Stored XSS in merge request creation page through payload in approval rule name
👉 https://hackerone.com/reports/1342009
🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 7:24pm (UTC)
Information Leakage via TikTok Ads Web Cache Deception
👉 https://hackerone.com/reports/1484468
🔹 Severity: Low | 💰 200 USD
🔹 Reported To: TikTok
🔹 Reported By: #arifmkhls
🔹 State: 🟢 Resolved
🔹 Disclosed: March 31, 2022, 10:16pm (UTC)
CVE-2022-24288: Apache Airflow: TWO RCEs in example DAGs
👉 https://hackerone.com/reports/1492896
🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #happyhacking123
🔹 State: 🟢 Resolved
🔹 Disclosed: April 1, 2022, 2:40pm (UTC)
Subdomain Takeover on proxies.sifchain.finance pointing to vercel
👉 https://hackerone.com/reports/1487793
🔹 Severity: High | 💰 100 USD
🔹 Reported To: Sifchain
🔹 Reported By: #hrdfrdh
🔹 State: ⚪️ Informative
🔹 Disclosed: April 1, 2022, 3:25pm (UTC)
Workspace configuration metadata disclosure
👉 https://hackerone.com/reports/864489
🔹 Severity: High | 💰 3,500 USD
🔹 Reported To: Slack
🔹 Reported By: #kadusantiago
🔹 State: 🟢 Resolved
🔹 Disclosed: April 1, 2022, 7:44pm (UTC)
CSRF token validation system is disabled on Stripe Dashboard
👉 https://hackerone.com/reports/1483327
🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: Stripe
🔹 Reported By: #d_sharad
🔹 State: 🟢 Resolved
🔹 Disclosed: April 2, 2022, 1:22pm (UTC)
Broken Domain Link Takeover from kubernetes.io docs
👉 https://hackerone.com/reports/1434179
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #0xlegendkiller
🔹 State: 🟢 Resolved
🔹 Disclosed: April 3, 2022, 4:47am (UTC)
[api.krisp.ai] Race condition on /v2/seats endpoint allows bypassing the original seat limit
👉 https://hackerone.com/reports/1418419
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Krisp
🔹 Reported By: #alp
🔹 State: 🟢 Resolved
🔹 Disclosed: April 4, 2022, 1:43pm (UTC)
Private invitation links/tokens leak to third-party analytics site
👉 https://hackerone.com/reports/1491127
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #bigbug
🔹 State: 🟢 Resolved
🔹 Disclosed: April 5, 2022, 6:57am (UTC)
SQL Injection at https://files.palantir.com/ due to CVE-2021-38159
👉 https://hackerone.com/reports/1525200
🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: Palantir Public
🔹 Reported By: #haxor31337
🔹 State: 🟢 Resolved
🔹 Disclosed: April 5, 2022, 8:05am (UTC)
Attacker shall receive order updates on whatsapp for users who have activated whatsapp notification
👉 https://hackerone.com/reports/1523584
🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Zomato
🔹 Reported By: #schutzx0r
🔹 State: 🟢 Resolved
🔹 Disclosed: April 6, 2022, 6:00am (UTC)
Uninstalling Rockstar Games Launcher for Windows (64-bit), then reinstalling keeps you logged in without authentication
👉 https://hackerone.com/reports/1278261
🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Rockstar Games
🔹 Reported By: #toxiqcitee
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 12:56pm (UTC)
XSS Reflected - ███
👉 https://hackerone.com/reports/1223575
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #drauschkolb
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 7:50pm (UTC)
Bypassing CORS Misconfiguration Leads to Sensitive Exposure at https://███/
👉 https://hackerone.com/reports/1092125
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #whoisbinit
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 7:53pm (UTC)
Open Akamai ARL XSS at ████████
👉 https://hackerone.com/reports/1317031
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #whoisbinit
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 7:54pm (UTC)
XSS on https://████/ via ███████ parameter
👉 https://hackerone.com/reports/1251868
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #homosec
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 7:55pm (UTC)
XSS on https://██████/███ via █████ parameter
👉 https://hackerone.com/reports/1252059
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #homosec
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 7:56pm (UTC)
XSS on https://███████/██████████ parameter
👉 https://hackerone.com/reports/1252229
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #homosec
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 7:57pm (UTC)
XSS on https://████████/████' parameter
👉 https://hackerone.com/reports/1252020
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #homosec
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 7:57pm (UTC)
SQL Injection in █████
👉 https://hackerone.com/reports/1489744
🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #lubak
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 7:59pm (UTC)
Cross-site Scripting (XSS) - Reflected at https://██████████/
👉 https://hackerone.com/reports/1370746
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #mamunwhh
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:00pm (UTC)