Blind SSRF at packagist.maximum.nl

👉 https://hackerone.com/reports/1538056

🔹 Severity: No Rating | 💰 75 USD
🔹 Reported To: Radancy
🔹 Reported By: #dk4trin
🔹 State: 🟢 Resolved
🔹 Disclosed: July 10, 2022, 12:38pm (UTC)

Homograph attack bypass cause redirection

👉 https://hackerone.com/reports/1285245

🔹 Severity: No Rating | 💰 50 USD
🔹 Reported To: Vanilla
🔹 Reported By: #malek
🔹 State: 🟢 Resolved
🔹 Disclosed: July 10, 2022, 9:38pm (UTC)

Server Side Template Injection on Name parameter during Sign Up process

👉 https://hackerone.com/reports/1104349

🔹 Severity: High
🔹 Reported To: Glovo
🔹 Reported By: #battle_angel
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 8:42am (UTC)

Getting a free delivery by singing up from "admin_@glovoapp.com"

👉 https://hackerone.com/reports/1296584

🔹 Severity: Medium
🔹 Reported To: Glovo
🔹 Reported By: #cmuppin
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 8:42am (UTC)

Mass Account Takeover at https://app.taxjar.com/ - No user Interaction

👉 https://hackerone.com/reports/1581240

🔹 Severity: Critical | 💰 11,500 USD
🔹 Reported To: Stripe
🔹 Reported By: #beerboy_ankit
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 1:50pm (UTC)

Able to view hackerone reports attachments

👉 https://hackerone.com/reports/979787

🔹 Severity: Critical | 💰 12,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #sateeshn
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 4:00pm (UTC)

Theme editor `oseid` parameter is leaked to third-party services through the `Referer` header which leads to somekind of storefront password bypass.

👉 https://hackerone.com/reports/1262434

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #saltymermaid
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 5:13pm (UTC)

Collaborators and Staff members without all necessary permissions are able to create, edit and install custom apps

👉 https://hackerone.com/reports/1555502

🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #kun_19
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 5:50pm (UTC)

Improper deep link validation

👉 https://hackerone.com/reports/1087744

🔹 Severity: Low | 💰 600 USD
🔹 Reported To: Shopify
🔹 Reported By: #fr4via
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 7:51pm (UTC)

[h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserTfaEnforcement

👉 https://hackerone.com/reports/1085042

🔹 Severity: Medium | 💰 950 USD
🔹 Reported To: Shopify
🔹 Reported By: #ramsexy
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 9:15pm (UTC)

[h1-2102] Stored XSS in product denoscription via `productUpdate` GraphQL query leads to XSS at handshake-web-internal.shopifycloud.com/products/[ID]

👉 https://hackerone.com/reports/1085546

🔹 Severity: Medium | 💰 1,600 USD
🔹 Reported To: Shopify
🔹 Reported By: #intidc
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 9:33pm (UTC)

[h1-2102] HTML injection in packing slips can lead to physical theft

👉 https://hackerone.com/reports/1087122

🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #intidc
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 9:35pm (UTC)

Github base action takeover which is used in `github.com/Shopify/unity-buy-sdk`

👉 https://hackerone.com/reports/1439355

🔹 Severity: Low | 💰 800 USD
🔹 Reported To: Shopify
🔹 Reported By: #codermak
🔹 State: 🟢 Resolved
🔹 Disclosed: July 12, 2022, 4:17am (UTC)

[CVE-2021-44228] nps.acronis.com is vulnerable to the recent log4shell 0-day

👉 https://hackerone.com/reports/1425474

🔹 Severity: Critical | 💰 1,000 USD
🔹 Reported To: Acronis
🔹 Reported By: #rhinestonecowboy
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2022, 12:26am (UTC)

CVE-2021-40438 on cp-eu2.acronis.com

👉 https://hackerone.com/reports/1370731

🔹 Severity: High | 💰 150 USD
🔹 Reported To: Acronis
🔹 Reported By: #savik
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2022, 3:17am (UTC)

rubygems.org Batching attack to `confirmation_token` by bypass rate limit

👉 https://hackerone.com/reports/1559262

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #ooooooo_q
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2022, 4:04am (UTC)

One Click XSS in [www.shopify.com]

👉 https://hackerone.com/reports/1563334

🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #comwrg
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2022, 6:13am (UTC)

Undici ProxyAgent vulnerable to MITM

👉 https://hackerone.com/reports/1599063

🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #pimterry
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2022, 1:20pm (UTC)

Undici does not use CONNECT or otherwise validate upstream HTTPS certificates when using a proxy

👉 https://hackerone.com/reports/1583680

🔹 Severity: High
🔹 Reported To: Node.js
🔹 Reported By: #pimterry
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2022, 2:47pm (UTC)

Stored XSS for Grafana dashboard URL

👉 https://hackerone.com/reports/684268

🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: GitLab
🔹 Reported By: #xanbanx
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2022, 3:12pm (UTC)

[h1-2102] shopApps query from the graphql at /users/api returns all existing created apps, including private ones

👉 https://hackerone.com/reports/1085332

🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #inhibitor181
🔹 State: 🟢 Resolved
🔹 Disclosed: July 15, 2022, 8:23am (UTC)