1-click DOS in fastify-static via directly passing user's input to new URL() of NodeJS without try/catch
👉 https://hackerone.com/reports/1361804
🔹 Severity: Medium
🔹 Reported To: Fastify
🔹 Reported By: #drstrnegth
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 4:41pm (UTC)
👉 https://hackerone.com/reports/1361804
🔹 Severity: Medium
🔹 Reported To: Fastify
🔹 Reported By: #drstrnegth
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 4:41pm (UTC)
[Python] CWE-348: Client supplied ip used in security check
👉 https://hackerone.com/reports/1365762
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 5:06pm (UTC)
👉 https://hackerone.com/reports/1365762
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 5:06pm (UTC)
[Java] CWE-200: Query to detect exposure of sensitive information from android file intent
👉 https://hackerone.com/reports/1365761
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 5:06pm (UTC)
👉 https://hackerone.com/reports/1365761
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 5:06pm (UTC)
Custom crafted message object in Meteor.Call allows remote code execution and impersonation
👉 https://hackerone.com/reports/534887
🔹 Severity: Critical
🔹 Reported To: Rocket.Chat
🔹 Reported By: #wreiske
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 5:20pm (UTC)
👉 https://hackerone.com/reports/534887
🔹 Severity: Critical
🔹 Reported To: Rocket.Chat
🔹 Reported By: #wreiske
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 5:20pm (UTC)
Array Index Underflow--http rpc
👉 https://hackerone.com/reports/825091
🔹 Severity: High
🔹 Reported To: Monero
🔹 Reported By: #minerscan
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 8:35pm (UTC)
👉 https://hackerone.com/reports/825091
🔹 Severity: High
🔹 Reported To: Monero
🔹 Reported By: #minerscan
🔹 State: 🟢 Resolved
🔹 Disclosed: October 11, 2021, 8:35pm (UTC)
Subdomain takeover of main domain of https://www.cyberlynx.lu/
👉 https://hackerone.com/reports/1256389
🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Acronis
🔹 Reported By: #doosec101
🔹 State: 🟢 Resolved
🔹 Disclosed: October 12, 2021, 9:15am (UTC)
👉 https://hackerone.com/reports/1256389
🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Acronis
🔹 Reported By: #doosec101
🔹 State: 🟢 Resolved
🔹 Disclosed: October 12, 2021, 9:15am (UTC)
Open Redirect and CRLF Injection Leads to XSS on [app.doma.uchi.ru]
👉 https://hackerone.com/reports/1132209
🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #melbadry9
🔹 State: 🟢 Resolved
🔹 Disclosed: October 12, 2021, 10:54am (UTC)
👉 https://hackerone.com/reports/1132209
🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #melbadry9
🔹 State: 🟢 Resolved
🔹 Disclosed: October 12, 2021, 10:54am (UTC)
HTML - injection
👉 https://hackerone.com/reports/245233
🔹 Severity: No Rating
🔹 Reported To: WakaTime
🔹 Reported By: #mr_n0b3dy
🔹 State: 🔴 N/A
🔹 Disclosed: October 12, 2021, 11:18pm (UTC)
👉 https://hackerone.com/reports/245233
🔹 Severity: No Rating
🔹 Reported To: WakaTime
🔹 Reported By: #mr_n0b3dy
🔹 State: 🔴 N/A
🔹 Disclosed: October 12, 2021, 11:18pm (UTC)
Path traversal on [███]
👉 https://hackerone.com/reports/1212746
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #letfornz
🔹 State: 🟢 Resolved
🔹 Disclosed: October 13, 2021, 10:11pm (UTC)
👉 https://hackerone.com/reports/1212746
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #letfornz
🔹 State: 🟢 Resolved
🔹 Disclosed: October 13, 2021, 10:11pm (UTC)
POST based RXSS on https://███████/ via ███ parameter
👉 https://hackerone.com/reports/998935
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #nagli
🔹 State: 🟢 Resolved
🔹 Disclosed: October 13, 2021, 10:13pm (UTC)
👉 https://hackerone.com/reports/998935
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #nagli
🔹 State: 🟢 Resolved
🔹 Disclosed: October 13, 2021, 10:13pm (UTC)
Cache Posioning leading to denial of service at `█████████` - Bypass fix from report #1198434
👉 https://hackerone.com/reports/1322732
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #brumens
🔹 State: 🟢 Resolved
🔹 Disclosed: October 13, 2021, 10:15pm (UTC)
👉 https://hackerone.com/reports/1322732
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #brumens
🔹 State: 🟢 Resolved
🔹 Disclosed: October 13, 2021, 10:15pm (UTC)
Subdomain takeover [████████]
👉 https://hackerone.com/reports/1341133
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #fdeleite
🔹 State: 🟢 Resolved
🔹 Disclosed: October 13, 2021, 10:17pm (UTC)
👉 https://hackerone.com/reports/1341133
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #fdeleite
🔹 State: 🟢 Resolved
🔹 Disclosed: October 13, 2021, 10:17pm (UTC)
DoD internal documents are leaked to the public
👉 https://hackerone.com/reports/1330455
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #mrempy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 15, 2021, 4:23pm (UTC)
👉 https://hackerone.com/reports/1330455
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #mrempy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 15, 2021, 4:23pm (UTC)
Authenticated path traversal to RCE
👉 https://hackerone.com/reports/1102067
🔹 Severity: High
🔹 Reported To: Concrete CMS
🔹 Reported By: #d3addog
🔹 State: 🟢 Resolved
🔹 Disclosed: October 15, 2021, 4:37pm (UTC)
👉 https://hackerone.com/reports/1102067
🔹 Severity: High
🔹 Reported To: Concrete CMS
🔹 Reported By: #d3addog
🔹 State: 🟢 Resolved
🔹 Disclosed: October 15, 2021, 4:37pm (UTC)
Stored unauth XSS in calendar event via CSRF
👉 https://hackerone.com/reports/1102018
🔹 Severity: Medium
🔹 Reported To: Concrete CMS
🔹 Reported By: #d3addog
🔹 State: 🟢 Resolved
🔹 Disclosed: October 15, 2021, 4:38pm (UTC)
👉 https://hackerone.com/reports/1102018
🔹 Severity: Medium
🔹 Reported To: Concrete CMS
🔹 Reported By: #d3addog
🔹 State: 🟢 Resolved
🔹 Disclosed: October 15, 2021, 4:38pm (UTC)
Stored XSS in markdown via the DesignReferenceFilter
👉 https://hackerone.com/reports/1212067
🔹 Severity: Critical | 💰 16,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 5:49am (UTC)
👉 https://hackerone.com/reports/1212067
🔹 Severity: Critical | 💰 16,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 5:49am (UTC)
Reporters can upload design to issues using the "Move to" feature
👉 https://hackerone.com/reports/1112297
🔹 Severity: Medium | 💰 600 USD
🔹 Reported To: GitLab
🔹 Reported By: #maruthi12
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 5:57am (UTC)
👉 https://hackerone.com/reports/1112297
🔹 Severity: Medium | 💰 600 USD
🔹 Reported To: GitLab
🔹 Reported By: #maruthi12
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 5:57am (UTC)
Stored XSS in Mermaid when viewing Markdown files
👉 https://hackerone.com/reports/1212822
🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #saleemrashid
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 6:00am (UTC)
👉 https://hackerone.com/reports/1212822
🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #saleemrashid
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 6:00am (UTC)
RXSS - ████
👉 https://hackerone.com/reports/923864
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #0xelkomy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 7:25pm (UTC)
👉 https://hackerone.com/reports/923864
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #0xelkomy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 7:25pm (UTC)
RXSS - https://████████/
👉 https://hackerone.com/reports/872304
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #0xelkomy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 7:25pm (UTC)
👉 https://hackerone.com/reports/872304
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #0xelkomy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 7:25pm (UTC)
RXSS Via URI Path - https://██████████/
👉 https://hackerone.com/reports/984654
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #0xelkomy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 7:26pm (UTC)
👉 https://hackerone.com/reports/984654
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #0xelkomy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 7:26pm (UTC)