
15369 matches found

Hacker One | added 2025/11/09 10:40 p.m. | 10 views

Rocket.Chat: Open Redirect in Rocket.Chat

An open redirect vulnerability was identified in Rocket.Chat. The /saml/sloRedirect/:provider endpoint included the redirect query string value directly in the Location header for a 302 redirect without any server-side validation. This issue was fixed in v8.4.0...

CVSS 5.3 | AI score 5.9 | EPSS 0.00322 | Exploits: 0

Hacker One | added 2025/11/09 8:26 p.m. | 13 views

Django: Potential SQL Injection when annotating FilteredRelation on PostgreSQL

A potential SQL injection vulnerability was discovered in Django's annotation of FilteredRelation on PostgreSQL. The vulnerability was caused by an incomplete regular expression filter in the FORBIDDEN_ALIAS_PATTERN. This allowed user input to be interpreted as raw strings, potentially enabling the...

CVSS 9.8 | AI score 8.3 | EPSS 0.15602 | Exploits: 4

Hacker One | added 2025/11/09 4:08 p.m. | 10 views

Node.js: FS Permissions Bypass

A flaw was discovered in Node.js's Permissions model that allowed attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory could escape the allowed path a...

CVSS 9.1 | AI score 5.7 | EPSS 0.01633 | Exploits: 2

Hacker One | added 2025/11/09 2:26 p.m. | 14 views

lemlist: Authentication Bypass in Subscription Management Endpoint

A vulnerability was identified in the subscription management functionality that allowed unauthorized access to customer billing information. The issue stemmed from insufficient authentication and authorization controls on an API endpoint. The vulnerability was classified as an Insecure Direct...

AI score 7 | Exploits: 0

Hacker One | added 2025/11/09 5:51 a.m. | 14 views

curl: libcurl MQTT `CURLOPT_POSTFIELDSIZE_LARGE` overflow leads to immediate DoS

Summary: An attacker can crash or forcefully abort any application that uses libcurl's MQTT support by setting an excessively large value for CURLOPT_POSTFIELDSIZE_LARGE. The MQTT publish logic (lib/mqtt.c::mqtt_publish) trusts this value without validating it against the protocol's maximum remaining...

AI score 7.1 | Exploits: 0

Hacker One | added 2025/11/06 12:07 p.m. | 20 views

curl: SMTP CRLF Command Injection in CURLOPT_MAIL_FROM and CURLOPT_MAIL_RCPT

libcurl's SMTP implementation accepts CR \r and LF \n bytes in mailbox address inputs without validation. These control characters are inserted directly into SMTP commands, allowing attackers to inject arbitrary SMTP protocol commands. This enables envelope manipulation, adding unauthorized...

AI score 7.5 | Exploits: 0

Hacker One | added 2025/11/06 11:53 a.m. | 12 views

U.S. Dept Of Defense: DNN - Unrestricted Arbitrary File Upload #████████

A vulnerability was discovered in versions of DNN (formerly DotNetNuke) prior to 10.1.1. The vulnerability was caused by the default HTML editor provider allowing unauthenticated file uploads and overwriting of existing files. This could have led to website defacement and cross-site scripting attac...

CVSS 10 | AI score 6.2 | EPSS 0.44656 | Exploits: 3

Hacker One | added 2025/11/06 8:45 a.m. | 14 views

Revive Adserver: Unrestricted setPerPage allows huge result sets / resource exhaustion / mass log retrieval

Description: The setPerPage query parameter controls pagination for the log viewer but is not validated or capped on the server. An attacker can supply an extremely large numeric value (for example setPerPage=100000000000000000) and the application will attempt to honor that value when building the...

CVSS 6.5 | AI score 6.6 | EPSS 0.00346 | Exploits: 1

Hacker One | added 2025/11/06 4:12 a.m. | 15 views

Revive Adserver: Username normalization missing allows visually indistinguishable accounts (Whitespace-Based Impersonation)

Version: ==revive-adserver 6.0.2==. Summary: Revive Adserver allows creation of usernames containing leading or trailing whitespace, e.g. "admin" or " admin". The UI does not visibly differentiate such usernames from admin, producing visually identical accounts. This can be used to impersonate...

CVSS 5.4 | AI score 6.7 | EPSS 0.00215 | Exploits: 1

Hacker One | added 2025/11/05 9:32 a.m. | 10 views

Revive Adserver: Stored-XSS in campaign name displayed in Banners modal

Description: A low-privilege authenticated user can create or edit advertiser/campaign names containing HTML/JavaScript. Those values are stored in the application and later rendered without proper HTML escaping in the admin Inventory → Banners advertiser/campaign picker. When an administrator...

CVSS 6.5 | AI score 6.7 | EPSS 0.0018 | Exploits: 1

Hacker One | added 2025/11/03 5:46 a.m. | 23 views

curl: HackerOne

HackerOne Impact HackerOne...

AI score 7 | Exploits: 0

Hacker One | added 2025/11/03 5:38 a.m. | 19 views

curl: Hi Hacker

Hi Hacker Impact Summary:...

AI score 7 | Exploits: 0

Hacker One | added 2025/11/01 8:40 p.m. | 23 views

curl: Directory Traversal Vulnerability in cURL via Content-Disposition Header Processing

Vulnerability Description: The parse_filename function in src/tool_cb_hdr.c does not adequately validate and sanitize filenames extracted from HTTP Content-Disposition headers, allowing directory traversal attacks when the -O (--remote-name) and -J (--remote-header-name) options are used together. Vulnerable...

AI score 7.2 | Exploits: 0

Hacker One | added 2025/10/31 9:48 p.m. | 11 views

curl: curl built with GnuTLS backend defaults to weak crypto parameters

Summary: Curl configured with the GnuTLS backend (--with-gnutls) defaults to using "NORMAL" as the base level of the library's cryptographic security. From the GnuTLS documentation: The message authenticity security level is of 64 bits or more, and the certificate verification profile is set to GNUTLS_PROFILE_LOW...

AI score 6.8 | Exploits: 0

Hacker One | added 2025/10/30 4:55 p.m. | 13 views

curl: Buffer over-read, Missing NUL termination in addvariable() causes undefined behavior

Summary: In addvariable (used by setvariable), the code allocates memory for p->name without space for a null terminator and copies nlen bytes directly. Later, functions like varcontent call strlen on this name, assuming it is null-terminated. This can lead to out-of-bounds memory reads, causing...

AI score 7.5 | Exploits: 0

Hacker One | added 2025/10/30 1:39 p.m. | 8 views

Node.js: Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled

A flaw in Node.js's buffer allocation logic was discovered, where buffers allocated with Buffer.alloc and other TypedArray instances like Uint8Array may contain leftover data from previous operations under specific timing conditions...

CVSS 7.1 | AI score 5.7 | EPSS 0.03493 | Exploits: 0

Hacker One | added 2025/10/30 2:36 a.m. | 10 views

Revive Adserver: Stored-XSS in Banner Name field

Version: ==revive-adserver 6.0.0==. Summary: A stored Cross-Site Scripting (XSS) vulnerability exists in the Banner → Name field. An attacker can create or edit a banner with a malicious payload in the Name field; that payload is stored and later executed in the browser of users who were added to th...

CVSS 5.4 | AI score 5.2 | EPSS 0.0038 | Exploits: 1

Hacker One | added 2025/10/29 1:33 p.m. | 14 views

curl: SOCKS5 Heap Buffer Overflow via Malicious HTTP Redirect with Oversized Hostname

Summary: A heap-based buffer overflow vulnerability exists in curl's SOCKS5 proxy handshake implementation when processing HTTP redirects containing hostnames exceeding 255 characters. When curl is configured to use SOCKS5 with hostname resolution (socks5h:// scheme) and follows an HTTP redirect to...

AI score 8.3 | Exploits: 0

Hacker One | added 2025/10/29 10:51 a.m. | 12 views

curl: Logical Flaw in curl_url_set Leads to Inconsistent Query Parameter Encoding

Hello curl security team, First, thank you for your incredible work on maintaining such a critical and robust piece of software. We have been conducting a deep-dive source code audit of libcurl and believe we have identified a subtle logical flaw in the curl_url_set API that has security...

AI score 6.8 | Exploits: 0

Hacker One | added 2025/10/29 6:55 a.m. | 10 views

Revive Adserver: Reflected XSS in /admin/banner-zone.php (v6.0.0+)

Description: A Reflected Cross-Site Scripting (Reflected XSS) vulnerability. User-supplied input from the banner search field "Website" is reflected into the page without proper context-aware encoding. Steps: 1. When I create Banners, I click it and click 'Linked Zones'. At that, I insert payload...

CVSS 6.1 | AI score 5.7 | EPSS 0.00351 | Exploits: 1

Hacker One | added 2025/10/29 4:00 a.m. | 11 views

Revive Adserver: Information Disclosure via Verbose Error Messages

Version: ==revive-adserver 6.0.0==. Summary: Revive Adserver v6.0.0 exposes sensitive technical details through verbose error messages, revealing the exact MySQL/MariaDB version, SQL queries, and PHP environment details. Attackers can use this information to identify known vulnerabilities or craft...

CVSS 4.3 | AI score 7.4 | EPSS 0.00307 | Exploits: 1

Hacker One | added 2025/10/27 5:29 p.m. | 10 views

Revive Adserver: IDOR Vulnerability in Banner Deletion

Summary: I found an IDOR vulnerability in Revive Adserver's banner deletion endpoint that lets any Manager delete banners belonging to other Managers. The code validates access to the parent campaign but doesn't check if the user owns the specific banner being deleted. This means Manager A can...

CVSS 7.1 | AI score 7.3 | EPSS 0.00275 | Exploits: 1

Hacker One | added 2025/10/27 3:00 p.m. | 8 views

Revive Adserver: Information Disclosure via “Add user” lookup in Account Management (User Access)

Version: ==revive-adserver 6.0.0==

Flow:
Administrator Account
├── Management 1
│   ├── User A1
│   └── User A2
└── Management 2
    ├── User B1 (leak email, contact name)
    └── User B2 (leak email, contact name)

Summary: When a user under Management 1 navigates to User Access → Add user and enters a username, the...

CVSS 4.3 | AI score 6.7 | EPSS 0.00252 | Exploits: 1

Hacker One | added 2025/10/27 6:55 a.m. | 17 views

curl: CURLX_SET_BINMODE(NULL) can call fileno(NULL) and cause undefined behavior / crash

Summary: Calling the CURLX_SET_BINMODE(stream) macro with stream == NULL leads to an unguarded call to fileno(NULL) in tool_binmode.h, which is undefined behavior and may crash the process. This is a robustness/UB issue and should be corrected by guarding against NULL streams before calling filen...

AI score 6.5 | Exploits: 0

Hacker One | added 2025/10/27 4:09 a.m. | 15 views

curl: curl’s persistence files inherit world-readable/writable perms from umask, leaking and tampering with cookies/HSTS/Alt-Svc caches

Executive Summary: Curl_fopen clones the permissions of any pre-existing persistence file when creating its temporary file. When the persistence file does not exist, it first creates one with the process umask (typically 022, i.e., 0644). That mode is then copied to the temp file via 0600 | sb.st_mode...

AI score 7 | Exploits: 0

Hacker One | added 2025/10/26 7:51 p.m. | 11 views

Revive Adserver: Stored XSS in Conversion Statistics via Tracker Name

I found stored XSS on the conversion statistics page. Advertisers can inject malicious JavaScript through tracker names, which executes when admins view conversion reports (www/admin/stats-conversions.php:356). I was able to steal admin session cookies using this vulnerability. This is a privilege...

CVSS 8.7 | AI score 6.6 | EPSS 0.00445 | Exploits: 1

Hacker One | added 2025/10/26 10:48 a.m. | 11 views

Nextcloud: Credential Disclosure via Unvalidated directDownloadUrl (Missing DontAddCredentialsAttribute)

The Nextcloud Desktop Client was found to automatically include user credentials (Authorization header with username and password in Base64) when downloading files via the "directDownloadUrl" feature. This allowed a malicious Nextcloud server to specify an attacker-controlled URL, causing the clien...

AI score 5.8 | Exploits: 0

Hacker One | added 2025/10/26 10:44 a.m. | 11 views

Discourse: Denial of Service (DoS) Vulnerability in Drafts Creation Endpoint

A Denial of Service (DoS) vulnerability was identified in the /drafts.json endpoint on the Discourse forum. Large payloads (around 800,000 characters or more) submitted to create drafts caused the server to process the request, return a 502 Bad Gateway error, but still save the draft. Submitting...

AI score 5.8 | Exploits: 0

Hacker One | added 2025/10/25 9:24 p.m. | 10 views

Revive Adserver: Stored XSS on inventory-retrieve.php

A Cross-site Scripting (XSS) vulnerability was discovered on the inventory-retrieve.php and campaign-edit.php pages. The vulnerability allowed an attacker to inject malicious code that would be executed when the page was loaded...

CVSS 5.4 | AI score 6.5 | EPSS 0.00312 | Exploits: 1

Hacker One | added 2025/10/25 8:12 p.m. | 16 views

curl: Integer Overflow to Heap Overflow in DoH Response Handling

Summary: An integer overflow vulnerability exists in the doh_probe_write_cb function in lib/doh.c. This function is used as a write callback for DNS-over-HTTPS (DoH) responses. When a malicious DoH server sends a response with a crafted size, the multiplication of size and nmemb can overflow. This lea...

AI score 8 | Exploits: 0

Hacker One | added 2025/10/25 4:42 a.m. | 11 views

Revive Adserver: Improper sanitisation of input in the settings could cause DoS

A vulnerability was found in the settings functionality of the application where attacker-controlled values in the emailfromName and emailfromCompany fields were persisted and later rendered to pages without proper output encoding. This could have led to the execution of arbitrary JavaScript in t...

CVSS 2.7 | AI score 6.8 | EPSS 0.00366 | Exploits: 1

Hacker One | added 2025/10/25 3:23 a.m. | 10 views

Revive Adserver: Reflected XSS in account-preferences-plugin.php

A reflected cross-site scripting (RXSS) vulnerability was discovered in revive-adserver-6.0.1/www/admin/account-preferences-plugin.php via the group query parameter. Untrusted input was reflected without proper output encoding or context-aware escaping, allowing injection of JavaScript into the...

CVSS 6.3 | AI score 6.4 | EPSS 0.00427 | Exploits: 1

Hacker One | added 2025/10/24 9:41 p.m. | 9 views

Nextcloud: Improper input validation On Exported deep-link handler crashes `FileDisplayActivity` on crafted external URL — Denial-of-Service

A vulnerability was discovered in the Nextcloud Android client application where improper input validation in the exported deep-link handler caused a null dereference in the FileDisplayActivity component. This resulted in an unhandled NullPointerException and application crash when the deep-link...

AI score 5.8 | Exploits: 0

Hacker One | added 2025/10/24 3:14 p.m. | 10 views

Revive Adserver: Authorization bypass allows changing email address of other users

The Revive Adserver 6.0.0 was found to have an authorization bypass vulnerability that allowed changing the email address of other users without requiring the account password. The vulnerability was present in the admin panel endpoint /admin/agency-user.php, which accepted a POST request that...

CVSS 8.8 | AI score 6.8 | EPSS 0.00579 | Exploits: 1

Hacker One | added 2025/10/23 10:29 a.m. | 10 views

curl: libcurl MQTT PUBLISH length overflow (heap overflow)

Summary: Heap-based buffer overflow in libcurl's MQTT PUBLISH assembly (lib/mqtt.c::mqtt_publish) due to unchecked size_t arithmetic when computing the MQTT "Remaining Length". If payloadlen + 2 + topiclen wraps size_t, libcurl allocates a too-small buffer and then memcpy's payloadlen bytes into it,...

AI score 7.5 | Exploits: 0

Hacker One | added 2025/10/22 9:30 p.m. | 18 views

curl: Use of Deprecated strcpy() with User-Controlled Environment Variable in Memory Debug Initialization

Discovery Method. Step 1: Initial Security Scan. Find all files using dangerous string functions: find src/ -name "*.c" -exec grep -l "strcpy\|strcat\|sprintf\|gets" {} \; OUTPUT: src/tool_progress.c src/tool_main.c. Step 2: Locate Vulnerable Code in Main.c. Find exact strcpy usage in tool_main.c: grep -n...

AI score 7.8 | Exploits: 0

Hacker One | added 2025/10/22 9:18 p.m. | 18 views

Revive Adserver: Error-Based & Time-Based SQL Injection in 'keyword' Parameter of admin-search.php Allowing Full Database Access in Revive Adserver v6.0.0

==Cricetinae== Summary: A critical SQL Injection vulnerability has been identified in Revive Adserver's administrative search functionality, specifically in the admin-search.php file. The vulnerability exists in the handling of the keyword GET parameter, which is passed to multiple database queri...

CVSS 8.8 | AI score 9.1 | EPSS 0.00931 | Exploits: 1

Hacker One | added 2025/10/22 9:13 p.m. | 13 views

curl: Use of Deprecated strcpy() with Fixed-Size Buffers in Progress Time Formatting

Step 2: Locate Vulnerable Code in Progress.c. Find exact strcpy usage in tool_progress.c: grep -n "strcpy" ./src/tool_progress.c OUTPUT: 94: strcpy(r, "--:--:--"); Step 3: Analyze the Vulnerable Function. View complete time2str function: sed -n '/^static void time2str/,/^}/p' ./src/tool_progress.c Vulnerab...

AI score 7.7 | Exploits: 0

Hacker One | added 2025/10/22 5:23 a.m. | 14 views

Rocket.Chat: SSRF via improper validation after DNS name resolution in the link-preview feature

The link-preview feature in Rocket.Chat version 7.11.0 did not properly validate the IP address after DNS resolution. This allowed an attacker to obtain a domain that pointed to an internal IP address, triggering SSRF and enabling access to internal hosts that would otherwise be unreachable...

AI score 5.5 | Exploits: 0

Hacker One | added 2025/10/21 11:41 p.m. | 12 views

curl: Memory leak in Curl_auth_create_ntlm_type3_message

Summary: When handling NTLMv2, if the decoded type-2 "TargetInfo" is large enough that ntresplen + headersize exceeds NTLM_BUFSIZE (1024), the code returns early without freeing ntlmv2resp, causing a memory leak...

AI score 7 | Exploits: 0

Hacker One | added 2025/10/21 7:39 a.m. | 15 views

curl: Buffer Overflow in WebSocket Handshake (lib/ws.c:1287)

Summary: Buffer overflow vulnerability in curl's WebSocket implementation due to unsafe use of strcpy in the handshake process. The vulnerability is located at lib/ws.c:1287 where strcpy(keyval, randstr) is called without proper bounds checking, despite having a bounds check earlier in the code. AI...

AI score 7.5 | Exploits: 0

Hacker One | added 2025/10/19 2:58 p.m. | 7 views

Node.js: fs.futimes() Bypasses Read-Only Permission Model

A flaw in Node.js's permission model was discovered that allowed a file's access and modification timestamps to be changed via futimes even when the process had only read permissions. Unlike utimes, futimes did not apply the expected write-permission checks, which meant file metadata could be...

CVSS 5.3 | AI score 6.6 | EPSS 0.00227 | Exploits: 0

Hacker One | added 2025/10/16 7:34 p.m. | 25 views

curl: SMTP Command Injection Vulnerability in libcurl 8.16.0 via RFC 3461 Suffix

Executive Summary: libcurl version 8.16.0 contains a critical SMTP command injection vulnerability (CVE-quality) in the implementation of RFC 3461 Delivery Status Notification (DSN) parameter support. The vulnerability allows an attacker to inject arbitrary SMTP commands by including CRLF \r\n...

AI score 7.9 | Exploits: 0

Hacker One | added 2025/10/15 4:45 p.m. | 8 views

Nextcloud: Predictable proposal participant tokens enable unauthorized access and vote submission

A vulnerability was discovered in predictable proposal participant tokens, which enabled unauthorized access and vote submission...

CVSS 6.5 | AI score 6.7 | EPSS 0.00246 | Exploits: 0

Hacker One | added 2025/10/15 9:59 a.m. | 7 views

SingleStore: Insufficient checks in the file path parameter allow writing to unauthorized directories

A directory traversal vulnerability was identified in the file upload functionality. Authenticated users could write files to parent directories outside the intended upload location by manipulating the path parameter. The issue was classified as Low severity due to limited impact. The vulnerabili...

AI score 5.7 | Exploits: 0

Hacker One | added 2025/10/14 10:20 p.m. | 15 views

arkadiyt-projects: Arbitrary File Write

A path traversal vulnerability was discovered in the protodump tool. The vulnerability allowed for arbitrary file writes outside the intended output directory due to insufficient validation of the go_package option extracted from embedded protobuf descriptors. The Filename function extracted the...

AI score 6.9 | Exploits: 0

Hacker One | added 2025/10/14 4:25 p.m. | 12 views

arkadiyt-projects: DNS Rebinding Attack

Hi, there is a DNS rebinding vulnerability in your SSRF filter. F4891755 You validate the hostname's IP address, but then pass the hostname to Net::HTTP.start, which does its own DNS lookup. An attacker can control a DNS server that returns a safe public IP during validation, then returns 127.0.0...

AI score 6.7 | Exploits: 0

Hacker One | added 2025/10/14 4:08 p.m. | 17 views

Rocket.Chat: SSRF via Improper Redirect Validation in Rocket.Chat oEmbed Function

A vulnerability was discovered in Rocket.Chat version 7.10.1 where the oEmbed feature did not properly validate redirected URLs. This allowed an attacker to bypass SSRF protections and access internal network resources that would otherwise be unreachable...

AI score 5.5 | Exploits: 0

Hacker One | added 2025/10/14 9:39 a.m. | 29 views

AWS VDP: Responsible disclosure - public S3 bucket exposing JSON/config files

A publicly listable S3 bucket was discovered, exposing various JSON and configuration files. The bucket listing and file metadata were retrievable without authentication...

AI score 7 | Exploits: 0

Hacker One | added 2025/10/13 6:50 p.m. | 7 views

Nextcloud: BOLA/IDOR in Out-of-Office API allows any authenticated user to read other users' absence data

Summary: The Out-of-Office (OOO) API endpoints at /ocs/v2.php/apps/dav/api/v1/outOfOffice/{userId} and /ocs/v2.php/apps/dav/api/v1/outOfOffice/{userId}/now suffer from a Broken Object Level Authorization (BOLA) vulnerability. Any authenticated user can retrieve the out-of-office data of any other user by...

AI score 5.9 | Exploits: 0

Total number of security vulnerabilities: 15369