Authorization bypass -> IDOR -> PII Leakage
👉 https://hackerone.com/reports/1489470
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #lubak
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:02pm (UTC)
👉 https://hackerone.com/reports/1489470
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #lubak
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:02pm (UTC)
Broken access control, can lead to legitimate user data loss
👉 https://hackerone.com/reports/1493007
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #lubak
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:03pm (UTC)
👉 https://hackerone.com/reports/1493007
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #lubak
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:03pm (UTC)
username and password leaked via pptx for █████████ website
👉 https://hackerone.com/reports/1512199
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #ibrahimatix_
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:04pm (UTC)
👉 https://hackerone.com/reports/1512199
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #ibrahimatix_
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:04pm (UTC)
[CVE-2020-3452] on ███████
👉 https://hackerone.com/reports/1234925
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #splint3rsec
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:06pm (UTC)
👉 https://hackerone.com/reports/1234925
🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #splint3rsec
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:06pm (UTC)
[www.█████] Path-based reflected Cross Site Scripting
👉 https://hackerone.com/reports/1159371
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #geeknik
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:08pm (UTC)
👉 https://hackerone.com/reports/1159371
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #geeknik
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:08pm (UTC)
Reflected XSS on [█████████]
👉 https://hackerone.com/reports/1267380
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #saajanbhujel
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:09pm (UTC)
👉 https://hackerone.com/reports/1267380
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #saajanbhujel
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:09pm (UTC)
Chain of IDORs Between U4B and Vouchers APIs Allows Attackers to View and Modify Program/Voucher Policies and to Obtain Organization Employees' PII
👉 https://hackerone.com/reports/1148697
🔹 Severity: High | 💰 10,250 USD
🔹 Reported To: Uber
🔹 Reported By: #hunt4p1zza
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:49pm (UTC)
👉 https://hackerone.com/reports/1148697
🔹 Severity: High | 💰 10,250 USD
🔹 Reported To: Uber
🔹 Reported By: #hunt4p1zza
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:49pm (UTC)
👍2🔥1
Exposed Golang Pprof debugger at https://cn-geo1.uber.com/
👉 https://hackerone.com/reports/1385906
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Uber
🔹 Reported By: #boobalan123
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:52pm (UTC)
👉 https://hackerone.com/reports/1385906
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Uber
🔹 Reported By: #boobalan123
🔹 State: 🟢 Resolved
🔹 Disclosed: April 7, 2022, 8:52pm (UTC)
👍1
Host Header Injection leads to Open Redirect and Content Spoofing or Text Injection.
👉 https://hackerone.com/reports/1444675
🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Omise
🔹 Reported By: #oblivionlight
🔹 State: 🟢 Resolved
🔹 Disclosed: April 9, 2022, 6:45am (UTC)
👉 https://hackerone.com/reports/1444675
🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Omise
🔹 Reported By: #oblivionlight
🔹 State: 🟢 Resolved
🔹 Disclosed: April 9, 2022, 6:45am (UTC)
Found Origin IP's Lead To Access To kraden.com
👉 https://hackerone.com/reports/1531183
🔹 Severity: No Rating | 💰 100 USD
🔹 Reported To: Kraden
🔹 Reported By: #4bhin8v
🔹 State: 🟢 Resolved
🔹 Disclosed: April 9, 2022, 10:04am (UTC)
👉 https://hackerone.com/reports/1531183
🔹 Severity: No Rating | 💰 100 USD
🔹 Reported To: Kraden
🔹 Reported By: #4bhin8v
🔹 State: 🟢 Resolved
🔹 Disclosed: April 9, 2022, 10:04am (UTC)
Folder architecture and Filesizes of private file drop shares can be getten
👉 https://hackerone.com/reports/1337422
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #shakierbellows
🔹 State: 🟢 Resolved
🔹 Disclosed: April 9, 2022, 1:08pm (UTC)
👉 https://hackerone.com/reports/1337422
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #shakierbellows
🔹 State: 🟢 Resolved
🔹 Disclosed: April 9, 2022, 1:08pm (UTC)
HTML injection through Invite Teammate email
👉 https://hackerone.com/reports/1482057
🔹 Severity: Low
🔹 Reported To: SecurityScorecard
🔹 Reported By: #cryptoknight028
🔹 State: 🟢 Resolved
🔹 Disclosed: April 9, 2022, 5:25pm (UTC)
👉 https://hackerone.com/reports/1482057
🔹 Severity: Low
🔹 Reported To: SecurityScorecard
🔹 Reported By: #cryptoknight028
🔹 State: 🟢 Resolved
🔹 Disclosed: April 9, 2022, 5:25pm (UTC)
Insecure Storage of Sensitive Information on lonestarcell.com server
👉 https://hackerone.com/reports/1482830
🔹 Severity: Critical
🔹 Reported To: MTN Group
🔹 Reported By: #muhnad
🔹 State: 🟢 Resolved
🔹 Disclosed: April 9, 2022, 6:58pm (UTC)
👉 https://hackerone.com/reports/1482830
🔹 Severity: Critical
🔹 Reported To: MTN Group
🔹 Reported By: #muhnad
🔹 State: 🟢 Resolved
🔹 Disclosed: April 9, 2022, 6:58pm (UTC)
[Python]: Add Server-side Request Forgery sinks
👉 https://hackerone.com/reports/1538144
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: April 11, 2022, 11:52pm (UTC)
👉 https://hackerone.com/reports/1538144
🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: April 11, 2022, 11:52pm (UTC)
RCE via WikiCloth markdown rendering if the `rubyluabridge` gem is installed
👉 https://hackerone.com/reports/1401444
🔹 Severity: No Rating | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: April 12, 2022, 10:10am (UTC)
👉 https://hackerone.com/reports/1401444
🔹 Severity: No Rating | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: April 12, 2022, 10:10am (UTC)
🔥3
Regular Expression Denial of Service vulnerability
👉 https://hackerone.com/reports/1538157
🔹 Severity: Medium
🔹 Reported To: Reddit
🔹 Reported By: #dingleberryfarts
🔹 State: ⚪️ Informative
🔹 Disclosed: April 12, 2022, 1:24pm (UTC)
👉 https://hackerone.com/reports/1538157
🔹 Severity: Medium
🔹 Reported To: Reddit
🔹 Reported By: #dingleberryfarts
🔹 State: ⚪️ Informative
🔹 Disclosed: April 12, 2022, 1:24pm (UTC)
Open S3 Bucket Accessible by any User
👉 https://hackerone.com/reports/1474017
🔹 Severity: No Rating | 💰 100 USD
🔹 Reported To: Omise
🔹 Reported By: #ravansurya
🔹 State: 🟢 Resolved
🔹 Disclosed: April 13, 2022, 7:12am (UTC)
👉 https://hackerone.com/reports/1474017
🔹 Severity: No Rating | 💰 100 USD
🔹 Reported To: Omise
🔹 Reported By: #ravansurya
🔹 State: 🟢 Resolved
🔹 Disclosed: April 13, 2022, 7:12am (UTC)
Taking position in a discontinued forex pair without executing any trades
👉 https://hackerone.com/reports/1509211
🔹 Severity: High | 💰 2,337 USD
🔹 Reported To: EXNESS
🔹 Reported By: #a_ashwarya
🔹 State: 🟢 Resolved
🔹 Disclosed: April 13, 2022, 10:40am (UTC)
👉 https://hackerone.com/reports/1509211
🔹 Severity: High | 💰 2,337 USD
🔹 Reported To: EXNESS
🔹 Reported By: #a_ashwarya
🔹 State: 🟢 Resolved
🔹 Disclosed: April 13, 2022, 10:40am (UTC)
Access control vulnerability (read-only)
👉 https://hackerone.com/reports/1159367
🔹 Severity: Critical | 💰 2,250 USD
🔹 Reported To: EXNESS
🔹 Reported By: #a_ashwarya
🔹 State: 🟢 Resolved
🔹 Disclosed: April 13, 2022, 10:49am (UTC)
👉 https://hackerone.com/reports/1159367
🔹 Severity: Critical | 💰 2,250 USD
🔹 Reported To: EXNESS
🔹 Reported By: #a_ashwarya
🔹 State: 🟢 Resolved
🔹 Disclosed: April 13, 2022, 10:49am (UTC)
Access control vulnerability (read/write)
👉 https://hackerone.com/reports/1174734
🔹 Severity: Critical | 💰 2,500 USD
🔹 Reported To: EXNESS
🔹 Reported By: #a_ashwarya
🔹 State: 🟢 Resolved
🔹 Disclosed: April 13, 2022, 10:51am (UTC)
👉 https://hackerone.com/reports/1174734
🔹 Severity: Critical | 💰 2,500 USD
🔹 Reported To: EXNESS
🔹 Reported By: #a_ashwarya
🔹 State: 🟢 Resolved
🔹 Disclosed: April 13, 2022, 10:51am (UTC)
Acess control vulnerability (read/write)
👉 https://hackerone.com/reports/1174387
🔹 Severity: No Rating | 💰 1,000 USD
🔹 Reported To: EXNESS
🔹 Reported By: #a_ashwarya
🔹 State: 🟢 Resolved
🔹 Disclosed: April 13, 2022, 10:52am (UTC)
👉 https://hackerone.com/reports/1174387
🔹 Severity: No Rating | 💰 1,000 USD
🔹 Reported To: EXNESS
🔹 Reported By: #a_ashwarya
🔹 State: 🟢 Resolved
🔹 Disclosed: April 13, 2022, 10:52am (UTC)