Error in Deleting Deck cards attachment reveals the full path of the website

👉 https://hackerone.com/reports/1354334

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #ctulhu
🔹 State: 🟢 Resolved
🔹 Disclosed: May 20, 2022, 2:04pm (UTC)

Arbitrary POST request as victim user from HTML injection in Jupyter notebooks

👉 https://hackerone.com/reports/1409788

🔹 Severity: High | 💰 8,690 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: May 20, 2022, 2:32pm (UTC)

Clickjacking at app.lemlist.com

👉 https://hackerone.com/reports/1574017

🔹 Severity: High
🔹 Reported To: lemlist
🔹 Reported By: #ondermedia
🔹 State: 🟢 Resolved
🔹 Disclosed: May 20, 2022, 3:04pm (UTC)

Possible Domain Takeover on AWS Instance.

👉 https://hackerone.com/reports/1390782

🔹 Severity: Low
🔹 Reported To: Rocket.Chat
🔹 Reported By: #samuelsiv
🔹 State: 🟢 Resolved
🔹 Disclosed: May 22, 2022, 8:18pm (UTC)

Email Verification Bypass by bruteforcing when setting up 2FA

👉 https://hackerone.com/reports/1394984

🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Evernote
🔹 Reported By: #cyberworlcload
🔹 State: 🟢 Resolved
🔹 Disclosed: May 22, 2022, 9:41pm (UTC)

[Java]: Flow sources and steps for JMS and RabbitMQ

👉 https://hackerone.com/reports/1579235

🔹 Severity: Medium
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #not_specified
🔹 State: 🟢 Resolved
🔹 Disclosed: May 23, 2022, 8:45pm (UTC)

[python]: Zip Slip Vulnerability

👉 https://hackerone.com/reports/1572496

🔹 Severity: Low | 💰 1,000 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #farid_hunter
🔹 State: 🟢 Resolved
🔹 Disclosed: May 23, 2022, 8:46pm (UTC)

Stored XSS in photos_user_map.gne

👉 https://hackerone.com/reports/1534636

🔹 Severity: High | 💰 3,263 USD
🔹 Reported To: Flickr
🔹 Reported By: #keer0k
🔹 State: 🟢 Resolved
🔹 Disclosed: May 23, 2022, 11:21pm (UTC)

Open redirect bypass

👉 https://hackerone.com/reports/1513031

🔹 Severity: Low | 💰 300 USD
🔹 Reported To: Flickr
🔹 Reported By: #xlord91
🔹 State: 🟢 Resolved
🔹 Disclosed: May 23, 2022, 11:23pm (UTC)

Cross-site noscripting on dashboard2.omise.co

👉 https://hackerone.com/reports/1532858

🔹 Severity: Critical | 💰 200 USD
🔹 Reported To: Omise
🔹 Reported By: #oblivionlight
🔹 State: 🟢 Resolved
🔹 Disclosed: May 24, 2022, 11:54am (UTC)

[com.exness.android.pa Android] Universal XSS in webview. Lead to steal user cookies

👉 https://hackerone.com/reports/532836

🔹 Severity: No Rating | 💰 400 USD
🔹 Reported To: EXNESS
🔹 Reported By: #nearsecurity
🔹 State: 🟢 Resolved
🔹 Disclosed: May 24, 2022, 3:24pm (UTC)

Critical broken cookie signing on dagobah.flickr.com

👉 https://hackerone.com/reports/1440290

🔹 Severity: Medium | 💰 479 USD
🔹 Reported To: Flickr
🔹 Reported By: #ian
🔹 State: 🟢 Resolved
🔹 Disclosed: May 24, 2022, 11:56pm (UTC)

Email templates XSS by filterXSS bypass

👉 https://hackerone.com/reports/1404804

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Judge.me
🔹 Reported By: #caue
🔹 State: 🟢 Resolved
🔹 Disclosed: May 25, 2022, 7:45am (UTC)

Stored XSS in Notes (with CSP bypass for gitlab.com)

👉 https://hackerone.com/reports/1481207

🔹 Severity: High | 💰 13,950 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: May 25, 2022, 12:09pm (UTC)

Blind XSS in app.pullrequest.com/████████ via /reviews/ratings/{uuid}

👉 https://hackerone.com/reports/1558010

🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #bugra
🔹 State: 🟢 Resolved
🔹 Disclosed: May 25, 2022, 4:28pm (UTC)

Read Other Users Reports Through Cloning

👉 https://hackerone.com/reports/1505609

🔹 Severity: Medium
🔹 Reported To: U.S. General Services Administration
🔹 Reported By: #hollaatm3
🔹 State: 🟢 Resolved
🔹 Disclosed: May 26, 2022, 12:41pm (UTC)

[Urgent] Critical Vulnerability [RCE] on ███ vulnerable to Remote Code Execution by exploiting MS15-034, CVE-2015-1635

👉 https://hackerone.com/reports/469730

🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #ashutosh7
🔹 State: 🟢 Resolved
🔹 Disclosed: May 26, 2022, 4:23pm (UTC)

Full read SSRF in flyte-poc-us-east4.uberinternal.com

👉 https://hackerone.com/reports/1540906

🔹 Severity: Medium | 💰 2,000 USD
🔹 Reported To: Uber
🔹 Reported By: #ian
🔹 State: 🟢 Resolved
🔹 Disclosed: May 26, 2022, 10:18pm (UTC)

Notification implicit PendingIntent in com.nextcloud.client allows to access contacts

👉 https://hackerone.com/reports/1161401

🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #qj_test
🔹 State: 🟢 Resolved
🔹 Disclosed: May 27, 2022, 7:23am (UTC)

Control character filtering misses leading and trailing whitespace in file and folder names

👉 https://hackerone.com/reports/1402249

🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #david_h1
🔹 State: 🟢 Resolved
🔹 Disclosed: May 27, 2022, 7:23am (UTC)

CVE-2022-28738: Double free in Regexp compilation

👉 https://hackerone.com/reports/1549636

🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #piao
🔹 State: 🟢 Resolved
🔹 Disclosed: May 28, 2022, 6:18pm (UTC)