Hacker can bypass minimum bounty amount restrictions in "invitation preferences" setting via UpdateInvitationPreferencesMutation GraphQL operation
👉 https://hackerone.com/reports/981036
🔹 Severity: Low
🔹 Reported To: HackerOne
🔹 Reported By: #frozensolid
🔹 State: ⚪️ Informative
🔹 Disclosed: September 20, 2021, 1:20pm (UTC)
👉 https://hackerone.com/reports/981036
🔹 Severity: Low
🔹 Reported To: HackerOne
🔹 Reported By: #frozensolid
🔹 State: ⚪️ Informative
🔹 Disclosed: September 20, 2021, 1:20pm (UTC)
New experimental query: Clipboard-based XSS
👉 https://hackerone.com/reports/1345484
🔹 Severity: High
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: September 20, 2021, 10:00pm (UTC)
👉 https://hackerone.com/reports/1345484
🔹 Severity: High
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: September 20, 2021, 10:00pm (UTC)
ihsinme: Add query for CWE-758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
👉 https://hackerone.com/reports/1345483
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: September 20, 2021, 10:00pm (UTC)
👉 https://hackerone.com/reports/1345483
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: September 20, 2021, 10:00pm (UTC)
Open Redirect through POST Request in OAuth
👉 https://hackerone.com/reports/1129761
🔹 Severity: Low | 💰 50 USD
🔹 Reported To: Moneybird
🔹 Reported By: #bugera
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2021, 2:29pm (UTC)
👉 https://hackerone.com/reports/1129761
🔹 Severity: Low | 💰 50 USD
🔹 Reported To: Moneybird
🔹 Reported By: #bugera
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2021, 2:29pm (UTC)
IDOR in https://moneybird.com/user/accountant_company/edit(change company name)
👉 https://hackerone.com/reports/726163
🔹 Severity: Low | 💰 50 USD
🔹 Reported To: Moneybird
🔹 Reported By: #t3chnophil3
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2021, 2:31pm (UTC)
👉 https://hackerone.com/reports/726163
🔹 Severity: Low | 💰 50 USD
🔹 Reported To: Moneybird
🔹 Reported By: #t3chnophil3
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2021, 2:31pm (UTC)
Access to microtransaction sales data for lots of apps from 2014 to present at /valvefinance/sanity/
👉 https://hackerone.com/reports/975212
🔹 Severity: Critical | 💰 9,000 USD
🔹 Reported To: Valve
🔹 Reported By: #njbooher
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2021, 9:41pm (UTC)
👉 https://hackerone.com/reports/975212
🔹 Severity: Critical | 💰 9,000 USD
🔹 Reported To: Valve
🔹 Reported By: #njbooher
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2021, 9:41pm (UTC)
Big Picture web browser leaks login cookies and discloses sensitive information (may lead to account takeover)
👉 https://hackerone.com/reports/1079561
🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: Valve
🔹 Reported By: #bugstar
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2021, 9:42pm (UTC)
👉 https://hackerone.com/reports/1079561
🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: Valve
🔹 Reported By: #bugstar
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2021, 9:42pm (UTC)
Privilege Escalation vulnerability in steam's Remote Play feature leads to arbitrary kernel-mode driver installation
👉 https://hackerone.com/reports/852091
🔹 Severity: Medium | 💰 750 USD
🔹 Reported To: Valve
🔹 Reported By: #hydraskyteam
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2021, 9:55pm (UTC)
👉 https://hackerone.com/reports/852091
🔹 Severity: Medium | 💰 750 USD
🔹 Reported To: Valve
🔹 Reported By: #hydraskyteam
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2021, 9:55pm (UTC)
Information disclosure
👉 https://hackerone.com/reports/1347249
🔹 Severity: High
🔹 Reported To: Brave Software
🔹 Reported By: #kkarfalcon
🔹 State: 🔴 N/A
🔹 Disclosed: September 21, 2021, 11:35pm (UTC)
👉 https://hackerone.com/reports/1347249
🔹 Severity: High
🔹 Reported To: Brave Software
🔹 Reported By: #kkarfalcon
🔹 State: 🔴 N/A
🔹 Disclosed: September 21, 2021, 11:35pm (UTC)
HTML Injection in Email
👉 https://hackerone.com/reports/1248585
🔹 Severity: Low
🔹 Reported To: Engel & Völkers Technology GmbH
🔹 Reported By: #chaitanya_024
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 8:30am (UTC)
👉 https://hackerone.com/reports/1248585
🔹 Severity: Low
🔹 Reported To: Engel & Völkers Technology GmbH
🔹 Reported By: #chaitanya_024
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 8:30am (UTC)
Race condition allows to send multiple times feedback for the hacker
👉 https://hackerone.com/reports/1132171
🔹 Severity: Low
🔹 Reported To: HackerOne
🔹 Reported By: #muon4
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 7:21pm (UTC)
👉 https://hackerone.com/reports/1132171
🔹 Severity: Low
🔹 Reported To: HackerOne
🔹 Reported By: #muon4
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 7:21pm (UTC)
Used email confirmation link reveals the email address which is tied to it
👉 https://hackerone.com/reports/1128358
🔹 Severity: No Rating
🔹 Reported To: HackerOne
🔹 Reported By: #muon4
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 7:24pm (UTC)
👉 https://hackerone.com/reports/1128358
🔹 Severity: No Rating
🔹 Reported To: HackerOne
🔹 Reported By: #muon4
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 7:24pm (UTC)
CSV injection in the credentials export
👉 https://hackerone.com/reports/1131887
🔹 Severity: No Rating
🔹 Reported To: HackerOne
🔹 Reported By: #muon4
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 7:33pm (UTC)
👉 https://hackerone.com/reports/1131887
🔹 Severity: No Rating
🔹 Reported To: HackerOne
🔹 Reported By: #muon4
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 7:33pm (UTC)
Temporary banned user (from platform) is able to make submissions via embedded submission forms
👉 https://hackerone.com/reports/1133536
🔹 Severity: Low
🔹 Reported To: HackerOne
🔹 Reported By: #muon4
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 7:34pm (UTC)
👉 https://hackerone.com/reports/1133536
🔹 Severity: Low
🔹 Reported To: HackerOne
🔹 Reported By: #muon4
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 7:34pm (UTC)
User's who are banned from program can still be invited to the new reports as collaborators
👉 https://hackerone.com/reports/1131306
🔹 Severity: Low
🔹 Reported To: HackerOne
🔹 Reported By: #muon4
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 7:36pm (UTC)
👉 https://hackerone.com/reports/1131306
🔹 Severity: Low
🔹 Reported To: HackerOne
🔹 Reported By: #muon4
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 7:36pm (UTC)
Fetching the update json scheme from concrete5 over HTTP leads to remote code execution
👉 https://hackerone.com/reports/982130
🔹 Severity: High
🔹 Reported To: Concrete CMS
🔹 Reported By: #pabl00nicarres
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 10:19pm (UTC)
👉 https://hackerone.com/reports/982130
🔹 Severity: High
🔹 Reported To: Concrete CMS
🔹 Reported By: #pabl00nicarres
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 10:19pm (UTC)
[Zomato Order] Insecure deeplink leads to sensitive information disclosure
👉 https://hackerone.com/reports/532225
🔹 Severity: High | 💰 750 USD
🔹 Reported To: Zomato
🔹 Reported By: #shell_c0de
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2021, 5:54am (UTC)
👉 https://hackerone.com/reports/532225
🔹 Severity: High | 💰 750 USD
🔹 Reported To: Zomato
🔹 Reported By: #shell_c0de
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2021, 5:54am (UTC)
[Zomato for Business Android] Vulnerability in exported activity WebView
👉 https://hackerone.com/reports/537670
🔹 Severity: Medium
🔹 Reported To: Zomato
🔹 Reported By: #shell_c0de
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2021, 5:56am (UTC)
👉 https://hackerone.com/reports/537670
🔹 Severity: Medium
🔹 Reported To: Zomato
🔹 Reported By: #shell_c0de
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2021, 5:56am (UTC)
No Rate Limit On dashboard.myndr.net/auth
👉 https://hackerone.com/reports/1065128
🔹 Severity: No Rating
🔹 Reported To: Myndr
🔹 Reported By: #azimuthub
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2021, 8:41am (UTC)
👉 https://hackerone.com/reports/1065128
🔹 Severity: No Rating
🔹 Reported To: Myndr
🔹 Reported By: #azimuthub
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2021, 8:41am (UTC)
Clients do not verify server public key
👉 https://hackerone.com/reports/1192470
🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2021, 12:25pm (UTC)
👉 https://hackerone.com/reports/1192470
🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2021, 12:25pm (UTC)
End to end encryption public key is not properly verified on Desktop and Android
👉 https://hackerone.com/reports/1189162
🔹 Severity: Medium | 💰 1,500 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2021, 12:25pm (UTC)
👉 https://hackerone.com/reports/1189162
🔹 Severity: Medium | 💰 1,500 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2021, 12:25pm (UTC)