Create product discounts of any shop
👉 https://hackerone.com/reports/1571578
🔹 Severity: Medium | 💰 4,500 USD
🔹 Reported To: TikTok
🔹 Reported By: #datph4m
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2022, 10:39pm (UTC)
👉 https://hackerone.com/reports/1571578
🔹 Severity: Medium | 💰 4,500 USD
🔹 Reported To: TikTok
🔹 Reported By: #datph4m
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2022, 10:39pm (UTC)
Add products to any livestream.
👉 https://hackerone.com/reports/1654657
🔹 Severity: Medium | 💰 3,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #datph4m
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2022, 10:41pm (UTC)
👉 https://hackerone.com/reports/1654657
🔹 Severity: Medium | 💰 3,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #datph4m
🔹 State: 🟢 Resolved
🔹 Disclosed: September 21, 2022, 10:41pm (UTC)
DLL Search-Order Hijacking Vulnerability in work-64-exe-v7.16.3-1.exe
👉 https://hackerone.com/reports/1519437
🔹 Severity: Low
🔹 Reported To: 8x8
🔹 Reported By: #is-
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 3:19am (UTC)
👉 https://hackerone.com/reports/1519437
🔹 Severity: Low
🔹 Reported To: 8x8
🔹 Reported By: #is-
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 3:19am (UTC)
XSS in ZenTao integration affecting self hosted instances without strict CSP
👉 https://hackerone.com/reports/1542510
🔹 Severity: High | 💰 13,950 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 9:10am (UTC)
👉 https://hackerone.com/reports/1542510
🔹 Severity: High | 💰 13,950 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 9:10am (UTC)
🔥3
Regex account takeover
👉 https://hackerone.com/reports/1581059
🔹 Severity: Critical
🔹 Reported To: Rocket.Chat
🔹 Reported By: #ghaem51
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:00pm (UTC)
👉 https://hackerone.com/reports/1581059
🔹 Severity: Critical
🔹 Reported To: Rocket.Chat
🔹 Reported By: #ghaem51
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:00pm (UTC)
Persistent CSS injection with ’marked’ markdown parser in Rocket.Chat
👉 https://hackerone.com/reports/1401268
🔹 Severity: High
🔹 Reported To: Rocket.Chat
🔹 Reported By: #danieljpp
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:00pm (UTC)
👉 https://hackerone.com/reports/1401268
🔹 Severity: High
🔹 Reported To: Rocket.Chat
🔹 Reported By: #danieljpp
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:00pm (UTC)
It is possible to elevate privileges for any authenticated user to view permissions matrix and view Direct messages without appropriate permissions.
👉 https://hackerone.com/reports/917946
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #garretby
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:00pm (UTC)
👉 https://hackerone.com/reports/917946
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #garretby
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:00pm (UTC)
getUserMentionsByChannel leaks messages with mention from private channel
👉 https://hackerone.com/reports/1410246
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:01pm (UTC)
👉 https://hackerone.com/reports/1410246
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:01pm (UTC)
Bypass local authentication (PIN code)
👉 https://hackerone.com/reports/1126414
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #dago_669
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:01pm (UTC)
👉 https://hackerone.com/reports/1126414
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #dago_669
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:01pm (UTC)
Unintended information disclosure in the Hubot Log files
👉 https://hackerone.com/reports/1394399
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #rolfzur
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:01pm (UTC)
👉 https://hackerone.com/reports/1394399
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #rolfzur
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:01pm (UTC)
REST API gets `query` as parameter and executes it
👉 https://hackerone.com/reports/1140631
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #paulocsanz
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:02pm (UTC)
👉 https://hackerone.com/reports/1140631
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #paulocsanz
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:02pm (UTC)
Message ID Enumeration with Action Link Handler
👉 https://hackerone.com/reports/1406953
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:02pm (UTC)
👉 https://hackerone.com/reports/1406953
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:02pm (UTC)
TOTP 2 Factor Authentication Bypass
👉 https://hackerone.com/reports/1448268
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:02pm (UTC)
👉 https://hackerone.com/reports/1448268
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:02pm (UTC)
getRoomRoles Method leaks Channel Owner
👉 https://hackerone.com/reports/1447440
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:03pm (UTC)
👉 https://hackerone.com/reports/1447440
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:03pm (UTC)
NoSQL-Injection discloses S3 File Upload URLs
👉 https://hackerone.com/reports/1458020
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:03pm (UTC)
👉 https://hackerone.com/reports/1458020
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:03pm (UTC)
API route chat.getThreadsList leaks private message content
👉 https://hackerone.com/reports/1446767
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:03pm (UTC)
👉 https://hackerone.com/reports/1446767
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:03pm (UTC)
Message ID Enumeration with Regular Expression in getReadReceipts Meteor method
👉 https://hackerone.com/reports/1377105
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:03pm (UTC)
👉 https://hackerone.com/reports/1377105
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:03pm (UTC)
Rocket.chat user info security issue
👉 https://hackerone.com/reports/1517377
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #mikolajczak
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:04pm (UTC)
👉 https://hackerone.com/reports/1517377
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #mikolajczak
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:04pm (UTC)
getUsersOfRoom discloses users in private channels
👉 https://hackerone.com/reports/1410357
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:04pm (UTC)
👉 https://hackerone.com/reports/1410357
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:04pm (UTC)
Unauthenticated IP allowlist bypass when accessing job artifacts through gitlab pages at `{group_id}.gitlab.io`
👉 https://hackerone.com/reports/1591412
🔹 Severity: Medium | 💰 1,990 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 9:31pm (UTC)
👉 https://hackerone.com/reports/1591412
🔹 Severity: Medium | 💰 1,990 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 9:31pm (UTC)
🔥1
Content injection in Jira issue noscript enabling sending arbitrary POST request as victim
👉 https://hackerone.com/reports/1533976
🔹 Severity: High | 💰 8,690 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 9:32pm (UTC)
👉 https://hackerone.com/reports/1533976
🔹 Severity: High | 💰 8,690 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 9:32pm (UTC)
🔥1