[Java]: CWE-665 Insecure environment during RMI/JMX Server initialisation - All for one bounty
👉 https://hackerone.com/reports/1250320
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #timolesml
🔹 State: 🟢 Resolved
🔹 Disclosed: July 15, 2021, 11:00pm (UTC)
[Java] JShell Injection
👉 https://hackerone.com/reports/1250307
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #jessforfun
🔹 State: 🟢 Resolved
🔹 Disclosed: July 15, 2021, 11:00pm (UTC)
[Java]: CWE 295 - Insecure TrustManager - MiTM
👉 https://hackerone.com/reports/1250306
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: July 15, 2021, 11:00pm (UTC)
[Java] CWE-918: Added URLClassLoader and WebClient SSRF sinks
👉 https://hackerone.com/reports/1250305
🔹 Severity: Low | 💰 1,000 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #p0wn4j
🔹 State: 🟢 Resolved
🔹 Disclosed: July 15, 2021, 11:01pm (UTC)
Ransomware protection is missing extensions take 2
👉 https://hackerone.com/reports/1200785
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: July 16, 2021, 8:42am (UTC)
[go]: Add query for detecting CORS misconfiguration
👉 https://hackerone.com/reports/1266540
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: July 16, 2021, 10:02pm (UTC)
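The Go entry above concerns a query for spotting CORS misconfiguration. The block below is an added illustration of the pattern such a query looks for, written for this digest; it is not code from the report, from GitHub Security Lab, or from any project named here. Handler names, the allowlist contents and the sample JSON body are assumptions made up for the example. It contrasts two misconfigured middlewares (one reflects any Origin, one only checks a domain suffix) with an exact-allowlist version, and probes each with an attacker origin to show which ones let a cross-site page read an authenticated response.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedOrigins is the exact-match allowlist used by the fixed handler
// (example values, not from any real deployment).
var allowedOrigins = map[string]bool{
	"https://app.example.com": true,
}

// withCORSReflect echoes whatever Origin the client sent and also allows
// credentials. Any site a logged-in user visits can then read this API's
// cookie-authenticated responses cross-origin.
func withCORSReflect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); o != "" {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// withCORSSuffix is the common "almost right" variant: it only checks that
// the origin ends with the trusted domain, so an attacker-registered
// https://evil-example.com passes the check.
func withCORSSuffix(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		o := r.Header.Get("Origin")
		if strings.HasSuffix(o, "example.com") {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// withCORSAllowlist compares the full origin (scheme + host + port) against an
// exact allowlist and echoes it back only on a match, so credentials are
// allowed only for those origins. "Vary: Origin" stops a shared cache from
// serving one origin's response to another.
func withCORSAllowlist(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		o := r.Header.Get("Origin")
		if allowedOrigins[o] {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request carrying the given Origin and returns the
// Access-Control-Allow-Origin / Access-Control-Allow-Credentials values that
// came back. An empty ACAO means the browser blocks the cross-origin read.
func probe(h http.Handler, origin string) (acao, acac string) {
	req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
	req.Header.Set("Origin", origin)
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Header().Get("Access-Control-Allow-Origin"),
		rr.Header().Get("Access-Control-Allow-Credentials")
}

// exploitable reports whether a page at the attacker origin could read the
// response with the victim's cookies: the server echoed that exact origin
// and allowed credentials. ("*" plus credentials is rejected by browsers,
// so it is not counted.)
func exploitable(h http.Handler, attacker string) bool {
	acao, acac := probe(h, attacker)
	return acao == attacker && acac == "true"
}

func main() {
	// Constructed sample API: returns data only a logged-in user should see.
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"user":"alice","email":"alice@example.com"}`)
	})
	attacker := "https://evil-example.com"
	fmt.Println("reflect   exploitable:", exploitable(withCORSReflect(api), attacker))
	fmt.Println("suffix    exploitable:", exploitable(withCORSSuffix(api), attacker))
	fmt.Println("allowlist exploitable:", exploitable(withCORSAllowlist(api), attacker))
	acao, _ := probe(withCORSAllowlist(api), "https://app.example.com")
	fmt.Println("allowlist ACAO for legitimate origin:", acao)
}
```

The suffix variant is the one a static query most often has to flag: the code visibly validates the Origin, but the check is satisfiable by any attacker-controlled hostname that ends with the trusted string. The allowlist form is safe because the echoed value can only ever be one of a fixed set of full origins.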
Leak arbitrary file under nextcloud android client privacy directory
👉 https://hackerone.com/reports/1142918
🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #wester0x01
🔹 State: 🟢 Resolved
🔹 Disclosed: July 17, 2021, 10:32am (UTC)
Information Disclosure .htaccess accessible for public
👉 https://hackerone.com/reports/1241849
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Basecamp
🔹 Reported By: #alone_breecher
🔹 State: 🟢 Resolved
🔹 Disclosed: July 18, 2021, 2:00pm (UTC)
OS Command Injection in '/lib/un.rb -- Utilities to replace common UNIX commands in Makefiles etc'
👉 https://hackerone.com/reports/1158824
🔹 Severity: Medium
🔹 Reported To: Ruby
🔹 Reported By: #chinarulezzz
🔹 State: ⚪️ Informative
🔹 Disclosed: July 19, 2021, 9:54am (UTC)
Stored XSS in custom emoji
👉 https://hackerone.com/reports/1198517
🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #ooooooo_q
🔹 State: 🟢 Resolved
🔹 Disclosed: July 19, 2021, 1:06pm (UTC)
Reflected XSS via "Error" parameter on https://admin.acronis.com/admin/su/
👉 https://hackerone.com/reports/970878
🔹 Severity: Medium | 💰 50 USD
🔹 Reported To: Acronis
🔹 Reported By: #samincube
🔹 State: 🟢 Resolved
🔹 Disclosed: July 19, 2021, 5:59pm (UTC)
Stored-XSS in merge requests
👉 https://hackerone.com/reports/1261148
🔹 Severity: Medium
🔹 Reported To: GitLab
🔹 Reported By: #tester12rtg
🔹 State: ⚪️ Informative
🔹 Disclosed: July 19, 2021, 7:03pm (UTC)
Multiple server ssh usernames leaked in your github repository
👉 https://hackerone.com/reports/1265225
🔹 Severity: Medium
🔹 Reported To: Ian Dunn
🔹 Reported By: #praalsanthpro
🔹 State: 🔴 N/A
🔹 Disclosed: July 19, 2021, 7:37pm (UTC)
CVE-2021-22922: Wrong content via metalink not discarded
👉 https://hackerone.com/reports/1213175
🔹 Severity: Medium | 💰 700 USD
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: July 21, 2021, 4:28pm (UTC)
CVE-2021-22923: Metalink download sends credentials
👉 https://hackerone.com/reports/1213181
🔹 Severity: Medium | 💰 700 USD
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: July 21, 2021, 4:28pm (UTC)
CVE-2021-22926: CURLOPT_SSLCERT mixup with Secure Transport
👉 https://hackerone.com/reports/1234760
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: July 21, 2021, 4:29pm (UTC)
CVE-2021-22924: Bad connection reuse due to flawed path name checks
👉 https://hackerone.com/reports/1223565
🔹 Severity: High | 💰 1,200 USD
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: July 21, 2021, 4:30pm (UTC)
Broken Authentication and Session Management lead to take over account
👉 https://hackerone.com/reports/1271710
🔹 Severity: High
🔹 Reported To: Phabricator
🔹 Reported By: #thund3r17
🔹 State: 🔴 N/A
🔹 Disclosed: July 21, 2021, 4:32pm (UTC)
Exfiltrating a victim's exact location (to within 5m)
👉 https://hackerone.com/reports/1234406
🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: Bumble
🔹 Reported By: #robertheaton
🔹 State: 🟢 Resolved
🔹 Disclosed: July 21, 2021, 6:41pm (UTC)
CVE-2021-22925: TELNET stack contents disclosure again
👉 https://hackerone.com/reports/1223882
🔹 Severity: Low | 💰 800 USD
🔹 Reported To: curl
🔹 Reported By: #thoger
🔹 State: 🟢 Resolved
🔹 Disclosed: July 21, 2021, 8:41pm (UTC)
pam_ussh does not properly validate the SSH certificate authority
👉 https://hackerone.com/reports/1177356
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: Uber
🔹 Reported By: #penguinsaretasty
🔹 State: 🟢 Resolved
🔹 Disclosed: July 21, 2021, 9:19pm (UTC)