Bugpoint – Telegram
Bugpoint
1.06K subscribers
3.73K photos
3.73K links
Latest updates about disclosure bug bounty reports: tech details, impacts, bounties 📣

Rate👇
https://cutt.ly/bugpoint_rate
Feedback👇
https://cutt.ly/bugpoint_feedback

#️⃣ bug bounty disclosed reports
#️⃣ bug bounty write-ups
#️⃣ bug bounty teleg
[h1-2102] [Plus] User with Store Management Permission can Make changeDomainEnforcementState - that should be limited to User Management Only

👉 https://hackerone.com/reports/1084892

🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:05pm (UTC)
Open redirect by the parameter redirectUri in the URL

👉 https://hackerone.com/reports/1250758

🔹 Severity: Low
🔹 Reported To: BlackRock
🔹 Reported By: #mrccrqr
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:10pm (UTC)
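The report above only names the parameter (`redirectUri`), not the validation that was missing. As an added illustration, not code from that report or from BlackRock, here is the allow-list check a practitioner would want on such a parameter. The host allow-list and the inputs are constructed for the example; the tricky cases it rejects (`//host`, `///host`, backslashes, `https:host`, userinfo `@` tricks, non-default ports, control characters) are the usual ways a "same-site" check gets bypassed by browsers' URL parsing.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example; a real application loads its own.
ALLOWED_HOSTS = {"app.example.com", "login.example.com"}


def is_safe_redirect(redirect_uri: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-site relative path or an absolute https URL whose
    host is on the allow-list (default port). Everything else is rejected."""
    if not redirect_uri:
        return False
    # Browsers treat "\" like "/" in the authority position, so "/\evil.com"
    # is "//evil.com" to them. Normalise first so we parse what they parse.
    candidate = redirect_uri.replace("\\", "/")
    # Control characters and spaces never belong in a redirect target
    # (header injection, tab/newline host smuggling).
    if any(ord(c) < 0x20 or c == " " for c in candidate):
        return False
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target. "//host" and "///host" both become a new host in a
        # browser (extra slashes are skipped for http/https), so require
        # exactly one leading "/".
        return candidate.startswith("/") and not candidate.startswith("//")
    if parts.scheme.lower() != "https":
        return False           # http, javascript:, data:, "https:evil.com" ...
    # hostname strips userinfo and port, so "https://app.example.com@evil.com"
    # yields "evil.com" and fails the allow-list check below.
    host = (parts.hostname or "").lower()
    try:
        port = parts.port     # raises ValueError on a garbage port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    return host in allowed_hosts
```

Use the function as the single gate before emitting the `Location` header; anything that fails it falls back to a fixed default page rather than to the user-supplied value.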
After changing the storefront password, the preview link is still valid

👉 https://hackerone.com/reports/1370749

🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #tomorrow_future
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:38pm (UTC)
Bypass of fix #1370749

👉 https://hackerone.com/reports/1489077

🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #encryptsaan123
🔹 State: 🟢 Resolved
🔹 Disclosed: April 22, 2022, 12:41am (UTC)
Attacker can bypass authentication build on ingress external auth (`nginx.ingress.kubernetes.io/auth-url`)

👉 https://hackerone.com/reports/1357948

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #thisbug
🔹 State: ⚪️ Informative
🔹 Disclosed: April 23, 2022, 7:07am (UTC)
Renderers can obtain access to random bluetooth device without permission

👉 https://hackerone.com/reports/1519099

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #palmeral
🔹 State: 🟢 Resolved
🔹 Disclosed: April 23, 2022, 5:23pm (UTC)
--libcurl code injection via trigraphs

👉 https://hackerone.com/reports/1548535

🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: ⚪️ Informative
🔹 Disclosed: April 24, 2022, 10:07pm (UTC)
CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 bypass if string not 32 chars

👉 https://hackerone.com/reports/1549461

🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🔴 N/A
🔹 Disclosed: April 25, 2022, 9:05am (UTC)
CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 comparison disaster

👉 https://hackerone.com/reports/1549435

🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🔴 N/A
🔹 Disclosed: April 25, 2022, 10:58am (UTC)
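The two curl titles above (MD5 pin "bypass if string not 32 chars", SHA256 "comparison disaster") describe failure modes of a host-key pinning check; both reports were closed N/A on the page. As an added example that is not libcurl's code and does not reproduce either report's specifics, here is how a host-key pin check should fail closed: a malformed, truncated or wrong-length expected fingerprint is rejected outright rather than causing the comparison to be skipped or to match a prefix. The key blob is a constructed byte string, and the fingerprint formats assumed are the conventional ones (32 hex chars for MD5, base64 of the raw SHA-256 digest for SHA256).

```python
import base64
import hashlib
import hmac
import re

# Exactly 32 hex characters; anything else is not a valid MD5 pin.
MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")


def md5_fingerprint(key_blob: bytes) -> str:
    return hashlib.md5(key_blob).hexdigest()


def sha256_fingerprint(key_blob: bytes) -> str:
    # OpenSSH-style: base64 of the raw digest with trailing '=' removed.
    return base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")


def _decode_sha256_pin(pin: str):
    """Return the 32 raw digest bytes for a SHA256 pin, or None if malformed."""
    if pin.startswith("SHA256:"):
        pin = pin[len("SHA256:"):]
    pin = pin.rstrip("=")
    try:
        raw = base64.b64decode(pin + "=" * (-len(pin) % 4), validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return None
    return raw if len(raw) == 32 else None


def verify_host_key(key_blob: bytes, expected_md5=None, expected_sha256=None) -> bool:
    """Every configured pin must parse AND match. No pin configured, or a pin
    that does not parse, is a failure, never a silent skip."""
    if expected_md5 is None and expected_sha256 is None:
        return False
    ok = True
    if expected_md5 is not None:
        if not MD5_HEX.match(expected_md5):
            return False        # 31 chars, empty string, colons: all rejected
        ok = ok and hmac.compare_digest(md5_fingerprint(key_blob).lower(),
                                        expected_md5.lower())
    if expected_sha256 is not None:
        raw = _decode_sha256_pin(expected_sha256)
        if raw is None:
            return False        # truncated or non-base64 pin
        # Compare full fixed-length digests, not strings of varying length.
        ok = ok and hmac.compare_digest(hashlib.sha256(key_blob).digest(), raw)
    return ok


# Constructed key blob for the example; a real caller passes the server's
# public key bytes from the SSH key exchange.
SAMPLE_KEY = b"ssh-ed25519 constructed-test-key-blob"
```

The two properties worth copying are the explicit length/format check before comparing and the use of `hmac.compare_digest` on fixed-length values, so that neither a short pin nor a timing difference can turn the pin into a no-op.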
Xss triggered in Your-store.myshopify.com/myshopify.com/admin/apps/shopify-email/editor/****

👉 https://hackerone.com/reports/1472471

🔹 Severity: Medium | 💰 2,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #danishalkatiri
🔹 State: 🟢 Resolved
🔹 Disclosed: April 25, 2022, 11:01am (UTC)
Visibility Robots.txt file

👉 https://hackerone.com/reports/1450014

🔹 Severity: No Rating
🔹 Reported To: Krisp
🔹 Reported By: #razahack
🔹 State: 🟤 Duplicate
🔹 Disclosed: April 25, 2022, 12:20pm (UTC)
Force User to Accept Attacker's invite [ Restrict user to create account]

👉 https://hackerone.com/reports/1420070

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Krisp
🔹 Reported By: #sammam
🔹 State: 🟢 Resolved
🔹 Disclosed: April 25, 2022, 12:27pm (UTC)
Local file disclosure through SSRF at next.nutanix.com

👉 https://hackerone.com/reports/471520

🔹 Severity: High
🔹 Reported To: Nutanix
🔹 Reported By: #tosun
🔹 State: 🟢 Resolved
🔹 Disclosed: April 25, 2022, 10:27pm (UTC)
RCE via exposed JMX server on jabber.37signals.com/jabber.basecamp.com

👉 https://hackerone.com/reports/1456063

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Basecamp
🔹 Reported By: #ian
🔹 State: 🟢 Resolved
🔹 Disclosed: April 26, 2022, 7:01am (UTC)
Stored XSS in "product type" field executed via product filters

👉 https://hackerone.com/reports/1404770

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Judge.me
🔹 Reported By: #glister
🔹 State: 🟢 Resolved
🔹 Disclosed: April 26, 2022, 4:11pm (UTC)
SQL Injection on https://soa-accp.glbx.tva.gov/ via "/api/" path - VI-21-015

👉 https://hackerone.com/reports/1125752

🔹 Severity: Critical
🔹 Reported To: Tennessee Valley Authority
🔹 Reported By: #yassinek3ch
🔹 State: 🟢 Resolved
🔹 Disclosed: April 26, 2022, 7:33pm (UTC)
CVE-2022-27774: Credential leak on redirect

👉 https://hackerone.com/reports/1543773

🔹 Severity: High
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: April 27, 2022, 9:58am (UTC)
CVE-2022-27775: Bad local IPv6 connection reuse

👉 https://hackerone.com/reports/1546268

🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: April 27, 2022, 9:58am (UTC)
CVE-2022-27776: Auth/cookie leak on redirect

👉 https://hackerone.com/reports/1547048

🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: April 27, 2022, 9:58am (UTC)
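CVE-2022-27774 and CVE-2022-27776 above are both about a client forwarding credentials, `Authorization` headers or cookies across a redirect that lands on the same host but a different protocol or port. As an added example that is not curl's code, here is the redirect policy a client should apply: credential-bearing material is reused only when the (scheme, host, port) triple of the target is identical to the origin, with default ports normalised so `https://h/` and `https://h:443/` count as the same. The URLs and headers are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Headers that carry secrets and must not cross an origin boundary.
SENSITIVE_HEADERS = {"authorization", "cookie"}


def origin_of(url: str):
    """(scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def plan_redirect(origin_url: str, location: str, headers: dict, credentials=None) -> dict:
    """Decide what to send when `origin_url` answered with Location: `location`.

    `credentials` stands for user:password configured for the request (the
    equivalent of URL userinfo or CURLOPT_USERPWD). Same origin: everything is
    reused. Different scheme, host OR port: sensitive headers and credentials
    are dropped, other headers are kept."""
    target = urljoin(origin_url, location)
    if origin_of(origin_url) == origin_of(target):
        return {"url": target, "headers": dict(headers), "credentials": credentials}
    kept = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
    return {"url": target, "headers": kept, "credentials": None}


# Constructed request for the example.
ORIGIN = "https://api.example.com/login"
HEADERS = {"Authorization": "Bearer t0ken", "Cookie": "sid=abc", "Accept": "*/*"}
```

Note that the check is on the port as well as the host: a redirect to `https://api.example.com:8443/` is treated as a different origin even though the hostname is unchanged, which is exactly the case the two advisories describe.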
Container escape on public GitLab CI runners

👉 https://hackerone.com/reports/1442118

🔹 Severity: High
🔹 Reported To: GitLab
🔹 Reported By: #ec0
🔹 State: ⚪️ Informative
🔹 Disclosed: April 27, 2022, 11:12am (UTC)
subdomain takeover (abandoned Zendesk █.easycontactnow.com)

👉 https://hackerone.com/reports/1486670

🔹 Severity: Medium
🔹 Reported To: 8x8
🔹 Reported By: #bx_1
🔹 State: 🟢 Resolved
🔹 Disclosed: April 28, 2022, 5:59am (UTC)