.148.204,199.16.156.108 and 199.59.148.204)

Summary: POODLE SSLv3 bug on multiple twitter smtp servers Description: CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle...

4.3CVSS5.2AI score0.99999EPSS
Exploits7
Hacker One
Hacker One
•added 2017/11/09 8:52 p.m.•35 views

IRCCloud: [IRCCloud Android] Theft of arbitrary files leading to token leakage

Bug description Hi, I'd like to report a vulnerability which allows to theft arbitrary protected files and as a result takeover account, because all tokens will be leaked, similar to my bug reported to Harvest https://hackerone.com/reports/161710 This one is really tricky, passed two days to...

6.9AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/09 8:38 p.m.•23 views

HackerOne: Additional bypass allows SSRF for internal netblocks

It turns out there is another bypass in the privateaddresscheck gem. The gem does not include 0.0.0.0 in the exclusion list in the first place. irbmain:001:0 require 'privateaddresscheck' = true irbmain:002:0 PrivateAddressCheck.privateaddress?"0.0.0.0" = false I was able to bypass your filter by...

7.5CVSS8.9AI score0.02032EPSS
Exploits0
Hacker One
Hacker One
•added 2017/11/09 6:8 p.m.•135 views

Semrush: Cross-origin resource sharing

Issue:Cross-origin resource sharing: arbitrary origin trusted The application implements an HTML5 cross-origin resource sharing CORS policy for this request that allows access from any domain. The application allowed access from the requested origin https://hhgdhgjgbrg.com Since the Vary: Origin...

6.7AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/09 3:57 p.m.•21 views

Infogram: Bruteforcing Coupons

Hi, while i was fuzzing for an API endpoints i found this endpoint: https://infogram.com/api/discounts the first thing came on my mind is bruteforcing the coupon codes so i gave it a try and it worked! there's no rate limit on that endpoint so an attacker could use it to bruteforce the coupon cod...

6.7AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/09 9:7 a.m.•28 views

Aspen: Email Spoofing

There is an Email Spoofing Vulnerability. Steps to reproduce: 1 Go to http://emkei.cz/ 2 Fill "From Email" field to [email protected] or any other aspen email. 3 Fill the victim's address your address to "TO" field and fill in other details as you wish. You will receive email from aspen admin...

6.9AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/09 8:57 a.m.•22 views

Phabricator: Command injection on Phabricator instance with an evil hg branch name

Hi phabricator, I found an evil branch name of hg a repo can lead to arbitrary command injection on phabricator instance. Here is the reproduction steps: 1. Monitor a remote mercurial repo with phabricator; 2. Create a branch and called "--config=hooks.pre-log=wget" on the remote; 3. After...

7.5AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/09 12:41 a.m.•132 views

AlienVault : Puplic .htaccess/.htpasswd/.canvas files leads to password disclosure.

iam a big fan of fuzzing/bruteforcing after my last submission 288533 on http://data.alienvault.com, i decided to go further, after some bruteforcing i came across this directory which looked kinda interesting for me http://data.alienvault.com/snort/ when u try to access the directory you will ge...

6.7AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/08 9:0 p.m.•9 views

Zomato: User Profiles Leak PII in HTML Document for Mobile Browser User Agents

@chriszielinski found that user personal information was leaking when you make a request using mobile user agent...

6.7AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/08 4:48 p.m.•18 views

VK.com: CSRF созГание опроса от имени ŠæŠ¾Š»ŃŒŠ·Š¾Š²Š°Ń‚ŠµŠ»Ń, Š·Š½Š°Ń id ŠæŃ€ŠøŠ»Š¾Š¶ŠµŠ½ŠøŃ. + небольшой Ń„Š»ŃƒŠ“ ŃŠ¾Š¾Š±Ń‰ŠµŠ½ŠøŃŠ¼Šø на ŃŃ‚ŠµŠ½Ńƒ

CSRF на созГание опроса от ŠæŃ€ŠøŠ»Š¾Š¶ŠµŠ½ŠøŃ...

7AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/08 4:37 p.m.•16 views

AlienVault : Server Side Request Forgery protection bypass ā„– 2

Hi, you haven't fixed the vulnerability.The bypass of this report 287762 This is a classic example of url bypass. POC https://www.threatcrowd.org/domain.php?domain=173.0302.0x2c.70 https://www.threatcrowd.org/domain.php?domain=0xad.0xc2.0x2c.0x46...

6.9AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/08 12:3 p.m.•30 views

Rockstar Games: SMB SSRF in emblem editor exposes taketwo domain credentials, may lead to RCE

In this report, the researcher found that by submitting crafted SVG files, he was able to establish a listener on our server that enabled SSRF attacks. This potentially could have been pivoted to carry out more damaging attacks as well. We improved our validation of user-submitted SVG files to...

7AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/08 3:36 a.m.•71 views

Valve: LFI in pChart php library

Local File Inclusion LFI vulnerability in the pChart php library...

1.6AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/07 8:7 p.m.•18 views

AlienVault : SSRF bypass #2 (using octal encoding) on the https://www.threatcrowd.org/domain.php

Description The latest SSRF fixes can be bypassed, using octal encoding of the AWS IP. There is other more general bypass, which can't be fixed using blacklisting - it's reported in the 288183. POC https://www.threatcrowd.org/domain.php?domain=0251.00376.000251.0000376 F237500 Suggested fix As wa...

6.6AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/07 6:15 p.m.•18 views

Moneybird: Open Redirection while saving User account Settings

Hi team , I got a Open redirection while saving account setting . This could lead to serious issues . Endpoint :- https://moneybird.com/user/edit?returnto=//evil.com Reproduce :- Visit https://moneybird.com/user/edit?returnto=//evil.com and click on Save . You will be take to evil.com . Impact :-...

6.7AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/07 4:37 p.m.•51 views

AlienVault : DNS pinning SSRF bypass

Summary: this issue is a bypass for this report: https://hackerone.com/reports/285380 . It is a SSRF bypass with DNS pinning. Description: We can bypass the SSRF protection with a simple domain that is resolving to 169.254.169.254 , like: ssrf-cloud.localdomain.pw Browsers Verified In: Firefox 56...

6.8AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/07 4:14 p.m.•39 views

AlienVault : SSRF bypass for https://hackerone.com/reports/285380 (query AWS instance)

Description The SSRF fix can be bypassed, using domain, pointed to the AWS IP 169.254.169.254, like metadata.nicob.net. POC https://www.threatcrowd.org/domain.php?domain=metadata.nicob.net F237437 Suggested fix While there is no 100% way to validate the domains using only string-based checks, you...

6.6AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/06 7:54 p.m.•21 views

BOHEMIA INTERACTIVE a.s.: 217.147.95.145 NFS Exposed with Zeus Server configs

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Description:...

Exploits0
Hacker One
Hacker One
•added 2017/11/06 7:44 p.m.•20 views

Ruby: Resolv::getaddresses bug that can be abused to bypass security measures.

Description Resolv::getaddresses is OS-dependent, therefore by playing around with different IP formats one can return blank values. This bug can be abused to bypass exclusion lists often used to protect against SSRF. | šŸ’» Machine 1 | šŸ’» Machine 2 | |--------------|---------------| | ruby 2.3.3p222...

6.9AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/06 5:42 p.m.•19 views

BOHEMIA INTERACTIVE a.s.: IDOR to view User Order Information

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Description: There is a...

1AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/06 4:8 p.m.•23 views

AlienVault : SSRF protection bypass

As said in report 285380, using the decimal IP notation is bypassing the fix : https://www.threatcrowd.org/domain.php?domain=2852039166...

6.9AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/06 4:0 p.m.•22 views

Infogram: Bypass insecure password validation

Hi Team, Summary: Registration is checking the password creation if the password is insecure , but the password reset page was not doing the same validation, so when i input an insecure password using the password reset, the validation on the password creation can be bypass because the password...

7.1AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/06 10:35 a.m.•9 views

Infogram: Stored XSS On Wordpress Infogram plugin

Hello Team, There is a Stored XSS Vulnerability On Wordpress Infogram plugin. Wordpress version : 4.5 Infogram plugin version : 1.5.1 After installing wordpress and infogram plugin. I created a project to infogram with the following name " and I Created a simple report. Then I go back to my...

6AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/06 9:13 a.m.•67 views

Internet Bug Bounty: CVE-2017-13090 wget heap smash

The retr.c:fdreadbody function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in piec...

9.3CVSS8.3AI score0.36563EPSS
Exploits0
Hacker One
Hacker One
•added 2017/11/06 9:3 a.m.•35 views

Internet Bug Bounty: CVE-2017-13089 wget stack smash

The http.c:skipshortbody function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then...

9.3CVSS8.3AI score0.79855EPSS
Exploits3
Hacker One
Hacker One
•added 2017/11/05 1:35 p.m.•16 views

Infogram: Stored XSS in content when Graph is created via API

Summary It is possible for an attacker to insert javascript code into Graphs by creating a project via the API Steps to reproduce Login Go to API Settings Copy your Key + Secret Go to API Documentation Download one of the official libraries I chose JAVA In the "main" method add the Key + Secret y...

6.9AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/05 3:11 a.m.•31 views

Infogram: Internal Ports Scanning via Blind SSRF (URL Redirection to beat filter)

Summary --------------------- This is a blind SSRF that lets you scan internal ports. Technical Details -------------------- Inspired by 281950, I found a way to evade the filter for the api endpoint webresource by using a URL Redirection service. I used tinyurl to create a url that linked to...

6.5AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/04 2:56 p.m.•15 views

Mail.ru: Self-xss via drag&drop in email form

User-assisted XSS in message composer's drag-n-drop feature via alt property of emoji-style image...

6.3AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/04 2:20 p.m.•22 views

Mail.ru: Possibility to view subdepartments for arbitrary domain

By directly referencing to department ID in biz.mail.ru, it was possible to see the names of departments without knowledge of which organization this department belongs to Leakage of every existing department/unit of every domain via changing parameters directly in http request...

6.8AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/03 11:32 p.m.•180 views

HackerOne: Blind SSRF in "Integrations" by abusing a bug in Ruby's native resolver.

Summary HackerOne allows bug bounty programs to integrate their reports queue with issue tracking tools such as Jira and Phabricator. By abusing a bug that I discovered in Ruby's native resolver, I am able to bypass the SSRF filter and could potentially scan your internal network. Vulnerability...

6.8CVSS7.7AI score0.02415EPSS
Exploits0
Hacker One
Hacker One
•added 2017/11/03 4:44 p.m.•16 views

Trello: CSV injection [N/A]

Hello, We can inject commands in the name field of a board =210 or =cmd|'/C calc'!AO for example, and when it's exported to CSV it will be evaluated to 20 in the corresponding cell, this enables an attacker to spread malware and execute system level commands on a victim's machine if the victim...

7.1AI score
Exploits0
Hacker One
Hacker One
•added 2017/11/03 4:3 p.m.•35 views

Trello: Subdomain Takeover Possible [N/A]

Hello , Team Trello Security Today == 04/11/2017 , 03:52 , I Discovred A Issue in Your Website , i found this error In : http://d2k1ftgv7pobq7.cloudfront.net/ ======================================================= ERROR The request could not be satisfied. Bad request. Generated by cloudfront...

6.7AI score
Exploits0
Total number of security vulnerabilities15372