Node 18 reads openssl.cnf from /home/iojs/build/... upon startup on MacOS
👉 https://hackerone.com/reports/1695596
🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #mhdawson
🔹 State: 🟢 Resolved
🔹 Disclosed: October 26, 2022, 8:17am (UTC)
👉 https://hackerone.com/reports/1695596
🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #mhdawson
🔹 State: 🟢 Resolved
🔹 Disclosed: October 26, 2022, 8:17am (UTC)
CVE-2022-32213 bypass via obs-fold mechanic
👉 https://hackerone.com/reports/1630336
🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #haxatron1
🔹 State: 🟢 Resolved
🔹 Disclosed: October 26, 2022, 8:17am (UTC)
👉 https://hackerone.com/reports/1630336
🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #haxatron1
🔹 State: 🟢 Resolved
🔹 Disclosed: October 26, 2022, 8:17am (UTC)
HTTP Request Smuggling Due to Incorrect Parsing of Header Fields
👉 https://hackerone.com/reports/1675191
🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #vvx7
🔹 State: 🟢 Resolved
🔹 Disclosed: October 26, 2022, 8:17am (UTC)
👉 https://hackerone.com/reports/1675191
🔹 Severity: Medium
🔹 Reported To: Node.js
🔹 Reported By: #vvx7
🔹 State: 🟢 Resolved
🔹 Disclosed: October 26, 2022, 8:17am (UTC)
Weak randomness in WebCrypto keygen
👉 https://hackerone.com/reports/1690000
🔹 Severity: High
🔹 Reported To: Node.js
🔹 Reported By: #bnoordhuis
🔹 State: 🟢 Resolved
🔹 Disclosed: October 26, 2022, 8:18am (UTC)
👉 https://hackerone.com/reports/1690000
🔹 Severity: High
🔹 Reported To: Node.js
🔹 Reported By: #bnoordhuis
🔹 State: 🟢 Resolved
🔹 Disclosed: October 26, 2022, 8:18am (UTC)
👍1
Subdomain takeover on 'de-headless.staging.gymshark.com'
👉 https://hackerone.com/reports/1711890
🔹 Severity: High
🔹 Reported To: Gymshark
🔹 Reported By: #a-p0c
🔹 State: 🟢 Resolved
🔹 Disclosed: October 27, 2022, 11:14am (UTC)
👉 https://hackerone.com/reports/1711890
🔹 Severity: High
🔹 Reported To: Gymshark
🔹 Reported By: #a-p0c
🔹 State: 🟢 Resolved
🔹 Disclosed: October 27, 2022, 11:14am (UTC)
CVE-2022-35260: .netrc parser out-of-bounds access
👉 https://hackerone.com/reports/1721098
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #kurohiro
🔹 State: 🟢 Resolved
🔹 Disclosed: October 27, 2022, 2:55pm (UTC)
👉 https://hackerone.com/reports/1721098
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #kurohiro
🔹 State: 🟢 Resolved
🔹 Disclosed: October 27, 2022, 2:55pm (UTC)
👍1
CVE-2022-42916: HSTS bypass via IDN
👉 https://hackerone.com/reports/1730660
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #kurohiro
🔹 State: 🟢 Resolved
🔹 Disclosed: October 27, 2022, 2:55pm (UTC)
👉 https://hackerone.com/reports/1730660
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #kurohiro
🔹 State: 🟢 Resolved
🔹 Disclosed: October 27, 2022, 2:55pm (UTC)
👍1
Jolokia Reflected XSS
👉 https://hackerone.com/reports/1714563
🔹 Severity: Medium
🔹 Reported To: Mars
🔹 Reported By: #ramzanrl
🔹 State: 🟢 Resolved
🔹 Disclosed: October 27, 2022, 5:36pm (UTC)
👉 https://hackerone.com/reports/1714563
🔹 Severity: Medium
🔹 Reported To: Mars
🔹 Reported By: #ramzanrl
🔹 State: 🟢 Resolved
🔹 Disclosed: October 27, 2022, 5:36pm (UTC)
👍1
HTML INJECTION FOUND ON https://adobedocs.github.io/analytics-1.4-apis/swagger-docs.html DUE TO OUTDATED SWAGGER UI
👉 https://hackerone.com/reports/1736466
🔹 Severity: Low
🔹 Reported To: Adobe
🔹 Reported By: #dreamer_eh
🔹 State: 🟢 Resolved
🔹 Disclosed: October 28, 2022, 7:18am (UTC)
👉 https://hackerone.com/reports/1736466
🔹 Severity: Low
🔹 Reported To: Adobe
🔹 Reported By: #dreamer_eh
🔹 State: 🟢 Resolved
🔹 Disclosed: October 28, 2022, 7:18am (UTC)
👍1
Privilege Escalation to All-staff group
👉 https://hackerone.com/reports/1021460
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #snapsec
🔹 State: 🟢 Resolved
🔹 Disclosed: October 28, 2022, 11:55pm (UTC)
👉 https://hackerone.com/reports/1021460
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #snapsec
🔹 State: 🟢 Resolved
🔹 Disclosed: October 28, 2022, 11:55pm (UTC)
Accessing/Editing Folders of Other Users in the Orginisation.
👉 https://hackerone.com/reports/1025881
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #snapsec
🔹 State: 🟢 Resolved
🔹 Disclosed: October 29, 2022, 12:56am (UTC)
👉 https://hackerone.com/reports/1025881
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #snapsec
🔹 State: 🟢 Resolved
🔹 Disclosed: October 29, 2022, 12:56am (UTC)
Cross-site Scripting (XSS) - Reflected
👉 https://hackerone.com/reports/1183336
🔹 Severity: Medium
🔹 Reported To: MTN Group
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: October 30, 2022, 9:54pm (UTC)
👉 https://hackerone.com/reports/1183336
🔹 Severity: Medium
🔹 Reported To: MTN Group
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: October 30, 2022, 9:54pm (UTC)
Cross-Site Request Forgery (CSRF) to xss
👉 https://hackerone.com/reports/1183241
🔹 Severity: Medium
🔹 Reported To: MTN Group
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: October 30, 2022, 9:54pm (UTC)
👉 https://hackerone.com/reports/1183241
🔹 Severity: Medium
🔹 Reported To: MTN Group
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: October 30, 2022, 9:54pm (UTC)
XSS in SocialIcon Link
👉 https://hackerone.com/reports/1698652
🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: Linktree
🔹 Reported By: #sudi
🔹 State: 🟢 Resolved
🔹 Disclosed: October 31, 2022, 4:04am (UTC)
👉 https://hackerone.com/reports/1698652
🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: Linktree
🔹 Reported By: #sudi
🔹 State: 🟢 Resolved
🔹 Disclosed: October 31, 2022, 4:04am (UTC)
Authentication bypass for ███ leads to take over any users account.
👉 https://hackerone.com/reports/1608151
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Krisp
🔹 Reported By: #n0_m3rcy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 31, 2022, 5:56pm (UTC)
👉 https://hackerone.com/reports/1608151
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Krisp
🔹 Reported By: #n0_m3rcy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 31, 2022, 5:56pm (UTC)
IDOR in API applications (able to see any API token, leads to account takeover)
👉 https://hackerone.com/reports/1695454
🔹 Severity: Critical | 💰 500 USD
🔹 Reported To: Automattic
🔹 Reported By: #bugra
🔹 State: 🟢 Resolved
🔹 Disclosed: November 1, 2022, 10:46pm (UTC)
👉 https://hackerone.com/reports/1695454
🔹 Severity: Critical | 💰 500 USD
🔹 Reported To: Automattic
🔹 Reported By: #bugra
🔹 State: 🟢 Resolved
🔹 Disclosed: November 1, 2022, 10:46pm (UTC)
Stored XSS in intensedebate.com via the Comments RSS
👉 https://hackerone.com/reports/1664914
🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Automattic
🔹 Reported By: #bugra
🔹 State: 🟢 Resolved
🔹 Disclosed: November 2, 2022, 9:20am (UTC)
👉 https://hackerone.com/reports/1664914
🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Automattic
🔹 Reported By: #bugra
🔹 State: 🟢 Resolved
🔹 Disclosed: November 2, 2022, 9:20am (UTC)
CVE-2022-42916: HSTS bypass via IDN
👉 https://hackerone.com/reports/1753226
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #kurohiro
🔹 State: 🟢 Resolved
🔹 Disclosed: November 3, 2022, 12:19am (UTC)
👉 https://hackerone.com/reports/1753226
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #kurohiro
🔹 State: 🟢 Resolved
🔹 Disclosed: November 3, 2022, 12:19am (UTC)
Archived / Deleted / Private Poll Can Be Viewed by Another Users [Crowdsignal WordPress plugins]
👉 https://hackerone.com/reports/1711318
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Automattic
🔹 Reported By: #apapedulimu
🔹 State: 🟢 Resolved
🔹 Disclosed: November 3, 2022, 11:41am (UTC)
👉 https://hackerone.com/reports/1711318
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Automattic
🔹 Reported By: #apapedulimu
🔹 State: 🟢 Resolved
🔹 Disclosed: November 3, 2022, 11:41am (UTC)
Command injection in GitHub Actions ContainerStepHost
👉 https://hackerone.com/reports/1637621
🔹 Severity: No Rating | 💰 4,000 USD
🔹 Reported To: GitHub
🔹 Reported By: #jupenur
🔹 State: 🟢 Resolved
🔹 Disclosed: November 3, 2022, 3:33pm (UTC)
👉 https://hackerone.com/reports/1637621
🔹 Severity: No Rating | 💰 4,000 USD
🔹 Reported To: GitHub
🔹 Reported By: #jupenur
🔹 State: 🟢 Resolved
🔹 Disclosed: November 3, 2022, 3:33pm (UTC)
RepositoryPipeline allows importing of local git repos
👉 https://hackerone.com/reports/1685822
🔹 Severity: Medium | 💰 22,300 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 3:43am (UTC)
👉 https://hackerone.com/reports/1685822
🔹 Severity: Medium | 💰 22,300 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 3:43am (UTC)