Reflected XSS online-store-git.shopifycloud.com
👉 https://hackerone.com/reports/1410459
🔹 Severity: Medium | 💰 3,500 USD
🔹 Reported To: Shopify
🔹 Reported By: #bepresent
🔹 State: 🟢 Resolved
🔹 Disclosed: January 20, 2022, 7:45pm (UTC)
Invalid handling of X509_verify_cert() internal errors in libssl (CVE-2021-4044)
👉 https://hackerone.com/reports/1455411
🔹 Severity: Medium | 💰 1,200 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #tniessen
🔹 State: 🟢 Resolved
🔹 Disclosed: January 20, 2022, 11:40pm (UTC)
disclosing clients' secret keys https://stage-uapi.tochka.com:2000/
👉 https://hackerone.com/reports/1419205
🔹 Severity: Low | 💰 150 USD
🔹 Reported To: QIWI
🔹 Reported By: #rivalsec
🔹 State: 🟢 Resolved
🔹 Disclosed: January 21, 2022, 11:19am (UTC)
[https://app.recordedfuture.com] - Reflected XSS via username parameter
👉 https://hackerone.com/reports/1201134
🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Recorded Future
🔹 Reported By: #bombon
🔹 State: 🟢 Resolved
🔹 Disclosed: January 21, 2022, 1:51pm (UTC)
Email change or personal data change on the account.
👉 https://hackerone.com/reports/1250037
🔹 Severity: Critical | 💰 3,000 USD
🔹 Reported To: Stripe
🔹 Reported By: #dk82hg
🔹 State: 🟢 Resolved
🔹 Disclosed: January 21, 2022, 2:13pm (UTC)
hosted.weblate.org display of unfiltered results
👉 https://hackerone.com/reports/1454552
🔹 Severity: No Rating
🔹 Reported To: Weblate
🔹 Reported By: #joshmcman08
🔹 State: ⚪️ Informative
🔹 Disclosed: January 21, 2022, 8:47pm (UTC)
xss reflected on imgur.com
👉 https://hackerone.com/reports/1058427
🔹 Severity: No Rating | 💰 100 USD
🔹 Reported To: Imgur
🔹 Reported By: #whoami991
🔹 State: 🟢 Resolved
🔹 Disclosed: January 22, 2022, 5:09am (UTC)
Buffer Overflow in optimized_escape_html method
👉 https://hackerone.com/reports/1455248
🔹 Severity: Medium | 💰 1,200 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #chamal
🔹 State: 🟢 Resolved
🔹 Disclosed: January 22, 2022, 2:03pm (UTC)
No length on password
👉 https://hackerone.com/reports/1411363
🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Imgur
🔹 Reported By: #blackfly_
🔹 State: 🟢 Resolved
🔹 Disclosed: January 24, 2022, 4:50am (UTC)
Cross site noscripting via file upload in subdomain ads.tiktok.com
👉 https://hackerone.com/reports/1433125
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: TikTok
🔹 Reported By: #blubluuu
🔹 State: 🟢 Resolved
🔹 Disclosed: January 25, 2022, 2:49am (UTC)
Subdomain Takeover
👉 https://hackerone.com/reports/1348504
🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #official_dhivish
🔹 State: 🟢 Resolved
🔹 Disclosed: January 25, 2022, 8:25am (UTC)
Able to steal private files by manipulating response using Compose Email function of Lark
👉 https://hackerone.com/reports/1373784
🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #imran_nisar
🔹 State: 🟢 Resolved
🔹 Disclosed: January 25, 2022, 9:53pm (UTC)
Able to steal private files by manipulating response using Auto Reply function of Lark
👉 https://hackerone.com/reports/1387320
🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #imran_nisar
🔹 State: 🟢 Resolved
🔹 Disclosed: January 25, 2022, 9:54pm (UTC)
Specific Payload makes a Users Posts unavailable
👉 https://hackerone.com/reports/1176794
🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: FetLife
🔹 Reported By: #castilho
🔹 State: 🟢 Resolved
🔹 Disclosed: January 26, 2022, 4:10am (UTC)
subdomain takeover on fddkim.zomato.com
👉 https://hackerone.com/reports/1130376
🔹 Severity: Medium | 💰 350 USD
🔹 Reported To: Zomato
🔹 Reported By: #mosec9
🔹 State: 🟢 Resolved
🔹 Disclosed: January 27, 2022, 5:44am (UTC)
Improper access control for users with expired password, giving the user full access through API and Git
👉 https://hackerone.com/reports/1285226
🔹 Severity: Medium | 💰 950 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: January 27, 2022, 8:22am (UTC)
Full read SSRF via Lark Docs `import as docs` feature
👉 https://hackerone.com/reports/1409727
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #sirleeroyjenkins
🔹 State: 🟢 Resolved
🔹 Disclosed: January 28, 2022, 1:51am (UTC)
XSS via X-Forwarded-Host header
👉 https://hackerone.com/reports/1392935
🔹 Severity: Medium | 💰 200 USD
🔹 Reported To: Omise
🔹 Reported By: #oblivionlight
🔹 State: 🟢 Resolved
🔹 Disclosed: January 29, 2022, 1:18pm (UTC)
Misconfiguration in build environment allows DLL preloading attack
👉 https://hackerone.com/reports/896338
🔹 Severity: Low
🔹 Reported To: Monero
🔹 Reported By: #nim4
🔹 State: 🟢 Resolved
🔹 Disclosed: January 29, 2022, 5:08pm (UTC)
No character limit in password field
👉 https://hackerone.com/reports/1462175
🔹 Severity: Medium
🔹 Reported To: UPchieve
🔹 Reported By: #tomyway
🔹 State: 🔴 N/A
🔹 Disclosed: January 30, 2022, 11:35am (UTC)
Critical full compromise of jarvis-new.urbanclap.com via weak session signing
👉 https://hackerone.com/reports/1380121
🔹 Severity: Critical | 💰 1,500 USD
🔹 Reported To: Urban Company
🔹 Reported By: #ian
🔹 State: 🟢 Resolved
🔹 Disclosed: January 30, 2022, 8:03pm (UTC)