Account takeover leading to PII chained with stored XSS

👉 https://hackerone.com/reports/1483201

🔹 Severity: High
🔹 Reported To: U.S. General Services Administration
🔹 Reported By: #hollaatm3
🔹 State: 🟢 Resolved
🔹 Disclosed: April 16, 2022, 8:20am (UTC)

[https://shipit-sox-staging.shopifycloud.com] Presence of multiple vulnerabilities present in Ruby On Rails

👉 https://hackerone.com/reports/1400309

🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #beastglatisant
🔹 State: 🟢 Resolved
🔹 Disclosed: April 16, 2022, 5:19pm (UTC)

SSRF restricted to HTTP/HTML on LINE Social Plugins (https://social-plugins.line.me/)

👉 https://hackerone.com/reports/860939

🔹 Severity: Medium | 💰 1,350 USD
🔹 Reported To: LINE
🔹 Reported By: #duahaubadao
🔹 State: 🟢 Resolved
🔹 Disclosed: April 18, 2022, 6:08am (UTC)

Use of unreleased features in programming education service (https://entry.line.me)

👉 https://hackerone.com/reports/975428

🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: LINE
🔹 Reported By: #tosun
🔹 State: 🟢 Resolved
🔹 Disclosed: April 18, 2022, 6:11am (UTC)

Deleting someone else's profile image with a GraphQL query in programming education service (https://entry.line.me)

👉 https://hackerone.com/reports/952095

🔹 Severity: Medium | 💰 600 USD
🔹 Reported To: LINE
🔹 Reported By: #tosun
🔹 State: 🟢 Resolved
🔹 Disclosed: April 18, 2022, 6:13am (UTC)

SSRF occurrence in website preview used by LINE Official Account Manager (https://manager.line.biz)

👉 https://hackerone.com/reports/1131608

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: LINE
🔹 Reported By: #jafarakhondali
🔹 State: 🟢 Resolved
🔹 Disclosed: April 18, 2022, 6:15am (UTC)

Archive Any Scope of a Program

👉 https://hackerone.com/reports/1501611

🔹 Severity: High | 💰 12,500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #ahacker1
🔹 State: 🟢 Resolved
🔹 Disclosed: April 18, 2022, 6:22pm (UTC)

xss on [developers.mtn.com]

👉 https://hackerone.com/reports/924851

🔹 Severity: Medium
🔹 Reported To: MTN Group
🔹 Reported By: #pisarenko
🔹 State: 🟢 Resolved
🔹 Disclosed: April 19, 2022, 7:58am (UTC)

Invitation Email is resent as a Reminder after invalidating pending email invites

👉 https://hackerone.com/reports/1486820

🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mattermost
🔹 Reported By: #mr_anksec
🔹 State: 🟢 Resolved
🔹 Disclosed: April 19, 2022, 11:37am (UTC)

Reflected XSS in the shared note view on https://evernote.com

👉 https://hackerone.com/reports/1518343

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Evernote
🔹 Reported By: #sarka
🔹 State: 🟢 Resolved
🔹 Disclosed: April 20, 2022, 7:37pm (UTC)

CORS Misconfiguration

👉 https://hackerone.com/reports/1530581

🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #shirshak
🔹 State: 🟢 Resolved
🔹 Disclosed: April 20, 2022, 8:15pm (UTC)

███ vulnerable to CVE-2022-22954

👉 https://hackerone.com/reports/1537694

🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #null_bytes
🔹 State: 🟢 Resolved
🔹 Disclosed: April 20, 2022, 8:16pm (UTC)

Full account takeover in ███████ due lack of rate limiting in forgot password

👉 https://hackerone.com/reports/1059758

🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #takester
🔹 State: 🟢 Resolved
🔹 Disclosed: April 20, 2022, 8:17pm (UTC)

Open Akamai ARL XSS at ████████

👉 https://hackerone.com/reports/1317024

🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #whoisbinit
🔹 State: 🟢 Resolved
🔹 Disclosed: April 20, 2022, 8:18pm (UTC)

Timing difference exposes existence of accounts

👉 https://hackerone.com/reports/1391636

🔹 Severity: Low
🔹 Reported To: Zivver
🔹 Reported By: #martinvw
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:41am (UTC)

curl proceeds with unsafe connections when -K file can't be read

👉 https://hackerone.com/reports/1542881

🔹 Severity: High
🔹 Reported To: curl
🔹 Reported By: #medianmedianstride
🔹 State: ⚪️ Informative
🔹 Disclosed: April 21, 2022, 3:38pm (UTC)

Same the Url

👉 https://hackerone.com/reports/1459338

🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #4bel
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 6:54pm (UTC)

[h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserRole

👉 https://hackerone.com/reports/1084638

🔹 Severity: Medium | 💰 950 USD
🔹 Reported To: Shopify
🔹 Reported By: #ramsexy
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 7:06pm (UTC)

User with no Develop apps permission can Uninstall Custom App

👉 https://hackerone.com/reports/1466855

🔹 Severity: Low | 💰 600 USD
🔹 Reported To: Shopify
🔹 Reported By: #ayyoub
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 8:33pm (UTC)

[h1-2102] [PLUS] User with Store Management Permission can Make enforceSamlOrganizationDomains call - that should be limited to User Management Only

👉 https://hackerone.com/reports/1084939

🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:05pm (UTC)

[h1-2102] [Plus] User with Store Management Permission can Make convertUsersFromSaml/convertUsersToSaml - that should be limited to User Management

👉 https://hackerone.com/reports/1084904

🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:05pm (UTC)