[garnier-olia.lady.mail.ru] Reflected XSS /exp/ bypass "/"
π https://hackerone.com/reports/787815
πΉ Severity: Low
πΉ Reported To: Mail.ru
πΉ Reported By: #iframe
πΉ State: π’ Resolved
πΉ Disclosed: September 1, 2020, 9:26am (UTC)
π https://hackerone.com/reports/787815
πΉ Severity: Low
πΉ Reported To: Mail.ru
πΉ Reported By: #iframe
πΉ State: π’ Resolved
πΉ Disclosed: September 1, 2020, 9:26am (UTC)
Clickjacking lead to remove review
π https://hackerone.com/reports/965141
πΉ Severity: Medium
πΉ Reported To: Yelp
πΉ Reported By: #alaayousef
πΉ State: π’ Resolved
πΉ Disclosed: September 1, 2020, 6:07pm (UTC)
π https://hackerone.com/reports/965141
πΉ Severity: Medium
πΉ Reported To: Yelp
πΉ Reported By: #alaayousef
πΉ State: π’ Resolved
πΉ Disclosed: September 1, 2020, 6:07pm (UTC)
CRLF injection on www.starbucks.com
π https://hackerone.com/reports/858650
πΉ Severity: Medium | π° 250 USD
πΉ Reported To: Starbucks
πΉ Reported By: #x3n0nn3p
πΉ State: π’ Resolved
πΉ Disclosed: September 1, 2020, 9:59pm (UTC)
π https://hackerone.com/reports/858650
πΉ Severity: Medium | π° 250 USD
πΉ Reported To: Starbucks
πΉ Reported By: #x3n0nn3p
πΉ State: π’ Resolved
πΉ Disclosed: September 1, 2020, 9:59pm (UTC)
XSS by file (Active Storage `Proxying`)
π https://hackerone.com/reports/949513
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Ruby on Rails
πΉ Reported By: #ooooooo_q
πΉ State: π’ Resolved
πΉ Disclosed: September 1, 2020, 10:51pm (UTC)
π https://hackerone.com/reports/949513
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Ruby on Rails
πΉ Reported By: #ooooooo_q
πΉ State: π’ Resolved
πΉ Disclosed: September 1, 2020, 10:51pm (UTC)
Stored XSS in Post title (PoC)
π https://hackerone.com/reports/942859
πΉ Severity: Medium | π° 250 USD
πΉ Reported To: Imgur
πΉ Reported By: #zerox4
πΉ State: π’ Resolved
πΉ Disclosed: September 2, 2020, 6:06am (UTC)
π https://hackerone.com/reports/942859
πΉ Severity: Medium | π° 250 USD
πΉ Reported To: Imgur
πΉ Reported By: #zerox4
πΉ State: π’ Resolved
πΉ Disclosed: September 2, 2020, 6:06am (UTC)
Takeover an account that doesn't have a Shopify ID and more
π https://hackerone.com/reports/867513
πΉ Severity: Critical | π° 22,500 USD
πΉ Reported To: Shopify
πΉ Reported By: #francisbeaudoin
πΉ State: π’ Resolved
πΉ Disclosed: September 2, 2020, 2:47pm (UTC)
π https://hackerone.com/reports/867513
πΉ Severity: Critical | π° 22,500 USD
πΉ Reported To: Shopify
πΉ Reported By: #francisbeaudoin
πΉ State: π’ Resolved
πΉ Disclosed: September 2, 2020, 2:47pm (UTC)
Public access to Sidekiq dashboard at shopper.sbermarket.ru
π https://hackerone.com/reports/951190
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Mail.ru
πΉ Reported By: #avolume
πΉ State: π’ Resolved
πΉ Disclosed: September 2, 2020, 4:09pm (UTC)
π https://hackerone.com/reports/951190
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Mail.ru
πΉ Reported By: #avolume
πΉ State: π’ Resolved
πΉ Disclosed: September 2, 2020, 4:09pm (UTC)
looch.tv CORS crossite user information and stream_key access
π https://hackerone.com/reports/708886
πΉ Severity: Medium
πΉ Reported To: Mail.ru
πΉ Reported By: #iframe
πΉ State: π’ Resolved
πΉ Disclosed: September 2, 2020, 5:43pm (UTC)
π https://hackerone.com/reports/708886
πΉ Severity: Medium
πΉ Reported To: Mail.ru
πΉ Reported By: #iframe
πΉ State: π’ Resolved
πΉ Disclosed: September 2, 2020, 5:43pm (UTC)
[api.33slona.ru] ΠΠΎΡΡΡΠΏ ΠΊ API ΠΈΠ· Π·Π° Π½Π΅ΠΏΡΠ°Π²ΠΈΠ»ΡΠ½ΠΎΠΉ ΠΊΠΎΠ½ΡΠΈΠ³ΡΡΠ°ΡΠΈΠΈ ΡΠ΅ΡΠ²Π΅ΡΠ° 302 ΡΠ΅Π΄ΠΈΡΠ΅Ρ.
π https://hackerone.com/reports/819714
πΉ Severity: No Rating
πΉ Reported To: Mail.ru
πΉ Reported By: #iframe
πΉ State: π’ Resolved
πΉ Disclosed: September 2, 2020, 6:24pm (UTC)
π https://hackerone.com/reports/819714
πΉ Severity: No Rating
πΉ Reported To: Mail.ru
πΉ Reported By: #iframe
πΉ State: π’ Resolved
πΉ Disclosed: September 2, 2020, 6:24pm (UTC)
Subdomain Takeover at analyticstest.geekbrains.ru
π https://hackerone.com/reports/942179
πΉ Severity: Medium
πΉ Reported To: Mail.ru
πΉ Reported By: #steal_wart
πΉ State: π’ Resolved
πΉ Disclosed: September 2, 2020, 6:27pm (UTC)
π https://hackerone.com/reports/942179
πΉ Severity: Medium
πΉ Reported To: Mail.ru
πΉ Reported By: #steal_wart
πΉ State: π’ Resolved
πΉ Disclosed: September 2, 2020, 6:27pm (UTC)
Denial of Service | twitter.com & mobile.twitter.com
π https://hackerone.com/reports/903740
πΉ Severity: Medium | π° 1,120 USD
πΉ Reported To: Twitter
πΉ Reported By: #cyanpiny
πΉ State: π’ Resolved
πΉ Disclosed: September 2, 2020, 7:18pm (UTC)
π https://hackerone.com/reports/903740
πΉ Severity: Medium | π° 1,120 USD
πΉ Reported To: Twitter
πΉ Reported By: #cyanpiny
πΉ State: π’ Resolved
πΉ Disclosed: September 2, 2020, 7:18pm (UTC)
IDOR in locid parameter allowing to view others accounts Profile Locations
π https://hackerone.com/reports/966949
πΉ Severity: Low
πΉ Reported To: Yelp
πΉ Reported By: #cocoh__23
πΉ State: βͺοΈ Informative
πΉ Disclosed: September 2, 2020, 7:26pm (UTC)
π https://hackerone.com/reports/966949
πΉ Severity: Low
πΉ Reported To: Yelp
πΉ Reported By: #cocoh__23
πΉ State: βͺοΈ Informative
πΉ Disclosed: September 2, 2020, 7:26pm (UTC)
[static-server-gx] Path Traversal allowing to read any files on the server
π https://hackerone.com/reports/581939
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #lightangel1412
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 12:44am (UTC)
π https://hackerone.com/reports/581939
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #lightangel1412
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 12:44am (UTC)
Open SonarQube instance leaking internal source code
π https://hackerone.com/reports/947946
πΉ Severity: Critical
πΉ Reported To: Equifax
πΉ Reported By: #aksquare
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 5:59am (UTC)
π https://hackerone.com/reports/947946
πΉ Severity: Critical
πΉ Reported To: Equifax
πΉ Reported By: #aksquare
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 5:59am (UTC)
SQL injection at fleet.city-mobil.ru
π https://hackerone.com/reports/881901
πΉ Severity: High | π° 10,000 USD
πΉ Reported To: Mail.ru
πΉ Reported By: #r0hack
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 1:19pm (UTC)
π https://hackerone.com/reports/881901
πΉ Severity: High | π° 10,000 USD
πΉ Reported To: Mail.ru
πΉ Reported By: #r0hack
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 1:19pm (UTC)
REFLECTED XSS On http://jsgames.mail.ru/bad_browser.php via back_url paramter
π https://hackerone.com/reports/948259
πΉ Severity: Medium
πΉ Reported To: Mail.ru
πΉ Reported By: #yukusawa18
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 1:23pm (UTC)
π https://hackerone.com/reports/948259
πΉ Severity: Medium
πΉ Reported To: Mail.ru
πΉ Reported By: #yukusawa18
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 1:23pm (UTC)
Reflected XSS on βββββββ
π https://hackerone.com/reports/971360
πΉ Severity: Medium
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #nagli
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 5:20pm (UTC)
π https://hackerone.com/reports/971360
πΉ Severity: Medium
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #nagli
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 5:20pm (UTC)
Elmah.axd is publicly accessible and leaking Error Log for ROOT on βββββ_PRD_WEB1 βββββββββelmah.axd
π https://hackerone.com/reports/962753
πΉ Severity: Medium
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #rudra_2000
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 5:22pm (UTC)
π https://hackerone.com/reports/962753
πΉ Severity: Medium
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #rudra_2000
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 5:22pm (UTC)
CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.
π https://hackerone.com/reports/951508
πΉ Severity: High
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #professor1
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 5:23pm (UTC)
π https://hackerone.com/reports/951508
πΉ Severity: High
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #professor1
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 5:23pm (UTC)
βββ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability
π https://hackerone.com/reports/959187
πΉ Severity: High
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #secret_letters
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 5:24pm (UTC)
π https://hackerone.com/reports/959187
πΉ Severity: High
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #secret_letters
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 5:24pm (UTC)
Remote Code Execution on βββββββββ
π https://hackerone.com/reports/962013
πΉ Severity: Critical
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #hzllaga
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 5:25pm (UTC)
π https://hackerone.com/reports/962013
πΉ Severity: Critical
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #hzllaga
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 5:25pm (UTC)