Bugpoint – Telegram
Latest updates about disclosure bug bounty reports: tech details, impacts, bounties 📣

Rate👇
https://cutt.ly/bugpoint_rate
Feedback👇
https://cutt.ly/bugpoint_feedback

#️⃣ bug bounty disclosed reports
#️⃣ bug bounty write-ups
#️⃣ bug bounty teleg
Saving Christmas from Grinchy Gods

👉 https://hackerone.com/reports/1434017

🔹 Severity: Critical | 💰 1,000 USD
🔹 Reported To: h1-ctf
🔹 Reported By: #akshansh
🔹 State: 🟢 Resolved
🔹 Disclosed: February 1, 2022, 5:42pm (UTC)
The Return of the Grinch

👉 https://hackerone.com/reports/1433581

🔹 Severity: Critical | 💰 1,000 USD
🔹 Reported To: h1-ctf
🔹 Reported By: #w31rd0
🔹 State: 🟢 Resolved
🔹 Disclosed: February 1, 2022, 5:44pm (UTC)
Information disclosure-Referer leak

👉 https://hackerone.com/reports/1337624

🔹 Severity: High | 💰 500 USD
🔹 Reported To: Brave Software
🔹 Reported By: #kkarfalcon
🔹 State: 🟢 Resolved
🔹 Disclosed: February 1, 2022, 7:32pm (UTC)
SQL injection at /admin.php?/cp/members/create

👉 https://hackerone.com/reports/968240

🔹 Severity: Medium
🔹 Reported To: ExpressionEngine
🔹 Reported By: #khoabda1
🔹 State: 🟢 Resolved
🔹 Disclosed: February 1, 2022, 9:12pm (UTC)
Multiple vulnerability leading to account takeover in TikTok SMB subdomain.

👉 https://hackerone.com/reports/1404612

🔹 Severity: Critical | 💰 999 USD
🔹 Reported To: TikTok
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: February 2, 2022, 3:27am (UTC)
Ruby CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse

👉 https://hackerone.com/reports/1464396

🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #ooooooo_q
🔹 State: 🟢 Resolved
🔹 Disclosed: February 3, 2022, 3:43am (UTC)
Reflected Xss in https://world.engelvoelkers.com/...

👉 https://hackerone.com/reports/1401209

🔹 Severity: Medium
🔹 Reported To: Engel & Völkers Technology GmbH
🔹 Reported By: #pl4gue_shell
🔹 State: 🟢 Resolved
🔹 Disclosed: February 3, 2022, 7:01am (UTC)
text injection and content spoofing

👉 https://hackerone.com/reports/1353200

🔹 Severity: Low
🔹 Reported To: OneWeb
🔹 Reported By: #aman420
🔹 State: 🟢 Resolved
🔹 Disclosed: February 3, 2022, 11:12am (UTC)
Remote Code Execution on ██.8x8.com via .NET VSTATE Deserialization

👉 https://hackerone.com/reports/1391576

🔹 Severity: Critical
🔹 Reported To: 8x8
🔹 Reported By: #0daystolive
🔹 State: 🟢 Resolved
🔹 Disclosed: February 3, 2022, 4:37pm (UTC)
'net/http': HTTP Header Injection in the set_content_type method

👉 https://hackerone.com/reports/1168205

🔹 Severity: High
🔹 Reported To: Ruby
🔹 Reported By: #chinarulezzz
🔹 State: ⚪️ Informative
🔹 Disclosed: February 4, 2022, 6:31am (UTC)
Reflected XSS and Blind out of band command injection at subdomain dstuid-ww.dst.ibm.com

👉 https://hackerone.com/reports/410334

🔹 Severity: High
🔹 Reported To: IBM
🔹 Reported By: #smokin-ac3z
🔹 State: 🟢 Resolved
🔹 Disclosed: February 4, 2022, 6:23pm (UTC)
Arbitrary file read in Rocket.Chat-Desktop

👉 https://hackerone.com/reports/943737

🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #sectex
🔹 State: 🟢 Resolved
🔹 Disclosed: February 6, 2022, 7:36pm (UTC)
Leaking sensitive information through JSON file path.

👉 https://hackerone.com/reports/1211061

🔹 Severity: Medium
🔹 Reported To: Nextcloud
🔹 Reported By: #rohitburke
🔹 State: ⚪️ Informative
🔹 Disclosed: February 7, 2022, 12:30pm (UTC)
Application level DOS at Login Page ( Accepts Long Password )

👉 https://hackerone.com/reports/1168804

🔹 Severity: High
🔹 Reported To: Reddit
🔹 Reported By: #e100_speaks
🔹 State: ⚪️ Informative
🔹 Disclosed: February 7, 2022, 4:32pm (UTC)
Information Disclosure via ZIP file on AWS Bucket [http://acronis.1.s3.amazonaws.com]

👉 https://hackerone.com/reports/1121771

🔹 Severity: Medium
🔹 Reported To: Acronis
🔹 Reported By: #h4x0r_dz
🔹 State: 🔴 N/A
🔹 Disclosed: February 8, 2022, 9:08am (UTC)
Attacker Can Access to any Ticket Support on https://www.devicelock.com/support/

👉 https://hackerone.com/reports/1124974

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #h4x0r_dz
🔹 State: 🟢 Resolved
🔹 Disclosed: February 8, 2022, 9:10am (UTC)
Subdomains takeover of register.acronis.com, promo.acronis.com, info.acronis.com and promosandbox.acronis.com

👉 https://hackerone.com/reports/1018790

🔹 Severity: High
🔹 Reported To: Acronis
🔹 Reported By: #ashmek
🔹 State: 🔴 N/A
🔹 Disclosed: February 8, 2022, 9:12am (UTC)
Stored Cross-site Scripting on devicelock.com/forum/

👉 https://hackerone.com/reports/1122513

🔹 Severity: Medium | 💰 50 USD
🔹 Reported To: Acronis
🔹 Reported By: #h4x0r_dz
🔹 State: 🟢 Resolved
🔹 Disclosed: February 8, 2022, 10:49am (UTC)
Cross-site Scripting (XSS) - Stored | forum.acronis.com

👉 https://hackerone.com/reports/1161241

🔹 Severity: Medium | 💰 50 USD
🔹 Reported To: Acronis
🔹 Reported By: #quadrant
🔹 State: 🟢 Resolved
🔹 Disclosed: February 8, 2022, 1:52pm (UTC)
Reflected xss on ads.tiktok.com using `from` parameter.

👉 https://hackerone.com/reports/1452375

🔹 Severity: High | 💰 6,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #imran_nisar
🔹 State: 🟢 Resolved
🔹 Disclosed: February 9, 2022, 1:12am (UTC)
Race condition in User comments Likes

👉 https://hackerone.com/reports/1409913

🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Zomato
🔹 Reported By: #0xdexter
🔹 State: 🟢 Resolved
🔹 Disclosed: February 9, 2022, 9:42am (UTC)