Bugpoint – Telegram
Latest updates about disclosure bug bounty reports: tech details, impacts, bounties 📣

Rate👇
https://cutt.ly/bugpoint_rate
Feedback👇
https://cutt.ly/bugpoint_feedback

#️⃣ bug bounty disclosed reports
#️⃣ bug bounty write-ups
#️⃣ bug bounty teleg
Stored DOM XSS via Mermaid chart

👉 https://hackerone.com/reports/1103258

🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #taraszelyk
🔹 State: 🟢 Resolved
🔹 Disclosed: July 12, 2021, 11:00pm (UTC)
Client-Side DOS via Mermaid Prototype Pollution vulnerability

👉 https://hackerone.com/reports/1106238

🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #taraszelyk
🔹 State: 🟢 Resolved
🔹 Disclosed: July 12, 2021, 11:00pm (UTC)
OS Command Injection in 'rdoc' documentation generator

👉 https://hackerone.com/reports/1161691

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Ruby
🔹 Reported By: #chinarulezzz
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2021, 7:38am (UTC)
Stored-XSS on wiki pages

👉 https://hackerone.com/reports/1087061

🔹 Severity: Medium | 💰 1,500 USD
🔹 Reported To: GitLab
🔹 Reported By: #yvvdwf
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2021, 8:35am (UTC)
Stored-XSS in merge requests

👉 https://hackerone.com/reports/977697

🔹 Severity: High | 💰 3,500 USD
🔹 Reported To: GitLab
🔹 Reported By: #yvvdwf
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2021, 8:38am (UTC)
FogBugz import attachment full SSRF requiring vulnerability in *.fogbugz.com

👉 https://hackerone.com/reports/1092230

🔹 Severity: High | 💰 6,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #ajxchapman
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2021, 1:15pm (UTC)
[Bypass fixed #664038 and #519059] Application settings change settings that have been set by the user

👉 https://hackerone.com/reports/712344

🔹 Severity: Medium | 💰 560 USD
🔹 Reported To: Twitter
🔹 Reported By: #jaka_tingkir
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2021, 5:47pm (UTC)
Error Page Content Spoofing or Text Injection

👉 https://hackerone.com/reports/1245051

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Basecamp
🔹 Reported By: #princej_76
🔹 State: 🟢 Resolved
🔹 Disclosed: July 14, 2021, 12:21pm (UTC)
Scoped apptokens can be changed by that very apptoken

👉 https://hackerone.com/reports/1193321

🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: July 15, 2021, 7:10pm (UTC)
User deletion is not handled properly everywhere

👉 https://hackerone.com/reports/1200700

🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: July 15, 2021, 7:12pm (UTC)
Admin audit is not properly logging unsetting of expiration date

👉 https://hackerone.com/reports/1200810

🔹 Severity: Low
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: July 15, 2021, 7:13pm (UTC)
[Java]: CWE 295 - Insecure TrustManager - MiTM

👉 https://hackerone.com/reports/1264781

🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: July 15, 2021, 10:59pm (UTC)
[Java]: CWE-665 Insecure environment during RMI/JMX Server initialisation - All for one bounty

👉 https://hackerone.com/reports/1250320

🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #timolesml
🔹 State: 🟢 Resolved
🔹 Disclosed: July 15, 2021, 11:00pm (UTC)
[Java] JShell Injection

👉 https://hackerone.com/reports/1250307

🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #jessforfun
🔹 State: 🟢 Resolved
🔹 Disclosed: July 15, 2021, 11:00pm (UTC)
[Java]: CWE 295 - Insecure TrustManager - MiTM

👉 https://hackerone.com/reports/1250306

🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: July 15, 2021, 11:00pm (UTC)
[Java] CWE-918: Added URLClassLoader and WebClient SSRF sinks

👉 https://hackerone.com/reports/1250305

🔹 Severity: Low | 💰 1,000 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #p0wn4j
🔹 State: 🟢 Resolved
🔹 Disclosed: July 15, 2021, 11:01pm (UTC)
Ransomware protection is missing extensions take 2

👉 https://hackerone.com/reports/1200785

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: July 16, 2021, 8:42am (UTC)
[go]: Add query for detecting CORS misconfiguration

👉 https://hackerone.com/reports/1266540

🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: July 16, 2021, 10:02pm (UTC)
Leak arbitrary file under nextcloud android client privacy directory

👉 https://hackerone.com/reports/1142918

🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #wester0x01
🔹 State: 🟢 Resolved
🔹 Disclosed: July 17, 2021, 10:32am (UTC)
Information Disclosure .htaccess accessible for public

👉 https://hackerone.com/reports/1241849

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Basecamp
🔹 Reported By: #alone_breecher
🔹 State: 🟢 Resolved
🔹 Disclosed: July 18, 2021, 2:00pm (UTC)
OS Command Injection in '/lib/un.rb -- Utilities to replace common UNIX commands in Makefiles etc'

👉 https://hackerone.com/reports/1158824

🔹 Severity: Medium
🔹 Reported To: Ruby
🔹 Reported By: #chinarulezzz
🔹 State: ⚪️ Informative
🔹 Disclosed: July 19, 2021, 9:54am (UTC)