Arbitrary file read via the bulk imports UploadsPipeline

👉 https://hackerone.com/reports/1439593

🔹 Severity: Critical | 💰 29,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: March 21, 2022, 2:46pm (UTC)

Log4j Java RCE in [beta.dev.adobeconnect.com]

👉 https://hackerone.com/reports/1442644

🔹 Severity: Critical
🔹 Reported To: Adobe
🔹 Reported By: #sheikhrishad0
🔹 State: 🟢 Resolved
🔹 Disclosed: March 21, 2022, 4:26pm (UTC)

html injection via invite members can be leads account takeover

👉 https://hackerone.com/reports/1443567

🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mattermost
🔹 Reported By: #rynexxx
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 10:15am (UTC)

[https://█████████/]&&[https://█████████/] Open Redirection

👉 https://hackerone.com/reports/537047

🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Lyst
🔹 Reported By: #mandark
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 11:53am (UTC)

Web Cache poisoning attack leads to User information Disclosure and more

👉 https://hackerone.com/reports/631589

🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Lyst
🔹 Reported By: #deksterh1
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 11:53am (UTC)

The endpoint /api/internal/graphql/requestAuthEmail on Khanacademy.or is vulnerable to Race Condition Attack.

👉 https://hackerone.com/reports/1293377

🔹 Severity: Medium
🔹 Reported To: Khan Academy
🔹 Reported By: #sim4n6
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 9:31pm (UTC)

Race condition on action: Invite members to a team

👉 https://hackerone.com/reports/1285538

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Omise
🔹 Reported By: #sim4n6
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 9:52pm (UTC)

The endpoint '/test/webhooks' is vulnerable to DNS Rebinding

👉 https://hackerone.com/reports/1379656

🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Omise
🔹 Reported By: #sim4n6
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 9:56pm (UTC)

Regexes with large repetitions on empty sub-expressions take a very long time to parse

👉 https://hackerone.com/reports/1518036

🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #addisoncrump
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 10:24pm (UTC)

Potential Authentication Bypass through "autologin" feature

👉 https://hackerone.com/reports/1081986

🔹 Severity: Low
🔹 Reported To: ImpressCMS
🔹 Reported By: #egix
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 10:56pm (UTC)

Arbitrary File Deletion via Path Traversal in image-edit.php

👉 https://hackerone.com/reports/1081878

🔹 Severity: Medium
🔹 Reported To: ImpressCMS
🔹 Reported By: #egix
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 10:56pm (UTC)

Incorrect Authorization Checks in /include/findusers.php

👉 https://hackerone.com/reports/1081137

🔹 Severity: Medium
🔹 Reported To: ImpressCMS
🔹 Reported By: #egix
🔹 State: 🟢 Resolved
🔹 Disclosed: March 22, 2022, 10:57pm (UTC)

XSS Reflected at https://sketch.pixiv.net/ Via `next_url`

👉 https://hackerone.com/reports/1503601

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: pixiv
🔹 Reported By: #aidilarf_2000
🔹 State: 🟢 Resolved
🔹 Disclosed: March 23, 2022, 1:19am (UTC)

Bypassing domain deny_list rule in Smokescreen via trailing dot leads to SSRF

👉 https://hackerone.com/reports/1410214

🔹 Severity: Low | 💰 1,500 USD
🔹 Reported To: Stripe
🔹 Reported By: #gregxsunday
🔹 State: 🟢 Resolved
🔹 Disclosed: March 23, 2022, 3:43pm (UTC)

Improper Authentication via previous backup code login

👉 https://hackerone.com/reports/1485788

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Basecamp
🔹 Reported By: #fuzzsqlb0f
🔹 State: 🟢 Resolved
🔹 Disclosed: March 24, 2022, 2:45am (UTC)

Time-of-check to time-of-use vulnerability in the std::fs::remove_dir_all() function of the Rust standard library

👉 https://hackerone.com/reports/1520931

🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #hkratz
🔹 State: 🟢 Resolved
🔹 Disclosed: March 24, 2022, 6:09pm (UTC)

Impersonation of tiktok account via Broken Link in TikTok Newsroom

👉 https://hackerone.com/reports/1504294

🔹 Severity: No Rating
🔹 Reported To: TikTok
🔹 Reported By: #bushidobrown200
🔹 State: 🟢 Resolved
🔹 Disclosed: March 24, 2022, 10:37pm (UTC)

Broken link hijacking in https://kubernetes-csi.github.io/docs/drivers.html?highlight=chubaofs#production-drivers

👉 https://hackerone.com/reports/1466889

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #0xlegendkiller
🔹 State: 🟢 Resolved
🔹 Disclosed: March 25, 2022, 6:49am (UTC)

Business Logic Flaw in the subnoscription of the app

👉 https://hackerone.com/reports/1505189

🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Dragon
🔹 Reported By: #engr-naseem1
🔹 State: 🟢 Resolved
🔹 Disclosed: March 25, 2022, 8:21am (UTC)

F5 BIG-IP TMUI RCE - CVE-2020-5902 (██.packet8.net)

👉 https://hackerone.com/reports/1519841

🔹 Severity: Critical
🔹 Reported To: 8x8
🔹 Reported By: #remonsec
🔹 State: 🟢 Resolved
🔹 Disclosed: March 25, 2022, 11:11am (UTC)

Misconfigured Rate Limit at app.sign.plus/forgot_password

👉 https://hackerone.com/reports/1472394

🔹 Severity: Low
🔹 Reported To: Alohi
🔹 Reported By: #shamim_12__
🔹 State: 🟢 Resolved
🔹 Disclosed: March 25, 2022, 3:05pm (UTC)