Password reset token leakage

👉 https://hackerone.com/reports/1354437

🔹 Severity: High
🔹 Reported To: UPchieve
🔹 Reported By: #ww1
🔹 State: 🟤 Duplicate
🔹 Disclosed: March 26, 2022, 5:59pm (UTC)

No Rate Limit on forgot password page

👉 https://hackerone.com/reports/1317494

🔹 Severity: Medium
🔹 Reported To: UPchieve
🔹 Reported By: #pranto_0
🔹 State: 🔴 N/A
🔹 Disclosed: March 26, 2022, 6:00pm (UTC)

OTP reflecting in response sensitive data exposure leads to account take over

👉 https://hackerone.com/reports/1318087

🔹 Severity: Critical
🔹 Reported To: UPchieve
🔹 Reported By: #rupachandransangothi
🔹 State: 🔴 N/A
🔹 Disclosed: March 26, 2022, 6:00pm (UTC)

Able to steal bearer token from deep link

👉 https://hackerone.com/reports/1372667

🔹 Severity: High | 💰 6,337 USD
🔹 Reported To: Basecamp
🔹 Reported By: #danielllewellyn
🔹 State: 🟢 Resolved
🔹 Disclosed: March 27, 2022, 6:33pm (UTC)

EC2 Takeover at turn.shopify.com

👉 https://hackerone.com/reports/1295497

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #0xd0m7
🔹 State: 🟢 Resolved
🔹 Disclosed: March 28, 2022, 2:21pm (UTC)

Denial of Service vulnerability in curl when parsing MQTT server response

👉 https://hackerone.com/reports/1521610

🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #jenny
🔹 State: ⚪️ Informative
🔹 Disclosed: March 28, 2022, 8:00pm (UTC)

2 click Remote Code execution in Evernote Android

👉 https://hackerone.com/reports/1377748

🔹 Severity: High | 💰 750 USD
🔹 Reported To: Evernote
🔹 Reported By: #hulkvision_
🔹 State: 🟢 Resolved
🔹 Disclosed: March 29, 2022, 1:54pm (UTC)

Identify the mobile number of a twitter user

👉 https://hackerone.com/reports/1225164

🔹 Severity: Critical | 💰 560 USD
🔹 Reported To: Twitter
🔹 Reported By: #aymen_mansour
🔹 State: 🟢 Resolved
🔹 Disclosed: March 29, 2022, 6:39pm (UTC)

Ability to use premium templates as free user via https://stripo.email/templates/?utm_source=viewstripo&utm_medium=referral

👉 https://hackerone.com/reports/1166993

🔹 Severity: High
🔹 Reported To: Stripo Inc
🔹 Reported By: #0xkira
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 6:18am (UTC)

Insecure Storage and Overly Permissive API Keys

👉 https://hackerone.com/reports/1283575

🔹 Severity: Medium
🔹 Reported To: Stripo Inc
🔹 Reported By: #andformod
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 6:19am (UTC)

Upload Profile Photo in any folder you want with any extension you want

👉 https://hackerone.com/reports/753375

🔹 Severity: Critical
🔹 Reported To: Stripo Inc
🔹 Reported By: #whoisbinit
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 6:21am (UTC)

[Java]: CWE-200 - Query to detect insecure WebResourceResponse implementation

👉 https://hackerone.com/reports/1526609

🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:28pm (UTC)

CPP: Add query for CWE-377 Insecure Temporary File

👉 https://hackerone.com/reports/1515139

🔹 Severity: Low | 💰 1,000 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #ihsinme
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:29pm (UTC)

[Python]: CWE-611: XXE

👉 https://hackerone.com/reports/1512937

🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #jorgectf
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:29pm (UTC)

[Java]: Add JDBC connection SSRF sinks

👉 https://hackerone.com/reports/1512936

🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #p0wn4j
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:29pm (UTC)

[Java]: Timing attacks while comparing the headers value

👉 https://hackerone.com/reports/1496268

🔹 Severity: Low | 💰 1,000 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #farid_hunter
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:29pm (UTC)

Python: CWE-338 insecureRandomness

👉 https://hackerone.com/reports/1490400

🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #museljh
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:30pm (UTC)

Java : Add query to detect Server Side Template Injection (SSTI)

👉 https://hackerone.com/reports/1490372

🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #porcupineyhairs
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:30pm (UTC)

[C#] CWE-759: Query to detect password hash without a salt

👉 https://hackerone.com/reports/1484086

🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #luchua
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:30pm (UTC)

CPP: Add query for CWE-266 Incorrect Privilege Assignment

👉 https://hackerone.com/reports/1483919

🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #ihsinme
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:31pm (UTC)

[Java]: CWE-073 - File path injection with the JFinal framework

👉 https://hackerone.com/reports/1483918

🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #luchua
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:31pm (UTC)