Bugpoint – Telegram
Bugpoint
Latest updates about disclosure bug bounty reports: tech details, impacts, bounties 📣

Rate👇
https://cutt.ly/bugpoint_rate
Feedback👇
https://cutt.ly/bugpoint_feedback

#️⃣ bug bounty disclosed reports
#️⃣ bug bounty write-ups
#️⃣ bug bounty teleg
CSRF protection bypass in GitHub Enterprise management console

👉 https://hackerone.com/reports/1497169

🔹 Severity: High | 💰 10,000 USD
🔹 Reported To: GitHub
🔹 Reported By: #bitquark
🔹 State: 🟢 Resolved
🔹 Disclosed: April 13, 2022, 7:16pm (UTC)
Reflected XSS on TikTok Website

👉 https://hackerone.com/reports/1378413

🔹 Severity: Medium | 💰 3,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #homosec
🔹 State: 🟢 Resolved
🔹 Disclosed: April 13, 2022, 9:25pm (UTC)
[Bypass] Ability to invite a new member in sandbox Organization

👉 https://hackerone.com/reports/1486417

🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #0619
🔹 State: 🟢 Resolved
🔹 Disclosed: April 14, 2022, 5:11pm (UTC)
Read and write beyond bounds in mod_sed

👉 https://hackerone.com/reports/1511619

🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #tdp3kel9g
🔹 State: 🟢 Resolved
🔹 Disclosed: April 14, 2022, 6:07pm (UTC)
Account takeover leading to PII chained with stored XSS

👉 https://hackerone.com/reports/1483201

🔹 Severity: High
🔹 Reported To: U.S. General Services Administration
🔹 Reported By: #hollaatm3
🔹 State: 🟢 Resolved
🔹 Disclosed: April 16, 2022, 8:20am (UTC)
[https://shipit-sox-staging.shopifycloud.com] Presence of multiple vulnerabilities present in Ruby On Rails

👉 https://hackerone.com/reports/1400309

🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #beastglatisant
🔹 State: 🟢 Resolved
🔹 Disclosed: April 16, 2022, 5:19pm (UTC)
SSRF restricted to HTTP/HTML on LINE Social Plugins (https://social-plugins.line.me/)

👉 https://hackerone.com/reports/860939

🔹 Severity: Medium | 💰 1,350 USD
🔹 Reported To: LINE
🔹 Reported By: #duahaubadao
🔹 State: 🟢 Resolved
🔹 Disclosed: April 18, 2022, 6:08am (UTC)
Use of unreleased features in programming education service (https://entry.line.me)

👉 https://hackerone.com/reports/975428

🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: LINE
🔹 Reported By: #tosun
🔹 State: 🟢 Resolved
🔹 Disclosed: April 18, 2022, 6:11am (UTC)
Deleting someone else's profile image with a GraphQL query in programming education service (https://entry.line.me)

👉 https://hackerone.com/reports/952095

🔹 Severity: Medium | 💰 600 USD
🔹 Reported To: LINE
🔹 Reported By: #tosun
🔹 State: 🟢 Resolved
🔹 Disclosed: April 18, 2022, 6:13am (UTC)
SSRF occurrence in website preview used by LINE Official Account Manager (https://manager.line.biz)

👉 https://hackerone.com/reports/1131608

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: LINE
🔹 Reported By: #jafarakhondali
🔹 State: 🟢 Resolved
🔹 Disclosed: April 18, 2022, 6:15am (UTC)
Archive Any Scope of a Program

👉 https://hackerone.com/reports/1501611

🔹 Severity: High | 💰 12,500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #ahacker1
🔹 State: 🟢 Resolved
🔹 Disclosed: April 18, 2022, 6:22pm (UTC)
xss on [developers.mtn.com]

👉 https://hackerone.com/reports/924851

🔹 Severity: Medium
🔹 Reported To: MTN Group
🔹 Reported By: #pisarenko
🔹 State: 🟢 Resolved
🔹 Disclosed: April 19, 2022, 7:58am (UTC)
Invitation Email is resent as a Reminder after invalidating pending email invites

👉 https://hackerone.com/reports/1486820

🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mattermost
🔹 Reported By: #mr_anksec
🔹 State: 🟢 Resolved
🔹 Disclosed: April 19, 2022, 11:37am (UTC)
Reflected XSS in the shared note view on https://evernote.com

👉 https://hackerone.com/reports/1518343

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Evernote
🔹 Reported By: #sarka
🔹 State: 🟢 Resolved
🔹 Disclosed: April 20, 2022, 7:37pm (UTC)
CORS Misconfiguration

👉 https://hackerone.com/reports/1530581

🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #shirshak
🔹 State: 🟢 Resolved
🔹 Disclosed: April 20, 2022, 8:15pm (UTC)
███ vulnerable to CVE-2022-22954

👉 https://hackerone.com/reports/1537694

🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #null_bytes
🔹 State: 🟢 Resolved
🔹 Disclosed: April 20, 2022, 8:16pm (UTC)
Full account takeover in ███████ due to lack of rate limiting in forgot password

👉 https://hackerone.com/reports/1059758

🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #takester
🔹 State: 🟢 Resolved
🔹 Disclosed: April 20, 2022, 8:17pm (UTC)
Open Akamai ARL XSS at ████████

👉 https://hackerone.com/reports/1317024

🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #whoisbinit
🔹 State: 🟢 Resolved
🔹 Disclosed: April 20, 2022, 8:18pm (UTC)
Timing difference exposes existence of accounts

👉 https://hackerone.com/reports/1391636

🔹 Severity: Low
🔹 Reported To: Zivver
🔹 Reported By: #martinvw
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:41am (UTC)
curl proceeds with unsafe connections when -K file can't be read

👉 https://hackerone.com/reports/1542881

🔹 Severity: High
🔹 Reported To: curl
🔹 Reported By: #medianmedianstride
🔹 State: ⚪️ Informative
🔹 Disclosed: April 21, 2022, 3:38pm (UTC)
Same the Url

👉 https://hackerone.com/reports/1459338

🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #4bel
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 6:54pm (UTC)