IDOR in API applications (able to see any API token, leads to account takeover)
👉 https://hackerone.com/reports/1695454
🔹 Severity: Critical | 💰 500 USD
🔹 Reported To: Automattic
🔹 Reported By: #bugra
🔹 State: 🟢 Resolved
🔹 Disclosed: November 1, 2022, 10:46pm (UTC)
👉 https://hackerone.com/reports/1695454
🔹 Severity: Critical | 💰 500 USD
🔹 Reported To: Automattic
🔹 Reported By: #bugra
🔹 State: 🟢 Resolved
🔹 Disclosed: November 1, 2022, 10:46pm (UTC)
Stored XSS in intensedebate.com via the Comments RSS
👉 https://hackerone.com/reports/1664914
🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Automattic
🔹 Reported By: #bugra
🔹 State: 🟢 Resolved
🔹 Disclosed: November 2, 2022, 9:20am (UTC)
👉 https://hackerone.com/reports/1664914
🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Automattic
🔹 Reported By: #bugra
🔹 State: 🟢 Resolved
🔹 Disclosed: November 2, 2022, 9:20am (UTC)
CVE-2022-42916: HSTS bypass via IDN
👉 https://hackerone.com/reports/1753226
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #kurohiro
🔹 State: 🟢 Resolved
🔹 Disclosed: November 3, 2022, 12:19am (UTC)
👉 https://hackerone.com/reports/1753226
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #kurohiro
🔹 State: 🟢 Resolved
🔹 Disclosed: November 3, 2022, 12:19am (UTC)
Archived / Deleted / Private Poll Can Be Viewed by Another Users [Crowdsignal WordPress plugins]
👉 https://hackerone.com/reports/1711318
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Automattic
🔹 Reported By: #apapedulimu
🔹 State: 🟢 Resolved
🔹 Disclosed: November 3, 2022, 11:41am (UTC)
👉 https://hackerone.com/reports/1711318
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Automattic
🔹 Reported By: #apapedulimu
🔹 State: 🟢 Resolved
🔹 Disclosed: November 3, 2022, 11:41am (UTC)
Command injection in GitHub Actions ContainerStepHost
👉 https://hackerone.com/reports/1637621
🔹 Severity: No Rating | 💰 4,000 USD
🔹 Reported To: GitHub
🔹 Reported By: #jupenur
🔹 State: 🟢 Resolved
🔹 Disclosed: November 3, 2022, 3:33pm (UTC)
👉 https://hackerone.com/reports/1637621
🔹 Severity: No Rating | 💰 4,000 USD
🔹 Reported To: GitHub
🔹 Reported By: #jupenur
🔹 State: 🟢 Resolved
🔹 Disclosed: November 3, 2022, 3:33pm (UTC)
RepositoryPipeline allows importing of local git repos
👉 https://hackerone.com/reports/1685822
🔹 Severity: Medium | 💰 22,300 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 3:43am (UTC)
👉 https://hackerone.com/reports/1685822
🔹 Severity: Medium | 💰 22,300 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 3:43am (UTC)
DOS via move_issue
👉 https://hackerone.com/reports/1543584
🔹 Severity: Medium | 💰 2,300 USD
🔹 Reported To: GitLab
🔹 Reported By: #legit-security
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 3:44am (UTC)
👉 https://hackerone.com/reports/1543584
🔹 Severity: Medium | 💰 2,300 USD
🔹 Reported To: GitLab
🔹 Reported By: #legit-security
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 3:44am (UTC)
Path paths and file disclosure vulnerabilities at influxdb.quality.gitlab.net
👉 https://hackerone.com/reports/1643962
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: GitLab
🔹 Reported By: #otoyyy
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 3:46am (UTC)
👉 https://hackerone.com/reports/1643962
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: GitLab
🔹 Reported By: #otoyyy
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 3:46am (UTC)
DOS via issue preview
👉 https://hackerone.com/reports/1543718
🔹 Severity: High | 💰 7,640 USD
🔹 Reported To: GitLab
🔹 Reported By: #legit-security
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 3:47am (UTC)
👉 https://hackerone.com/reports/1543718
🔹 Severity: High | 💰 7,640 USD
🔹 Reported To: GitLab
🔹 Reported By: #legit-security
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 3:47am (UTC)
CSS Injection via Client Side Path Traversal + Open Redirect leads to personal data exfiltration on Acronis Cloud
👉 https://hackerone.com/reports/1245165
🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #mr-medi
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 7:38pm (UTC)
👉 https://hackerone.com/reports/1245165
🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #mr-medi
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 7:38pm (UTC)
CVE-2022-35252: control code in cookie denial of service
👉 https://hackerone.com/reports/1686935
🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #haxatron1
🔹 State: 🟢 Resolved
🔹 Disclosed: November 5, 2022, 2:50pm (UTC)
👉 https://hackerone.com/reports/1686935
🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #haxatron1
🔹 State: 🟢 Resolved
🔹 Disclosed: November 5, 2022, 2:50pm (UTC)
Completely remove VPN profile from locked WARP iOS cient.
👉 https://hackerone.com/reports/1633231
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #joshatmotion
🔹 State: 🟢 Resolved
🔹 Disclosed: November 7, 2022, 10:59am (UTC)
👉 https://hackerone.com/reports/1633231
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #joshatmotion
🔹 State: 🟢 Resolved
🔹 Disclosed: November 7, 2022, 10:59am (UTC)
Bypass Cloudflare WARP lock on iOS.
👉 https://hackerone.com/reports/1542450
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #joshatmotion
🔹 State: 🟢 Resolved
🔹 Disclosed: November 7, 2022, 11:02am (UTC)
👉 https://hackerone.com/reports/1542450
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #joshatmotion
🔹 State: 🟢 Resolved
🔹 Disclosed: November 7, 2022, 11:02am (UTC)
I found another way to bypass Cloudflare Warp lock!
👉 https://hackerone.com/reports/1605847
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #joshatmotion
🔹 State: 🟢 Resolved
🔹 Disclosed: November 7, 2022, 11:02am (UTC)
👉 https://hackerone.com/reports/1605847
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #joshatmotion
🔹 State: 🟢 Resolved
🔹 Disclosed: November 7, 2022, 11:02am (UTC)
Exceed photo dimensions, Flickr.com
👉 https://hackerone.com/reports/1755552
🔹 Severity: Low | 💰 50 USD
🔹 Reported To: Flickr
🔹 Reported By: #0xcyborg
🔹 State: ⚪️ Informative
🔹 Disclosed: November 7, 2022, 5:53pm (UTC)
👉 https://hackerone.com/reports/1755552
🔹 Severity: Low | 💰 50 USD
🔹 Reported To: Flickr
🔹 Reported By: #0xcyborg
🔹 State: ⚪️ Informative
🔹 Disclosed: November 7, 2022, 5:53pm (UTC)
Subdomain Takeover via Unclaimed Amazon S3 Bucket (Musical.ly)
👉 https://hackerone.com/reports/1102537
🔹 Severity: Low | 💰 200 USD
🔹 Reported To: TikTok
🔹 Reported By: #daik0n
🔹 State: 🟢 Resolved
🔹 Disclosed: November 7, 2022, 9:34pm (UTC)
👉 https://hackerone.com/reports/1102537
🔹 Severity: Low | 💰 200 USD
🔹 Reported To: TikTok
🔹 Reported By: #daik0n
🔹 State: 🟢 Resolved
🔹 Disclosed: November 7, 2022, 9:34pm (UTC)
Public Github Repo Leaking Internal Credentials
👉 https://hackerone.com/reports/1763266
🔹 Severity: Critical
🔹 Reported To: Yelp
🔹 Reported By: #xinfohuggerx
🔹 State: ⚪️ Informative
🔹 Disclosed: November 7, 2022, 11:45pm (UTC)
👉 https://hackerone.com/reports/1763266
🔹 Severity: Critical
🔹 Reported To: Yelp
🔹 Reported By: #xinfohuggerx
🔹 State: ⚪️ Informative
🔹 Disclosed: November 7, 2022, 11:45pm (UTC)
[Kafka Connect] [JdbcSinkConnector][HttpSinkConnector] RCE by leveraging file upload via SQLite JDBC driver and SSRF to internal Jolokia
👉 https://hackerone.com/reports/1547877
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Aiven Ltd
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 6:29am (UTC)
👉 https://hackerone.com/reports/1547877
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Aiven Ltd
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 6:29am (UTC)
Grafana RCE via SMTP server parameter injection
👉 https://hackerone.com/reports/1200647
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Aiven Ltd
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 6:29am (UTC)
👉 https://hackerone.com/reports/1200647
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Aiven Ltd
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 6:29am (UTC)
Kafka Connect RCE via connector SASL JAAS JndiLoginModule configuration
👉 https://hackerone.com/reports/1529790
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Aiven Ltd
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 6:30am (UTC)
👉 https://hackerone.com/reports/1529790
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Aiven Ltd
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 6:30am (UTC)
Apache Flink RCE via GET jar/plan API Endpoint
👉 https://hackerone.com/reports/1418891
🔹 Severity: Critical | 💰 6,000 USD
🔹 Reported To: Aiven Ltd
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 6:30am (UTC)
👉 https://hackerone.com/reports/1418891
🔹 Severity: Critical | 💰 6,000 USD
🔹 Reported To: Aiven Ltd
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 6:30am (UTC)