Spring Actuator endpoints publicly available, leading to account takeover
π https://hackerone.com/reports/862589
πΉ Severity: Critical | π° 5,000 USD
πΉ Reported To: LINE
πΉ Reported By: #kazan71p
πΉ State: π’ Resolved
πΉ Disclosed: August 4, 2020, 2:52am (UTC)
π https://hackerone.com/reports/862589
πΉ Severity: Critical | π° 5,000 USD
πΉ Reported To: LINE
πΉ Reported By: #kazan71p
πΉ State: π’ Resolved
πΉ Disclosed: August 4, 2020, 2:52am (UTC)
Stored XSS in blob viewer
π https://hackerone.com/reports/806571
πΉ Severity: Medium | π° 2,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #yvvdwf
πΉ State: π’ Resolved
πΉ Disclosed: August 4, 2020, 9:46am (UTC)
π https://hackerone.com/reports/806571
πΉ Severity: Medium | π° 2,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #yvvdwf
πΉ State: π’ Resolved
πΉ Disclosed: August 4, 2020, 9:46am (UTC)
Time-base SQL Injection in Search Users
π https://hackerone.com/reports/876800
πΉ Severity: Medium
πΉ Reported To: concrete5
πΉ Reported By: #thiennv
πΉ State: π’ Resolved
πΉ Disclosed: August 5, 2020, 1:08am (UTC)
π https://hackerone.com/reports/876800
πΉ Severity: Medium
πΉ Reported To: concrete5
πΉ Reported By: #thiennv
πΉ State: π’ Resolved
πΉ Disclosed: August 5, 2020, 1:08am (UTC)
XSS in image metadata field
π https://hackerone.com/reports/896511
πΉ Severity: Medium
πΉ Reported To: Nextcloud
πΉ Reported By: #yzy9951
πΉ State: π’ Resolved
πΉ Disclosed: August 5, 2020, 7:04am (UTC)
π https://hackerone.com/reports/896511
πΉ Severity: Medium
πΉ Reported To: Nextcloud
πΉ Reported By: #yzy9951
πΉ State: π’ Resolved
πΉ Disclosed: August 5, 2020, 7:04am (UTC)
Arbitrary code execution in desktop client via OpenSSL config
π https://hackerone.com/reports/622170
πΉ Severity: Medium
πΉ Reported To: Nextcloud
πΉ Reported By: #l00ph0le
πΉ State: π’ Resolved
πΉ Disclosed: August 5, 2020, 8:50am (UTC)
π https://hackerone.com/reports/622170
πΉ Severity: Medium
πΉ Reported To: Nextcloud
πΉ Reported By: #l00ph0le
πΉ State: π’ Resolved
πΉ Disclosed: August 5, 2020, 8:50am (UTC)
S3 bucket data at http://rockset-support.s3-us-west-2.amazonaws.com/ reveals user addresses based on latitudes and longitudes.
π https://hackerone.com/reports/947725
πΉ Severity: High
πΉ Reported To: Rockset
πΉ Reported By: #thatquasar
πΉ State: π’ Resolved
πΉ Disclosed: August 5, 2020, 2:38pm (UTC)
π https://hackerone.com/reports/947725
πΉ Severity: High
πΉ Reported To: Rockset
πΉ Reported By: #thatquasar
πΉ State: π’ Resolved
πΉ Disclosed: August 5, 2020, 2:38pm (UTC)
Send Phishing/Spam email from support@sameroom.io to any email address.
π https://hackerone.com/reports/840688
πΉ Severity: High
πΉ Reported To: 8x8
πΉ Reported By: #wisp
πΉ State: π’ Resolved
πΉ Disclosed: August 5, 2020, 10:34pm (UTC)
π https://hackerone.com/reports/840688
πΉ Severity: High
πΉ Reported To: 8x8
πΉ Reported By: #wisp
πΉ State: π’ Resolved
πΉ Disclosed: August 5, 2020, 10:34pm (UTC)
Spring Actuator endpoints publicly available and broken authentication
π https://hackerone.com/reports/838635
πΉ Severity: Critical | π° 12,500 USD
πΉ Reported To: LINE
πΉ Reported By: #kazan71p
πΉ State: π’ Resolved
πΉ Disclosed: August 6, 2020, 5:13am (UTC)
π https://hackerone.com/reports/838635
πΉ Severity: Critical | π° 12,500 USD
πΉ Reported To: LINE
πΉ Reported By: #kazan71p
πΉ State: π’ Resolved
πΉ Disclosed: August 6, 2020, 5:13am (UTC)
Memory Leak in OCUtil.dll library in Desktop client can lead to DoS
π https://hackerone.com/reports/588562
πΉ Severity: Medium
πΉ Reported To: Nextcloud
πΉ Reported By: #cwave
πΉ State: π’ Resolved
πΉ Disclosed: August 6, 2020, 1:56pm (UTC)
π https://hackerone.com/reports/588562
πΉ Severity: Medium
πΉ Reported To: Nextcloud
πΉ Reported By: #cwave
πΉ State: π’ Resolved
πΉ Disclosed: August 6, 2020, 1:56pm (UTC)
[wappalyzer] ReDoS allows an attacker to completely break Wappalyzer
π https://hackerone.com/reports/888030
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #vrechson
πΉ State: π’ Resolved
πΉ Disclosed: August 6, 2020, 10:56pm (UTC)
π https://hackerone.com/reports/888030
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #vrechson
πΉ State: π’ Resolved
πΉ Disclosed: August 6, 2020, 10:56pm (UTC)
Lack of Input sanitization leads to database Character encoding configuration Disclosure
π https://hackerone.com/reports/866271
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Unikrn
πΉ Reported By: #l_user
πΉ State: π’ Resolved
πΉ Disclosed: August 7, 2020, 8:48am (UTC)
π https://hackerone.com/reports/866271
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Unikrn
πΉ Reported By: #l_user
πΉ State: π’ Resolved
πΉ Disclosed: August 7, 2020, 8:48am (UTC)
Full Read SSRF on Gitlab's Internal Grafana
π https://hackerone.com/reports/878779
πΉ Severity: Critical | π° 12,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #rhynorater
πΉ State: π’ Resolved
πΉ Disclosed: August 7, 2020, 1:48pm (UTC)
π https://hackerone.com/reports/878779
πΉ Severity: Critical | π° 12,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #rhynorater
πΉ State: π’ Resolved
πΉ Disclosed: August 7, 2020, 1:48pm (UTC)
Server-Side Request Forgery in "icons.bitwarden.net"
π https://hackerone.com/reports/913276
πΉ Severity: Medium
πΉ Reported To: Bitwarden
πΉ Reported By: #njgadhiya
πΉ State: π’ Resolved
πΉ Disclosed: August 7, 2020, 2:39pm (UTC)
π https://hackerone.com/reports/913276
πΉ Severity: Medium
πΉ Reported To: Bitwarden
πΉ Reported By: #njgadhiya
πΉ State: π’ Resolved
πΉ Disclosed: August 7, 2020, 2:39pm (UTC)
Blind stored XSS due to insecure contact form at https://www.topcoder.com leads to leakage of session token and other PII
π https://hackerone.com/reports/878145
πΉ Severity: High
πΉ Reported To: Topcoder
πΉ Reported By: #mase289
πΉ State: π’ Resolved
πΉ Disclosed: August 7, 2020, 5:17pm (UTC)
π https://hackerone.com/reports/878145
πΉ Severity: High
πΉ Reported To: Topcoder
πΉ Reported By: #mase289
πΉ State: π’ Resolved
πΉ Disclosed: August 7, 2020, 5:17pm (UTC)
Improper use of "path" parameter can be used to trick testers into leaking their Front-End PoC
π https://hackerone.com/reports/926221
πΉ Severity: Medium | π° 1,000 USD
πΉ Reported To: BugPoC
πΉ Reported By: #acut3
πΉ State: π’ Resolved
πΉ Disclosed: August 7, 2020, 7:12pm (UTC)
π https://hackerone.com/reports/926221
πΉ Severity: Medium | π° 1,000 USD
πΉ Reported To: BugPoC
πΉ Reported By: #acut3
πΉ State: π’ Resolved
πΉ Disclosed: August 7, 2020, 7:12pm (UTC)
Availing Zomato gold by using a random third-party `wallet_id`
π https://hackerone.com/reports/938021
πΉ Severity: Critical | π° 2,000 USD
πΉ Reported To: Zomato
πΉ Reported By: #pandaaaa
πΉ State: π’ Resolved
πΉ Disclosed: August 7, 2020, 7:42pm (UTC)
π https://hackerone.com/reports/938021
πΉ Severity: Critical | π° 2,000 USD
πΉ Reported To: Zomato
πΉ Reported By: #pandaaaa
πΉ State: π’ Resolved
πΉ Disclosed: August 7, 2020, 7:42pm (UTC)
Ability to manipulate price with a max threshold of `<1 Rupee` in support rider parameter
π https://hackerone.com/reports/927661
πΉ Severity: Low | π° 150 USD
πΉ Reported To: Zomato
πΉ Reported By: #0xdexter
πΉ State: π’ Resolved
πΉ Disclosed: August 8, 2020, 7:36am (UTC)
π https://hackerone.com/reports/927661
πΉ Severity: Low | π° 150 USD
πΉ Reported To: Zomato
πΉ Reported By: #0xdexter
πΉ State: π’ Resolved
πΉ Disclosed: August 8, 2020, 7:36am (UTC)
Access control on https://eaccounting.stage.vismaonline.com/
π https://hackerone.com/reports/812143
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Visma Public
πΉ Reported By: #brdoors3
πΉ State: π’ Resolved
πΉ Disclosed: August 9, 2020, 7:57pm (UTC)
π https://hackerone.com/reports/812143
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Visma Public
πΉ Reported By: #brdoors3
πΉ State: π’ Resolved
πΉ Disclosed: August 9, 2020, 7:57pm (UTC)
Solr Injection in `user_id` parameter at :/v2/leaderboard_v2.json
π https://hackerone.com/reports/952501
πΉ Severity: Critical | π° 2,000 USD
πΉ Reported To: Zomato
πΉ Reported By: #zzzhacker13
πΉ State: π’ Resolved
πΉ Disclosed: August 10, 2020, 7:50am (UTC)
π https://hackerone.com/reports/952501
πΉ Severity: Critical | π° 2,000 USD
πΉ Reported To: Zomato
πΉ Reported By: #zzzhacker13
πΉ State: π’ Resolved
πΉ Disclosed: August 10, 2020, 7:50am (UTC)
Unauthenticated users can access all food.grammarly.io user's data
π https://hackerone.com/reports/745495
πΉ Severity: Low | π° 1,000 USD
πΉ Reported To: Grammarly
πΉ Reported By: #cript0nauta
πΉ State: π’ Resolved
πΉ Disclosed: August 10, 2020, 10:10am (UTC)
π https://hackerone.com/reports/745495
πΉ Severity: Low | π° 1,000 USD
πΉ Reported To: Grammarly
πΉ Reported By: #cript0nauta
πΉ State: π’ Resolved
πΉ Disclosed: August 10, 2020, 10:10am (UTC)
[www.zomato.com] Abusing LocalParams (city) to Inject SOLR query
π https://hackerone.com/reports/844428
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Zomato
πΉ Reported By: #zzzhacker13
πΉ State: π’ Resolved
πΉ Disclosed: August 10, 2020, 1:23pm (UTC)
π https://hackerone.com/reports/844428
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Zomato
πΉ Reported By: #zzzhacker13
πΉ State: π’ Resolved
πΉ Disclosed: August 10, 2020, 1:23pm (UTC)