many commands can be manipulated to delete identities or affiliations

👉 https://hackerone.com/reports/348090

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Hyperledger
🔹 Reported By: #cet2000
🔹 State: 🟢 Resolved
🔹 Disclosed: August 10, 2022, 2:23pm (UTC)

Redirection in Repeater & Intruder Tab

👉 https://hackerone.com/reports/1541301

🔹 Severity: Low | 💰 150 USD
🔹 Reported To: PortSwigger Web Security
🔹 Reported By: #mr_vrush
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2022, 11:09am (UTC)

Disable xmlrpc.php file

👉 https://hackerone.com/reports/712321

🔹 Severity: Low
🔹 Reported To: Top Echelon Software
🔹 Reported By: #sohelahmed786
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2022, 12:50pm (UTC)

fix(security):Path Traversal Bug

👉 https://hackerone.com/reports/1664244

🔹 Severity: High
🔹 Reported To: Hyperledger
🔹 Reported By: #bhaskar_ram
🔹 State: 🔴 N/A
🔹 Disclosed: August 11, 2022, 7:53pm (UTC)

Admin panel Exposure without credential at https://plus-website.shopifycloud.com/admin.php

👉 https://hackerone.com/reports/1417288

🔹 Severity: Medium | 💰 2,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #0x50d
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2022, 10:21pm (UTC)

Wordpress Users Disclosure (/wp-json/wp/v2/users/)

👉 https://hackerone.com/reports/1663363

🔹 Severity: Medium
🔹 Reported To: Top Echelon Software
🔹 Reported By: #hammodmt
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2022, 8:46pm (UTC)

Disabling context isolation, nodeIntegrationInSubFrames using an unauthorised frame.

👉 https://hackerone.com/reports/1647287

🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #s1r1u5
🔹 State: 🟢 Resolved
🔹 Disclosed: August 11, 2022, 11:08pm (UTC)

Reflected XSS at https://stories.showmax.com/wp-content/themes/theme-internal_ss/blocks/ajax/a.php via `ss_country_filter` param

👉 https://hackerone.com/reports/1663202

🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Showmax
🔹 Reported By: #miron666
🔹 State: 🟢 Resolved
🔹 Disclosed: August 12, 2022, 12:51pm (UTC)

Cross Site Scripting Vulnerability in fabric-sdk-py source code

👉 https://hackerone.com/reports/1670187

🔹 Severity: No Rating
🔹 Reported To: Hyperledger
🔹 Reported By: #bhaskar_ram
🔹 State: ⚪️ Informative
🔹 Disclosed: August 17, 2022, 2:53pm (UTC)

Delimiter injection in GitHub Actions core.exportVariable

👉 https://hackerone.com/reports/1625652

🔹 Severity: Medium | 💰 4,617 USD
🔹 Reported To: GitHub
🔹 Reported By: #jupenur
🔹 State: 🟢 Resolved
🔹 Disclosed: August 18, 2022, 7:44pm (UTC)

CSRF Account Takeover

👉 https://hackerone.com/reports/1253462

🔹 Severity: High | 💰 2,373 USD
🔹 Reported To: TikTok
🔹 Reported By: #s3c
🔹 State: 🟢 Resolved
🔹 Disclosed: August 16, 2022, 9:04pm (UTC)

IDOR on TikTok Seller

👉 https://hackerone.com/reports/1509057

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: TikTok
🔹 Reported By: #aidilarf_2000
🔹 State: 🟢 Resolved
🔹 Disclosed: August 16, 2022, 9:07pm (UTC)

IDOR allowing to read another user's token on the Social Media Ads service

👉 https://hackerone.com/reports/1464168

🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: Semrush
🔹 Reported By: #a_d_a_m
🔹 State: 🟢 Resolved
🔹 Disclosed: August 16, 2022, 7:47am (UTC)

Ingress-nginx annotation injection allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces

👉 https://hackerone.com/reports/1378175

🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #amlweems
🔹 State: 🟢 Resolved
🔹 Disclosed: August 13, 2022, 6:13pm (UTC)

Stored XSS on TikTok Ads

👉 https://hackerone.com/reports/1504202

🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: TikTok
🔹 Reported By: #sinayeganeh
🔹 State: 🟢 Resolved
🔹 Disclosed: August 19, 2022, 1:14am (UTC)

RPC call crashes node

👉 https://hackerone.com/reports/1379707

🔹 Severity: High
🔹 Reported To: Monero
🔹 Reported By: #xfang
🔹 State: 🟢 Resolved
🔹 Disclosed: August 20, 2022, 3:41am (UTC)

Blind SSRF External Interaction on https://mtngbissau.com/

👉 https://hackerone.com/reports/1220688

🔹 Severity: High
🔹 Reported To: MTN Group
🔹 Reported By: #error201
🔹 State: 🟢 Resolved
🔹 Disclosed: August 21, 2022, 8:40am (UTC)

XSS and HTML Injection on the pressable.com search box

👉 https://hackerone.com/reports/1537149

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Automattic
🔹 Reported By: #sawrav-chowdhury
🔹 State: 🟢 Resolved
🔹 Disclosed: August 23, 2022, 6:30pm (UTC)

support.invisionpower.com takeover the subdomain with Zendesk

👉 https://hackerone.com/reports/1646554

🔹 Severity: Medium
🔹 Reported To: Invision Power Services, Inc.
🔹 Reported By: #fthacker101
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2022, 1:10pm (UTC)

Off-by-slash vulnerability in nodejs.org and iojs.org

👉 https://hackerone.com/reports/1631350

🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #nagaro
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2022, 2:11pm (UTC)

Golang expvar Information Disclosure

👉 https://hackerone.com/reports/1650035

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Uber
🔹 Reported By: #mustafa_farrag
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2022, 3:44pm (UTC)