Renderers can obtain access to random bluetooth device without permission
👉 https://hackerone.com/reports/1519099
🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #palmeral
🔹 State: 🟢 Resolved
🔹 Disclosed: April 23, 2022, 5:23pm (UTC)
--libcurl code injection via trigraphs
👉 https://hackerone.com/reports/1548535
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: ⚪️ Informative
🔹 Disclosed: April 24, 2022, 10:07pm (UTC)
CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 bypass if string not 32 chars
👉 https://hackerone.com/reports/1549461
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🔴 N/A
🔹 Disclosed: April 25, 2022, 9:05am (UTC)
CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 comparison disaster
👉 https://hackerone.com/reports/1549435
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🔴 N/A
🔹 Disclosed: April 25, 2022, 10:58am (UTC)
Xss triggered in Your-store.myshopify.com/myshopify.com/admin/apps/shopify-email/editor/****
👉 https://hackerone.com/reports/1472471
🔹 Severity: Medium | 💰 2,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #danishalkatiri
🔹 State: 🟢 Resolved
🔹 Disclosed: April 25, 2022, 11:01am (UTC)
Visibility Robots.txt file
👉 https://hackerone.com/reports/1450014
🔹 Severity: No Rating
🔹 Reported To: Krisp
🔹 Reported By: #razahack
🔹 State: 🟤 Duplicate
🔹 Disclosed: April 25, 2022, 12:20pm (UTC)
Force User to Accept Attacker's invite [ Restrict user to create account]
👉 https://hackerone.com/reports/1420070
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Krisp
🔹 Reported By: #sammam
🔹 State: 🟢 Resolved
🔹 Disclosed: April 25, 2022, 12:27pm (UTC)
Local file disclosure through SSRF at next.nutanix.com
👉 https://hackerone.com/reports/471520
🔹 Severity: High
🔹 Reported To: Nutanix
🔹 Reported By: #tosun
🔹 State: 🟢 Resolved
🔹 Disclosed: April 25, 2022, 10:27pm (UTC)
RCE via exposed JMX server on jabber.37signals.com/jabber.basecamp.com
👉 https://hackerone.com/reports/1456063
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Basecamp
🔹 Reported By: #ian
🔹 State: 🟢 Resolved
🔹 Disclosed: April 26, 2022, 7:01am (UTC)
Stored XSS in "product type" field executed via product filters
👉 https://hackerone.com/reports/1404770
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Judge.me
🔹 Reported By: #glister
🔹 State: 🟢 Resolved
🔹 Disclosed: April 26, 2022, 4:11pm (UTC)
SQL Injection on https://soa-accp.glbx.tva.gov/ via "/api/" path - VI-21-015
👉 https://hackerone.com/reports/1125752
🔹 Severity: Critical
🔹 Reported To: Tennessee Valley Authority
🔹 Reported By: #yassinek3ch
🔹 State: 🟢 Resolved
🔹 Disclosed: April 26, 2022, 7:33pm (UTC)
CVE-2022-27774: Credential leak on redirect
👉 https://hackerone.com/reports/1543773
🔹 Severity: High
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: April 27, 2022, 9:58am (UTC)
CVE-2022-27775: Bad local IPv6 connection reuse
👉 https://hackerone.com/reports/1546268
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: April 27, 2022, 9:58am (UTC)
CVE-2022-27776: Auth/cookie leak on redirect
👉 https://hackerone.com/reports/1547048
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: April 27, 2022, 9:58am (UTC)
Container escape on public GitLab CI runners
👉 https://hackerone.com/reports/1442118
🔹 Severity: High
🔹 Reported To: GitLab
🔹 Reported By: #ec0
🔹 State: ⚪️ Informative
🔹 Disclosed: April 27, 2022, 11:12am (UTC)
subdomain takeover (abandoned Zendesk █.easycontactnow.com)
👉 https://hackerone.com/reports/1486670
🔹 Severity: Medium
🔹 Reported To: 8x8
🔹 Reported By: #bx_1
🔹 State: 🟢 Resolved
🔹 Disclosed: April 28, 2022, 5:59am (UTC)
CVE-2022-27774: Credential leak on redirect
👉 https://hackerone.com/reports/1551586
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: April 29, 2022, 6:32am (UTC)
CVE-2022-27775: Bad local IPv6 connection reuse
👉 https://hackerone.com/reports/1551588
🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: April 29, 2022, 6:32am (UTC)
CVE-2022-27776: Auth/cookie leak on redirect
👉 https://hackerone.com/reports/1551591
🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: April 29, 2022, 6:32am (UTC)
DoS via large console messages
👉 https://hackerone.com/reports/1243724
🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mattermost
🔹 Reported By: #thesecuritydev
🔹 State: 🟢 Resolved
🔹 Disclosed: April 29, 2022, 7:11am (UTC)
CVE-2022-22576: OAUTH2 bearer bypass in connection re-use
👉 https://hackerone.com/reports/1526328
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #monnerat
🔹 State: 🟢 Resolved
🔹 Disclosed: April 29, 2022, 11:27am (UTC)