Lucene search
K
HackeroneRecent

15372 matches found

Hacker One
Hacker One
added 2017/10/20 9:2 p.m.70 views

Legal Robot: Non-HTTPS link on blog

Hi, @legalrobot I found another venturebeat.com URL without HTTPS in https://www.legalrobot-uat.com/press/ I hope you fix this Screenshot attached bellow Cheers, Ph0b0s...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/20 3:20 p.m.32 views

WePay: [stage-go.wepay.com] XSS via Request URI

PoC Open URL in Internet Explorer. This vulnerability only works in Internet Explorer and possibly in Edge, since it is necessary to send a Request-URI without a URL Encode, which is only possible in this browser via redirect...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/20 10:25 a.m.9 views

Inflection: Business Logic Flaw allowing Privilege Escalation

Researcher misunderstood the names and permissions assigned to various roles in the GoodHire application - the permissions are working as intended. Nevertheless, the researcher requested for the report to be disclosed...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/20 10:16 a.m.23 views

QIWI: apache access.log leakage via long request on https://rapida.ru/

Issue access.log is leaked by attacker who trying send many requests. Explain: Honestly i don't know how the bug is happened, but i guess if the access.log is too large, it will dump some part into the response, and attacker happily get it. Reproduce: 1. Access to https://rapida.ru/search/?q= 2...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/20 6:22 a.m.12 views

Infogram: Non Critical Code Quality Bug / Self XSS on Map Editor

Hi Team, I've found non-critical XSS on map editor. It is not for bounty just for code quality. This is my url: https://infogram.com/app/edit/c024c717-31c2-4c31-8491-1cc9534e9adb When i added map on form then edit Country name and replace with "alert1;" it is executed. Attached screenshots...

6.5AI score
Exploits0
Hacker One
Hacker One
added 2017/10/20 3:17 a.m.24 views

Mail.ru: Stored self-XSS pubg.mail.ru в нескольких местах

Stored self-XSS in pubg.mail.ru via account name if login via social network is used. pubg.mail.ru is not currently in bug bounty scope...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/20 3:6 a.m.16 views

Razer US: Heart-bleed Vulnerability that leads to disclose sensitive information from the memory

Summary: Upon doing penetration testing on the Rezar domains, I have found that on of the domains is vulnerable to the heartbleed vulnerability, but I am not sure that careers.razerzone.com is in scope. Because of the dangerous of the vulnerability, I took further step to report. The Heartbleed B...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 11:50 p.m.28 views

Inflection: Fake mailing reports using mail service on [URL : mail-txn.identity.com]

Researcher discovered an unused subdomain that served as an alias for Mandrill's third-party transactional email service. Mandrill's relay server could be used to send bounceback/failed delivery messages to an arbitrary "sender", although the contents of the message itself are limited to Mandrill...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 8:36 p.m.24 views

HackerOne: Search query text, including from potentially undisclosed reports, sent to Google Analytics on Inbox query page

Summary: Search query text, including from potentially undisclosed reports, sent to Google Analytics on Inbox query page Description Include Impact: Since search query text can both include content of private vulnerabilities, it shouldn't be sent to Google Analytics. Furthermore, the information...

6.5AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 7:37 p.m.13 views

LocalTapiola: High server resource usage on captcha (viestinta.lahitapiola.fi)

Short summary Hi, I noticed that the following report has been fixed and closed, however the bug has reappeared in different parameters: https://hackerone.com/reports/204208 Basic report information Summary: It is possible to generate a simple request which creates a high cpu/bandwidth consumptio...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 3:40 p.m.35 views

Boozt Fashion AB: No Session change on Password change

Your system does not change session id after password is changed. Reusing same session ids, after password is changed is highly risky. Example scenario: Hacker has successfully brute forced the password of a victim and has access to the account. The victim notices that something's off and chooses...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 2:57 p.m.23 views

Infogram: No Rate Limit on account deletion request(Leads to huge email flooding/email bombing)

Dear sir, At first,i want to say that this sensitive action definitely should be set with rate limit. Note:-This is about huge bombing/brute force on any endpoints. Vulnerability:- -No rate limit has been set for generating account deletion emails for accounts on above selected domain. -As there ...

7.2AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 2:45 p.m.15 views

Infogram: Incorrect Functionality of Password reset links

Vulnerability:- -Password reset links should work in such a way that "only the last generated password reset link should be valid" i.e; if two tokens are generated at a time, then 2nd token must work and 1st token must be invalid. -If not, another case is that "if some number of reset links are...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 2:35 p.m.10 views

Infogram: Email notification is not being sent while changing passwords

Vulnerabilities:- 1.Use of old passwords is possiblecurrent password can be used as new password. 2.Email notification is not being sent to linked mail account while changing passwords. Impact:- Case-1:- -whenever a user requests a reset token for recovery of his account,a reset token is being to...

7.2AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 2:22 p.m.19 views

Infogram: Server Side Request Forgery on JSON Feed

Hi Team, I would like to report SSRF issue. PoC: 1. Navigate to https://infogram.com/app/user-project. 2. Click on edit logo fields and click on add JSON Data. 3. Enter urlopenport response is Download failed 4. Enter urlclosedport response is Invalid data source Fix: Don't give permission to por...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 2:15 p.m.38 views

Infogram: User Enumeration

Vulnerability:- -User enumeration is possible through forgot password feature. steps to reproduce:- -Go to the above selected domain and go to forgot password. -You can submit a mail address and check whether it is existing in your database or not. Remediation:- -It should display like "if that...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 2:1 p.m.32 views

Infogram: Weak Password Policy on Signup

Hi Team, i would like to let you know about password management issue. PoC: 1. Navigate to signup page. 2. Fill you details and give password as simple as 123123. 3. You can see you will be registered and there is no strong enforcement. Fix: Use complex password management. Regards, Mr.R3boot...

7AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 1:54 p.m.17 views

Infogram: Stored Cross-Site scripting in the infographics using Data Objects links

Description Hello. This stored XSScase is different from early reported 280495, but has a very similar root cause and reproduction steps. Upon pasting the link to the Text Object not in the Add Media section, like in previous report, we can intercept the request, and change the link source to the...

6AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 1:35 p.m.18 views

Infogram: Tabnabbing via window.opener

Hi Team, i would like to report tab nabbing issue on your domain. Details: When you open a link in a new tab target="blank" , the page that opens in a new tab can access the initial tab and change it's location using the window.opener property. PoC: 1.Navigate to...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 1:24 p.m.20 views

Infogram: Stored Cross-Site scripting in the infographics using links

Description Hello. I discovered, that it is possible to conduct Stored XSS attack in the public infographics pages. Upon pasting the link, we can intercept the request, and change the link source to the malicious - which will result to the Stored XSS POC...

6.2AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 12:40 p.m.27 views

Infogram: SPF Misconfiguration

I am just looking at your SPF records then found following. SPF Records missing safe check which can allow me to send mail on behalf of infogram. PoC: The TXT records found for your domain are: "v=spf1 include:spf.google.com include:spf.mandrillapp.com include:mailgun.org all" Simply anyone can u...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 10:58 a.m.21 views

Infogram: No Rate limit on Password Reset Function

Hello Infogram Security Team Description:- I have identified that when resetting the password, the request has no rate limit which then can be used to brute force through one request. Which can be annoying to the infogram users. Steps to reproduce:- Request for password reset link. Catch the abov...

7AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 7:55 a.m.30 views

Boozt Fashion AB: No Confirmation During Email Change

Hello Team, Your system is letting to change email address without confirmation. User can change the password without any confirmation. Anyone can access or make change to any account if that account is logged in public computer. So, it is better to send email to user email and confirm the change...

7AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 6:15 a.m.29 views

Tor: Enforce minimum master password complexity

Hi Team, Actual results: There is no password complexity set for Master password in about:preferencessecurity , Because I was able to set my password like 123,123456,www, admin etc which is really common, apart from that we can use spaces as well in master password i was able to set space as my...

7AI score
Exploits0
Hacker One
Hacker One
added 2017/10/18 6:30 p.m.8 views

Weblate: Improper validation of unicode characters#2

It was reported that some Unicode chars cause Weblate to crash. Upon further investigation it has shown that the issue was unrelated to Unicode. The reported was just unlucky to perform testing while there was temporary error on the database...

3.4AI score
Exploits0
Hacker One
Hacker One
added 2017/10/18 5:59 p.m.28 views

Inflection: Malicious callback url can be set while creating application in identity

Researcher found that while creating any application in identity, you are required to provide callback url. If you provide a malicious callback url then javascript will stop you from submitting form. But their is no server side validation and we can use an application proxy to bypass the javascri...

1AI score
Exploits0
Hacker One
Hacker One
added 2017/10/18 5:55 p.m.53 views

Boozt Fashion AB: Users Unable to login using Gmail/Facebook on https://boozt-stage1.booztx.com/login

Hi Team, when i try to login in this subdomainhttps://boozt-stage1.booztx.com/login using gmail or facebook,the login form does not redirect me to gmail/facebook,it is giving the error message since it is blacklisted by the server. Steps to Reproduce: 1 Goto https://boozt-stage1.booztx.com/login ...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/18 4:32 p.m.28 views

HackerOne: Issue with password change in Disabled Account

Hello Hackerone, Summary: I have found that 38343 is not yet fully fixed, disabled user is not always gets notification about password change when a password is changed via password reset link, then such a notification is not send to the disabled user. Description Include Impact: When a password...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/18 3:30 p.m.21 views

Nextcloud: Broken link for wrong domain entry may be leveraged for Phishing, Misinformation, Serving Malware

Hi Team, Page: https://nextcloud.com/news/16/ Broken link for incorrect DNS entry: It seems like a typo and makes the tld as .comg instead of .com. Now other than usability issue for users, it poses security risk as .comg can be claimed as a gTLD since it is not a reserved TLD Similar to...

Exploits0
Hacker One
Hacker One
added 2017/10/18 3:14 p.m.26 views

Gratipay: Broken link for stale DNS entry may be leveraged for Phishing, Misinformation, Serving Malware

Hi Team, Page: https://gratipay.com/Breadcrumbel/ Broken link for stale DNS entry: Homepage Root domain breadcumbry.com has expiration date: Registrar Registration Expiration Date: 2018-06-10T18:18:30Z And also from whois: Domain Status: OK https://icann.org/eppok OK status means it has no...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/18 10:19 a.m.14 views

Legal Robot: Chat exposed using cookie

Hello Broken authentication and session management: Attacker can use cookies of an authenticated user to reads and write the chat on the behalf of user and miss guide the legalrobot team. Steps to reproduce: Sign-in https://app.legalrobot.com/sign-in Check the cookies of domain legaltobot.com...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/18 4:53 a.m.14 views

Weblate: Improper validation of unicode characters

unicode characters are not properly being validated on the https://demo.weblate.org/accounts/profile/preferences in specical character Screenshot showing this is attached below...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/17 4:41 p.m.81 views

Internet Bug Bounty: Out of bounds read in libcurl's IMAP FETCH response parser

Reported to the curl security mailing list on 6 October 2017. Acknowledged on 6 October 2017. Patched on 8 October 2017. Reported to distros@openwall on 17 October 2017. Public release on 23 October 2017. CVE Pending. Vulnerability An IMAP FETCH response line indicates the size of the returned...

6.4CVSS8.8AI score0.06224EPSS
Exploits0
Hacker One
Hacker One
added 2017/10/17 4:11 p.m.21 views

CodeIgniter: If the developer forgets to remove the built in controller welcome.php it helps the attacker to identify that the site is built with Codeigniter

The attacker can check the website's backend technology simply by typing sitename/index.php/welcome/index it will display the codeigniter welcome page if the developer dosen't removed the built in controller and view welcome.php and welcomemessage.php i attaching a screenshot below as a proof of...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/17 3:53 p.m.18 views

Inflection: Limited arbitrary text inclusion in user invite emails

When creating a GoodHire account, a fairly wide range of ASCII characters are permitted in certain fields like Company Name. This field is included in email templates that are automatically sent to new users when an account owner invites them to join a GoodHire account. Theoretically, spam conten...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/17 12:58 p.m.38 views

X (Formerly Twitter): Listing of Amazon S3 Bucket accessible to any amazon authenticated user (metrics.pscp.tv)

Summary: It's possible to get a listing of every files in the S3 bucket metrics.pscp.tv Description: The problem is using the AWS command line, it's possible to get a listing of files in the Amazon S3 Bucket with an AWS authentication. See screenshot F230035. This user authentication is easy to g...

7AI score
Exploits0
Hacker One
Hacker One
added 2017/10/17 12:8 p.m.13 views

Dropbox: Dropbox employee benefits documents are available in a test Dropbox folder

This report pointed out that we had left a shared link to a copy of our employee benefits documentation in a particular iOS build. This link was likely used for ad-hoc testing at some point and accidentally left in the build. While there is little security risk here, we removed the link from...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2017/10/17 9:11 a.m.16 views

WordPress: Content Spoofing @ https://irclogs.wordpress.org/

Hello, Greetings, Today I was Free So I Decided to Do Pentest WordPress So i Found a SubDomain which is Vulnerable to Plain text Content Spoofing. PoC:- Url:- https://irclogs.wordpress.org/chanlog.php?channel=wordpress&day=Message Goes Here&sort=asca Example:-...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/17 4:35 a.m.15 views

HackerOne: Invalid Host detection at https://hackerone.com/redirect

Hello,99 Summary: Host detection at https://hackerone.com/redirect is invalid and insecure. Description : On redirection page, host is detected and highlighted to prevent phishing attacks. But that protection is weak and can be bypassed. So an attacker can redirect victim on another host instead ...

7AI score
Exploits0
Hacker One
Hacker One
added 2017/10/16 8:5 p.m.23 views

arxius: API leaking infinite amount of valid Tokens.

Hi, I have found a leaking token API for the domain "https://arxius.io/" that is generating infinite amount of random valid tokens. Reproduce: 1. Go to the url: "https://arxius.io/api/account/token" 2. You can see the token generated. 3. Every time you reload the page a new random valid token is...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/16 6:5 a.m.33 views

Mail.ru: [lk-cdn.3igames.mail.ru] apc.php

APC UPS status monitoring script was available from outside on lk-cdn.3igames.mail.ru 3igames.mail.ru is not currently covered with bug bounty program...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2017/10/16 1:6 a.m.27 views

Ian Dunn: Timing Attack in Google Authenticator - Per User Prompt

Google Authenticator - Per User Prompt contains a timing attack vulnerability in how it validates the application password for a user account. if sha1 $attemptedpasswordplaintext === $validpasswordhash || wpcheckpassword $attemptedpasswordplaintext, $validpasswordhash...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2017/10/15 11:19 p.m.31 views

Ian Dunn: Formula injection via CSV exports in WordCamp Talks plugin

The WordCamp Talks plugin does not attempt to sanitize CSV exports, which can lead to spreadsheet formula injection via malicious inputs. POC ======== Submit a new talk with the title of =1+1. Visit the All Talks page /wp-admin/edit.php?posttype=talks Click the CSV Export link Open the downloaded...

7AI score
Exploits0
Hacker One
Hacker One
added 2017/10/15 8:36 p.m.12 views

WordPress: [BuddyPress 2.9.1] Open Redirect via "wp_http_referer" parameter on "bp-profile-edit" endpoint

Hi, In a similar manner to 228569, it is currently possible to execute authenticated open redirections via the wphttpreferer parameter used in the BuddyPress extended user edit screen. Proof of concept Upon accessing the below URL, please select the "Update Profile" button, then select the "←Back...

7AI score
Exploits0
Hacker One
Hacker One
added 2017/10/15 3:33 p.m.20 views

Legal Robot: XSS on app.legalrobot.com

Go to app.legalrobot.com 2. Open the browser's javascript console 3. Type alert/xss!/ and press enter 4. Profit!...

1.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/15 1:44 p.m.45 views

Unikrn: Email abuse and Referral Abuse

Summary: Abuse of Email Invite and Referral Abuse Description: Logic Flaws : 1. Users have been provided with an option to invite friends as referrals. It is possible to abuse your email invite service by repeating the same request. It is a discredit to unikrn if someone repeatedly sends the...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2017/10/15 12:16 p.m.11 views

U.S. Dept Of Defense: SQL Injection on █████

Background: It looks like the patch for 231338 has been reverted and this subdomain is yet again vulnerable to SQL injection. Summary: An Airforce subdomain is vulnerable to SQL Injection because the application does not produce sufficient validation on user input. This allows an attacker to...

1.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/15 12:13 p.m.24 views

Inflection: Amount Manipulation Buy Unlimited Credits in just $1.00

Researcher filed a duplicate report of an issue that had already been identified by another researcher and then requested public disclosure when we closed this as a duplicate...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/15 9:48 a.m.19 views

Inflection: HTTP Host Header Injection on app.goodhire.com

Researcher reported an issue that was previously reported by a different researcher and subsequently removed from program scope and then requested that we publicly disclose the report after closing it as a duplicate...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/15 8:33 a.m.27 views

Mail.ru: blind XXE when uploading avatar in mymail phone app

Blind XML external ENTITY / DTD injection via avatar upload feature in My.Com's MyMail backend results in potential SSRF...

7.5AI score
Exploits0
Total number of security vulnerabilities15372