[jitsi-meet] Authentication Bypass when using JWT w/ public keys
👉 https://hackerone.com/reports/1210502
🔹 Severity: Medium
🔹 Reported To: 8x8
🔹 Reported By: #plokta
🔹 State: 🟢 Resolved
🔹 Disclosed: November 20, 2021, 2:55pm (UTC)
Full account takeover of any user through GET /checkout/psp/auth_response?
👉 https://hackerone.com/reports/978542
🔹 Severity: Critical | 💰 2,500 USD
🔹 Reported To: A.S. Watson Group
🔹 Reported By: #sachin_kumar_
🔹 State: 🟢 Resolved
🔹 Disclosed: November 21, 2021, 8:02am (UTC)
Staff who only have apps and channels permission can do a takeover account at the wholesale store (Bypass get invitation link)
👉 https://hackerone.com/reports/1266828
🔹 Severity: Medium | 💰 1,600 USD
🔹 Reported To: Shopify
🔹 Reported By: #hydraxanon82
🔹 State: 🟢 Resolved
🔹 Disclosed: November 21, 2021, 2:59pm (UTC)
No rate limit of current password on delete account endpoint (https://www.xvideos.com/account/close)
👉 https://hackerone.com/reports/1392287
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: XVIDEOS
🔹 Reported By: #rajput__16
🔹 State: 🟢 Resolved
🔹 Disclosed: November 23, 2021, 11:02am (UTC)
Blind XSS via Digital Ocean Partner account creation form.
👉 https://hackerone.com/reports/880591
🔹 Severity: High
🔹 Reported To: DigitalOcean
🔹 Reported By: #wshadow
🔹 State: ⚪️ Informative
🔹 Disclosed: November 23, 2021, 6:20pm (UTC)
Cross-site Scripting (XSS) - Stored
👉 https://hackerone.com/reports/1318395
🔹 Severity: High
🔹 Reported To: Mail.ru
🔹 Reported By: #ghost_shell
🔹 State: 🟢 Resolved
🔹 Disclosed: November 25, 2021, 7:42am (UTC)
WordPress Plugin Update Confusion at trafficfactory.com
👉 https://hackerone.com/reports/1364851
🔹 Severity: Low | 💰 200 USD
🔹 Reported To: Traffic Factory
🔹 Reported By: #vavkamil
🔹 State: 🟢 Resolved
🔹 Disclosed: November 25, 2021, 9:11am (UTC)
Sidekiq dashboard exposed at notary.shopifycloud.com
👉 https://hackerone.com/reports/1405673
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #youstin
🔹 State: 🟢 Resolved
🔹 Disclosed: November 25, 2021, 7:28pm (UTC)
A non-privileged user may create an admin account in Stocky
👉 https://hackerone.com/reports/1245736
🔹 Severity: Medium | 💰 1,600 USD
🔹 Reported To: Shopify
🔹 Reported By: #stapia
🔹 State: 🟢 Resolved
🔹 Disclosed: November 25, 2021, 8:43pm (UTC)
Insufficient session expiration in the **com.shopify.ping** android app
👉 https://hackerone.com/reports/1172205
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #fr4via
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2021, 6:02am (UTC)
CSRF on delete friend requests - Not protected with CSRF Token
👉 https://hackerone.com/reports/1408745
🔹 Severity: No Rating
🔹 Reported To: XVIDEOS
🔹 Reported By: #sbakhour
🔹 State: 🟤 Duplicate
🔹 Disclosed: November 26, 2021, 10:19pm (UTC)
private keys exposed on the GitHub repository
👉 https://hackerone.com/reports/1234531
🔹 Severity: Medium
🔹 Reported To: MCUboot
🔹 Reported By: #r0m50
🔹 State: ⚪️ Informative
🔹 Disclosed: November 27, 2021, 7:06am (UTC)
Expired SSL Certificate allows credentials steal
👉 https://hackerone.com/reports/1344951
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #dmonsterrr
🔹 State: 🟢 Resolved
🔹 Disclosed: November 29, 2021, 10:06pm (UTC)
Unauthenticated Access to Admin Panel Functions at https://██████████/████████
👉 https://hackerone.com/reports/1394910
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #palaziv
🔹 State: 🟢 Resolved
🔹 Disclosed: November 29, 2021, 10:11pm (UTC)
Unauthenticated Access to Admin Panel Functions at https://███████/███
👉 https://hackerone.com/reports/1397564
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #palaziv
🔹 State: 🟢 Resolved
🔹 Disclosed: November 29, 2021, 10:16pm (UTC)
IDOR vulnerability (Price manipulation)
👉 https://hackerone.com/reports/1403176
🔹 Severity: Medium | 💰 400 USD
🔹 Reported To: Acronis
🔹 Reported By: #spookhorror
🔹 State: 🟢 Resolved
🔹 Disclosed: November 30, 2021, 9:17am (UTC)
[https://www.glassdoor.com] - Web Cache Deception Leads to gdtoken Disclosure
👉 https://hackerone.com/reports/1343086
🔹 Severity: High | 💰 1,600 USD
🔹 Reported To: Glassdoor
🔹 Reported By: #bombon
🔹 State: 🟢 Resolved
🔹 Disclosed: November 30, 2021, 1:38pm (UTC)
XSS in stories.
👉 https://hackerone.com/reports/1115763
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: VK.com
🔹 Reported By: #azimoff
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2021, 6:02am (UTC)
Retrieving the name and avatar (50x50) of a private group.
👉 https://hackerone.com/reports/1343280
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: VK.com
🔹 Reported By: #azimoff
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2021, 6:04am (UTC)
XSS in product selection.
👉 https://hackerone.com/reports/1253124
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: VK.com
🔹 Reported By: #azimoff
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2021, 6:07am (UTC)
Viewing the avatar of a frozen page/private group.
👉 https://hackerone.com/reports/1268115
🔹 Severity: Low | 💰 300 USD
🔹 Reported To: VK.com
🔹 Reported By: #azimoff
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2021, 6:09am (UTC)