Reflected Xss in https://world.engelvoelkers.com/...
👉 https://hackerone.com/reports/1401209
🔹 Severity: Medium
🔹 Reported To: Engel & Völkers Technology GmbH
🔹 Reported By: #pl4gue_shell
🔹 State: 🟢 Resolved
🔹 Disclosed: February 3, 2022, 7:01am (UTC)
text injection and content spoofing
👉 https://hackerone.com/reports/1353200
🔹 Severity: Low
🔹 Reported To: OneWeb
🔹 Reported By: #aman420
🔹 State: 🟢 Resolved
🔹 Disclosed: February 3, 2022, 11:12am (UTC)
Remote Code Execution on ██.8x8.com via .NET VSTATE Deserialization
👉 https://hackerone.com/reports/1391576
🔹 Severity: Critical
🔹 Reported To: 8x8
🔹 Reported By: #0daystolive
🔹 State: 🟢 Resolved
🔹 Disclosed: February 3, 2022, 4:37pm (UTC)
'net/http': HTTP Header Injection in the set_content_type method
👉 https://hackerone.com/reports/1168205
🔹 Severity: High
🔹 Reported To: Ruby
🔹 Reported By: #chinarulezzz
🔹 State: ⚪️ Informative
🔹 Disclosed: February 4, 2022, 6:31am (UTC)
Reflected XSS and Blind out of band command injection at subdomain dstuid-ww.dst.ibm.com
👉 https://hackerone.com/reports/410334
🔹 Severity: High
🔹 Reported To: IBM
🔹 Reported By: #smokin-ac3z
🔹 State: 🟢 Resolved
🔹 Disclosed: February 4, 2022, 6:23pm (UTC)
Arbitrary file read in Rocket.Chat-Desktop
👉 https://hackerone.com/reports/943737
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #sectex
🔹 State: 🟢 Resolved
🔹 Disclosed: February 6, 2022, 7:36pm (UTC)
Leaking sensitive information through JSON file path.
👉 https://hackerone.com/reports/1211061
🔹 Severity: Medium
🔹 Reported To: Nextcloud
🔹 Reported By: #rohitburke
🔹 State: ⚪️ Informative
🔹 Disclosed: February 7, 2022, 12:30pm (UTC)
Application level DOS at Login Page ( Accepts Long Password )
👉 https://hackerone.com/reports/1168804
🔹 Severity: High
🔹 Reported To: Reddit
🔹 Reported By: #e100_speaks
🔹 State: ⚪️ Informative
🔹 Disclosed: February 7, 2022, 4:32pm (UTC)
Information Disclosure via ZIP file on AWS Bucket [http://acronis.1.s3.amazonaws.com]
👉 https://hackerone.com/reports/1121771
🔹 Severity: Medium
🔹 Reported To: Acronis
🔹 Reported By: #h4x0r_dz
🔹 State: 🔴 N/A
🔹 Disclosed: February 8, 2022, 9:08am (UTC)
Attacker Can Access to any Ticket Support on https://www.devicelock.com/support/
👉 https://hackerone.com/reports/1124974
🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #h4x0r_dz
🔹 State: 🟢 Resolved
🔹 Disclosed: February 8, 2022, 9:10am (UTC)
Subdomains takeover of register.acronis.com, promo.acronis.com, info.acronis.com and promosandbox.acronis.com
👉 https://hackerone.com/reports/1018790
🔹 Severity: High
🔹 Reported To: Acronis
🔹 Reported By: #ashmek
🔹 State: 🔴 N/A
🔹 Disclosed: February 8, 2022, 9:12am (UTC)
Stored Cross-site Scripting on devicelock.com/forum/
👉 https://hackerone.com/reports/1122513
🔹 Severity: Medium | 💰 50 USD
🔹 Reported To: Acronis
🔹 Reported By: #h4x0r_dz
🔹 State: 🟢 Resolved
🔹 Disclosed: February 8, 2022, 10:49am (UTC)
Cross-site Scripting (XSS) - Stored | forum.acronis.com
👉 https://hackerone.com/reports/1161241
🔹 Severity: Medium | 💰 50 USD
🔹 Reported To: Acronis
🔹 Reported By: #quadrant
🔹 State: 🟢 Resolved
🔹 Disclosed: February 8, 2022, 1:52pm (UTC)
Reflected xss on ads.tiktok.com using `from` parameter.
👉 https://hackerone.com/reports/1452375
🔹 Severity: High | 💰 6,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #imran_nisar
🔹 State: 🟢 Resolved
🔹 Disclosed: February 9, 2022, 1:12am (UTC)
Race condition in User comments Likes
👉 https://hackerone.com/reports/1409913
🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Zomato
🔹 Reported By: #0xdexter
🔹 State: 🟢 Resolved
🔹 Disclosed: February 9, 2022, 9:42am (UTC)
staffOrderNotificationSubscriptionCreate Is Not Blocked Entirely From Staff Member With Settings Permission
👉 https://hackerone.com/reports/1102652
🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: February 9, 2022, 8:58pm (UTC)
staffOrderNotificationSubscriptionDelete Could Be Used By Staff Member With Settings Permission
👉 https://hackerone.com/reports/1102660
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: February 9, 2022, 8:59pm (UTC)
Is the Google Bucket Meant To Be Publicly Listable? https://cdn.shopify.com/shop-assets/
👉 https://hackerone.com/reports/1102546
🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: February 9, 2022, 8:59pm (UTC)
Node.js Certificate Verification Bypass via String Injection
👉 https://hackerone.com/reports/1429694
🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #bengl
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 1:26am (UTC)
Installing Gitlab runner with Docker-In-Docker allows root access
👉 https://hackerone.com/reports/1417211
🔹 Severity: No Rating | 💰 100 USD
🔹 Reported To: GitLab
🔹 Reported By: #jafarakhondali
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 9:13am (UTC)
Sending Arbitrary Requests through Jupyter Notebooks on gitlab.com and Self-Hosted GitLab Instances
👉 https://hackerone.com/reports/970869
🔹 Severity: Medium | 💰 1,500 USD
🔹 Reported To: GitLab
🔹 Reported By: #iwis
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 2:46pm (UTC)