Internal API endpoint discloses full account name of email address associated with unconfirmed user
π https://hackerone.com/reports/332381
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:59am (UTC)
π https://hackerone.com/reports/332381
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 10:59am (UTC)
Initial mirror user can be assigned by other user even if the mirror was removed
π https://hackerone.com/reports/819821
πΉ Severity: Medium | π° 3,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #sky003
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 1:52pm (UTC)
π https://hackerone.com/reports/819821
πΉ Severity: Medium | π° 3,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #sky003
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 1:52pm (UTC)
Stealing data from customers.gitlab.com without user interaction
π https://hackerone.com/reports/674195
πΉ Severity: High | π° 3,500 USD
πΉ Reported To: GitLab
πΉ Reported By: #rpadovani
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:02pm (UTC)
π https://hackerone.com/reports/674195
πΉ Severity: High | π° 3,500 USD
πΉ Reported To: GitLab
πΉ Reported By: #rpadovani
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:02pm (UTC)
Privilege escalation from any user (including external) to gitlab admin when admin impersonates you
π https://hackerone.com/reports/493324
πΉ Severity: Critical | π° 10,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #skavans
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:10pm (UTC)
π https://hackerone.com/reports/493324
πΉ Severity: Critical | π° 10,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #skavans
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:10pm (UTC)
An attacker can run pipeline jobs as arbitrary user
π https://hackerone.com/reports/894569
πΉ Severity: Critical | π° 12,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #u3mur4
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:11pm (UTC)
π https://hackerone.com/reports/894569
πΉ Severity: Critical | π° 12,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #u3mur4
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:11pm (UTC)
Stored XSS in "Create Groups"
π https://hackerone.com/reports/647130
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: GitLab
πΉ Reported By: #rioncool22
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:15pm (UTC)
π https://hackerone.com/reports/647130
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: GitLab
πΉ Reported By: #rioncool22
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2020, 2:15pm (UTC)
Graphql: Sorting the reports by jira_status field resulted to different value
π https://hackerone.com/reports/955286
πΉ Severity: Low | π° 500 USD
πΉ Reported To: HackerOne
πΉ Reported By: #0619
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 8:27am (UTC)
π https://hackerone.com/reports/955286
πΉ Severity: Low | π° 500 USD
πΉ Reported To: HackerOne
πΉ Reported By: #0619
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 8:27am (UTC)
Stored XSS in eaccounting.stage.vismaonline.com
π https://hackerone.com/reports/897523
πΉ Severity: Medium | π° 250 USD
πΉ Reported To: Visma Public
πΉ Reported By: #4mat
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 10:26am (UTC)
π https://hackerone.com/reports/897523
πΉ Severity: Medium | π° 250 USD
πΉ Reported To: Visma Public
πΉ Reported By: #4mat
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 10:26am (UTC)
Null dereference in `cmd_denotify_operation_execute`
π https://hackerone.com/reports/965881
πΉ Severity: No Rating | π° 50 USD
πΉ Reported To: Open-Xchange
πΉ Reported By: #catenacyber
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 11:20am (UTC)
π https://hackerone.com/reports/965881
πΉ Severity: No Rating | π° 50 USD
πΉ Reported To: Open-Xchange
πΉ Reported By: #catenacyber
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 11:20am (UTC)
Assert failed in `edit_mail_istream_read`
π https://hackerone.com/reports/965790
πΉ Severity: No Rating | π° 50 USD
πΉ Reported To: Open-Xchange
πΉ Reported By: #catenacyber
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 11:20am (UTC)
π https://hackerone.com/reports/965790
πΉ Severity: No Rating | π° 50 USD
πΉ Reported To: Open-Xchange
πΉ Reported By: #catenacyber
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 11:20am (UTC)
Failed assert in `mail_index_transaction_lookup`
π https://hackerone.com/reports/965782
πΉ Severity: No Rating | π° 50 USD
πΉ Reported To: Open-Xchange
πΉ Reported By: #catenacyber
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 11:20am (UTC)
π https://hackerone.com/reports/965782
πΉ Severity: No Rating | π° 50 USD
πΉ Reported To: Open-Xchange
πΉ Reported By: #catenacyber
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 11:20am (UTC)
[bl] Uninitialized memory exposure via negative .consume()
π https://hackerone.com/reports/966347
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #chalker
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 3:16pm (UTC)
π https://hackerone.com/reports/966347
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #chalker
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 3:16pm (UTC)
notevil - Sandbox Escape Lead to RCE on Node.js and XSS in the Browser
π https://hackerone.com/reports/809012
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #phra
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 4:14pm (UTC)
π https://hackerone.com/reports/809012
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #phra
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 4:14pm (UTC)
The authenticity_token can be reversed and used to forge valid per_form_csrf_tokens for arbitrary routes
π https://hackerone.com/reports/732415
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Ruby on Rails
πΉ Reported By: #jregele
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 4:25pm (UTC)
π https://hackerone.com/reports/732415
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Ruby on Rails
πΉ Reported By: #jregele
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 4:25pm (UTC)
CSV Injection Via Student Password/Name Leads To Client Side RCE And Reading Client Files
π https://hackerone.com/reports/943255
πΉ Severity: Medium
πΉ Reported To: Khan Academy
πΉ Reported By: #demonia
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 6:56pm (UTC)
π https://hackerone.com/reports/943255
πΉ Severity: Medium
πΉ Reported To: Khan Academy
πΉ Reported By: #demonia
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 6:56pm (UTC)
Ability to publish a paid theme without purchasing it.
π https://hackerone.com/reports/927567
πΉ Severity: Low | π° 2,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #saltymermaid
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 7:41pm (UTC)
π https://hackerone.com/reports/927567
πΉ Severity: Low | π° 2,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #saltymermaid
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 7:41pm (UTC)
Ability to publish a paid theme without purchasing it.
π https://hackerone.com/reports/953083
πΉ Severity: Low | π° 2,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #saltymermaid
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 7:42pm (UTC)
π https://hackerone.com/reports/953083
πΉ Severity: Low | π° 2,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #saltymermaid
πΉ State: π’ Resolved
πΉ Disclosed: August 27, 2020, 7:42pm (UTC)
XSS from arbitrary attachment upload.
π https://hackerone.com/reports/831703
πΉ Severity: High
πΉ Reported To: Qulture.Rocks
πΉ Reported By: #wisp
πΉ State: π’ Resolved
πΉ Disclosed: August 28, 2020, 4:53am (UTC)
π https://hackerone.com/reports/831703
πΉ Severity: High
πΉ Reported To: Qulture.Rocks
πΉ Reported By: #wisp
πΉ State: π’ Resolved
πΉ Disclosed: August 28, 2020, 4:53am (UTC)
XSS via unicode characters in upload filename
π https://hackerone.com/reports/179695
πΉ Severity: Medium | π° 600 USD
πΉ Reported To: WordPress
πΉ Reported By: #kahoots
πΉ State: π’ Resolved
πΉ Disclosed: August 28, 2020, 4:43pm (UTC)
π https://hackerone.com/reports/179695
πΉ Severity: Medium | π° 600 USD
πΉ Reported To: WordPress
πΉ Reported By: #kahoots
πΉ State: π’ Resolved
πΉ Disclosed: August 28, 2020, 4:43pm (UTC)
Remote Code Execution in Slack desktop apps + bonus
π https://hackerone.com/reports/783877
πΉ Severity: Critical | π° 1,750 USD
πΉ Reported To: Slack
πΉ Reported By: #oskarsv
πΉ State: π’ Resolved
πΉ Disclosed: August 28, 2020, 6:04pm (UTC)
π https://hackerone.com/reports/783877
πΉ Severity: Critical | π° 1,750 USD
πΉ Reported To: Slack
πΉ Reported By: #oskarsv
πΉ State: π’ Resolved
πΉ Disclosed: August 28, 2020, 6:04pm (UTC)
Private leaderboard owner email disclosure when sending invites
π https://hackerone.com/reports/969988
πΉ Severity: No Rating
πΉ Reported To: WakaTime
πΉ Reported By: #hy76t56f565
πΉ State: π’ Resolved
πΉ Disclosed: August 28, 2020, 11:15pm (UTC)
π https://hackerone.com/reports/969988
πΉ Severity: No Rating
πΉ Reported To: WakaTime
πΉ Reported By: #hy76t56f565
πΉ State: π’ Resolved
πΉ Disclosed: August 28, 2020, 11:15pm (UTC)