No Rate Limit On Contact Us

👉 https://hackerone.com/reports/1166069

🔹 Severity: No Rating
🔹 Reported To: UPchieve
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2021, 5:23pm (UTC)

2 Bypass of #1067533 rate limit via X-Forwarded-For<space>: Source IP on ( www.trycourier.app )

👉 https://hackerone.com/reports/1206777

🔹 Severity: Medium
🔹 Reported To: Courier
🔹 Reported By: #bugera
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2021, 5:47pm (UTC)

HTTP Request Smuggling via HTTP/2

👉 https://hackerone.com/reports/1211724

🔹 Severity: Critical | 💰 7,500 USD
🔹 Reported To: Basecamp
🔹 Reported By: #neex
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2021, 7:21pm (UTC)

Publicly exposed HashiCorp Vault (Secrets management) at usec-gcp-staging.uberinternal.com & usec-gcp.uberinternal.com

👉 https://hackerone.com/reports/519044

🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Uber
🔹 Reported By: #ayoubfathi_
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2021, 8:20pm (UTC)

Unauthenticated Arbitrary File Deletion (CVE-2020-3187)

👉 https://hackerone.com/reports/1056611

🔹 Severity: High
🔹 Reported To: MTN Group
🔹 Reported By: #logic_err0r
🔹 State: 🟢 Resolved
🔹 Disclosed: August 29, 2021, 3:25pm (UTC)

[Biz] [Mailer] Кроп любых* изображений расположенных на сервере

👉 https://hackerone.com/reports/1073485

🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #rainbow_json
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2021, 4:17am (UTC)

Guest users can create new test cases

👉 https://hackerone.com/reports/1113289

🔹 Severity: Low | 💰 650 USD
🔹 Reported To: GitLab
🔹 Reported By: #maruthi12
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2021, 11:01am (UTC)

A profile page of a user can be denied from loading by appending .html to the username

👉 https://hackerone.com/reports/475098

🔹 Severity: Low | 💰 200 USD
🔹 Reported To: GitLab
🔹 Reported By: #maruthi12
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2021, 11:02am (UTC)

A deactivated user can access data through GraphQL

👉 https://hackerone.com/reports/1192460

🔹 Severity: Medium | 💰 1,370 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2021, 1:25pm (UTC)

SSH server due to Improper Signature Verification

👉 https://hackerone.com/reports/1294043

🔹 Severity: High
🔹 Reported To: Sifchain
🔹 Reported By: #escanor56
🔹 State: 🔴 N/A
🔹 Disclosed: August 30, 2021, 2:35pm (UTC)

Index Out Of Bounds in protobuf unmarshalling

👉 https://hackerone.com/reports/1073363

🔹 Severity: No Rating | 💰 250 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #pulpkk
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2021, 7:06pm (UTC)

Bypass of the installation sandbox by injecting keystrokes with TIOCSTI

👉 https://hackerone.com/reports/1283871

🔹 Severity: Low
🔹 Reported To: Homebrew
🔹 Reported By: #gedwards
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2021, 11:46pm (UTC)

Open Redirect

👉 https://hackerone.com/reports/1213580

🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Affirm
🔹 Reported By: #litt1eb0y
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2021, 8:48am (UTC)

Failed to validate Session after Password Change

👉 https://hackerone.com/reports/1295187

🔹 Severity: Low
🔹 Reported To: UPchieve
🔹 Reported By: #aaruthra
🔹 State: 🟤 Duplicate
🔹 Disclosed: August 31, 2021, 9:15am (UTC)

old session dose not expire after password change

👉 https://hackerone.com/reports/1166076

🔹 Severity: No Rating
🔹 Reported To: UPchieve
🔹 Reported By: #elcayser-0x0a
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2021, 9:16am (UTC)

IDOR on www.acronis.com API lead to steal private business user information

👉 https://hackerone.com/reports/1182465

🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Acronis
🔹 Reported By: #f_m
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2021, 10:14am (UTC)

Open Redirect at https://www.nutanix.com/tw/login via icid parameter

👉 https://hackerone.com/reports/1131753

🔹 Severity: Low
🔹 Reported To: Nutanix
🔹 Reported By: #blue_deja_vu
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2021, 1:48pm (UTC)

No Rate Limit On Reset Password

👉 https://hackerone.com/reports/1166066

🔹 Severity: Low
🔹 Reported To: UPchieve
🔹 Reported By: #elcayser-0x0a
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2021, 3:23pm (UTC)

Subdomain takeover due to non registered TLD [ ██████████.█████.██████.com ]

👉 https://hackerone.com/reports/1312365

🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Affirm
🔹 Reported By: #0xprial
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2021, 4:18pm (UTC)

session takeover via open protocol redirection on streamlabs.com

👉 https://hackerone.com/reports/1178239

🔹 Severity: Medium | 💰 200 USD
🔹 Reported To: Logitech
🔹 Reported By: #f_m
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2021, 3:49pm (UTC)

Critical || Unrestricted access to private Github repos and properties of Elastic through leaked token of Elastic employee

👉 https://hackerone.com/reports/1266188

🔹 Severity: Critical | 💰 2,000 USD
🔹 Reported To: Elastic
🔹 Reported By: #prateek_0490
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2021, 5:40pm (UTC)