Grammarly Keyboard for Android "Authorization Code with PKCE" flow implementation vulnerability that allows account takeover
π https://hackerone.com/reports/824931
πΉ Severity: Medium
πΉ Reported To: Grammarly
πΉ Reported By: #tomtenisse
πΉ Disclosed: July 24, 2020, 2:22pm (UTC)
π https://hackerone.com/reports/824931
πΉ Severity: Medium
πΉ Reported To: Grammarly
πΉ Reported By: #tomtenisse
πΉ Disclosed: July 24, 2020, 2:22pm (UTC)
CVE-2019-19935 - DOM based XSS in the froala editor
π https://hackerone.com/reports/938683
πΉ Severity: Low
πΉ Reported To: lemlist
πΉ Reported By: #chackal
πΉ Disclosed: July 24, 2020, 3:33pm (UTC)
π https://hackerone.com/reports/938683
πΉ Severity: Low
πΉ Reported To: lemlist
πΉ Reported By: #chackal
πΉ Disclosed: July 24, 2020, 3:33pm (UTC)
SQL Injection or Denial of Service due to a Prototype Pollution
π https://hackerone.com/reports/869574
πΉ Severity: Critical
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #phra
πΉ Disclosed: July 24, 2020, 5:20pm (UTC)
π https://hackerone.com/reports/869574
πΉ Severity: Critical
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #phra
πΉ Disclosed: July 24, 2020, 5:20pm (UTC)
SAML Response Reuse on hackerone.com/users/saml/auth
π https://hackerone.com/reports/888930
πΉ Severity: Low | π° 500 USD
πΉ Reported To: HackerOne
πΉ Reported By: #samtink
πΉ Disclosed: July 24, 2020, 6:51pm (UTC)
π https://hackerone.com/reports/888930
πΉ Severity: Low | π° 500 USD
πΉ Reported To: HackerOne
πΉ Reported By: #samtink
πΉ Disclosed: July 24, 2020, 6:51pm (UTC)
Denial of Service [Chrome]
π https://hackerone.com/reports/921286
πΉ Severity: Medium | π° 560 USD
πΉ Reported To: Twitter
πΉ Reported By: #cyanpiny
πΉ Disclosed: July 24, 2020, 8:00pm (UTC)
π https://hackerone.com/reports/921286
πΉ Severity: Medium | π° 560 USD
πΉ Reported To: Twitter
πΉ Reported By: #cyanpiny
πΉ Disclosed: July 24, 2020, 8:00pm (UTC)
Untrusted users able to run pending migrations in production
π https://hackerone.com/reports/899069
πΉ Severity: Medium
πΉ Reported To: Ruby on Rails
πΉ Reported By: #tenderlove
πΉ Disclosed: July 24, 2020, 8:07pm (UTC)
π https://hackerone.com/reports/899069
πΉ Severity: Medium
πΉ Reported To: Ruby on Rails
πΉ Reported By: #tenderlove
πΉ Disclosed: July 24, 2020, 8:07pm (UTC)
GraphQL field on Team node can be used to determine if External Program runs invite-only program
π https://hackerone.com/reports/877642
πΉ Severity: Medium
πΉ Reported To: HackerOne
πΉ Reported By: #kunal94
πΉ Disclosed: July 25, 2020, 1:13am (UTC)
π https://hackerone.com/reports/877642
πΉ Severity: Medium
πΉ Reported To: HackerOne
πΉ Reported By: #kunal94
πΉ Disclosed: July 25, 2020, 1:13am (UTC)
Contacts menu (not app) fails to restrict (to local groups) for contacts from federated servers
π https://hackerone.com/reports/895730
πΉ Severity: Low
πΉ Reported To: Nextcloud
πΉ Reported By: #nursoda
πΉ Disclosed: July 25, 2020, 8:10am (UTC)
π https://hackerone.com/reports/895730
πΉ Severity: Low
πΉ Reported To: Nextcloud
πΉ Reported By: #nursoda
πΉ Disclosed: July 25, 2020, 8:10am (UTC)
Improper validation of unicode characters#2
π https://hackerone.com/reports/279945
πΉ Severity: No Rating
πΉ Reported To: Weblate
πΉ Reported By: #code_monkey
πΉ Disclosed: July 26, 2020, 10:50am (UTC)
π https://hackerone.com/reports/279945
πΉ Severity: No Rating
πΉ Reported To: Weblate
πΉ Reported By: #code_monkey
πΉ Disclosed: July 26, 2020, 10:50am (UTC)
Open Github Repo Leaking WEBLATE SECRET KEY
π https://hackerone.com/reports/942146
πΉ Severity: No Rating
πΉ Reported To: Weblate
πΉ Reported By: #nafisaqil4
πΉ Disclosed: July 26, 2020, 11:24am (UTC)
π https://hackerone.com/reports/942146
πΉ Severity: No Rating
πΉ Reported To: Weblate
πΉ Reported By: #nafisaqil4
πΉ Disclosed: July 26, 2020, 11:24am (UTC)
IDOR with Geolocation data not stripped from images
π https://hackerone.com/reports/906907
πΉ Severity: High | π° 200 USD
πΉ Reported To: IRCCloud
πΉ Reported By: #do_some_hack
πΉ Disclosed: July 26, 2020, 3:36pm (UTC)
π https://hackerone.com/reports/906907
πΉ Severity: High | π° 200 USD
πΉ Reported To: IRCCloud
πΉ Reported By: #do_some_hack
πΉ Disclosed: July 26, 2020, 3:36pm (UTC)
Account takeover w/o interaction for a user that doesn't have 2fa enabled via 2fa linking and improper auth at /api/2fa/verify
π https://hackerone.com/reports/810880
πΉ Severity: Medium | π° 100 USD
πΉ Reported To: Helium
πΉ Reported By: #w2w
πΉ Disclosed: July 26, 2020, 4:39pm (UTC)
π https://hackerone.com/reports/810880
πΉ Severity: Medium | π° 100 USD
πΉ Reported To: Helium
πΉ Reported By: #w2w
πΉ Disclosed: July 26, 2020, 4:39pm (UTC)
Send arbitrary PUT requests when user clicks on a link
π https://hackerone.com/reports/824689
πΉ Severity: Medium | π° 3000 USD
πΉ Reported To: GitLab
πΉ Reported By: #yvvdwf
πΉ Disclosed: July 27, 2020, 8:44am (UTC)
π https://hackerone.com/reports/824689
πΉ Severity: Medium | π° 3000 USD
πΉ Reported To: GitLab
πΉ Reported By: #yvvdwf
πΉ Disclosed: July 27, 2020, 8:44am (UTC)
π July 31 - August 1, 2020
h@cktivitycon is a HackerOne hosted hacker conference built by the community for the community.
h@cktivitycon is a place for hackers to learn, share, and meet friends. Hear talks and panelists exploring offensive hacking techniques, recon skills, target selection and more.
π£ Speakers | β± Schedule
π Register now
h@cktivitycon is a HackerOne hosted hacker conference built by the community for the community.
h@cktivitycon is a place for hackers to learn, share, and meet friends. Hear talks and panelists exploring offensive hacking techniques, recon skills, target selection and more.
π£ Speakers | β± Schedule
π Register now
Cross-Site WebSocket Hijacking Lead to Steal XSRF-TOKEN
π https://hackerone.com/reports/915541
πΉ Severity: No Rating
πΉ Reported To: Stripo Inc
πΉ Reported By: #3x3s
πΉ Disclosed: July 27, 2020, 12:54pm (UTC)
π https://hackerone.com/reports/915541
πΉ Severity: No Rating
πΉ Reported To: Stripo Inc
πΉ Reported By: #3x3s
πΉ Disclosed: July 27, 2020, 12:54pm (UTC)
DOM-Based XSS in tumblr.com
π https://hackerone.com/reports/882546
πΉ Severity: Medium | π° 350 USD
πΉ Reported To: Automattic
πΉ Reported By: #keer0k
πΉ Disclosed: July 27, 2020, 3:24pm (UTC)
π https://hackerone.com/reports/882546
πΉ Severity: Medium | π° 350 USD
πΉ Reported To: Automattic
πΉ Reported By: #keer0k
πΉ Disclosed: July 27, 2020, 3:24pm (UTC)
JDBC credentials leaked via github
π https://hackerone.com/reports/935573
πΉ Severity: No Rating
πΉ Reported To: Yelp
πΉ Reported By: #walidhossain
πΉ Disclosed: July 27, 2020, 4:44pm (UTC)
π https://hackerone.com/reports/935573
πΉ Severity: No Rating
πΉ Reported To: Yelp
πΉ Reported By: #walidhossain
πΉ Disclosed: July 27, 2020, 4:44pm (UTC)
IDOR: Adding Contacts to Other User Groups
π https://hackerone.com/reports/879960
πΉ Severity: Low
πΉ Reported To: 8x8
πΉ Reported By: #ameyanekar
πΉ Disclosed: July 27, 2020, 4:50pm (UTC)
π https://hackerone.com/reports/879960
πΉ Severity: Low
πΉ Reported To: 8x8
πΉ Reported By: #ameyanekar
πΉ Disclosed: July 27, 2020, 4:50pm (UTC)
Python : Add query to detect Server Side Template Injection
π https://hackerone.com/reports/944359
πΉ Severity: High | π° 2300 USD
πΉ Reported To: GitHub Security Lab
πΉ Reported By: #porcupineyhairs
πΉ Disclosed: July 27, 2020, 9:45pm (UTC)
π https://hackerone.com/reports/944359
πΉ Severity: High | π° 2300 USD
πΉ Reported To: GitHub Security Lab
πΉ Reported By: #porcupineyhairs
πΉ Disclosed: July 27, 2020, 9:45pm (UTC)
Wordpress Users Disclosure (/wp-json/wp/v2/users/) on data.gov
π https://hackerone.com/reports/942481
πΉ Severity: Medium
πΉ Reported To: TTS Bug Bounty
πΉ Reported By: #nagli
πΉ Disclosed: July 28, 2020, 12:12am (UTC)
π https://hackerone.com/reports/942481
πΉ Severity: Medium
πΉ Reported To: TTS Bug Bounty
πΉ Reported By: #nagli
πΉ Disclosed: July 28, 2020, 12:12am (UTC)
Stored XSS In mlbootcamp.ru
π https://hackerone.com/reports/820217
πΉ Severity: High
πΉ Reported To: Mail.ru
πΉ Reported By: #sniper302
πΉ Disclosed: July 28, 2020, 8:28am (UTC)
π https://hackerone.com/reports/820217
πΉ Severity: High
πΉ Reported To: Mail.ru
πΉ Reported By: #sniper302
πΉ Disclosed: July 28, 2020, 8:28am (UTC)