CSRF (protection bypassed) to force a below 18 user into viewing an nsfw subreddit !
👉 https://hackerone.com/reports/1480569
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Reddit
🔹 Reported By: #marvelmaniac
🔹 State: 🟢 Resolved
🔹 Disclosed: June 16, 2022, 4:27am (UTC)
👉 https://hackerone.com/reports/1480569
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Reddit
🔹 Reported By: #marvelmaniac
🔹 State: 🟢 Resolved
🔹 Disclosed: June 16, 2022, 4:27am (UTC)
curl "globbing" can lead to denial of service attacks
👉 https://hackerone.com/reports/1572120
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #iylz
🔹 State: 🔴 N/A
🔹 Disclosed: June 16, 2022, 3:14pm (UTC)
👉 https://hackerone.com/reports/1572120
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #iylz
🔹 State: 🔴 N/A
🔹 Disclosed: June 16, 2022, 3:14pm (UTC)
xmlrpc file enabled
👉 https://hackerone.com/reports/1575401
🔹 Severity: Low
🔹 Reported To: Yelp
🔹 Reported By: #happykira0x1
🔹 State: 🟤 Duplicate
🔹 Disclosed: June 16, 2022, 7:02pm (UTC)
👉 https://hackerone.com/reports/1575401
🔹 Severity: Low
🔹 Reported To: Yelp
🔹 Reported By: #happykira0x1
🔹 State: 🟤 Duplicate
🔹 Disclosed: June 16, 2022, 7:02pm (UTC)
Race condition via project team member invitation system.
👉 https://hackerone.com/reports/1108291
🔹 Severity: Low | 💰 60 USD
🔹 Reported To: Enjin
🔹 Reported By: #akashhamal0x01
🔹 State: 🟢 Resolved
🔹 Disclosed: June 17, 2022, 8:44am (UTC)
👉 https://hackerone.com/reports/1108291
🔹 Severity: Low | 💰 60 USD
🔹 Reported To: Enjin
🔹 Reported By: #akashhamal0x01
🔹 State: 🟢 Resolved
🔹 Disclosed: June 17, 2022, 8:44am (UTC)
CSRF Bypassed on Logout Endpoint
👉 https://hackerone.com/reports/1091403
🔹 Severity: Low
🔹 Reported To: Enjin
🔹 Reported By: #er_salil
🔹 State: 🟢 Resolved
🔹 Disclosed: June 17, 2022, 8:50am (UTC)
👉 https://hackerone.com/reports/1091403
🔹 Severity: Low
🔹 Reported To: Enjin
🔹 Reported By: #er_salil
🔹 State: 🟢 Resolved
🔹 Disclosed: June 17, 2022, 8:50am (UTC)
sql injection via https://setup.p2p.ihost.com/
👉 https://hackerone.com/reports/1567516
🔹 Severity: Critical
🔹 Reported To: IBM
🔹 Reported By: #exploitmsf
🔹 State: 🟢 Resolved
🔹 Disclosed: June 17, 2022, 5:47pm (UTC)
👉 https://hackerone.com/reports/1567516
🔹 Severity: Critical
🔹 Reported To: IBM
🔹 Reported By: #exploitmsf
🔹 State: 🟢 Resolved
🔹 Disclosed: June 17, 2022, 5:47pm (UTC)
👍1
Broken access control
👉 https://hackerone.com/reports/1539426
🔹 Severity: High
🔹 Reported To: UPS VDP
🔹 Reported By: #nayefhamouda
🔹 State: 🟢 Resolved
🔹 Disclosed: June 18, 2022, 4:40pm (UTC)
👉 https://hackerone.com/reports/1539426
🔹 Severity: High
🔹 Reported To: UPS VDP
🔹 Reported By: #nayefhamouda
🔹 State: 🟢 Resolved
🔹 Disclosed: June 18, 2022, 4:40pm (UTC)
bypass forced password protection via circles app
👉 https://hackerone.com/reports/1406926
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #michag86
🔹 State: 🟢 Resolved
🔹 Disclosed: June 19, 2022, 8:10am (UTC)
👉 https://hackerone.com/reports/1406926
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #michag86
🔹 State: 🟢 Resolved
🔹 Disclosed: June 19, 2022, 8:10am (UTC)
Authentication token and CSRF token bypass
👉 https://hackerone.com/reports/998457
🔹 Severity: High | 💰 300 USD
🔹 Reported To: Enjin
🔹 Reported By: #whiteshadow201
🔹 State: 🟢 Resolved
🔹 Disclosed: June 19, 2022, 12:11pm (UTC)
👉 https://hackerone.com/reports/998457
🔹 Severity: High | 💰 300 USD
🔹 Reported To: Enjin
🔹 Reported By: #whiteshadow201
🔹 State: 🟢 Resolved
🔹 Disclosed: June 19, 2022, 12:11pm (UTC)
Admin Authentication Bypass Lead to Admin Account Takeover
👉 https://hackerone.com/reports/1490470
🔹 Severity: Medium
🔹 Reported To: UPS VDP
🔹 Reported By: #7odamo
🔹 State: 🟢 Resolved
🔹 Disclosed: June 20, 2022, 12:18am (UTC)
👉 https://hackerone.com/reports/1490470
🔹 Severity: Medium
🔹 Reported To: UPS VDP
🔹 Reported By: #7odamo
🔹 State: 🟢 Resolved
🔹 Disclosed: June 20, 2022, 12:18am (UTC)
Add more seats by paying less via PUT /v2/seats request manipulation
👉 https://hackerone.com/reports/1446090
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Krisp
🔹 Reported By: #life__001
🔹 State: 🟢 Resolved
🔹 Disclosed: June 20, 2022, 3:41pm (UTC)
👉 https://hackerone.com/reports/1446090
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Krisp
🔹 Reported By: #life__001
🔹 State: 🟢 Resolved
🔹 Disclosed: June 20, 2022, 3:41pm (UTC)
❤1👍1
Authentication CSRF resulting in unauthorized account access on Krisp app
👉 https://hackerone.com/reports/1267476
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Krisp
🔹 Reported By: #yassineaboukir
🔹 State: 🟢 Resolved
🔹 Disclosed: June 20, 2022, 3:51pm (UTC)
👉 https://hackerone.com/reports/1267476
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Krisp
🔹 Reported By: #yassineaboukir
🔹 State: 🟢 Resolved
🔹 Disclosed: June 20, 2022, 3:51pm (UTC)
Weak rate limit for SIGN.PLUS email verification
👉 https://hackerone.com/reports/1584569
🔹 Severity: Low
🔹 Reported To: Alohi
🔹 Reported By: #zeesozee
🔹 State: 🟢 Resolved
🔹 Disclosed: June 21, 2022, 10:53pm (UTC)
👉 https://hackerone.com/reports/1584569
🔹 Severity: Low
🔹 Reported To: Alohi
🔹 Reported By: #zeesozee
🔹 State: 🟢 Resolved
🔹 Disclosed: June 21, 2022, 10:53pm (UTC)
Able to approve admin approval and change effective status without adding payment details .
👉 https://hackerone.com/reports/1543159
🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: Reddit
🔹 Reported By: #bisesh
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2022, 5:05am (UTC)
👉 https://hackerone.com/reports/1543159
🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: Reddit
🔹 Reported By: #bisesh
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2022, 5:05am (UTC)
👍2
Bypass for Domain-level redirects (Unvalidated Redirects and Forwar)
👉 https://hackerone.com/reports/1582160
🔹 Severity: Medium
🔹 Reported To: GitLab
🔹 Reported By: #thypon
🔹 State: ⚪️ Informative
🔹 Disclosed: June 22, 2022, 10:57pm (UTC)
👉 https://hackerone.com/reports/1582160
🔹 Severity: Medium
🔹 Reported To: GitLab
🔹 Reported By: #thypon
🔹 State: ⚪️ Informative
🔹 Disclosed: June 22, 2022, 10:57pm (UTC)
User can link non-public file attachments, leading to file disclose on edit by higher-privileged user
👉 https://hackerone.com/reports/763177
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Phabricator
🔹 Reported By: #foobar7
🔹 State: 🟢 Resolved
🔹 Disclosed: June 26, 2022, 6:25pm (UTC)
👉 https://hackerone.com/reports/763177
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Phabricator
🔹 Reported By: #foobar7
🔹 State: 🟢 Resolved
🔹 Disclosed: June 26, 2022, 6:25pm (UTC)
Credential leak when use two url
👉 https://hackerone.com/reports/1569926
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #chen172
🔹 State: 🔴 N/A
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
👉 https://hackerone.com/reports/1569926
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #chen172
🔹 State: 🔴 N/A
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
CVE-2022-32208: FTP-KRB bad message verification
👉 https://hackerone.com/reports/1590071
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
👉 https://hackerone.com/reports/1590071
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
CVE-2022-32207: Unpreserved file permissions
👉 https://hackerone.com/reports/1573634
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
👉 https://hackerone.com/reports/1573634
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
CVE-2022-32206: HTTP compression denial of service
👉 https://hackerone.com/reports/1570651
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
👉 https://hackerone.com/reports/1570651
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
CVE-2022-32205: Set-Cookie denial of service
👉 https://hackerone.com/reports/1569946
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:56am (UTC)
👉 https://hackerone.com/reports/1569946
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:56am (UTC)