Able to steal private files by manipulating response using Auto Reply function of Lark
👉 https://hackerone.com/reports/1387320
🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #imran_nisar
🔹 State: 🟢 Resolved
🔹 Disclosed: January 25, 2022, 9:54pm (UTC)
Specific Payload makes a Users Posts unavailable
👉 https://hackerone.com/reports/1176794
🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: FetLife
🔹 Reported By: #castilho
🔹 State: 🟢 Resolved
🔹 Disclosed: January 26, 2022, 4:10am (UTC)
subdomain takeover on fddkim.zomato.com
👉 https://hackerone.com/reports/1130376
🔹 Severity: Medium | 💰 350 USD
🔹 Reported To: Zomato
🔹 Reported By: #mosec9
🔹 State: 🟢 Resolved
🔹 Disclosed: January 27, 2022, 5:44am (UTC)
Improper access control for users with expired password, giving the user full access through API and Git
👉 https://hackerone.com/reports/1285226
🔹 Severity: Medium | 💰 950 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: January 27, 2022, 8:22am (UTC)
Full read SSRF via Lark Docs `import as docs` feature
👉 https://hackerone.com/reports/1409727
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #sirleeroyjenkins
🔹 State: 🟢 Resolved
🔹 Disclosed: January 28, 2022, 1:51am (UTC)
XSS via X-Forwarded-Host header
👉 https://hackerone.com/reports/1392935
🔹 Severity: Medium | 💰 200 USD
🔹 Reported To: Omise
🔹 Reported By: #oblivionlight
🔹 State: 🟢 Resolved
🔹 Disclosed: January 29, 2022, 1:18pm (UTC)
Misconfiguration in build environment allows DLL preloading attack
👉 https://hackerone.com/reports/896338
🔹 Severity: Low
🔹 Reported To: Monero
🔹 Reported By: #nim4
🔹 State: 🟢 Resolved
🔹 Disclosed: January 29, 2022, 5:08pm (UTC)
No character limit in password field
👉 https://hackerone.com/reports/1462175
🔹 Severity: Medium
🔹 Reported To: UPchieve
🔹 Reported By: #tomyway
🔹 State: 🔴 N/A
🔹 Disclosed: January 30, 2022, 11:35am (UTC)
Critical full compromise of jarvis-new.urbanclap.com via weak session signing
👉 https://hackerone.com/reports/1380121
🔹 Severity: Critical | 💰 1,500 USD
🔹 Reported To: Urban Company
🔹 Reported By: #ian
🔹 State: 🟢 Resolved
🔹 Disclosed: January 30, 2022, 8:03pm (UTC)
Reflected Xss On https://vk.com/search
👉 https://hackerone.com/reports/1454359
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: VK.com
🔹 Reported By: #b4walid
🔹 State: 🟢 Resolved
🔹 Disclosed: February 1, 2022, 1:09pm (UTC)
Full Response SSRF via Google Drive
👉 https://hackerone.com/reports/1406938
🔹 Severity: Critical | 💰 17,576 USD
🔹 Reported To: Dropbox
🔹 Reported By: #bugdiscloseguys
🔹 State: 🟢 Resolved
🔹 Disclosed: February 1, 2022, 2:53pm (UTC)
Saving Christmas from Grinchy Gods
👉 https://hackerone.com/reports/1434017
🔹 Severity: Critical | 💰 1,000 USD
🔹 Reported To: h1-ctf
🔹 Reported By: #akshansh
🔹 State: 🟢 Resolved
🔹 Disclosed: February 1, 2022, 5:42pm (UTC)
The Return of the Grinch
👉 https://hackerone.com/reports/1433581
🔹 Severity: Critical | 💰 1,000 USD
🔹 Reported To: h1-ctf
🔹 Reported By: #w31rd0
🔹 State: 🟢 Resolved
🔹 Disclosed: February 1, 2022, 5:44pm (UTC)
Information disclosure-Referer leak
👉 https://hackerone.com/reports/1337624
🔹 Severity: High | 💰 500 USD
🔹 Reported To: Brave Software
🔹 Reported By: #kkarfalcon
🔹 State: 🟢 Resolved
🔹 Disclosed: February 1, 2022, 7:32pm (UTC)
SQL injection at /admin.php?/cp/members/create
👉 https://hackerone.com/reports/968240
🔹 Severity: Medium
🔹 Reported To: ExpressionEngine
🔹 Reported By: #khoabda1
🔹 State: 🟢 Resolved
🔹 Disclosed: February 1, 2022, 9:12pm (UTC)
Multiple vulnerability leading to account takeover in TikTok SMB subdomain.
👉 https://hackerone.com/reports/1404612
🔹 Severity: Critical | 💰 999 USD
🔹 Reported To: TikTok
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: February 2, 2022, 3:27am (UTC)
Ruby CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse
👉 https://hackerone.com/reports/1464396
🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #ooooooo_q
🔹 State: 🟢 Resolved
🔹 Disclosed: February 3, 2022, 3:43am (UTC)
Reflected Xss in https://world.engelvoelkers.com/...
👉 https://hackerone.com/reports/1401209
🔹 Severity: Medium
🔹 Reported To: Engel & Völkers Technology GmbH
🔹 Reported By: #pl4gue_shell
🔹 State: 🟢 Resolved
🔹 Disclosed: February 3, 2022, 7:01am (UTC)
text injection and content spoofing
👉 https://hackerone.com/reports/1353200
🔹 Severity: Low
🔹 Reported To: OneWeb
🔹 Reported By: #aman420
🔹 State: 🟢 Resolved
🔹 Disclosed: February 3, 2022, 11:12am (UTC)
Remote Code Execution on ██.8x8.com via .NET VSTATE Deserialization
👉 https://hackerone.com/reports/1391576
🔹 Severity: Critical
🔹 Reported To: 8x8
🔹 Reported By: #0daystolive
🔹 State: 🟢 Resolved
🔹 Disclosed: February 3, 2022, 4:37pm (UTC)
'net/http': HTTP Header Injection in the set_content_type method
👉 https://hackerone.com/reports/1168205
🔹 Severity: High
🔹 Reported To: Ruby
🔹 Reported By: #chinarulezzz
🔹 State: ⚪️ Informative
🔹 Disclosed: February 4, 2022, 6:31am (UTC)