IDOR while uploading ████ attachments at [█████████]
👉 https://hackerone.com/reports/1196976
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #prophet
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2021, 8:47pm (UTC)
Reflected XSS on https://help.glassdoor.com/GD_HC_EmbeddedChatVF
👉 https://hackerone.com/reports/1244053
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Glassdoor
🔹 Reported By: #l0cpd
🔹 State: 🟢 Resolved
🔹 Disclosed: July 1, 2021, 2:48pm (UTC)
Ratelimiting can be bypassed using IPv6 subnets
👉 https://hackerone.com/reports/1154003
🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #sjw
🔹 State: 🟢 Resolved
🔹 Disclosed: July 1, 2021, 6:02pm (UTC)
Node Installer Local Privilege Escalation
👉 https://hackerone.com/reports/1211160
🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #deepsurface-robert
🔹 State: 🟢 Resolved
🔹 Disclosed: July 1, 2021, 8:00pm (UTC)
Account takeover by using abandoned email id of victim which has already been changed to new by victim himself on one.newrelic.com
👉 https://hackerone.com/reports/1021232
🔹 Severity: Low | 💰 300 USD
🔹 Reported To: New Relic
🔹 Reported By: #ashmek
🔹 State: 🟢 Resolved
🔹 Disclosed: July 2, 2021, 12:09pm (UTC)
Webview in LINE client for iOS will render application/octet-stream files as HTML
👉 https://hackerone.com/reports/988332
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: LINE
🔹 Reported By: #s5s
🔹 State: 🟢 Resolved
🔹 Disclosed: July 5, 2021, 5:01am (UTC)
OOB read in libuv
👉 https://hackerone.com/reports/1209681
🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #ericsesterhenn
🔹 State: 🟢 Resolved
🔹 Disclosed: July 5, 2021, 8:30am (UTC)
Arbitrary Code Execution via npm misconfiguration – installing internal libraries from the public registry
👉 https://hackerone.com/reports/1043385
🔹 Severity: Critical | 💰 11,500 USD
🔹 Reported To: LINE
🔹 Reported By: #alexbirsan
🔹 State: 🟢 Resolved
🔹 Disclosed: July 5, 2021, 1:37pm (UTC)
Verification Link not expiring leading to Account Takeover.
👉 https://hackerone.com/reports/1250631
🔹 Severity: No Rating
🔹 Reported To: New Relic
🔹 Reported By: #bbunnny
🔹 State: 🔴 N/A
🔹 Disclosed: July 5, 2021, 2:49pm (UTC)
[QIWI Wallet] Access to protected app components
👉 https://hackerone.com/reports/482998
🔹 Severity: High | 💰 500 USD
🔹 Reported To: QIWI
🔹 Reported By: #shell_c0de
🔹 State: 🟢 Resolved
🔹 Disclosed: July 6, 2021, 2:11pm (UTC)
Theft of arbitrary files in LINE Lite client for Android
👉 https://hackerone.com/reports/1094702
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: LINE
🔹 Reported By: #hulkvision_
🔹 State: 🟢 Resolved
🔹 Disclosed: July 6, 2021, 3:25pm (UTC)
Slack integration setup lacks CSRF protection
👉 https://hackerone.com/reports/170552
🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #whhackersbr
🔹 State: 🟢 Resolved
🔹 Disclosed: July 7, 2021, 3:39am (UTC)
New link opening method makes hackerone vulnerable to tabnabbing
👉 https://hackerone.com/reports/1159398
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #recon_ninja
🔹 State: 🟢 Resolved
🔹 Disclosed: July 7, 2021, 8:49am (UTC)
DNS Leaks when using any VPN Browser extension with Brave Shield enabled
👉 https://hackerone.com/reports/1203842
🔹 Severity: High | 💰 700 USD
🔹 Reported To: Brave Software
🔹 Reported By: #neeythann
🔹 State: 🟢 Resolved
🔹 Disclosed: July 8, 2021, 4:09am (UTC)
imap: StartTLS stripping attack (CVE-2016-0772).
👉 https://hackerone.com/reports/1178562
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Ruby
🔹 Reported By: #chinarulezzz
🔹 State: 🟢 Resolved
🔹 Disclosed: July 8, 2021, 3:34pm (UTC)
lib/net/ftp.rb: trusting PASV responses allow client abuse
👉 https://hackerone.com/reports/1145454
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Ruby
🔹 Reported By: #chinarulezzz
🔹 State: 🟢 Resolved
🔹 Disclosed: July 8, 2021, 3:34pm (UTC)
Removing parts of URL from jQuery request exposes links for download of Paid Digital Assets of the most recent Order placed by anyone on the store!
👉 https://hackerone.com/reports/1044285
🔹 Severity: Medium | 💰 2,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #superbsic
🔹 State: 🟢 Resolved
🔹 Disclosed: July 8, 2021, 6:20pm (UTC)
Add new managed stores without permission
👉 https://hackerone.com/reports/1167753
🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #jmp_35p
🔹 State: 🟢 Resolved
🔹 Disclosed: July 8, 2021, 6:25pm (UTC)
Bypass the fix of report #1078283 due to poor validation
👉 https://hackerone.com/reports/1212337
🔹 Severity: High
🔹 Reported To: Khan Academy
🔹 Reported By: #lucenaxpl0it
🔹 State: 🟢 Resolved
🔹 Disclosed: July 8, 2021, 7:25pm (UTC)
API on campus-vtc.com allows access to ~100 Uber users full names, email addresses and telephone numbers.
👉 https://hackerone.com/reports/580268
🔹 Severity: High | 💰 750 USD
🔹 Reported To: Uber
🔹 Reported By: #healdb
🔹 State: 🟢 Resolved
🔹 Disclosed: July 8, 2021, 8:32pm (UTC)
Blind XSS on Twitter's internal Big Data panel at █████████████
👉 https://hackerone.com/reports/1207040
🔹 Severity: Critical | 💰 5,040 USD
🔹 Reported To: Twitter
🔹 Reported By: #iambouali
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2021, 1:34am (UTC)