Выполняем любой API метод при открытии сообщества/приложения + повышение прав у любого токена.
👉 https://hackerone.com/reports/1354452
🔹 Severity: High
🔹 Reported To: VK.com
🔹 Reported By: #executor
🔹 State: 🟢 Resolved
🔹 Disclosed: December 30, 2021, 10:26am (UTC)
👉 https://hackerone.com/reports/1354452
🔹 Severity: High
🔹 Reported To: VK.com
🔹 Reported By: #executor
🔹 State: 🟢 Resolved
🔹 Disclosed: December 30, 2021, 10:26am (UTC)
DLL hijacking in Monero GUI for Windows 0.17.3.0 would allow an attacker to perform remote command execution
👉 https://hackerone.com/reports/1437942
🔹 Severity: Medium
🔹 Reported To: Monero
🔹 Reported By: #fukuyama
🔹 State: ⚪️ Informative
🔹 Disclosed: December 30, 2021, 5:08pm (UTC)
👉 https://hackerone.com/reports/1437942
🔹 Severity: Medium
🔹 Reported To: Monero
🔹 Reported By: #fukuyama
🔹 State: ⚪️ Informative
🔹 Disclosed: December 30, 2021, 5:08pm (UTC)
Read-only user can edit user segments.
👉 https://hackerone.com/reports/1277753
🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #astates
🔹 State: 🟢 Resolved
🔹 Disclosed: December 30, 2021, 6:28pm (UTC)
👉 https://hackerone.com/reports/1277753
🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #astates
🔹 State: 🟢 Resolved
🔹 Disclosed: December 30, 2021, 6:28pm (UTC)
ADB Backup is enabled within AndroidManifest
👉 https://hackerone.com/reports/1225158
🔹 Severity: Medium
🔹 Reported To: Zivver
🔹 Reported By: #hack_4fun
🔹 State: 🟢 Resolved
🔹 Disclosed: December 31, 2021, 11:27am (UTC)
👉 https://hackerone.com/reports/1225158
🔹 Severity: Medium
🔹 Reported To: Zivver
🔹 Reported By: #hack_4fun
🔹 State: 🟢 Resolved
🔹 Disclosed: December 31, 2021, 11:27am (UTC)
Improper authorization allows disclosing users' notification data in Notification channel server
👉 https://hackerone.com/reports/1314162
🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: LINE
🔹 Reported By: #66ed3gs
🔹 State: 🟢 Resolved
🔹 Disclosed: December 31, 2021, 12:08pm (UTC)
👉 https://hackerone.com/reports/1314162
🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: LINE
🔹 Reported By: #66ed3gs
🔹 State: 🟢 Resolved
🔹 Disclosed: December 31, 2021, 12:08pm (UTC)
Default credentials lead to Spring Boot Admin dashboard access
👉 https://hackerone.com/reports/1417635
🔹 Severity: Medium
🔹 Reported To: 8x8
🔹 Reported By: #sparroww
🔹 State: 🟢 Resolved
🔹 Disclosed: January 2, 2022, 2:41pm (UTC)
👉 https://hackerone.com/reports/1417635
🔹 Severity: Medium
🔹 Reported To: 8x8
🔹 Reported By: #sparroww
🔹 State: 🟢 Resolved
🔹 Disclosed: January 2, 2022, 2:41pm (UTC)
EMAIL SPOOFING
👉 https://hackerone.com/reports/496360
🔹 Severity: Medium
🔹 Reported To: Khan Academy
🔹 Reported By: #hackthedevil
🔹 State: 🟢 Resolved
🔹 Disclosed: January 2, 2022, 6:30pm (UTC)
👉 https://hackerone.com/reports/496360
🔹 Severity: Medium
🔹 Reported To: Khan Academy
🔹 Reported By: #hackthedevil
🔹 State: 🟢 Resolved
🔹 Disclosed: January 2, 2022, 6:30pm (UTC)
Log4Shell: RCE 0-day exploit on █████████
👉 https://hackerone.com/reports/1429014
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #mr_x_strange
🔹 State: 🟢 Resolved
🔹 Disclosed: January 3, 2022, 9:23pm (UTC)
👉 https://hackerone.com/reports/1429014
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #mr_x_strange
🔹 State: 🟢 Resolved
🔹 Disclosed: January 3, 2022, 9:23pm (UTC)
👍1
%0A (New line) and limitness URL leads to DoS at all system [Main adress (https://www.acronis.com/)]
👉 https://hackerone.com/reports/1382448
🔹 Severity: Low
🔹 Reported To: Acronis
🔹 Reported By: #plantos
🔹 State: 🟢 Resolved
🔹 Disclosed: January 4, 2022, 9:47am (UTC)
👉 https://hackerone.com/reports/1382448
🔹 Severity: Low
🔹 Reported To: Acronis
🔹 Reported By: #plantos
🔹 State: 🟢 Resolved
🔹 Disclosed: January 4, 2022, 9:47am (UTC)
Buffer overflow in req_parsebody method in lua_request.c
👉 https://hackerone.com/reports/1434056
🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #chamal
🔹 State: 🟢 Resolved
🔹 Disclosed: January 4, 2022, 3:31pm (UTC)
👉 https://hackerone.com/reports/1434056
🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #chamal
🔹 State: 🟢 Resolved
🔹 Disclosed: January 4, 2022, 3:31pm (UTC)
OPEN REDIRECT
👉 https://hackerone.com/reports/1369806
🔹 Severity: Low
🔹 Reported To: Nutanix
🔹 Reported By: #kauenavarro
🔹 State: 🟢 Resolved
🔹 Disclosed: January 4, 2022, 4:14pm (UTC)
👉 https://hackerone.com/reports/1369806
🔹 Severity: Low
🔹 Reported To: Nutanix
🔹 Reported By: #kauenavarro
🔹 State: 🟢 Resolved
🔹 Disclosed: January 4, 2022, 4:14pm (UTC)
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
👉 https://hackerone.com/reports/1440161
🔹 Severity: Low
🔹 Reported To: 8x8
🔹 Reported By: #n1had
🔹 State: 🟢 Resolved
🔹 Disclosed: January 5, 2022, 2:44am (UTC)
👉 https://hackerone.com/reports/1440161
🔹 Severity: Low
🔹 Reported To: 8x8
🔹 Reported By: #n1had
🔹 State: 🟢 Resolved
🔹 Disclosed: January 5, 2022, 2:44am (UTC)
ABLE TO TRICK THE VICTIM INTO USING A CRAFTED EMAIL ADDRESS FOR A PARTICULAR SESSION AND THEN LATER TAKE BACK THE ACCOUNT
👉 https://hackerone.com/reports/1357013
🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mattermost
🔹 Reported By: #at11zt00
🔹 State: 🟢 Resolved
🔹 Disclosed: January 5, 2022, 5:15am (UTC)
👉 https://hackerone.com/reports/1357013
🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mattermost
🔹 Reported By: #at11zt00
🔹 State: 🟢 Resolved
🔹 Disclosed: January 5, 2022, 5:15am (UTC)
Subdomain takeover of images.crossinstall.com
👉 https://hackerone.com/reports/1406335
🔹 Severity: High
🔹 Reported To: Twitter
🔹 Reported By: #ian
🔹 State: 🟢 Resolved
🔹 Disclosed: January 5, 2022, 7:58pm (UTC)
👉 https://hackerone.com/reports/1406335
🔹 Severity: High
🔹 Reported To: Twitter
🔹 Reported By: #ian
🔹 State: 🟢 Resolved
🔹 Disclosed: January 5, 2022, 7:58pm (UTC)
Grafana LFI on https://grafana.mariadb.org
👉 https://hackerone.com/reports/1419213
🔹 Severity: Medium
🔹 Reported To: MariaDB
🔹 Reported By: #realtess
🔹 State: 🟢 Resolved
🔹 Disclosed: January 6, 2022, 5:57pm (UTC)
👉 https://hackerone.com/reports/1419213
🔹 Severity: Medium
🔹 Reported To: MariaDB
🔹 Reported By: #realtess
🔹 State: 🟢 Resolved
🔹 Disclosed: January 6, 2022, 5:57pm (UTC)
blog/wp-json/wp/v2/users FILE is enable it will used for bruteforce attack the admin panel at blog/wp-login.php
👉 https://hackerone.com/reports/1403302
🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #kassem_s94
🔹 State: 🟢 Resolved
🔹 Disclosed: January 9, 2022, 6:28pm (UTC)
👉 https://hackerone.com/reports/1403302
🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #kassem_s94
🔹 State: 🟢 Resolved
🔹 Disclosed: January 9, 2022, 6:28pm (UTC)
Prototype pollution via console.table properties
👉 https://hackerone.com/reports/1431042
🔹 Severity: Low
🔹 Reported To: Node.js
🔹 Reported By: #rugvip
🔹 State: 🟢 Resolved
🔹 Disclosed: January 11, 2022, 5:23pm (UTC)
👉 https://hackerone.com/reports/1431042
🔹 Severity: Low
🔹 Reported To: Node.js
🔹 Reported By: #rugvip
🔹 State: 🟢 Resolved
🔹 Disclosed: January 11, 2022, 5:23pm (UTC)
Clickjacking to change email address
👉 https://hackerone.com/reports/783191
🔹 Severity: High
🔹 Reported To: Gener8
🔹 Reported By: #paramdham
🔹 State: 🟢 Resolved
🔹 Disclosed: January 12, 2022, 8:33am (UTC)
👉 https://hackerone.com/reports/783191
🔹 Severity: High
🔹 Reported To: Gener8
🔹 Reported By: #paramdham
🔹 State: 🟢 Resolved
🔹 Disclosed: January 12, 2022, 8:33am (UTC)
CSRF to change password
👉 https://hackerone.com/reports/204703
🔹 Severity: Critical | 💰 300 USD
🔹 Reported To: Nord Security
🔹 Reported By: #paramdham
🔹 State: 🟢 Resolved
🔹 Disclosed: January 12, 2022, 8:33am (UTC)
👉 https://hackerone.com/reports/204703
🔹 Severity: Critical | 💰 300 USD
🔹 Reported To: Nord Security
🔹 Reported By: #paramdham
🔹 State: 🟢 Resolved
🔹 Disclosed: January 12, 2022, 8:33am (UTC)
Account Takeover via SMS Authentication Flow
👉 https://hackerone.com/reports/1245762
🔹 Severity: High | 💰 1,750 USD
🔹 Reported To: Zenly
🔹 Reported By: #yetanotherhacker
🔹 State: 🟢 Resolved
🔹 Disclosed: January 12, 2022, 10:08am (UTC)
👉 https://hackerone.com/reports/1245762
🔹 Severity: High | 💰 1,750 USD
🔹 Reported To: Zenly
🔹 Reported By: #yetanotherhacker
🔹 State: 🟢 Resolved
🔹 Disclosed: January 12, 2022, 10:08am (UTC)
🎉1
Friend Request Flow Exposes User Data
👉 https://hackerone.com/reports/1245741
🔹 Severity: Medium | 💰 750 USD
🔹 Reported To: Zenly
🔹 Reported By: #yetanotherhacker
🔹 State: 🟢 Resolved
🔹 Disclosed: January 12, 2022, 10:25am (UTC)
👉 https://hackerone.com/reports/1245741
🔹 Severity: Medium | 💰 750 USD
🔹 Reported To: Zenly
🔹 Reported By: #yetanotherhacker
🔹 State: 🟢 Resolved
🔹 Disclosed: January 12, 2022, 10:25am (UTC)