Brute force of a current password on a disable 2fa leads to guess password and disable 2fa.

👉 https://hackerone.com/reports/1465277

🔹 Severity: No Rating
🔹 Reported To: Omise
🔹 Reported By: #sachinrajput
🔹 State: 🟢 Resolved
🔹 Disclosed: July 7, 2022, 4:35pm (UTC)

HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding

👉 https://hackerone.com/reports/1501679

🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #zeyu2001
🔹 State: 🟢 Resolved
🔹 Disclosed: July 7, 2022, 5:26pm (UTC)

HTTP Request Smuggling Due To Improper Delimiting of Header Fields

👉 https://hackerone.com/reports/1524692

🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #zeyu2001
🔹 State: 🟢 Resolved
🔹 Disclosed: July 7, 2022, 5:26pm (UTC)

HTTP Request Smuggling Due to Flawed Parsing of Transfer-Encoding

👉 https://hackerone.com/reports/1524555

🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #zeyu2001
🔹 State: 🟢 Resolved
🔹 Disclosed: July 7, 2022, 5:28pm (UTC)

Clickjacking Vulnerability In Whole Page Ads Tiktok

👉 https://hackerone.com/reports/1418857

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: TikTok
🔹 Reported By: #rioncool22
🔹 State: 🟢 Resolved
🔹 Disclosed: July 7, 2022, 11:18pm (UTC)

Exposed valid AWS, Mysql, Sendgrid and other secrets

👉 https://hackerone.com/reports/1580567

🔹 Severity: Critical
🔹 Reported To: Glovo
🔹 Reported By: #mehdisadir
🔹 State: 🟢 Resolved
🔹 Disclosed: July 8, 2022, 3:48pm (UTC)

Open Redirect through POST Request in www.redditinc.com

👉 https://hackerone.com/reports/1310230

🔹 Severity: Medium
🔹 Reported To: Reddit
🔹 Reported By: #kratul
🔹 State: ⚪️ Informative
🔹 Disclosed: July 8, 2022, 7:02pm (UTC)

Unauthorized packages modification or secrets exfiltration via GitHub actions

👉 https://hackerone.com/reports/1548870

🔹 Severity: High | 💰 1,500 USD
🔹 Reported To: Hyperledger
🔹 Reported By: #dusty_wormwood
🔹 State: 🟢 Resolved
🔹 Disclosed: July 8, 2022, 7:51pm (UTC)

Read beyond bounds in ap_strcmp_match() [zhbug_httpd_47.7]

👉 https://hackerone.com/reports/1595281

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #tdp3kel9g
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2022, 1:39pm (UTC)

Controllable read beyond bounds in lua_websocket_readbytes() [zhbug_httpd_126]

👉 https://hackerone.com/reports/1595290

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #tdp3kel9g
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2022, 1:45pm (UTC)

Read beyond bounds in mod_isapi.c [zhbug_httpd_41]

👉 https://hackerone.com/reports/1595296

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #tdp3kel9g
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2022, 1:50pm (UTC)

Read beyond bounds via ap_rwrite() [zhbug_httpd_47.2]

👉 https://hackerone.com/reports/1595299

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #tdp3kel9g
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2022, 1:54pm (UTC)

Apache HTTP Server: mod_proxy_ajp: Possible request smuggling

👉 https://hackerone.com/reports/1594627

🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #ricterz
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2022, 7:25pm (UTC)

DoS via lua_read_body() [zhbug_httpd_94]

👉 https://hackerone.com/reports/1596252

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #tdp3kel9g
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2022, 8:19pm (UTC)

Blind SSRF at packagist.maximum.nl

👉 https://hackerone.com/reports/1538056

🔹 Severity: No Rating | 💰 75 USD
🔹 Reported To: Radancy
🔹 Reported By: #dk4trin
🔹 State: 🟢 Resolved
🔹 Disclosed: July 10, 2022, 12:38pm (UTC)

Homograph attack bypass cause redirection

👉 https://hackerone.com/reports/1285245

🔹 Severity: No Rating | 💰 50 USD
🔹 Reported To: Vanilla
🔹 Reported By: #malek
🔹 State: 🟢 Resolved
🔹 Disclosed: July 10, 2022, 9:38pm (UTC)

Server Side Template Injection on Name parameter during Sign Up process

👉 https://hackerone.com/reports/1104349

🔹 Severity: High
🔹 Reported To: Glovo
🔹 Reported By: #battle_angel
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 8:42am (UTC)

Getting a free delivery by singing up from "admin_@glovoapp.com"

👉 https://hackerone.com/reports/1296584

🔹 Severity: Medium
🔹 Reported To: Glovo
🔹 Reported By: #cmuppin
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 8:42am (UTC)

Mass Account Takeover at https://app.taxjar.com/ - No user Interaction

👉 https://hackerone.com/reports/1581240

🔹 Severity: Critical | 💰 11,500 USD
🔹 Reported To: Stripe
🔹 Reported By: #beerboy_ankit
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 1:50pm (UTC)

Able to view hackerone reports attachments

👉 https://hackerone.com/reports/979787

🔹 Severity: Critical | 💰 12,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #sateeshn
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 4:00pm (UTC)

Theme editor `oseid` parameter is leaked to third-party services through the `Referer` header which leads to somekind of storefront password bypass.

👉 https://hackerone.com/reports/1262434

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #saltymermaid
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 5:13pm (UTC)