Ability to see password protected content by bypassing the password page of shopify preview URL for new development stores (as of August 17, 2020)
π https://hackerone.com/reports/961929
πΉ Severity: No Rating | π° 1,500 USD
πΉ Reported To: Shopify
πΉ Reported By: #saltymermaid
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 3:55pm (UTC)
π https://hackerone.com/reports/961929
πΉ Severity: No Rating | π° 1,500 USD
πΉ Reported To: Shopify
πΉ Reported By: #saltymermaid
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 3:55pm (UTC)
Stored XSS on Broken Themes via filename
π https://hackerone.com/reports/406289
πΉ Severity: Low | π° 300 USD
πΉ Reported To: WordPress
πΉ Reported By: #apapedulimu
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 3:56pm (UTC)
π https://hackerone.com/reports/406289
πΉ Severity: Low | π° 300 USD
πΉ Reported To: WordPress
πΉ Reported By: #apapedulimu
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 3:56pm (UTC)
Self XSS in Timeline
π https://hackerone.com/reports/854299
πΉ Severity: No Rating | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #ryat
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 5:04pm (UTC)
π https://hackerone.com/reports/854299
πΉ Severity: No Rating | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #ryat
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 5:04pm (UTC)
Script Editor preview token still working with uninstalled application, even for unpublished script
π https://hackerone.com/reports/915940
πΉ Severity: No Rating | π° 2,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #francisbeaudoin
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 9:34pm (UTC)
π https://hackerone.com/reports/915940
πΉ Severity: No Rating | π° 2,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #francisbeaudoin
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 9:34pm (UTC)
[json-bigint] DoS via `__proto__` assignment
π https://hackerone.com/reports/916430
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #chalker
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 10:40pm (UTC)
π https://hackerone.com/reports/916430
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #chalker
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 10:40pm (UTC)
[min-http-server] List any file in the folder by using path traversal.
π https://hackerone.com/reports/569891
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #toannc123
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:20am (UTC)
π https://hackerone.com/reports/569891
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #toannc123
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:20am (UTC)
Information disclosure to "Permission as auditor" user
π https://hackerone.com/reports/959897
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Visma Public
πΉ Reported By: #risinghunter
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 5:09am (UTC)
π https://hackerone.com/reports/959897
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Visma Public
πΉ Reported By: #risinghunter
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 5:09am (UTC)
[New Relic Infrastructure] Restricted User can still integrate with AWS via forced browsing (plus, a few other bugs)
π https://hackerone.com/reports/255685
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:51am (UTC)
π https://hackerone.com/reports/255685
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:51am (UTC)
[NR Synthetics] Restricted user can view synthetics monitors and user permissions through .json endpoint at /permissions/securablemetadata/{GROUP ID}
π https://hackerone.com/reports/320689
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:54am (UTC)
π https://hackerone.com/reports/320689
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:54am (UTC)
Adding a new user discloses their full name in the "Users" section of NR Alerts notification channels page
π https://hackerone.com/reports/344309
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:57am (UTC)
π https://hackerone.com/reports/344309
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:57am (UTC)
Internal API endpoint discloses full account name of email address associated with unconfirmed user
π https://hackerone.com/reports/332381
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:59am (UTC)
π https://hackerone.com/reports/332381
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:59am (UTC)
Initial mirror user can be assigned by other user even if the mirror was removed
π https://hackerone.com/reports/819821
πΉ Severity: Medium | π° 3,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #sky003
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 1:52pm (UTC)
π https://hackerone.com/reports/819821
πΉ Severity: Medium | π° 3,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #sky003
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 1:52pm (UTC)
Stealing data from customers.gitlab.com without user interaction
π https://hackerone.com/reports/674195
πΉ Severity: High | π° 3,500 USD
πΉ Reported To: GitLab
πΉ Reported By: #rpadovani
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:02pm (UTC)
π https://hackerone.com/reports/674195
πΉ Severity: High | π° 3,500 USD
πΉ Reported To: GitLab
πΉ Reported By: #rpadovani
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:02pm (UTC)
Privilege escalation from any user (including external) to gitlab admin when admin impersonates you
π https://hackerone.com/reports/493324
πΉ Severity: Critical | π° 10,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #skavans
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:10pm (UTC)
π https://hackerone.com/reports/493324
πΉ Severity: Critical | π° 10,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #skavans
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:10pm (UTC)
An attacker can run pipeline jobs as arbitrary user
π https://hackerone.com/reports/894569
πΉ Severity: Critical | π° 12,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #u3mur4
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:11pm (UTC)
π https://hackerone.com/reports/894569
πΉ Severity: Critical | π° 12,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #u3mur4
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:11pm (UTC)
Stored XSS in "Create Groups"
π https://hackerone.com/reports/647130
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: GitLab
πΉ Reported By: #rioncool22
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:15pm (UTC)
π https://hackerone.com/reports/647130
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: GitLab
πΉ Reported By: #rioncool22
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:15pm (UTC)
Graphql: Sorting the reports by jira_status field resulted to different value
π https://hackerone.com/reports/955286
πΉ Severity: Low | π° 500 USD
πΉ Reported To: HackerOne
πΉ Reported By: #0619
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 8:27am (UTC)
π https://hackerone.com/reports/955286
πΉ Severity: Low | π° 500 USD
πΉ Reported To: HackerOne
πΉ Reported By: #0619
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 8:27am (UTC)
Stored XSS in eaccounting.stage.vismaonline.com
π https://hackerone.com/reports/897523
πΉ Severity: Medium | π° 250 USD
πΉ Reported To: Visma Public
πΉ Reported By: #4mat
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 10:26am (UTC)
π https://hackerone.com/reports/897523
πΉ Severity: Medium | π° 250 USD
πΉ Reported To: Visma Public
πΉ Reported By: #4mat
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 10:26am (UTC)
Null dereference in `cmd_denotify_operation_execute`
π https://hackerone.com/reports/965881
πΉ Severity: No Rating | π° 50 USD
πΉ Reported To: Open-Xchange
πΉ Reported By: #catenacyber
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 11:20am (UTC)
π https://hackerone.com/reports/965881
πΉ Severity: No Rating | π° 50 USD
πΉ Reported To: Open-Xchange
πΉ Reported By: #catenacyber
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 11:20am (UTC)
Assert failed in `edit_mail_istream_read`
π https://hackerone.com/reports/965790
πΉ Severity: No Rating | π° 50 USD
πΉ Reported To: Open-Xchange
πΉ Reported By: #catenacyber
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 11:20am (UTC)
π https://hackerone.com/reports/965790
πΉ Severity: No Rating | π° 50 USD
πΉ Reported To: Open-Xchange
πΉ Reported By: #catenacyber
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 11:20am (UTC)
Failed assert in `mail_index_transaction_lookup`
π https://hackerone.com/reports/965782
πΉ Severity: No Rating | π° 50 USD
πΉ Reported To: Open-Xchange
πΉ Reported By: #catenacyber
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 11:20am (UTC)
π https://hackerone.com/reports/965782
πΉ Severity: No Rating | π° 50 USD
πΉ Reported To: Open-Xchange
πΉ Reported By: #catenacyber
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 11:20am (UTC)