Web Cache Poisoning leads to Stored XSS
👉 https://hackerone.com/reports/1424094
🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: Glassdoor
🔹 Reported By: #bombon
🔹 State: 🟢 Resolved
🔹 Disclosed: March 7, 2022, 4:25pm (UTC)
PHP Info Exposing Secrets at https://radio.mtn.bj/info
👉 https://hackerone.com/reports/1049402
🔹 Severity: High
🔹 Reported To: MTN Group
🔹 Reported By: #pudsec
🔹 State: 🟢 Resolved
🔹 Disclosed: March 8, 2022, 10:48am (UTC)
objectId in share location can be set to open arbitrary URL or Deeplinks
👉 https://hackerone.com/reports/1337178
🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #ctulhu
🔹 State: 🟢 Resolved
🔹 Disclosed: March 8, 2022, 4:11pm (UTC)
GraphQL cross-tenant IDOR giving write access through the operation UpdateAtlasApplicationPerson
👉 https://hackerone.com/reports/1066203
🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: Stripe
🔹 Reported By: #bubbounty
🔹 State: 🟢 Resolved
🔹 Disclosed: March 8, 2022, 8:59pm (UTC)
High memory usage for generating preview of broken image
👉 https://hackerone.com/reports/1261225
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #fancycode
🔹 State: 🟢 Resolved
🔹 Disclosed: March 9, 2022, 7:22am (UTC)
Race condition in endpoint POST fetlife.com/users/invitation allows an attacker to generate unlimited invites
👉 https://hackerone.com/reports/1460373
🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: FetLife
🔹 Reported By: #trieulieuf9
🔹 State: 🟢 Resolved
🔹 Disclosed: March 9, 2022, 12:58pm (UTC)
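The invite-quota race above is the textbook check-then-act (TOCTOU) bug: the server reads "invites issued so far", compares it with the quota, and only then writes the new invite, so N requests arriving in the same window all pass the check. The following is an added illustration, not code from the report or from FetLife; it models the endpoint in-process with a hypothetical `InviteQuotaRacy` store (the sleep stands in for the database round trip that widens the window) next to an `InviteQuotaSafe` store that performs the check and the increment inside one critical section.

```python
import threading
import time


class InviteQuotaRacy:
    """Check-then-act with no synchronization: the classic TOCTOU window."""

    def __init__(self, quota):
        self.quota = quota
        self.issued = 0

    def create_invite(self):
        if self.issued < self.quota:          # 1. check
            time.sleep(0.01)                  # simulated DB round trip; widens the window
            self.issued += 1                  # 2. act
            return True
        return False


class InviteQuotaSafe:
    """Check and act inside one critical section, so the quota is enforced atomically."""

    def __init__(self, quota):
        self.quota = quota
        self.issued = 0
        self._lock = threading.Lock()

    def create_invite(self):
        with self._lock:
            if self.issued < self.quota:
                self.issued += 1
                return True
            return False


def fire_concurrent_requests(store, n_requests):
    """Release n_requests threads at the same instant (a barrier plays the role of
    sending the HTTP requests in parallel) and return how many obtained an invite."""
    barrier = threading.Barrier(n_requests)
    results = []
    results_lock = threading.Lock()

    def worker():
        barrier.wait()
        ok = store.create_invite()
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    QUOTA, REQUESTS = 3, 20
    racy = fire_concurrent_requests(InviteQuotaRacy(QUOTA), REQUESTS)
    safe = fire_concurrent_requests(InviteQuotaSafe(QUOTA), REQUESTS)
    print(f"quota {QUOTA}, {REQUESTS} parallel requests: racy store issued {racy}, safe store issued {safe}")
```

With the racy store the 20 parallel requests normally all succeed, because every thread reads `issued == 0` before any of them writes; the safe store never hands out more than the quota. In a real service the lock is replaced by an atomic conditional write such as `UPDATE users SET invites_issued = invites_issued + 1 WHERE id = ? AND invites_issued < ?` followed by a check that exactly one row was affected, or by a uniqueness constraint on (user, invite_slot).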
RXSS on https://equifax.gr8people.com on Password Reset page in the username parameter
👉 https://hackerone.com/reports/1463638
🔹 Severity: Medium
🔹 Reported To: Equifax
🔹 Reported By: #miguel_santareno
🔹 State: 🟢 Resolved
🔹 Disclosed: March 9, 2022, 5:15pm (UTC)
Unsubscribe links leaked
👉 https://hackerone.com/reports/1439025
🔹 Severity: No Rating
🔹 Reported To: Krisp
🔹 Reported By: #blackxxhat
🔹 State: 🟤 Duplicate
🔹 Disclosed: March 9, 2022, 5:55pm (UTC)
Error Page Content Spoofing or Text Injection
👉 https://hackerone.com/reports/1444031
🔹 Severity: No Rating
🔹 Reported To: Krisp
🔹 Reported By: #mrirfan__07
🔹 State: ⚪️ Informative
🔹 Disclosed: March 9, 2022, 5:57pm (UTC)
Occasional use-after-free in multi_done() libcurl-7.81.0
👉 https://hackerone.com/reports/1463013
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #luminixaaron
🔹 State: ⚪️ Informative
🔹 Disclosed: March 9, 2022, 9:46pm (UTC)
Binary output bypass
👉 https://hackerone.com/reports/1468962
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #eliasknudsen
🔹 State: 🔴 N/A
🔹 Disclosed: March 9, 2022, 9:48pm (UTC)
Use of Unsafe function || Strcpy
👉 https://hackerone.com/reports/1485379
🔹 Severity: High
🔹 Reported To: curl
🔹 Reported By: #shobhit2401200
🔹 State: 🔴 N/A
🔹 Disclosed: March 9, 2022, 9:48pm (UTC)
Open Redirect on https://██.8x8.com/login?nextPage=%2F
👉 https://hackerone.com/reports/1467046
🔹 Severity: Low
🔹 Reported To: 8x8
🔹 Reported By: #ig420_vrush
🔹 State: 🟢 Resolved
🔹 Disclosed: March 10, 2022, 12:19am (UTC)
XSS via Mod Log Removed Posts
👉 https://hackerone.com/reports/1504410
🔹 Severity: High | 💰 6,000 USD
🔹 Reported To: Reddit
🔹 Reported By: #ahacker1
🔹 State: 🟢 Resolved
🔹 Disclosed: March 10, 2022, 11:18pm (UTC)
Public Jenkins instance with /noscript enabled
👉 https://hackerone.com/reports/1492447
🔹 Severity: Critical
🔹 Reported To: IBM
🔹 Reported By: #thesanjok
🔹 State: 🟢 Resolved
🔹 Disclosed: March 11, 2022, 6:47pm (UTC)
CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability - https://esccvc.de.ibm.com
👉 https://hackerone.com/reports/938684
🔹 Severity: High
🔹 Reported To: IBM
🔹 Reported By: #0xelkomy
🔹 State: 🟢 Resolved
🔹 Disclosed: March 11, 2022, 6:57pm (UTC)
Specially crafted message request crashes the webapp for users who view the message
👉 https://hackerone.com/reports/1253732
🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mattermost
🔹 Reported By: #thesecuritydev
🔹 State: 🟢 Resolved
🔹 Disclosed: March 14, 2022, 5:05am (UTC)
User files are disclosed when someone calls while the screen is locked
👉 https://hackerone.com/reports/1338781
🔹 Severity: Medium | 💰 350 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #ctulhu
🔹 State: 🟢 Resolved
🔹 Disclosed: March 14, 2022, 3:41pm (UTC)
registering with the same email address multiple times leads to account takeover
👉 https://hackerone.com/reports/785833
🔹 Severity: Low
🔹 Reported To: Reddit
🔹 Reported By: #whitehacker18
🔹 State: ⚪️ Informative
🔹 Disclosed: March 14, 2022, 9:13pm (UTC)
Open redirect GET-Based on https://www.flickr.com/browser/upgrade/?continue=
👉 https://hackerone.com/reports/1217570
🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Flickr
🔹 Reported By: #c4rrilat0rr
🔹 State: 🟢 Resolved
🔹 Disclosed: March 16, 2022, 3:35am (UTC)
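Two of the reports above (the 8x8 `nextPage` parameter and the Flickr `continue` parameter) are open redirects: a post-login destination taken from the query string and followed without checking that it stays on the site. The validator below is an added example, not code from either report or vendor. It assumes a hypothetical allowlist `ALLOWED_HOSTS` and accepts only single-slash relative paths or absolute http(s) URLs whose host is allowlisted; everything else falls back to `/`. The backslash and credential checks cover the bypasses that a naive `startswith("/")` or hostname comparison misses.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for the example; a real service loads this from config.
ALLOWED_HOSTS = frozenset({"www.flickr.com", "flickr.com"})
SAFE_DEFAULT = "/"


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS, default=SAFE_DEFAULT):
    """Return `value` if it is a safe post-login destination, otherwise `default`.

    Accepted: same-site relative paths ("/photos?sort=new") and absolute
    http(s) URLs whose host is on the allowlist. Anything else is rejected.
    """
    if not value or len(value) > 2048:
        return default

    # Reject control characters, whitespace and backslashes before parsing.
    # Browsers normalize "\" to "/" (so "/\evil.example" becomes
    # "//evil.example" and "https://evil.example\@www.flickr.com" lands on
    # evil.example), while urlsplit does not apply that normalization.
    if any(ord(ch) < 0x21 or ch == "\\" for ch in value):
        return default

    parts = urlsplit(value)

    if parts.scheme == "" and parts.netloc == "":
        # Path-relative target. Require exactly one leading "/"; "///x" parses
        # with an empty netloc but is rejected here. ("//evil.example" has a
        # netloc, skips this branch and fails the scheme check below.)
        if value.startswith("/") and not value.startswith("//"):
            return value
        return default

    if parts.scheme not in ("http", "https"):
        return default          # javascript:, data:, app deeplinks, scheme-relative
    if parts.username is not None or parts.password is not None:
        return default          # "https://evil.example@www.flickr.com/" style userinfo tricks
    host = parts.hostname       # lower-cased, port and userinfo stripped
    if host is None or host not in allowed_hosts:
        return default          # also rejects "www.flickr.com.evil.example"
    return value


if __name__ == "__main__":
    for candidate in ["/photos?sort=new", "//evil.example", "/\\evil.example",
                      "https://www.flickr.com/browser/upgrade/",
                      "https://evil.example@www.flickr.com/", "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

The allowlist comparison is on the parsed, lower-cased host, never a substring or prefix match; the path-relative branch exists because most `next`/`continue` parameters only ever need to carry a path, and the simplest fix is to accept nothing else.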
Stored XSS through PDF viewer
👉 https://hackerone.com/reports/881557
🔹 Severity: High | 💰 4,875 USD
🔹 Reported To: Slack
🔹 Reported By: #hitman_47
🔹 State: 🟢 Resolved
🔹 Disclosed: March 16, 2022, 2:10pm (UTC)