Rails::Html::SafeListSanitizer vulnerable to xss attack in an environment that allows the style tag
👉 https://hackerone.com/reports/1599573
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #windshock
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 11:46am (UTC)
👉 https://hackerone.com/reports/1599573
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #windshock
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 11:46am (UTC)
API docs expose an active token for the sample domain theburritobot.com
👉 https://hackerone.com/reports/1507412
🔹 Severity: High | 💰 500 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #sainaen
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:23pm (UTC)
👉 https://hackerone.com/reports/1507412
🔹 Severity: High | 💰 500 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #sainaen
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:23pm (UTC)
Sign in with Apple works on existing accounts, bypasses 2FA
👉 https://hackerone.com/reports/1593404
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #mattipv4
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:24pm (UTC)
👉 https://hackerone.com/reports/1593404
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #mattipv4
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:24pm (UTC)
👍1
Sign in with Apple generates long-life JWTs, seemingly irrevocable, that grant immediate access to accounts
👉 https://hackerone.com/reports/1593413
🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #mattipv4
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:25pm (UTC)
👉 https://hackerone.com/reports/1593413
🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #mattipv4
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:25pm (UTC)
Bypassing Cache Deception Armor using .avif extension file
👉 https://hackerone.com/reports/1391635
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #bombon
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:27pm (UTC)
👉 https://hackerone.com/reports/1391635
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #bombon
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:27pm (UTC)
HTTP request smuggling with Origin Rules using newlines in the host_header action parameter
👉 https://hackerone.com/reports/1575912
🔹 Severity: Critical | 💰 3,100 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #albertspedersen
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:32pm (UTC)
👉 https://hackerone.com/reports/1575912
🔹 Severity: Critical | 💰 3,100 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #albertspedersen
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:32pm (UTC)
Reflected XSS via `████████` parameter
👉 https://hackerone.com/reports/1536215
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #mdakh404
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:23pm (UTC)
👉 https://hackerone.com/reports/1536215
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #mdakh404
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:23pm (UTC)
Unauthorized Access to Internal Server Panel without Authentication
👉 https://hackerone.com/reports/1548067
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #ahmd_halabi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:24pm (UTC)
👉 https://hackerone.com/reports/1548067
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #ahmd_halabi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:24pm (UTC)
CVE-2022-32207: Unpreserved file permissions
👉 https://hackerone.com/reports/1614331
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:52pm (UTC)
👉 https://hackerone.com/reports/1614331
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:52pm (UTC)
CVE-2022-32205: Set-Cookie denial of service
👉 https://hackerone.com/reports/1614328
🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:53pm (UTC)
👉 https://hackerone.com/reports/1614328
🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:53pm (UTC)
CVE-2022-32206: HTTP compression denial of service
👉 https://hackerone.com/reports/1614330
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:53pm (UTC)
👉 https://hackerone.com/reports/1614330
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:53pm (UTC)
CVE-2022-32208: FTP-KRB bad message verification
👉 https://hackerone.com/reports/1614332
🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 8:09pm (UTC)
👉 https://hackerone.com/reports/1614332
🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 8:09pm (UTC)
XSS Payload on TikTok Seller Center endpoint
👉 https://hackerone.com/reports/1554048
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #aidilarf_2000
🔹 State: 🟢 Resolved
🔹 Disclosed: June 29, 2022, 1:10am (UTC)
👉 https://hackerone.com/reports/1554048
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #aidilarf_2000
🔹 State: 🟢 Resolved
🔹 Disclosed: June 29, 2022, 1:10am (UTC)
Browser is not following proper flow for redirection cause open redirect
👉 https://hackerone.com/reports/1579374
🔹 Severity: High | 💰 500 USD
🔹 Reported To: Brave Software
🔹 Reported By: #abhinavsecondary
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2022, 5:45pm (UTC)
👉 https://hackerone.com/reports/1579374
🔹 Severity: High | 💰 500 USD
🔹 Reported To: Brave Software
🔹 Reported By: #abhinavsecondary
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2022, 5:45pm (UTC)
Redirecting users to malicious torrent-files/websites using WebTorrent
👉 https://hackerone.com/reports/968328
🔹 Severity: Medium | 💰 200 USD
🔹 Reported To: Brave Software
🔹 Reported By: #d3f4u17
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2022, 5:46pm (UTC)
👉 https://hackerone.com/reports/968328
🔹 Severity: Medium | 💰 200 USD
🔹 Reported To: Brave Software
🔹 Reported By: #d3f4u17
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2022, 5:46pm (UTC)
Arbitrary file download due to bad handling of Redirects in WebTorrent
👉 https://hackerone.com/reports/975514
🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Brave Software
🔹 Reported By: #d3f4u17
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2022, 5:46pm (UTC)
👉 https://hackerone.com/reports/975514
🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Brave Software
🔹 Reported By: #d3f4u17
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2022, 5:46pm (UTC)
Arbitrary file download via "Save .torrent file" option can lead to Client RCE and XSS
👉 https://hackerone.com/reports/963155
🔹 Severity: Medium | 💰 200 USD
🔹 Reported To: Brave Software
🔹 Reported By: #d3f4u17
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2022, 5:46pm (UTC)
👉 https://hackerone.com/reports/963155
🔹 Severity: Medium | 💰 200 USD
🔹 Reported To: Brave Software
🔹 Reported By: #d3f4u17
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2022, 5:46pm (UTC)
Open redirect found on account.brave.com
👉 https://hackerone.com/reports/1338437
🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Brave Software
🔹 Reported By: #tabaahi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2022, 5:47pm (UTC)
👉 https://hackerone.com/reports/1338437
🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Brave Software
🔹 Reported By: #tabaahi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2022, 5:47pm (UTC)
Unauthorized Access - downgraded admin roles to none can still edit projects through brupsuite
👉 https://hackerone.com/reports/1607756
🔹 Severity: High
🔹 Reported To: Omise
🔹 Reported By: #zombieesshx
🔹 State: 🔴 N/A
🔹 Disclosed: July 1, 2022, 4:48pm (UTC)
👉 https://hackerone.com/reports/1607756
🔹 Severity: High
🔹 Reported To: Omise
🔹 Reported By: #zombieesshx
🔹 State: 🔴 N/A
🔹 Disclosed: July 1, 2022, 4:48pm (UTC)
June 2022 Incident Report
👉 https://hackerone.com/reports/1622449
🔹 Severity: Critical
🔹 Reported To: HackerOne
🔹 Reported By: #jobert
🔹 State: 🟢 Resolved
🔹 Disclosed: July 1, 2022, 7:13pm (UTC)
👉 https://hackerone.com/reports/1622449
🔹 Severity: Critical
🔹 Reported To: HackerOne
🔹 Reported By: #jobert
🔹 State: 🟢 Resolved
🔹 Disclosed: July 1, 2022, 7:13pm (UTC)
Federated editing allows iframing possibly malicious remotes
👉 https://hackerone.com/reports/1210424
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: July 2, 2022, 9:10am (UTC)
👉 https://hackerone.com/reports/1210424
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: July 2, 2022, 9:10am (UTC)