🛑 Blocking bounty payments for Russian & Belarusian hackers 🇺🇸🇺🇦

👉 https://www.hackerone.com/sanctions-faq

Exposed .bash_history at http://21days2017.mtncameroon.net/.bash_history

👉 https://hackerone.com/reports/801437

🔹 Severity: Medium
🔹 Reported To: MTN Group
🔹 Reported By: #xlife
🔹 State: 🟢 Resolved
🔹 Disclosed: March 20, 2022, 5:31am (UTC)

Insecure crossdomain.xml on https://vdc.mtnonline.com/

👉 https://hackerone.com/reports/838817

🔹 Severity: High
🔹 Reported To: MTN Group
🔹 Reported By: #xlife
🔹 State: 🟢 Resolved
🔹 Disclosed: March 20, 2022, 5:31am (UTC)

RXSS

👉 https://hackerone.com/reports/1418413

🔹 Severity: Medium
🔹 Reported To: SecurityScorecard
🔹 Reported By: #ww1
🔹 State: 🟢 Resolved
🔹 Disclosed: March 20, 2022, 6:55am (UTC)

Get all personal email IDs of Glassdoor users[No user interaction required]

👉 https://hackerone.com/reports/864783

🔹 Severity: High | 💰 1,500 USD
🔹 Reported To: Glassdoor
🔹 Reported By: #safehacker_2715
🔹 State: 🟢 Resolved
🔹 Disclosed: March 21, 2022, 1:11pm (UTC)

Arbitrary file read via the bulk imports UploadsPipeline

👉 https://hackerone.com/reports/1439593

🔹 Severity: Critical | 💰 29,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: March 21, 2022, 2:46pm (UTC)

Log4j Java RCE in [beta.dev.adobeconnect.com]

👉 https://hackerone.com/reports/1442644

🔹 Severity: Critical
🔹 Reported To: Adobe
🔹 Reported By: #sheikhrishad0
🔹 State: 🟢 Resolved
🔹 Disclosed: March 21, 2022, 4:26pm (UTC)

html injection via invite members can be leads account takeover

👉 https://hackerone.com/reports/1443567

🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mattermost
🔹 Reported By: #rynexxx
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 10:15am (UTC)

[https://█████████/]&&[https://█████████/] Open Redirection

👉 https://hackerone.com/reports/537047

🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Lyst
🔹 Reported By: #mandark
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 11:53am (UTC)

Web Cache poisoning attack leads to User information Disclosure and more

👉 https://hackerone.com/reports/631589

🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Lyst
🔹 Reported By: #deksterh1
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 11:53am (UTC)

The endpoint /api/internal/graphql/requestAuthEmail on Khanacademy.or is vulnerable to Race Condition Attack.

👉 https://hackerone.com/reports/1293377

🔹 Severity: Medium
🔹 Reported To: Khan Academy
🔹 Reported By: #sim4n6
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 9:31pm (UTC)

Race condition on action: Invite members to a team

👉 https://hackerone.com/reports/1285538

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Omise
🔹 Reported By: #sim4n6
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 9:52pm (UTC)

The endpoint '/test/webhooks' is vulnerable to DNS Rebinding

👉 https://hackerone.com/reports/1379656

🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Omise
🔹 Reported By: #sim4n6
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 9:56pm (UTC)

Regexes with large repetitions on empty sub-expressions take a very long time to parse

👉 https://hackerone.com/reports/1518036

🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #addisoncrump
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 10:24pm (UTC)

Potential Authentication Bypass through "autologin" feature

👉 https://hackerone.com/reports/1081986

🔹 Severity: Low
🔹 Reported To: ImpressCMS
🔹 Reported By: #egix
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 10:56pm (UTC)

Arbitrary File Deletion via Path Traversal in image-edit.php

👉 https://hackerone.com/reports/1081878

🔹 Severity: Medium
🔹 Reported To: ImpressCMS
🔹 Reported By: #egix
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 10:56pm (UTC)

Incorrect Authorization Checks in /include/findusers.php

👉 https://hackerone.com/reports/1081137

🔹 Severity: Medium
🔹 Reported To: ImpressCMS
🔹 Reported By: #egix
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 10:57pm (UTC)

XSS Reflected at https://sketch.pixiv.net/ Via `next_url`

👉 https://hackerone.com/reports/1503601

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: pixiv
🔹 Reported By: #aidilarf_2000
🔹 State: 🟢 Resolved
🔹 Disclosed: March 23, 2022, 1:19am (UTC)

Bypassing domain deny_list rule in Smokescreen via trailing dot leads to SSRF

👉 https://hackerone.com/reports/1410214

🔹 Severity: Low | 💰 1,500 USD
🔹 Reported To: Stripe
🔹 Reported By: #gregxsunday
🔹 State: 🟢 Resolved
🔹 Disclosed: March 23, 2022, 3:43pm (UTC)

Improper Authentication via previous backup code login

👉 https://hackerone.com/reports/1485788

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Basecamp
🔹 Reported By: #fuzzsqlb0f
🔹 State: 🟢 Resolved
🔹 Disclosed: March 24, 2022, 2:45am (UTC)

Time-of-check to time-of-use vulnerability in the std::fs::remove_dir_all() function of the Rust standard library

👉 https://hackerone.com/reports/1520931

🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #hkratz
🔹 State: 🟢 Resolved
🔹 Disclosed: March 24, 2022, 6:09pm (UTC)