Lucene search
K
HackeroneRecent

15372 matches found

Hacker One
Hacker One
added 2017/10/05 12:31 p.m.66 views

Mail.ru: Unupdated ImageMagic leads to uninitialized server memory disclosure

It was possible to disclosure the part of server memory from uncontrolled location on account.my.com project via uploaded GIF image header manipulation. account.my.com is not currently in the Bug Bounty scope, reward was paid as a bonus due to potential severity. CVE-2017-15277...

4.3CVSS7.1AI score0.19193EPSS
Exploits4
Hacker One
Hacker One
added 2017/10/05 9:6 a.m.18 views

Paragon Initiative Enterprises: Invited user to a Author profile can remove the owner of that Author

SUMMURY: ------------------------------------- A user invite another user to his author by giving ownership. ------------------ Later invited user can completely remove the real owner from that author . ------------------- ----------------------------------- STEP TO REPRODUCE:...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2017/10/04 9:12 p.m.18 views

Grab: stored xss in comments : driver exam

@pareshparmar found a Stored XSS vulnerability in an out-of-scope third party web application use by Grab. We decided to make an exception of our bug bounty policy here and accepted this out-of-scope finding because we believed that the stored-XSS was a real risk for our customers. With the...

6AI score
Exploits0
Hacker One
Hacker One
added 2017/10/04 11:56 a.m.68 views

Snapchat: Subdomain Takeover via Unclaimed WordPress site

@ysx found a bitstripsforschools CNAME entry pointing to an unclaimed WordPress domain, which could be taken over by an external party. The CNAME entry was for a product that is no longer active. An unclaimed WordPress domain mapping upgrade could be leveraged to assume the...

2.1AI score
Exploits0
Hacker One
Hacker One
added 2017/10/04 10:47 a.m.50 views

Legal Robot: cross site web socket hijacking

In the below web-socket request successful 101 protocol handshake is working with the origin:https://app.legalrobot.com, but if you place the malicious origin in the place of https://thisdata.com which is http://evil.com or any page containing the malware, the web socket server is still giving 10...

Exploits0
Hacker One
Hacker One
added 2017/10/04 6:57 a.m.8 views

Tor: https://get.ooni.torproject.org/

Vulnerability description not provided...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2017/10/04 4:6 a.m.47 views

RubyGems: Request Hijacking Vulnerability in RubyGems 2.6.13 and earlier

We received this report via security@ from [email protected], I'm filing here for tracking and visibility purposes... "I was looking at commit 8d91516fb7037ecfb27622f605dc40245e0f8d32, which was the fix for the DNS hijacking issue CVE-2017-0902. The function still handles the DNS response in ...

6.8CVSS0.4AI score0.0475EPSS
Exploits1
Hacker One
Hacker One
added 2017/10/04 3:25 a.m.20 views

Rockstar Games: Your support community suffers from angularjs injection and must be fixed immediately [CRITICAL]

In this report, the researcher found that due to our implementation of AngularJS on our Support site, we were susceptible to limited-scope code injection attacks. Particularly, they found that by injecting ... blocks in the comment body parameter, they were able to cause errors that could be...

3.1AI score
Exploits0
Hacker One
Hacker One
added 2017/10/03 2:36 p.m.19 views

VK.com: Хранимая XSS в функционале добавления аудио в WYSIWYG

XSS в Wiki...

6.3AI score
Exploits0
Hacker One
Hacker One
added 2017/10/03 9:17 a.m.28 views

Legal Robot: Allowance of Meta/Null characters

Dear sir, I am very happy to report a vulnerability to legalrobot. Recently, the report 260468 is disclosed publicly and that report describes about the restriction lengths of profile fields "first name and last name". Now, i am reporting an another vulnerability regarding those profile fields...

1.7AI score
Exploits0
Hacker One
Hacker One
added 2017/10/03 7:32 a.m.18 views

Paragon Initiative Enterprises: CSRF token does not valided during blog comment

SUMMURY ================= i tested that all post request has CSRF token. During Author profile creation also a CSRF token is posted. Now when i removed this CSRF token , show s error like bellow CSRF validation failed 0 /var/www/csprng/src/Cabin/Bridge/Controller/Author.php52:...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2017/10/03 2:25 a.m.25 views

VK.com: Хранимая XSS на странице "Виджет для авторизации"

Self-XSS на странице документации виджета. На счет того Self-XSS это или нет - оставляю на усмотрение общественности. Но лично мое мнение - команда vk тут все же ошибается. Для эксплуатации уязвимости атакующий должен был: Создать приложение с именем javascript:alert1;// Добавить атакуемого...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/03 12:38 a.m.45 views

Grab: www.drivegrab.com SQL injection

Summary: The website uses a WordPress plugin called Formidable Pro. I found an SQL injection in the plugin code. Description: The plugin allows the site admin to create forms to be filled by users. For this end it implements some AJAX functions, including one to preview or actually just view a...

8.2AI score
Exploits0
Hacker One
Hacker One
added 2017/10/02 9:36 p.m.12 views

Automattic: Invalidate session after password reset on https://polldaddy.com

Hi there, I found broken session bug on your website.Your website is unable to validate the session.That may lead takeover victims account. Reproduce: 1.Go to https://polldaddy.com and log into your account from two different browsers. 2.Now change password from any browser you already logged in...

7AI score
Exploits0
Hacker One
Hacker One
added 2017/10/02 5:26 p.m.11 views

Tor: Content spoofing on

Vulnerability description not provided...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2017/10/02 4:38 p.m.28 views

Paragon Initiative Enterprises: Improper access control lead To delete anyone comment

SUMMURY ======================== Here server dont check the owner of any comment. During Comment deletion it does not check whether the comment is created by user or not. so i can delete a comment of others user. STEP TO REPRODUCE ======================= 1. goto https://localhost:8080/blog/commen...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2017/10/02 4:29 p.m.22 views

Radancy: [werkenbijmcdonalds.nl] Unsafe-inline in "script-src" results in "bootstrapping" or passing data to JavaScript from HTML pages.

Hi Dear Maximum Team Hope you are good! Vulnerablity Summary The HTTP header of the werkenbijmcdonalds.nl website includes an unsafe-inline parameter for "script-src". Impact: However, the "script-src" parameter is set to "unsafe-inline" or "unsafe-eval", which allows injection of user passed...

6.5AI score
Exploits0
Hacker One
Hacker One
added 2017/10/02 9:31 a.m.80 views

WordPress: Information / sensitive data disclosure on some endpoints

Hello team! While doing a preliminary recon on .wordpress.org I've come across a few sensitive files that should not be facing the public web; I'll leave you a list organized by criticality and some proof. High priority .travis.yml configuration file with credentials php maintenance/install.php...

7.2AI score
Exploits0
Hacker One
Hacker One
added 2017/10/02 5:59 a.m.1856 views

X (Formerly Twitter): Unauthorized Access to Protected Tweets via niche.co API

Hello, Summary: Normally If user victim set to private / protect their tweets in setting Tweet privacy, other people/user will not able to see their recent or their pass status/twits when they visit his/her victim profile. people only can see their victim profile images and information about how...

6.2AI score
Exploits0
Hacker One
Hacker One
added 2017/10/01 7:24 p.m.38 views

Gratipay: Adding Used Primary Email Address to attacker account and Account takeover

Summary I just found that the Gratipay is vulnerable for adding used Primary Email Address to attacker account and Account takeover of the Gratipay. Description I was looking at the source code of the application and I found that, "If the email address [email protected] is already added in the X...

7.3AI score
Exploits0
Hacker One
Hacker One
added 2017/10/01 5:13 p.m.14 views

Yelp: Leaking sensitive information lead to compromise employer API keys

The configuration file of an internal IRC bot which included credentials to internal services and some external services used by Yelp developers was inadvertently included by an employee in a personal public GitHub repository. The repository was taken down and the affected credentials rotated...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/01 7:59 a.m.76 views

WakaTime: Validation of Password reset tokens

Dear sir, At first, i am very happy to report an issue. Before three months, i reported to wakatime and again i am reporting another issue now. Note:-This report is similar to 244614 which was previously reported at the start of this bug bounty program. Vulnerability:- -If two password reset toke...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/01 7:24 a.m.15 views

Shopify: ability to install paid themes for free

Hi, Discription while searching for access control issues on shopify I noticed a subdomain of shopify https://themes.shopify.io which gave me the opportunity to install and download paid themes for free. POC 1. go to https://themes.shopify.io/login and login 2. select one of the paid themes and...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2017/09/30 12:35 p.m.32 views

Ubiquiti Inc.: Authenticated RCE in ToughSwitch

In ToughSwitch v1.3.5 and prior, due to lack of validation is possible to execute an CSRF. If an authenticated user access an attacker controlled web page, it could trigger the CSRF and the resulting request could trigger an RCE. An RCE vulnerability existed in the ToughSwitch that could be...

3.1AI score
Exploits0
Hacker One
Hacker One
added 2017/09/30 5:51 a.m.5 views

Tor: Multiple Path Transversal Vulnerabilites

Vulnerability description not provided...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2017/09/30 3:15 a.m.28 views

VK.com: XSS в товарах

Отсутствие фильтрации при поиске в товарах. Не было фильтрации некоторых символов в поиске товаров. Из-за еще одного встроенного фильтра все приравнивалось к ="" и не получалось выполнить js. Выход из ситуации был найден в тот же день, получилось выполнить js:...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/09/29 7:42 p.m.15 views

Shopify: User with removed manage shops permissions is still able to make changes to a shop

Description it has been noticed that when a partner account user with manage shops permissions installs app in the one of the managed shops he can still be able to make changes to the shop through that app although his manage shops permissions were revoked on partners.shopify.com. POC 1. create...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2017/09/29 2:33 p.m.11 views

Rockstar Games: Stored XSS via Send crew invite

In this report, the researcher was able to demonstrate a vulnerability in our Crew Invite mechanism that could have allowed an attacker to carry out a Stored XSS attack. By modifying a request in-flight and injecting unexpected characters in the Invitation message body, it was possible to escape...

6.1AI score
Exploits0
Hacker One
Hacker One
added 2017/09/29 1:42 p.m.55 views

Aspen: Information leakage on django.aspen.io

Hi Team, I got a error message that disclose the version of nginx with OS detail, since The version of nginx is vulnerable to integer overflow. Impact: By seeing this information attacker can throw only interger overflow attack in order to get sensitive information Finally Request you to remove...

4AI score
Exploits0
Hacker One
Hacker One
added 2017/09/29 1:32 p.m.51 views

U.S. Dept Of Defense: 2 vulnerabilities of arbitrary code in ████████ - CVE-2017-5929

Summary: GitHub repo: https://github.com/████████ QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. High Severity Arbitrary Code Execution Vulnerable module: ch.qos.logback:logback-core Introduced through:...

7.5CVSS3AI score0.07501EPSS
Exploits0
Hacker One
Hacker One
added 2017/09/29 1:50 a.m.19 views

Legal Robot: External links should be served in HTTPS.

Summary: This is just for the awareness to use HTTPS everywhere, even for outgoing links - where it's possible. Treat this report with some salt, not as in hashes. Navigate to: https://www.legalrobot.com/events/2017/06/12/ICAIL/ Some of the External Links on that Page redirects to HTTPS after...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/09/28 9:50 p.m.24 views

Unikrn: Weak Session ID Implementation - No Session change on Password change

Summary: Weak session id implementation Description: Unikrn does not change session id after password is changed. Reusing same session ids, after password is changed is highly risky. Example scenario: Hacker has successfully brute forced the password of a victim and has access to the account. The...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2017/09/28 8:51 p.m.21 views

Boozt Fashion AB: Bruteforce Unlimited number of password attempts

Hi team, This is my first ever report. So, thank you for your patience! URL: https://www.boozt.com/login Browser: Mozilla Firefox 55.0.2 64-bit on Ubuntu Tool: Burp Intruder Boozt account created for testing purposes only. I noticed that on your login page, an attacker can Brute force a login...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/09/28 8:16 p.m.47 views

Aspen: client_secret Token disclosure

Greetings, I think I've discovered a clientsecret token disclosure. Proof of concept: 1. Go to https://github.com/AspenWeb/experimental-javascript-version/blob/master/www/blog/index.html 2. At the line 6, a clientsecret token it's disclosed...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2017/09/28 5:44 p.m.15 views

██████: Remote Code Execution on Proxy Service (as root)

The proxy service used to provide researchers with access to certain programs on ██████ allows access to AWS's Metadata API. This Metadata API in turn is configured to expose temporary AWS access credentials for the AWS EC2 Run Command role. When this role is assumed by an AWS client e.g. the CLI...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2017/09/28 5:15 a.m.50 views

Aspen: No Rate Limit (Leads to huge email flooding/email bombing)

Dear sir, At first,i want to say that this sensitive action definitely should be set with rate limit. Note:-This is about huge bombing/brute force on any endpoints. Vulnerability:- -No rate limit has been set for generating account confirmation emails for accounts on above selected domain which i...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2017/09/28 4:8 a.m.14 views

Unikrn: CSRF in Raffles Ticket Purchasing

Description: ======== An API endpoint get executed with no CSRF prevention, the endpoint did not verify sessionid required in the post form. An attacker can crafted malicious form Poc, which is executed by authenticated user action leading to huge balance lost. Poc: === Recommendations:...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2017/09/28 3:11 a.m.39 views

Slack: Unauthenticated LFI revealing log information

@juji found a bug which allowed the disclosure of local files on certain servers - this included PHP files and logs. We performed a thorough investigation to ensure that this issue was not exploited, and as a precaution revoked tokens which were inadvertently logged. Thanks @juji! Write-up...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2017/09/28 1:5 a.m.34 views

Bitwarden: Organization Admin Privilege Escalation To Owner

Summary It seems there is an issue with your roles which allows an admin to escalate his own privileges to owner and takeover the organization. Reproduce 1. Create an account, accountA 2. Create another account, accountB 3. Create an organization under accountA and invite accountB to that...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/09/27 9:36 p.m.28 views

U.S. Dept Of Defense: SQL injections

Summary: An email is not well handeled and leads to sql injection. Description: This request POST /FileTransfer/Upload HTTP/1.1 Host: www.███████ The parameter from is injectable and leads to valid sql injection. Impact I didn't go all out and get a shell but, an attaker could exctract db...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2017/09/27 8:49 p.m.49 views

Internet Bug Bounty: Perl $ENV Key Stack Buffer Overflow

The CPerlHost::Add method in win32\perlhost.h is vulnerable to a stack buffer overflow. void CPerlHost::AddLPCSTR lpStr char szBuffer1024; LPSTR lpPtr; int index, length = strlenlpStr+1; forindex = 0; lpStrindex != '\0' && lpStrindex != '='; ++index szBufferindex = lpStrindex; szBufferindex = '\0...

7.5CVSS9.5AI score0.06981EPSS
Exploits1
Hacker One
Hacker One
added 2017/09/27 4:50 p.m.21 views

Aspen: Cross-origin resource sharing (CORS)

Cross-origin resource sharing CORS is a mechanism that allows restricted resources e.g. fonts on a web page to be requested from another domain outside the domain from which the resource originated. The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returni...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2017/09/27 4:6 p.m.19 views

Aspen: Server Path Disclosure

Hi Sir, I m Mahesh, Individual websecurity Researcher. i found server path disclosure in flask.io http://flask.aspen.io/en/latest/ http://flask.aspen.io/en/latest/index.html i found another path disclosure in django.io http://django.aspen.io/en/latest/ http://django.aspen.io/en/latest/index.html...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2017/09/27 2:0 p.m.25 views

Razer US: DOM XSS and Open Redirect on the themes.razerzone.com

We appreciate the report and look forward to working with sp1d3rs in the future. I discovered the Open Redirect on the https://themes.razerzone.com/developers/signin endpoint. The root cause of the redirect was the insecure changing of window.location without validation - the original URL paramet...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/09/27 1:23 p.m.17 views

Aspen: aspen | clickjacking

Hi Team, Found vulnerability of clickjacking on the domain "aspen.io". Please refer the below attached screenshot as POC. Clickjack test page Website is vulnerable to clickjacking! 2.save it as .html eg cj.html 3.and just simply open that in browser Issue Details :Clickjacking User Interface...

Exploits0
Hacker One
Hacker One
added 2017/09/27 12:35 p.m.85 views

Aspen: Password reset token leak on third party website via Referer header

Hi Security Team, Description It has been identified that the application is leaking referrer token to third party sites. In this case it was found that the password reset token is being leaked to third party sites which is a issue knowing the fact that it can allow any malicious users to use the...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2017/09/27 10:32 a.m.177 views

Bitwarden: Mailgun misconfiguration on email.bitwarden.com

Hi, While checking the subdomains i found that the subdomain email.bitwarden.com upon navigating downloads a file saying "Mailgun Magnificent API" And has the following DNS info DNS Records for email.bitwarden.com Hostname Type TTL Priority Content email.bitwarden.com SOA 899 ns-586.awsdns-09.net...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2017/09/27 3:28 a.m.30 views

Bitwarden: Export vault feature is vulnerable to CSV injection

Hello guys I don't know if you care about this issue but it seems that the export feature in your https://vault.bitwarden.com//tools is vulnerable to CSV injection. If a CSV contains a malicious command it may have big impact Even though there is a popup notification for users before opening the...

0.8AI score
Exploits0
Hacker One
Hacker One
added 2017/09/26 9:47 p.m.47 views

Brave Software: Download of (later executed) .NET installer over insecure channel

NOTE! Thanks for submitting a report! Please fill all sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty. Summary: Execution of file NDP-KB2901954-Web.exe fetched via...

3.3AI score
Exploits0
Hacker One
Hacker One
added 2017/09/26 8:52 p.m.33 views

Brave Software: Arbitrary local code execution via DLL hijacking from executable installer

NOTE! Thanks for submitting a report! Please fill all sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty. Summary: The executable installer BraveSetup-ia32.exe is vulnerable to DLL hijacking: it...

4AI score
Exploits0
Total number of security vulnerabilities15372