Blindy Replace User's Session with Attacker's Session
π https://hackerone.com/reports/892986
πΉ Severity: Low | π° 150 USD
πΉ Reported To: Mail.ru
πΉ Reported By: #sayaanalam
πΉ Disclosed: July 28, 2020, 8:37am (UTC)
π https://hackerone.com/reports/892986
πΉ Severity: Low | π° 150 USD
πΉ Reported To: Mail.ru
πΉ Reported By: #sayaanalam
πΉ Disclosed: July 28, 2020, 8:37am (UTC)
HTML/iframe/XSS injection on https://www.ucs.ru/online/shelter/settings/check/
π https://hackerone.com/reports/907867
πΉ Severity: Medium
πΉ Reported To: Mail.ru
πΉ Reported By: #hunter_py
πΉ Disclosed: July 28, 2020, 8:41am (UTC)
π https://hackerone.com/reports/907867
πΉ Severity: Medium
πΉ Reported To: Mail.ru
πΉ Reported By: #hunter_py
πΉ Disclosed: July 28, 2020, 8:41am (UTC)
Test-scripts for postgis in mason-repository using unsafe unzip of content from unclaimed bucket creates potential RCE-issues
π https://hackerone.com/reports/329689
πΉ Severity: Critical | π° 12500 USD
πΉ Reported To: Mapbox
πΉ Reported By: #fransrosen
πΉ Disclosed: July 28, 2020, 7:37pm (UTC)
π https://hackerone.com/reports/329689
πΉ Severity: Critical | π° 12500 USD
πΉ Reported To: Mapbox
πΉ Reported By: #fransrosen
πΉ Disclosed: July 28, 2020, 7:37pm (UTC)
Singapore - Account Takeover via IDOR
π https://hackerone.com/reports/876300
πΉ Severity: Critical
πΉ Reported To: Starbucks
πΉ Reported By: #ko2sec
πΉ Disclosed: July 28, 2020, 7:44pm (UTC)
π https://hackerone.com/reports/876300
πΉ Severity: Critical
πΉ Reported To: Starbucks
πΉ Reported By: #ko2sec
πΉ Disclosed: July 28, 2020, 7:44pm (UTC)
SQL injection in Razer Gold List Admin at /lists/index.php via the `list[]` parameter.
π https://hackerone.com/reports/824307
πΉ Severity: Critical | π° 2000 USD
πΉ Reported To: Razer
πΉ Reported By: #stealthy
πΉ Disclosed: July 28, 2020, 9:59pm (UTC)
π https://hackerone.com/reports/824307
πΉ Severity: Critical | π° 2000 USD
πΉ Reported To: Razer
πΉ Reported By: #stealthy
πΉ Disclosed: July 28, 2020, 9:59pm (UTC)
User Access Control Bypass Via Razer elevated service ( RzKLService.exe ) which loads exe in misconfigured way.
π https://hackerone.com/reports/769684
πΉ Severity: High | π° 750 USD
πΉ Reported To: Razer
πΉ Reported By: #dredd_589
πΉ Disclosed: July 28, 2020, 10:01pm (UTC)
π https://hackerone.com/reports/769684
πΉ Severity: High | π° 750 USD
πΉ Reported To: Razer
πΉ Reported By: #dredd_589
πΉ Disclosed: July 28, 2020, 10:01pm (UTC)
Missing rate limit in signup Form
π https://hackerone.com/reports/905692
πΉ Severity: Medium
πΉ Reported To: Courier
πΉ Reported By: #ahmed_almalky
πΉ Disclosed: July 28, 2020, 10:51pm (UTC)
π https://hackerone.com/reports/905692
πΉ Severity: Medium
πΉ Reported To: Courier
πΉ Reported By: #ahmed_almalky
πΉ Disclosed: July 28, 2020, 10:51pm (UTC)
"π" + Unauthenticated Stored XSS in API at https://api.my.games/comments/v1/comments/update/
π https://hackerone.com/reports/853637
πΉ Severity: High
πΉ Reported To: Mail.ru
πΉ Reported By: #samet
πΉ Disclosed: July 28, 2020, 8:34am (UTC)
π https://hackerone.com/reports/853637
πΉ Severity: High
πΉ Reported To: Mail.ru
πΉ Reported By: #samet
πΉ Disclosed: July 28, 2020, 8:34am (UTC)
Possible denial of service when entering a loooong password
π https://hackerone.com/reports/840598
πΉ Severity: Medium | π° 100 USD
πΉ Reported To: Nextcloud
πΉ Reported By: #xcheater
πΉ Disclosed: July 29, 2020, 10:30am (UTC)
π https://hackerone.com/reports/840598
πΉ Severity: Medium | π° 100 USD
πΉ Reported To: Nextcloud
πΉ Reported By: #xcheater
πΉ Disclosed: July 29, 2020, 10:30am (UTC)
Fastify uses allErrors: true ajv configuration by default which is susceptible to DoS
π https://hackerone.com/reports/903521
πΉ Severity: Medium | π° 250 USD
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #chalker
πΉ Disclosed: July 29, 2020, 12:53pm (UTC)
π https://hackerone.com/reports/903521
πΉ Severity: Medium | π° 250 USD
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #chalker
πΉ Disclosed: July 29, 2020, 12:53pm (UTC)
Stealing the ip addres from users
π https://hackerone.com/reports/672499
πΉ Severity: Low
πΉ Reported To: Vanilla
πΉ Reported By: #minoto
πΉ Disclosed: July 29, 2020, 4:13pm (UTC)
π https://hackerone.com/reports/672499
πΉ Severity: Low
πΉ Reported To: Vanilla
πΉ Reported By: #minoto
πΉ Disclosed: July 29, 2020, 4:13pm (UTC)
SQL injection (stacked queries) in the export to Excel functionality on Vidyo Server
π https://hackerone.com/reports/922567
πΉ Severity: High
πΉ Reported To: 8x8
πΉ Reported By: #b1ackgamba
πΉ State: Resolved
πΉ Disclosed: July 29, 2020, 5:07pm (UTC)
π https://hackerone.com/reports/922567
πΉ Severity: High
πΉ Reported To: 8x8
πΉ Reported By: #b1ackgamba
πΉ State: Resolved
πΉ Disclosed: July 29, 2020, 5:07pm (UTC)
Stored XSS in my staff name fired in another your internal panel
π https://hackerone.com/reports/946053
πΉ Severity: High | π° 5,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #cyber__sec
πΉ State: π’ Resolved
πΉ Disclosed: July 29, 2020, 10:06pm (UTC)
π https://hackerone.com/reports/946053
πΉ Severity: High | π° 5,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #cyber__sec
πΉ State: π’ Resolved
πΉ Disclosed: July 29, 2020, 10:06pm (UTC)
Bypass Too Many Requests Sign Up
π https://hackerone.com/reports/947349
πΉ Severity: Medium
πΉ Reported To: Courier
πΉ Reported By: #ni4hadpd
πΉ State: βͺοΈ Informative
πΉ Disclosed: July 30, 2020, 6:52am (UTC)
π https://hackerone.com/reports/947349
πΉ Severity: Medium
πΉ Reported To: Courier
πΉ Reported By: #ni4hadpd
πΉ State: βͺοΈ Informative
πΉ Disclosed: July 30, 2020, 6:52am (UTC)
SMTP Header Injection at http://abonement.ucs.ru
π https://hackerone.com/reports/901956
πΉ Severity: No Rating
πΉ Reported To: Mail.ru
πΉ Reported By: #killinem_sec
πΉ State: π’ Resolved
πΉ Disclosed: July 30, 2020, 9:30am (UTC)
π https://hackerone.com/reports/901956
πΉ Severity: No Rating
πΉ Reported To: Mail.ru
πΉ Reported By: #killinem_sec
πΉ State: π’ Resolved
πΉ Disclosed: July 30, 2020, 9:30am (UTC)
Stored XSS on ββββββββhelpdesk
π https://hackerone.com/reports/901799
πΉ Severity: High
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #atbabers
πΉ State: π’ Resolved
πΉ Disclosed: July 30, 2020, 5:45pm (UTC)
π https://hackerone.com/reports/901799
πΉ Severity: High
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #atbabers
πΉ State: π’ Resolved
πΉ Disclosed: July 30, 2020, 5:45pm (UTC)
HTML Injection leads to XSS onβββ
π https://hackerone.com/reports/874228
πΉ Severity: Medium
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #lemonoftroy
πΉ State: π’ Resolved
πΉ Disclosed: July 30, 2020, 5:46pm (UTC)
π https://hackerone.com/reports/874228
πΉ Severity: Medium
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #lemonoftroy
πΉ State: π’ Resolved
πΉ Disclosed: July 30, 2020, 5:46pm (UTC)
RCE (Remote code execution) in one of DoD's websites
π https://hackerone.com/reports/874924
πΉ Severity: Critical
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #ilyass01
πΉ State: π’ Resolved
πΉ Disclosed: July 30, 2020, 5:47pm (UTC)
π https://hackerone.com/reports/874924
πΉ Severity: Critical
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #ilyass01
πΉ State: π’ Resolved
πΉ Disclosed: July 30, 2020, 5:47pm (UTC)
PulseSSL VPN Site with Compromised Creds @ ββββ
π https://hackerone.com/reports/854049
πΉ Severity: Critical
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #r00tpgp
πΉ State: π’ Resolved
πΉ Disclosed: July 30, 2020, 5:48pm (UTC)
π https://hackerone.com/reports/854049
πΉ Severity: Critical
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #r00tpgp
πΉ State: π’ Resolved
πΉ Disclosed: July 30, 2020, 5:48pm (UTC)
Exposed Docker Registry at https://ββββ
π https://hackerone.com/reports/924487
πΉ Severity: High
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #chron0x
πΉ State: π’ Resolved
πΉ Disclosed: July 30, 2020, 5:51pm (UTC)
π https://hackerone.com/reports/924487
πΉ Severity: High
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #chron0x
πΉ State: π’ Resolved
πΉ Disclosed: July 30, 2020, 5:51pm (UTC)
Reflected XSS on https://βββββββ/
π https://hackerone.com/reports/804364
πΉ Severity: Medium
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #the_unlucky_guy
πΉ State: π’ Resolved
πΉ Disclosed: July 30, 2020, 5:53pm (UTC)
π https://hackerone.com/reports/804364
πΉ Severity: Medium
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #the_unlucky_guy
πΉ State: π’ Resolved
πΉ Disclosed: July 30, 2020, 5:53pm (UTC)