Unauthenticated Arbitrary File Deletion (CVE-2020-3187)
👉 https://hackerone.com/reports/1056611
🔹 Severity: High
🔹 Reported To: MTN Group
🔹 Reported By: #logic_err0r
🔹 State: 🟢 Resolved
🔹 Disclosed: August 29, 2021, 3:25pm (UTC)
[Biz] [Mailer] Cropping of any* images located on the server
👉 https://hackerone.com/reports/1073485
🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #rainbow_json
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2021, 4:17am (UTC)
Guest users can create new test cases
👉 https://hackerone.com/reports/1113289
🔹 Severity: Low | 💰 650 USD
🔹 Reported To: GitLab
🔹 Reported By: #maruthi12
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2021, 11:01am (UTC)
A profile page of a user can be denied from loading by appending .html to the username
👉 https://hackerone.com/reports/475098
🔹 Severity: Low | 💰 200 USD
🔹 Reported To: GitLab
🔹 Reported By: #maruthi12
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2021, 11:02am (UTC)
A deactivated user can access data through GraphQL
👉 https://hackerone.com/reports/1192460
🔹 Severity: Medium | 💰 1,370 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2021, 1:25pm (UTC)
SSH server due to Improper Signature Verification
👉 https://hackerone.com/reports/1294043
🔹 Severity: High
🔹 Reported To: Sifchain
🔹 Reported By: #escanor56
🔹 State: 🔴 N/A
🔹 Disclosed: August 30, 2021, 2:35pm (UTC)
Index Out Of Bounds in protobuf unmarshalling
👉 https://hackerone.com/reports/1073363
🔹 Severity: No Rating | 💰 250 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #pulpkk
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2021, 7:06pm (UTC)
Bypass of the installation sandbox by injecting keystrokes with TIOCSTI
👉 https://hackerone.com/reports/1283871
🔹 Severity: Low
🔹 Reported To: Homebrew
🔹 Reported By: #gedwards
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2021, 11:46pm (UTC)
Open Redirect
👉 https://hackerone.com/reports/1213580
🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Affirm
🔹 Reported By: #litt1eb0y
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2021, 8:48am (UTC)
Failed to validate Session after Password Change
👉 https://hackerone.com/reports/1295187
🔹 Severity: Low
🔹 Reported To: UPchieve
🔹 Reported By: #aaruthra
🔹 State: 🟤 Duplicate
🔹 Disclosed: August 31, 2021, 9:15am (UTC)
Old session does not expire after password change
👉 https://hackerone.com/reports/1166076
🔹 Severity: No Rating
🔹 Reported To: UPchieve
🔹 Reported By: #elcayser-0x0a
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2021, 9:16am (UTC)
IDOR on www.acronis.com API lead to steal private business user information
👉 https://hackerone.com/reports/1182465
🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Acronis
🔹 Reported By: #f_m
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2021, 10:14am (UTC)
Open Redirect at https://www.nutanix.com/tw/login via icid parameter
👉 https://hackerone.com/reports/1131753
🔹 Severity: Low
🔹 Reported To: Nutanix
🔹 Reported By: #blue_deja_vu
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2021, 1:48pm (UTC)
No Rate Limit On Reset Password
👉 https://hackerone.com/reports/1166066
🔹 Severity: Low
🔹 Reported To: UPchieve
🔹 Reported By: #elcayser-0x0a
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2021, 3:23pm (UTC)
Subdomain takeover due to non registered TLD [ ██████████.█████.██████.com ]
👉 https://hackerone.com/reports/1312365
🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Affirm
🔹 Reported By: #0xprial
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2021, 4:18pm (UTC)
Session takeover via open protocol redirection on streamlabs.com
👉 https://hackerone.com/reports/1178239
🔹 Severity: Medium | 💰 200 USD
🔹 Reported To: Logitech
🔹 Reported By: #f_m
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2021, 3:49pm (UTC)
Critical || Unrestricted access to private Github repos and properties of Elastic through leaked token of Elastic employee
👉 https://hackerone.com/reports/1266188
🔹 Severity: Critical | 💰 2,000 USD
🔹 Reported To: Elastic
🔹 Reported By: #prateek_0490
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2021, 5:40pm (UTC)
Improper input validation in projects leads to fully deny access to project resources
👉 https://hackerone.com/reports/1237700
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Semrush
🔹 Reported By: #a_d_a_m
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2021, 8:11pm (UTC)
E-mail verification bypass through interception & modification of response status
👉 https://hackerone.com/reports/1181253
🔹 Severity: No Rating
🔹 Reported To: U.S. General Services Administration
🔹 Reported By: #rajeshpatil
🔹 State: 🟢 Resolved
🔹 Disclosed: September 2, 2021, 2:46pm (UTC)
Java: Static initialization vector
👉 https://hackerone.com/reports/1329260
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: September 3, 2021, 12:15am (UTC)
Improper Authentication - any user can login as other user with otp/logout & otp/login
👉 https://hackerone.com/reports/921780
🔹 Severity: Critical | 💰 25,000 USD
🔹 Reported To: Snapchat
🔹 Reported By: #korniltsev
🔹 State: 🟢 Resolved
🔹 Disclosed: September 3, 2021, 9:12am (UTC)