Access to information about any video and its owner via GraphQL endpoint [dictor.mail.ru]

👉 https://hackerone.com/reports/924914

🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #organdonor
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 9:14am (UTC)

IDOR позволяет изменить информацию о пользователе.

👉 https://hackerone.com/reports/708182

🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #iframe
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 9:21am (UTC)

warofdragons.my.games: configuration files with database account are accessible

👉 https://hackerone.com/reports/786609

🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #iframe
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 9:24am (UTC)

[garnier-olia.lady.mail.ru] Reflected XSS /exp/ bypass "/"

👉 https://hackerone.com/reports/787815

🔹 Severity: Low
🔹 Reported To: Mail.ru
🔹 Reported By: #iframe
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 9:26am (UTC)

Clickjacking lead to remove review

👉 https://hackerone.com/reports/965141

🔹 Severity: Medium
🔹 Reported To: Yelp
🔹 Reported By: #alaayousef
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 6:07pm (UTC)

CRLF injection on www.starbucks.com

👉 https://hackerone.com/reports/858650

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Starbucks
🔹 Reported By: #x3n0nn3p
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 9:59pm (UTC)

XSS by file (Active Storage `Proxying`)

👉 https://hackerone.com/reports/949513

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Ruby on Rails
🔹 Reported By: #ooooooo_q
🔹 State: 🟢 Resolved
🔹 Disclosed: September 1, 2020, 10:51pm (UTC)

Stored XSS in Post title (PoC)

👉 https://hackerone.com/reports/942859

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Imgur
🔹 Reported By: #zerox4
🔹 State: 🟢 Resolved
🔹 Disclosed: September 2, 2020, 6:06am (UTC)

Takeover an account that doesn't have a Shopify ID and more

👉 https://hackerone.com/reports/867513

🔹 Severity: Critical | 💰 22,500 USD
🔹 Reported To: Shopify
🔹 Reported By: #francisbeaudoin
🔹 State: 🟢 Resolved
🔹 Disclosed: September 2, 2020, 2:47pm (UTC)

Public access to Sidekiq dashboard at shopper.sbermarket.ru

👉 https://hackerone.com/reports/951190

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #avolume
🔹 State: 🟢 Resolved
🔹 Disclosed: September 2, 2020, 4:09pm (UTC)

looch.tv CORS crossite user information and stream_key access

👉 https://hackerone.com/reports/708886

🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #iframe
🔹 State: 🟢 Resolved
🔹 Disclosed: September 2, 2020, 5:43pm (UTC)

[api.33slona.ru] Доступ к API из за неправильной конфигурации сервера 302 редирет.

👉 https://hackerone.com/reports/819714

🔹 Severity: No Rating
🔹 Reported To: Mail.ru
🔹 Reported By: #iframe
🔹 State: 🟢 Resolved
🔹 Disclosed: September 2, 2020, 6:24pm (UTC)

Subdomain Takeover at analyticstest.geekbrains.ru

👉 https://hackerone.com/reports/942179

🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #steal_wart
🔹 State: 🟢 Resolved
🔹 Disclosed: September 2, 2020, 6:27pm (UTC)

Denial of Service | twitter.com & mobile.twitter.com

👉 https://hackerone.com/reports/903740

🔹 Severity: Medium | 💰 1,120 USD
🔹 Reported To: Twitter
🔹 Reported By: #cyanpiny
🔹 State: 🟢 Resolved
🔹 Disclosed: September 2, 2020, 7:18pm (UTC)

IDOR in locid parameter allowing to view others accounts Profile Locations

👉 https://hackerone.com/reports/966949

🔹 Severity: Low
🔹 Reported To: Yelp
🔹 Reported By: #cocoh__23
🔹 State: ⚪️ Informative
🔹 Disclosed: September 2, 2020, 7:26pm (UTC)

[static-server-gx] Path Traversal allowing to read any files on the server

👉 https://hackerone.com/reports/581939

🔹 Severity: High
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #lightangel1412
🔹 State: 🟢 Resolved
🔹 Disclosed: September 3, 2020, 12:44am (UTC)

Open SonarQube instance leaking internal source code

👉 https://hackerone.com/reports/947946

🔹 Severity: Critical
🔹 Reported To: Equifax
🔹 Reported By: #aksquare
🔹 State: 🟢 Resolved
🔹 Disclosed: September 3, 2020, 5:59am (UTC)

SQL injection at fleet.city-mobil.ru

👉 https://hackerone.com/reports/881901

🔹 Severity: High | 💰 10,000 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #r0hack
🔹 State: 🟢 Resolved
🔹 Disclosed: September 3, 2020, 1:19pm (UTC)

REFLECTED XSS On http://jsgames.mail.ru/bad_browser.php via back_url paramter

👉 https://hackerone.com/reports/948259

🔹 Severity: Medium
🔹 Reported To: Mail.ru
🔹 Reported By: #yukusawa18
🔹 State: 🟢 Resolved
🔹 Disclosed: September 3, 2020, 1:23pm (UTC)

Reflected XSS on ███████

👉 https://hackerone.com/reports/971360

🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #nagli
🔹 State: 🟢 Resolved
🔹 Disclosed: September 3, 2020, 5:20pm (UTC)

Elmah.axd is publicly accessible and leaking Error Log for ROOT on █████_PRD_WEB1 █████████elmah.axd

👉 https://hackerone.com/reports/962753

🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #rudra_2000
🔹 State: 🟢 Resolved
🔹 Disclosed: September 3, 2020, 5:22pm (UTC)