Information Disclosure through DEBUG at Subscription [https://app.dropcontact.io/app/subscription?connector=salesforce](CRITICAL)
🔗 https://hackerone.com/reports/963921
🔹 Severity: Critical
🔹 Reported To: Dropcontact
🔹 Reported By: #try___for_impossible
🔹 State: 🟢 Resolved
🔹 Disclosed: August 21, 2020, 7:53am (UTC)
[javascript] CWE-117: CodeQL query to detect Log Injection
🔗 https://hackerone.com/reports/963816
🔹 Severity: Medium | 💰 1,800 USD
🔹 Reported To: GitHub Security Lab
🔹 Reported By: #d3lla
🔹 State: 🟢 Resolved
🔹 Disclosed: August 20, 2020, 9:51pm (UTC)
Django DEBUG mode enabled and leaked system information.
🔗 https://hackerone.com/reports/963542
🔹 Severity: High
🔹 Reported To: Dropcontact
🔹 Reported By: #aungkyawphyo
🔹 State: 🟢 Resolved
🔹 Disclosed: August 21, 2020, 8:12am (UTC)
Prototype Pollution lodash 4.17.15
🔗 https://hackerone.com/reports/864701
🔹 Severity: High | 💰 250 USD
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #awarau
🔹 State: 🟢 Resolved
🔹 Disclosed: August 21, 2020, 10:34am (UTC)
Sensitive Information Disclosure
🔗 https://hackerone.com/reports/963352
🔹 Severity: Critical
🔹 Reported To: Dropcontact
🔹 Reported By: #exploit_db
🔹 State: 🟢 Resolved
🔹 Disclosed: August 21, 2020, 1:19pm (UTC)
Django should not have debug mode enabled
🔗 https://hackerone.com/reports/963809
🔹 Severity: Low
🔹 Reported To: Dropcontact
🔹 Reported By: #higbee
🔹 State: 🟢 Resolved
🔹 Disclosed: August 21, 2020, 2:38pm (UTC)
Django debug enabled showing information about system, database, configuration files.
🔗 https://hackerone.com/reports/963164
🔹 Severity: Low
🔹 Reported To: Dropcontact
🔹 Reported By: #vbdev
🔹 State: 🟢 Resolved
🔹 Disclosed: August 21, 2020, 7:52pm (UTC)
Unauthorized Use of Victim Credit Card
🔗 https://hackerone.com/reports/391385
🔹 Severity: High | 💰 400 USD
🔹 Reported To: Yelp
🔹 Reported By: #hk755a
🔹 State: 🟢 Resolved
🔹 Disclosed: August 21, 2020, 8:20pm (UTC)
ClickJacking on IMPORTANT Functions of Yelp
🔗 https://hackerone.com/reports/305128
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Yelp
🔹 Reported By: #hk755a
🔹 State: 🟢 Resolved
🔹 Disclosed: August 21, 2020, 8:41pm (UTC)
CRITICAL-CLICKJACKING at Yelp Reservations Resulting in exposure of victim Private Data (Email info) + Victim Credit Card MissUse.
🔗 https://hackerone.com/reports/355859
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Yelp
🔹 Reported By: #hk755a
🔹 State: 🟢 Resolved
🔹 Disclosed: August 21, 2020, 8:51pm (UTC)
[extra-asciinema] Command Injection via insecure command formatting
🔗 https://hackerone.com/reports/863956
🔹 Severity: Critical
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #d3lla
🔹 State: 🟢 Resolved
🔹 Disclosed: August 22, 2020, 8:48am (UTC)
[meemo-app] Denial of Service via LDAP Injection
🔗 https://hackerone.com/reports/907311
🔹 Severity: Critical
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #d3lla
🔹 State: 🟢 Resolved
🔹 Disclosed: August 22, 2020, 8:48am (UTC)
[cloudron-surfer] Denial of Service via LDAP Injection
🔗 https://hackerone.com/reports/906959
🔹 Severity: Critical
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #d3lla
🔹 State: 🟢 Resolved
🔹 Disclosed: August 22, 2020, 8:48am (UTC)
Pentester can obtain information about other pentesters who applied for the same test, but weren't accepted
🔗 https://hackerone.com/reports/958374
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #haxta4ok00
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2020, 9:39am (UTC)
User registration using public domain email like gmail in place of professional email.
🔗 https://hackerone.com/reports/963546
🔹 Severity: Medium
🔹 Reported To: Dropcontact
🔹 Reported By: #cyc0rpion
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2020, 10:21am (UTC)
Null dereference in mcht_relational_validate ext-relational-common.c:136
🔗 https://hackerone.com/reports/894446
🔹 Severity: No Rating | 💰 50 USD
🔹 Reported To: Open-Xchange
🔹 Reported By: #catenacyber
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2020, 11:42am (UTC)
No Valid SPF Records
🔗 https://hackerone.com/reports/962909
🔹 Severity: Medium
🔹 Reported To: Dropcontact
🔹 Reported By: #harshita174
🔹 State: 🟤 Duplicate
🔹 Disclosed: August 24, 2020, 2:38pm (UTC)
Stored XSS via "my recent queries" selector in NRQL dashboard builder
🔗 https://hackerone.com/reports/626082
🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: New Relic
🔹 Reported By: #jon_bottarini
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2020, 2:58pm (UTC)
NRQL Query allows restricted user to pull all data from Synthetics monitors without having read permissions enabled
🔗 https://hackerone.com/reports/387290
🔹 Severity: Medium | 💰 750 USD
🔹 Reported To: New Relic
🔹 Reported By: #jon_bottarini
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2020, 3:00pm (UTC)
Restricted user can view all account invoices, payment method details, PII of account owner through zoura_api endpoints
🔗 https://hackerone.com/reports/501672
🔹 Severity: Medium | 💰 900 USD
🔹 Reported To: New Relic
🔹 Reported By: #jon_bottarini
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2020, 3:01pm (UTC)
(Prerelease UI) Stored XSS via role name in JSON chart
🔗 https://hackerone.com/reports/520630
🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: New Relic
🔹 Reported By: #jon_bottarini
🔹 State: 🟢 Resolved
🔹 Disclosed: August 24, 2020, 3:03pm (UTC)