2x Remote file inclusion within your VMware Instances
👉 https://hackerone.com/reports/1069105
🔹 Severity: Critical
🔹 Reported To: MTN Group
🔹 Reported By: #0x0luke
🔹 State: 🟢 Resolved
🔹 Disclosed: August 19, 2021, 8:16pm (UTC)
When you call your branch the same name as a git hash, it could be checked out by dependents
👉 https://hackerone.com/reports/790634
🔹 Severity: Medium | 💰 2,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #retroplasma
🔹 State: 🟢 Resolved
🔹 Disclosed: August 19, 2021, 9:09pm (UTC)
information disclosure via log files at ==> https://ihelp.mtnbusiness.com/logfiles/Log_21-06-2021.txt
👉 https://hackerone.com/reports/1239633
🔹 Severity: High
🔹 Reported To: MTN Group
🔹 Reported By: #zero_or_1
🔹 State: 🟢 Resolved
🔹 Disclosed: August 20, 2021, 9:36am (UTC)
kubectl creating secrets from stringData leaves secret in plain text
👉 https://hackerone.com/reports/1102064
🔹 Severity: Low
🔹 Reported To: Kubernetes
🔹 Reported By: #max_lan
🔹 State: ⚪️ Informative
🔹 Disclosed: August 21, 2021, 7:32am (UTC)
CVE-2020-9383 Floppy OOB read
👉 https://hackerone.com/reports/891846
🔹 Severity: High | 💰 750 USD
🔹 Reported To: The Internet
🔹 Reported By: #jordyzomer
🔹 State: 🟢 Resolved
🔹 Disclosed: August 22, 2021, 3:22am (UTC)
Local Privilege Escalation during execution of VeraCryptExpander.exe (UAC bypass)
👉 https://hackerone.com/reports/530292
🔹 Severity: Medium | 💰 1,250 USD
🔹 Reported To: VeraCrypt
🔹 Reported By: #penrose
🔹 State: 🟢 Resolved
🔹 Disclosed: August 22, 2021, 3:30am (UTC)
Several protocol parsers in tcpdump before 4.9.2 could cause a buffer overflow in util-print.c:bittok2str_internal()
👉 https://hackerone.com/reports/800324
🔹 Severity: Critical | 💰 500 USD
🔹 Reported To: Data Processing (IBB)
🔹 Reported By: #bags
🔹 State: 🟢 Resolved
🔹 Disclosed: August 22, 2021, 3:50am (UTC)
CVE-2020-10938: buffer overflow/out-of-bounds write in compress.c:HuffmanDecodeImage()
👉 https://hackerone.com/reports/816637
🔹 Severity: Critical | 💰 500 USD
🔹 Reported To: Data Processing (IBB)
🔹 Reported By: #nathaniellives
🔹 State: 🟢 Resolved
🔹 Disclosed: August 22, 2021, 3:54am (UTC)
CVE-2017-13019: The PGM parser in tcpdump before 4.9.2 has a buffer over-read in print-pgm.c:pgm_print()
👉 https://hackerone.com/reports/802896
🔹 Severity: High | 💰 500 USD
🔹 Reported To: Data Processing (IBB)
🔹 Reported By: #bags
🔹 State: 🟢 Resolved
🔹 Disclosed: August 22, 2021, 3:55am (UTC)
CVE-2017-13050: The RPKI-Router parser in tcpdump before 4.9.2 has a buffer over-read in print-rpki-rtr.c:rpki_rtr_pdu_print()
👉 https://hackerone.com/reports/802863
🔹 Severity: High | 💰 500 USD
🔹 Reported To: Data Processing (IBB)
🔹 Reported By: #bags
🔹 State: 🟢 Resolved
🔹 Disclosed: August 22, 2021, 3:56am (UTC)
The VTP parser in tcpdump before 4.9.2 has a buffer over-read in print-vtp.c:vtp_print()
👉 https://hackerone.com/reports/802846
🔹 Severity: High | 💰 500 USD
🔹 Reported To: Data Processing (IBB)
🔹 Reported By: #bags
🔹 State: 🟢 Resolved
🔹 Disclosed: August 22, 2021, 3:56am (UTC)
GitHub Integration doesn't sanitize repository URLs which might be attacker-controlled
👉 https://hackerone.com/reports/1197160
🔹 Severity: Low | 💰 512 USD
🔹 Reported To: New Relic
🔹 Reported By: #dee-see
🔹 State: 🟢 Resolved
🔹 Disclosed: August 23, 2021, 7:39pm (UTC)
Hackers can find out the ID of private programs
👉 https://hackerone.com/reports/1129649
🔹 Severity: Low
🔹 Reported To: HackerOne
🔹 Reported By: #haxta4ok00
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2021, 3:10am (UTC)
The possibility of disrupting the normal operation of frontend using markdown
👉 https://hackerone.com/reports/1138668
🔹 Severity: Low
🔹 Reported To: HackerOne
🔹 Reported By: #haxta4ok00
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2021, 3:19am (UTC)
Hackers can reveal the names of private programs that have an external link
👉 https://hackerone.com/reports/1127455
🔹 Severity: Low
🔹 Reported To: HackerOne
🔹 Reported By: #haxta4ok00
🔹 State: ⚪️ Informative
🔹 Disclosed: August 24, 2021, 3:20am (UTC)
Hackers can reveal the names of private programs that have an external link and Enterprise Product Edition
👉 https://hackerone.com/reports/1130235
🔹 Severity: Low
🔹 Reported To: HackerOne
🔹 Reported By: #haxta4ok00
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2021, 4:13am (UTC)
Attachment object in GraphQL continues to grant access to files, even if they are removed from rendering
👉 https://hackerone.com/reports/1132606
🔹 Severity: Medium
🔹 Reported To: HackerOne
🔹 Reported By: #haxta4ok00
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2021, 4:15am (UTC)
Disclosure of the handle of a private program with an external link
👉 https://hackerone.com/reports/1276992
🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #haxta4ok00
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2021, 4:48pm (UTC)
Enumerating HackerOne Pentests
👉 https://hackerone.com/reports/1139541
🔹 Severity: Low
🔹 Reported To: HackerOne
🔹 Reported By: #whhackersbr
🔹 State: ⚪️ Informative
🔹 Disclosed: August 25, 2021, 3:40am (UTC)
[Python] CWE-943: Add NoSQL Injection Query
👉 https://hackerone.com/reports/1319271
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: August 25, 2021, 8:01pm (UTC)
[C#]: Deserialization sinks
👉 https://hackerone.com/reports/1319270
🔹 Severity: High
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: August 25, 2021, 8:01pm (UTC)