Account Takeover via SMS Authentication Flow
👉 https://hackerone.com/reports/1245762
🔹 Severity: High | 💰 1,750 USD
🔹 Reported To: Zenly
🔹 Reported By: #yetanotherhacker
🔹 State: 🟢 Resolved
🔹 Disclosed: January 12, 2022, 10:08am (UTC)
Friend Request Flow Exposes User Data
👉 https://hackerone.com/reports/1245741
🔹 Severity: Medium | 💰 750 USD
🔹 Reported To: Zenly
🔹 Reported By: #yetanotherhacker
🔹 State: 🟢 Resolved
🔹 Disclosed: January 12, 2022, 10:25am (UTC)
[IDOR] Modify other team's reminders via reminderId parameter
👉 https://hackerone.com/reports/946323
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #imran_nisar
🔹 State: 🟢 Resolved
🔹 Disclosed: January 13, 2022, 12:21am (UTC)
Reflected xss and open redirect on larksuite.com using /?back_uri= parameter.
👉 https://hackerone.com/reports/955606
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #imran_nisar
🔹 State: 🟢 Resolved
🔹 Disclosed: January 13, 2022, 12:24am (UTC)
Disclosure of github access token in config file via nginx off-by-slash
👉 https://hackerone.com/reports/1386547
🔹 Severity: Critical
🔹 Reported To: Adobe
🔹 Reported By: #letm3through
🔹 State: 🟢 Resolved
🔹 Disclosed: January 13, 2022, 6:16pm (UTC)
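The off-by-slash pattern named in the title above, shown as an added illustration that is not taken from the report or from Adobe's configuration; the location prefix, alias directory and file paths are hypothetical:

```nginx
# Vulnerable: the location prefix has no trailing slash while the alias does.
# nginx replaces the matched prefix "/static" with the alias value, so
# GET /static../config/app.yml maps to /var/www/app/static/../config/app.yml,
# which is /var/www/app/config/app.yml, a file outside the intended directory.
# Any secret stored in a sibling directory (tokens, credentials, .git) is readable.
location /static {
    alias /var/www/app/static/;
}

# Fixed: end the prefix with a slash so only URIs that start with "/static/"
# match this block; "/static../..." no longer matches and the traversal is gone.
location /static/ {
    alias /var/www/app/static/;
}
```

To check a deployed server, dump the effective configuration with `nginx -T` and look for every `alias` whose enclosing `location` prefix lacks the trailing slash; the open-source linter gixy flags this pattern as `alias_traversal`. Keep secrets out of any directory that sits beside a web-served path regardless, and rotate a token that has been exposed this way rather than only fixing the configuration.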
AEM forms XXE Vulnerability
👉 https://hackerone.com/reports/1321070
🔹 Severity: Critical
🔹 Reported To: Adobe
🔹 Reported By: #ismailmuh
🔹 State: 🟢 Resolved
🔹 Disclosed: January 13, 2022, 6:38pm (UTC)
Bug Report : [ No Valid SPF Records ]
👉 https://hackerone.com/reports/1301696
🔹 Severity: High
🔹 Reported To: Ruby
🔹 Reported By: #sohaib619
🔹 State: ⚪️ Informative
🔹 Disclosed: January 13, 2022, 10:39pm (UTC)
Deserialization of potentially malicious data to RCE
👉 https://hackerone.com/reports/1415436
🔹 Severity: High
🔹 Reported To: Django
🔹 Reported By: #scaramouche31
🔹 State: ⚪️ Informative
🔹 Disclosed: January 14, 2022, 4:34pm (UTC)
SQL Injection and plaintext passwords via User Search
👉 https://hackerone.com/reports/703819
🔹 Severity: High
🔹 Reported To: IBM
🔹 Reported By: #xyantix
🔹 State: 🟢 Resolved
🔹 Disclosed: January 14, 2022, 6:42pm (UTC)
Stored xss on helpdesk using user's city
👉 https://hackerone.com/reports/971857
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #imran_nisar
🔹 State: 🟢 Resolved
🔹 Disclosed: January 14, 2022, 8:36pm (UTC)
In organization stored xss using location (Larksuite survey app)
👉 https://hackerone.com/reports/998138
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #imran_nisar
🔹 State: 🟢 Resolved
🔹 Disclosed: January 14, 2022, 8:41pm (UTC)
Lack of URL normalization renders Blocked-Previews feature ineffectual
👉 https://hackerone.com/reports/1102764
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: Slack
🔹 Reported By: #jub0bs
🔹 State: 🟢 Resolved
🔹 Disclosed: January 16, 2022, 7:48am (UTC)
Clickjacking
👉 https://hackerone.com/reports/688546
🔹 Severity: No Rating
🔹 Reported To: Palo Alto Software
🔹 Reported By: #paramdham
🔹 State: 🟢 Resolved
🔹 Disclosed: January 17, 2022, 7:27am (UTC)
SSRF & Blind XSS in Gravatar email
👉 https://hackerone.com/reports/1100096
🔹 Severity: High | 💰 750 USD
🔹 Reported To: Automattic
🔹 Reported By: #rockybandana
🔹 State: 🟢 Resolved
🔹 Disclosed: January 17, 2022, 8:44pm (UTC)
DOM XSS through ads
👉 https://hackerone.com/reports/889041
🔹 Severity: Medium
🔹 Reported To: Urban Dictionary
🔹 Reported By: #bemodtwz
🔹 State: 🟢 Resolved
🔹 Disclosed: January 18, 2022, 12:56am (UTC)
Exposed Golang debugger on tier3.riot.mail.ru:9090, 9080
👉 https://hackerone.com/reports/1247910
🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #ian
🔹 State: 🟢 Resolved
🔹 Disclosed: January 19, 2022, 7:48am (UTC)
Dom Xss vulnerability
👉 https://hackerone.com/reports/1448616
🔹 Severity: High
🔹 Reported To: Recorded Future
🔹 Reported By: #fornex
🔹 State: ⚪️ Informative
🔹 Disclosed: January 19, 2022, 11:00am (UTC)
User can pay using archived price by manipulating the request sent to `POST /v1/payment_pages/for_plink`
👉 https://hackerone.com/reports/1328278
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: Stripe
🔹 Reported By: #gregxsunday
🔹 State: 🟢 Resolved
🔹 Disclosed: January 19, 2022, 3:19pm (UTC)
Wrong settings in ADF Faces leads to information disclosure
👉 https://hackerone.com/reports/1422641
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #h3xr
🔹 State: 🟢 Resolved
🔹 Disclosed: January 19, 2022, 7:28pm (UTC)
XSS Reflected - ██████████
👉 https://hackerone.com/reports/1223577
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #drauschkolb
🔹 State: 🟢 Resolved
🔹 Disclosed: January 19, 2022, 7:29pm (UTC)
Reflected XSS in https://███████ via hidden parameter "████████"
👉 https://hackerone.com/reports/1029238
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #supr4s
🔹 State: 🟢 Resolved
🔹 Disclosed: January 19, 2022, 7:30pm (UTC)