Authenticated path traversal to RCE
👉 https://hackerone.com/reports/1102067
🔹 Severity: High
🔹 Reported To: Concrete CMS
🔹 Reported By: #d3addog
🔹 State: 🟢 Resolved
🔹 Disclosed: October 15, 2021, 4:37pm (UTC)
Stored unauth XSS in calendar event via CSRF
👉 https://hackerone.com/reports/1102018
🔹 Severity: Medium
🔹 Reported To: Concrete CMS
🔹 Reported By: #d3addog
🔹 State: 🟢 Resolved
🔹 Disclosed: October 15, 2021, 4:38pm (UTC)
Stored XSS in markdown via the DesignReferenceFilter
👉 https://hackerone.com/reports/1212067
🔹 Severity: Critical | 💰 16,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 5:49am (UTC)
Reporters can upload design to issues using the "Move to" feature
👉 https://hackerone.com/reports/1112297
🔹 Severity: Medium | 💰 600 USD
🔹 Reported To: GitLab
🔹 Reported By: #maruthi12
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 5:57am (UTC)
Stored XSS in Mermaid when viewing Markdown files
👉 https://hackerone.com/reports/1212822
🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #saleemrashid
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 6:00am (UTC)
RXSS - ████
👉 https://hackerone.com/reports/923864
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #0xelkomy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 7:25pm (UTC)
RXSS - https://████████/
👉 https://hackerone.com/reports/872304
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #0xelkomy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 7:25pm (UTC)
RXSS Via URI Path - https://██████████/
👉 https://hackerone.com/reports/984654
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #0xelkomy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 7:26pm (UTC)
Reflected Xss https://██████/
👉 https://hackerone.com/reports/759418
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #0xelkomy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 7:28pm (UTC)
phpinfo() disclosure info
👉 https://hackerone.com/reports/804809
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #0xelkomy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 7:29pm (UTC)
Unauthorized Kubernetes to RCE (root) and found TEAMTNT Crypto Miner on it
👉 https://hackerone.com/reports/1317236
🔹 Severity: Critical
🔹 Reported To: IBM
🔹 Reported By: #un_kn0wn
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 7:30pm (UTC)
SQL Injection in IBM access control panel & Broken access in admin panel
👉 https://hackerone.com/reports/1355817
🔹 Severity: Critical
🔹 Reported To: IBM
🔹 Reported By: #thecyberguy0
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2021, 7:50pm (UTC)
CSRF leads to account deactivation of users
👉 https://hackerone.com/reports/1121990
🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Evernote
🔹 Reported By: #sampritdas
🔹 State: 🟢 Resolved
🔹 Disclosed: October 19, 2021, 7:05pm (UTC)
Unprotected Zeppelin instance
👉 https://hackerone.com/reports/992564
🔹 Severity: Critical | 💰 35,000 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #k3ypt0
🔹 State: 🟢 Resolved
🔹 Disclosed: October 20, 2021, 8:36am (UTC)
HTTP Request Smuggling due to accepting space before colon
👉 https://hackerone.com/reports/1238709
🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Node.js
🔹 Reported By: #mkg
🔹 State: 🟢 Resolved
🔹 Disclosed: October 20, 2021, 2:58pm (UTC)
RCE on 17 different Docker containers on your network
👉 https://hackerone.com/reports/1332433
🔹 Severity: Critical
🔹 Reported To: Nextcloud
🔹 Reported By: #0x0luke
🔹 State: 🟢 Resolved
🔹 Disclosed: October 20, 2021, 3:07pm (UTC)
Arbitrary File delete via PHAR deserialization
👉 https://hackerone.com/reports/921288
🔹 Severity: High
🔹 Reported To: Concrete CMS
🔹 Reported By: #reset
🔹 State: 🟢 Resolved
🔹 Disclosed: October 20, 2021, 4:24pm (UTC)
"urllib" will result to deny of service
👉 https://hackerone.com/reports/1188128
🔹 Severity: Low | 💰 240 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #4nim4l
🔹 State: 🟢 Resolved
🔹 Disclosed: October 21, 2021, 4:39pm (UTC)
Hash-Collision Denial-of-Service Vulnerability in Markdown Parser
👉 https://hackerone.com/reports/1341957
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Reddit
🔹 Reported By: #nicolaas
🔹 State: 🟢 Resolved
🔹 Disclosed: October 21, 2021, 5:03pm (UTC)
Domain Takeover at 3hopify.media
👉 https://hackerone.com/reports/1344982
🔹 Severity: No Rating
🔹 Reported To: Shopify
🔹 Reported By: #m7mdharoun
🔹 State: 🟢 Resolved
🔹 Disclosed: October 21, 2021, 6:14pm (UTC)
Store Deletion or Sell without authentication
👉 https://hackerone.com/reports/1087382
🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #fr4via
🔹 State: 🟢 Resolved
🔹 Disclosed: October 21, 2021, 6:57pm (UTC)