Blind XSS in app.pullrequest.com/████████ via /reviews/ratings/{uuid}

👉 https://hackerone.com/reports/1558010

🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #bugra
🔹 State: 🟢 Resolved
🔹 Disclosed: May 25, 2022, 4:28pm (UTC)

Read Other Users Reports Through Cloning

👉 https://hackerone.com/reports/1505609

🔹 Severity: Medium
🔹 Reported To: U.S. General Services Administration
🔹 Reported By: #hollaatm3
🔹 State: 🟢 Resolved
🔹 Disclosed: May 26, 2022, 12:41pm (UTC)

[Urgent] Critical Vulnerability [RCE] on ███ vulnerable to Remote Code Execution by exploiting MS15-034, CVE-2015-1635

👉 https://hackerone.com/reports/469730

🔹 Severity: High
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #ashutosh7
🔹 State: 🟢 Resolved
🔹 Disclosed: May 26, 2022, 4:23pm (UTC)

Full read SSRF in flyte-poc-us-east4.uberinternal.com

👉 https://hackerone.com/reports/1540906

🔹 Severity: Medium | 💰 2,000 USD
🔹 Reported To: Uber
🔹 Reported By: #ian
🔹 State: 🟢 Resolved
🔹 Disclosed: May 26, 2022, 10:18pm (UTC)

Notification implicit PendingIntent in com.nextcloud.client allows to access contacts

👉 https://hackerone.com/reports/1161401

🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #qj_test
🔹 State: 🟢 Resolved
🔹 Disclosed: May 27, 2022, 7:23am (UTC)

Control character filtering misses leading and trailing whitespace in file and folder names

👉 https://hackerone.com/reports/1402249

🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #david_h1
🔹 State: 🟢 Resolved
🔹 Disclosed: May 27, 2022, 7:23am (UTC)

CVE-2022-28738: Double free in Regexp compilation

👉 https://hackerone.com/reports/1549636

🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #piao
🔹 State: 🟢 Resolved
🔹 Disclosed: May 28, 2022, 6:18pm (UTC)

Users who are restricted to use the application because of a "Waiting List" are able to get access to the Beta Application by bypassing the waitlist

👉 https://hackerone.com/reports/1494308

🔹 Severity: Low
🔹 Reported To: Alohi
🔹 Reported By: #darkknight4688
🔹 State: 🟢 Resolved
🔹 Disclosed: May 30, 2022, 9:21am (UTC)

Self XSS in attachments name

👉 https://hackerone.com/reports/1536901

🔹 Severity: Low
🔹 Reported To: Acronis
🔹 Reported By: #mega7
🔹 State: 🟢 Resolved
🔹 Disclosed: May 31, 2022, 9:10am (UTC)

BlIND XSS on https://open.vanillaforums.com

👉 https://hackerone.com/reports/1189885

🔹 Severity: High | 💰 300 USD
🔹 Reported To: Vanilla
🔹 Reported By: #mohit0786
🔹 State: 🟢 Resolved
🔹 Disclosed: May 31, 2022, 10:15am (UTC)

Improper input-size validation on the user new session name can result in server-side DDoS.

👉 https://hackerone.com/reports/1153138

🔹 Severity: Medium | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #demonia
🔹 State: 🟢 Resolved
🔹 Disclosed: May 31, 2022, 2:37pm (UTC)

CSRF token validation system is disabled on Stripe Dashboard

👉 https://hackerone.com/reports/1493437

🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: Stripe
🔹 Reported By: #rodolfomarianocy
🔹 State: 🟢 Resolved
🔹 Disclosed: May 31, 2022, 5:05pm (UTC)

DOM XSS on www.adobe.com

👉 https://hackerone.com/reports/1260825

🔹 Severity: Medium
🔹 Reported To: Adobe
🔹 Reported By: #saajanbhujel
🔹 State: 🟢 Resolved
🔹 Disclosed: May 31, 2022, 5:14pm (UTC)

Able to bypass the fix on DOM XSS at [www.adobe.com]

👉 https://hackerone.com/reports/1398374

🔹 Severity: Medium
🔹 Reported To: Adobe
🔹 Reported By: #saajanbhujel
🔹 State: 🟢 Resolved
🔹 Disclosed: May 31, 2022, 5:16pm (UTC)

Deprecated owners.query API bypasses object view policy

👉 https://hackerone.com/reports/1584409

🔹 Severity: No Rating | 💰 300 USD
🔹 Reported To: Phabricator
🔹 Reported By: #dyls
🔹 State: 🟢 Resolved
🔹 Disclosed: May 31, 2022, 7:14pm (UTC)

Django debug enabled showing information about system, database, configuration files

👉 https://hackerone.com/reports/1561377

🔹 Severity: Medium
🔹 Reported To: Glovo
🔹 Reported By: #omarelfarsaoui
🔹 State: 🟢 Resolved
🔹 Disclosed: May 31, 2022, 9:28pm (UTC)

user can bypass password enforcement when federated sharing is enabled

👉 https://hackerone.com/reports/838510

🔹 Severity: No Rating | 💰 250 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #michag86
🔹 State: 🟢 Resolved
🔹 Disclosed: June 1, 2022, 1:52pm (UTC)

Exfiltrate GDrive access token using CSRF

👉 https://hackerone.com/reports/1468010

🔹 Severity: Medium | 💰 1,728 USD
🔹 Reported To: Dropbox
🔹 Reported By: #staz0t
🔹 State: 🟢 Resolved
🔹 Disclosed: June 1, 2022, 9:04pm (UTC)

AWS Load Balancer Controller can be used by an attacker to modify rules of any Security Group that they are able to tag

👉 https://hackerone.com/reports/1238482

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #t0rr3sp3dr0
🔹 State: 🔴 N/A
🔹 Disclosed: June 2, 2022, 12:49am (UTC)

AWS Load Balancer Controller Managed Security Groups can be replaced by an unprivileged attacker

👉 https://hackerone.com/reports/1238017

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #t0rr3sp3dr0
🔹 State: 🔴 N/A
🔹 Disclosed: June 2, 2022, 12:49am (UTC)

8ybhy85kld9zp9xf84x6.imgur.com Subdomain Takeover

👉 https://hackerone.com/reports/1527405

🔹 Severity: High | 💰 50 USD
🔹 Reported To: Imgur
🔹 Reported By: #mr_baka
🔹 State: 🟢 Resolved
🔹 Disclosed: June 3, 2022, 5:45pm (UTC)