xss on [developers.mtn.com]

👉 https://hackerone.com/reports/924851

🔹 Severity: Medium
🔹 Reported To: MTN Group
🔹 Reported By: #pisarenko
🔹 State: 🟢 Resolved
🔹 Disclosed: April 19, 2022, 7:58am (UTC)

Invitation Email is resent as a Reminder after invalidating pending email invites

👉 https://hackerone.com/reports/1486820

🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mattermost
🔹 Reported By: #mr_anksec
🔹 State: 🟢 Resolved
🔹 Disclosed: April 19, 2022, 11:37am (UTC)

Reflected XSS in the shared note view on https://evernote.com

👉 https://hackerone.com/reports/1518343

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Evernote
🔹 Reported By: #sarka
🔹 State: 🟢 Resolved
🔹 Disclosed: April 20, 2022, 7:37pm (UTC)

CORS Misconfiguration

👉 https://hackerone.com/reports/1530581

🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #shirshak
🔹 State: 🟢 Resolved
🔹 Disclosed: April 20, 2022, 8:15pm (UTC)

███ vulnerable to CVE-2022-22954

👉 https://hackerone.com/reports/1537694

🔹 Severity: Critical
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #null_bytes
🔹 State: 🟢 Resolved
🔹 Disclosed: April 20, 2022, 8:16pm (UTC)

Full account takeover in ███████ due lack of rate limiting in forgot password

👉 https://hackerone.com/reports/1059758

🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #takester
🔹 State: 🟢 Resolved
🔹 Disclosed: April 20, 2022, 8:17pm (UTC)

Open Akamai ARL XSS at ████████

👉 https://hackerone.com/reports/1317024

🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #whoisbinit
🔹 State: 🟢 Resolved
🔹 Disclosed: April 20, 2022, 8:18pm (UTC)

Timing difference exposes existence of accounts

👉 https://hackerone.com/reports/1391636

🔹 Severity: Low
🔹 Reported To: Zivver
🔹 Reported By: #martinvw
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:41am (UTC)

curl proceeds with unsafe connections when -K file can't be read

👉 https://hackerone.com/reports/1542881

🔹 Severity: High
🔹 Reported To: curl
🔹 Reported By: #medianmedianstride
🔹 State: ⚪️ Informative
🔹 Disclosed: April 21, 2022, 3:38pm (UTC)

Same the Url

👉 https://hackerone.com/reports/1459338

🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #4bel
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 6:54pm (UTC)

[h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserRole

👉 https://hackerone.com/reports/1084638

🔹 Severity: Medium | 💰 950 USD
🔹 Reported To: Shopify
🔹 Reported By: #ramsexy
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 7:06pm (UTC)

User with no Develop apps permission can Uninstall Custom App

👉 https://hackerone.com/reports/1466855

🔹 Severity: Low | 💰 600 USD
🔹 Reported To: Shopify
🔹 Reported By: #ayyoub
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 8:33pm (UTC)

[h1-2102] [PLUS] User with Store Management Permission can Make enforceSamlOrganizationDomains call - that should be limited to User Management Only

👉 https://hackerone.com/reports/1084939

🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:05pm (UTC)

[h1-2102] [Plus] User with Store Management Permission can Make convertUsersFromSaml/convertUsersToSaml - that should be limited to User Management

👉 https://hackerone.com/reports/1084904

🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:05pm (UTC)

[h1-2102] [Plus] User with Store Management Permission can Make changeDomainEnforcementState - that should be limited to User Management Only

👉 https://hackerone.com/reports/1084892

🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:05pm (UTC)

Open redirect by the parameter redirectUri in the URL

👉 https://hackerone.com/reports/1250758

🔹 Severity: Low
🔹 Reported To: BlackRock
🔹 Reported By: #mrccrqr
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:10pm (UTC)

After changing the storefront password, the preview link is still valid

👉 https://hackerone.com/reports/1370749

🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #tomorrow_future
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:38pm (UTC)

Bypass of fix #1370749

👉 https://hackerone.com/reports/1489077

🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #encryptsaan123
🔹 State: 🟢 Resolved
🔹 Disclosed: April 22, 2022, 12:41am (UTC)

Attacker can bypass authentication build on ingress external auth (`nginx.ingress.kubernetes.io/auth-url`)

👉 https://hackerone.com/reports/1357948

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #thisbug
🔹 State: ⚪️ Informative
🔹 Disclosed: April 23, 2022, 7:07am (UTC)

Renderers can obtain access to random bluetooth device without permission

👉 https://hackerone.com/reports/1519099

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #palmeral
🔹 State: 🟢 Resolved
🔹 Disclosed: April 23, 2022, 5:23pm (UTC)

--libcurl code injection via trigraphs

👉 https://hackerone.com/reports/1548535

🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: ⚪️ Informative
🔹 Disclosed: April 24, 2022, 10:07pm (UTC)