[cpp] CWE-787: query to detect unsigned integer to signed integer conversions used in pointer arithmetics

👉 https://hackerone.com/reports/1378946

🔹 Severity: High
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: October 22, 2021, 10:21pm (UTC)

[Java] CWE-552: Unsafe url forward

👉 https://hackerone.com/reports/1378947

🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: October 22, 2021, 10:22pm (UTC)

XSS on tiktok.com

👉 https://hackerone.com/reports/1322104

🔹 Severity: Medium | 💰 2,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #arifmkhls
🔹 State: 🟢 Resolved
🔹 Disclosed: October 23, 2021, 12:36am (UTC)

Script breaking tag (Forces website to render blank) (Informative)

👉 https://hackerone.com/reports/1355537

🔹 Severity: Low | 💰 150 USD
🔹 Reported To: XVIDEOS
🔹 Reported By: #ch1ck3n42
🔹 State: 🟢 Resolved
🔹 Disclosed: October 23, 2021, 2:50pm (UTC)

Image queue default key of 'None' and GraphQL unhandled type exception

👉 https://hackerone.com/reports/996041

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Reddit
🔹 Reported By: #moblig
🔹 State: 🟢 Resolved
🔹 Disclosed: October 27, 2021, 2:04pm (UTC)

Outsider can affect Upvote Percentage of private subreddit post by calling /api/vote API

👉 https://hackerone.com/reports/1298902

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Reddit
🔹 Reported By: #trieulieuf9
🔹 State: 🟢 Resolved
🔹 Disclosed: October 27, 2021, 2:05pm (UTC)

Race condition leads to Inflation of coins when bought via Google Play Store at endpoint https://oauth.reddit.com/api/v2/gold/android/verify_purchase

👉 https://hackerone.com/reports/801743

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Reddit
🔹 Reported By: #yashrs
🔹 State: 🟢 Resolved
🔹 Disclosed: October 27, 2021, 2:08pm (UTC)

Third party app could steal access token as well as protected files using inAppBrowser

👉 https://hackerone.com/reports/1122177

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Reddit
🔹 Reported By: #rahulkankrale
🔹 State: 🟢 Resolved
🔹 Disclosed: October 27, 2021, 2:10pm (UTC)

Content Spoofing/Text Injection at https://gateway-production.dubsmash.com

👉 https://hackerone.com/reports/1166770

🔹 Severity: No Rating
🔹 Reported To: Reddit
🔹 Reported By: #karthik86
🔹 State: 🔴 N/A
🔹 Disclosed: October 27, 2021, 2:11pm (UTC)

Missing rate limit in current password change settings leads to Account takeover

👉 https://hackerone.com/reports/1170522

🔹 Severity: Medium
🔹 Reported To: Reddit
🔹 Reported By: #m0hacks
🔹 State: 🟤 Duplicate
🔹 Disclosed: October 27, 2021, 2:12pm (UTC)

Exposed PHP dependencies at ██.8x8.com

👉 https://hackerone.com/reports/1132457

🔹 Severity: Low
🔹 Reported To: 8x8
🔹 Reported By: #ian
🔹 State: 🟢 Resolved
🔹 Disclosed: October 27, 2021, 4:12pm (UTC)

Dependency on private SSH keys in public github

👉 https://hackerone.com/reports/974176

🔹 Severity: High
🔹 Reported To: Agoric
🔹 Reported By: #pacmanx
🔹 State: 🟢 Resolved
🔹 Disclosed: October 27, 2021, 4:18pm (UTC)

Reflected XSS at ████ via ██████████= parameter

👉 https://hackerone.com/reports/1305472

🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #zhenwarx
🔹 State: 🟢 Resolved
🔹 Disclosed: October 28, 2021, 8:17pm (UTC)

AWS subdomain takeover of www.███████

👉 https://hackerone.com/reports/1329792

🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #al-madjus
🔹 State: 🟢 Resolved
🔹 Disclosed: October 28, 2021, 8:18pm (UTC)

Bypassing the Grammarly plagiarism checker by simply replacing characters in the source text

👉 https://hackerone.com/reports/1282282

🔹 Severity: No Rating
🔹 Reported To: Grammarly
🔹 Reported By: #evilksandr
🔹 State: ⚪️ Informative
🔹 Disclosed: October 28, 2021, 9:24pm (UTC)

HTML Injection on tiktoktutorials via firstName parameter

👉 https://hackerone.com/reports/1343492

🔹 Severity: Low
🔹 Reported To: TikTok
🔹 Reported By: #siratsami
🔹 State: 🟢 Resolved
🔹 Disclosed: October 30, 2021, 2:08am (UTC)

[play.skillbox.ru] CRLF Injection

👉 https://hackerone.com/reports/1271276

🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #s_kustm
🔹 State: 🟢 Resolved
🔹 Disclosed: October 30, 2021, 3:19pm (UTC)

critical server misconfiguration lead to access to any user sensitive data which include user email and password

👉 https://hackerone.com/reports/1365738

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Flickr
🔹 Reported By: #mr_robert
🔹 State: 🟢 Resolved
🔹 Disclosed: November 2, 2021, 3:50pm (UTC)

C# : Add query to detect Server Side Request Forgery

👉 https://hackerone.com/reports/1389905

🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: November 2, 2021, 6:23pm (UTC)

HTTP Request Smuggling due to ignoring chunk extensions

👉 https://hackerone.com/reports/1238099

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Node.js
🔹 Reported By: #mkg
🔹 State: 🟢 Resolved
🔹 Disclosed: November 2, 2021, 9:07pm (UTC)

[samokat.ru] PHP modules path disclosure due to lack of error handling

👉 https://hackerone.com/reports/1353244

🔹 Severity: No Rating
🔹 Reported To: Mail.ru
🔹 Reported By: #andridev_
🔹 State: 🟢 Resolved
🔹 Disclosed: November 3, 2021, 3:34pm (UTC)