Golang : Add Query To Detect PAM Authorization Bugs

👉 https://hackerone.com/reports/1597437

🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #porcupineyhairs
🔹 State: 🟢 Resolved
🔹 Disclosed: June 15, 2022, 2:58pm (UTC)

The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more su

👉 https://hackerone.com/reports/1591504

🔹 Severity: Medium
🔹 Reported To: LinkedIn
🔹 Reported By: #suryasnn
🔹 State: 🔴 N/A
🔹 Disclosed: June 15, 2022, 6:18pm (UTC)

Remote 0click exfiltration of Safari user's IP address

👉 https://hackerone.com/reports/1392211

🔹 Severity: Medium | 💰 560 USD
🔹 Reported To: Twitter
🔹 Reported By: #max2x
🔹 State: 🟢 Resolved
🔹 Disclosed: June 15, 2022, 8:00pm (UTC)

Delete direct message history without access the proper conversation_id

👉 https://hackerone.com/reports/1487804

🔹 Severity: Medium | 💰 560 USD
🔹 Reported To: Twitter
🔹 Reported By: #saiful6601
🔹 State: 🟢 Resolved
🔹 Disclosed: June 15, 2022, 8:01pm (UTC)

Rate limit Bypass on contact-us through IP Rotator (burp extension)(https://www.linkedin.com/help/linkedin/solve/contact)

👉 https://hackerone.com/reports/1578121

🔹 Severity: No Rating
🔹 Reported To: LinkedIn
🔹 Reported By: #sachinrajput
🔹 State: 🔴 N/A
🔹 Disclosed: June 15, 2022, 9:10pm (UTC)

XSS STORED at https://webcast.tiktokv.com/ Via Create Live Event in `Denoscription` Form

👉 https://hackerone.com/reports/1542703

🔹 Severity: Medium | 💰 1,500 USD
🔹 Reported To: TikTok
🔹 Reported By: #aidilarf_2000
🔹 State: 🟢 Resolved
🔹 Disclosed: June 16, 2022, 1:58am (UTC)

CSRF (protection bypassed) to force a below 18 user into viewing an nsfw subreddit !

👉 https://hackerone.com/reports/1480569

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Reddit
🔹 Reported By: #marvelmaniac
🔹 State: 🟢 Resolved
🔹 Disclosed: June 16, 2022, 4:27am (UTC)

curl "globbing" can lead to denial of service attacks

👉 https://hackerone.com/reports/1572120

🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #iylz
🔹 State: 🔴 N/A
🔹 Disclosed: June 16, 2022, 3:14pm (UTC)

xmlrpc file enabled

👉 https://hackerone.com/reports/1575401

🔹 Severity: Low
🔹 Reported To: Yelp
🔹 Reported By: #happykira0x1
🔹 State: 🟤 Duplicate
🔹 Disclosed: June 16, 2022, 7:02pm (UTC)

Race condition via project team member invitation system.

👉 https://hackerone.com/reports/1108291

🔹 Severity: Low | 💰 60 USD
🔹 Reported To: Enjin
🔹 Reported By: #akashhamal0x01
🔹 State: 🟢 Resolved
🔹 Disclosed: June 17, 2022, 8:44am (UTC)

CSRF Bypassed on Logout Endpoint

👉 https://hackerone.com/reports/1091403

🔹 Severity: Low
🔹 Reported To: Enjin
🔹 Reported By: #er_salil
🔹 State: 🟢 Resolved
🔹 Disclosed: June 17, 2022, 8:50am (UTC)

sql injection via https://setup.p2p.ihost.com/

👉 https://hackerone.com/reports/1567516

🔹 Severity: Critical
🔹 Reported To: IBM
🔹 Reported By: #exploitmsf
🔹 State: 🟢 Resolved
🔹 Disclosed: June 17, 2022, 5:47pm (UTC)

Broken access control

👉 https://hackerone.com/reports/1539426

🔹 Severity: High
🔹 Reported To: UPS VDP
🔹 Reported By: #nayefhamouda
🔹 State: 🟢 Resolved
🔹 Disclosed: June 18, 2022, 4:40pm (UTC)

bypass forced password protection via circles app

👉 https://hackerone.com/reports/1406926

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #michag86
🔹 State: 🟢 Resolved
🔹 Disclosed: June 19, 2022, 8:10am (UTC)

Authentication token and CSRF token bypass

👉 https://hackerone.com/reports/998457

🔹 Severity: High | 💰 300 USD
🔹 Reported To: Enjin
🔹 Reported By: #whiteshadow201
🔹 State: 🟢 Resolved
🔹 Disclosed: June 19, 2022, 12:11pm (UTC)

Admin Authentication Bypass Lead to Admin Account Takeover

👉 https://hackerone.com/reports/1490470

🔹 Severity: Medium
🔹 Reported To: UPS VDP
🔹 Reported By: #7odamo
🔹 State: 🟢 Resolved
🔹 Disclosed: June 20, 2022, 12:18am (UTC)

Add more seats by paying less via PUT /v2/seats request manipulation

👉 https://hackerone.com/reports/1446090

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Krisp
🔹 Reported By: #life__001
🔹 State: 🟢 Resolved
🔹 Disclosed: June 20, 2022, 3:41pm (UTC)

Authentication CSRF resulting in unauthorized account access on Krisp app

👉 https://hackerone.com/reports/1267476

🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Krisp
🔹 Reported By: #yassineaboukir
🔹 State: 🟢 Resolved
🔹 Disclosed: June 20, 2022, 3:51pm (UTC)

Weak rate limit for SIGN.PLUS email verification

👉 https://hackerone.com/reports/1584569

🔹 Severity: Low
🔹 Reported To: Alohi
🔹 Reported By: #zeesozee
🔹 State: 🟢 Resolved
🔹 Disclosed: June 21, 2022, 10:53pm (UTC)

Able to approve admin approval and change effective status without adding payment details .

👉 https://hackerone.com/reports/1543159

🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: Reddit
🔹 Reported By: #bisesh
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2022, 5:05am (UTC)

Bypass for Domain-level redirects (Unvalidated Redirects and Forwar)

👉 https://hackerone.com/reports/1582160

🔹 Severity: Medium
🔹 Reported To: GitLab
🔹 Reported By: #thypon
🔹 State: ⚪️ Informative
🔹 Disclosed: June 22, 2022, 10:57pm (UTC)