An attacker can run pipeline jobs as arbitrary user
🔗 https://hackerone.com/reports/894569
🔹 Severity: Critical | 💰 12,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #u3mur4
🔹 State: 🟢 Resolved
🔹 Disclosed: August 26, 2020, 2:11pm (UTC)
Stored XSS in "Create Groups"
🔗 https://hackerone.com/reports/647130
🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: GitLab
🔹 Reported By: #rioncool22
🔹 State: 🟢 Resolved
🔹 Disclosed: August 26, 2020, 2:15pm (UTC)
Graphql: Sorting the reports by jira_status field resulted to different value
🔗 https://hackerone.com/reports/955286
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #0619
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 8:27am (UTC)
Stored XSS in eaccounting.stage.vismaonline.com
🔗 https://hackerone.com/reports/897523
🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Visma Public
🔹 Reported By: #4mat
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 10:26am (UTC)
Null dereference in `cmd_denotify_operation_execute`
🔗 https://hackerone.com/reports/965881
🔹 Severity: No Rating | 💰 50 USD
🔹 Reported To: Open-Xchange
🔹 Reported By: #catenacyber
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 11:20am (UTC)
Assert failed in `edit_mail_istream_read`
🔗 https://hackerone.com/reports/965790
🔹 Severity: No Rating | 💰 50 USD
🔹 Reported To: Open-Xchange
🔹 Reported By: #catenacyber
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 11:20am (UTC)
Failed assert in `mail_index_transaction_lookup`
🔗 https://hackerone.com/reports/965782
🔹 Severity: No Rating | 💰 50 USD
🔹 Reported To: Open-Xchange
🔹 Reported By: #catenacyber
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 11:20am (UTC)
[bl] Uninitialized memory exposure via negative .consume()
🔗 https://hackerone.com/reports/966347
🔹 Severity: High
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #chalker
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 3:16pm (UTC)
notevil - Sandbox Escape Lead to RCE on Node.js and XSS in the Browser
🔗 https://hackerone.com/reports/809012
🔹 Severity: High
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #phra
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 4:14pm (UTC)
The authenticity_token can be reversed and used to forge valid per_form_csrf_tokens for arbitrary routes
🔗 https://hackerone.com/reports/732415
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Ruby on Rails
🔹 Reported By: #jregele
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 4:25pm (UTC)
CSV Injection Via Student Password/Name Leads To Client Side RCE And Reading Client Files
🔗 https://hackerone.com/reports/943255
🔹 Severity: Medium
🔹 Reported To: Khan Academy
🔹 Reported By: #demonia
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 6:56pm (UTC)
Ability to publish a paid theme without purchasing it.
🔗 https://hackerone.com/reports/927567
🔹 Severity: Low | 💰 2,000 USD
🔹 Reported To: Shopify
🔹 Reported By: #saltymermaid
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 7:41pm (UTC)
Ability to publish a paid theme without purchasing it.
🔗 https://hackerone.com/reports/953083
🔹 Severity: Low | 💰 2,000 USD
🔹 Reported To: Shopify
🔹 Reported By: #saltymermaid
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 7:42pm (UTC)
XSS from arbitrary attachment upload.
🔗 https://hackerone.com/reports/831703
🔹 Severity: High
🔹 Reported To: Qulture.Rocks
🔹 Reported By: #wisp
🔹 State: 🟢 Resolved
🔹 Disclosed: August 28, 2020, 4:53am (UTC)
XSS via unicode characters in upload filename
🔗 https://hackerone.com/reports/179695
🔹 Severity: Medium | 💰 600 USD
🔹 Reported To: WordPress
🔹 Reported By: #kahoots
🔹 State: 🟢 Resolved
🔹 Disclosed: August 28, 2020, 4:43pm (UTC)
Remote Code Execution in Slack desktop apps + bonus
🔗 https://hackerone.com/reports/783877
🔹 Severity: Critical | 💰 1,750 USD
🔹 Reported To: Slack
🔹 Reported By: #oskarsv
🔹 State: 🟢 Resolved
🔹 Disclosed: August 28, 2020, 6:04pm (UTC)
Private leaderboard owner email disclosure when sending invites
🔗 https://hackerone.com/reports/969988
🔹 Severity: No Rating
🔹 Reported To: WakaTime
🔹 Reported By: #hy76t56f565
🔹 State: 🟢 Resolved
🔹 Disclosed: August 28, 2020, 11:15pm (UTC)
XSS Stored via Upload avatar PNG [HTML] File in accounts.shopify.com
🔗 https://hackerone.com/reports/964550
🔹 Severity: Low
🔹 Reported To: Shopify
🔹 Reported By: #zerox4
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2020, 3:06pm (UTC)
[sirloin] Web Server Directory Traversal via Crafted GET Request
🔗 https://hackerone.com/reports/790623
🔹 Severity: High
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #bp0lr
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2020, 3:54pm (UTC)
[hangersteak] Web Server Directory Traversal via Crafted GET Request
🔗 https://hackerone.com/reports/790873
🔹 Severity: High
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #bp0lr
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2020, 3:56pm (UTC)
DOM XSS triggered in secure support desk
🔗 https://hackerone.com/reports/512065
🔹 Severity: Critical | 💰 500 USD
🔹 Reported To: QIWI
🔹 Reported By: #honoki
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2020, 10:06am (UTC)