Bugpoint – Telegram
1.06K subscribers
3.73K photos
3.73K links
Latest updates about disclosure bug bounty reports: tech details, impacts, bounties 📣

Rate👇
https://cutt.ly/bugpoint_rate
Feedback👇
https://cutt.ly/bugpoint_feedback

#️⃣ bug bounty disclosed reports
#️⃣ bug bounty write-ups
#️⃣ bug bounty teleg
staffOrderNotificationSubscriptionCreate Is Not Blocked Entirely From Staff Member With Settings Permission

👉 https://hackerone.com/reports/1102652

🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: February 9, 2022, 8:58pm (UTC)
staffOrderNotificationSubscriptionDelete Could Be Used By Staff Member With Settings Permission

👉 https://hackerone.com/reports/1102660

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: February 9, 2022, 8:59pm (UTC)
Is the Google Bucket Meant To Be Publicly Listable? https://cdn.shopify.com/shop-assets/

👉 https://hackerone.com/reports/1102546

🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: February 9, 2022, 8:59pm (UTC)
Node.js Certificate Verification Bypass via String Injection

👉 https://hackerone.com/reports/1429694

🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #bengl
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 1:26am (UTC)
Installing Gitlab runner with Docker-In-Docker allows root access

👉 https://hackerone.com/reports/1417211

🔹 Severity: No Rating | 💰 100 USD
🔹 Reported To: GitLab
🔹 Reported By: #jafarakhondali
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 9:13am (UTC)
Sending Arbitrary Requests through Jupyter Notebooks on gitlab.com and Self-Hosted GitLab Instances

👉 https://hackerone.com/reports/970869

🔹 Severity: Medium | 💰 1,500 USD
🔹 Reported To: GitLab
🔹 Reported By: #iwis
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 2:46pm (UTC)
Critically Sensitive Spring Boot Endpoints Exposed

👉 https://hackerone.com/reports/1022048

🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Semrush
🔹 Reported By: #a_d_a_m
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 4:10pm (UTC)
Orders full read for a staff with only `Customers` permissions.

👉 https://hackerone.com/reports/1392032

🔹 Severity: Low | 💰 800 USD
🔹 Reported To: Shopify
🔹 Reported By: #scaramouche31
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 7:34pm (UTC)
Password reset token leak via "Host header" on third party website

👉 https://hackerone.com/reports/1092831

🔹 Severity: No Rating
🔹 Reported To: Shopify
🔹 Reported By: #danishalkatiri
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 7:41pm (UTC)
Bypass For #997350 your-store.myshopify.com preview link is leaked on third party website Via Online Store

👉 https://hackerone.com/reports/1015283

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #danishalkatiri
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 7:42pm (UTC)
[h1-2102] Information disclosure - ShopifyPlus add user displays existing Shopify ID fullname

👉 https://hackerone.com/reports/1083922

🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #francisbeaudoin
🔹 State: 🟢 Resolved
🔹 Disclosed: February 10, 2022, 7:45pm (UTC)
Information Exposure Through Directory Listing vulnerability

👉 https://hackerone.com/reports/1476709

🔹 Severity: Medium
🔹 Reported To: Nextcloud
🔹 Reported By: #technorat
🔹 State: ⚪️ Informative
🔹 Disclosed: February 11, 2022, 8:05am (UTC)
Able to detect if a user is FetLife supporter although this user hides their support badge in fetlife.com/conversations/{id} JSON response

👉 https://hackerone.com/reports/1423704

🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: FetLife
🔹 Reported By: #trieulieuf9
🔹 State: 🟢 Resolved
🔹 Disclosed: February 11, 2022, 11:43am (UTC)
Discoverability by phone number/email restriction bypass

👉 https://hackerone.com/reports/1439026

🔹 Severity: High | 💰 5,040 USD
🔹 Reported To: Twitter
🔹 Reported By: #zhirinovskiy
🔹 State: 🟢 Resolved
🔹 Disclosed: February 11, 2022, 5:00pm (UTC)
Blind XSS on Twitter's internal Jira panel at ████ allows exfiltration of hackers reports and other sensitive data

👉 https://hackerone.com/reports/1369674

🔹 Severity: Critical | 💰 5,040 USD
🔹 Reported To: Twitter
🔹 Reported By: #iambouali
🔹 State: 🟢 Resolved
🔹 Disclosed: February 12, 2022, 6:32am (UTC)
[h1-2102] Break permissions waterfall

👉 https://hackerone.com/reports/1088159

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #hogarth45
🔹 State: 🟢 Resolved
🔹 Disclosed: February 12, 2022, 8:48pm (UTC)
Widespread CSRF on authenticated POST endpoints

👉 https://hackerone.com/reports/1309435

🔹 Severity: High
🔹 Reported To: UPchieve
🔹 Reported By: #zeyu2001
🔹 State: 🟢 Resolved
🔹 Disclosed: February 13, 2022, 10:38am (UTC)
[CVE-2020-3452] Unauthenticated file read in Cisco ASA

👉 https://hackerone.com/reports/1415825

🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #ghostxsec
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:13pm (UTC)
RXSS ON https://██████████

👉 https://hackerone.com/reports/1244145

🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #iam_a_jinchuriki
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:14pm (UTC)
Unauthorized access to PII leads to MASS account Takeover

👉 https://hackerone.com/reports/1061736

🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #takester
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:15pm (UTC)
default ████ creds on https://████████

👉 https://hackerone.com/reports/711662

🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #pirateducky
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:17pm (UTC)