Authentication token and CSRF token bypass
👉 https://hackerone.com/reports/998457
🔹 Severity: High | 💰 300 USD
🔹 Reported To: Enjin
🔹 Reported By: #whiteshadow201
🔹 State: 🟢 Resolved
🔹 Disclosed: June 19, 2022, 12:11pm (UTC)
👉 https://hackerone.com/reports/998457
🔹 Severity: High | 💰 300 USD
🔹 Reported To: Enjin
🔹 Reported By: #whiteshadow201
🔹 State: 🟢 Resolved
🔹 Disclosed: June 19, 2022, 12:11pm (UTC)
Admin Authentication Bypass Lead to Admin Account Takeover
👉 https://hackerone.com/reports/1490470
🔹 Severity: Medium
🔹 Reported To: UPS VDP
🔹 Reported By: #7odamo
🔹 State: 🟢 Resolved
🔹 Disclosed: June 20, 2022, 12:18am (UTC)
👉 https://hackerone.com/reports/1490470
🔹 Severity: Medium
🔹 Reported To: UPS VDP
🔹 Reported By: #7odamo
🔹 State: 🟢 Resolved
🔹 Disclosed: June 20, 2022, 12:18am (UTC)
Add more seats by paying less via PUT /v2/seats request manipulation
👉 https://hackerone.com/reports/1446090
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Krisp
🔹 Reported By: #life__001
🔹 State: 🟢 Resolved
🔹 Disclosed: June 20, 2022, 3:41pm (UTC)
👉 https://hackerone.com/reports/1446090
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Krisp
🔹 Reported By: #life__001
🔹 State: 🟢 Resolved
🔹 Disclosed: June 20, 2022, 3:41pm (UTC)
❤1👍1
Authentication CSRF resulting in unauthorized account access on Krisp app
👉 https://hackerone.com/reports/1267476
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Krisp
🔹 Reported By: #yassineaboukir
🔹 State: 🟢 Resolved
🔹 Disclosed: June 20, 2022, 3:51pm (UTC)
👉 https://hackerone.com/reports/1267476
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Krisp
🔹 Reported By: #yassineaboukir
🔹 State: 🟢 Resolved
🔹 Disclosed: June 20, 2022, 3:51pm (UTC)
Weak rate limit for SIGN.PLUS email verification
👉 https://hackerone.com/reports/1584569
🔹 Severity: Low
🔹 Reported To: Alohi
🔹 Reported By: #zeesozee
🔹 State: 🟢 Resolved
🔹 Disclosed: June 21, 2022, 10:53pm (UTC)
👉 https://hackerone.com/reports/1584569
🔹 Severity: Low
🔹 Reported To: Alohi
🔹 Reported By: #zeesozee
🔹 State: 🟢 Resolved
🔹 Disclosed: June 21, 2022, 10:53pm (UTC)
Able to approve admin approval and change effective status without adding payment details .
👉 https://hackerone.com/reports/1543159
🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: Reddit
🔹 Reported By: #bisesh
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2022, 5:05am (UTC)
👉 https://hackerone.com/reports/1543159
🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: Reddit
🔹 Reported By: #bisesh
🔹 State: 🟢 Resolved
🔹 Disclosed: June 22, 2022, 5:05am (UTC)
👍2
Bypass for Domain-level redirects (Unvalidated Redirects and Forwar)
👉 https://hackerone.com/reports/1582160
🔹 Severity: Medium
🔹 Reported To: GitLab
🔹 Reported By: #thypon
🔹 State: ⚪️ Informative
🔹 Disclosed: June 22, 2022, 10:57pm (UTC)
👉 https://hackerone.com/reports/1582160
🔹 Severity: Medium
🔹 Reported To: GitLab
🔹 Reported By: #thypon
🔹 State: ⚪️ Informative
🔹 Disclosed: June 22, 2022, 10:57pm (UTC)
User can link non-public file attachments, leading to file disclose on edit by higher-privileged user
👉 https://hackerone.com/reports/763177
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Phabricator
🔹 Reported By: #foobar7
🔹 State: 🟢 Resolved
🔹 Disclosed: June 26, 2022, 6:25pm (UTC)
👉 https://hackerone.com/reports/763177
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Phabricator
🔹 Reported By: #foobar7
🔹 State: 🟢 Resolved
🔹 Disclosed: June 26, 2022, 6:25pm (UTC)
Credential leak when use two url
👉 https://hackerone.com/reports/1569926
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #chen172
🔹 State: 🔴 N/A
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
👉 https://hackerone.com/reports/1569926
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #chen172
🔹 State: 🔴 N/A
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
CVE-2022-32208: FTP-KRB bad message verification
👉 https://hackerone.com/reports/1590071
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
👉 https://hackerone.com/reports/1590071
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
CVE-2022-32207: Unpreserved file permissions
👉 https://hackerone.com/reports/1573634
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
👉 https://hackerone.com/reports/1573634
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
CVE-2022-32206: HTTP compression denial of service
👉 https://hackerone.com/reports/1570651
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
👉 https://hackerone.com/reports/1570651
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
CVE-2022-32205: Set-Cookie denial of service
👉 https://hackerone.com/reports/1569946
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:56am (UTC)
👉 https://hackerone.com/reports/1569946
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:56am (UTC)
Rails::Html::SafeListSanitizer vulnerable to xss attack in an environment that allows the style tag
👉 https://hackerone.com/reports/1599573
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #windshock
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 11:46am (UTC)
👉 https://hackerone.com/reports/1599573
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #windshock
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 11:46am (UTC)
API docs expose an active token for the sample domain theburritobot.com
👉 https://hackerone.com/reports/1507412
🔹 Severity: High | 💰 500 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #sainaen
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:23pm (UTC)
👉 https://hackerone.com/reports/1507412
🔹 Severity: High | 💰 500 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #sainaen
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:23pm (UTC)
Sign in with Apple works on existing accounts, bypasses 2FA
👉 https://hackerone.com/reports/1593404
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #mattipv4
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:24pm (UTC)
👉 https://hackerone.com/reports/1593404
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #mattipv4
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:24pm (UTC)
👍1
Sign in with Apple generates long-life JWTs, seemingly irrevocable, that grant immediate access to accounts
👉 https://hackerone.com/reports/1593413
🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #mattipv4
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:25pm (UTC)
👉 https://hackerone.com/reports/1593413
🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #mattipv4
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:25pm (UTC)
Bypassing Cache Deception Armor using .avif extension file
👉 https://hackerone.com/reports/1391635
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #bombon
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:27pm (UTC)
👉 https://hackerone.com/reports/1391635
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #bombon
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:27pm (UTC)
HTTP request smuggling with Origin Rules using newlines in the host_header action parameter
👉 https://hackerone.com/reports/1575912
🔹 Severity: Critical | 💰 3,100 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #albertspedersen
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:32pm (UTC)
👉 https://hackerone.com/reports/1575912
🔹 Severity: Critical | 💰 3,100 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #albertspedersen
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:32pm (UTC)
Reflected XSS via `████████` parameter
👉 https://hackerone.com/reports/1536215
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #mdakh404
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:23pm (UTC)
👉 https://hackerone.com/reports/1536215
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #mdakh404
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:23pm (UTC)
Unauthorized Access to Internal Server Panel without Authentication
👉 https://hackerone.com/reports/1548067
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #ahmd_halabi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:24pm (UTC)
👉 https://hackerone.com/reports/1548067
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #ahmd_halabi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:24pm (UTC)