Corporate Jira credentials disclosed in public gist
👉 https://hackerone.com/reports/958432
🔹 Severity: High | 💰 300 USD
🔹 Reported To: Azbuka Vkusa
🔹 Reported By: #mkhazov
🔹 State: 🟢 Resolved
🔹 Disclosed: November 15, 2021, 5:29pm (UTC)
Leak of Google Sheets API credentials
👉 https://hackerone.com/reports/965314
🔹 Severity: High | 💰 300 USD
🔹 Reported To: Azbuka Vkusa
🔹 Reported By: #adsec2s
🔹 State: 🟢 Resolved
🔹 Disclosed: November 15, 2021, 8:14pm (UTC)
Fix for CVE-2021-22151 (Kibana path traversal issue) can be bypassed on Windows
👉 https://hackerone.com/reports/1353603
🔹 Severity: Low | 💰 584 USD
🔹 Reported To: Elastic
🔹 Reported By: #dee-see
🔹 State: 🟢 Resolved
🔹 Disclosed: November 15, 2021, 8:32pm (UTC)
Chaining bugs to get full disclosure of users' addresses
👉 https://hackerone.com/reports/1398905
🔹 Severity: Medium
🔹 Reported To: Glovo
🔹 Reported By: #spaceboy20
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2021, 8:57am (UTC)
Cisco Smart Install misconfiguration
👉 https://hackerone.com/reports/1398662
🔹 Severity: Critical | 💰 2,000 USD
🔹 Reported To: Azbuka Vkusa
🔹 Reported By: #kerbyj
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2021, 12:24pm (UTC)
HTTP Request Smuggling on https://promosandbox.acronis.com
👉 https://hackerone.com/reports/1063493
🔹 Severity: Low
🔹 Reported To: Acronis
🔹 Reported By: #riramar
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2021, 2:40pm (UTC)
HTTP Request Smuggling on https://consumer.acronis.com
👉 https://hackerone.com/reports/1063627
🔹 Severity: Low
🔹 Reported To: Acronis
🔹 Reported By: #riramar
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2021, 2:44pm (UTC)
Cross Site Scripting (Reflected) on https://www.acronis.cz/
👉 https://hackerone.com/reports/1084156
🔹 Severity: Low | 💰 50 USD
🔹 Reported To: Acronis
🔹 Reported By: #darkdream
🔹 State: 🟢 Resolved
🔹 Disclosed: November 17, 2021, 10:00am (UTC)
Social Club Account Takeover Via RGL And Steam/Epic Linked Account
👉 https://hackerone.com/reports/1235008
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Rockstar Games
🔹 Reported By: #sn0wd3n
🔹 State: 🟢 Resolved
🔹 Disclosed: November 17, 2021, 4:52pm (UTC)
BYPASSING COMMENTING ON RESTRICTED AUDIENCE VIDEOS
👉 https://hackerone.com/reports/1337351
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: TikTok
🔹 Reported By: #boynamedboy
🔹 State: 🟢 Resolved
🔹 Disclosed: November 18, 2021, 1:47am (UTC)
Stored XSS via Mermaid Prototype Pollution vulnerability
👉 https://hackerone.com/reports/1280002
🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #misha98857
🔹 State: 🟢 Resolved
🔹 Disclosed: November 18, 2021, 2:03am (UTC)
Stored XSS in Email Templates via link
👉 https://hackerone.com/reports/1376672
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Judge.me
🔹 Reported By: #rioncool22
🔹 State: 🟢 Resolved
🔹 Disclosed: November 18, 2021, 6:05am (UTC)
Open Redirect in www.shopify.dev Environment
👉 https://hackerone.com/reports/842035
🔹 Severity: Medium
🔹 Reported To: Shopify
🔹 Reported By: #beerboy_ankit
🔹 State: 🟢 Resolved
🔹 Disclosed: November 18, 2021, 7:12pm (UTC)
The Host Authorization middleware in Action Pack is vulnerable to crafted X-Forwarded-Host values
👉 https://hackerone.com/reports/1374512
🔹 Severity: Medium | 💰 1,200 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #mshtawythug
🔹 State: 🟢 Resolved
🔹 Disclosed: November 18, 2021, 9:03pm (UTC)
Apache Flink Dashboard exposure at https://streaming-sales-model-production.flink.shopifykloud.com
👉 https://hackerone.com/reports/1262907
🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #savik
🔹 State: 🟢 Resolved
🔹 Disclosed: November 18, 2021, 9:19pm (UTC)
Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)
👉 https://hackerone.com/reports/1400238
🔹 Severity: Critical | 💰 1,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #fms
🔹 State: 🟢 Resolved
🔹 Disclosed: November 19, 2021, 12:14am (UTC)
Ruby - Regular Expression Denial of Service Vulnerability of Date Parsing Methods
👉 https://hackerone.com/reports/1404789
🔹 Severity: Medium | 💰 1,200 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #svalkanov
🔹 State: 🟢 Resolved
🔹 Disclosed: November 19, 2021, 3:50pm (UTC)
Clickjacking at https://hackers.upchieve.org/login
👉 https://hackerone.com/reports/1400405
🔹 Severity: Low
🔹 Reported To: UPchieve
🔹 Reported By: #maisanisnotyours
🔹 State: 🔴 N/A
🔹 Disclosed: November 19, 2021, 4:06pm (UTC)
Reflected XSS on av.ru via `q` parameter at https://av.ru/collections/*
👉 https://hackerone.com/reports/965663
🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Azbuka Vkusa
🔹 Reported By: #ronr
🔹 State: 🟢 Resolved
🔹 Disclosed: November 19, 2021, 4:21pm (UTC)
Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.50
👉 https://hackerone.com/reports/1404731
🔹 Severity: Critical | 💰 1,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #itsecurityco
🔹 State: 🟢 Resolved
🔹 Disclosed: November 19, 2021, 11:45pm (UTC)
Non privileged user is able to approve his own app himself leading to mass privilege escalations.
👉 https://hackerone.com/reports/1168475
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #imran_nisar
🔹 State: 🟢 Resolved
🔹 Disclosed: November 20, 2021, 2:06am (UTC)