Content injection in Jira issue script enabling sending arbitrary POST request as victim
👉 https://hackerone.com/reports/1533976
🔹 Severity: High | 💰 8,690 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 9:32pm (UTC)
Open Redirect on www.redditinc.com via `failed` query param
👉 https://hackerone.com/reports/1257753
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Reddit
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 11:27pm (UTC)
com.basecamp.bc3 Webview Javascript Injection and JS bridge takeover
👉 https://hackerone.com/reports/1343300
🔹 Severity: High | 💰 1,210 USD
🔹 Reported To: Basecamp
🔹 Reported By: #fr4via
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2022, 9:33am (UTC)
CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag
👉 https://hackerone.com/reports/1671140
🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #happyhacking123
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2022, 5:16pm (UTC)
CVE-2022-35948: CRLF Injection in Nodejs ‘undici’ via Content-Type
👉 https://hackerone.com/reports/1664019
🔹 Severity: Medium | 💰 600 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #happyhacking123
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2022, 5:38pm (UTC)
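The title above names the bug class only: a CR/LF sequence inside a header value (here Content-Type) that an HTTP client writes to the wire unchecked, letting the caller smuggle extra headers. The block below is an added illustration of that class, not undici's code and not from the report. It models a minimal HTTP/1.1 request-head serializer in two forms, one that interpolates values blindly and one that rejects control characters first, and uses a constructed tainted value to show the difference.

```javascript
// Added example: a toy model of header serialization, NOT undici's implementation.
// Shows why a client must reject CR/LF in header values before writing them.

// Naive serializer: concatenates each header into the request head with no
// validation. A value containing "\r\n" therefore becomes additional header lines.
function buildRequestHeadUnsafe(method, path, headers) {
  let head = `${method} ${path} HTTP/1.1\r\n`;
  for (const [name, value] of Object.entries(headers)) {
    head += `${name}: ${value}\r\n`;
  }
  return head + '\r\n';
}

// Hardened serializer: refuse any header name or value that contains a control
// character (this range covers \r = 0x0d and \n = 0x0a) before it reaches the wire.
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;
function buildRequestHeadSafe(method, path, headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (CONTROL_CHARS.test(name) || CONTROL_CHARS.test(String(value))) {
      throw new TypeError(`invalid character in header: ${name}`);
    }
  }
  return buildRequestHeadUnsafe(method, path, headers);
}

// Re-parse a serialized head into the header names a server would see, so the
// injection is visible as an extra header rather than as a longer string.
function headerNames(head) {
  return head
    .split('\r\n')
    .slice(1)            // drop the request line
    .filter(Boolean)     // drop the empty line(s) terminating the head
    .map((line) => line.split(':')[0]);
}

// Constructed attacker-controlled value (hypothetical, not taken from the report).
const TAINTED_CONTENT_TYPE = 'application/json\r\nX-Injected: 1';

// Stand-alone demonstration.
console.log(headerNames(buildRequestHeadUnsafe('POST', '/api', { 'Content-Type': TAINTED_CONTENT_TYPE })));
try {
  buildRequestHeadSafe('POST', '/api', { 'Content-Type': TAINTED_CONTENT_TYPE });
} catch (err) {
  console.log('rejected:', err.message);
}
```

The unsafe path yields two headers from a single Content-Type entry; the hardened path throws before any bytes are written. Validating at serialization time is the right layer, since the tainted value may have been assembled several calls away from the socket.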
[CVE-2022-35949]: undici.request vulnerable to SSRF using absolute / protocol-relative URL on pathname
👉 https://hackerone.com/reports/1663788
🔹 Severity: Medium | 💰 1,200 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #haxatron1
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2022, 5:51pm (UTC)
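The report title describes a path argument that, when it is an absolute URL or a protocol-relative one, is resolved against the configured origin and silently points the request at another host. The block below is an added illustration of that resolution behaviour using the standard WHATWG URL parser; it is not undici's code and the hostnames are constructed for the example. It also covers a case the title does not mention, a leading backslash, which the URL parser treats as a slash for http(s) and which defeats a naive "starts with //" check.

```javascript
// Added example: how relative-path resolution can escape the intended origin.
// NOT undici's implementation; uses the global WHATWG URL class available in Node.

// Naive resolution: whatever the caller passes as "path" is resolved against the
// base origin. Absolute and protocol-relative inputs replace the host entirely.
function resolveUnsafe(origin, path) {
  return new URL(path, origin);
}

// Hardened resolution: resolve, then insist that the result still lives on the
// base origin. Checking the parsed result (rather than the raw string) also
// catches "/\evil.example", which the parser normalises to "//evil.example".
function resolveSafe(origin, path) {
  const base = new URL(origin);
  const resolved = new URL(path, base);
  if (resolved.origin !== base.origin) {
    throw new TypeError(`path resolved outside ${base.origin}: ${resolved.href}`);
  }
  return resolved;
}

// Constructed inputs (hypothetical hosts, not from the report).
const BASE = 'https://api.internal';
const PROBES = [
  '/v1/items?id=1',          // benign relative path
  '//evil.example/x',        // protocol-relative: keeps scheme, swaps host
  'http://evil.example/x',   // absolute: swaps scheme and host
  '/\\evil.example/x',       // backslash: parser treats "\" as "/" for https
];

// Returns, for each probe, the host the naive resolver would contact and whether
// the hardened resolver accepted it.
function classify(origin, probes) {
  return probes.map((p) => {
    let accepted = true;
    try { resolveSafe(origin, p); } catch (e) { accepted = false; }
    return { path: p, host: resolveUnsafe(origin, p).host, accepted };
  });
}

console.table(classify(BASE, PROBES));
```

Only the first probe is accepted; the other three all resolve to evil.example under the naive resolver. Comparing `origin` after parsing is what makes the check robust, because it reflects the URL the client would actually connect to rather than a guess about the string's shape.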
Reflected xss on videostore.mtnonline.com
👉 https://hackerone.com/reports/1646248
🔹 Severity: High
🔹 Reported To: MTN Group
🔹 Reported By: #possowski
🔹 State: 🟢 Resolved
🔹 Disclosed: September 25, 2022, 7:10pm (UTC)
Main Domain Takeover at https://www.marketo.net/
👉 https://hackerone.com/reports/1661914
🔹 Severity: Critical
🔹 Reported To: Adobe
🔹 Reported By: #gdattacker
🔹 State: 🟢 Resolved
🔹 Disclosed: September 26, 2022, 3:05pm (UTC)
XSS Reflected on reddit.com via url path
👉 https://hackerone.com/reports/1051373
🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: Reddit
🔹 Reported By: #criptex
🔹 State: 🟢 Resolved
🔹 Disclosed: September 27, 2022, 4:04pm (UTC)
insecure gitlab repositories at ████████ [HtUS]
👉 https://hackerone.com/reports/1624152
🔹 Severity: High | 💰 500 USD
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #thpless
🔹 State: 🟢 Resolved
🔹 Disclosed: September 27, 2022, 6:18pm (UTC)
password field autocomplete enabled
👉 https://hackerone.com/reports/1023773
🔹 Severity: Medium
🔹 Reported To: Yelp
🔹 Reported By: #er_salil
🔹 State: ⚪️ Informative
🔹 Disclosed: September 27, 2022, 11:26pm (UTC)
CORS Misconfiguration on Yelp
👉 https://hackerone.com/reports/1707616
🔹 Severity: Medium
🔹 Reported To: Yelp
🔹 Reported By: #qualwin3001
🔹 State: ⚪️ Informative
🔹 Disclosed: September 28, 2022, 3:43am (UTC)
Directory Listing vulnerability on █.packet8.net/php/include/
👉 https://hackerone.com/reports/790846
🔹 Severity: Low
🔹 Reported To: 8x8
🔹 Reported By: #rajauzairabdullah
🔹 State: 🟢 Resolved
🔹 Disclosed: September 28, 2022, 4:41am (UTC)
Server-side request forgery (ssrf)
👉 https://hackerone.com/reports/1712240
🔹 Severity: Medium
🔹 Reported To: Yelp
🔹 Reported By: #raja404
🔹 State: 🔴 N/A
🔹 Disclosed: September 28, 2022, 7:54am (UTC)
DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices)
👉 https://hackerone.com/reports/1632921
🔹 Severity: High
🔹 Reported To: Node.js
🔹 Reported By: #zeyu2001
🔹 State: 🟢 Resolved
🔹 Disclosed: September 28, 2022, 8:38am (UTC)
Take over subdomains of r2.dev using R2 custom domains
👉 https://hackerone.com/reports/1700276
🔹 Severity: Medium | 💰 1,125 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #albertspedersen
🔹 State: 🟢 Resolved
🔹 Disclosed: September 28, 2022, 12:49pm (UTC)
CSV export/import functionality allows administrators to modify member and message content of a workspace
👉 https://hackerone.com/reports/1661310
🔹 Severity: No Rating | 💰 250 USD
🔹 Reported To: Slack
🔹 Reported By: #security_warrior
🔹 State: ⚪️ Informative
🔹 Disclosed: September 28, 2022, 8:30pm (UTC)
XSS in Widget Review Form Preview in settings
👉 https://hackerone.com/reports/1595905
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Judge.me
🔹 Reported By: #penguinshelp
🔹 State: 🟢 Resolved
🔹 Disclosed: September 29, 2022, 8:35am (UTC)
no rate limit in forgot password session
👉 https://hackerone.com/reports/1714970
🔹 Severity: Medium
🔹 Reported To: Yelp
🔹 Reported By: #irfadps
🔹 State: 🔴 N/A
🔹 Disclosed: September 29, 2022, 6:17pm (UTC)
Open Redirect
👉 https://hackerone.com/reports/1581258
🔹 Severity: Low | 💰 258 USD
🔹 Reported To: Flickr
🔹 Reported By: #stevejubs
🔹 State: 🟢 Resolved
🔹 Disclosed: September 29, 2022, 10:51pm (UTC)
Password Policy Restriction Bypass
👉 https://hackerone.com/reports/1675730
🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #lohigowda
🔹 State: 🟢 Resolved
🔹 Disclosed: September 30, 2022, 8:50am (UTC)