private keys exposed on the GitHub repository
👉 https://hackerone.com/reports/1234531
🔹 Severity: Medium
🔹 Reported To: MCUboot
🔹 Reported By: #r0m50
🔹 State: ⚪️ Informative
🔹 Disclosed: November 27, 2021, 7:06am (UTC)
Expired SSL Certificate allows credentials steal
👉 https://hackerone.com/reports/1344951
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #dmonsterrr
🔹 State: 🟢 Resolved
🔹 Disclosed: November 29, 2021, 10:06pm (UTC)
Unauthenticated Access to Admin Panel Functions at https://██████████/████████
👉 https://hackerone.com/reports/1394910
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #palaziv
🔹 State: 🟢 Resolved
🔹 Disclosed: November 29, 2021, 10:11pm (UTC)
Unauthenticated Access to Admin Panel Functions at https://███████/███
👉 https://hackerone.com/reports/1397564
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #palaziv
🔹 State: 🟢 Resolved
🔹 Disclosed: November 29, 2021, 10:16pm (UTC)
IDOR vulnerability (Price manipulation)
👉 https://hackerone.com/reports/1403176
🔹 Severity: Medium | 💰 400 USD
🔹 Reported To: Acronis
🔹 Reported By: #spookhorror
🔹 State: 🟢 Resolved
🔹 Disclosed: November 30, 2021, 9:17am (UTC)
[https://www.glassdoor.com] - Web Cache Deception Leads to gdtoken Disclosure
👉 https://hackerone.com/reports/1343086
🔹 Severity: High | 💰 1,600 USD
🔹 Reported To: Glassdoor
🔹 Reported By: #bombon
🔹 State: 🟢 Resolved
🔹 Disclosed: November 30, 2021, 1:38pm (UTC)
XSS in stories.
👉 https://hackerone.com/reports/1115763
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: VK.com
🔹 Reported By: #azimoff
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2021, 6:02am (UTC)
Obtaining the name and avatar (50x50) of a private group.
👉 https://hackerone.com/reports/1343280
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: VK.com
🔹 Reported By: #azimoff
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2021, 6:04am (UTC)
XSS in product selection.
👉 https://hackerone.com/reports/1253124
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: VK.com
🔹 Reported By: #azimoff
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2021, 6:07am (UTC)
Viewing the avatar of a frozen page/private group.
👉 https://hackerone.com/reports/1268115
🔹 Severity: Low | 💰 300 USD
🔹 Reported To: VK.com
🔹 Reported By: #azimoff
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2021, 6:09am (UTC)
Disclosure of a private group's name via the old photo viewer box.
👉 https://hackerone.com/reports/303062
🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: VK.com
🔹 Reported By: #executor
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2021, 6:14am (UTC)
Viewing attachments of a deleted message.
👉 https://hackerone.com/reports/505336
🔹 Severity: Low | 💰 200 USD
🔹 Reported To: VK.com
🔹 Reported By: #executor
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2021, 6:15am (UTC)
Reflected XSS in photogallery component on [https://market.av.ru]
👉 https://hackerone.com/reports/988271
🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Azbuka Vkusa
🔹 Reported By: #haxta4ok00
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2021, 8:14am (UTC)
Stored XSS on https://community.my.games/ (Add Post)
👉 https://hackerone.com/reports/755322
🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #c1kada
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2021, 9:07am (UTC)
Privilege Escalation leads to trash other users comment without having admin rights.
👉 https://hackerone.com/reports/1307943
🔹 Severity: Low | 💰 200 USD
🔹 Reported To: Basecamp
🔹 Reported By: #fuzzsqlb0f
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2021, 11:24am (UTC)
account takeover through password reset in url https://reklama.tochka.com/
👉 https://hackerone.com/reports/1379842
🔹 Severity: High | 💰 500 USD
🔹 Reported To: QIWI
🔹 Reported By: #anonymouus
🔹 State: 🟢 Resolved
🔹 Disclosed: December 2, 2021, 12:58pm (UTC)
CSS injection via link tag whitelisted-domain bypass - https://www.glassdoor.com
👉 https://hackerone.com/reports/1250730
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Glassdoor
🔹 Reported By: #zonduu
🔹 State: 🟢 Resolved
🔹 Disclosed: December 2, 2021, 5:17pm (UTC)
Bypassing HTML filter in "Packing Slip Template" Lead to SSRF to Internal Kubernetes Endpoints
👉 https://hackerone.com/reports/1115139
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #cthulhufhtagn
🔹 State: 🟢 Resolved
🔹 Disclosed: December 2, 2021, 8:38pm (UTC)
Stored XSS in files.slack.com
👉 https://hackerone.com/reports/827606
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: Slack
🔹 Reported By: #oskarsv
🔹 State: 🟢 Resolved
🔹 Disclosed: December 2, 2021, 10:39pm (UTC)
Unauthorised access to admin endpoint on plus-website-staging5.shopifycloud.com
👉 https://hackerone.com/reports/1394982
🔹 Severity: Medium | 💰 2,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #j0j0
🔹 State: 🟢 Resolved
🔹 Disclosed: December 3, 2021, 12:50pm (UTC)
Ability to add address without being an admin or staff in the store via wholesale store
👉 https://hackerone.com/reports/1279322
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #hydraxanon82
🔹 State: 🟢 Resolved
🔹 Disclosed: December 3, 2021, 1:02pm (UTC)