Subdomain Takeover via Unclaimed Amazon S3 Bucket (Musical.ly)
👉 https://hackerone.com/reports/1102537
🔹 Severity: Low | 💰 200 USD
🔹 Reported To: TikTok
🔹 Reported By: #daik0n
🔹 State: 🟢 Resolved
🔹 Disclosed: November 7, 2022, 9:34pm (UTC)
👉 https://hackerone.com/reports/1102537
🔹 Severity: Low | 💰 200 USD
🔹 Reported To: TikTok
🔹 Reported By: #daik0n
🔹 State: 🟢 Resolved
🔹 Disclosed: November 7, 2022, 9:34pm (UTC)
Public Github Repo Leaking Internal Credentials
👉 https://hackerone.com/reports/1763266
🔹 Severity: Critical
🔹 Reported To: Yelp
🔹 Reported By: #xinfohuggerx
🔹 State: ⚪️ Informative
🔹 Disclosed: November 7, 2022, 11:45pm (UTC)
👉 https://hackerone.com/reports/1763266
🔹 Severity: Critical
🔹 Reported To: Yelp
🔹 Reported By: #xinfohuggerx
🔹 State: ⚪️ Informative
🔹 Disclosed: November 7, 2022, 11:45pm (UTC)
[Kafka Connect] [JdbcSinkConnector][HttpSinkConnector] RCE by leveraging file upload via SQLite JDBC driver and SSRF to internal Jolokia
👉 https://hackerone.com/reports/1547877
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Aiven Ltd
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 6:29am (UTC)
👉 https://hackerone.com/reports/1547877
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Aiven Ltd
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 6:29am (UTC)
Grafana RCE via SMTP server parameter injection
👉 https://hackerone.com/reports/1200647
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Aiven Ltd
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 6:29am (UTC)
👉 https://hackerone.com/reports/1200647
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Aiven Ltd
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 6:29am (UTC)
Kafka Connect RCE via connector SASL JAAS JndiLoginModule configuration
👉 https://hackerone.com/reports/1529790
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Aiven Ltd
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 6:30am (UTC)
👉 https://hackerone.com/reports/1529790
🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Aiven Ltd
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 6:30am (UTC)
Apache Flink RCE via GET jar/plan API Endpoint
👉 https://hackerone.com/reports/1418891
🔹 Severity: Critical | 💰 6,000 USD
🔹 Reported To: Aiven Ltd
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 6:30am (UTC)
👉 https://hackerone.com/reports/1418891
🔹 Severity: Critical | 💰 6,000 USD
🔹 Reported To: Aiven Ltd
🔹 Reported By: #jarij
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 6:30am (UTC)
Self-XSS on Suggest Tag dialog box
👉 https://hackerone.com/reports/1761505
🔹 Severity: Low | 💰 50 USD
🔹 Reported To: XVIDEOS
🔹 Reported By: #j3rry4unt
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 7:19pm (UTC)
👉 https://hackerone.com/reports/1761505
🔹 Severity: Low | 💰 50 USD
🔹 Reported To: XVIDEOS
🔹 Reported By: #j3rry4unt
🔹 State: 🟢 Resolved
🔹 Disclosed: November 8, 2022, 7:19pm (UTC)
Host Header Injection Attack - www.xnxx.com
👉 https://hackerone.com/reports/1630073
🔹 Severity: No Rating
🔹 Reported To: XVIDEOS
🔹 Reported By: #cyber_anon
🔹 State: ⚪️ Informative
🔹 Disclosed: November 8, 2022, 7:25pm (UTC)
👉 https://hackerone.com/reports/1630073
🔹 Severity: No Rating
🔹 Reported To: XVIDEOS
🔹 Reported By: #cyber_anon
🔹 State: ⚪️ Informative
🔹 Disclosed: November 8, 2022, 7:25pm (UTC)
api keys leaked
👉 https://hackerone.com/reports/1762927
🔹 Severity: Medium
🔹 Reported To: Reddit
🔹 Reported By: #saibalajis6
🔹 State: ⚪️ Informative
🔹 Disclosed: November 10, 2022, 2:40pm (UTC)
👉 https://hackerone.com/reports/1762927
🔹 Severity: Medium
🔹 Reported To: Reddit
🔹 Reported By: #saibalajis6
🔹 State: ⚪️ Informative
🔹 Disclosed: November 10, 2022, 2:40pm (UTC)
sensitive data exposure
👉 https://hackerone.com/reports/1716249
🔹 Severity: High
🔹 Reported To: Reddit
🔹 Reported By: #saibalajis6
🔹 State: 🔴 N/A
🔹 Disclosed: November 10, 2022, 2:41pm (UTC)
👉 https://hackerone.com/reports/1716249
🔹 Severity: High
🔹 Reported To: Reddit
🔹 Reported By: #saibalajis6
🔹 State: 🔴 N/A
🔹 Disclosed: November 10, 2022, 2:41pm (UTC)
Business Suite "Get Leads" Resulting in Revealing User Email & Phone
👉 https://hackerone.com/reports/1744194
🔹 Severity: High | 💰 5,500 USD
🔹 Reported To: TikTok
🔹 Reported By: #datph4m
🔹 State: 🟢 Resolved
🔹 Disclosed: November 10, 2022, 11:41pm (UTC)
👉 https://hackerone.com/reports/1744194
🔹 Severity: High | 💰 5,500 USD
🔹 Reported To: TikTok
🔹 Reported By: #datph4m
🔹 State: 🟢 Resolved
🔹 Disclosed: November 10, 2022, 11:41pm (UTC)
Subdomain Takeover on delivey.yelp.com
👉 https://hackerone.com/reports/1715538
🔹 Severity: Low
🔹 Reported To: Yelp
🔹 Reported By: #racersaravanaa05
🔹 State: 🔴 N/A
🔹 Disclosed: November 12, 2022, 3:49pm (UTC)
👉 https://hackerone.com/reports/1715538
🔹 Severity: Low
🔹 Reported To: Yelp
🔹 Reported By: #racersaravanaa05
🔹 State: 🔴 N/A
🔹 Disclosed: November 12, 2022, 3:49pm (UTC)
Subdomain takeover at http://test.www.midigator.com
👉 https://hackerone.com/reports/1718371
🔹 Severity: High
🔹 Reported To: Equifax
🔹 Reported By: #valluvarsploit_h1
🔹 State: 🟢 Resolved
🔹 Disclosed: November 12, 2022, 4:05pm (UTC)
👉 https://hackerone.com/reports/1718371
🔹 Severity: High
🔹 Reported To: Equifax
🔹 Reported By: #valluvarsploit_h1
🔹 State: 🟢 Resolved
🔹 Disclosed: November 12, 2022, 4:05pm (UTC)
Admin can create a hidden admin account which even the owner can not detect and remove and do administrative actions on the application.
👉 https://hackerone.com/reports/1596663
🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: Reddit
🔹 Reported By: #41bin
🔹 State: 🟢 Resolved
🔹 Disclosed: November 14, 2022, 4:34am (UTC)
👉 https://hackerone.com/reports/1596663
🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: Reddit
🔹 Reported By: #41bin
🔹 State: 🟢 Resolved
🔹 Disclosed: November 14, 2022, 4:34am (UTC)
Open redirect at mc-beta-cloud-acronis.com
👉 https://hackerone.com/reports/846389
🔹 Severity: No Rating
🔹 Reported To: Acronis
🔹 Reported By: #angeltsvetkov
🔹 State: 🟢 Resolved
🔹 Disclosed: November 15, 2022, 9:49am (UTC)
👉 https://hackerone.com/reports/846389
🔹 Severity: No Rating
🔹 Reported To: Acronis
🔹 Reported By: #angeltsvetkov
🔹 State: 🟢 Resolved
🔹 Disclosed: November 15, 2022, 9:49am (UTC)
New /add_contacts /remove_contacts quick commands susseptible to XSS from Customer Contact firstname/lastname fields
👉 https://hackerone.com/reports/1578400
🔹 Severity: High | 💰 13,950 USD
🔹 Reported To: GitLab
🔹 Reported By: #cryptopone
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 1:07am (UTC)
👉 https://hackerone.com/reports/1578400
🔹 Severity: High | 💰 13,950 USD
🔹 Reported To: GitLab
🔹 Reported By: #cryptopone
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 1:07am (UTC)
XSS: `v-safe-html` is not safe enough
👉 https://hackerone.com/reports/1579645
🔹 Severity: High | 💰 6,580 USD
🔹 Reported To: GitLab
🔹 Reported By: #yvvdwf
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 1:08am (UTC)
👉 https://hackerone.com/reports/1579645
🔹 Severity: High | 💰 6,580 USD
🔹 Reported To: GitLab
🔹 Reported By: #yvvdwf
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 1:08am (UTC)
CSP-bypass XSS in project settings page
👉 https://hackerone.com/reports/1588732
🔹 Severity: High | 💰 10,270 USD
🔹 Reported To: GitLab
🔹 Reported By: #yvvdwf
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 1:08am (UTC)
👉 https://hackerone.com/reports/1588732
🔹 Severity: High | 💰 10,270 USD
🔹 Reported To: GitLab
🔹 Reported By: #yvvdwf
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 1:08am (UTC)
RCE via github import
👉 https://hackerone.com/reports/1672388
🔹 Severity: Critical | 💰 33,510 USD
🔹 Reported To: GitLab
🔹 Reported By: #yvvdwf
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 1:10am (UTC)
👉 https://hackerone.com/reports/1672388
🔹 Severity: Critical | 💰 33,510 USD
🔹 Reported To: GitLab
🔹 Reported By: #yvvdwf
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 1:10am (UTC)
Ability to bypass locked Cloudflare WARP on wifi networks.
👉 https://hackerone.com/reports/1635748
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #joshatmotion
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 8:59am (UTC)
👉 https://hackerone.com/reports/1635748
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #joshatmotion
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 8:59am (UTC)
[Git Gud] GitHub.com Svnbridge memcached deserialization vulnerability chain leading to Remote Code Execution
👉 https://hackerone.com/reports/1593913
🔹 Severity: Medium | 💰 17,500 USD
🔹 Reported To: GitHub
🔹 Reported By: #ajxchapman
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 9:22pm (UTC)
👉 https://hackerone.com/reports/1593913
🔹 Severity: Medium | 💰 17,500 USD
🔹 Reported To: GitHub
🔹 Reported By: #ajxchapman
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 9:22pm (UTC)