Heap overflow via HTTP/2 PUSH_PROMISE
👉 https://hackerone.com/reports/1589847
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🔴 N/A
🔹 Disclosed: June 5, 2022, 8:59pm (UTC)
👉 https://hackerone.com/reports/1589847
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🔴 N/A
🔹 Disclosed: June 5, 2022, 8:59pm (UTC)
Registered users contact information disclosure on salesforce lightning endpoint https://disposal.gsa.gov
👉 https://hackerone.com/reports/1443654
🔹 Severity: High
🔹 Reported To: U.S. General Services Administration
🔹 Reported By: #rptl
🔹 State: 🟢 Resolved
🔹 Disclosed: June 6, 2022, 6:17am (UTC)
👉 https://hackerone.com/reports/1443654
🔹 Severity: High
🔹 Reported To: U.S. General Services Administration
🔹 Reported By: #rptl
🔹 State: 🟢 Resolved
🔹 Disclosed: June 6, 2022, 6:17am (UTC)
2 Cache Poisoning Attack Methods Affect Core Functionality www.exodus.com
👉 https://hackerone.com/reports/1581454
🔹 Severity: High
🔹 Reported To: Exodus
🔹 Reported By: #bismillahfortuner
🔹 State: ⚪️ Informative
🔹 Disclosed: June 6, 2022, 11:31am (UTC)
👉 https://hackerone.com/reports/1581454
🔹 Severity: High
🔹 Reported To: Exodus
🔹 Reported By: #bismillahfortuner
🔹 State: ⚪️ Informative
🔹 Disclosed: June 6, 2022, 11:31am (UTC)
Misconfigurated login page able to lock login action for any account without user interaction
👉 https://hackerone.com/reports/1582778
🔹 Severity: Critical
🔹 Reported To: Reddit
🔹 Reported By: #h1ugroon
🔹 State: ⚪️ Informative
🔹 Disclosed: June 6, 2022, 11:10pm (UTC)
👉 https://hackerone.com/reports/1582778
🔹 Severity: Critical
🔹 Reported To: Reddit
🔹 Reported By: #h1ugroon
🔹 State: ⚪️ Informative
🔹 Disclosed: June 6, 2022, 11:10pm (UTC)
Stored Cross Site Scripting at http://www.grouplogic.com/ADMIN/store/index.cfm?fa=disprocode
👉 https://hackerone.com/reports/1164853
🔹 Severity: Medium
🔹 Reported To: Acronis
🔹 Reported By: #ub3rsick
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 9:25am (UTC)
👉 https://hackerone.com/reports/1164853
🔹 Severity: Medium
🔹 Reported To: Acronis
🔹 Reported By: #ub3rsick
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 9:25am (UTC)
Store Admin Page Accessible Without Authentication at http://www.grouplogic.com/ADMIN/store/index.cfm
👉 https://hackerone.com/reports/1164854
🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #ub3rsick
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 10:20am (UTC)
👉 https://hackerone.com/reports/1164854
🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #ub3rsick
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 10:20am (UTC)
Path traversal in Nuget Package Registry
👉 https://hackerone.com/reports/822262
🔹 Severity: High | 💰 12,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #saltyyolk
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 2:16pm (UTC)
👉 https://hackerone.com/reports/822262
🔹 Severity: High | 💰 12,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #saltyyolk
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 2:16pm (UTC)
🔥3
Private objects exposed through project import
👉 https://hackerone.com/reports/767770
🔹 Severity: Critical | 💰 20,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #saltyyolk
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 2:16pm (UTC)
👉 https://hackerone.com/reports/767770
🔹 Severity: Critical | 💰 20,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #saltyyolk
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 2:16pm (UTC)
🔥4
Steal private objects of other projects via project import
👉 https://hackerone.com/reports/743953
🔹 Severity: Critical | 💰 20,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #saltyyolk
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 2:16pm (UTC)
👉 https://hackerone.com/reports/743953
🔹 Severity: Critical | 💰 20,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #saltyyolk
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 2:16pm (UTC)
🔥4
Path traversal, to RCE
👉 https://hackerone.com/reports/733072
🔹 Severity: High | 💰 12,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #saltyyolk
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 2:16pm (UTC)
👉 https://hackerone.com/reports/733072
🔹 Severity: High | 💰 12,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #saltyyolk
🔹 State: 🟢 Resolved
🔹 Disclosed: June 7, 2022, 2:16pm (UTC)
🔥5
Open redirect on https://www.glassdoor.com/profile/siwa.htm via state parameter
👉 https://hackerone.com/reports/1097208
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Glassdoor
🔹 Reported By: #0x7
🔹 State: 🟢 Resolved
🔹 Disclosed: June 8, 2022, 11:44am (UTC)
👉 https://hackerone.com/reports/1097208
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Glassdoor
🔹 Reported By: #0x7
🔹 State: 🟢 Resolved
🔹 Disclosed: June 8, 2022, 11:44am (UTC)
Reflected XSS on https://help.glassdoor.com/gd_requestsubmitpage
👉 https://hackerone.com/reports/1094224
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Glassdoor
🔹 Reported By: #0x7
🔹 State: 🟢 Resolved
🔹 Disclosed: June 8, 2022, 11:46am (UTC)
👉 https://hackerone.com/reports/1094224
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Glassdoor
🔹 Reported By: #0x7
🔹 State: 🟢 Resolved
🔹 Disclosed: June 8, 2022, 11:46am (UTC)
Reflected XSS on https://www.glassdoor.com/parts/header.htm
👉 https://hackerone.com/reports/1073712
🔹 Severity: Medium | 💰 600 USD
🔹 Reported To: Glassdoor
🔹 Reported By: #0x7
🔹 State: 🟢 Resolved
🔹 Disclosed: June 8, 2022, 12:00pm (UTC)
👉 https://hackerone.com/reports/1073712
🔹 Severity: Medium | 💰 600 USD
🔹 Reported To: Glassdoor
🔹 Reported By: #0x7
🔹 State: 🟢 Resolved
🔹 Disclosed: June 8, 2022, 12:00pm (UTC)
Stored XSS on issue comments and other pages which contain notes
👉 https://hackerone.com/reports/1398305
🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: June 8, 2022, 2:02pm (UTC)
👉 https://hackerone.com/reports/1398305
🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: June 8, 2022, 2:02pm (UTC)
"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request
👉 https://hackerone.com/reports/1375393
🔹 Severity: Medium | 💰 610 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: June 8, 2022, 2:04pm (UTC)
👉 https://hackerone.com/reports/1375393
🔹 Severity: Medium | 💰 610 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: June 8, 2022, 2:04pm (UTC)
Gitlab Pages token theft using service workers
👉 https://hackerone.com/reports/1439552
🔹 Severity: Medium | 💰 1,680 USD
🔹 Reported To: GitLab
🔹 Reported By: #ehhthing
🔹 State: 🟢 Resolved
🔹 Disclosed: June 8, 2022, 2:06pm (UTC)
👉 https://hackerone.com/reports/1439552
🔹 Severity: Medium | 💰 1,680 USD
🔹 Reported To: GitLab
🔹 Reported By: #ehhthing
🔹 State: 🟢 Resolved
🔹 Disclosed: June 8, 2022, 2:06pm (UTC)
XSS by clicking Jira's link
👉 https://hackerone.com/reports/1194254
🔹 Severity: Medium | 💰 1,130 USD
🔹 Reported To: GitLab
🔹 Reported By: #ooooooo_q
🔹 State: 🟢 Resolved
🔹 Disclosed: June 8, 2022, 2:07pm (UTC)
👉 https://hackerone.com/reports/1194254
🔹 Severity: Medium | 💰 1,130 USD
🔹 Reported To: GitLab
🔹 Reported By: #ooooooo_q
🔹 State: 🟢 Resolved
🔹 Disclosed: June 8, 2022, 2:07pm (UTC)
Several Subdomains Takeover
👉 https://hackerone.com/reports/1591085
🔹 Severity: High
🔹 Reported To: Reddit
🔹 Reported By: #3amii
🔹 State: 🔴 N/A
🔹 Disclosed: June 8, 2022, 8:36pm (UTC)
👉 https://hackerone.com/reports/1591085
🔹 Severity: High
🔹 Reported To: Reddit
🔹 Reported By: #3amii
🔹 State: 🔴 N/A
🔹 Disclosed: June 8, 2022, 8:36pm (UTC)
match
👉 https://hackerone.com/reports/1555440
🔹 Severity: High
🔹 Reported To: curl
🔹 Reported By: #maslahhunter
🔹 State: 🔴 N/A
🔹 Disclosed: June 9, 2022, 7:09am (UTC)
👉 https://hackerone.com/reports/1555440
🔹 Severity: High
🔹 Reported To: curl
🔹 Reported By: #maslahhunter
🔹 State: 🔴 N/A
🔹 Disclosed: June 9, 2022, 7:09am (UTC)
Integer overflows in unescape_word()
👉 https://hackerone.com/reports/1564922
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #ddme
🔹 State: 🔴 N/A
🔹 Disclosed: June 9, 2022, 7:10am (UTC)
👉 https://hackerone.com/reports/1564922
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #ddme
🔹 State: 🔴 N/A
🔹 Disclosed: June 9, 2022, 7:10am (UTC)
Moderator can enable cam/mic remotely if cam/mic-permission was disabled while user has activated cam/mic
👉 https://hackerone.com/reports/1520685
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #michag86
🔹 State: 🟢 Resolved
🔹 Disclosed: June 9, 2022, 12:42pm (UTC)
👉 https://hackerone.com/reports/1520685
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #michag86
🔹 State: 🟢 Resolved
🔹 Disclosed: June 9, 2022, 12:42pm (UTC)