Dependecy Confusion via Lookup Request Forwarding to PyPi.org
👉 https://hackerone.com/reports/1681275
🔹 Severity: No Rating
🔹 Reported To: GitLab
🔹 Reported By: #usd-responsible-disclosure
🔹 State: ⚪️ Informative
🔹 Disclosed: November 21, 2022, 3:49am (UTC)
👉 https://hackerone.com/reports/1681275
🔹 Severity: No Rating
🔹 Reported To: GitLab
🔹 Reported By: #usd-responsible-disclosure
🔹 State: ⚪️ Informative
🔹 Disclosed: November 21, 2022, 3:49am (UTC)
Open redirect that can lead to malicious websites
👉 https://hackerone.com/reports/1771749
🔹 Severity: No Rating
🔹 Reported To: AMBER AI
🔹 Reported By: #mrdot404
🔹 State: ⚪️ Informative
🔹 Disclosed: November 21, 2022, 7:24am (UTC)
👉 https://hackerone.com/reports/1771749
🔹 Severity: No Rating
🔹 Reported To: AMBER AI
🔹 Reported By: #mrdot404
🔹 State: ⚪️ Informative
🔹 Disclosed: November 21, 2022, 7:24am (UTC)
Support Portal Takeover via Leaked API KEY
👉 https://hackerone.com/reports/1766228
🔹 Severity: High | 💰 1,500 USD
🔹 Reported To: AMBER AI
🔹 Reported By: #khizer47
🔹 State: 🟢 Resolved
🔹 Disclosed: November 22, 2022, 9:55am (UTC)
👉 https://hackerone.com/reports/1766228
🔹 Severity: High | 💰 1,500 USD
🔹 Reported To: AMBER AI
🔹 Reported By: #khizer47
🔹 State: 🟢 Resolved
🔹 Disclosed: November 22, 2022, 9:55am (UTC)
DoS via Automatic Response Message
👉 https://hackerone.com/reports/1680241
🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Mattermost
🔹 Reported By: #vultza
🔹 State: 🟢 Resolved
🔹 Disclosed: November 23, 2022, 2:55pm (UTC)
👉 https://hackerone.com/reports/1680241
🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Mattermost
🔹 Reported By: #vultza
🔹 State: 🟢 Resolved
🔹 Disclosed: November 23, 2022, 2:55pm (UTC)
DoS via Playbook
👉 https://hackerone.com/reports/1685979
🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Mattermost
🔹 Reported By: #vultza
🔹 State: 🟢 Resolved
🔹 Disclosed: November 23, 2022, 2:55pm (UTC)
👉 https://hackerone.com/reports/1685979
🔹 Severity: Medium | 💰 300 USD
🔹 Reported To: Mattermost
🔹 Reported By: #vultza
🔹 State: 🟢 Resolved
🔹 Disclosed: November 23, 2022, 2:55pm (UTC)
RubyのCGIライブラリにHTTPレスポンス分割(HTTPヘッダインジェクション)があり、秘密情報が漏洩する
👉 https://hackerone.com/reports/1204695
🔹 Severity: High
🔹 Reported To: Ruby
🔹 Reported By: #htokumaru
🔹 State: 🟢 Resolved
🔹 Disclosed: November 24, 2022, 1:46am (UTC)
👉 https://hackerone.com/reports/1204695
🔹 Severity: High
🔹 Reported To: Ruby
🔹 Reported By: #htokumaru
🔹 State: 🟢 Resolved
🔹 Disclosed: November 24, 2022, 1:46am (UTC)
👍1
CGI::Cookieクラスにおけるセキュリティ上好ましくない仕様および実装
👉 https://hackerone.com/reports/1204977
🔹 Severity: Low
🔹 Reported To: Ruby
🔹 Reported By: #htokumaru
🔹 State: 🟢 Resolved
🔹 Disclosed: November 24, 2022, 1:47am (UTC)
👉 https://hackerone.com/reports/1204977
🔹 Severity: Low
🔹 Reported To: Ruby
🔹 Reported By: #htokumaru
🔹 State: 🟢 Resolved
🔹 Disclosed: November 24, 2022, 1:47am (UTC)
XSS in Desktop Client in the notifications
👉 https://hackerone.com/reports/1668028
🔹 Severity: Low | 💰 750 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #mikeisastar
🔹 State: 🟢 Resolved
🔹 Disclosed: November 25, 2022, 11:29am (UTC)
👉 https://hackerone.com/reports/1668028
🔹 Severity: Low | 💰 750 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #mikeisastar
🔹 State: 🟢 Resolved
🔹 Disclosed: November 25, 2022, 11:29am (UTC)
XSS in Desktop Client via user status and information
👉 https://hackerone.com/reports/1707977
🔹 Severity: Low
🔹 Reported To: Nextcloud
🔹 Reported By: #mikeisastar
🔹 State: 🟢 Resolved
🔹 Disclosed: November 25, 2022, 3:44pm (UTC)
👉 https://hackerone.com/reports/1707977
🔹 Severity: Low
🔹 Reported To: Nextcloud
🔹 Reported By: #mikeisastar
🔹 State: 🟢 Resolved
🔹 Disclosed: November 25, 2022, 3:44pm (UTC)
XSS in Desktop Client in call notification popup
👉 https://hackerone.com/reports/1711847
🔹 Severity: Low
🔹 Reported To: Nextcloud
🔹 Reported By: #mikeisastar
🔹 State: 🟢 Resolved
🔹 Disclosed: November 25, 2022, 3:45pm (UTC)
👉 https://hackerone.com/reports/1711847
🔹 Severity: Low
🔹 Reported To: Nextcloud
🔹 Reported By: #mikeisastar
🔹 State: 🟢 Resolved
🔹 Disclosed: November 25, 2022, 3:45pm (UTC)
SSRF - pivoting in the private LAN
👉 https://hackerone.com/reports/1364797
🔹 Severity: Low
🔹 Reported To: Concrete CMS
🔹 Reported By: #adrian_t
🔹 State: 🟢 Resolved
🔹 Disclosed: November 25, 2022, 5:20pm (UTC)
👉 https://hackerone.com/reports/1364797
🔹 Severity: Low
🔹 Reported To: Concrete CMS
🔹 Reported By: #adrian_t
🔹 State: 🟢 Resolved
🔹 Disclosed: November 25, 2022, 5:20pm (UTC)
open redirect to a remote website which can phish users
👉 https://hackerone.com/reports/1397804
🔹 Severity: Medium
🔹 Reported To: Concrete CMS
🔹 Reported By: #adrian_t
🔹 State: ⚪️ Informative
🔹 Disclosed: November 25, 2022, 6:08pm (UTC)
👉 https://hackerone.com/reports/1397804
🔹 Severity: Medium
🔹 Reported To: Concrete CMS
🔹 Reported By: #adrian_t
🔹 State: ⚪️ Informative
🔹 Disclosed: November 25, 2022, 6:08pm (UTC)
SSRF mitigation bypass using DNS Rebind attack
👉 https://hackerone.com/reports/1369312
🔹 Severity: Low
🔹 Reported To: Concrete CMS
🔹 Reported By: #adrian_t
🔹 State: 🟢 Resolved
🔹 Disclosed: November 25, 2022, 6:11pm (UTC)
👉 https://hackerone.com/reports/1369312
🔹 Severity: Low
🔹 Reported To: Concrete CMS
🔹 Reported By: #adrian_t
🔹 State: 🟢 Resolved
🔹 Disclosed: November 25, 2022, 6:11pm (UTC)
👍1
Database resource exhaustion for logged-in users via sharee recommendations with circles
👉 https://hackerone.com/reports/1688199
🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #michag86
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2022, 6:52am (UTC)
👉 https://hackerone.com/reports/1688199
🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #michag86
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2022, 6:52am (UTC)
Profile of disabled user stays accessible
👉 https://hackerone.com/reports/1675014
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #mikaelgundersen
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2022, 6:53am (UTC)
👉 https://hackerone.com/reports/1675014
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Nextcloud
🔹 Reported By: #mikaelgundersen
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2022, 6:53am (UTC)
CVE-2022-32221: POST following PUT confusion
👉 https://hackerone.com/reports/1704017
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #robbotic
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2022, 12:02pm (UTC)
👉 https://hackerone.com/reports/1704017
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #robbotic
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2022, 12:02pm (UTC)
CVE-2022-42915: HTTP proxy double-free
👉 https://hackerone.com/reports/1722065
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #bagder
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2022, 12:04pm (UTC)
👉 https://hackerone.com/reports/1722065
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #bagder
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2022, 12:04pm (UTC)
Exception logging in Sharepoint app reveals clear-text connection details
👉 https://hackerone.com/reports/1652903
🔹 Severity: Medium
🔹 Reported To: Nextcloud
🔹 Reported By: #kichernde_erbse
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2022, 12:46pm (UTC)
👉 https://hackerone.com/reports/1652903
🔹 Severity: Medium
🔹 Reported To: Nextcloud
🔹 Reported By: #kichernde_erbse
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2022, 12:46pm (UTC)
Wordpress users Disclosure [ /wp-json/wp/v2/users/ ]
👉 https://hackerone.com/reports/1735586
🔹 Severity: Critical
🔹 Reported To: MTN Group
🔹 Reported By: #shubham_srt
🔹 State: 🟢 Resolved
🔹 Disclosed: November 27, 2022, 3:25am (UTC)
👉 https://hackerone.com/reports/1735586
🔹 Severity: Critical
🔹 Reported To: MTN Group
🔹 Reported By: #shubham_srt
🔹 State: 🟢 Resolved
🔹 Disclosed: November 27, 2022, 3:25am (UTC)
potential denial of service attack via the locale parameter
👉 https://hackerone.com/reports/1746098
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #benjaoming_realone
🔹 State: 🟢 Resolved
🔹 Disclosed: November 28, 2022, 6:31pm (UTC)
👉 https://hackerone.com/reports/1746098
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #benjaoming_realone
🔹 State: 🟢 Resolved
🔹 Disclosed: November 28, 2022, 6:31pm (UTC)
I found some api keys in js files ,huge leak of token addresses and huge amount of js files are not forbidden
👉 https://hackerone.com/reports/1787121
🔹 Severity: No Rating
🔹 Reported To: AMBER AI
🔹 Reported By: #orange_h
🔹 State: 🔴 N/A
🔹 Disclosed: November 29, 2022, 10:46am (UTC)
👉 https://hackerone.com/reports/1787121
🔹 Severity: No Rating
🔹 Reported To: AMBER AI
🔹 Reported By: #orange_h
🔹 State: 🔴 N/A
🔹 Disclosed: November 29, 2022, 10:46am (UTC)
🤔3👍2