[https://geekbrains.ru/profile] - authenticity_token not tied to user session leads to CSRF attacks
👉 https://hackerone.com/reports/1086134
🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #bombon
🔹 State: 🟢 Resolved
🔹 Disclosed: May 26, 2021, 1:04pm (UTC)
Disk-o Cloud application (Windows) does not validate server certificate on a TLS connection
👉 https://hackerone.com/reports/1026893
🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #aapo
🔹 State: 🟢 Resolved
🔹 Disclosed: May 26, 2021, 1:48pm (UTC)
Account takeover on [support2.ucs.ru]
👉 https://hackerone.com/reports/1029877
🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #tounsi_007
🔹 State: 🟢 Resolved
🔹 Disclosed: May 26, 2021, 5:27pm (UTC)
SSRF By adding a custom integration on console.helium.com
👉 https://hackerone.com/reports/1055823
🔹 Severity: High | 💰 500 USD
🔹 Reported To: Helium
🔹 Reported By: #th0roid
🔹 State: 🟢 Resolved
🔹 Disclosed: May 26, 2021, 7:26pm (UTC)
CSRF on TikTok Ads Portal
👉 https://hackerone.com/reports/1087436
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #probatorem
🔹 State: 🟢 Resolved
🔹 Disclosed: May 26, 2021, 9:14pm (UTC)
Ability to add arbitrary images/descriptions/scripts to other people's issues via IDOR on getrevue.co
👉 https://hackerone.com/reports/1096560
🔹 Severity: Critical
🔹 Reported To: Twitter
🔹 Reported By: #mirhat
🔹 State: 🟢 Resolved
🔹 Disclosed: May 26, 2021, 9:56pm (UTC)
SMAP bypass
👉 https://hackerone.com/reports/1048322
🔹 Severity: Medium | 💰 3,000 USD
🔹 Reported To: PlayStation
🔹 Reported By: #m00nbsd
🔹 State: 🟢 Resolved
🔹 Disclosed: May 27, 2021, 3:35am (UTC)
Git Config
👉 https://hackerone.com/reports/1176174
🔹 Severity: Medium
🔹 Reported To: MariaDB
🔹 Reported By: #dtattoedhackers
🔹 State: 🟢 Resolved
🔹 Disclosed: May 27, 2021, 8:12am (UTC)
CSRF in changing password after using reset password link
👉 https://hackerone.com/reports/1086752
🔹 Severity: Low
🔹 Reported To: OpenMage
🔹 Reported By: #xenx
🔹 State: 🟢 Resolved
🔹 Disclosed: May 27, 2021, 8:55am (UTC)
Signedness issue in ClassInfo message handler leads to RCE on CS:GO client
👉 https://hackerone.com/reports/876719
🔹 Severity: Critical | 💰 7,500 USD
🔹 Reported To: Valve
🔹 Reported By: #chaynik
🔹 State: 🟢 Resolved
🔹 Disclosed: May 27, 2021, 4:53pm (UTC)
RCE on CS:GO client using unsanitized entity ID in EntityMsg message
👉 https://hackerone.com/reports/584603
🔹 Severity: Critical | 💰 9,000 USD
🔹 Reported To: Valve
🔹 Reported By: #chaynik
🔹 State: 🟢 Resolved
🔹 Disclosed: May 27, 2021, 4:54pm (UTC)
Bypass apiserver proxy filter
👉 https://hackerone.com/reports/859962
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #javierprovecho
🔹 State: 🟢 Resolved
🔹 Disclosed: May 27, 2021, 7:11pm (UTC)
[VK Android] Access to app protected components leads to arbitrary code execution
👉 https://hackerone.com/reports/1095633
🔹 Severity: No Rating | 💰 1,000 USD
🔹 Reported To: VK.com
🔹 Reported By: #bagipro
🔹 State: 🟢 Resolved
🔹 Disclosed: May 27, 2021, 9:40pm (UTC)
IDOR allows viewing the Loyalty Program analytics of any restaurant.
👉 https://hackerone.com/reports/1137819
🔹 Severity: Medium | 💰 1,500 USD
🔹 Reported To: Uber
🔹 Reported By: #0xprial
🔹 State: 🟢 Resolved
🔹 Disclosed: May 28, 2021, 12:08am (UTC)
Blocked user can see live video
👉 https://hackerone.com/reports/1067967
🔹 Severity: Medium | 💰 418 USD
🔹 Reported To: TikTok
🔹 Reported By: #sandipgyawali
🔹 State: 🟢 Resolved
🔹 Disclosed: May 28, 2021, 2:22am (UTC)
DOM XSS on learning.ozon.ru
👉 https://hackerone.com/reports/1167230
🔹 Severity: No Rating
🔹 Reported To: Ozon
🔹 Reported By: #mrdruid
🔹 State: 🟢 Resolved
🔹 Disclosed: May 28, 2021, 9:39am (UTC)
Takeover of the ozoncorporate.ru domain
👉 https://hackerone.com/reports/1160381
🔹 Severity: No Rating
🔹 Reported To: Ozon
🔹 Reported By: #mrdruid
🔹 State: 🟢 Resolved
🔹 Disclosed: May 28, 2021, 9:47am (UTC)
Stored XSS in the driver profile [city-mobil.ru/taxiserv]
👉 https://hackerone.com/reports/1050017
🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #kwel
🔹 State: 🟢 Resolved
🔹 Disclosed: May 28, 2021, 11:18am (UTC)
Stored XSS on the "Edit driver" page [city-mobil.ru/taxiserv]
👉 https://hackerone.com/reports/1050030
🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #kwel
🔹 State: 🟢 Resolved
🔹 Disclosed: May 28, 2021, 11:19am (UTC)
Stored XSS on the "Edit client" page [city-mobil.ru/taxiserv]
👉 https://hackerone.com/reports/1050022
🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #kwel
🔹 State: 🟢 Resolved
🔹 Disclosed: May 28, 2021, 11:19am (UTC)
Stored XSS on the "Edit client" page, "History" tab [city-mobil.ru/taxiserv]
👉 https://hackerone.com/reports/1050047
🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #kwel
🔹 State: 🟢 Resolved
🔹 Disclosed: May 28, 2021, 11:19am (UTC)