
15369 matches found

Hacker One • added 2022/06/26 8:46 a.m. • 47 views

curl: CVE-2022-35252: control code in cookie denial of service

Summary: I took a look at https://github.com/curl/curl/pull/9048/commits/d7bcbc7d8d4b6d972d3da12d54819169a19c287b, a sneak peek at a vulnerability to be announced tomorrow. My guess for that vulnerability is that since cookies are persistent, someone who can trick curl into storing cookies can sto...

CVSS 2.6 | AI score 5.9 | EPSS 0.01788
Exploits: 1
Hacker One • added 2022/06/25 5:13 p.m. • 22 views

Stripo Inc: Non-revoked API Key Information disclosure via Stripo_report()

Talking about report 983331, where a security researcher reported a secret API key leakage vulnerability in a JavaScript file at Stripo. This report is disclosed on HackerOne, and the team at Stripo forgot to blur the API keys from the report before disclosing it to the public. The API keys...

AI score 6.7
Exploits: 0
Hacker One • added 2022/06/23 1:21 p.m. • 18 views

TikTok: Improper user validation on mentions and hashtags

Vulnerability description not provided...

AI score 7.1
Exploits: 0
Hacker One • added 2022/06/23 3:05 a.m. • 56 views

GitLab: RCE via the DecompressedArchiveSizeValidator and Project BulkImports (behind feature flag)

Summary: The DecompressedArchiveSizeValidator is used to check the size of an archive before extracting it: https://gitlab.com/gitlab-org/gitlab/-/blob/v15.1.0-ee/lib/gitlab/importexport/decompressedarchivesizevalidator.rbL82 ruby def command "gzip -dc @archivepath | wc -c" end def validate pgrp =...

CVSS 7.5 | AI score 9.4 | EPSS 0.76884
Exploits: 0
Hacker One • added 2022/06/23 2:07 a.m. • 21 views

Judge.me : Improper Access Control in Ali Express Importer

An improper access control vulnerability was found in the Ali Express Review Importer app, which allowed staff members with no access to the Judge.me app to view all reviews, including hidden and archived ones, from the Judge.me app. The vulnerability was exploited by intercepting and replacing t...

AI score 7
Exploits: 0
Hacker One • added 2022/06/22 1:19 p.m. • 18 views

Reddit: Rate limit is implemented in Reddit, but it's not working.

Vulnerability description not provided...

AI score 7.1
Exploits: 0
Hacker One • added 2022/06/22 1:59 a.m. • 21 views

LinkedIn: IDOR allows an attacker to delete anyone's featured photo.

An Insecure Direct Object Reference (IDOR) vulnerability allowed an attacker to delete anyone's featured photo on LinkedIn by manipulating the parameters in the delete request. This vulnerability was exploited by obtaining the necessary parameters from the victim's profile link and replacing them i...

AI score 7
Exploits: 0
Hacker One • added 2022/06/21 8:08 a.m. • 16 views

Krisp: Authentication bypass for ███ leads to take over any users account.

@n0m3rcy has identified and reported an account takeover issue which required no user interaction. We would like to thank @n0m3rcy for reporting it responsibly to our bug bounty program!...

AI score 6.9
Exploits: 0
Hacker One • added 2022/06/21 12:57 a.m. • 76 views

Nextcloud: SSRF via potential filter bypass with too lax local domain checking

Summary: Hi. Reviewing the code for SSRF filtering, in preventLocalAddress, we can see that it calls the function ThrowIfLocalAddress. It has three common checks: first, it checks if the string is localhost, or if it ends in .local or .localhost php // Disallow localhost and local network if...

CVSS 5 | AI score 0.6 | EPSS 0.00739
Exploits: 0
Hacker One • added 2022/06/20 8:44 p.m. • 192 views

8x8: CVE-2019-11248 on http://█.█.█.█:9100/debug/pprof/goroutine

@mrk0anti reported to us an exposed debugging endpoint /debug/pprof over the unauthenticated Kubelet healthz port 9100. No sensitive information has been disclosed & the affected host belonged to our staging environment. The issue has been rectified...

CVSS 6.4 | AI score 6.8 | EPSS 0.61139
Exploits: 0
Hacker One • added 2022/06/20 4:03 p.m. • 28 views

Omise: Unauthorized Access - downgraded admin roles to none can still edit projects through Burp Suite

Hi team, I found that your site is vulnerable to Unauthorized Access leading to privilege escalation: when the owner invites a user with admin roles, the user can still edit anything with admin access via Burp Suite. It should get an error message because the admin role has been removed...

AI score 0.3
Exploits: 0
Hacker One • added 2022/06/20 2:37 p.m. • 66 views

LinkedIn: Add me email address Authentication bypass

Hi, this vulnerability allows accessing a user account without email verification in LinkedIn's "add email address" function page. The user adds the mail2 email address. Without mail2 email address verification, the user can fully access the mail1 LinkedIn account using the mail2 email address. In LinkedIn mobile...

AI score 0.5
Exploits: 0
Hacker One • added 2022/06/20 2:31 p.m. • 151 views

Nextcloud: @nextcloud/logger NPM package brings vulnerable ansi-regex version

Summary: Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the sub-patterns \;? and ?:;-a-zA-Z\d\/&.:=?%@. Details: Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate...

CVSS 7.8 | AI score 1.6 | EPSS 0.03304
Exploits: 1
Hacker One • added 2022/06/20 2:04 p.m. • 27 views

Panther Labs: Twitter Account hijack through broken link in https://runpanther.io

Summary: A link (https://twitter.com/runpanther) in https://runpanther.io was broken and anyone could create that account, which leads to account impersonation. Steps To Reproduce: 1. Go to https://runpanther.io 2. Scroll down to the bottom; there you can see the Twitter icon. 3. Click on that icon, you will...

AI score 7
Exploits: 0
Hacker One • added 2022/06/20 9:28 a.m. • 26 views

Nextcloud: Generated passwords are not fully validated by HIBPValidator

Summary: If the Nextcloud server generates a secure random password, e.g. for sharing files, the validation is checked before the shuffle function str_shuffle is called. In very rare cases it could happen that a password is validated by HIBPValidator before str_shuffle, but would not validate after...

CVSS 3.3 | AI score 0.7 | EPSS 0.0037
Exploits: 0
Hacker One • added 2022/06/20 9:10 a.m. • 60 views

Reddit: Unrestricted File Upload on reddit.secure.force.com

Summary: Reddit.secure.force.com is Reddit's Salesforce instance. An attacker is able to send attachments of disallowed file types to this server. The attacker is able to send malicious documents such as CVE-2022-30190 (Follina) to the victim. Impact: An attacker can send malicious files to whoever handles...

CVSS 9.3 | AI score 7.6 | EPSS 0.99374
Exploits: 62
Hacker One • added 2022/06/18 7:23 p.m. • 31 views

U.S. Dept Of Defense: XSS DUE TO CVE-2020-3580

Hello Team, during my research I found multiple hosts to be vulnerable to Cisco ASA XSS (CVE-2020-3580). This vulnerability targets the SAML service within the VPN. It is triggered via a POST request to domain/+CSCOE+/saml/sp/acs?tgname=a References...

CVSS 2.6 | AI score 0.9 | EPSS 0.85439
Exploits: 2
Hacker One • added 2022/06/18 5:59 p.m. • 76 views

Internet Bug Bounty: CVE-2022-27781: CERTINFO never-ending busy-loop

Published Advisory: https://curl.se/docs/CVE-2022-27781.html Original Report: https://hackerone.com/reports/1555441 Impact Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information...

AI score 7.5 | EPSS 0.02434
Exploits: 1
Hacker One • added 2022/06/18 3:12 p.m. • 15 views

Shopify: store internal email disclosed through shopify-data-exporter

Summary: Hey Shopify, when a store installs the shopify-data-exporter app to export various data of the store, a link is sent to the store's internal email. This internal email is disclosed via the request below to anyone json GET /?shop=yourstore.myshopify.com HTTP/2 Host:...

AI score 0.9
Exploits: 0
Hacker One • added 2022/06/18 11:14 a.m. • 29 views

Cloudflare Public Bug Bounty: I found another way to bypass Cloudflare Warp lock!

It was possible to bypass Lock WARP switch feature on WARP iOS mobile client by enabling both "Disable for cellular networks" and "Disable for Wi-Fi networks" switches at once in the application settings. Such configuration caused WARP client to disconnect and allowed the user to bypass...

CVSS 6.4 | AI score 1.4 | EPSS 0.0037
Exploits: 0
Hacker One • added 2022/06/17 8:51 a.m. • 74 views

Hyperledger: Remote denial of service in HyperLedger Fabric

This issue was caused by a missing nil check. An orderer-to-orderer consensus message that contains an empty inner message crashes the node because it attempts to figure out its type, and the mere action of determining the type of a nil pointer causes a panic. Thank you to Haosheng Wang of OPP...

CVSS 5 | AI score 1.1 | EPSS 0.01612
Exploits: 0
Hacker One • added 2022/06/16 9:19 p.m. • 38 views

Nextcloud: Information exposure in guzzlehttp/guzzle (https://github.com/nextcloud/3rdparty/tree/master/guzzlehttp/guzzle)

Summary: Affected versions of this package are vulnerable to Information Exposure: it fails to strip the Authorization header on HTTP downgrade. This dependency is out of date and it can lead to stealing the Authorization header. Steps To Reproduce:...

CVSS 5 | AI score 1.6 | EPSS 0.00606
Exploits: 0
Hacker One • added 2022/06/15 2:54 p.m. • 18 views

GitHub Security Lab: PYTHON: CWE-079 - Add query for email injection

This bug was reported directly to GitHub Security Lab...

AI score 1.2
Exploits: 0
Hacker One • added 2022/06/15 2:54 p.m. • 11 views

GitHub Security Lab: CPP: Pam Authorization Bypass

Vulnerability description not provided...

AI score 7.1
Exploits: 0
Hacker One • added 2022/06/15 12:40 a.m. • 29 views

Panther Labs: reflected XSS on panther.com

Summary: When visiting runpanther.io I got redirected to panther.com, and the application failed to sanitise the user's input, resulting in HTML injection and possible XSS. Steps To Reproduce: F1774502 1. Go to...

AI score 7.2
Exploits: 0
Hacker One • added 2022/06/14 5:22 p.m. • 28 views

Acronis: HTML Injection in E-mail Not Resolved ()

Summary: On report https://hackerone.com/reports/1536899 you closed the report and changed the status to Resolved, but it's not resolved; the bug is still there. Steps To Reproduce: 1. Please register at https://www.acronis.com/en-us/products/cyber-protect/trial/registration with the victim...

AI score 1.5
Exploits: 0
Hacker One • added 2022/06/14 4:11 a.m. • 113 views

Internet Bug Bounty: Rails::Html::SafeListSanitizer vulnerable to xss attack in an environment that allows the style tag

It seems to be a problem caused by a difference between the nokogiri java implementation and the ruby implementation. jruby9.3.3.0 nokogiri java, use Rails::Html::SafeListSanitizer.new.sanitize, allow select/style tag code tags = %wselect style puts...

CVSS 4.3 | AI score 6.2 | EPSS 0.2914
Exploits: 1
Hacker One • added 2022/06/13 3:07 p.m. • 47 views

Internet Bug Bounty: Undici ProxyAgent vulnerable to MITM

Full GitHub advisory summarizing the issue is here: https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33 The original Node.js HackerOne report is here: https://hackerone.com/bugs?reportid=1583680 This was fixed & disclosed in Undici v5.5.1. This primarily affects Undici, a...

AI score 6.7
Exploits: 0
Hacker One • added 2022/06/13 12:10 p.m. • 22 views

TikTok: TikTok's pixel/sdk.js leaks current URL from websites using postMessage

A vulnerability was found where an oauth token could have been leaked due to an origin check bypass in the TikTok Pixel SDK. We thank @fransrosen for reporting this to our team...

AI score 1.6
Exploits: 0
Hacker One • added 2022/06/12 7:57 p.m. • 21 views

HackerOne: Stored XSS on www.hackerone.com due to deleted S3-bucket from old page_widget

A stored XSS vulnerability was found on www.hackerone.com due to a deleted S3-bucket from an old pagewidget. An attacker could claim the bucket and run JavaScript on the website, potentially allowing them to steal user data or perform actions on behalf of the user. The vulnerability was reported ...

AI score 5.9
Exploits: 0
Hacker One • added 2022/06/10 8:16 p.m. • 30 views

GitHub Security Lab: Golang : Add Query To Detect PAM Authorization Bugs

This bug was reported directly to GitHub Security Lab...

AI score 1.2
Exploits: 0
Hacker One • added 2022/06/10 3:28 p.m. • 4 views

Insightly: Stored XSS in Email Notification

A stored XSS vulnerability was discovered in the email notification feature of the crm.na1.insightly.com platform. The vulnerability allowed an attacker to inject malicious code into the email subject, which was then executed when users viewed the notification. The vulnerability was caused by...

AI score 6.4
Exploits: 0
Hacker One • added 2022/06/10 11:34 a.m. • 21 views

Nextcloud: Brute force protections don't work

Summary: Most of the brute force protections don't actually throttle the response, and so they are not logging negative attempts. Search for functions with the @BruteForceProtection annotation and check that they call throttle on the response at least conditionally. Impact: Brute force protection is...

CVSS 5 | AI score 0.6 | EPSS 0.00597
Exploits: 0
Hacker One • added 2022/06/10 8:37 a.m. • 32 views

Nextcloud: Lack of Brute force protection while joining video call in talk section which is password protected

Advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pf36-jvpv-4hwq...

CVSS 5 | AI score 1.2 | EPSS 0.0105
Exploits: 0
Hacker One • added 2022/06/10 8:27 a.m. • 20 views

Reddit: Admin can create a hidden admin account which even the owner cannot detect and remove, and do administrative actions on the application.

ads.reddit.com is an ads creation and management application for Reddit. The application has the feature to invite other members to the organization and give them different roles in ad management. Testing around the role management functionalities, I have noticed that a user with the same email can get...

AI score 0.6
Exploits: 0
Hacker One • added 2022/06/10 6:54 a.m. • 176 views

Nextcloud: Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate

Summary: The call to registerReceiver misses the broadcastPermission argument, so no permissions will be checked for the broadcaster, which allows a malicious application to communicate with the broadcast receiver. Supporting Material/References: Screenshot; Snyk report references to fixes in other repo...

CVSS 6.8 | AI score 0.8 | EPSS 0.0083
Exploits: 0
Hacker One • added 2022/06/09 8:12 p.m. • 79 views

Internet Bug Bounty: DoS via lua_read_body() [zhbug_httpd_94]

Greetings. I have found a bug that can crash httpd 2.4.53, causing a denial of service. The bug is that lua_read_body (modules/lua/lua_request.c) uses the value of the Content-Length header to allocate memory. While ap_read_request limits Content-Length's value to a non-negative |apr_off_t| via a call to...

CVSS 5 | AI score 8.5 | EPSS 0.05678
Exploits: 0
Hacker One • added 2022/06/09 6:42 p.m. • 28 views

Nextcloud: Calendar name length not validated before writing to database

Security advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m92j-xxc8-hq3v...

CVSS 5 | AI score 0.2 | EPSS 0.00846
Exploits: 0
Hacker One • added 2022/06/09 4:44 p.m. • 25 views

Nextcloud: Missing character limitation allows generating a database error

Hi Security Team, Summary: ========= There is no limit to the number of characters in the display name, which allows a DoS attack. The DoS attack affects the server side. Description ========= On the Username input form in nextcloud.com/settings/user there's no input validation; using this you can...

CVSS 4 | AI score 6.3 | EPSS 0.00663
Exploits: 0
Hacker One • added 2022/06/09 11:59 a.m. • 11 views

Judge.me : XSS in Widget Review Form Preview in settings

Summary: Hi team, I found an XSS vulnerability in the widget review form preview. The payload is added in the success message and triggers when you preview the form. Steps To Reproduce: 1. Login to your Shopify account and open the Judge.Me App 1. Go to 'Settings' - 'Review Widget' - 'Widget Form' 1. G...

AI score 6
Exploits: 0
Hacker One • added 2022/06/08 11:34 p.m. • 64 views

Internet Bug Bounty: Read beyond bounds via ap_rwrite() [zhbug_httpd_47.2]

Greetings. I have found that ap_rwrite (/server/protocol.c) can cause a read beyond bounds, with the extra data sent to an attacker. The bug is that ap_rwrite passes its |int nbyte| argument to buffer_output, where buffer_output's corresponding |len| argument is a |apr_size_t|. Thus, a negative |nbyte| val...

CVSS 5 | AI score 7.5 | EPSS 0.04428
Exploits: 0
Hacker One • added 2022/06/08 11:19 p.m. • 87 views

Internet Bug Bounty: Read beyond bounds in mod_isapi.c [zhbug_httpd_41]

Greetings. I have found a read-beyond-bounds bug in httpd that arises from an apparent logic error. The bug is in /modules/arch/win32/mod_isapi.c, on lines 979 and/or 983, which use the length of the path to the ISAPI DLL |strlen(r->filename)| to index into the string specified by the ISAPI DLL itsel...

CVSS 5 | AI score 7.1 | EPSS 0.03398
Exploits: 0
Hacker One • added 2022/06/08 11:02 p.m. • 110 views

Internet Bug Bounty: Controllable read beyond bounds in lua_websocket_readbytes() [zhbug_httpd_126]

Greetings. I have found a read-beyond-bounds bug in lua_websocket_readbytes that permits an attacker to exfiltrate a controllable amount of heap data if the victim site runs a suitable LUA program. The bug is due to misuse of ap_get_brigade and apr_bucket_read. The following code from v2.4.53 assumes...

CVSS 5 | AI score 8.7 | EPSS 0.04687
Exploits: 0
Hacker One • added 2022/06/08 10:35 p.m. • 75 views

Internet Bug Bounty: Read beyond bounds in ap_strcmp_match() [zhbug_httpd_47.7]

Greetings. I have found a read-beyond-bounds attack against httpd that allows an attacker to search httpd's memory for strings matching an attacker-specified pattern [1]. The attack arises from an overflow in ap_strcmp_match (server/util.c) [2]. The vulnerability can be reached via an LUA program that us...

CVSS 6.4 | AI score 9.4 | EPSS 0.05729
Exploits: 0
Hacker One • added 2022/06/08 2:53 p.m. • 41 views

GitHub Security Lab: Golang : Hardcoded secret used for signing JWT

This bug was reported directly to GitHub Security Lab...

AI score 0.3
Exploits: 0
Hacker One • added 2022/06/08 2:50 p.m. • 26 views

Nextcloud: Unauthenticated SSRF in 3rd party module "cerdic/csstidy"

Summary: The mail extension in Nextcloud includes a module called "cerdic/csstidy" which ships with a publicly accessible test/example interface to play with the CSS formatter and optimiser (/apps/mail/vendor/cerdic/css-tidy/cssoptimiser.php). This module allows contacting any remote serv...

CVSS 7.5 | AI score 0.1 | EPSS 0.00604
Exploits: 0
Hacker One • added 2022/06/08 10:29 a.m. • 257 views

Internet Bug Bounty: Apache HTTP Server: mod_proxy_ajp: Possible request smuggling

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.53 and prior versions...

CVSS 5 | AI score 8.6 | EPSS 0.19008
Exploits: 1
Hacker One • added 2022/06/07 4:19 p.m. • 30 views

GitHub: [Git Gud] GitHub.com Svnbridge memcached deserialization vulnerability chain leading to Remote Code Execution

A deserialization of untrusted data vulnerability was identified in GitHub Enterprise Server that could potentially lead to remote code execution on the SVNBridge. To exploit this vulnerability, an attacker would need to gain access via a server-side request forgery (SSRF) that would let an attacke...

CVSS 6.5 | AI score 5.5 | EPSS 0.01892
Exploits: 0
Hacker One • added 2022/06/07 11:12 a.m. • 43 views

Cloudflare Public Bug Bounty: Sign in with Apple generates long-life JWTs, seemingly irrevocable, that grant immediate access to accounts

The OIDC JWT token issued on a new Sign in with Apple ID to the Cloudflare Dashboard had an excessive lifetime. When intercepted by a malicious actor, it enabled impersonation of the affected user on multiple devices during the entire token validity period without the need to re-authenticate. The...

AI score 1.4
Exploits: 0
Hacker One • added 2022/06/07 11:00 a.m. • 49 views

Cloudflare Public Bug Bounty: Sign in with Apple works on existing accounts, bypasses 2FA

It was possible to bypass configured Cloudflare 2FA when logging in to a Cloudflare account using the Apple ID authentication flow. A malicious actor could access a Cloudflare account by setting up an Apple ID account using an e-mail address matching the one used to set up the targeted account. The issu...

AI score 1.9
Exploits: 0
Total number of security vulnerabilities: 15369