Use-after-free in setsockopt IPV6_2292PKTOPTIONS (CVE-2020-7457)
👉 https://hackerone.com/reports/1441103
🔹 Severity: High | 💰 10,000 USD
🔹 Reported To: PlayStation
🔹 Reported By: #theflow0
🔹 State: 🟢 Resolved
🔹 Disclosed: September 20, 2022, 9:16pm (UTC)
IDOR on Tagged People
👉 https://hackerone.com/reports/1555376
🔹 Severity: Medium | 💰 3,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #apapedulimu
🔹 State: 🟢 Resolved
🔹 Disclosed: September 20, 2022, 10:17pm (UTC)
DOS: out of memory from gif through upload api
👉 https://hackerone.com/reports/1620170
🔹 Severity: Low | 💰 150 USD
🔹 Reported To: Mattermost
🔹 Reported By: #catenacyber
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2022, 8:49am (UTC)
size_t-to-int vulnerability in exFAT leads to memory corruption via malformed USB flash drives
👉 https://hackerone.com/reports/1340942
🔹 Severity: High | 💰 10,000 USD
🔹 Reported To: PlayStation
🔹 Reported By: #theflow0
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2022, 7:06pm (UTC)
Create product discounts of any shop
👉 https://hackerone.com/reports/1571578
🔹 Severity: Medium | 💰 4,500 USD
🔹 Reported To: TikTok
🔹 Reported By: #datph4m
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2022, 10:39pm (UTC)
Add products to any livestream.
👉 https://hackerone.com/reports/1654657
🔹 Severity: Medium | 💰 3,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #datph4m
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2022, 10:41pm (UTC)
DLL Search-Order Hijacking Vulnerability in work-64-exe-v7.16.3-1.exe
👉 https://hackerone.com/reports/1519437
🔹 Severity: Low
🔹 Reported To: 8x8
🔹 Reported By: #is-
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 3:19am (UTC)
XSS in ZenTao integration affecting self hosted instances without strict CSP
👉 https://hackerone.com/reports/1542510
🔹 Severity: High | 💰 13,950 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 9:10am (UTC)
Regex account takeover
👉 https://hackerone.com/reports/1581059
🔹 Severity: Critical
🔹 Reported To: Rocket.Chat
🔹 Reported By: #ghaem51
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:00pm (UTC)
Persistent CSS injection with 'marked' markdown parser in Rocket.Chat
👉 https://hackerone.com/reports/1401268
🔹 Severity: High
🔹 Reported To: Rocket.Chat
🔹 Reported By: #danieljpp
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:00pm (UTC)
It is possible to elevate privileges for any authenticated user to view permissions matrix and view Direct messages without appropriate permissions.
👉 https://hackerone.com/reports/917946
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #garretby
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:00pm (UTC)
getUserMentionsByChannel leaks messages with mention from private channel
👉 https://hackerone.com/reports/1410246
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:01pm (UTC)
Bypass local authentication (PIN code)
👉 https://hackerone.com/reports/1126414
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #dago_669
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:01pm (UTC)
Unintended information disclosure in the Hubot Log files
👉 https://hackerone.com/reports/1394399
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #rolfzur
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:01pm (UTC)
REST API gets `query` as parameter and executes it
👉 https://hackerone.com/reports/1140631
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #paulocsanz
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:02pm (UTC)
Message ID Enumeration with Action Link Handler
👉 https://hackerone.com/reports/1406953
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:02pm (UTC)
TOTP 2 Factor Authentication Bypass
👉 https://hackerone.com/reports/1448268
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:02pm (UTC)
getRoomRoles Method leaks Channel Owner
👉 https://hackerone.com/reports/1447440
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:03pm (UTC)
NoSQL-Injection discloses S3 File Upload URLs
👉 https://hackerone.com/reports/1458020
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:03pm (UTC)
API route chat.getThreadsList leaks private message content
👉 https://hackerone.com/reports/1446767
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:03pm (UTC)
Message ID Enumeration with Regular Expression in getReadReceipts Meteor method
👉 https://hackerone.com/reports/1377105
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:03pm (UTC)
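Several of the Rocket.Chat titles above (REST API gets `query` as parameter and executes it, NoSQL-Injection discloses S3 File Upload URLs, Message ID Enumeration with Regular Expression in getReadReceipts Meteor method) name the same bug class: a server-side method that forwards a client-supplied value into a MongoDB selector without checking that it is the plain string it expected, so the caller can substitute an operator object such as `{$regex: "^a"}` and enumerate identifiers one character at a time. The reports' own details are not on this page. What follows is an added, generic illustration of that class, not Rocket.Chat's code; the collection, method names, sample documents and the tiny in-memory selector matcher are all constructed for the example.

```javascript
// Added example: generic MongoDB operator injection via an unchecked
// "message ID" argument, and the type check that closes it.
// Not Rocket.Chat code; all names and data below are hypothetical.

// Minimal in-memory stand-in for a Mongo collection. It understands
// equality and the $regex operator, which is all this demo needs.
function matchesSelector(doc, selector) {
  return Object.entries(selector).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === 'object' && '$regex' in cond) {
      return typeof value === 'string' && new RegExp(cond.$regex).test(value);
    }
    return value === cond;
  });
}

// Constructed sample messages; the first lives in a room the caller cannot see.
const MESSAGES = [
  { _id: 'a1b2c3', rid: 'private-room', msg: 'secret' },
  { _id: 'a1zzzz', rid: 'general', msg: 'hello' },
  { _id: 'q9q9q9', rid: 'general', msg: 'hi' },
];

function findMessages(selector) {
  return MESSAGES.filter((d) => matchesSelector(d, selector));
}

// Vulnerable: whatever the client sent as messageId lands in the selector,
// so an object like { $regex: '^a1' } is accepted as a query operator.
function getReadReceiptsVulnerable(messageId) {
  return findMessages({ _id: messageId }).map((m) => m._id);
}

// Hardened: only a plain string may reach the selector. In a real Meteor
// method the same guard is check(messageId, String) from the check package.
function getReadReceiptsHardened(messageId) {
  if (typeof messageId !== 'string') {
    throw new TypeError('messageId must be a string');
  }
  return findMessages({ _id: messageId }).map((m) => m._id);
}

// Attacker loop: grow a prefix one character at a time, keeping any character
// for which the server reports at least one match. Returns the recovered ID,
// or '' when the lookup never yields a match (e.g. against the hardened method).
function enumerateId(lookup, alphabet, maxLen) {
  let prefix = '';
  for (let i = 0; i < maxLen; i++) {
    let extended = false;
    for (const ch of alphabet) {
      if (lookup({ $regex: '^' + prefix + ch }).length > 0) {
        prefix += ch;
        extended = true;
        break;
      }
    }
    if (!extended) break;
  }
  return prefix;
}

// Wrapper that treats the hardened method's rejection as "no match".
function safeLookup(selector) {
  try {
    return getReadReceiptsHardened(selector);
  } catch (e) {
    return [];
  }
}

const ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyz';
console.log('vulnerable:', enumerateId(getReadReceiptsVulnerable, ALPHABET, 8));
console.log('hardened:  ', JSON.stringify(enumerateId(safeLookup, ALPHABET, 8)));
```

The type check is the whole fix: once the argument can only be a string, `$regex`, `$ne`, `$in` and the rest of the operator family never reach the database, and the server answers only exact-ID lookups. Checking `typeof` (or `check(x, String)` in Meteor) is cheaper and more robust than trying to strip `$`-prefixed keys from arbitrary objects.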