When uploading attachments, unencrypted file names are made available to the server
👉 https://hackerone.com/reports/1206799
🔹 Severity: No Rating
🔹 Reported To: Bitwarden
🔹 Reported By: #jjlin
🔹 State: 🟢 Resolved
🔹 Disclosed: August 2, 2021, 1:52pm (UTC)
👉 https://hackerone.com/reports/1206799
🔹 Severity: No Rating
🔹 Reported To: Bitwarden
🔹 Reported By: #jjlin
🔹 State: 🟢 Resolved
🔹 Disclosed: August 2, 2021, 1:52pm (UTC)
CSRF on /api/graphql allows executing mutations through GET requests
👉 https://hackerone.com/reports/1122408
🔹 Severity: High | 💰 3,370 USD
🔹 Reported To: GitLab
🔹 Reported By: #az3z3l
🔹 State: 🟢 Resolved
🔹 Disclosed: August 2, 2021, 7:10pm (UTC)
👉 https://hackerone.com/reports/1122408
🔹 Severity: High | 💰 3,370 USD
🔹 Reported To: GitLab
🔹 Reported By: #az3z3l
🔹 State: 🟢 Resolved
🔹 Disclosed: August 2, 2021, 7:10pm (UTC)
[Java] CWE-601: Add Spring URL Redirect ResponseEntity sink
👉 https://hackerone.com/reports/1287577
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #p0wn4j
🔹 State: 🟢 Resolved
🔹 Disclosed: August 2, 2021, 8:59pm (UTC)
👉 https://hackerone.com/reports/1287577
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #p0wn4j
🔹 State: 🟢 Resolved
🔹 Disclosed: August 2, 2021, 8:59pm (UTC)
[Python]: Add SqlAlchemy support for SQL injection query
👉 https://hackerone.com/reports/1287576
🔹 Severity: High
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: August 2, 2021, 9:00pm (UTC)
👉 https://hackerone.com/reports/1287576
🔹 Severity: High
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: August 2, 2021, 9:00pm (UTC)
[Python] CWE-287: LDAP Improper Authentication
👉 https://hackerone.com/reports/1287575
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #jorgectf
🔹 State: 🟢 Resolved
🔹 Disclosed: August 2, 2021, 9:00pm (UTC)
👉 https://hackerone.com/reports/1287575
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #jorgectf
🔹 State: 🟢 Resolved
🔹 Disclosed: August 2, 2021, 9:00pm (UTC)
[Java] CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
👉 https://hackerone.com/reports/1287574
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: August 2, 2021, 9:00pm (UTC)
👉 https://hackerone.com/reports/1287574
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: August 2, 2021, 9:00pm (UTC)
Java: Unsafe deserialization with Jackson
👉 https://hackerone.com/reports/1287573
🔹 Severity: High | 💰 4,500 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #artem
🔹 State: 🟢 Resolved
🔹 Disclosed: August 2, 2021, 9:00pm (UTC)
👉 https://hackerone.com/reports/1287573
🔹 Severity: High | 💰 4,500 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #artem
🔹 State: 🟢 Resolved
🔹 Disclosed: August 2, 2021, 9:00pm (UTC)
Improper Sanitization leads to XSS Fire on admin panel
👉 https://hackerone.com/reports/1011888
🔹 Severity: High
🔹 Reported To: Informatica
🔹 Reported By: #montypythin
🔹 State: 🟢 Resolved
🔹 Disclosed: August 3, 2021, 11:32am (UTC)
👉 https://hackerone.com/reports/1011888
🔹 Severity: High
🔹 Reported To: Informatica
🔹 Reported By: #montypythin
🔹 State: 🟢 Resolved
🔹 Disclosed: August 3, 2021, 11:32am (UTC)
Information disclosure - Feedback is accessible on Public profile even after 'disallowed' at https://hackerone.com/settings/feedback
👉 https://hackerone.com/reports/1264725
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #brdoors3
🔹 State: 🟢 Resolved
🔹 Disclosed: August 3, 2021, 6:43pm (UTC)
👉 https://hackerone.com/reports/1264725
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #brdoors3
🔹 State: 🟢 Resolved
🔹 Disclosed: August 3, 2021, 6:43pm (UTC)
Private application files can be uploaded to Slack via malicious uploader
👉 https://hackerone.com/reports/375083
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Slack
🔹 Reported By: #shell_c0de
🔹 State: 🟢 Resolved
🔹 Disclosed: August 4, 2021, 2:35pm (UTC)
👉 https://hackerone.com/reports/375083
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Slack
🔹 Reported By: #shell_c0de
🔹 State: 🟢 Resolved
🔹 Disclosed: August 4, 2021, 2:35pm (UTC)
Disclosure of internal information using hidden NTLM authentication leading to an exploit server
👉 https://hackerone.com/reports/853284
🔹 Severity: High
🔹 Reported To: MTN Group
🔹 Reported By: #light4kira
🔹 State: 🟢 Resolved
🔹 Disclosed: August 4, 2021, 2:49pm (UTC)
👉 https://hackerone.com/reports/853284
🔹 Severity: High
🔹 Reported To: MTN Group
🔹 Reported By: #light4kira
🔹 State: 🟢 Resolved
🔹 Disclosed: August 4, 2021, 2:49pm (UTC)
Bypass Rate Limits on app.snapchat.com API Endpoint via X-Forwarded-For Header
👉 https://hackerone.com/reports/727487
🔹 Severity: Medium | 💰 1,250 USD
🔹 Reported To: Snapchat
🔹 Reported By: #sicarius
🔹 State: 🟢 Resolved
🔹 Disclosed: August 4, 2021, 9:18pm (UTC)
👉 https://hackerone.com/reports/727487
🔹 Severity: Medium | 💰 1,250 USD
🔹 Reported To: Snapchat
🔹 Reported By: #sicarius
🔹 State: 🟢 Resolved
🔹 Disclosed: August 4, 2021, 9:18pm (UTC)
Internal Gitlab Ticket Disclosure via External Slack Channels
👉 https://hackerone.com/reports/1273292
🔹 Severity: High | 💰 7,500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #none_of_the_above
🔹 State: 🟢 Resolved
🔹 Disclosed: August 4, 2021, 11:48pm (UTC)
👉 https://hackerone.com/reports/1273292
🔹 Severity: High | 💰 7,500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #none_of_the_above
🔹 State: 🟢 Resolved
🔹 Disclosed: August 4, 2021, 11:48pm (UTC)
Acronis True Image (Windows) does not validate server certificate on a TLS connection
👉 https://hackerone.com/reports/1056144
🔹 Severity: High | 💰 500 USD
🔹 Reported To: Acronis
🔹 Reported By: #aapo
🔹 State: 🟢 Resolved
🔹 Disclosed: August 5, 2021, 12:53pm (UTC)
👉 https://hackerone.com/reports/1056144
🔹 Severity: High | 💰 500 USD
🔹 Reported To: Acronis
🔹 Reported By: #aapo
🔹 State: 🟢 Resolved
🔹 Disclosed: August 5, 2021, 12:53pm (UTC)
Mishandling of hackerone clear background checks resulting in disclosure of other hacker's information
👉 https://hackerone.com/reports/1240162
🔹 Severity: Medium
🔹 Reported To: HackerOne
🔹 Reported By: #frozensolid
🔹 State: 🟢 Resolved
🔹 Disclosed: August 5, 2021, 3:24pm (UTC)
👉 https://hackerone.com/reports/1240162
🔹 Severity: Medium
🔹 Reported To: HackerOne
🔹 Reported By: #frozensolid
🔹 State: 🟢 Resolved
🔹 Disclosed: August 5, 2021, 3:24pm (UTC)
Private program disclosure through notifications
👉 https://hackerone.com/reports/1234746
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #sunil_yedla
🔹 State: 🟢 Resolved
🔹 Disclosed: August 5, 2021, 6:42pm (UTC)
👉 https://hackerone.com/reports/1234746
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #sunil_yedla
🔹 State: 🟢 Resolved
🔹 Disclosed: August 5, 2021, 6:42pm (UTC)
Partial report contents leakage - via HTTP/2 concurrent stream handling
👉 https://hackerone.com/reports/493176
🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #tomvg
🔹 State: 🟢 Resolved
🔹 Disclosed: August 5, 2021, 8:07pm (UTC)
👉 https://hackerone.com/reports/493176
🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #tomvg
🔹 State: 🟢 Resolved
🔹 Disclosed: August 5, 2021, 8:07pm (UTC)
CVE-2020-3452 - unauthenticated file read on anyconnect.routematch.com
👉 https://hackerone.com/reports/1257100
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Uber
🔹 Reported By: #0xprial
🔹 State: 🟢 Resolved
🔹 Disclosed: August 5, 2021, 8:15pm (UTC)
👉 https://hackerone.com/reports/1257100
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Uber
🔹 Reported By: #0xprial
🔹 State: 🟢 Resolved
🔹 Disclosed: August 5, 2021, 8:15pm (UTC)
Mattermost Server OAuth Flow Cross-Site Scripting
👉 https://hackerone.com/reports/1216203
🔹 Severity: High | 💰 900 USD
🔹 Reported To: Mattermost
🔹 Reported By: #shielder
🔹 State: 🟢 Resolved
🔹 Disclosed: August 6, 2021, 2:01pm (UTC)
👉 https://hackerone.com/reports/1216203
🔹 Severity: High | 💰 900 USD
🔹 Reported To: Mattermost
🔹 Reported By: #shielder
🔹 State: 🟢 Resolved
🔹 Disclosed: August 6, 2021, 2:01pm (UTC)
Loading YAML in Java client can lead to command execution
👉 https://hackerone.com/reports/1167773
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #j0v
🔹 State: 🟢 Resolved
🔹 Disclosed: August 7, 2021, 12:41pm (UTC)
👉 https://hackerone.com/reports/1167773
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #j0v
🔹 State: 🟢 Resolved
🔹 Disclosed: August 7, 2021, 12:41pm (UTC)
Virtual Data Room / Hide download on collabora is easy to bypass
👉 https://hackerone.com/reports/1194606
🔹 Severity: High | 💰 150 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: August 7, 2021, 2:28pm (UTC)
👉 https://hackerone.com/reports/1194606
🔹 Severity: High | 💰 150 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: August 7, 2021, 2:28pm (UTC)