IDOR
👉 https://hackerone.com/reports/389250
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #websecnl
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:27pm (UTC)
Broken Authentication
👉 https://hackerone.com/reports/409237
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #websecnl
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:29pm (UTC)
Arbitrary File Read at ███ via filename parameter
👉 https://hackerone.com/reports/1436223
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #shiar
🔹 State: 🟢 Resolved
🔹 Disclosed: February 14, 2022, 9:35pm (UTC)
Ability to Disable the Login Attempt of any Shopify Owner for 24 hrs (Zero_Click)
👉 https://hackerone.com/reports/1406495
🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #saurabhsankhwar3
🔹 State: 🟢 Resolved
🔹 Disclosed: February 15, 2022, 6:20am (UTC)
When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL
👉 https://hackerone.com/reports/1358977
🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #ctulhu
🔹 State: 🟢 Resolved
🔹 Disclosed: February 15, 2022, 7:09am (UTC)
Cross-origin resource sharing
👉 https://hackerone.com/reports/1478449
🔹 Severity: No Rating | 💰 50 USD
🔹 Reported To: Showmax
🔹 Reported By: #qualin
🔹 State: 🟢 Resolved
🔹 Disclosed: February 15, 2022, 10:37am (UTC)
XSS payload from an active vulnerability. What was bypassed with it? ⤵️
javanoscript:a=document;alert('\@example.com/|'+a.domain);
Anonymous Poll
Text input URL validation: 21%
WAF: 23%
Text input URL validation + WAF: 56%
Broken Authentication Session Token Bug
👉 https://hackerone.com/reports/948345
🔹 Severity: Medium
🔹 Reported To: Courier
🔹 Reported By: #the_hacker_girl
🔹 State: 🟢 Resolved
🔹 Disclosed: February 16, 2022, 11:43pm (UTC)
Missing SPF record on trycourier.app
👉 https://hackerone.com/reports/1416701
🔹 Severity: Medium
🔹 Reported To: Courier
🔹 Reported By: #musab_alharany
🔹 State: ⚪️ Informative
🔹 Disclosed: February 17, 2022, 6:36am (UTC)
Subdomain Takeover of brand.zen.ly
👉 https://hackerone.com/reports/1474784
🔹 Severity: Medium | 💰 750 USD
🔹 Reported To: Zenly
🔹 Reported By: #mega7
🔹 State: 🟢 Resolved
🔹 Disclosed: February 17, 2022, 10:09am (UTC)
Vulnerability in the Android application
👉 https://hackerone.com/reports/1343528
🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: VK.com
🔹 Reported By: #executor
🔹 State: 🟢 Resolved
🔹 Disclosed: February 18, 2022, 7:09pm (UTC)
Self XSS in Create New Workspace Screen
👉 https://hackerone.com/reports/1442017
🔹 Severity: Low | 💰 50 USD
🔹 Reported To: Mattermost
🔹 Reported By: #rynexxx
🔹 State: 🟢 Resolved
🔹 Disclosed: February 20, 2022, 9:08am (UTC)
███ Page has a link to a google drive which has access to not only logos but also customer phone recordings
👉 https://hackerone.com/reports/864712
🔹 Severity: Medium | 💰 200 USD
🔹 Reported To: Zomato
🔹 Reported By: #codersanjay
🔹 State: 🟢 Resolved
🔹 Disclosed: February 21, 2022, 8:15am (UTC)
Remote memory disclosure vulnerability in libcurl on 64 Bit Windows
👉 https://hackerone.com/reports/1444539
🔹 Severity: High
🔹 Reported To: curl
🔹 Reported By: #nsq11
🔹 State: ⚪️ Informative
🔹 Disclosed: February 21, 2022, 9:15am (UTC)
De-anonymize anonymous tips through the Tumblr blog network
👉 https://hackerone.com/reports/1484168
🔹 Severity: Medium | 💰 450 USD
🔹 Reported To: Automattic
🔹 Reported By: #ajoekerr
🔹 State: 🟢 Resolved
🔹 Disclosed: February 21, 2022, 2:58pm (UTC)
████ api key exposed in github.com/███/███
👉 https://hackerone.com/reports/1454965
🔹 Severity: High
🔹 Reported To: 8x8
🔹 Reported By: #adnanmalikinfo
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 7:19am (UTC)
Claiming the listing of a non-delivery restaurant through OTP manipulation
👉 https://hackerone.com/reports/1330529
🔹 Severity: Critical | 💰 3,250 USD
🔹 Reported To: Zomato
🔹 Reported By: #ashoka_rao
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 8:51am (UTC)
FULL SSRF
👉 https://hackerone.com/reports/1241149
🔹 Severity: Low
🔹 Reported To: Acronis
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 9:09am (UTC)
broken authentication (password reset link not expire after use in https://network.tochka.com/sign-up)
👉 https://hackerone.com/reports/1401891
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: QIWI
🔹 Reported By: #uddeshaya
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 2:28pm (UTC)
IDOR in "external status check" API leaks data about any status check on the instance
👉 https://hackerone.com/reports/1372216
🔹 Severity: Medium | 💰 610 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 7:48pm (UTC)
Incorrect authorization to the intelbot service leading to ticket information
👉 https://hackerone.com/reports/1328546
🔹 Severity: Critical | 💰 15,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #johnstone
🔹 State: 🟢 Resolved
🔹 Disclosed: February 23, 2022, 12:09am (UTC)