*.shopify.com - Authentication bypass
π https://hackerone.com/reports/838231
πΉ Severity: No Rating
πΉ Reported To: Shopify
πΉ Reported By: #nooblife
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 4:18pm (UTC)
π https://hackerone.com/reports/838231
πΉ Severity: No Rating
πΉ Reported To: Shopify
πΉ Reported By: #nooblife
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 4:18pm (UTC)
STAFF "No-Permissions" on the Store can retrieve the details Order via exchangeReceiptSend
π https://hackerone.com/reports/917875
πΉ Severity: Medium | π° 1,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #langduvnsec
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 4:41pm (UTC)
π https://hackerone.com/reports/917875
πΉ Severity: Medium | π° 1,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #langduvnsec
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 4:41pm (UTC)
[com.smule.autorap.*] Cloud Messaging/Push Notification service takeover due to clear-text usage of Legacy FCM Server keys in the client app
π https://hackerone.com/reports/789370
πΉ Severity: Critical
πΉ Reported To: Smule
πΉ Reported By: #absshax
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 7:27pm (UTC)
π https://hackerone.com/reports/789370
πΉ Severity: Critical
πΉ Reported To: Smule
πΉ Reported By: #absshax
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 7:27pm (UTC)
Stocky App Administrator can create a backdoor admin account by using an existing POS User
π https://hackerone.com/reports/962895
πΉ Severity: No Rating | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #francisbeaudoin
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 9:58pm (UTC)
π https://hackerone.com/reports/962895
πΉ Severity: No Rating | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #francisbeaudoin
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 9:58pm (UTC)
[windows-edge] RCE via insecure command formatting
π https://hackerone.com/reports/878420
πΉ Severity: Critical
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #mik317
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 10:04pm (UTC)
π https://hackerone.com/reports/878420
πΉ Severity: Critical
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #mik317
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 10:04pm (UTC)
Path Traversal in App Proxy
π https://hackerone.com/reports/869888
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #ngalog
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 10:27pm (UTC)
π https://hackerone.com/reports/869888
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #ngalog
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 10:27pm (UTC)
Prototype pollution attack (lodash)
π https://hackerone.com/reports/841380
πΉ Severity: Medium
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #macasun
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 9:26am (UTC)
π https://hackerone.com/reports/841380
πΉ Severity: Medium
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #macasun
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 9:26am (UTC)
Recently added 'Country' field doesn't send email notification when changed
π https://hackerone.com/reports/961841
πΉ Severity: Low | π° 500 USD
πΉ Reported To: HackerOne
πΉ Reported By: #bugra
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 10:57am (UTC)
π https://hackerone.com/reports/961841
πΉ Severity: Low | π° 500 USD
πΉ Reported To: HackerOne
πΉ Reported By: #bugra
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 10:57am (UTC)
Ability to see password protected content by bypassing the password page of shopify preview URL for new development stores (as of August 17, 2020)
π https://hackerone.com/reports/961929
πΉ Severity: No Rating | π° 1,500 USD
πΉ Reported To: Shopify
πΉ Reported By: #saltymermaid
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 3:55pm (UTC)
π https://hackerone.com/reports/961929
πΉ Severity: No Rating | π° 1,500 USD
πΉ Reported To: Shopify
πΉ Reported By: #saltymermaid
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 3:55pm (UTC)
Stored XSS on Broken Themes via filename
π https://hackerone.com/reports/406289
πΉ Severity: Low | π° 300 USD
πΉ Reported To: WordPress
πΉ Reported By: #apapedulimu
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 3:56pm (UTC)
π https://hackerone.com/reports/406289
πΉ Severity: Low | π° 300 USD
πΉ Reported To: WordPress
πΉ Reported By: #apapedulimu
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 3:56pm (UTC)
Self XSS in Timeline
π https://hackerone.com/reports/854299
πΉ Severity: No Rating | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #ryat
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 5:04pm (UTC)
π https://hackerone.com/reports/854299
πΉ Severity: No Rating | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #ryat
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 5:04pm (UTC)
Script Editor preview token still working with uninstalled application, even for unpublished script
π https://hackerone.com/reports/915940
πΉ Severity: No Rating | π° 2,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #francisbeaudoin
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 9:34pm (UTC)
π https://hackerone.com/reports/915940
πΉ Severity: No Rating | π° 2,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #francisbeaudoin
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 9:34pm (UTC)
[json-bigint] DoS via `__proto__` assignment
π https://hackerone.com/reports/916430
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #chalker
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 10:40pm (UTC)
π https://hackerone.com/reports/916430
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #chalker
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 10:40pm (UTC)
[min-http-server] List any file in the folder by using path traversal.
π https://hackerone.com/reports/569891
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #toannc123
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:20am (UTC)
π https://hackerone.com/reports/569891
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #toannc123
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:20am (UTC)
Information disclosure to "Permission as auditor" user
π https://hackerone.com/reports/959897
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Visma Public
πΉ Reported By: #risinghunter
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 5:09am (UTC)
π https://hackerone.com/reports/959897
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Visma Public
πΉ Reported By: #risinghunter
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 5:09am (UTC)
[New Relic Infrastructure] Restricted User can still integrate with AWS via forced browsing (plus, a few other bugs)
π https://hackerone.com/reports/255685
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:51am (UTC)
π https://hackerone.com/reports/255685
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:51am (UTC)
[NR Synthetics] Restricted user can view synthetics monitors and user permissions through .json endpoint at /permissions/securablemetadata/{GROUP ID}
π https://hackerone.com/reports/320689
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:54am (UTC)
π https://hackerone.com/reports/320689
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:54am (UTC)
Adding a new user discloses their full name in the "Users" section of NR Alerts notification channels page
π https://hackerone.com/reports/344309
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:57am (UTC)
π https://hackerone.com/reports/344309
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:57am (UTC)
Internal API endpoint discloses full account name of email address associated with unconfirmed user
π https://hackerone.com/reports/332381
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:59am (UTC)
π https://hackerone.com/reports/332381
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:59am (UTC)
Initial mirror user can be assigned by other user even if the mirror was removed
π https://hackerone.com/reports/819821
πΉ Severity: Medium | π° 3,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #sky003
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 1:52pm (UTC)
π https://hackerone.com/reports/819821
πΉ Severity: Medium | π° 3,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #sky003
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 1:52pm (UTC)
Stealing data from customers.gitlab.com without user interaction
π https://hackerone.com/reports/674195
πΉ Severity: High | π° 3,500 USD
πΉ Reported To: GitLab
πΉ Reported By: #rpadovani
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:02pm (UTC)
π https://hackerone.com/reports/674195
πΉ Severity: High | π° 3,500 USD
πΉ Reported To: GitLab
πΉ Reported By: #rpadovani
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:02pm (UTC)