[CVE-2020-3452] Unauthenticated file read in Cisco ASA
👉 https://hackerone.com/reports/1415825
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #ghostxsec
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:13pm (UTC)
RXSS ON https://██████████
👉 https://hackerone.com/reports/1244145
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #iam_a_jinchuriki
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:14pm (UTC)
Unauthorized access to PII leads to MASS account Takeover
👉 https://hackerone.com/reports/1061736
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #takester
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:15pm (UTC)
default ████ creds on https://████████
👉 https://hackerone.com/reports/711662
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #pirateducky
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:17pm (UTC)
(CORS) Cross-origin resource sharing misconfiguration on https://█████████
👉 https://hackerone.com/reports/995144
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #fiveguyslover
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:18pm (UTC)
Reflected XSS at https://██████/██████████ via "████████" parameter
👉 https://hackerone.com/reports/1457413
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #pelegn
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:19pm (UTC)
Reflected XSS at https://██████/██████ via "██████" parameter
👉 https://hackerone.com/reports/1457444
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #pelegn
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:20pm (UTC)
Reflected XSS at https://██████████/████████ via "███████" parameter
👉 https://hackerone.com/reports/1457493
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #pelegn
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:20pm (UTC)
Reflected XSS at https://█████ via "██████████" parameter
👉 https://hackerone.com/reports/1457546
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #pelegn
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:21pm (UTC)
Reflected XSS at https://█████████ via "███" parameter
👉 https://hackerone.com/reports/1457277
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #pelegn
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:22pm (UTC)
XSS trigger via HTML Iframe injection in ( https://██████████ ) due to unfiltered HTML tags
👉 https://hackerone.com/reports/1200770
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #rozerx00
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:23pm (UTC)
EC2 subdomain takeover at http://████████/
👉 https://hackerone.com/reports/1296366
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #dreyand72
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:24pm (UTC)
CUI Labelled document out in the open
👉 https://hackerone.com/reports/1436460
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #pll25
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:26pm (UTC)
IDOR
👉 https://hackerone.com/reports/389250
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #websecnl
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:27pm (UTC)
Broken Authentication
👉 https://hackerone.com/reports/409237
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #websecnl
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:29pm (UTC)
Arbitrary File Read at ███ via filename parameter
👉 https://hackerone.com/reports/1436223
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #shiar
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:35pm (UTC)
Ability to Disable the Login Attempt of any Shopify Owner for 24 hrs (Zero_Click)
👉 https://hackerone.com/reports/1406495
🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #saurabhsankhwar3
🔹 State: 🟢 Resolved
🔹 Disclosed: February 15, 2022, 6:20am (UTC)
When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL
👉 https://hackerone.com/reports/1358977
🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #ctulhu
🔹 State: 🟢 Resolved
🔹 Disclosed: February 15, 2022, 7:09am (UTC)
Cross-origin resource sharing
👉 https://hackerone.com/reports/1478449
🔹 Severity: No Rating | 💰 50 USD
🔹 Reported To: Showmax
🔹 Reported By: #qualin
🔹 State: 🟢 Resolved
🔹 Disclosed: February 15, 2022, 10:37am (UTC)
XSS payload from an active vulnerability. What was bypassed with it? ⤵️
javanoscript:a=document;alert('\@example.com/|'+a.domain);
Anonymous Poll results:
🔹 Text input URL validation: 21%
🔹 WAF: 23%
🔹 Text input URL validation + WAF: 56%
Broken Authentication Session Token Bug
👉 https://hackerone.com/reports/948345
🔹 Severity: Medium
🔹 Reported To: Courier
🔹 Reported By: #the_hacker_girl
🔹 State: 🟢 Resolved
🔹 Disclosed: February 16, 2022, 11:43pm (UTC)