Acronis True Image Local Privilege Escalation Due To Race Condition In Application Verification

👉 https://hackerone.com/reports/1251464

🔹 Severity: High | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #vkas-afk
🔹 State: 🟢 Resolved
🔹 Disclosed: July 28, 2022, 10:32am (UTC)

Hijack all emails sent to any domain that uses Cloudflare Email Forwarding

👉 https://hackerone.com/reports/1419341

🔹 Severity: Critical | 💰 6,000 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #albertspedersen
🔹 State: 🟢 Resolved
🔹 Disclosed: July 28, 2022, 4:35pm (UTC)

Twitter Account hijack through broken link in https://runpanther.io

👉 https://hackerone.com/reports/1607429

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Panther Labs
🔹 Reported By: #prakash142
🔹 State: 🟢 Resolved
🔹 Disclosed: July 28, 2022, 4:57pm (UTC)

Channel statistics up-to-date

🥇Total awarded amount - 💰2,994,628
🥈Total bug reports - 3,350
🥉Total reporters - 1,654

Reports counts by severity rating:

🔵 medium - 1333
🟠 high - 689
🟢 low - 659
🔴 critical - 359
🟤 none - 310

Top 10 participants by vulnerabilities found:

#skavans < 34 < 💰68,911
#nyymi < 33 < 💰21,320
#rtod < 33 < 💰11,200
#jon_bottarini < 32 < 💰36,773
#nagli < 31 < 💰4,961
#luchua < 26 < 💰47,700
#executor < 23 < 💰9,100
#ihsinme < 22 < 💰25,650
#lu3ky-13 < 21 < 💰4,048
#d3lla < 20 < 💰9,900

Top 10 teams by resolved reports:

Mail.ru > 305 > 💰314,033
U.S. Dept Of Defense > 290 > 💰8,000
GitHub Security Lab > 158 > 💰203,750
Shopify > 139 > 💰256,050
Nextcloud > 128 > 💰20,575
GitLab > 97 > 💰405,160
curl > 87 > 💰16,700
New Relic > 82 > 💰104,490
Acronis > 80 > 💰12,837
HackerOne > 68 > 💰63,501

HTML Injection via TikTok Ads Email Share

👉 https://hackerone.com/reports/1376990

🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: July 28, 2022, 10:08pm (UTC)

@nextcloud/logger NPM package brings vulnerable ansi-regex version

👉 https://hackerone.com/reports/1607601

🔹 Severity: Low
🔹 Reported To: Nextcloud
🔹 Reported By: #ro0telqayser
🔹 State: 🟢 Resolved
🔹 Disclosed: July 29, 2022, 10:18am (UTC)

Send Fax from Anyone's HelloFax Account Due to Misconfigured Email Validation

👉 https://hackerone.com/reports/1428385

🔹 Severity: High | 💰 4,913 USD
🔹 Reported To: Dropbox
🔹 Reported By: #sayaanalam
🔹 State: 🟢 Resolved
🔹 Disclosed: July 29, 2022, 5:18pm (UTC)

Possible to make restricted files public on Phabricator via Diffusion

👉 https://hackerone.com/reports/1560717

🔹 Severity: No Rating | 💰 2,000 USD
🔹 Reported To: Phabricator
🔹 Reported By: #dyls
🔹 State: 🟢 Resolved
🔹 Disclosed: July 29, 2022, 10:37pm (UTC)

Open redirection at https://smartreports.mtncameroon.net

👉 https://hackerone.com/reports/1530396

🔹 Severity: Low
🔹 Reported To: MTN Group
🔹 Reported By: #vulnera
🔹 State: 🟢 Resolved
🔹 Disclosed: July 30, 2022, 1:38am (UTC)

Corsa Site Scripting Vulnerability (XSS)

👉 https://hackerone.com/reports/1650210

🔹 Severity: High
🔹 Reported To: Hyperledger
🔹 Reported By: #bhaskar_ram
🔹 State: 🔴 N/A
🔹 Disclosed: July 30, 2022, 2:37pm (UTC)

Open S3 Bucket Accessible by any Aws User

👉 https://hackerone.com/reports/1654145

🔹 Severity: No Rating
🔹 Reported To: GoCD
🔹 Reported By: #khalidou
🔹 State: 🟢 Resolved
🔹 Disclosed: July 31, 2022, 3:02am (UTC)

Race condition on https://judge.me/people

👉 https://hackerone.com/reports/1566017

🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Judge.me
🔹 Reported By: #netboom
🔹 State: 🟢 Resolved
🔹 Disclosed: August 1, 2022, 5:28am (UTC)

Insecure use of shell.openExternal() in Rocket.Chat Desktop App leading to RCE

👉 https://hackerone.com/reports/924151

🔹 Severity: Critical
🔹 Reported To: Rocket.Chat
🔹 Reported By: #baltpeter
🔹 State: 🟢 Resolved
🔹 Disclosed: August 1, 2022, 10:17am (UTC)

delete the subaccount from the user id

👉 https://hackerone.com/reports/1646340

🔹 Severity: Medium | 💰 700 USD
🔹 Reported To: Showmax
🔹 Reported By: #qualwin38000
🔹 State: 🟢 Resolved
🔹 Disclosed: August 1, 2022, 1:05pm (UTC)

Insecure TLS Configuration #3530

👉 https://hackerone.com/reports/1639423

🔹 Severity: Low
🔹 Reported To: Hyperledger
🔹 Reported By: #bhaskar_ram
🔹 State: 🔴 N/A
🔹 Disclosed: August 1, 2022, 2:04pm (UTC)

Found Origin IP's lead to access to gitlab

👉 https://hackerone.com/reports/1637577

🔹 Severity: Medium
🔹 Reported To: GitLab
🔹 Reported By: #m-narayanan
🔹 State: ⚪️ Informative
🔹 Disclosed: August 2, 2022, 4:51am (UTC)

One-click account hijack for anyone using Apple sign-in with Reddit, due to response-type switch + leaking href to XSS on www.redditmedia.com

👉 https://hackerone.com/reports/1567186

🔹 Severity: Critical | 💰 10,000 USD
🔹 Reported To: Reddit
🔹 Reported By: #fransrosen
🔹 State: 🟢 Resolved
🔹 Disclosed: August 2, 2022, 3:13pm (UTC)

XSS in redditmedia.com can compromise data of reddit.com

👉 https://hackerone.com/reports/862882

🔹 Severity: Medium
🔹 Reported To: Reddit
🔹 Reported By: #keer0k
🔹 State: 🔴 N/A
🔹 Disclosed: August 3, 2022, 3:40pm (UTC)

Unrestricted File Upload Blind Stored Xss in subdomain ads.tiktok.com

👉 https://hackerone.com/reports/1577370

🔹 Severity: Low | 💰 250 USD
🔹 Reported To: TikTok
🔹 Reported By: #mrzheev
🔹 State: 🟢 Resolved
🔹 Disclosed: August 4, 2022, 1:31am (UTC)

Sensei LMS IDOR to send message

👉 https://hackerone.com/reports/1592596

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Automattic
🔹 Reported By: #ghimire_veshraj
🔹 State: 🟢 Resolved
🔹 Disclosed: August 4, 2022, 10:17am (UTC)

Unauthenticated Private Messages DIsclosure via wordpress Rest API

👉 https://hackerone.com/reports/1590237

🔹 Severity: Medium | 💰 350 USD
🔹 Reported To: Automattic
🔹 Reported By: #ghimire_veshraj
🔹 State: 🟢 Resolved
🔹 Disclosed: August 4, 2022, 10:45am (UTC)