3x Reflected XSS vectors for services.cgi (XM.v6.1.6, build 32290)
👉 https://hackerone.com/reports/331368
🔹 Severity: Medium | 💰 950 USD
🔹 Reported To: Ubiquiti Inc.
🔹 Reported By: #nih8l
🔹 State: 🟢 Resolved
🔹 Disclosed: October 10, 2021, 11:23pm (UTC)
👉 https://hackerone.com/reports/331368
🔹 Severity: Medium | 💰 950 USD
🔹 Reported To: Ubiquiti Inc.
🔹 Reported By: #nih8l
🔹 State: 🟢 Resolved
🔹 Disclosed: October 10, 2021, 11:23pm (UTC)
XW 6.2.0 firmware: 5 Reflected XSS issues in link.cgi
👉 https://hackerone.com/reports/802498
🔹 Severity: Medium | 💰 344 USD
🔹 Reported To: Ubiquiti Inc.
🔹 Reported By: #nih8l
🔹 State: 🟢 Resolved
🔹 Disclosed: October 10, 2021, 11:23pm (UTC)
👉 https://hackerone.com/reports/802498
🔹 Severity: Medium | 💰 344 USD
🔹 Reported To: Ubiquiti Inc.
🔹 Reported By: #nih8l
🔹 State: 🟢 Resolved
🔹 Disclosed: October 10, 2021, 11:23pm (UTC)
CVE-2020-11110: Grafana Unauthenticated Stored XSS - grafana-lms.rsv.bizml.ru
👉 https://hackerone.com/reports/1329433
🔹 Severity: No Rating
🔹 Reported To: Mail.ru
🔹 Reported By: #melbadry9
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 4:12am (UTC)
👉 https://hackerone.com/reports/1329433
🔹 Severity: No Rating
🔹 Reported To: Mail.ru
🔹 Reported By: #melbadry9
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 4:12am (UTC)
Privilege escalation of "external user" (with maintainer privilege) to internal access through project token
👉 https://hackerone.com/reports/1193062
🔹 Severity: High | 💰 1,020 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 10:23am (UTC)
👉 https://hackerone.com/reports/1193062
🔹 Severity: High | 💰 1,020 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 10:23am (UTC)
Open redirect in fastify-static via mishandled user's input when attempt to redirect
👉 https://hackerone.com/reports/1354255
🔹 Severity: Low
🔹 Reported To: Fastify
🔹 Reported By: #drstrnegth
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 4:39pm (UTC)
👉 https://hackerone.com/reports/1354255
🔹 Severity: Low
🔹 Reported To: Fastify
🔹 Reported By: #drstrnegth
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 4:39pm (UTC)
1-click DOS in fastify-static via directly passing user's input to new URL() of NodeJS without try/catch
👉 https://hackerone.com/reports/1361804
🔹 Severity: Medium
🔹 Reported To: Fastify
🔹 Reported By: #drstrnegth
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 4:41pm (UTC)
👉 https://hackerone.com/reports/1361804
🔹 Severity: Medium
🔹 Reported To: Fastify
🔹 Reported By: #drstrnegth
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 4:41pm (UTC)
[Python] CWE-348: Client supplied ip used in security check
👉 https://hackerone.com/reports/1365762
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 5:06pm (UTC)
👉 https://hackerone.com/reports/1365762
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 5:06pm (UTC)
[Java] CWE-200: Query to detect exposure of sensitive information from android file intent
👉 https://hackerone.com/reports/1365761
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 5:06pm (UTC)
👉 https://hackerone.com/reports/1365761
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 5:06pm (UTC)
Custom crafted message object in Meteor.Call allows remote code execution and impersonation
👉 https://hackerone.com/reports/534887
🔹 Severity: Critical
🔹 Reported To: Rocket.Chat
🔹 Reported By: #wreiske
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 5:20pm (UTC)
👉 https://hackerone.com/reports/534887
🔹 Severity: Critical
🔹 Reported To: Rocket.Chat
🔹 Reported By: #wreiske
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 5:20pm (UTC)
Array Index Underflow--http rpc
👉 https://hackerone.com/reports/825091
🔹 Severity: High
🔹 Reported To: Monero
🔹 Reported By: #minerscan
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 8:35pm (UTC)
👉 https://hackerone.com/reports/825091
🔹 Severity: High
🔹 Reported To: Monero
🔹 Reported By: #minerscan
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 8:35pm (UTC)
Subdomain takeover of main domain of https://www.cyberlynx.lu/
👉 https://hackerone.com/reports/1256389
🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Acronis
🔹 Reported By: #doosec101
🔹 State: 🟢 Resolved
🔹 Disclosed: October 12, 2021, 9:15am (UTC)
👉 https://hackerone.com/reports/1256389
🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Acronis
🔹 Reported By: #doosec101
🔹 State: 🟢 Resolved
🔹 Disclosed: October 12, 2021, 9:15am (UTC)
Open Redirect and CRLF Injection Leads to XSS on [app.doma.uchi.ru]
👉 https://hackerone.com/reports/1132209
🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #melbadry9
🔹 State: 🟢 Resolved
🔹 Disclosed: October 12, 2021, 10:54am (UTC)
👉 https://hackerone.com/reports/1132209
🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #melbadry9
🔹 State: 🟢 Resolved
🔹 Disclosed: October 12, 2021, 10:54am (UTC)
HTML - injection
👉 https://hackerone.com/reports/245233
🔹 Severity: No Rating
🔹 Reported To: WakaTime
🔹 Reported By: #mr_n0b3dy
🔹 State: 🔴 N/A
🔹 Disclosed: October 12, 2021, 11:18pm (UTC)
👉 https://hackerone.com/reports/245233
🔹 Severity: No Rating
🔹 Reported To: WakaTime
🔹 Reported By: #mr_n0b3dy
🔹 State: 🔴 N/A
🔹 Disclosed: October 12, 2021, 11:18pm (UTC)
Path traversal on [███]
👉 https://hackerone.com/reports/1212746
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #letfornz
🔹 State: 🟢 Resolved
🔹 Disclosed: October 13, 2021, 10:11pm (UTC)
👉 https://hackerone.com/reports/1212746
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #letfornz
🔹 State: 🟢 Resolved
🔹 Disclosed: October 13, 2021, 10:11pm (UTC)
POST based RXSS on https://███████/ via ███ parameter
👉 https://hackerone.com/reports/998935
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #nagli
🔹 State: 🟢 Resolved
🔹 Disclosed: October 13, 2021, 10:13pm (UTC)
👉 https://hackerone.com/reports/998935
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #nagli
🔹 State: 🟢 Resolved
🔹 Disclosed: October 13, 2021, 10:13pm (UTC)
Cache Posioning leading to denial of service at `█████████` - Bypass fix from report #1198434
👉 https://hackerone.com/reports/1322732
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #brumens
🔹 State: 🟢 Resolved
🔹 Disclosed: October 13, 2021, 10:15pm (UTC)
👉 https://hackerone.com/reports/1322732
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #brumens
🔹 State: 🟢 Resolved
🔹 Disclosed: October 13, 2021, 10:15pm (UTC)
Subdomain takeover [████████]
👉 https://hackerone.com/reports/1341133
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #fdeleite
🔹 State: 🟢 Resolved
🔹 Disclosed: October 13, 2021, 10:17pm (UTC)
👉 https://hackerone.com/reports/1341133
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #fdeleite
🔹 State: 🟢 Resolved
🔹 Disclosed: October 13, 2021, 10:17pm (UTC)
DoD internal documents are leaked to the public
👉 https://hackerone.com/reports/1330455
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #mrempy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 15, 2021, 4:23pm (UTC)
👉 https://hackerone.com/reports/1330455
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #mrempy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 15, 2021, 4:23pm (UTC)
Authenticated path traversal to RCE
👉 https://hackerone.com/reports/1102067
🔹 Severity: High
🔹 Reported To: Concrete CMS
🔹 Reported By: #d3addog
🔹 State: 🟢 Resolved
🔹 Disclosed: October 15, 2021, 4:37pm (UTC)
👉 https://hackerone.com/reports/1102067
🔹 Severity: High
🔹 Reported To: Concrete CMS
🔹 Reported By: #d3addog
🔹 State: 🟢 Resolved
🔹 Disclosed: October 15, 2021, 4:37pm (UTC)
Stored unauth XSS in calendar event via CSRF
👉 https://hackerone.com/reports/1102018
🔹 Severity: Medium
🔹 Reported To: Concrete CMS
🔹 Reported By: #d3addog
🔹 State: 🟢 Resolved
🔹 Disclosed: October 15, 2021, 4:38pm (UTC)
👉 https://hackerone.com/reports/1102018
🔹 Severity: Medium
🔹 Reported To: Concrete CMS
🔹 Reported By: #d3addog
🔹 State: 🟢 Resolved
🔹 Disclosed: October 15, 2021, 4:38pm (UTC)
Stored XSS in markdown via the DesignReferenceFilter
👉 https://hackerone.com/reports/1212067
🔹 Severity: Critical | 💰 16,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 5:49am (UTC)
👉 https://hackerone.com/reports/1212067
🔹 Severity: Critical | 💰 16,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 5:49am (UTC)