Deprecated owners.query API bypasses object view policy

👉 https://hackerone.com/reports/1584409

🔹 Severity: No Rating | 💰 300 USD
🔹 Reported To: Phabricator
🔹 Reported By: #dyls
🔹 State: 🟢 Resolved
🔹 Disclosed: May 31, 2022, 7:14pm (UTC)

Django debug enabled showing information about system, database, configuration files

👉 https://hackerone.com/reports/1561377

🔹 Severity: Medium
🔹 Reported To: Glovo
🔹 Reported By: #omarelfarsaoui
🔹 State: 🟢 Resolved
🔹 Disclosed: May 31, 2022, 9:28pm (UTC)

user can bypass password enforcement when federated sharing is enabled

👉 https://hackerone.com/reports/838510

🔹 Severity: No Rating | 💰 250 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #michag86
🔹 State: 🟢 Resolved
🔹 Disclosed: June 1, 2022, 1:52pm (UTC)

Exfiltrate GDrive access token using CSRF

👉 https://hackerone.com/reports/1468010

🔹 Severity: Medium | 💰 1,728 USD
🔹 Reported To: Dropbox
🔹 Reported By: #staz0t
🔹 State: 🟢 Resolved
🔹 Disclosed: June 1, 2022, 9:04pm (UTC)

AWS Load Balancer Controller can be used by an attacker to modify rules of any Security Group that they are able to tag

👉 https://hackerone.com/reports/1238482

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #t0rr3sp3dr0
🔹 State: 🔴 N/A
🔹 Disclosed: June 2, 2022, 12:49am (UTC)

AWS Load Balancer Controller Managed Security Groups can be replaced by an unprivileged attacker

👉 https://hackerone.com/reports/1238017

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #t0rr3sp3dr0
🔹 State: 🔴 N/A
🔹 Disclosed: June 2, 2022, 12:49am (UTC)

8ybhy85kld9zp9xf84x6.imgur.com Subdomain Takeover

👉 https://hackerone.com/reports/1527405

🔹 Severity: High | 💰 50 USD
🔹 Reported To: Imgur
🔹 Reported By: #mr_baka
🔹 State: 🟢 Resolved
🔹 Disclosed: June 3, 2022, 5:45pm (UTC)

Github Account Takeover from Docs page of `kubernetes-csi.github.io`

👉 https://hackerone.com/reports/1434967

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #codermak
🔹 State: 🟢 Resolved
🔹 Disclosed: June 4, 2022, 5:58pm (UTC)

KRB-FTP: Security level downgrade

👉 https://hackerone.com/reports/1590102

🔹 Severity: No Rating
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🔴 N/A
🔹 Disclosed: June 5, 2022, 8:58pm (UTC)

Heap overflow via HTTP/2 PUSH_PROMISE

👉 https://hackerone.com/reports/1589847

🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🔴 N/A
🔹 Disclosed: June 5, 2022, 8:59pm (UTC)

Registered users contact information disclosure on salesforce lightning endpoint https://disposal.gsa.gov

👉 https://hackerone.com/reports/1443654

🔹 Severity: High
🔹 Reported To: U.S. General Services Administration
🔹 Reported By: #rptl
🔹 State: 🟢 Resolved
🔹 Disclosed: June 6, 2022, 6:17am (UTC)

2 Cache Poisoning Attack Methods Affect Core Functionality www.exodus.com

👉 https://hackerone.com/reports/1581454

🔹 Severity: High
🔹 Reported To: Exodus
🔹 Reported By: #bismillahfortuner
🔹 State: ⚪️ Informative
🔹 Disclosed: June 6, 2022, 11:31am (UTC)

Misconfigurated login page able to lock login action for any account without user interaction

👉 https://hackerone.com/reports/1582778

🔹 Severity: Critical
🔹 Reported To: Reddit
🔹 Reported By: #h1ugroon
🔹 State: ⚪️ Informative
🔹 Disclosed: June 6, 2022, 11:10pm (UTC)

Stored Cross Site Scripting at http://www.grouplogic.com/ADMIN/store/index.cfm?fa=disprocode

👉 https://hackerone.com/reports/1164853

🔹 Severity: Medium
🔹 Reported To: Acronis
🔹 Reported By: #ub3rsick
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 9:25am (UTC)

Store Admin Page Accessible Without Authentication at http://www.grouplogic.com/ADMIN/store/index.cfm

👉 https://hackerone.com/reports/1164854

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #ub3rsick
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 10:20am (UTC)

Path traversal in Nuget Package Registry

👉 https://hackerone.com/reports/822262

🔹 Severity: High | 💰 12,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #saltyyolk
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 2:16pm (UTC)

Private objects exposed through project import

👉 https://hackerone.com/reports/767770

🔹 Severity: Critical | 💰 20,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #saltyyolk
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 2:16pm (UTC)

Steal private objects of other projects via project import

👉 https://hackerone.com/reports/743953

🔹 Severity: Critical | 💰 20,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #saltyyolk
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 2:16pm (UTC)

Path traversal, to RCE

👉 https://hackerone.com/reports/733072

🔹 Severity: High | 💰 12,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #saltyyolk
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 2:16pm (UTC)

Open redirect on https://www.glassdoor.com/profile/siwa.htm via state parameter

👉 https://hackerone.com/reports/1097208

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Glassdoor
🔹 Reported By: #0x7
🔹 State: 🟢 Resolved
🔹 Disclosed: June 8, 2022, 11:44am (UTC)

Reflected XSS on https://help.glassdoor.com/gd_requestsubmitpage

👉 https://hackerone.com/reports/1094224

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Glassdoor
🔹 Reported By: #0x7
🔹 State: 🟢 Resolved
🔹 Disclosed: June 8, 2022, 11:46am (UTC)