access to stack memory beyond array boundaries
👉 https://hackerone.com/reports/796555
🔹 Severity: Medium | 💰 400 USD
🔹 Reported To: Open-Xchange
🔹 Reported By: #ihsinme
🔹 State: 🟢 Resolved
🔹 Disclosed: December 3, 2021, 2:05pm (UTC)
[h1-2102] [Yaworski's Broskis] Suspected overcharge and chargebacks in PoS
👉 https://hackerone.com/reports/1089978
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #c0rv4x
🔹 State: 🟢 Resolved
🔹 Disclosed: December 3, 2021, 2:51pm (UTC)
IDOR the ability to view support tickets of any user on seller platform
👉 https://hackerone.com/reports/1392630
🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: TikTok
🔹 Reported By: #lewaperbb
🔹 State: 🟢 Resolved
🔹 Disclosed: December 3, 2021, 11:35pm (UTC)
reflected xss on the path m.tiktok.com
👉 https://hackerone.com/reports/1394440
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #semsem123
🔹 State: 🟢 Resolved
🔹 Disclosed: December 3, 2021, 11:38pm (UTC)
Staff can use BULK_OPERATIONS_FINISH webhook topic using Graphql without permissions all
👉 https://hackerone.com/reports/1350095
🔹 Severity: Medium | 💰 600 USD
🔹 Reported To: Shopify
🔹 Reported By: #yinvi777
🔹 State: 🟢 Resolved
🔹 Disclosed: December 4, 2021, 1:04am (UTC)
Authenticated kubernetes principal with restricted permissions can retrieve ingress-nginx serviceaccount token and secrets across all namespaces
👉 https://hackerone.com/reports/1249583
🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #libio
🔹 State: 🟢 Resolved
🔹 Disclosed: December 4, 2021, 10:16am (UTC)
Recaptcha Secret key Leaked
👉 https://hackerone.com/reports/1416665
🔹 Severity: High
🔹 Reported To: Paragon Initiative Enterprises
🔹 Reported By: #kashifinfo90
🔹 State: ⚪️ Informative
🔹 Disclosed: December 4, 2021, 6:07pm (UTC)
[h1-2102] Wholesale - CSRF to Generate Invitation Token for a Customer and Move Customer to Invited Status
👉 https://hackerone.com/reports/1091209
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #rhynorater
🔹 State: 🟢 Resolved
🔹 Disclosed: December 6, 2021, 1:26am (UTC)
xss is triggered on your web
👉 https://hackerone.com/reports/1121900
🔹 Severity: Medium | 💰 2,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #jaka_tingkir
🔹 State: 🟢 Resolved
🔹 Disclosed: December 6, 2021, 5:34am (UTC)
IDOR to view order information of users and personal information
👉 https://hackerone.com/reports/1323406
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Affirm
🔹 Reported By: #xfiltrer
🔹 State: 🟢 Resolved
🔹 Disclosed: December 6, 2021, 6:39pm (UTC)
Full read SSRF in www.evernote.com that can leak aws metadata and local file inclusion
👉 https://hackerone.com/reports/1189367
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Evernote
🔹 Reported By: #neolexsecurity
🔹 State: 🟢 Resolved
🔹 Disclosed: December 6, 2021, 9:41pm (UTC)
Blind XSS
👉 https://hackerone.com/reports/1091118
🔹 Severity: Low
🔹 Reported To: Rocket.Chat
🔹 Reported By: #cyberasset
🔹 State: 🟢 Resolved
🔹 Disclosed: December 7, 2021, 7:15am (UTC)
Guard WKS lookup: Evil WKS server forces connections to last forever
👉 https://hackerone.com/reports/1016691
🔹 Severity: Low | 💰 444 USD
🔹 Reported To: Open-Xchange
🔹 Reported By: #afewgoats
🔹 State: 🟢 Resolved
🔹 Disclosed: December 7, 2021, 10:49am (UTC)
Bypass a fix for report #708013
👉 https://hackerone.com/reports/1363672
🔹 Severity: Medium | 💰 3,500 USD
🔹 Reported To: Shopify
🔹 Reported By: #scaramouche31
🔹 State: 🟢 Resolved
🔹 Disclosed: December 7, 2021, 1:14pm (UTC)
Authentication Bypass - Email Verification code bypass in account registration process.
👉 https://hackerone.com/reports/1406471
🔹 Severity: Critical
🔹 Reported To: UPchieve
🔹 Reported By: #anas_44
🔹 State: 🟤 Duplicate
🔹 Disclosed: December 7, 2021, 6:57pm (UTC)
CORS origin validation failure
👉 https://hackerone.com/reports/1404986
🔹 Severity: Medium
🔹 Reported To: UPchieve
🔹 Reported By: #jupiter-47
🔹 State: 🟢 Resolved
🔹 Disclosed: December 7, 2021, 8:24pm (UTC)
[allods.mail.ru] - WebCache Poisoning Host Header lead to Potential Stored XSS
👉 https://hackerone.com/reports/1262408
🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #0xd0ff9
🔹 State: 🟢 Resolved
🔹 Disclosed: December 8, 2021, 2:01am (UTC)
Account Takeover through registration to the same email address
👉 https://hackerone.com/reports/1224008
🔹 Severity: High | 💰 100 USD
🔹 Reported To: QIWI
🔹 Reported By: #avolume
🔹 State: 🟢 Resolved
🔹 Disclosed: December 8, 2021, 9:17am (UTC)
php info file and sql backup at vendor's subdomain
👉 https://hackerone.com/reports/1358249
🔹 Severity: Low | 💰 200 USD
🔹 Reported To: Semrush
🔹 Reported By: #rivalsec
🔹 State: 🟢 Resolved
🔹 Disclosed: December 8, 2021, 2:12pm (UTC)
[Transportation Management Services Solution 2.0] Improper authorization at tmss.gsa.gov leads to data exposure of all registered users
👉 https://hackerone.com/reports/1175980
🔹 Severity: Critical
🔹 Reported To: U.S. General Services Administration
🔹 Reported By: #alexandrio
🔹 State: 🟢 Resolved
🔹 Disclosed: December 8, 2021, 3:36pm (UTC)
Exposed kubernetes dashboard
👉 https://hackerone.com/reports/1418101
🔹 Severity: Medium
🔹 Reported To: 8x8
🔹 Reported By: #bugkill3r
🔹 State: 🟢 Resolved
🔹 Disclosed: December 9, 2021, 2:02am (UTC)