Password reset link not expiring after changing password in settings
👉 https://hackerone.com/reports/1288898
🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Basecamp
🔹 Reported By: #blackbibin
🔹 State: 🟢 Resolved
🔹 Disclosed: August 10, 2021, 6:58am (UTC)
Insecure Bundler configuration fetching internal Gems (okra) from Rubygems.org
👉 https://hackerone.com/reports/1104874
🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: Basecamp
🔹 Reported By: #zofrex
🔹 State: 🟢 Resolved
🔹 Disclosed: August 10, 2021, 7:12am (UTC)
Login session not expire
👉 https://hackerone.com/reports/1294231
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Basecamp
🔹 Reported By: #blackbibin
🔹 State: 🟢 Resolved
🔹 Disclosed: August 10, 2021, 8:08am (UTC)
Password reset token leak on third party website via Referer header
👉 https://hackerone.com/reports/1177287
🔹 Severity: Medium
🔹 Reported To: UPchieve
🔹 Reported By: #n1had
🔹 State: 🟢 Resolved
🔹 Disclosed: August 10, 2021, 3:20pm (UTC)
Acronis True Image 2021 (windows) does not validate server hostname on a login TLS connection
👉 https://hackerone.com/reports/1070533
🔹 Severity: High | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #aapo
🔹 State: 🟢 Resolved
🔹 Disclosed: August 10, 2021, 6:02pm (UTC)
Improper authorization on `/api/as/v1/credentials/` for Dev Role User with Limited Engine Access
👉 https://hackerone.com/reports/1218680
🔹 Severity: High | 💰 3,800 USD
🔹 Reported To: Elastic
🔹 Reported By: #superman85
🔹 State: 🟢 Resolved
🔹 Disclosed: August 3, 2021, 5:12pm (UTC)
[Swiftype] - Stored XSS via document field `url` triggers on `https://app.swiftype.com/engines/<engine>/document_types/<type>/documents/<id>`
👉 https://hackerone.com/reports/1245787
🔹 Severity: High | 💰 3,200 USD
🔹 Reported To: Elastic
🔹 Reported By: #superman85
🔹 State: 🟢 Resolved
🔹 Disclosed: August 3, 2021, 5:12pm (UTC)
Modify in-flight data to payment provider Smart2Pay
👉 https://hackerone.com/reports/1295844
🔹 Severity: Critical | 💰 7,500 USD
🔹 Reported To: Valve
🔹 Reported By: #drbrix
🔹 State: 🟢 Resolved
🔹 Disclosed: August 10, 2021, 10:05pm (UTC)
Ratelimits do not apply to OCS DataResponse
👉 https://hackerone.com/reports/1214158
🔹 Severity: No Rating
🔹 Reported To: Nextcloud
🔹 Reported By: #lukasreschkenc
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2021, 9:14am (UTC)
Download of file with arbitrary extension via injection into attachment header
👉 https://hackerone.com/reports/1215263
🔹 Severity: Medium | 💰 125 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #foobar7
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2021, 9:15am (UTC)
index.php/apps/files_sharing/shareinfo endpoint is not properly protected
👉 https://hackerone.com/reports/1173684
🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2021, 9:18am (UTC)
public webdav endpoint not bruteforce protected
👉 https://hackerone.com/reports/1192159
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2021, 9:19am (UTC)
Bypass of privacy filter / tracking pixel blocker
👉 https://hackerone.com/reports/1215251
🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #foobar7
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2021, 9:21am (UTC)
ApiService#fetch serves content as text/html and inline Content-Disposition
👉 https://hackerone.com/reports/1241460
🔹 Severity: No Rating
🔹 Reported To: Nextcloud
🔹 Reported By: #lukasreschkenc
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2021, 9:22am (UTC)
Text app leaks file path of shared files
👉 https://hackerone.com/reports/1246721
🔹 Severity: Low
🔹 Reported To: Nextcloud
🔹 Reported By: #lukasreschkenc
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2021, 9:23am (UTC)
Add to your nextcloud endpoint is not properly protected
👉 https://hackerone.com/reports/1192144
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2021, 9:24am (UTC)
Business logic error
👉 https://hackerone.com/reports/1296597
🔹 Severity: Low
🔹 Reported To: UPchieve
🔹 Reported By: #scianto05
🔹 State: 🔴 N/A
🔹 Disclosed: August 11, 2021, 5:46pm (UTC)
Java: Timing attacks while comparing results of cryptographic operations
👉 https://hackerone.com/reports/1301753
🔹 Severity: High
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: August 12, 2021, 5:27pm (UTC)
[C#]: HttpOnly and Secure Cookies for .NET Core and .NET
👉 https://hackerone.com/reports/1301752
🔹 Severity: Low
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: August 12, 2021, 5:27pm (UTC)
Client IP Spoofing using "X-Forwarded-For: 127.0.0.1" on "studio-app.snapchat.com" exposing bucket details
👉 https://hackerone.com/reports/382678
🔹 Severity: High | 💰 500 USD
🔹 Reported To: Snapchat
🔹 Reported By: #damian89
🔹 State: 🟢 Resolved
🔹 Disclosed: August 12, 2021, 9:33pm (UTC)
Leaked JFrog Artifactory username and password exposed on GitHub - https://snapchat.jfrog.io
👉 https://hackerone.com/reports/911606
🔹 Severity: High | 💰 15,000 USD
🔹 Reported To: Snapchat
🔹 Reported By: #kiyell
🔹 State: 🟢 Resolved
🔹 Disclosed: August 12, 2021, 9:40pm (UTC)