Bugpoint – Telegram
Bugpoint
1.05K subscribers
3.73K photos
3.73K links
Latest updates about disclosure bug bounty reports: tech details, impacts, bounties 📣

Rate👇
https://cutt.ly/bugpoint_rate
Feedback👇
https://cutt.ly/bugpoint_feedback

#️⃣ bug bounty disclosed reports
#️⃣ bug bounty write-ups
#️⃣ bug bounty teleg
Removing parts of URL from jQuery request exposes links for download of Paid Digital Assets of the most recent Order placed by anyone on the store!

👉 https://hackerone.com/reports/1044285

🔹 Severity: Medium | 💰 2,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #superbsic
🔹 State: 🟢 Resolved
🔹 Disclosed: July 8, 2021, 6:20pm (UTC)

Add new managed stores without permission

👉 https://hackerone.com/reports/1167753

🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #jmp_35p
🔹 State: 🟢 Resolved
🔹 Disclosed: July 8, 2021, 6:25pm (UTC)

Bypass the fix of report #1078283 due to poor validation

👉 https://hackerone.com/reports/1212337

🔹 Severity: High
🔹 Reported To: Khan Academy
🔹 Reported By: #lucenaxpl0it
🔹 State: 🟢 Resolved
🔹 Disclosed: July 8, 2021, 7:25pm (UTC)

API on campus-vtc.com allows access to ~100 Uber users' full names, email addresses and telephone numbers.

👉 https://hackerone.com/reports/580268

🔹 Severity: High | 💰 750 USD
🔹 Reported To: Uber
🔹 Reported By: #healdb
🔹 State: 🟢 Resolved
🔹 Disclosed: July 8, 2021, 8:32pm (UTC)

Blind XSS on Twitter's internal Big Data panel at █████████████

👉 https://hackerone.com/reports/1207040

🔹 Severity: Critical | 💰 5,040 USD
🔹 Reported To: Twitter
🔹 Reported By: #iambouali
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2021, 1:34am (UTC)

No Rate Limit On Forgot Password Page

👉 https://hackerone.com/reports/1245529

🔹 Severity: Medium
🔹 Reported To: Acronis
🔹 Reported By: #technical_junkie
🔹 State: 🔴 N/A
🔹 Disclosed: July 9, 2021, 1:25pm (UTC)

Cache Poisoning leading to Denial of Service on `www.█████████`

👉 https://hackerone.com/reports/1198434

🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #brumens
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2021, 6:20pm (UTC)

CVE-2017-13041 The ICMPv6 parser in tcpdump before 4.9.2 has a buffer over-read in print-icmp6.c:icmp6_nodeinfo_print().

👉 https://hackerone.com/reports/964583

🔹 Severity: High | 💰 500 USD
🔹 Reported To: Data Processing (IBB)
🔹 Reported By: #karas
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2021, 8:12pm (UTC)

CVE-2017-13040 The MPTCP parser in tcpdump before 4.9.2 has a buffer over-read in print-mptcp.c, several functions.

👉 https://hackerone.com/reports/964582

🔹 Severity: High | 💰 500 USD
🔹 Reported To: Data Processing (IBB)
🔹 Reported By: #karas
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2021, 8:15pm (UTC)

Heap buffer overflow vulnerability while processing a malformed TIFF file.

👉 https://hackerone.com/reports/1047086

🔹 Severity: High | 💰 500 USD
🔹 Reported To: Data Processing (IBB)
🔹 Reported By: #hardik05
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2021, 8:21pm (UTC)

Blocked user can send notification by liking the message due to Logical Bug

👉 https://hackerone.com/reports/1083421

🔹 Severity: Low
🔹 Reported To: TikTok
🔹 Reported By: #sandipgyawali
🔹 State: 🟢 Resolved
🔹 Disclosed: July 10, 2021, 1:07am (UTC)

Exposed Prometheus instance at prometheus.qa.r3.com

👉 https://hackerone.com/reports/1200583

🔹 Severity: Medium
🔹 Reported To: R3
🔹 Reported By: #ian
🔹 State: 🟢 Resolved
🔹 Disclosed: July 12, 2021, 8:40am (UTC)

Reflected XSS in https://www.topcoder.com/blog/category/community-stories/

👉 https://hackerone.com/reports/1194301

🔹 Severity: Low
🔹 Reported To: Topcoder
🔹 Reported By: #c0mbo
🔹 State: 🟢 Resolved
🔹 Disclosed: July 12, 2021, 12:54pm (UTC)

your-store.myshopify.com preview link is leaked on a third-party website, leading to preview of all actions as the store owner without the store password.

👉 https://hackerone.com/reports/997350

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #danishalkatiri
🔹 State: 🟢 Resolved
🔹 Disclosed: July 12, 2021, 8:33pm (UTC)

Stored DOM XSS via Mermaid chart

👉 https://hackerone.com/reports/1103258

🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #taraszelyk
🔹 State: 🟢 Resolved
🔹 Disclosed: July 12, 2021, 11:00pm (UTC)

Client-Side DOS via Mermaid Prototype Pollution vulnerability

👉 https://hackerone.com/reports/1106238

🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #taraszelyk
🔹 State: 🟢 Resolved
🔹 Disclosed: July 12, 2021, 11:00pm (UTC)

OS Command Injection in 'rdoc' documentation generator

👉 https://hackerone.com/reports/1161691

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Ruby
🔹 Reported By: #chinarulezzz
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2021, 7:38am (UTC)

Stored-XSS on wiki pages

👉 https://hackerone.com/reports/1087061

🔹 Severity: Medium | 💰 1,500 USD
🔹 Reported To: GitLab
🔹 Reported By: #yvvdwf
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2021, 8:35am (UTC)

Stored-XSS in merge requests

👉 https://hackerone.com/reports/977697

🔹 Severity: High | 💰 3,500 USD
🔹 Reported To: GitLab
🔹 Reported By: #yvvdwf
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2021, 8:38am (UTC)

FogBugz import attachment full SSRF requiring vulnerability in *.fogbugz.com

👉 https://hackerone.com/reports/1092230

🔹 Severity: High | 💰 6,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #ajxchapman
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2021, 1:15pm (UTC)

[Bypass fixed #664038 and #519059] Application settings change settings that have been set by the user

👉 https://hackerone.com/reports/712344

🔹 Severity: Medium | 💰 560 USD
🔹 Reported To: Twitter
🔹 Reported By: #jaka_tingkir
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2021, 5:47pm (UTC)