Open Akamai ARL XSS at ████████
👉 https://hackerone.com/reports/1317024
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #whoisbinit
🔹 State: 🟢 Resolved
🔹 Disclosed: April 20, 2022, 8:18pm (UTC)
Timing difference exposes existence of accounts
👉 https://hackerone.com/reports/1391636
🔹 Severity: Low
🔹 Reported To: Zivver
🔹 Reported By: #martinvw
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:41am (UTC)
curl proceeds with unsafe connections when -K file can't be read
👉 https://hackerone.com/reports/1542881
🔹 Severity: High
🔹 Reported To: curl
🔹 Reported By: #medianmedianstride
🔹 State: ⚪️ Informative
🔹 Disclosed: April 21, 2022, 3:38pm (UTC)
Same the Url
👉 https://hackerone.com/reports/1459338
🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #4bel
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 6:54pm (UTC)
[h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserRole
👉 https://hackerone.com/reports/1084638
🔹 Severity: Medium | 💰 950 USD
🔹 Reported To: Shopify
🔹 Reported By: #ramsexy
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 7:06pm (UTC)
User with no Develop apps permission can Uninstall Custom App
👉 https://hackerone.com/reports/1466855
🔹 Severity: Low | 💰 600 USD
🔹 Reported To: Shopify
🔹 Reported By: #ayyoub
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 8:33pm (UTC)
[h1-2102] [PLUS] User with Store Management Permission can Make enforceSamlOrganizationDomains call - that should be limited to User Management Only
👉 https://hackerone.com/reports/1084939
🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:05pm (UTC)
[h1-2102] [Plus] User with Store Management Permission can Make convertUsersFromSaml/convertUsersToSaml - that should be limited to User Management
👉 https://hackerone.com/reports/1084904
🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:05pm (UTC)
[h1-2102] [Plus] User with Store Management Permission can Make changeDomainEnforcementState - that should be limited to User Management Only
👉 https://hackerone.com/reports/1084892
🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:05pm (UTC)
Open redirect by the parameter redirectUri in the URL
👉 https://hackerone.com/reports/1250758
🔹 Severity: Low
🔹 Reported To: BlackRock
🔹 Reported By: #mrccrqr
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:10pm (UTC)
After changing the storefront password, the preview link is still valid
👉 https://hackerone.com/reports/1370749
🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #tomorrow_future
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:38pm (UTC)
Bypass of fix #1370749
👉 https://hackerone.com/reports/1489077
🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #encryptsaan123
🔹 State: 🟢 Resolved
🔹 Disclosed: April 22, 2022, 12:41am (UTC)
Attacker can bypass authentication build on ingress external auth (`nginx.ingress.kubernetes.io/auth-url`)
👉 https://hackerone.com/reports/1357948
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #thisbug
🔹 State: ⚪️ Informative
🔹 Disclosed: April 23, 2022, 7:07am (UTC)
Renderers can obtain access to random bluetooth device without permission
👉 https://hackerone.com/reports/1519099
🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #palmeral
🔹 State: 🟢 Resolved
🔹 Disclosed: April 23, 2022, 5:23pm (UTC)
--libcurl code injection via trigraphs
👉 https://hackerone.com/reports/1548535
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: ⚪️ Informative
🔹 Disclosed: April 24, 2022, 10:07pm (UTC)
CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 bypass if string not 32 chars
👉 https://hackerone.com/reports/1549461
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🔴 N/A
🔹 Disclosed: April 25, 2022, 9:05am (UTC)
CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 comparison disaster
👉 https://hackerone.com/reports/1549435
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🔴 N/A
🔹 Disclosed: April 25, 2022, 10:58am (UTC)
Xss triggered in Your-store.myshopify.com/myshopify.com/admin/apps/shopify-email/editor/****
👉 https://hackerone.com/reports/1472471
🔹 Severity: Medium | 💰 2,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #danishalkatiri
🔹 State: 🟢 Resolved
🔹 Disclosed: April 25, 2022, 11:01am (UTC)
Visibility Robots.txt file
👉 https://hackerone.com/reports/1450014
🔹 Severity: No Rating
🔹 Reported To: Krisp
🔹 Reported By: #razahack
🔹 State: 🟤 Duplicate
🔹 Disclosed: April 25, 2022, 12:20pm (UTC)
Force User to Accept Attacker's invite [ Restrict user to create account]
👉 https://hackerone.com/reports/1420070
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Krisp
🔹 Reported By: #sammam
🔹 State: 🟢 Resolved
🔹 Disclosed: April 25, 2022, 12:27pm (UTC)
Local file disclosure through SSRF at next.nutanix.com
👉 https://hackerone.com/reports/471520
🔹 Severity: High
🔹 Reported To: Nutanix
🔹 Reported By: #tosun
🔹 State: 🟢 Resolved
🔹 Disclosed: April 25, 2022, 10:27pm (UTC)