Users Without Permission Can Download Restricted Files
👉 https://hackerone.com/reports/794904
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #imran_nisar
🔹 State: 🟢 Resolved
🔹 Disclosed: October 18, 2022, 9:10pm (UTC)
DOM XSS at `https://adobedocs.github.io/OAE_PartnerAPI/?configUrl={site}` due to outdated Swagger UI
👉 https://hackerone.com/reports/1736378
🔹 Severity: Medium
🔹 Reported To: Adobe
🔹 Reported By: #dreamer_eh
🔹 State: 🟢 Resolved
🔹 Disclosed: October 19, 2022, 12:07pm (UTC)
IDOR able to buy a plan with lesser fee
👉 https://hackerone.com/reports/1679276
🔹 Severity: Medium
🔹 Reported To: Automattic
🔹 Reported By: #ug0x01
🔹 State: ⚪️ Informative
🔹 Disclosed: October 19, 2022, 4:20pm (UTC)
Full TaxJar account control and ability to disclose and modify business account settings due to Broken Access Control in /current_user_data
👉 https://hackerone.com/reports/1677541
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: Stripe
🔹 Reported By: #mr_asg
🔹 State: 🟢 Resolved
🔹 Disclosed: October 19, 2022, 6:36pm (UTC)
Tomcat Servlet Examples accessible at https://44.240.33.83:38443 and https://52.36.56.155:38443
👉 https://hackerone.com/reports/1560149
🔹 Severity: Medium | 💰 1,500 USD
🔹 Reported To: Stripe
🔹 Reported By: #mustafa_farrag
🔹 State: 🟢 Resolved
🔹 Disclosed: October 19, 2022, 6:45pm (UTC)
Bypassing domain deny_list rule in Smokescreen via double brackets [[]] which leads to SSRF
👉 https://hackerone.com/reports/1580495
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Stripe
🔹 Reported By: #sim4n6
🔹 State: 🟢 Resolved
🔹 Disclosed: October 19, 2022, 6:47pm (UTC)
User information disclosed via API
👉 https://hackerone.com/reports/1218461
🔹 Severity: High
🔹 Reported To: U.S. General Services Administration
🔹 Reported By: #toormund
🔹 State: 🟢 Resolved
🔹 Disclosed: October 19, 2022, 6:47pm (UTC)
Local applications from user's computer can listen for webhooks via insecure gRPC server from stripe-cli
👉 https://hackerone.com/reports/1369191
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Stripe
🔹 Reported By: #gregxsunday
🔹 State: 🟢 Resolved
🔹 Disclosed: October 19, 2022, 7:03pm (UTC)
Mass Account Takeover Without any User Interaction at https://app.taxjar.com/
👉 https://hackerone.com/reports/1685970
🔹 Severity: High | 💰 13,000 USD
🔹 Reported To: Stripe
🔹 Reported By: #mr_asg
🔹 State: 🟢 Resolved
🔹 Disclosed: October 19, 2022, 7:05pm (UTC)
[CSRF] No CSRF protection against sending invitations to join the team.
👉 https://hackerone.com/reports/728199
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #imran_nisar
🔹 State: 🟢 Resolved
🔹 Disclosed: October 20, 2022, 12:31am (UTC)
Ability to View Non-Permitted Admin Log
👉 https://hackerone.com/reports/1533220
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #imran_nisar
🔹 State: 🟢 Resolved
🔹 Disclosed: October 20, 2022, 12:34am (UTC)
Removed user can still view comments on the file/documents.
👉 https://hackerone.com/reports/1335070
🔹 Severity: Medium | 💰 750 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #imran_nisar
🔹 State: 🟢 Resolved
🔹 Disclosed: October 20, 2022, 12:36am (UTC)
POOL_UPGRADE request handler may allow an unauthenticated attacker to remotely execute code on every node in the network.
👉 https://hackerone.com/reports/1705717
🔹 Severity: Critical | 💰 2,000 USD
🔹 Reported To: Hyperledger
🔹 Reported By: #shakedreiner
🔹 State: 🟢 Resolved
🔹 Disclosed: October 20, 2022, 8:07pm (UTC)
Card requirement bypass for business trial
👉 https://hackerone.com/reports/1670304
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Krisp
🔹 Reported By: #n0_m3rcy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 21, 2022, 4:23pm (UTC)
Access Nagios dashboard using default credentials on omon1.fpki.gov (3.220.248.203)
👉 https://hackerone.com/reports/1700896
🔹 Severity: Critical
🔹 Reported To: U.S. General Services Administration
🔹 Reported By: #ahmed0x0mahmoud
🔹 State: 🟢 Resolved
🔹 Disclosed: October 21, 2022, 11:33pm (UTC)
installed.json sensitive file was publicly accessible on your web application which discloses information about authors and admins
👉 https://hackerone.com/reports/1586524
🔹 Severity: Low
🔹 Reported To: Yelp
🔹 Reported By: #whitehacker18
🔹 State: ⚪️ Informative
🔹 Disclosed: October 22, 2022, 6:39pm (UTC)
Viewer is able to leak the previous versions of the file
👉 https://hackerone.com/reports/1080700
🔹 Severity: Medium | 💰 550 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #snapsec
🔹 State: 🟢 Resolved
🔹 Disclosed: October 24, 2022, 9:56pm (UTC)
IDOR Allows Viewer to Delete Bin's Files
👉 https://hackerone.com/reports/1074420
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #snapsec
🔹 State: 🟢 Resolved
🔹 Disclosed: October 24, 2022, 9:59pm (UTC)
Remotely Accessible Container Advisor exposed performance metrics and resource usage
👉 https://hackerone.com/reports/1697599
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: TikTok
🔹 Reported By: #tw4v3sx
🔹 State: 🟢 Resolved
🔹 Disclosed: October 24, 2022, 10:07pm (UTC)
A malicious admin can permanently block an Owner (Admin) from accessing his account
👉 https://hackerone.com/reports/1718574
🔹 Severity: Medium | 💰 600 USD
🔹 Reported To: Linktree
🔹 Reported By: #dewcode91
🔹 State: 🟢 Resolved
🔹 Disclosed: October 25, 2022, 12:49am (UTC)
Reflected Cross-site scripting via Swagger UI
👉 https://hackerone.com/reports/1656650
🔹 Severity: Medium
🔹 Reported To: Adobe
🔹 Reported By: #webcipher101
🔹 State: 🟢 Resolved
🔹 Disclosed: October 25, 2022, 7:14am (UTC)