Get analytics token using only apps permission
🔗 https://hackerone.com/reports/901775
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: Shopify
🔹 Reported By: #jmp_35p
🔹 State: 🟢 Resolved
🔹 Disclosed: August 18, 2020, 9:29pm (UTC)
Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation
🔗 https://hackerone.com/reports/409973
🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #tolo7010
🔹 State: 🟢 Resolved
🔹 Disclosed: August 18, 2020, 10:09pm (UTC)
Korea - Reflected XSS on https://www.istarbucks.co.kr/app/getGiftStock.do via "skuNo" and "skuImgUrl" parameters
🔗 https://hackerone.com/reports/768345
🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Starbucks
🔹 Reported By: #rexvuz
🔹 State: 🟢 Resolved
🔹 Disclosed: August 18, 2020, 10:38pm (UTC)
Password reset link not expired at Stocky App
🔗 https://hackerone.com/reports/898841
🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #ayyoub
🔹 State: 🟢 Resolved
🔹 Disclosed: August 18, 2020, 10:53pm (UTC)
I.D.O.R TO EDIT ALL USER'S CREDIT CARD INFORMATION+(Partial credit card info disclosure)
🔗 https://hackerone.com/reports/361984
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Yelp
🔹 Reported By: #hk755a
🔹 State: 🟢 Resolved
🔹 Disclosed: August 19, 2020, 12:59am (UTC)
I.D.O.R To Order,Book,Buy,reserve On YELP FOR FREE (UNAUTHORIZED USE OF OTHER USER'S CREDIT CARD)
🔗 https://hackerone.com/reports/391092
🔹 Severity: Critical | 💰 2,500 USD
🔹 Reported To: Yelp
🔹 Reported By: #hk755a
🔹 State: 🟢 Resolved
🔹 Disclosed: August 19, 2020, 1:11am (UTC)
CRITICAL Insecure Direct Object Reference (I.D.O.R) - Link Other User's Credit Card
🔗 https://hackerone.com/reports/358143
🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: Yelp
🔹 Reported By: #hk755a
🔹 State: 🟢 Resolved
🔹 Disclosed: August 19, 2020, 1:26am (UTC)
Buffer overflow In hl.exe's launch -game argument allows an attacker to execute arbitrary code locally or from browser
🔗 https://hackerone.com/reports/832750
🔹 Severity: High | 💰 1,150 USD
🔹 Reported To: Valve
🔹 Reported By: #irukandjisecresearch
🔹 State: 🟢 Resolved
🔹 Disclosed: August 19, 2020, 3:20am (UTC)
[GoldSrc] RCE via malformed BSP file
🔗 https://hackerone.com/reports/763403
🔹 Severity: High | 💰 450 USD
🔹 Reported To: Valve
🔹 Reported By: #gamer7112
🔹 State: 🟢 Resolved
🔹 Disclosed: August 19, 2020, 3:29am (UTC)
[GoldSrc] RCE via 'spk' Console Command
🔗 https://hackerone.com/reports/769014
🔹 Severity: High | 💰 350 USD
🔹 Reported To: Valve
🔹 Reported By: #gamer7112
🔹 State: 🟢 Resolved
🔹 Disclosed: August 19, 2020, 4:37am (UTC)
Denial of Service when entering an Array in email at settings
🔗 https://hackerone.com/reports/961997
🔹 Severity: Medium
🔹 Reported To: Nextcloud
🔹 Reported By: #ja3far
🔹 State: ⚪️ Informative
🔹 Disclosed: August 19, 2020, 11:02am (UTC)
Missing SPF Records
🔗 https://hackerone.com/reports/652447
🔹 Severity: Medium
🔹 Reported To: Avito
🔹 Reported By: #harshita174
🔹 State: 🟢 Resolved
🔹 Disclosed: August 19, 2020, 1:15pm (UTC)
IDOR at [https://dropcontact.firstpromote] which allows an UNAUTHORIZED user to ACCESS and EDIT Paypal GMAIL by Changing the ID.
🔗 https://hackerone.com/reports/959697
🔹 Severity: High
🔹 Reported To: Dropcontact
🔹 Reported By: #try___for_impossible
🔹 State: 🟢 Resolved
🔹 Disclosed: August 18, 2020, 10:13am (UTC)
Rate Limit too lenient for endpoint sending emails
🔗 https://hackerone.com/reports/658089
🔹 Severity: No Rating
🔹 Reported To: WakaTime
🔹 Reported By: #harshita174
🔹 State: 🟢 Resolved
🔹 Disclosed: August 19, 2020, 3:11pm (UTC)
Ability to generate shipping labels in another store orders
🔗 https://hackerone.com/reports/884159
🔹 Severity: No Rating | 💰 1,000 USD
🔹 Reported To: Shopify
🔹 Reported By: #francisbeaudoin
🔹 State: 🟢 Resolved
🔹 Disclosed: August 19, 2020, 5:58pm (UTC)
[vboxmanage.js] Command Injection via insecure command concatenation
🔗 https://hackerone.com/reports/864777
🔹 Severity: Critical
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #d3lla
🔹 State: 🟢 Resolved
🔹 Disclosed: August 20, 2020, 9:08am (UTC)
[object-path-set] Prototype pollution
🔗 https://hackerone.com/reports/878332
🔹 Severity: High
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #d3lla
🔹 State: 🟢 Resolved
🔹 Disclosed: August 20, 2020, 9:08am (UTC)
[extra-ffmpeg] Command Injection via insecure command formatting
🔗 https://hackerone.com/reports/863944
🔹 Severity: Critical
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #d3lla
🔹 State: 🟢 Resolved
🔹 Disclosed: August 20, 2020, 9:08am (UTC)
[supermixer] Prototype pollution
🔗 https://hackerone.com/reports/959987
🔹 Severity: No Rating
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #0x1337r00t
🔹 State: 🟢 Resolved
🔹 Disclosed: August 20, 2020, 11:10am (UTC)
Insufficient validation on Digits bridge
🔗 https://hackerone.com/reports/168116
🔹 Severity: No Rating | 💰 5,040 USD
🔹 Reported To: Twitter
🔹 Reported By: #filedescriptor
🔹 State: 🟢 Resolved
🔹 Disclosed: August 20, 2020, 11:20am (UTC)
API key is not validated for C.R.M integration [Pipedrive] of LOGGED IN USER, A user can use another USER'S API key for this operation.
🔗 https://hackerone.com/reports/962033
🔹 Severity: Medium
🔹 Reported To: Dropcontact
🔹 Reported By: #try___for_impossible
🔹 State: 🟢 Resolved
🔹 Disclosed: August 20, 2020, 2:16pm (UTC)