Bugpoint
@bugpoint
1K subscribers
3.73K photos
3.73K links
Latest updates about disclosure bug bounty reports: tech details, impacts, bounties πŸ“£

RateπŸ‘‡
https://cutt.ly/bugpoint_rate
FeedbackπŸ‘‡
https://cutt.ly/bugpoint_feedback

#️⃣ bug bounty disclosed reports
#️⃣ bug bounty write-ups
#️⃣ bug bounty teleg
Download Telegram
About
Blog
Apps
Platform
Join
Bugpoint
1K subscribers
Bugpoint
Denial of Service [Chrome]

πŸ‘‰ https://hackerone.com/reports/921286

πŸ”Ή Severity: Medium | πŸ’° 560 USD
πŸ”Ή Reported To: Twitter
πŸ”Ή Reported By: #cyanpiny
πŸ”Ή Disclosed: July 24, 2020, 8:00pm (UTC)
111 views
Bugpoint
Untrusted users able to run pending migrations in production

πŸ‘‰ https://hackerone.com/reports/899069

πŸ”Ή Severity: Medium
πŸ”Ή Reported To: Ruby on Rails
πŸ”Ή Reported By: #tenderlove
πŸ”Ή Disclosed: July 24, 2020, 8:07pm (UTC)
116 views
Bugpoint
GraphQL field on Team node can be used to determine if External Program runs invite-only program

πŸ‘‰ https://hackerone.com/reports/877642

πŸ”Ή Severity: Medium
πŸ”Ή Reported To: HackerOne
πŸ”Ή Reported By: #kunal94
πŸ”Ή Disclosed: July 25, 2020, 1:13am (UTC)
126 views
Bugpoint
Contacts menu (not app) fails to restrict (to local groups) for contacts from federated servers

πŸ‘‰ https://hackerone.com/reports/895730

πŸ”Ή Severity: Low
πŸ”Ή Reported To: Nextcloud
πŸ”Ή Reported By: #nursoda
πŸ”Ή Disclosed: July 25, 2020, 8:10am (UTC)
111 views
Bugpoint
Improper validation of unicode characters#2

πŸ‘‰ https://hackerone.com/reports/279945

πŸ”Ή Severity: No Rating
πŸ”Ή Reported To: Weblate
πŸ”Ή Reported By: #code_monkey
πŸ”Ή Disclosed: July 26, 2020, 10:50am (UTC)
74 views
Bugpoint
Open Github Repo Leaking WEBLATE SECRET KEY

πŸ‘‰ https://hackerone.com/reports/942146

πŸ”Ή Severity: No Rating
πŸ”Ή Reported To: Weblate
πŸ”Ή Reported By: #nafisaqil4
πŸ”Ή Disclosed: July 26, 2020, 11:24am (UTC)
80 views
Bugpoint
IDOR with Geolocation data not stripped from images

πŸ‘‰ https://hackerone.com/reports/906907

πŸ”Ή Severity: High | πŸ’° 200 USD
πŸ”Ή Reported To: IRCCloud
πŸ”Ή Reported By: #do_some_hack
πŸ”Ή Disclosed: July 26, 2020, 3:36pm (UTC)
80 views
Bugpoint
Account takeover w/o interaction for a user that doesn't have 2fa enabled via 2fa linking and improper auth at /api/2fa/verify

πŸ‘‰ https://hackerone.com/reports/810880

πŸ”Ή Severity: Medium | πŸ’° 100 USD
πŸ”Ή Reported To: Helium
πŸ”Ή Reported By: #w2w
πŸ”Ή Disclosed: July 26, 2020, 4:39pm (UTC)
81 views
Bugpoint
Send arbitrary PUT requests when user clicks on a link

πŸ‘‰ https://hackerone.com/reports/824689

πŸ”Ή Severity: Medium | πŸ’° 3000 USD
πŸ”Ή Reported To: GitLab
πŸ”Ή Reported By: #yvvdwf
πŸ”Ή Disclosed: July 27, 2020, 8:44am (UTC)
69 views
Bugpoint
πŸ“† July 31 - August 1, 2020

h@cktivitycon is a HackerOne hosted hacker conference built by the community for the community.

h@cktivitycon is a place for hackers to learn, share, and meet friends. Hear talks and panelists exploring offensive hacking techniques, recon skills, target selection and more.

πŸ—£ Speakers | ⏱ Schedule

πŸš€ Register now
67 views
Bugpoint
Cross-Site WebSocket Hijacking Lead to Steal XSRF-TOKEN

πŸ‘‰ https://hackerone.com/reports/915541

πŸ”Ή Severity: No Rating
πŸ”Ή Reported To: Stripo Inc
πŸ”Ή Reported By: #3x3s
πŸ”Ή Disclosed: July 27, 2020, 12:54pm (UTC)
71 views
Bugpoint
DOM-Based XSS in tumblr.com

πŸ‘‰ https://hackerone.com/reports/882546

πŸ”Ή Severity: Medium | πŸ’° 350 USD
πŸ”Ή Reported To: Automattic
πŸ”Ή Reported By: #keer0k
πŸ”Ή Disclosed: July 27, 2020, 3:24pm (UTC)
70 views
Bugpoint
JDBC credentials leaked via github

πŸ‘‰ https://hackerone.com/reports/935573

πŸ”Ή Severity: No Rating
πŸ”Ή Reported To: Yelp
πŸ”Ή Reported By: #walidhossain
πŸ”Ή Disclosed: July 27, 2020, 4:44pm (UTC)
67 views
Bugpoint
IDOR: Adding Contacts to Other User Groups

πŸ‘‰ https://hackerone.com/reports/879960

πŸ”Ή Severity: Low
πŸ”Ή Reported To: 8x8
πŸ”Ή Reported By: #ameyanekar
πŸ”Ή Disclosed: July 27, 2020, 4:50pm (UTC)
70 views
Bugpoint
Python : Add query to detect Server Side Template Injection

πŸ‘‰ https://hackerone.com/reports/944359

πŸ”Ή Severity: High | πŸ’° 2300 USD
πŸ”Ή Reported To: GitHub Security Lab
πŸ”Ή Reported By: #porcupineyhairs
πŸ”Ή Disclosed: July 27, 2020, 9:45pm (UTC)
78 views
Bugpoint
Wordpress Users Disclosure (/wp-json/wp/v2/users/) on data.gov

πŸ‘‰ https://hackerone.com/reports/942481

πŸ”Ή Severity: Medium
πŸ”Ή Reported To: TTS Bug Bounty
πŸ”Ή Reported By: #nagli
πŸ”Ή Disclosed: July 28, 2020, 12:12am (UTC)
69 views
Bugpoint
Stored XSS In mlbootcamp.ru

πŸ‘‰ https://hackerone.com/reports/820217

πŸ”Ή Severity: High
πŸ”Ή Reported To: Mail.ru
πŸ”Ή Reported By: #sniper302
πŸ”Ή Disclosed: July 28, 2020, 8:28am (UTC)
60 views
Bugpoint
Content injection on shared event (calendar.mail.ru)

πŸ‘‰ https://hackerone.com/reports/847473

πŸ”Ή Severity: Low | πŸ’° 150 USD
πŸ”Ή Reported To: Mail.ru
πŸ”Ή Reported By: #urban_tramp
πŸ”Ή Disclosed: July 28, 2020, 8:31am (UTC)
52 views
Bugpoint
Blindy Replace User's Session with Attacker's Session

πŸ‘‰ https://hackerone.com/reports/892986

πŸ”Ή Severity: Low | πŸ’° 150 USD
πŸ”Ή Reported To: Mail.ru
πŸ”Ή Reported By: #sayaanalam
πŸ”Ή Disclosed: July 28, 2020, 8:37am (UTC)
55 views
Bugpoint
HTML/iframe/XSS injection on https://www.ucs.ru/online/shelter/settings/check/

πŸ‘‰ https://hackerone.com/reports/907867

πŸ”Ή Severity: Medium
πŸ”Ή Reported To: Mail.ru
πŸ”Ή Reported By: #hunter_py
πŸ”Ή Disclosed: July 28, 2020, 8:41am (UTC)
58 views
Bugpoint
Test-scripts for postgis in mason-repository using unsafe unzip of content from unclaimed bucket creates potential RCE-issues

πŸ‘‰ https://hackerone.com/reports/329689

πŸ”Ή Severity: Critical | πŸ’° 12500 USD
πŸ”Ή Reported To: Mapbox
πŸ”Ή Reported By: #fransrosen
πŸ”Ή Disclosed: July 28, 2020, 7:37pm (UTC)
58 views