Availing Zomato gold by using a random third-party `wallet_id`
π https://hackerone.com/reports/938021
πΉ Severity: Critical | π° 2,000 USD
πΉ Reported To: Zomato
πΉ Reported By: #pandaaaa
πΉ State: π’ Resolved
πΉ Disclosed: August 7, 2020, 7:42pm (UTC)
π https://hackerone.com/reports/938021
πΉ Severity: Critical | π° 2,000 USD
πΉ Reported To: Zomato
πΉ Reported By: #pandaaaa
πΉ State: π’ Resolved
πΉ Disclosed: August 7, 2020, 7:42pm (UTC)
Ability to manipulate price with a max threshold of `<1 Rupee` in support rider parameter
π https://hackerone.com/reports/927661
πΉ Severity: Low | π° 150 USD
πΉ Reported To: Zomato
πΉ Reported By: #0xdexter
πΉ State: π’ Resolved
πΉ Disclosed: August 8, 2020, 7:36am (UTC)
π https://hackerone.com/reports/927661
πΉ Severity: Low | π° 150 USD
πΉ Reported To: Zomato
πΉ Reported By: #0xdexter
πΉ State: π’ Resolved
πΉ Disclosed: August 8, 2020, 7:36am (UTC)
Access control on https://eaccounting.stage.vismaonline.com/
π https://hackerone.com/reports/812143
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Visma Public
πΉ Reported By: #brdoors3
πΉ State: π’ Resolved
πΉ Disclosed: August 9, 2020, 7:57pm (UTC)
π https://hackerone.com/reports/812143
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Visma Public
πΉ Reported By: #brdoors3
πΉ State: π’ Resolved
πΉ Disclosed: August 9, 2020, 7:57pm (UTC)
Solr Injection in `user_id` parameter at :/v2/leaderboard_v2.json
π https://hackerone.com/reports/952501
πΉ Severity: Critical | π° 2,000 USD
πΉ Reported To: Zomato
πΉ Reported By: #zzzhacker13
πΉ State: π’ Resolved
πΉ Disclosed: August 10, 2020, 7:50am (UTC)
π https://hackerone.com/reports/952501
πΉ Severity: Critical | π° 2,000 USD
πΉ Reported To: Zomato
πΉ Reported By: #zzzhacker13
πΉ State: π’ Resolved
πΉ Disclosed: August 10, 2020, 7:50am (UTC)
Unauthenticated users can access all food.grammarly.io user's data
π https://hackerone.com/reports/745495
πΉ Severity: Low | π° 1,000 USD
πΉ Reported To: Grammarly
πΉ Reported By: #cript0nauta
πΉ State: π’ Resolved
πΉ Disclosed: August 10, 2020, 10:10am (UTC)
π https://hackerone.com/reports/745495
πΉ Severity: Low | π° 1,000 USD
πΉ Reported To: Grammarly
πΉ Reported By: #cript0nauta
πΉ State: π’ Resolved
πΉ Disclosed: August 10, 2020, 10:10am (UTC)
[www.zomato.com] Abusing LocalParams (city) to Inject SOLR query
π https://hackerone.com/reports/844428
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Zomato
πΉ Reported By: #zzzhacker13
πΉ State: π’ Resolved
πΉ Disclosed: August 10, 2020, 1:23pm (UTC)
π https://hackerone.com/reports/844428
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Zomato
πΉ Reported By: #zzzhacker13
πΉ State: π’ Resolved
πΉ Disclosed: August 10, 2020, 1:23pm (UTC)
[www.zomato.com] Blind SQL Injection in /php/geto2banner
π https://hackerone.com/reports/838855
πΉ Severity: Critical | π° 2,000 USD
πΉ Reported To: Zomato
πΉ Reported By: #zzzhacker13
πΉ State: π’ Resolved
πΉ Disclosed: August 10, 2020, 1:27pm (UTC)
π https://hackerone.com/reports/838855
πΉ Severity: Critical | π° 2,000 USD
πΉ Reported To: Zomato
πΉ Reported By: #zzzhacker13
πΉ State: π’ Resolved
πΉ Disclosed: August 10, 2020, 1:27pm (UTC)
[www.zomato.com] Blind SQL Injection in /php/widgets_handler.php
π https://hackerone.com/reports/836079
πΉ Severity: Critical | π° 2,000 USD
πΉ Reported To: Zomato
πΉ Reported By: #zzzhacker13
πΉ State: π’ Resolved
πΉ Disclosed: August 10, 2020, 1:38pm (UTC)
π https://hackerone.com/reports/836079
πΉ Severity: Critical | π° 2,000 USD
πΉ Reported To: Zomato
πΉ Reported By: #zzzhacker13
πΉ State: π’ Resolved
πΉ Disclosed: August 10, 2020, 1:38pm (UTC)
[api.zomato.com] Abusing LocalParams (city_id) to Inject SOLR query
π https://hackerone.com/reports/953203
πΉ Severity: Low | π° 150 USD
πΉ Reported To: Zomato
πΉ Reported By: #zzzhacker13
πΉ State: π’ Resolved
πΉ Disclosed: August 11, 2020, 8:34am (UTC)
π https://hackerone.com/reports/953203
πΉ Severity: Low | π° 150 USD
πΉ Reported To: Zomato
πΉ Reported By: #zzzhacker13
πΉ State: π’ Resolved
πΉ Disclosed: August 11, 2020, 8:34am (UTC)
Missing authorization allows sales only user to record payment.
π https://hackerone.com/reports/919008
πΉ Severity: Medium | π° 250 USD
πΉ Reported To: Visma Public
πΉ Reported By: #vapour
πΉ State: π’ Resolved
πΉ Disclosed: August 11, 2020, 9:46am (UTC)
π https://hackerone.com/reports/919008
πΉ Severity: Medium | π° 250 USD
πΉ Reported To: Visma Public
πΉ Reported By: #vapour
πΉ State: π’ Resolved
πΉ Disclosed: August 11, 2020, 9:46am (UTC)
Lack of Password Confirmation for Account Deletion
π https://hackerone.com/reports/950471
πΉ Severity: No Rating
πΉ Reported To: Zomato
πΉ Reported By: #cybrot
πΉ State: π΄ N/A
πΉ Disclosed: August 11, 2020, 12:22pm (UTC)
π https://hackerone.com/reports/950471
πΉ Severity: No Rating
πΉ Reported To: Zomato
πΉ Reported By: #cybrot
πΉ State: π΄ N/A
πΉ Disclosed: August 11, 2020, 12:22pm (UTC)
Golang : Improvements to Golang SSRF query
π https://hackerone.com/reports/956296
πΉ Severity: Medium | π° 1,800 USD
πΉ Reported To: GitHub Security Lab
πΉ Reported By: #porcupineyhairs
πΉ State: π’ Resolved
πΉ Disclosed: August 11, 2020, 6:20pm (UTC)
π https://hackerone.com/reports/956296
πΉ Severity: Medium | π° 1,800 USD
πΉ Reported To: GitHub Security Lab
πΉ Reported By: #porcupineyhairs
πΉ State: π’ Resolved
πΉ Disclosed: August 11, 2020, 6:20pm (UTC)
LDAP injection vulnerability in Java
π https://hackerone.com/reports/956295
πΉ Severity: Critical | π° 2,500 USD
πΉ Reported To: GitHub Security Lab
πΉ Reported By: #grzegol
πΉ State: π’ Resolved
πΉ Disclosed: August 11, 2020, 6:20pm (UTC)
π https://hackerone.com/reports/956295
πΉ Severity: Critical | π° 2,500 USD
πΉ Reported To: GitHub Security Lab
πΉ Reported By: #grzegol
πΉ State: π’ Resolved
πΉ Disclosed: August 11, 2020, 6:20pm (UTC)
Improper access control allows sales only user to view bank balance of company accounts.
π https://hackerone.com/reports/906328
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Visma Public
πΉ Reported By: #vapour
πΉ State: π’ Resolved
πΉ Disclosed: August 12, 2020, 8:44am (UTC)
π https://hackerone.com/reports/906328
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Visma Public
πΉ Reported By: #vapour
πΉ State: π’ Resolved
πΉ Disclosed: August 12, 2020, 8:44am (UTC)
A sales only user can edit the purchase invoice drafts.
π https://hackerone.com/reports/918938
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Visma Public
πΉ Reported By: #vapour
πΉ State: π’ Resolved
πΉ Disclosed: August 12, 2020, 8:44am (UTC)
π https://hackerone.com/reports/918938
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Visma Public
πΉ Reported By: #vapour
πΉ State: π’ Resolved
πΉ Disclosed: August 12, 2020, 8:44am (UTC)
information disclosure via IDOR on "https://target.my.com/api/v2/coverage/segment.json?id={id}" endpoint
π https://hackerone.com/reports/763258
πΉ Severity: No Rating
πΉ Reported To: Mail.ru
πΉ Reported By: #shuraros
πΉ State: π’ Resolved
πΉ Disclosed: August 12, 2020, 9:53am (UTC)
π https://hackerone.com/reports/763258
πΉ Severity: No Rating
πΉ Reported To: Mail.ru
πΉ Reported By: #shuraros
πΉ State: π’ Resolved
πΉ Disclosed: August 12, 2020, 9:53am (UTC)
tracker.my.com information disclosure via csrf bypass
π https://hackerone.com/reports/748538
πΉ Severity: Low
πΉ Reported To: Mail.ru
πΉ Reported By: #shuraros
πΉ State: π’ Resolved
πΉ Disclosed: August 12, 2020, 9:56am (UTC)
π https://hackerone.com/reports/748538
πΉ Severity: Low
πΉ Reported To: Mail.ru
πΉ Reported By: #shuraros
πΉ State: π’ Resolved
πΉ Disclosed: August 12, 2020, 9:56am (UTC)
[c-api.city-mobil.ru] IDOR chat messages between driver and customer
π https://hackerone.com/reports/850637
πΉ Severity: No Rating | π° 150 USD
πΉ Reported To: Mail.ru
πΉ Reported By: #anyday
πΉ State: π’ Resolved
πΉ Disclosed: August 12, 2020, 10:43am (UTC)
π https://hackerone.com/reports/850637
πΉ Severity: No Rating | π° 150 USD
πΉ Reported To: Mail.ru
πΉ Reported By: #anyday
πΉ State: π’ Resolved
πΉ Disclosed: August 12, 2020, 10:43am (UTC)
Vertical Privilege Escalation on {target.my.com}
π https://hackerone.com/reports/854973
πΉ Severity: Medium
πΉ Reported To: Mail.ru
πΉ Reported By: #dedsec69
πΉ State: π’ Resolved
πΉ Disclosed: August 12, 2020, 2:44pm (UTC)
π https://hackerone.com/reports/854973
πΉ Severity: Medium
πΉ Reported To: Mail.ru
πΉ Reported By: #dedsec69
πΉ State: π’ Resolved
πΉ Disclosed: August 12, 2020, 2:44pm (UTC)
Subdomain takeover at msproject.geekbrains.ru
π https://hackerone.com/reports/922506
πΉ Severity: Medium
πΉ Reported To: Mail.ru
πΉ Reported By: #steal_wart
πΉ State: π’ Resolved
πΉ Disclosed: August 12, 2020, 2:46pm (UTC)
π https://hackerone.com/reports/922506
πΉ Severity: Medium
πΉ Reported To: Mail.ru
πΉ Reported By: #steal_wart
πΉ State: π’ Resolved
πΉ Disclosed: August 12, 2020, 2:46pm (UTC)
Bypass OTP on contact back request at https://driver.city-mobil.ru/
π https://hackerone.com/reports/926228
πΉ Severity: No Rating
πΉ Reported To: Mail.ru
πΉ Reported By: #nitin1205
πΉ State: π’ Resolved
πΉ Disclosed: August 12, 2020, 2:48pm (UTC)
π https://hackerone.com/reports/926228
πΉ Severity: No Rating
πΉ Reported To: Mail.ru
πΉ Reported By: #nitin1205
πΉ State: π’ Resolved
πΉ Disclosed: August 12, 2020, 2:48pm (UTC)