Lucene search
K
HackeroneRecent

15372 matches found

Hacker One
Hacker One
added 2017/09/26 8:0 p.m.14 views

Razer US: Reflected XSS in deals.razerzone.com via the interesting parameter.

Summary --- deals.razerzone.com is vulnerable to Reflected XSS via the interesting parameter. Affected Code --- html var ThisPageOn = "recommended", pageNum = 2, isLoading = false, delIntresItem = 0, delNotIntresItem = 0, delOwnedItem = 0, intres = -1 abba alert1 ; var ownedLang = "OWNED",...

6.2AI score
Exploits0
Hacker One
Hacker One
added 2017/09/26 7:16 p.m.47 views

Razer US: Reflected XSS on the https://deals.razerzone.com/json/translation endpoint

Thanks to SP1D3RS for the great report and working with the team on this one. This was a trivial POST-XSS, caused by using text/html Content-Type on the JSON endpoint, and ability to control the part of the response using unsanitized input. Why I disclosed it if this is a trivial issue? I pretty...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2017/09/26 4:44 p.m.19 views

Internet Bug Bounty: Interger overflow in eval trigger write out of bound

Hi security team, i reported some samples triggered crash in eval funtion in perl. The bug come because variable start and items used type I32 which takes half the range of linet and folds it into negative numbers, leading to trying to store the lines at negative indexes...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/09/26 4:40 p.m.18 views

GSA Bounty: SSRF/XSPA in labs.data.gov/dashboard/validate

Hi. This vulnerability allows access to all ports locally. Which is not visible from the web. 1We need an interim site file index.php 2Next we write in index.php 3Next go to https://labs.data.gov/dashboard/validate And write url - for example http://example/index.php If the port will be open...

Exploits0
Hacker One
Hacker One
added 2017/09/26 3:51 p.m.103 views

Dropbox: Android - Access of some not exported content providers

The report indicates a flaw in our Android application that would allow a malicious app to gain read/write access to some cached files provided the attacker knows the name of the files and other minor pieces of information. The vulnerability was caused by not validating the package name of an...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/09/26 1:17 p.m.50 views

Rockstar Games: Client-side Template Injection in Search, user email/token leak and maybe sandbox escape

In this report, the researcher was able to perform AngularJS Template Injection on our Support site in order to retrieve data, including email address, userid and tokens. Typically, a user is always able to retrieve this information about themselves and on its own, this is known behavior. However...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2017/09/26 12:14 p.m.19 views

Legal Robot: Improper Implementation of Password strength checker

Hi, I have seen Improper Implementation of Password strength checker for registration and login page. Once it suggest complex password, one can alter the password but the complexity remain the same Its usually related to Ajax or auto-reload implementation. PoC ------------------------------------...

7AI score
Exploits0
Hacker One
Hacker One
added 2017/09/26 9:30 a.m.22 views

MapsMarker.com e.U.: facebook button URL should be HTTPS

hi team .. l click to facebook button on https://www.mapsmarker.com/ outgoing links not use HTTPS please fix soon This is just for the awareness to use HTTPS everywhere, even for outgoing links - where it's possible. Treat this report with some salt, not as in hashes. POC screenshot...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/09/25 9:45 p.m.25 views

New Relic: Bypass of my two other reports #267636 + #255894 - (IDOR) Ability to see full name associated with other New Relic accounts

@jonbottarini discovered an issue where names associated with arbitrary existing email addresses can be revealed in the Alerts Notification Channel UI. As with similar previously-reported issues, this was resolved by obfuscating that information before it's presented...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/09/25 8:35 p.m.32 views

Shopify: Stored XSS in partners dashboard

Hello Stored XSS and UI redressing on https://partners.shopify.com/partnerID/confirm. PoC: 1.Change your First Name and Last Name with XSS payload on https://accounts.shopify.com/account 2.Create an account on https://partners.shopify.com/ or if you have an account on...

1.1AI score
Exploits0
Hacker One
Hacker One
added 2017/09/25 6:16 p.m.22 views

Rockstar Games: Leak IP internal

The researcher found an old marketing web application for one of our previous titles that was not properly decommissioned. As a result, an internal IP address and a set of DB credentials were being exposed. Fortunately, the database in question had already been decommissioned so the credentials...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/09/25 2:43 p.m.65 views

Instacart: Bruteforcing password reset tokens, could lead to account takeover

Hey Instacart security team, Description When resetting a new password on https://shoppers.instacart.com/password you will receive an email with a reset link. when clicking on this link. you go to this page: https://shoppers.instacart.com/password/edit?resetpasswordtoken=YourToken when entering a...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/09/25 12:54 p.m.16 views

HackerOne: Banned researcher gets email updates on a private program.

Hi Team, I found out that after getting banned from the program, I still getting email updates about the private program, e.g. access of beta product, new scope changes etc. Those private messages can contain some important data that program doesn't want to share with the banned researcher for ex...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2017/09/25 6:21 a.m.16 views

Zomato: Admin Access to a domain used for development and admin access to internal dashboards on that domain

@prateek0490 Was able to find our development server without any authentication. Which leads to leak the user data and some internal dashboards...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/09/25 3:15 a.m.18 views

New Relic: NR Internal_API call allows me to read the events/violations/policies/messages of ANY New Relic account (AND pull data from infrastructure)

@jonbottarini identified an issue with an API used to populate the UI across different products. This API wasn't properly validating the account ID for certain requests, returning information for any ID presented. I wrote up a quick overview about this issue here:...

1AI score
Exploits0
Hacker One
Hacker One
added 2017/09/25 2:56 a.m.47 views

Zomato: Potential server misconfiguration leads to disclosure of vendor/ directory

Hi, Apologies for the weakness label, it was the closest I could find for what appears to be a server misconfiguration. Typically, in MVC frameworks like Slim which I see you are using here, Symfony, Laravel, etc., the front controller is the only thing exposed, leaving vendor/, logs/, and others...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/09/24 7:31 p.m.19 views

Avito: [avito.ru] Утекают креды от платежных провайдеров

Происходила утечка реквизитов от внешних систем в исходном коде страницы сайта...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2017/09/24 7:10 p.m.15 views

Avito: [avito.ru] ImageMagick uninitialized image palette

Привет! При подаче объявления можно загружать фотографии. Они обрабатываются уязвимой версией ImageMagick. Для эксплуатация запускаем https://github.com/neex/gifoeb Генерируем payload. r=640x480 mkdir -p forupload && for i in seq 1 10; do ./gifoeb gen $r forupload/$i.gif; done Загружаем наши...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2017/09/24 4:13 p.m.23 views

Internet Bug Bounty: Format string implementation vulnerability, resulting in code execution

In a security audit to the sprintf implementation in perl version 5.24.1 I found a major security vulnerability, here are the full details. Timeline: ====== 6th of May, 2017 - disclosure to the PERL security mailing list 8th of May, 2017 - vulnerability confirmed by PERL's security group, found...

7.7AI score
Exploits0
Hacker One
Hacker One
added 2017/09/24 3:25 p.m.98 views

HackerOne: Homograph fix Bypass

Hello Hackerone! I have possibly found a way to bypass your current Homograph Attack Fix. Lets look at two HACKERONE Redirect URL: CASE 1: https://hackerone.com/redirect?signature=829727b4188c43dcf394fd841fd19a8b7f391bd1&url=https%3A%2F%2Fwww.yelp.com%2F Got the above link generated by posting...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2017/09/24 4:36 a.m.12 views

Nextcloud: NextCloud is also Accepting OCTET-STREAM Type of Documents instead of jpg or Imge Files Only

Summary: I noticed that NextCloud is accepting OCTET-STREAM Type of Files Where you have Background/Logo Upload Option. I Believe that NextCloud is Checking for Such Type of Files but i can upload application/octet-stream Type of Documents by Crafting a Special Type of File In this case i created...

0.6AI score
Exploits0
Hacker One
Hacker One
added 2017/09/23 9:6 p.m.50 views

Zomato: SSRF in https://www.zomato.com████ allows reading local files and website source code

@nbsp found a SSRF vulnerability which leads to read local files from the web server source code & system files. We have resolved the issue quickly and rewarded the researcher...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2017/09/23 2:41 p.m.24 views

Lyst: Bypassing one-time checkout router page (revealing payment information)

Description: ======== When user submits for a checkout, the checkout router page /checkout-router/ID/ is accessible only once, which can be bypassed by crafting the checkout ID in cookie basketkey send to the page /new/checkout/order/. combining with brute-force attack, if the ID is valid a resul...

7.3AI score
Exploits0
Hacker One
Hacker One
added 2017/09/22 8:53 p.m.140 views

Automattic: [app.simplenote.com] Stored XSS via Markdown SVG filter bypass

Hi, A carefully crafted injection used against the Markdown input parser can be leveraged to store and execute arbitrary JavaScript in the app.simplenote.com context. Proof of concept Before proceeding to reproduce this vulnerability, please log in to app.simplenote.com and create a new note with...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2017/09/22 8:33 p.m.50 views

GitLab: [Markdown] Stored XSS via character encoding parser bypass

Hi @briann and team, A carefully crafted injection used against the Markdown input parser can be leveraged to store and execute arbitrary JavaScript on GitLab 10.0 hosts. Given the nature of this injection, which makes use of a rather esoteric filter bypass, the scope for exploitation may vary...

7.5AI score
Exploits0
Hacker One
Hacker One
added 2017/09/22 8:23 p.m.28 views

HackerOne: resolved bugs in a program are public despite the program settings

Summary: when navigating to https://hackerone.com/YOURPROGRAMHANDLE/displayoptions and unchecking the Reports resolved checkbox, the resolved bugs number won't be public at the program page, but going to https://hackerone.com/directory?query=YOURPROGRAMHANDLE , the number of the resolved bug will...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2017/09/22 7:52 p.m.153 views

Shopify: Shopify admin authentication bypass using partners.shopify.com

@uzsunny reported that by creating two partner accounts sharing the same business email, it was possible to be granted "collaborator" access to any store without any merchant interaction. We tracked down the bug to incorrect logic in a piece of code that was meant to automatically convert an...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2017/09/22 6:30 p.m.12 views

Informatica: [marketplace.informatica.com] - Sensitive Data Exposure

The researcher has identified and reported a Sensitive Data Exposure vulnerability in one of the Informatica's domain, and helped us in resolving the issue...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/09/22 7:4 a.m.27 views

Legal Robot: Clickjacking in Legalrobot app

Dear Team, POC Please find attached screenshots Steps to reproduce: create index.html file with following content: Open index.html in browser Actual result: Legalrobot email verification page is viewed in iframe. Remediation: Frame busting technique is the better framing protection technique...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/09/22 1:21 a.m.18 views

Razer US: Reflected XSS in razer-id.razerzone.com

The researcher discovered a reflective XSS that allowed the injection of a javascript scheme into a URL on the razer-id server. This was reported on 9/21 and the fix deployed to production on 10/19...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2017/09/21 8:55 a.m.18 views

VK.com: Узнаем название и аватарку частной группы, по ID приложения.

Просмотр названия и аватарки частной группы. Отображение названия частной группы и миниатюры аватарки...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/09/21 2:34 a.m.21 views

RubyGems: Unpacker improperly validates symlinks, allowing gems writes to arbitrary locations

Unpacker improperly validates symlinks, allowing gems writes to arbitrary locations The RubyGems installer attempts to prevent a gem from writing any files outside the install directory; however it is possible to bypass the check with a symbolic link in a crafted gem. Example structure of malicio...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2017/09/21 2:26 a.m.14 views

RubyGems: Installer can modify other gems if gem name is specially crafted

Installer can modify other gems if gem name is specially crafted The installlocation function allows writing to certain files outside the installation directory. The installlocation function in lib/rubygems/package.rb attempts to ensure that files are not installed outside destinationdir. However...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2017/09/21 1:42 a.m.27 views

WordPress: Reflected Swf XSS In ( plugins.svn.wordpress.org )

Hello , I have found XSS in flash File video-js.swf in plugins.svn.wordpress.org and Content Spoofing Vulnerability in moxieplayer.swf POC https://plugins.svn.wordpress.org/1player/tags/1.3/players/video-js/video-js.swf?readyFunction=alert%27Hello%27 F222664...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2017/09/21 1:10 a.m.22 views

Internet Bug Bounty: Denial of service in libxml2, using malicious lzma file to consume available system memory

Reported to the libxml2 devs on 23 August 2017 Patched on 7 September 2017 It was discovered through fuzzing that malicious LZMA compressed files could consume large amounts of memory when decompressed thus posing a DoS risk. I am unsure if a CVE will be assigned in this case. od -tx1 ./test000...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2017/09/20 11:54 p.m.16 views

Razer US: Database credentials leak on the https://razer-id.razerzone.com/

The tester discovered database parameters left around in a YAML file that was publicly visible. The credentials were for a database that was no longer in use and never stored sensitive data, but we consider this a good find anyway because this was out of bounds of our security practices. I...

6.7AI score
Exploits0
Hacker One
Hacker One
added 2017/09/20 9:26 p.m.35 views

Razer US: Open redirect on oauth2.razerzone.com due to missing verification of redirect-uri paramether on /thirdparty endpoint

Thanks to SP1D3RS for a great report. Although there was some initial difficulty verifying this vulnerability in triage, he was very professional and helpful working with the team to make sure this was understood. This was fixed in production on 10/16. I discovered the Open Redirect on the...

6.5AI score
Exploits0
Hacker One
Hacker One
added 2017/09/20 9:12 p.m.47 views

Razer US: Open redirect on oauth2.razerzone.com caused by server misconfiguration when using triple slash after hostname

Another solid report form this tester, who helped us nail down the issue when it was only intermittently reproducible. We appreciate the hard work. I discovered the Open Redirect on the oauth2.razerzone.com due to improper handling of multiple/encoded slashes and dots in the URL path. POC link:...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/09/20 3:38 p.m.25 views

VK.com: XSS в приглашении в группу

Отсутствие фильтрации параметров при приглашении в группу. Дыра в меню приглашения друзей в группу, позволявшая встраивать код через url...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/09/20 3:20 p.m.56 views

Zomato: [www.zomato.com] IDOR - Leaking all Personal Details of all Zomato Users through an endpoint

Hacker is able to get the PIPersonal Information of any Zomato user...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/09/20 2:58 p.m.12 views

Kaspersky: Keys

Check the attachment...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/09/19 11:46 p.m.33 views

Nextcloud: WordPress < 4.8.2 vulnerable to multiple attacks

Hello team, Summary: I observed that your website https://nextcloud.com still uses WP less than 4.8.2 which is vulnerable to multiple attacks, i reported it so that the team will be aware of it, below are the new discovered bug that you can find on this release:...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/09/19 6:4 p.m.264 views

Internet Bug Bounty: Optionsbleed / CVE-2017-9798

Bug has been disclosed here: https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html poc code: https://github.com/hannob/optionsbleed Apache is currently preparing 2.4.28, which will contain the fix, a patch is available in their svn repo...

5CVSS7.8AI score0.94999EPSS
Exploits9
Hacker One
Hacker One
added 2017/09/19 2:1 p.m.35 views

HackerOne: Report Private Links Leaks to Google Analytics via Query String Param

Hello HackerOne Team, According to HackerOne privacy HackerOne sometimes partners with third-party services which may use various tracking technologies to provide certain services or features, including targeted online marketing. These technologies allow a partner to recognize your computer or...

6.4AI score
Exploits0
Hacker One
Hacker One
added 2017/09/19 12:46 p.m.19 views

ownCloud: Banner Grabbing - Apache Server Version Disclousure

Hello ownCloud, I'd like to report a nice little bug. Banner Grabbing is a technique used to gain information about a remote server. Additionally, this technique is use to get information about remote servers. I've captured the HTTP request while visiting https://marketplace.owncloud.com/ and...

7AI score
Exploits0
Hacker One
Hacker One
added 2017/09/19 11:46 a.m.26 views

Mail.ru: XSS в письме, в теле письма.

Здравствуйте! XSS срабатывает на e.mail.ru, m.mail.ru, light.mail.ru и в мобильном приложении. Уязвимость присутствует в параметрах стилей, в ...здесь... срабатывает, если экранировать символы. Рабочий вектор здесь одиночные бэкслэш, в примере ещё ниже хостинг обрезал до одиночных: i\\ Отправка...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/09/19 10:42 a.m.43 views

Nextcloud: Banner Grabbing - Apache Server Version Disclousure

Hello Nextcloud, I'd like to report a nice little bug. Banner Grabbing is a technique used to gain information about a remote server. Additionally, this technique is use to get information about remote servers. I've captured the HTTP request while visiting https://customerupdates.nextcloud.com an...

Exploits0
Hacker One
Hacker One
added 2017/09/19 7:37 a.m.14 views

Tor: Tor Project - Full Path Disclosure

Vulnerability description not provided...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2017/09/18 10:15 p.m.42 views

Mail.ru: XSS on https://account.mail.ru/login via postMessage

Обработчик сообщений на страничке https://account.mail.ru/login не проверяет источник, что позволяет вызвать любую доступную команду с произвольного ресурса: js // https://img.imgsmail.ru/ag/0.3.3/authGate.js:formatted function ca a = a || window.event; var c, d, h = , i = a.data, j = a.source; i...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/09/18 10:6 p.m.10 views

Tor: SQL Injection in parameter REPORT

Vulnerability description not provided...

7.1AI score
Exploits0
Total number of security vulnerabilities15372