CVE-2022-32221: POST following PUT confusion
👉 https://hackerone.com/reports/1704017
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #robbotic
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2022, 12:02pm (UTC)
👉 https://hackerone.com/reports/1704017
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #robbotic
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2022, 12:02pm (UTC)
CVE-2022-42915: HTTP proxy double-free
👉 https://hackerone.com/reports/1722065
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #bagder
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2022, 12:04pm (UTC)
👉 https://hackerone.com/reports/1722065
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #bagder
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2022, 12:04pm (UTC)
Exception logging in Sharepoint app reveals clear-text connection details
👉 https://hackerone.com/reports/1652903
🔹 Severity: Medium
🔹 Reported To: Nextcloud
🔹 Reported By: #kichernde_erbse
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2022, 12:46pm (UTC)
👉 https://hackerone.com/reports/1652903
🔹 Severity: Medium
🔹 Reported To: Nextcloud
🔹 Reported By: #kichernde_erbse
🔹 State: 🟢 Resolved
🔹 Disclosed: November 26, 2022, 12:46pm (UTC)
Wordpress users Disclosure [ /wp-json/wp/v2/users/ ]
👉 https://hackerone.com/reports/1735586
🔹 Severity: Critical
🔹 Reported To: MTN Group
🔹 Reported By: #shubham_srt
🔹 State: 🟢 Resolved
🔹 Disclosed: November 27, 2022, 3:25am (UTC)
👉 https://hackerone.com/reports/1735586
🔹 Severity: Critical
🔹 Reported To: MTN Group
🔹 Reported By: #shubham_srt
🔹 State: 🟢 Resolved
🔹 Disclosed: November 27, 2022, 3:25am (UTC)
potential denial of service attack via the locale parameter
👉 https://hackerone.com/reports/1746098
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #benjaoming_realone
🔹 State: 🟢 Resolved
🔹 Disclosed: November 28, 2022, 6:31pm (UTC)
👉 https://hackerone.com/reports/1746098
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #benjaoming_realone
🔹 State: 🟢 Resolved
🔹 Disclosed: November 28, 2022, 6:31pm (UTC)
I found some api keys in js files ,huge leak of token addresses and huge amount of js files are not forbidden
👉 https://hackerone.com/reports/1787121
🔹 Severity: No Rating
🔹 Reported To: AMBER AI
🔹 Reported By: #orange_h
🔹 State: 🔴 N/A
🔹 Disclosed: November 29, 2022, 10:46am (UTC)
👉 https://hackerone.com/reports/1787121
🔹 Severity: No Rating
🔹 Reported To: AMBER AI
🔹 Reported By: #orange_h
🔹 State: 🔴 N/A
🔹 Disclosed: November 29, 2022, 10:46am (UTC)
🤔3👍2
Stored XSS in Dovetale by application of creator
👉 https://hackerone.com/reports/1652046
🔹 Severity: Medium | 💰 1,600 USD
🔹 Reported To: Shopify
🔹 Reported By: #kun_19
🔹 State: 🟢 Resolved
🔹 Disclosed: November 29, 2022, 5:34pm (UTC)
👉 https://hackerone.com/reports/1652046
🔹 Severity: Medium | 💰 1,600 USD
🔹 Reported To: Shopify
🔹 Reported By: #kun_19
🔹 State: 🟢 Resolved
🔹 Disclosed: November 29, 2022, 5:34pm (UTC)
Any organization's assets pending review can be downloaded
👉 https://hackerone.com/reports/1787644
🔹 Severity: High
🔹 Reported To: HackerOne
🔹 Reported By: #jobert
🔹 State: 🟢 Resolved
🔹 Disclosed: November 29, 2022, 6:36pm (UTC)
👉 https://hackerone.com/reports/1787644
🔹 Severity: High
🔹 Reported To: HackerOne
🔹 Reported By: #jobert
🔹 State: 🟢 Resolved
🔹 Disclosed: November 29, 2022, 6:36pm (UTC)
Stored XSS Payload when sending videos
👉 https://hackerone.com/reports/1536046
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: TikTok
🔹 Reported By: #aidilarf_2000
🔹 State: 🟢 Resolved
🔹 Disclosed: November 29, 2022, 9:30pm (UTC)
👉 https://hackerone.com/reports/1536046
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: TikTok
🔹 Reported By: #aidilarf_2000
🔹 State: 🟢 Resolved
🔹 Disclosed: November 29, 2022, 9:30pm (UTC)
If the website does not impose additional defense against CSRF attacks, failing to use the 'Lax' or 'Strict' values could increase the risk of exposur
👉 https://hackerone.com/reports/1707680
🔹 Severity: Low
🔹 Reported To: Yelp
🔹 Reported By: #shubhangirathore836
🔹 State: 🔴 N/A
🔹 Disclosed: November 30, 2022, 3:15pm (UTC)
👉 https://hackerone.com/reports/1707680
🔹 Severity: Low
🔹 Reported To: Yelp
🔹 Reported By: #shubhangirathore836
🔹 State: 🔴 N/A
🔹 Disclosed: November 30, 2022, 3:15pm (UTC)
Campaign Account Balance and History Disclosed in API Response
👉 https://hackerone.com/reports/1587374
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: LinkedIn
🔹 Reported By: #sachin_kumar_
🔹 State: 🟢 Resolved
🔹 Disclosed: November 30, 2022, 7:31pm (UTC)
👉 https://hackerone.com/reports/1587374
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: LinkedIn
🔹 Reported By: #sachin_kumar_
🔹 State: 🟢 Resolved
🔹 Disclosed: November 30, 2022, 7:31pm (UTC)
Double evaluation in .bash_prompt of dotfiles allows a malicious repository to execute arbitrary commands
👉 https://hackerone.com/reports/1785378
🔹 Severity: High | 💰 300 USD
🔹 Reported To: Ian Dunn
🔹 Reported By: #ryotak
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 4:00am (UTC)
👉 https://hackerone.com/reports/1785378
🔹 Severity: High | 💰 300 USD
🔹 Reported To: Ian Dunn
🔹 Reported By: #ryotak
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 4:00am (UTC)
🔥2
CVE-2022-45402: Apache Airflow: Open redirect during login
👉 https://hackerone.com/reports/1782514
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #bugra
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 9:41am (UTC)
👉 https://hackerone.com/reports/1782514
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #bugra
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 9:41am (UTC)
Calendar name length not validated before writing to database
👉 https://hackerone.com/reports/1596148
🔹 Severity: Low
🔹 Reported To: Nextcloud
🔹 Reported By: #errorx404
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 9:49am (UTC)
👉 https://hackerone.com/reports/1596148
🔹 Severity: Low
🔹 Reported To: Nextcloud
🔹 Reported By: #errorx404
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 9:49am (UTC)
Firebase Database Takeover in https://pulseradio.mtn.co.ug/
👉 https://hackerone.com/reports/1447751
🔹 Severity: Critical
🔹 Reported To: MTN Group
🔹 Reported By: #shuvam321
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 10:52am (UTC)
👉 https://hackerone.com/reports/1447751
🔹 Severity: Critical
🔹 Reported To: MTN Group
🔹 Reported By: #shuvam321
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 10:52am (UTC)
😱1
Unprotected Direct Object Reference
👉 https://hackerone.com/reports/1536936
🔹 Severity: Critical
🔹 Reported To: MTN Group
🔹 Reported By: #coyemerald
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 5:24pm (UTC)
👉 https://hackerone.com/reports/1536936
🔹 Severity: Critical
🔹 Reported To: MTN Group
🔹 Reported By: #coyemerald
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 5:24pm (UTC)
Remove Every User, Admin, And Owner Out Of Their Teams on developers.mtn.com via IDOR + Information Disclosure
👉 https://hackerone.com/reports/1448550
🔹 Severity: Critical
🔹 Reported To: MTN Group
🔹 Reported By: #wallotry
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 5:34pm (UTC)
👉 https://hackerone.com/reports/1448550
🔹 Severity: Critical
🔹 Reported To: MTN Group
🔹 Reported By: #wallotry
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 5:34pm (UTC)
😱1
Subdomain Takeover at course.oberlo.com
👉 https://hackerone.com/reports/1690951
🔹 Severity: No Rating
🔹 Reported To: Shopify
🔹 Reported By: #m7mdharoun
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 7:22pm (UTC)
👉 https://hackerone.com/reports/1690951
🔹 Severity: No Rating
🔹 Reported To: Shopify
🔹 Reported By: #m7mdharoun
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 7:22pm (UTC)
Read/Write arbitrary (non-HttpOnly) cookies on checkout pages via GoogleAnalyticsAdditionalScripts postMessage handler
👉 https://hackerone.com/reports/1081167
🔹 Severity: Medium | 💰 1,600 USD
🔹 Reported To: Shopify
🔹 Reported By: #bored-engineer
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 7:34pm (UTC)
👉 https://hackerone.com/reports/1081167
🔹 Severity: Medium | 💰 1,600 USD
🔹 Reported To: Shopify
🔹 Reported By: #bored-engineer
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 7:34pm (UTC)
Disconnecting an external login provider does not revoke session
👉 https://hackerone.com/reports/1547684
🔹 Severity: Medium | 💰 1,600 USD
🔹 Reported To: Shopify
🔹 Reported By: #attackerbhai
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 7:50pm (UTC)
👉 https://hackerone.com/reports/1547684
🔹 Severity: Medium | 💰 1,600 USD
🔹 Reported To: Shopify
🔹 Reported By: #attackerbhai
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 7:50pm (UTC)
Stored XSS in /admin/product and /admin/collections
👉 https://hackerone.com/reports/1147433
🔹 Severity: Medium | 💰 5,300 USD
🔹 Reported To: Shopify
🔹 Reported By: #ashketchum
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 10:44pm (UTC)
👉 https://hackerone.com/reports/1147433
🔹 Severity: Medium | 💰 5,300 USD
🔹 Reported To: Shopify
🔹 Reported By: #ashketchum
🔹 State: 🟢 Resolved
🔹 Disclosed: December 1, 2022, 10:44pm (UTC)