June 2022 Incident Report

👉 https://hackerone.com/reports/1622449

🔹 Severity: Critical
🔹 Reported To: HackerOne
🔹 Reported By: #jobert
🔹 State: 🟢 Resolved
🔹 Disclosed: July 1, 2022, 7:13pm (UTC)

Federated editing allows iframing possibly malicious remotes

👉 https://hackerone.com/reports/1210424

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #rtod
🔹 State: 🟢 Resolved
🔹 Disclosed: July 2, 2022, 9:10am (UTC)

Moderators can send messages to users from banned subreddits via `oauth.reddit.com/api/mod/conversations`

👉 https://hackerone.com/reports/1543770

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Reddit
🔹 Reported By: #zqyzoid
🔹 State: 🟢 Resolved
🔹 Disclosed: July 4, 2022, 12:59pm (UTC)

SMTP Command Injection in iCalendar Attachments to Emails via Newlines

👉 https://hackerone.com/reports/1516377

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #spaceraccoon
🔹 State: 🟢 Resolved
🔹 Disclosed: July 4, 2022, 1:10pm (UTC)

Reflected XSS on https://wwwapps.ups.com/ctc/request?loc=

👉 https://hackerone.com/reports/1536461

🔹 Severity: Medium
🔹 Reported To: UPS VDP
🔹 Reported By: #3amoura
🔹 State: 🟢 Resolved
🔹 Disclosed: July 5, 2022, 12:03pm (UTC)

Reflected Cross site Scripting (XSS) on https://one.newrelic.com

👉 https://hackerone.com/reports/1367642

🔹 Severity: High | 💰 2,048 USD
🔹 Reported To: New Relic
🔹 Reported By: #sairanga
🔹 State: 🟢 Resolved
🔹 Disclosed: July 5, 2022, 1:55pm (UTC)

Exposure of a valid Gitlab-Workhorse JWT leading to various bad things

👉 https://hackerone.com/reports/1040786

🔹 Severity: High | 💰 10,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #ledz1996
🔹 State: 🟢 Resolved
🔹 Disclosed: July 5, 2022, 4:28pm (UTC)

SSRF via Office file thumbnails

👉 https://hackerone.com/reports/671935

🔹 Severity: Critical | 💰 4,000 USD
🔹 Reported To: Slack
🔹 Reported By: #ziot
🔹 State: 🟢 Resolved
🔹 Disclosed: July 5, 2022, 6:40pm (UTC)

Blind User-Agent SQL Injection to Blind Remote OS Command Execution at █████████

👉 https://hackerone.com/reports/1339430

🔹 Severity: Critical
🔹 Reported To: Sony
🔹 Reported By: #echidonut
🔹 State: 🟢 Resolved
🔹 Disclosed: July 6, 2022, 5:44pm (UTC)

Ownership check missing when updating or deleting attachments

👉 https://hackerone.com/reports/1579820

🔹 Severity: Medium
🔹 Reported To: Nextcloud
🔹 Reported By: #kesselb
🔹 State: 🟢 Resolved
🔹 Disclosed: July 6, 2022, 5:50pm (UTC)

Privilege escalation possible in dovecot when similar passdbs are used

👉 https://hackerone.com/reports/1561579

🔹 Severity: Medium | 💰 900 USD
🔹 Reported To: Open-Xchange
🔹 Reported By: #julezman
🔹 State: 🟢 Resolved
🔹 Disclosed: July 6, 2022, 10:41pm (UTC)

Stack Buffer Overflow via `gmp_sprintf`in `BLSSignature` and `BLSSigShare`

👉 https://hackerone.com/reports/1546935

🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: SKALE Network
🔹 Reported By: #voiddy
🔹 State: 🟢 Resolved
🔹 Disclosed: July 7, 2022, 12:17am (UTC)

Remote denial of service in HyperLedger Fabric

👉 https://hackerone.com/reports/1604951

🔹 Severity: High | 💰 1,500 USD
🔹 Reported To: Hyperledger
🔹 Reported By: #fatal0
🔹 State: 🟢 Resolved
🔹 Disclosed: July 7, 2022, 11:55am (UTC)

Brute force of a current password on a disable 2fa leads to guess password and disable 2fa.

👉 https://hackerone.com/reports/1465277

🔹 Severity: No Rating
🔹 Reported To: Omise
🔹 Reported By: #sachinrajput
🔹 State: 🟢 Resolved
🔹 Disclosed: July 7, 2022, 4:35pm (UTC)

HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding

👉 https://hackerone.com/reports/1501679

🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #zeyu2001
🔹 State: 🟢 Resolved
🔹 Disclosed: July 7, 2022, 5:26pm (UTC)

HTTP Request Smuggling Due To Improper Delimiting of Header Fields

👉 https://hackerone.com/reports/1524692

🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #zeyu2001
🔹 State: 🟢 Resolved
🔹 Disclosed: July 7, 2022, 5:26pm (UTC)

HTTP Request Smuggling Due to Flawed Parsing of Transfer-Encoding

👉 https://hackerone.com/reports/1524555

🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #zeyu2001
🔹 State: 🟢 Resolved
🔹 Disclosed: July 7, 2022, 5:28pm (UTC)

Clickjacking Vulnerability In Whole Page Ads Tiktok

👉 https://hackerone.com/reports/1418857

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: TikTok
🔹 Reported By: #rioncool22
🔹 State: 🟢 Resolved
🔹 Disclosed: July 7, 2022, 11:18pm (UTC)

Exposed valid AWS, Mysql, Sendgrid and other secrets

👉 https://hackerone.com/reports/1580567

🔹 Severity: Critical
🔹 Reported To: Glovo
🔹 Reported By: #mehdisadir
🔹 State: 🟢 Resolved
🔹 Disclosed: July 8, 2022, 3:48pm (UTC)

Open Redirect through POST Request in www.redditinc.com

👉 https://hackerone.com/reports/1310230

🔹 Severity: Medium
🔹 Reported To: Reddit
🔹 Reported By: #kratul
🔹 State: ⚪️ Informative
🔹 Disclosed: July 8, 2022, 7:02pm (UTC)

Unauthorized packages modification or secrets exfiltration via GitHub actions

👉 https://hackerone.com/reports/1548870

🔹 Severity: High | 💰 1,500 USD
🔹 Reported To: Hyperledger
🔹 Reported By: #dusty_wormwood
🔹 State: 🟢 Resolved
🔹 Disclosed: July 8, 2022, 7:51pm (UTC)