CVE-2022-32206: HTTP compression denial of service

👉 https://hackerone.com/reports/1614330

🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:53pm (UTC)

CVE-2022-32208: FTP-KRB bad message verification

👉 https://hackerone.com/reports/1614332

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 8:09pm (UTC)

XSS Payload on TikTok Seller Center endpoint

👉 https://hackerone.com/reports/1554048

🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #aidilarf_2000
🔹 State: 🟢 Resolved
🔹 Disclosed: June 29, 2022, 1:10am (UTC)

Browser is not following proper flow for redirection cause open redirect

👉 https://hackerone.com/reports/1579374

🔹 Severity: High | 💰 500 USD
🔹 Reported To: Brave Software
🔹 Reported By: #abhinavsecondary
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2022, 5:45pm (UTC)

Redirecting users to malicious torrent-files/websites using WebTorrent

👉 https://hackerone.com/reports/968328

🔹 Severity: Medium | 💰 200 USD
🔹 Reported To: Brave Software
🔹 Reported By: #d3f4u17
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2022, 5:46pm (UTC)

Arbitrary file download due to bad handling of Redirects in WebTorrent

👉 https://hackerone.com/reports/975514

🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Brave Software
🔹 Reported By: #d3f4u17
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2022, 5:46pm (UTC)

Arbitrary file download via "Save .torrent file" option can lead to Client RCE and XSS

👉 https://hackerone.com/reports/963155

🔹 Severity: Medium | 💰 200 USD
🔹 Reported To: Brave Software
🔹 Reported By: #d3f4u17
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2022, 5:46pm (UTC)

Open redirect found on account.brave.com

👉 https://hackerone.com/reports/1338437

🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Brave Software
🔹 Reported By: #tabaahi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2022, 5:47pm (UTC)

Unauthorized Access - downgraded admin roles to none can still edit projects through brupsuite

👉 https://hackerone.com/reports/1607756

🔹 Severity: High
🔹 Reported To: Omise
🔹 Reported By: #zombieesshx
🔹 State: 🔴 N/A
🔹 Disclosed: July 1, 2022, 4:48pm (UTC)

June 2022 Incident Report

👉 https://hackerone.com/reports/1622449

🔹 Severity: Critical
🔹 Reported To: HackerOne
🔹 Reported By: #jobert
🔹 State: 🟢 Resolved
🔹 Disclosed: July 1, 2022, 7:13pm (UTC)

Federated editing allows iframing possibly malicious remotes

👉 https://hackerone.com/reports/1210424

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: July 2, 2022, 9:10am (UTC)

Moderators can send messages to users from banned subreddits via `oauth.reddit.com/api/mod/conversations`

👉 https://hackerone.com/reports/1543770

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Reddit
🔹 Reported By: #zqyzoid
🔹 State: 🟢 Resolved
🔹 Disclosed: July 4, 2022, 12:59pm (UTC)

SMTP Command Injection in iCalendar Attachments to Emails via Newlines

👉 https://hackerone.com/reports/1516377

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #spaceraccoon
🔹 State: 🟢 Resolved
🔹 Disclosed: July 4, 2022, 1:10pm (UTC)

Reflected XSS on https://wwwapps.ups.com/ctc/request?loc=

👉 https://hackerone.com/reports/1536461

🔹 Severity: Medium
🔹 Reported To: UPS VDP
🔹 Reported By: #3amoura
🔹 State: 🟢 Resolved
🔹 Disclosed: July 5, 2022, 12:03pm (UTC)

Reflected Cross site Scripting (XSS) on https://one.newrelic.com

👉 https://hackerone.com/reports/1367642

🔹 Severity: High | 💰 2,048 USD
🔹 Reported To: New Relic
🔹 Reported By: #sairanga
🔹 State: 🟢 Resolved
🔹 Disclosed: July 5, 2022, 1:55pm (UTC)

Exposure of a valid Gitlab-Workhorse JWT leading to various bad things

👉 https://hackerone.com/reports/1040786

🔹 Severity: High | 💰 10,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #ledz1996
🔹 State: 🟢 Resolved
🔹 Disclosed: July 5, 2022, 4:28pm (UTC)

SSRF via Office file thumbnails

👉 https://hackerone.com/reports/671935

🔹 Severity: Critical | 💰 4,000 USD
🔹 Reported To: Slack
🔹 Reported By: #ziot
🔹 State: 🟢 Resolved
🔹 Disclosed: July 5, 2022, 6:40pm (UTC)

Blind User-Agent SQL Injection to Blind Remote OS Command Execution at █████████

👉 https://hackerone.com/reports/1339430

🔹 Severity: Critical
🔹 Reported To: Sony
🔹 Reported By: #echidonut
🔹 State: 🟢 Resolved
🔹 Disclosed: July 6, 2022, 5:44pm (UTC)

Ownership check missing when updating or deleting attachments

👉 https://hackerone.com/reports/1579820

🔹 Severity: Medium
🔹 Reported To: Nextcloud
🔹 Reported By: #kesselb
🔹 State: 🟢 Resolved
🔹 Disclosed: July 6, 2022, 5:50pm (UTC)

Privilege escalation possible in dovecot when similar passdbs are used

👉 https://hackerone.com/reports/1561579

🔹 Severity: Medium | 💰 900 USD
🔹 Reported To: Open-Xchange
🔹 Reported By: #julezman
🔹 State: 🟢 Resolved
🔹 Disclosed: July 6, 2022, 10:41pm (UTC)

Stack Buffer Overflow via `gmp_sprintf`in `BLSSignature` and `BLSSigShare`

👉 https://hackerone.com/reports/1546935

🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: SKALE Network
🔹 Reported By: #voiddy
🔹 State: 🟢 Resolved
🔹 Disclosed: July 7, 2022, 12:17am (UTC)