Bugpoint – Telegram
Latest updates about disclosure bug bounty reports: tech details, impacts, bounties 📣

Rate👇
https://cutt.ly/bugpoint_rate
Feedback👇
https://cutt.ly/bugpoint_feedback

#️⃣ bug bounty disclosed reports
#️⃣ bug bounty write-ups
#️⃣ bug bounty teleg
Attacker can obtain write access to any federated share/public link

👉 https://hackerone.com/reports/1170024

🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: June 10, 2021, 1:41pm (UTC)

File drop public link can also be converted to federated share

👉 https://hackerone.com/reports/1167929

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: June 10, 2021, 1:41pm (UTC)

HTTPS not enforced at dex.sifchain.finance

👉 https://hackerone.com/reports/1126401

🔹 Severity: Low
🔹 Reported To: Sifchain
🔹 Reported By: #zelzal
🔹 State: 🔴 N/A
🔹 Disclosed: June 10, 2021, 2:59pm (UTC)

Private eth key found

👉 https://hackerone.com/reports/1181213

🔹 Severity: No Rating
🔹 Reported To: Sifchain
🔹 Reported By: #za_sec
🔹 State: 🟤 Duplicate
🔹 Disclosed: June 10, 2021, 3:00pm (UTC)

CORS (Cross-Origin Resource Sharing) origin validation failure -Any website can issue requests made with user credentials and read the responses to th

👉 https://hackerone.com/reports/1188471

🔹 Severity: No Rating
🔹 Reported To: Sifchain
🔹 Reported By: #ic4
🔹 State: 🟤 Duplicate
🔹 Disclosed: June 10, 2021, 3:00pm (UTC)

CORS Misconfiguration Leads to Sensitive Exposure on Sifchain main domain

👉 https://hackerone.com/reports/1188684

🔹 Severity: No Rating
🔹 Reported To: Sifchain
🔹 Reported By: #emptymahbob
🔹 State: 🟤 Duplicate
🔹 Disclosed: June 10, 2021, 3:01pm (UTC)

SQL injection in https://www.acronis.cz/ via the log parameter

👉 https://hackerone.com/reports/1109311

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #mmg
🔹 State: 🟢 Resolved
🔹 Disclosed: June 11, 2021, 12:58pm (UTC)

Hackerone is not properly deleting user id

👉 https://hackerone.com/reports/1133118

🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #hacker_ani3s
🔹 State: 🟢 Resolved
🔹 Disclosed: June 11, 2021, 6:55pm (UTC)

Flaws In Social media Icon on error page which can lead to financial loss to a company.

👉 https://hackerone.com/reports/1186926

🔹 Severity: No Rating
🔹 Reported To: Sifchain
🔹 Reported By: #beebeek
🔹 State: ⚪️ Informative
🔹 Disclosed: June 12, 2021, 4:55pm (UTC)

Wrong implementation of Telegram link on the main page for PC users

👉 https://hackerone.com/reports/1194293

🔹 Severity: No Rating | 💰 100 USD
🔹 Reported To: Sifchain
🔹 Reported By: #ibrahimauwal1
🔹 State: ⚪️ Informative
🔹 Disclosed: June 12, 2021, 6:35pm (UTC)

XMLRPC, Enabling XPSA and Bruteforce and DOS + A file disclosing installer-logs.

👉 https://hackerone.com/reports/865875

🔹 Severity: High
🔹 Reported To: MTN Group
🔹 Reported By: #tandav
🔹 State: 🟢 Resolved
🔹 Disclosed: June 14, 2021, 8:02am (UTC)

Unexpected input validation of octal literals in nodejs v15.12.0 and below returns defined values for all undefined octal literals.

👉 https://hackerone.com/reports/1141623

🔹 Severity: Critical
🔹 Reported To: Node.js
🔹 Reported By: #sickcodes
🔹 State: 🔴 N/A
🔹 Disclosed: June 14, 2021, 12:46pm (UTC)

Cross-origin resource sharing misconfig | steal user information

👉 https://hackerone.com/reports/1183601

🔹 Severity: High
🔹 Reported To: UPchieve
🔹 Reported By: #n1had
🔹 State: 🟢 Resolved
🔹 Disclosed: June 15, 2021, 4:58pm (UTC)

Regex Injection from request header (Rack::Sendfile, send_file)

👉 https://hackerone.com/reports/1057216

🔹 Severity: No Rating
🔹 Reported To: Ruby on Rails
🔹 Reported By: #ooooooo_q
🔹 State: ⚪️ Informative
🔹 Disclosed: June 15, 2021, 5:43pm (UTC)

HTTP Host injection in redirect_to function

👉 https://hackerone.com/reports/888176

🔹 Severity: No Rating
🔹 Reported To: Ruby on Rails
🔹 Reported By: #komang4130
🔹 State: ⚪️ Informative
🔹 Disclosed: June 15, 2021, 5:44pm (UTC)

XSS by MathML at Active Storage

👉 https://hackerone.com/reports/429873

🔹 Severity: Medium
🔹 Reported To: Ruby on Rails
🔹 Reported By: #ooooooo_q
🔹 State: 🟤 Duplicate
🔹 Disclosed: June 15, 2021, 5:44pm (UTC)

Default Nextcloud Server and Android Client leak sharee searches to Nextcloud

👉 https://hackerone.com/reports/1167916

🔹 Severity: Low | 💰 750 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: June 15, 2021, 7:11pm (UTC)

Elmah.axd is publicly accessible leaking Error Log

👉 https://hackerone.com/reports/1139340

🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #fdeleite
🔹 State: 🟢 Resolved
🔹 Disclosed: June 15, 2021, 7:24pm (UTC)

Default Admin Username and Password on █████ Server at █████████mil

👉 https://hackerone.com/reports/1195325

🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #the_boschko
🔹 State: 🟢 Resolved
🔹 Disclosed: June 15, 2021, 7:28pm (UTC)

XML Injection / External Service Interaction (HTTP/DNS) On https://█████████.mil

👉 https://hackerone.com/reports/1150799

🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #fiveguyslover
🔹 State: 🟢 Resolved
🔹 Disclosed: June 15, 2021, 7:30pm (UTC)

Reflected XSS through ClickJacking

👉 https://hackerone.com/reports/1171403

🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #sazouki
🔹 State: 🟢 Resolved
🔹 Disclosed: June 15, 2021, 7:31pm (UTC)