[C#] CWE-759: Query to detect password hash without a salt

👉 https://hackerone.com/reports/1484086

🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #luchua
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:30pm (UTC)

CPP: Add query for CWE-266 Incorrect Privilege Assignment

👉 https://hackerone.com/reports/1483919

🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #ihsinme
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:31pm (UTC)

[Java]: CWE-073 - File path injection with the JFinal framework

👉 https://hackerone.com/reports/1483918

🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #luchua
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:31pm (UTC)

Java: An experimental query for ignored hostname verification

👉 https://hackerone.com/reports/1481247

🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #artem
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:31pm (UTC)

[Python]: Add shutil module sinks for path injection query

👉 https://hackerone.com/reports/1471622

🔹 Severity: Low | 💰 1,000 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #jessforfun
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:31pm (UTC)

ihsinme: CPP Add a query to find incorrectly used exceptions.

👉 https://hackerone.com/reports/1455531

🔹 Severity: Low | 💰 1,000 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #ihsinme
🔹 State: 🟢 Resolved
🔹 Disclosed: March 30, 2022, 8:32pm (UTC)

Stored XSS in Question edit for product name (bypass #1416672)

👉 https://hackerone.com/reports/1428207

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Judge.me
🔹 Reported By: #glister
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 2:01pm (UTC)

stored XSS on AliExpress Review Importer/Products when delete product

👉 https://hackerone.com/reports/1425882

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Judge.me
🔹 Reported By: #glister
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 2:01pm (UTC)

Stored XSS in Question edit from product name

👉 https://hackerone.com/reports/1416672

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Judge.me
🔹 Reported By: #glister
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 2:02pm (UTC)

IDOR: leak buyer info & Publish/Hide foreign comments

👉 https://hackerone.com/reports/1410498

🔹 Severity: High | 💰 1,250 USD
🔹 Reported To: Judge.me
🔹 Reported By: #glister
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 2:04pm (UTC)

Stored XSS in merge request creation page through payload in approval rule name

👉 https://hackerone.com/reports/1342009

🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 7:24pm (UTC)

Information Leakage via TikTok Ads Web Cache Deception

👉 https://hackerone.com/reports/1484468

🔹 Severity: Low | 💰 200 USD
🔹 Reported To: TikTok
🔹 Reported By: #arifmkhls
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 10:16pm (UTC)

CVE-2022-24288: Apache Airflow: TWO RCEs in example DAGs

👉 https://hackerone.com/reports/1492896

🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #happyhacking123
🔹 State: 🟢 Resolved
🔹 Disclosed: April 1, 2022, 2:40pm (UTC)

Subdomain Takeover on proxies.sifchain.finance pointing to vercel

👉 https://hackerone.com/reports/1487793

🔹 Severity: High | 💰 100 USD
🔹 Reported To: Sifchain
🔹 Reported By: #hrdfrdh
🔹 State: ⚪️ Informative
🔹 Disclosed: April 1, 2022, 3:25pm (UTC)

Workspace configuration metadata disclosure

👉 https://hackerone.com/reports/864489

🔹 Severity: High | 💰 3,500 USD
🔹 Reported To: Slack
🔹 Reported By: #kadusantiago
🔹 State: 🟢 Resolved
🔹 Disclosed: April 1, 2022, 7:44pm (UTC)

CSRF token validation system is disabled on Stripe Dashboard

👉 https://hackerone.com/reports/1483327

🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: Stripe
🔹 Reported By: #d_sharad
🔹 State: 🟢 Resolved
🔹 Disclosed: April 2, 2022, 1:22pm (UTC)

Broken Domain Link Takeover from kubernetes.io docs

👉 https://hackerone.com/reports/1434179

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #0xlegendkiller
🔹 State: 🟢 Resolved
🔹 Disclosed: April 3, 2022, 4:47am (UTC)

[api.krisp.ai] Race condition on /v2/seats endpoint allows bypassing the original seat limit

👉 https://hackerone.com/reports/1418419

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Krisp
🔹 Reported By: #alp
🔹 State: 🟢 Resolved
🔹 Disclosed: April 4, 2022, 1:43pm (UTC)

Private invitation links/tokens leak to third-party analytics site

👉 https://hackerone.com/reports/1491127

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #bigbug
🔹 State: 🟢 Resolved
🔹 Disclosed: April 5, 2022, 6:57am (UTC)

SQL Injection at https://files.palantir.com/ due to CVE-2021-38159

👉 https://hackerone.com/reports/1525200

🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: Palantir Public
🔹 Reported By: #haxor31337
🔹 State: 🟢 Resolved
🔹 Disclosed: April 5, 2022, 8:05am (UTC)

Attacker shall recieve order updates on whatsapp for users who have activated whatsapp notification

👉 https://hackerone.com/reports/1523584

🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Zomato
🔹 Reported By: #schutzx0r
🔹 State: 🟢 Resolved
🔹 Disclosed: April 6, 2022, 6:00am (UTC)