[h1-2102] Stored XSS in product denoscription via `productUpdate` GraphQL query leads to XSS at handshake-web-internal.shopifycloud.com/products/[ID]

👉 https://hackerone.com/reports/1085546

🔹 Severity: Medium | 💰 1,600 USD
🔹 Reported To: Shopify
🔹 Reported By: #intidc
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 9:33pm (UTC)

[h1-2102] HTML injection in packing slips can lead to physical theft

👉 https://hackerone.com/reports/1087122

🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #intidc
🔹 State: 🟢 Resolved
🔹 Disclosed: July 11, 2022, 9:35pm (UTC)

Github base action takeover which is used in `github.com/Shopify/unity-buy-sdk`

👉 https://hackerone.com/reports/1439355

🔹 Severity: Low | 💰 800 USD
🔹 Reported To: Shopify
🔹 Reported By: #codermak
🔹 State: 🟢 Resolved
🔹 Disclosed: July 12, 2022, 4:17am (UTC)

[CVE-2021-44228] nps.acronis.com is vulnerable to the recent log4shell 0-day

👉 https://hackerone.com/reports/1425474

🔹 Severity: Critical | 💰 1,000 USD
🔹 Reported To: Acronis
🔹 Reported By: #rhinestonecowboy
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2022, 12:26am (UTC)

CVE-2021-40438 on cp-eu2.acronis.com

👉 https://hackerone.com/reports/1370731

🔹 Severity: High | 💰 150 USD
🔹 Reported To: Acronis
🔹 Reported By: #savik
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2022, 3:17am (UTC)

rubygems.org Batching attack to `confirmation_token` by bypass rate limit

👉 https://hackerone.com/reports/1559262

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #ooooooo_q
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2022, 4:04am (UTC)

One Click XSS in [www.shopify.com]

👉 https://hackerone.com/reports/1563334

🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #comwrg
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2022, 6:13am (UTC)

Undici ProxyAgent vulnerable to MITM

👉 https://hackerone.com/reports/1599063

🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #pimterry
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2022, 1:20pm (UTC)

Undici does not use CONNECT or otherwise validate upstream HTTPS certificates when using a proxy

👉 https://hackerone.com/reports/1583680

🔹 Severity: High
🔹 Reported To: Node.js
🔹 Reported By: #pimterry
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2022, 2:47pm (UTC)

Stored XSS for Grafana dashboard URL

👉 https://hackerone.com/reports/684268

🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: GitLab
🔹 Reported By: #xanbanx
🔹 State: 🟢 Resolved
🔹 Disclosed: July 13, 2022, 3:12pm (UTC)

[h1-2102] shopApps query from the graphql at /users/api returns all existing created apps, including private ones

👉 https://hackerone.com/reports/1085332

🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #inhibitor181
🔹 State: 🟢 Resolved
🔹 Disclosed: July 15, 2022, 8:23am (UTC)

POST BASED REFLECTED XSS IN dailydeals.mtn.co.za

👉 https://hackerone.com/reports/1451394

🔹 Severity: High
🔹 Reported To: MTN Group
🔹 Reported By: #shuvam321
🔹 State: 🟢 Resolved
🔹 Disclosed: July 15, 2022, 9:56am (UTC)

Add me email address Authentication bypass

👉 https://hackerone.com/reports/1607645

🔹 Severity: No Rating
🔹 Reported To: LinkedIn
🔹 Reported By: #raajeevrathnam
🔹 State: ⚪️ Informative
🔹 Disclosed: July 15, 2022, 4:33pm (UTC)

Insecure Object Permissions for Guest User leads to access to internal documents!

👉 https://hackerone.com/reports/1089583

🔹 Severity: Critical
🔹 Reported To: IBM
🔹 Reported By: #mocr7
🔹 State: 🟢 Resolved
🔹 Disclosed: July 15, 2022, 5:40pm (UTC)

Can use the Reddit android app as usual even though revoking the access of it from reddit.com

👉 https://hackerone.com/reports/1632186

🔹 Severity: Critical
🔹 Reported To: Reddit
🔹 Reported By: #sateeshn
🔹 State: ⚪️ Informative
🔹 Disclosed: July 16, 2022, 11:10am (UTC)

Information disclosure ( Google Sales Channel )

👉 https://hackerone.com/reports/1584718

🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #hydraxanon82
🔹 State: 🟢 Resolved
🔹 Disclosed: July 17, 2022, 2:10pm (UTC)

Open Redirect ███.8x8.com

👉 https://hackerone.com/reports/1637571

🔹 Severity: Low
🔹 Reported To: 8x8
🔹 Reported By: #mr_k0anti
🔹 State: 🟢 Resolved
🔹 Disclosed: July 17, 2022, 11:54pm (UTC)

Public Apache Tomcat /examples example directory

👉 https://hackerone.com/reports/1622624

🔹 Severity: Medium
🔹 Reported To: 8x8
🔹 Reported By: #mr_k0anti
🔹 State: 🟢 Resolved
🔹 Disclosed: July 18, 2022, 12:04am (UTC)

CVE-2019-11248 on http://█.█.█.█:9100/debug/pprof/goroutine

👉 https://hackerone.com/reports/1607940

🔹 Severity: Low
🔹 Reported To: 8x8
🔹 Reported By: #mr_k0anti
🔹 State: 🟢 Resolved
🔹 Disclosed: July 18, 2022, 12:14am (UTC)

Cross-site noscripting (DOM-based)

👉 https://hackerone.com/reports/1512644

🔹 Severity: Medium
🔹 Reported To: OneWeb
🔹 Reported By: #thewikiii
🔹 State: ⚪️ Informative
🔹 Disclosed: July 18, 2022, 9:50am (UTC)

unauth mosquitto ( client emails, ips, license keys exposure )

👉 https://hackerone.com/reports/1578574

🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Acronis
🔹 Reported By: #second_grade_pentester
🔹 State: 🟢 Resolved
🔹 Disclosed: July 18, 2022, 11:39am (UTC)