CSV Injection Via Student Password/Name Leads To Client Side RCE And Reading Client Files

👉 https://hackerone.com/reports/943255

🔹 Severity: Medium
🔹 Reported To: Khan Academy
🔹 Reported By: #demonia
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 6:56pm (UTC)

Ability to publish a paid theme without purchasing it.

👉 https://hackerone.com/reports/927567

🔹 Severity: Low | 💰 2,000 USD
🔹 Reported To: Shopify
🔹 Reported By: #saltymermaid
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 7:41pm (UTC)

Ability to publish a paid theme without purchasing it.

👉 https://hackerone.com/reports/953083

🔹 Severity: Low | 💰 2,000 USD
🔹 Reported To: Shopify
🔹 Reported By: #saltymermaid
🔹 State: 🟢 Resolved
🔹 Disclosed: August 27, 2020, 7:42pm (UTC)

XSS from arbitrary attachment upload.

👉 https://hackerone.com/reports/831703

🔹 Severity: High
🔹 Reported To: Qulture.Rocks
🔹 Reported By: #wisp
🔹 State: 🟢 Resolved
🔹 Disclosed: August 28, 2020, 4:53am (UTC)

XSS via unicode characters in upload filename

👉 https://hackerone.com/reports/179695

🔹 Severity: Medium | 💰 600 USD
🔹 Reported To: WordPress
🔹 Reported By: #kahoots
🔹 State: 🟢 Resolved
🔹 Disclosed: August 28, 2020, 4:43pm (UTC)

Remote Code Execution in Slack desktop apps + bonus

👉 https://hackerone.com/reports/783877

🔹 Severity: Critical | 💰 1,750 USD
🔹 Reported To: Slack
🔹 Reported By: #oskarsv
🔹 State: 🟢 Resolved
🔹 Disclosed: August 28, 2020, 6:04pm (UTC)

Private leaderboard owner email disclosure when sending invites

👉 https://hackerone.com/reports/969988

🔹 Severity: No Rating
🔹 Reported To: WakaTime
🔹 Reported By: #hy76t56f565
🔹 State: 🟢 Resolved
🔹 Disclosed: August 28, 2020, 11:15pm (UTC)

XSS Stored via Upload avatar PNG [HTML] File in accounts.shopify.com

👉 https://hackerone.com/reports/964550

🔹 Severity: Low
🔹 Reported To: Shopify
🔹 Reported By: #zerox4
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2020, 3:06pm (UTC)

[sirloin] Web Server Directory Traversal via Crafted GET Request

👉 https://hackerone.com/reports/790623

🔹 Severity: High
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #bp0lr
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2020, 3:54pm (UTC)

[hangersteak] Web Server Directory Traversal via Crafted GET Request

👉 https://hackerone.com/reports/790873

🔹 Severity: High
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #bp0lr
🔹 State: 🟢 Resolved
🔹 Disclosed: August 30, 2020, 3:56pm (UTC)

DOM XSS triggered in secure support desk

👉 https://hackerone.com/reports/512065

🔹 Severity: Critical | 💰 500 USD
🔹 Reported To: QIWI
🔹 Reported By: #honoki
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2020, 10:06am (UTC)

An implementation flaw in Mail.ru can be exploited for DKIM signature spoofing and email spoofing

👉 https://hackerone.com/reports/731878

🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #jianjun
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2020, 12:53pm (UTC)

[self?] XSS в адресе пользователя [sbermarket.ru]

👉 https://hackerone.com/reports/900973

🔹 Severity: No Rating
🔹 Reported To: Mail.ru
🔹 Reported By: #pisarenko
🔹 State: 🟢 Resolved
🔹 Disclosed: August 31, 2020, 1:00pm (UTC)

Access to information about any video and its owner via GraphQL endpoint [dictor.mail.ru]

👉 https://hackerone.com/reports/924914

🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #organdonor
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 9:14am (UTC)

IDOR позволяет изменить информацию о пользователе.

👉 https://hackerone.com/reports/708182

🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #iframe
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 9:21am (UTC)

warofdragons.my.games: configuration files with database account are accessible

👉 https://hackerone.com/reports/786609

🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #iframe
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 9:24am (UTC)

[garnier-olia.lady.mail.ru] Reflected XSS /exp/ bypass "/"

👉 https://hackerone.com/reports/787815

🔹 Severity: Low
🔹 Reported To: Mail.ru
🔹 Reported By: #iframe
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 9:26am (UTC)

Clickjacking lead to remove review

👉 https://hackerone.com/reports/965141

🔹 Severity: Medium
🔹 Reported To: Yelp
🔹 Reported By: #alaayousef
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 6:07pm (UTC)

CRLF injection on www.starbucks.com

👉 https://hackerone.com/reports/858650

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Starbucks
🔹 Reported By: #x3n0nn3p
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 9:59pm (UTC)

XSS by file (Active Storage `Proxying`)

👉 https://hackerone.com/reports/949513

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Ruby on Rails
🔹 Reported By: #ooooooo_q
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 10:51pm (UTC)

Stored XSS in Post title (PoC)

👉 https://hackerone.com/reports/942859

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Imgur
🔹 Reported By: #zerox4
🔹 State: 🟢 Resolved
🔹 Disclosed: September 2, 2020, 6:06am (UTC)