Assert failed in `edit_mail_istream_read`

👉 https://hackerone.com/reports/965790

🔹 Severity: No Rating | 💰 50 USD
🔹 Reported To: Open-Xchange
🔹 Reported By: #catenacyber
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 11:20am (UTC)

Failed assert in `mail_index_transaction_lookup`

👉 https://hackerone.com/reports/965782

🔹 Severity: No Rating | 💰 50 USD
🔹 Reported To: Open-Xchange
🔹 Reported By: #catenacyber
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 11:20am (UTC)

[bl] Uninitialized memory exposure via negative .consume()

👉 https://hackerone.com/reports/966347

🔹 Severity: High
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #chalker
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 3:16pm (UTC)

notevil - Sandbox Escape Lead to RCE on Node.js and XSS in the Browser

👉 https://hackerone.com/reports/809012

🔹 Severity: High
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #phra
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 4:14pm (UTC)

The authenticity_token can be reversed and used to forge valid per_form_csrf_tokens for arbitrary routes

👉 https://hackerone.com/reports/732415

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Ruby on Rails
🔹 Reported By: #jregele
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 4:25pm (UTC)

CSV Injection Via Student Password/Name Leads To Client Side RCE And Reading Client Files

👉 https://hackerone.com/reports/943255

🔹 Severity: Medium
🔹 Reported To: Khan Academy
🔹 Reported By: #demonia
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 6:56pm (UTC)

Ability to publish a paid theme without purchasing it.

👉 https://hackerone.com/reports/927567

🔹 Severity: Low | 💰 2,000 USD
🔹 Reported To: Shopify
🔹 Reported By: #saltymermaid
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 7:41pm (UTC)

Ability to publish a paid theme without purchasing it.

👉 https://hackerone.com/reports/953083

🔹 Severity: Low | 💰 2,000 USD
🔹 Reported To: Shopify
🔹 Reported By: #saltymermaid
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 7:42pm (UTC)

XSS from arbitrary attachment upload.

👉 https://hackerone.com/reports/831703

🔹 Severity: High
🔹 Reported To: Qulture.Rocks
🔹 Reported By: #wisp
🔹 State: 🟢 Resolved
🔹 Disclosed: August 28, 2020, 4:53am (UTC)

XSS via unicode characters in upload filename

👉 https://hackerone.com/reports/179695

🔹 Severity: Medium | 💰 600 USD
🔹 Reported To: WordPress
🔹 Reported By: #kahoots
🔹 State: 🟢 Resolved
🔹 Disclosed: August 28, 2020, 4:43pm (UTC)

Remote Code Execution in Slack desktop apps + bonus

👉 https://hackerone.com/reports/783877

🔹 Severity: Critical | 💰 1,750 USD
🔹 Reported To: Slack
🔹 Reported By: #oskarsv
🔹 State: 🟢 Resolved
🔹 Disclosed: August 28, 2020, 6:04pm (UTC)

Private leaderboard owner email disclosure when sending invites

👉 https://hackerone.com/reports/969988

🔹 Severity: No Rating
🔹 Reported To: WakaTime
🔹 Reported By: #hy76t56f565
🔹 State: 🟢 Resolved
🔹 Disclosed: August 28, 2020, 11:15pm (UTC)

XSS Stored via Upload avatar PNG [HTML] File in accounts.shopify.com

👉 https://hackerone.com/reports/964550

🔹 Severity: Low
🔹 Reported To: Shopify
🔹 Reported By: #zerox4
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2020, 3:06pm (UTC)

[sirloin] Web Server Directory Traversal via Crafted GET Request

👉 https://hackerone.com/reports/790623

🔹 Severity: High
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #bp0lr
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2020, 3:54pm (UTC)

[hangersteak] Web Server Directory Traversal via Crafted GET Request

👉 https://hackerone.com/reports/790873

🔹 Severity: High
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #bp0lr
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2020, 3:56pm (UTC)

DOM XSS triggered in secure support desk

👉 https://hackerone.com/reports/512065

🔹 Severity: Critical | 💰 500 USD
🔹 Reported To: QIWI
🔹 Reported By: #honoki
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2020, 10:06am (UTC)

An implementation flaw in Mail.ru can be exploited for DKIM signature spoofing and email spoofing

👉 https://hackerone.com/reports/731878

🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #jianjun
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2020, 12:53pm (UTC)

[self?] XSS в адресе пользователя [sbermarket.ru]

👉 https://hackerone.com/reports/900973

🔹 Severity: No Rating
🔹 Reported To: Mail.ru
🔹 Reported By: #pisarenko
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2020, 1:00pm (UTC)

Access to information about any video and its owner via GraphQL endpoint [dictor.mail.ru]

👉 https://hackerone.com/reports/924914

🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #organdonor
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 9:14am (UTC)

IDOR позволяет изменить информацию о пользователе.

👉 https://hackerone.com/reports/708182

🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #iframe
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 9:21am (UTC)

warofdragons.my.games: configuration files with database account are accessible

👉 https://hackerone.com/reports/786609

🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #iframe
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 9:24am (UTC)