CSV injection in the credentials export
👉 https://hackerone.com/reports/1131887
🔹 Severity: No Rating
🔹 Reported To: HackerOne
🔹 Reported By: #muon4
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 7:33pm (UTC)
Temporary banned user (from platform) is able to make submissions via embedded submission forms
👉 https://hackerone.com/reports/1133536
🔹 Severity: Low
🔹 Reported To: HackerOne
🔹 Reported By: #muon4
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 7:34pm (UTC)
Users who are banned from a program can still be invited to new reports as collaborators
👉 https://hackerone.com/reports/1131306
🔹 Severity: Low
🔹 Reported To: HackerOne
🔹 Reported By: #muon4
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 7:36pm (UTC)
Fetching the update json scheme from concrete5 over HTTP leads to remote code execution
👉 https://hackerone.com/reports/982130
🔹 Severity: High
🔹 Reported To: Concrete CMS
🔹 Reported By: #pabl00nicarres
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2021, 10:19pm (UTC)
[Zomato Order] Insecure deeplink leads to sensitive information disclosure
👉 https://hackerone.com/reports/532225
🔹 Severity: High | 💰 750 USD
🔹 Reported To: Zomato
🔹 Reported By: #shell_c0de
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2021, 5:54am (UTC)
[Zomato for Business Android] Vulnerability in exported activity WebView
👉 https://hackerone.com/reports/537670
🔹 Severity: Medium
🔹 Reported To: Zomato
🔹 Reported By: #shell_c0de
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2021, 5:56am (UTC)
No Rate Limit On dashboard.myndr.net/auth
👉 https://hackerone.com/reports/1065128
🔹 Severity: No Rating
🔹 Reported To: Myndr
🔹 Reported By: #azimuthub
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2021, 8:41am (UTC)
Clients do not verify server public key
👉 https://hackerone.com/reports/1192470
🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2021, 12:25pm (UTC)
End to end encryption public key is not properly verified on Desktop and Android
👉 https://hackerone.com/reports/1189162
🔹 Severity: Medium | 💰 1,500 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2021, 12:25pm (UTC)
[Python] CWE-522: Insecure LDAP Authentication
👉 https://hackerone.com/reports/1350076
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2021, 11:37pm (UTC)
DoS of LINE client for Android via message containing multiple unicode characters (0x0e & 0x0f)
👉 https://hackerone.com/reports/1058383
🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: LINE
🔹 Reported By: #lynx_vn
🔹 State: 🟢 Resolved
🔹 Disclosed: September 24, 2021, 1:49am (UTC)
Guest Users can create issues for Sentry errors and track their status
👉 https://hackerone.com/reports/1117768
🔹 Severity: Low | 💰 610 USD
🔹 Reported To: GitLab
🔹 Reported By: #maruthi12
🔹 State: 🟢 Resolved
🔹 Disclosed: September 24, 2021, 12:07pm (UTC)
CVE-2021-22947: STARTTLS protocol injection via MITM
👉 https://hackerone.com/reports/1334763
🔹 Severity: Medium | 💰 1,500 USD
🔹 Reported To: curl
🔹 Reported By: #monnerat
🔹 State: 🟢 Resolved
🔹 Disclosed: September 24, 2021, 1:14pm (UTC)
CVE-2021-22946: Protocol downgrade required TLS bypassed
👉 https://hackerone.com/reports/1334111
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: curl
🔹 Reported By: #monnerat
🔹 State: 🟢 Resolved
🔹 Disclosed: September 24, 2021, 1:15pm (UTC)
Phar Deserialization Vulnerability via Logging Settings
👉 https://hackerone.com/reports/1063039
🔹 Severity: Medium
🔹 Reported To: Concrete CMS
🔹 Reported By: #egix
🔹 State: 🟢 Resolved
🔹 Disclosed: September 24, 2021, 4:52pm (UTC)
Deserialization of untrusted data at https://www.redtube.com/media/hls?s=data
👉 https://hackerone.com/reports/1312641
🔹 Severity: Critical | 💰 10,000 USD
🔹 Reported To: Redtube
🔹 Reported By: #kevsecurity
🔹 State: 🟢 Resolved
🔹 Disclosed: September 24, 2021, 4:56pm (UTC)
unclaimed s3 bucket takeover in the 3 js file located on the github page of brave software
👉 https://hackerone.com/reports/1316650
🔹 Severity: Low | 💰 50 USD
🔹 Reported To: Brave Software
🔹 Reported By: #bhatiagaurav1211
🔹 State: ⚪️ Informative
🔹 Disclosed: September 24, 2021, 5:32pm (UTC)
CVE-2020-3187 - unauthenticated arbitrary file deletion in Cisco
👉 https://hackerone.com/reports/944665
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: QIWI
🔹 Reported By: #lalit2020
🔹 State: 🟢 Resolved
🔹 Disclosed: September 24, 2021, 8:37pm (UTC)
Reflected Cross-Site Scripting in: mtn.bj
👉 https://hackerone.com/reports/1264832
🔹 Severity: High
🔹 Reported To: MTN Group
🔹 Reported By: #alimanshester
🔹 State: 🟢 Resolved
🔹 Disclosed: September 26, 2021, 12:59pm (UTC)
com.duckduckgo.mobile.android - Cache corruption
👉 https://hackerone.com/reports/1074613
🔹 Severity: Medium
🔹 Reported To: DuckDuckGo
🔹 Reported By: #webklex
🔹 State: 🟢 Resolved
🔹 Disclosed: September 26, 2021, 11:08pm (UTC)
Tor Browser using --log or --verbose logs the exact connection time a client connects to any v2 domains.
👉 https://hackerone.com/reports/1250273
🔹 Severity: High
🔹 Reported To: Tor
🔹 Reported By: #sickcodes
🔹 State: ⚪️ Informative
🔹 Disclosed: September 27, 2021, 9:14am (UTC)