CSRF Account Takeover

👉 https://hackerone.com/reports/1253462

🔹 Severity: High | 💰 2,373 USD
🔹 Reported To: TikTok
🔹 Reported By: #s3c
🔹 State: 🟢 Resolved
🔹 Disclosed: August 16, 2022, 9:04pm (UTC)

IDOR on TikTok Seller

👉 https://hackerone.com/reports/1509057

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: TikTok
🔹 Reported By: #aidilarf_2000
🔹 State: 🟢 Resolved
🔹 Disclosed: August 16, 2022, 9:07pm (UTC)

IDOR allowing to read another user's token on the Social Media Ads service

👉 https://hackerone.com/reports/1464168

🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: Semrush
🔹 Reported By: #a_d_a_m
🔹 State: 🟢 Resolved
🔹 Disclosed: August 16, 2022, 7:47am (UTC)

Ingress-nginx annotation injection allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces

👉 https://hackerone.com/reports/1378175

🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #amlweems
🔹 State: 🟢 Resolved
🔹 Disclosed: August 13, 2022, 6:13pm (UTC)

Stored XSS on TikTok Ads

👉 https://hackerone.com/reports/1504202

🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: TikTok
🔹 Reported By: #sinayeganeh
🔹 State: 🟢 Resolved
🔹 Disclosed: August 19, 2022, 1:14am (UTC)

RPC call crashes node

👉 https://hackerone.com/reports/1379707

🔹 Severity: High
🔹 Reported To: Monero
🔹 Reported By: #xfang
🔹 State: 🟢 Resolved
🔹 Disclosed: August 20, 2022, 3:41am (UTC)

Blind SSRF External Interaction on https://mtngbissau.com/

👉 https://hackerone.com/reports/1220688

🔹 Severity: High
🔹 Reported To: MTN Group
🔹 Reported By: #error201
🔹 State: 🟢 Resolved
🔹 Disclosed: August 21, 2022, 8:40am (UTC)

XSS and HTML Injection on the pressable.com search box

👉 https://hackerone.com/reports/1537149

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Automattic
🔹 Reported By: #sawrav-chowdhury
🔹 State: 🟢 Resolved
🔹 Disclosed: August 23, 2022, 6:30pm (UTC)

support.invisionpower.com takeover the subdomain with Zendesk

👉 https://hackerone.com/reports/1646554

🔹 Severity: Medium
🔹 Reported To: Invision Power Services, Inc.
🔹 Reported By: #fthacker101
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2022, 1:10pm (UTC)

Off-by-slash vulnerability in nodejs.org and iojs.org

👉 https://hackerone.com/reports/1631350

🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #nagaro
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2022, 2:11pm (UTC)

Golang expvar Information Disclosure

👉 https://hackerone.com/reports/1650035

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Uber
🔹 Reported By: #mustafa_farrag
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2022, 3:44pm (UTC)

Reflected XSS on pages.email.sel.sony.com/page.aspx via jobid parameter

👉 https://hackerone.com/reports/1309949

🔹 Severity: Medium
🔹 Reported To: Sony
🔹 Reported By: #leo_rac
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2022, 5:59pm (UTC)

NordVPN Linux Client - Unsafe service file permissions leads to Local Privilege Escalation

👉 https://hackerone.com/reports/1218523

🔹 Severity: Medium | 💰 700 USD
🔹 Reported To: Nord Security
🔹 Reported By: #bashketchum
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2022, 6:48pm (UTC)

Pause-based desync in Apache HTTPD

👉 https://hackerone.com/reports/1667974

🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #albinowax
🔹 State: 🟢 Resolved
🔹 Disclosed: August 25, 2022, 7:02am (UTC)

Default Login Credentials on https://broadbandmaps.mtn.com.gh/

👉 https://hackerone.com/reports/1297480

🔹 Severity: Critical
🔹 Reported To: MTN Group
🔹 Reported By: #theranger
🔹 State: 🟢 Resolved
🔹 Disclosed: August 25, 2022, 11:05am (UTC)

Non-revoked API Key Information disclosure via Stripo_report()

👉 https://hackerone.com/reports/1613714

🔹 Severity: Medium
🔹 Reported To: Stripo Inc
🔹 Reported By: #deb0con
🔹 State: 🟢 Resolved
🔹 Disclosed: August 25, 2022, 11:05am (UTC)

Unauthorized access

👉 https://hackerone.com/reports/1669176

🔹 Severity: Medium
🔹 Reported To: GitLab
🔹 Reported By: #mega7
🔹 State: ⚪️ Informative
🔹 Disclosed: August 25, 2022, 2:14pm (UTC)

Privilege Escalation - "Analyst" Role Can View Email Domains of a Company - [GET /voyager/api/voyagerOrganizationDashEmailDomainMappings]

👉 https://hackerone.com/reports/1572591

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: LinkedIn
🔹 Reported By: #naaash
🔹 State: 🟢 Resolved
🔹 Disclosed: August 26, 2022, 6:38pm (UTC)

weak protection against brute-forcing on login api leads to account takeover

👉 https://hackerone.com/reports/766875

🔹 Severity: Critical
🔹 Reported To: Palo Alto Software
🔹 Reported By: #zer0code
🔹 State: 🟢 Resolved
🔹 Disclosed: August 29, 2022, 6:23pm (UTC)

TikTok's pixel/sdk.js leaks current URL from websites using postMessage

👉 https://hackerone.com/reports/1598749

🔹 Severity: Medium | 💰 1,500 USD
🔹 Reported To: TikTok
🔹 Reported By: #fransrosen
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2022, 6:25pm (UTC)

Blind SSRF on platform.dash.cloudflare.com Due to Sentry misconfiguration

👉 https://hackerone.com/reports/1467044

🔹 Severity: Low | 💰 200 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #lohigowda
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2022, 10:54am (UTC)