Unauthorized packages modification or secrets exfiltration via GitHub actions

👉 https://hackerone.com/reports/1548870

🔹 Severity: High | 💰 1,500 USD
🔹 Reported To: Hyperledger
🔹 Reported By: #dusty_wormwood
🔹 State: 🟢 Resolved
🔹 Disclosed: July 8, 2022, 7:51pm (UTC)

Read beyond bounds in ap_strcmp_match() [zhbug_httpd_47.7]

👉 https://hackerone.com/reports/1595281

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #tdp3kel9g
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2022, 1:39pm (UTC)

Controllable read beyond bounds in lua_websocket_readbytes() [zhbug_httpd_126]

👉 https://hackerone.com/reports/1595290

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #tdp3kel9g
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2022, 1:45pm (UTC)

Read beyond bounds in mod_isapi.c [zhbug_httpd_41]

👉 https://hackerone.com/reports/1595296

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #tdp3kel9g
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2022, 1:50pm (UTC)

Read beyond bounds via ap_rwrite() [zhbug_httpd_47.2]

👉 https://hackerone.com/reports/1595299

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #tdp3kel9g
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2022, 1:54pm (UTC)

Apache HTTP Server: mod_proxy_ajp: Possible request smuggling

👉 https://hackerone.com/reports/1594627

🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #ricterz
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2022, 7:25pm (UTC)

DoS via lua_read_body() [zhbug_httpd_94]

👉 https://hackerone.com/reports/1596252

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #tdp3kel9g
🔹 State: 🟢 Resolved
🔹 Disclosed: July 9, 2022, 8:19pm (UTC)

Blind SSRF at packagist.maximum.nl

👉 https://hackerone.com/reports/1538056

🔹 Severity: No Rating | 💰 75 USD
🔹 Reported To: Radancy
🔹 Reported By: #dk4trin
🔹 State: 🟢 Resolved
🔹 Disclosed: July 10, 2022, 12:38pm (UTC)

Homograph attack bypass cause redirection

👉 https://hackerone.com/reports/1285245

🔹 Severity: No Rating | 💰 50 USD
🔹 Reported To: Vanilla
🔹 Reported By: #malek
🔹 State: 🟢 Resolved
🔹 Disclosed: July 10, 2022, 9:38pm (UTC)

Server Side Template Injection on Name parameter during Sign Up process

👉 https://hackerone.com/reports/1104349

🔹 Severity: High
🔹 Reported To: Glovo
🔹 Reported By: #battle_angel
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 8:42am (UTC)

Getting a free delivery by singing up from "admin_@glovoapp.com"

👉 https://hackerone.com/reports/1296584

🔹 Severity: Medium
🔹 Reported To: Glovo
🔹 Reported By: #cmuppin
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 8:42am (UTC)

Mass Account Takeover at https://app.taxjar.com/ - No user Interaction

👉 https://hackerone.com/reports/1581240

🔹 Severity: Critical | 💰 11,500 USD
🔹 Reported To: Stripe
🔹 Reported By: #beerboy_ankit
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 1:50pm (UTC)

Able to view hackerone reports attachments

👉 https://hackerone.com/reports/979787

🔹 Severity: Critical | 💰 12,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #sateeshn
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 4:00pm (UTC)

Theme editor `oseid` parameter is leaked to third-party services through the `Referer` header which leads to somekind of storefront password bypass.

👉 https://hackerone.com/reports/1262434

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #saltymermaid
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 5:13pm (UTC)

Collaborators and Staff members without all necessary permissions are able to create, edit and install custom apps

👉 https://hackerone.com/reports/1555502

🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #kun_19
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 5:50pm (UTC)

Improper deep link validation

👉 https://hackerone.com/reports/1087744

🔹 Severity: Low | 💰 600 USD
🔹 Reported To: Shopify
🔹 Reported By: #fr4via
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 7:51pm (UTC)

[h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserTfaEnforcement

👉 https://hackerone.com/reports/1085042

🔹 Severity: Medium | 💰 950 USD
🔹 Reported To: Shopify
🔹 Reported By: #ramsexy
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 9:15pm (UTC)

[h1-2102] Stored XSS in product denoscription via `productUpdate` GraphQL query leads to XSS at handshake-web-internal.shopifycloud.com/products/[ID]

👉 https://hackerone.com/reports/1085546

🔹 Severity: Medium | 💰 1,600 USD
🔹 Reported To: Shopify
🔹 Reported By: #intidc
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 9:33pm (UTC)

[h1-2102] HTML injection in packing slips can lead to physical theft

👉 https://hackerone.com/reports/1087122

🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #intidc
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 9:35pm (UTC)

Github base action takeover which is used in `github.com/Shopify/unity-buy-sdk`

👉 https://hackerone.com/reports/1439355

🔹 Severity: Low | 💰 800 USD
🔹 Reported To: Shopify
🔹 Reported By: #codermak
🔹 State: 🟢 Resolved
🔹 Disclosed: July 12, 2022, 4:17am (UTC)

[CVE-2021-44228] nps.acronis.com is vulnerable to the recent log4shell 0-day

👉 https://hackerone.com/reports/1425474

🔹 Severity: Critical | 💰 1,000 USD
🔹 Reported To: Acronis
🔹 Reported By: #rhinestonecowboy
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2022, 12:26am (UTC)