Bugpoint – Telegram
Bugpoint
Latest updates about disclosure bug bounty reports: tech details, impacts, bounties 📣

Rate👇
https://cutt.ly/bugpoint_rate
Feedback👇
https://cutt.ly/bugpoint_feedback

#️⃣ bug bounty disclosed reports
#️⃣ bug bounty write-ups
#️⃣ bug bounty teleg
Download of file with arbitrary extension via injection into attachment header

👉 https://hackerone.com/reports/1215263

🔹 Severity: Medium | 💰 125 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #foobar7
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2021, 9:15am (UTC)
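The report title above names the vulnerability class: a user-controlled filename is pasted into the Content-Disposition header. The following is an added example (not Nextcloud's code and not taken from the report) that puts the unsafe header builder next to a hardened one and shows what a client would parse out of each. The filenames, including the two attack strings, are constructed for the demo.

```python
"""Content-Disposition filename handling: an unsafe builder next to a safe one.

Constructed example (not Nextcloud's code); the filenames used below are made up.
"""
import re
from typing import List, Tuple
from urllib.parse import quote

# Constructed attack inputs (hypothetical, not from the report):
# 1) close the quoted-string early and append a second filename parameter
ATTACK_QUOTE = 'report.pdf"; filename="payload.html'
# 2) CR/LF to smuggle a whole extra header line
ATTACK_CRLF = "report.pdf\r\nX-Injected: 1"


def naive_disposition(filename: str) -> str:
    """Vulnerable pattern: the name is concatenated straight into the header.

    A double quote in the name ends the quoted-string, so whatever follows is
    interpreted as further header syntax chosen by the attacker."""
    return f'attachment; filename="{filename}"'


def safe_disposition(filename: str) -> str:
    """Hardened pattern: an ASCII fallback with header-breaking bytes replaced,
    plus an RFC 5987/6266 'filename*' parameter with the percent-encoded UTF-8 name."""
    # Replace CR/LF (header injection), quotes and backslashes (quoted-string
    # escapes), semicolons (parameter separators) and slashes (paths).
    fallback = re.sub(r'[\r\n"\\;/]', "_", filename)
    # Fallback stays printable ASCII; everything else is carried by filename*.
    fallback = "".join(c if 0x20 <= ord(c) < 0x7F else "_" for c in fallback)
    # safe="" percent-encodes every reserved character, so ; " and spaces
    # cannot terminate the filename* value.
    encoded = quote(filename.encode("utf-8"), safe="")
    return f'attachment; filename="{fallback}"; filename*=UTF-8\'\'{encoded}'


def parse_params(header: str) -> List[Tuple[str, str]]:
    """Minimal illustration of how a client splits the header: returns the
    (name, value) parameters that follow the disposition type, in order."""
    params = []
    for raw in header.split(";")[1:]:
        name, _, value = raw.strip().partition("=")
        params.append((name.strip().lower(), value.strip().strip('"')))
    return params


def param_names(header: str) -> List[str]:
    return [name for name, _ in parse_params(header)]


if __name__ == "__main__":
    print(naive_disposition(ATTACK_QUOTE))   # two filename= parameters
    print(safe_disposition(ATTACK_QUOTE))    # one filename=, one filename*=
    print(repr(naive_disposition(ATTACK_CRLF)))  # CR/LF survives
    print(repr(safe_disposition(ATTACK_CRLF)))   # CR/LF neutralised
```

The check worth keeping from this: after building the header, there must be exactly one `filename` parameter and no raw CR, LF or unescaped `"` in it, regardless of what the stored filename contains.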
index.php/apps/files_sharing/shareinfo endpoint is not properly protected

👉 https://hackerone.com/reports/1173684

🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2021, 9:18am (UTC)
public webdav endpoint not bruteforce protected

👉 https://hackerone.com/reports/1192159

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2021, 9:19am (UTC)
Bypass of privacy filter / tracking pixel blocker

👉 https://hackerone.com/reports/1215251

🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #foobar7
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2021, 9:21am (UTC)
ApiService#fetch serves content as text/html and inline Content-Disposition

👉 https://hackerone.com/reports/1241460

🔹 Severity: No Rating
🔹 Reported To: Nextcloud
🔹 Reported By: #lukasreschkenc
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2021, 9:22am (UTC)
Text app leaks file path of shared files

👉 https://hackerone.com/reports/1246721

🔹 Severity: Low
🔹 Reported To: Nextcloud
🔹 Reported By: #lukasreschkenc
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2021, 9:23am (UTC)
Add to your nextcloud endpoint is not properly protected

👉 https://hackerone.com/reports/1192144

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2021, 9:24am (UTC)
Business logic error

👉 https://hackerone.com/reports/1296597

🔹 Severity: Low
🔹 Reported To: UPchieve
🔹 Reported By: #scianto05
🔹 State: 🔴 N/A
🔹 Disclosed: August 11, 2021, 5:46pm (UTC)
Java: Timing attacks while comparing results of cryptographic operations

👉 https://hackerone.com/reports/1301753

🔹 Severity: High
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: August 12, 2021, 5:27pm (UTC)
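The report above concerns Java code that compares MAC or signature output with an ordinary equality check, which can stop at the first differing byte and so leak, through response time, how much of a guessed tag is correct. The following is an added example of that pattern and its fix, written in Python rather than Java and not taken from the report; the key, message and tags are constructed for the demo. The hand-written comparison is there to show why the fix works; in real code use the library routine (`hmac.compare_digest` here, `MessageDigest.isEqual` in Java).

```python
"""HMAC tag verification: early-exit comparison next to constant-time comparison.

Constructed example, not from the report (which concerns Java code); the key,
message and tags below are made up.
"""
import hashlib
import hmac

KEY = b"constructed-demo-key"        # hypothetical
MESSAGE = b"amount=100&to=acct-42"   # hypothetical


def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_naive(key: bytes, message: bytes, tag: bytes) -> bool:
    """Vulnerable pattern: generic equality on a secret-derived value.
    Comparisons that return at the first mismatching byte take longer the more
    leading bytes the attacker has right, which lets the tag be guessed byte by
    byte (the Java analogue is Arrays.equals / == on a MAC or signature)."""
    return mac(key, message) == tag


def constant_time_eq(a: bytes, b: bytes) -> bool:
    """Constant-time comparison written out: every byte is visited and the
    differences are OR-ed together, so the work done does not depend on where
    the first mismatch is. Length is not secret for a fixed-size tag, so a
    length check up front is fine."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def verify_safe(key: bytes, message: bytes, tag: bytes) -> bool:
    """Hardened pattern: the standard library's constant-time comparison."""
    return hmac.compare_digest(mac(key, message), tag)


def corrupt_first_byte(tag: bytes) -> bytes:
    """Helper for the demo: flip one bit in the first byte of a tag."""
    return bytes([tag[0] ^ 0x01]) + tag[1:]


if __name__ == "__main__":
    good = mac(KEY, MESSAGE)
    bad = corrupt_first_byte(good)
    print(verify_naive(KEY, MESSAGE, good), verify_naive(KEY, MESSAGE, bad))
    print(verify_safe(KEY, MESSAGE, good), verify_safe(KEY, MESSAGE, bad))
```

Both verifiers return the same boolean for every input; the difference is only in how long they take to reach it, which is exactly what a timing-attack query has to reason about rather than a functional test.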
[C#]: HttpOnly and Secure Cookies for .NET Core and .NET

👉 https://hackerone.com/reports/1301752

🔹 Severity: Low
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: August 12, 2021, 5:27pm (UTC)
Client IP Spoofing using "X-Forwarded-For: 127.0.0.1" on "studio-app.snapchat.com" exposing bucket details

👉 https://hackerone.com/reports/382678

🔹 Severity: High | 💰 500 USD
🔹 Reported To: Snapchat
🔹 Reported By: #damian89
🔹 State: 🟢 Resolved
🔹 Disclosed: August 12, 2021, 9:33pm (UTC)
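The report above is a textbook case of trusting the client-supplied X-Forwarded-For header to decide whether a request is "internal". The following is an added example, not Snapchat's code and not derived from the report, that shows the spoofable client-IP resolution next to a hardened one that walks the proxy chain from the right and only honours hops appended by known proxies. The allowlist, the proxy range and the addresses are constructed for the demo.

```python
"""Client-IP resolution behind a reverse proxy: spoofable pattern next to the hardened one.

Constructed example (not Snapchat's code); allowlist, proxy range and addresses are made up.
"""
import ipaddress
from typing import Dict, Iterable

IPNetwork = Iterable  # list of ipaddress.ip_network objects

# Hypothetical: a diagnostics endpoint that should only answer to loopback.
INTERNAL_ALLOWLIST = [ipaddress.ip_network("127.0.0.0/8")]

# Hypothetical: the only hosts that legitimately sit in front of the app.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _in_any(addr: ipaddress._BaseAddress, nets: IPNetwork) -> bool:
    return any(addr in net for net in nets)


def client_ip_naive(headers: Dict[str, str], peer_addr: str) -> str:
    """Vulnerable pattern: the left-most X-Forwarded-For hop is taken as the client.
    The client writes that value itself, so "127.0.0.1" is accepted at face value."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_addr


def client_ip_hardened(headers: Dict[str, str], peer_addr: str,
                       trusted_proxies: IPNetwork = TRUSTED_PROXIES) -> str:
    """Hardened pattern: only consult the header when the TCP peer is one of our
    proxies, then walk the chain from the right (the end our proxies append to)
    and return the first hop that is not a trusted proxy. Anything the client
    put to the left of that hop is ignored."""
    peer = ipaddress.ip_address(peer_addr)
    if not _in_any(peer, trusted_proxies):
        return peer_addr  # did not come through our proxy tier: header is untrusted
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed chain: trust nothing further left
        if not _in_any(addr, trusted_proxies):
            return str(addr)
    return peer_addr  # every hop was a proxy; fall back to the connecting peer


def is_internal(ip: str) -> bool:
    return _in_any(ipaddress.ip_address(ip), INTERNAL_ALLOWLIST)


# Constructed scenario: attacker at 203.0.113.5 sends "X-Forwarded-For: 127.0.0.1";
# the trusted proxy 10.0.0.2 appends the real peer and forwards to the app.
SPOOFED_HEADERS = {"X-Forwarded-For": "127.0.0.1, 203.0.113.5"}
PROXY_PEER = "10.0.0.2"

if __name__ == "__main__":
    print(is_internal(client_ip_naive(SPOOFED_HEADERS, PROXY_PEER)))     # True: bypass
    print(is_internal(client_ip_hardened(SPOOFED_HEADERS, PROXY_PEER)))  # False
```

The practitioner's check: any authorisation decision keyed on "client IP" must be traced back to the code that derives that IP, and that code must refuse the header entirely when the request did not arrive from a known proxy.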
Leaked JFrog Artifactory username and password exposed on GitHub - https://snapchat.jfrog.io

👉 https://hackerone.com/reports/911606

🔹 Severity: High | 💰 15,000 USD
🔹 Reported To: Snapchat
🔹 Reported By: #kiyell
🔹 State: 🟢 Resolved
🔹 Disclosed: August 12, 2021, 9:40pm (UTC)
Chain of vulnerabilities in Uber for Business Vouchers program allows for attacker to perform arbitrary charges to victim's U4B payment account

👉 https://hackerone.com/reports/1145428

🔹 Severity: High | 💰 5,750 USD
🔹 Reported To: Uber
🔹 Reported By: #pmnh
🔹 State: 🟢 Resolved
🔹 Disclosed: August 12, 2021, 10:17pm (UTC)
[http://kiwi.youdrive.today/] Information disclosure via Kiwi TCMS vulnerability

👉 https://hackerone.com/reports/968402

🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #act1on3
🔹 State: 🟢 Resolved
🔹 Disclosed: August 13, 2021, 3:16pm (UTC)
uchi.ru check_lessons Blind SQL Injection

👉 https://hackerone.com/reports/1214814

🔹 Severity: High | 💰 750 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #cutoffurmind
🔹 State: 🟢 Resolved
🔹 Disclosed: August 13, 2021, 3:21pm (UTC)
mailer.i.bizml.ru viber service preprod information disclosure

👉 https://hackerone.com/reports/836149

🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #cutoffurmind
🔹 State: 🟢 Resolved
🔹 Disclosed: August 13, 2021, 3:22pm (UTC)
Domain Takeover [3737signals.com]

👉 https://hackerone.com/reports/1253926

🔹 Severity: Low | 💰 300 USD
🔹 Reported To: Basecamp
🔹 Reported By: #mrmax4o4
🔹 State: 🟢 Resolved
🔹 Disclosed: August 13, 2021, 6:23pm (UTC)
Information Disclosure on TikTok Unplugged Site

👉 https://hackerone.com/reports/1249050

🔹 Severity: Low
🔹 Reported To: TikTok
🔹 Reported By: #nanwn
🔹 State: 🟢 Resolved
🔹 Disclosed: August 13, 2021, 7:27pm (UTC)
Blind SQL Injection

👉 https://hackerone.com/reports/1069531

🔹 Severity: Critical
🔹 Reported To: MTN Group
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: August 14, 2021, 6:34pm (UTC)
Reflected XSS on play.mtn.co.za

👉 https://hackerone.com/reports/1061199

🔹 Severity: Medium
🔹 Reported To: MTN Group
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: August 14, 2021, 6:45pm (UTC)
IP-in-IP protocol routes arbitrary traffic by default - CVE-2020-10136

👉 https://hackerone.com/reports/893922

🔹 Severity: Medium | 💰 750 USD
🔹 Reported To: The Internet
🔹 Reported By: #yannayl
🔹 State: 🟢 Resolved
🔹 Disclosed: August 15, 2021, 5:03am (UTC)