Python: CWE-338 insecureRandomness
👉 https://hackerone.com/reports/1490400
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #museljh
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:30pm (UTC)
👉 https://hackerone.com/reports/1490400
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #museljh
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:30pm (UTC)
Java : Add query to detect Server Side Template Injection (SSTI)
👉 https://hackerone.com/reports/1490372
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #porcupineyhairs
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:30pm (UTC)
👉 https://hackerone.com/reports/1490372
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #porcupineyhairs
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:30pm (UTC)
[C#] CWE-759: Query to detect password hash without a salt
👉 https://hackerone.com/reports/1484086
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #luchua
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:30pm (UTC)
👉 https://hackerone.com/reports/1484086
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #luchua
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:30pm (UTC)
CPP: Add query for CWE-266 Incorrect Privilege Assignment
👉 https://hackerone.com/reports/1483919
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #ihsinme
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:31pm (UTC)
👉 https://hackerone.com/reports/1483919
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #ihsinme
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:31pm (UTC)
[Java]: CWE-073 - File path injection with the JFinal framework
👉 https://hackerone.com/reports/1483918
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #luchua
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:31pm (UTC)
👉 https://hackerone.com/reports/1483918
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #luchua
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:31pm (UTC)
Java: An experimental query for ignored hostname verification
👉 https://hackerone.com/reports/1481247
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #artem
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:31pm (UTC)
👉 https://hackerone.com/reports/1481247
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #artem
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:31pm (UTC)
[Python]: Add shutil module sinks for path injection query
👉 https://hackerone.com/reports/1471622
🔹 Severity: Low | 💰 1,000 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #jessforfun
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:31pm (UTC)
👉 https://hackerone.com/reports/1471622
🔹 Severity: Low | 💰 1,000 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #jessforfun
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:31pm (UTC)
ihsinme: CPP Add a query to find incorrectly used exceptions.
👉 https://hackerone.com/reports/1455531
🔹 Severity: Low | 💰 1,000 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #ihsinme
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:32pm (UTC)
👉 https://hackerone.com/reports/1455531
🔹 Severity: Low | 💰 1,000 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #ihsinme
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:32pm (UTC)
Stored XSS in Question edit for product name (bypass #1416672)
👉 https://hackerone.com/reports/1428207
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Judge.me
🔹 Reported By: #glister
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 2:01pm (UTC)
👉 https://hackerone.com/reports/1428207
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Judge.me
🔹 Reported By: #glister
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 2:01pm (UTC)
stored XSS on AliExpress Review Importer/Products when delete product
👉 https://hackerone.com/reports/1425882
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Judge.me
🔹 Reported By: #glister
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 2:01pm (UTC)
👉 https://hackerone.com/reports/1425882
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Judge.me
🔹 Reported By: #glister
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 2:01pm (UTC)
Stored XSS in Question edit from product name
👉 https://hackerone.com/reports/1416672
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Judge.me
🔹 Reported By: #glister
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 2:02pm (UTC)
👉 https://hackerone.com/reports/1416672
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Judge.me
🔹 Reported By: #glister
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 2:02pm (UTC)
IDOR: leak buyer info & Publish/Hide foreign comments
👉 https://hackerone.com/reports/1410498
🔹 Severity: High | 💰 1,250 USD
🔹 Reported To: Judge.me
🔹 Reported By: #glister
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 2:04pm (UTC)
👉 https://hackerone.com/reports/1410498
🔹 Severity: High | 💰 1,250 USD
🔹 Reported To: Judge.me
🔹 Reported By: #glister
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 2:04pm (UTC)
👍2
Stored XSS in merge request creation page through payload in approval rule name
👉 https://hackerone.com/reports/1342009
🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 7:24pm (UTC)
👉 https://hackerone.com/reports/1342009
🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 7:24pm (UTC)
Information Leakage via TikTok Ads Web Cache Deception
👉 https://hackerone.com/reports/1484468
🔹 Severity: Low | 💰 200 USD
🔹 Reported To: TikTok
🔹 Reported By: #arifmkhls
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 10:16pm (UTC)
👉 https://hackerone.com/reports/1484468
🔹 Severity: Low | 💰 200 USD
🔹 Reported To: TikTok
🔹 Reported By: #arifmkhls
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 10:16pm (UTC)
CVE-2022-24288: Apache Airflow: TWO RCEs in example DAGs
👉 https://hackerone.com/reports/1492896
🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #happyhacking123
🔹 State: 🟢 Resolved
🔹 Disclosed: April 1, 2022, 2:40pm (UTC)
👉 https://hackerone.com/reports/1492896
🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #happyhacking123
🔹 State: 🟢 Resolved
🔹 Disclosed: April 1, 2022, 2:40pm (UTC)
Subdomain Takeover on proxies.sifchain.finance pointing to vercel
👉 https://hackerone.com/reports/1487793
🔹 Severity: High | 💰 100 USD
🔹 Reported To: Sifchain
🔹 Reported By: #hrdfrdh
🔹 State: ⚪️ Informative
🔹 Disclosed: April 1, 2022, 3:25pm (UTC)
👉 https://hackerone.com/reports/1487793
🔹 Severity: High | 💰 100 USD
🔹 Reported To: Sifchain
🔹 Reported By: #hrdfrdh
🔹 State: ⚪️ Informative
🔹 Disclosed: April 1, 2022, 3:25pm (UTC)
Workspace configuration metadata disclosure
👉 https://hackerone.com/reports/864489
🔹 Severity: High | 💰 3,500 USD
🔹 Reported To: Slack
🔹 Reported By: #kadusantiago
🔹 State: 🟢 Resolved
🔹 Disclosed: April 1, 2022, 7:44pm (UTC)
👉 https://hackerone.com/reports/864489
🔹 Severity: High | 💰 3,500 USD
🔹 Reported To: Slack
🔹 Reported By: #kadusantiago
🔹 State: 🟢 Resolved
🔹 Disclosed: April 1, 2022, 7:44pm (UTC)
CSRF token validation system is disabled on Stripe Dashboard
👉 https://hackerone.com/reports/1483327
🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: Stripe
🔹 Reported By: #d_sharad
🔹 State: 🟢 Resolved
🔹 Disclosed: April 2, 2022, 1:22pm (UTC)
👉 https://hackerone.com/reports/1483327
🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: Stripe
🔹 Reported By: #d_sharad
🔹 State: 🟢 Resolved
🔹 Disclosed: April 2, 2022, 1:22pm (UTC)
🔥2
Broken Domain Link Takeover from kubernetes.io docs
👉 https://hackerone.com/reports/1434179
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #0xlegendkiller
🔹 State: 🟢 Resolved
🔹 Disclosed: April 3, 2022, 4:47am (UTC)
👉 https://hackerone.com/reports/1434179
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #0xlegendkiller
🔹 State: 🟢 Resolved
🔹 Disclosed: April 3, 2022, 4:47am (UTC)
🤯1
[api.krisp.ai] Race condition on /v2/seats endpoint allows bypassing the original seat limit
👉 https://hackerone.com/reports/1418419
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Krisp
🔹 Reported By: #alp
🔹 State: 🟢 Resolved
🔹 Disclosed: April 4, 2022, 1:43pm (UTC)
👉 https://hackerone.com/reports/1418419
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Krisp
🔹 Reported By: #alp
🔹 State: 🟢 Resolved
🔹 Disclosed: April 4, 2022, 1:43pm (UTC)
🥰3
Private invitation links/tokens leak to third-party analytics site
👉 https://hackerone.com/reports/1491127
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #bigbug
🔹 State: 🟢 Resolved
🔹 Disclosed: April 5, 2022, 6:57am (UTC)
👉 https://hackerone.com/reports/1491127
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #bigbug
🔹 State: 🟢 Resolved
🔹 Disclosed: April 5, 2022, 6:57am (UTC)