Authenticity token doesnt expire after single use leading to CSRF
https://hackerone.com/reports/919112
Severity: No Rating
Reported To: Omise
Reported By: #justlife_4x4
State: Informative
Disclosed: August 17, 2020, 1:36am (UTC)
RTLO character allowed in shared files
https://hackerone.com/reports/229170
Severity: Medium
Reported To: Nextcloud
Reported By: #inhibitor181
State: Informative
Disclosed: August 17, 2020, 8:34am (UTC)
Linux client is vulnerable to directory traversal when downloading files
https://hackerone.com/reports/590319
Severity: Medium | Bounty: 250 USD
Reported To: Nextcloud
Reported By: #icewater
State: Resolved
Disclosed: August 17, 2020, 12:57pm (UTC)
SSRF In plantuml (on plantuml.pre.gitlab.com)
https://hackerone.com/reports/689245
Severity: Medium | Bounty: 100 USD
Reported To: GitLab
Reported By: #plazmaz
State: Resolved
Disclosed: August 17, 2020, 1:55pm (UTC)
i don't the important and it's impact . the affected asset : https://github.com/solana-labs/solana/blob/master/.buildkite/env/secrets.ejson
https://hackerone.com/reports/961167
Severity: High
Reported To: Solana BBP
Reported By: #hussein_mersal
State: Duplicate
Disclosed: August 18, 2020, 2:44am (UTC)
i don't the important and it's impact . the affected asset: https://github.com/solana-labs/solana/blob/master/.buildkite/env/secrets.ejson
https://hackerone.com/reports/961175
Severity: Medium
Reported To: Solana BBP
Reported By: #hussein_mersal
State: Duplicate
Disclosed: August 18, 2020, 2:47am (UTC)
Sensitive data leaks [username, password, keys]
https://hackerone.com/reports/961170
Severity: Critical
Reported To: Solana BBP
Reported By: #anjpan
State: Informative
Disclosed: August 18, 2020, 3:02am (UTC)
Session not invalidated after password reset
https://hackerone.com/reports/917213
Severity: Medium
Reported To: Gener8
Reported By: #5hu8h4m_n4g4
State: Resolved
Disclosed: August 18, 2020, 8:53am (UTC)
pre-auth Stored XSS in comments via javascript: url when administrator edits user supplied comment
https://hackerone.com/reports/633231
Severity: High | Bounty: 650 USD
Reported To: WordPress
Reported By: #simonscannell
State: Resolved
Disclosed: August 18, 2020, 6:01pm (UTC)
Stored XSS in Post Preview as Contributor
https://hackerone.com/reports/497724
Severity: Medium | Bounty: 650 USD
Reported To: WordPress
Reported By: #simonscannell
State: Resolved
Disclosed: August 18, 2020, 6:02pm (UTC)
Blind Stored XSS Via Staff Name
https://hackerone.com/reports/948929
Severity: High | Bounty: 3,000 USD
Reported To: Shopify
Reported By: #rioncool22
State: Resolved
Disclosed: August 18, 2020, 7:41pm (UTC)
access permission is not revoked even if the email has been deleted or changed on the partner account -partners.shopify-
https://hackerone.com/reports/870001
Severity: Medium | Bounty: 1,000 USD
Reported To: Shopify
Reported By: #jaka_tingkir
State: Resolved
Disclosed: August 18, 2020, 7:44pm (UTC)
OrderListInitial leaks order details
https://hackerone.com/reports/882412
Severity: Medium | Bounty: 1,500 USD
Reported To: Shopify
Reported By: #sreeju_kc
State: Resolved
Disclosed: August 18, 2020, 7:52pm (UTC)
Get analytics token using only apps permission
https://hackerone.com/reports/901775
Severity: Medium | Bounty: 1,000 USD
Reported To: Shopify
Reported By: #jmp_35p
State: Resolved
Disclosed: August 18, 2020, 9:29pm (UTC)
Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation
https://hackerone.com/reports/409973
Severity: No Rating | Bounty: 500 USD
Reported To: Shopify
Reported By: #tolo7010
State: Resolved
Disclosed: August 18, 2020, 10:09pm (UTC)
Korea - Reflected XSS on https://www.istarbucks.co.kr/app/getGiftStock.do via "skuNo" and "skuImgUrl" parameters
https://hackerone.com/reports/768345
Severity: Medium | Bounty: 250 USD
Reported To: Starbucks
Reported By: #rexvuz
State: Resolved
Disclosed: August 18, 2020, 10:38pm (UTC)
Password reset link not expired at Stocky App
https://hackerone.com/reports/898841
Severity: No Rating | Bounty: 500 USD
Reported To: Shopify
Reported By: #ayyoub
State: Resolved
Disclosed: August 18, 2020, 10:53pm (UTC)
I.D.O.R TO EDIT ALL USER'S CREDIT CARD INFORMATION+(Partial credit card info disclosure)
https://hackerone.com/reports/361984
Severity: Medium | Bounty: 500 USD
Reported To: Yelp
Reported By: #hk755a
State: Resolved
Disclosed: August 19, 2020, 12:59am (UTC)
I.D.O.R To Order,Book,Buy,reserve On YELP FOR FREE (UNAUTHORIZED USE OF OTHER USER'S CREDIT CARD)
https://hackerone.com/reports/391092
Severity: Critical | Bounty: 2,500 USD
Reported To: Yelp
Reported By: #hk755a
State: Resolved
Disclosed: August 19, 2020, 1:11am (UTC)
CRITICAL Insecure Direct Object Reference (I.D.O.R) - Link Other User's Credit Card
https://hackerone.com/reports/358143
Severity: High | Bounty: 2,000 USD
Reported To: Yelp
Reported By: #hk755a
State: Resolved
Disclosed: August 19, 2020, 1:26am (UTC)
Buffer overflow In hl.exe's launch -game argument allows an attacker to execute arbitrary code locally or from browser
https://hackerone.com/reports/832750
Severity: High | Bounty: 1,150 USD
Reported To: Valve
Reported By: #irukandjisecresearch
State: Resolved
Disclosed: August 19, 2020, 3:20am (UTC)