SQL injection at fleet.city-mobil.ru
https://hackerone.com/reports/881901
Severity: High | Bounty: 10,000 USD
Reported To: Mail.ru
Reported By: #r0hack
State: Resolved
Disclosed: September 3, 2020, 1:19pm (UTC)
REFLECTED XSS On http://jsgames.mail.ru/bad_browser.php via back_url parameter
https://hackerone.com/reports/948259
Severity: Medium
Reported To: Mail.ru
Reported By: #yukusawa18
State: Resolved
Disclosed: September 3, 2020, 1:23pm (UTC)
Reflected XSS on ███████
https://hackerone.com/reports/971360
Severity: Medium
Reported To: U.S. Dept Of Defense
Reported By: #nagli
State: Resolved
Disclosed: September 3, 2020, 5:20pm (UTC)
Elmah.axd is publicly accessible and leaking Error Log for ROOT on █████_PRD_WEB1 █████████elmah.axd
https://hackerone.com/reports/962753
Severity: Medium
Reported To: U.S. Dept Of Defense
Reported By: #rudra_2000
State: Resolved
Disclosed: September 3, 2020, 5:22pm (UTC)
CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.
https://hackerone.com/reports/951508
Severity: High
Reported To: U.S. Dept Of Defense
Reported By: #professor1
State: Resolved
Disclosed: September 3, 2020, 5:23pm (UTC)
███ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability
https://hackerone.com/reports/959187
Severity: High
Reported To: U.S. Dept Of Defense
Reported By: #secret_letters
State: Resolved
Disclosed: September 3, 2020, 5:24pm (UTC)
Remote Code Execution on █████████
https://hackerone.com/reports/962013
Severity: Critical
Reported To: U.S. Dept Of Defense
Reported By: #hzllaga
State: Resolved
Disclosed: September 3, 2020, 5:25pm (UTC)
Code injection host █████████
https://hackerone.com/reports/954398
Severity: High
Reported To: U.S. Dept Of Defense
Reported By: #e3xpl0it
State: Resolved
Disclosed: September 3, 2020, 5:27pm (UTC)
Subdomain takeover due to an unclaimed Amazon S3 bucket on ███
https://hackerone.com/reports/918946
Severity: Critical
Reported To: U.S. Dept Of Defense
Reported By: #chron0x
State: Resolved
Disclosed: September 3, 2020, 5:29pm (UTC)
Local Privilege Escalation on Dropbox Desktop for Windows
https://hackerone.com/reports/773571
Severity: Medium
Reported To: Dropbox
Reported By: #tesitura
State: Duplicate
Disclosed: September 3, 2020, 6:50pm (UTC)
Cross-origin resource sharing misconfiguration (CORS)
https://hackerone.com/reports/954512
Severity: Low
Reported To: Brave Software
Reported By: #drwx
State: Informative
Disclosed: September 4, 2020, 12:34am (UTC)
CodeQL query to detect XSLT injections
https://hackerone.com/reports/974368
Severity: Medium | Bounty: 1,800 USD
Reported To: GitHub Security Lab
Reported By: #grzegol
State: Resolved
Disclosed: September 3, 2020, 9:56pm (UTC)
[CATENACYBER]: [CPP] CWE-476 Null Pointer Dereference : Another query to either missing or redundant NULL check
https://hackerone.com/reports/974370
Severity: Medium | Bounty: 1,800 USD
Reported To: GitHub Security Lab
Reported By: #catenacyber
State: Resolved
Disclosed: September 3, 2020, 9:56pm (UTC)
Query to find TLS configurations supporting hardcoded insecure versions of the protocol and cipher suites
https://hackerone.com/reports/974369
Severity: High | Bounty: 2,300 USD
Reported To: GitHub Security Lab
Reported By: #logicmap
State: Resolved
Disclosed: September 3, 2020, 9:56pm (UTC)
[NR Synthetics] Restricted User can add/modify alert conditions on monitors without any synthetics privileges
https://hackerone.com/reports/334143
Severity: Medium | Bounty: 750 USD
Reported To: New Relic
Reported By: #jon_bottarini
State: Resolved
Disclosed: September 4, 2020, 10:54am (UTC)
User is able to access and create private synthetics locations without upgrading (regression of #276157)
https://hackerone.com/reports/344468
Severity: Low | Bounty: 500 USD
Reported To: New Relic
Reported By: #jon_bottarini
State: Resolved
Disclosed: September 4, 2020, 10:55am (UTC)
IDOR via internal_api "users" endpoint
https://hackerone.com/reports/349291
Severity: Medium | Bounty: 1,500 USD
Reported To: New Relic
Reported By: #jon_bottarini
State: Resolved
Disclosed: September 4, 2020, 10:55am (UTC)
[NR Insights] Data app permissions setting does not fully prevent other users from modifying/changing data related to your data app
https://hackerone.com/reports/388743
Severity: Medium | Bounty: 750 USD
Reported To: New Relic
Reported By: #jon_bottarini
State: Resolved
Disclosed: September 4, 2020, 10:56am (UTC)
[NR Infrastructure] Restricted user can update integration provider account name via integrations API
https://hackerone.com/reports/397483
Severity: Medium | Bounty: 750 USD
Reported To: New Relic
Reported By: #jon_bottarini
State: Resolved
Disclosed: September 4, 2020, 10:57am (UTC)
Permissions leaks the full name of other NR accounts - Regression of #267636
https://hackerone.com/reports/347665
Severity: Medium | Bounty: 1,500 USD
Reported To: New Relic
Reported By: #jon_bottarini
State: Resolved
Disclosed: September 4, 2020, 10:58am (UTC)
[NR Alerts] Internal API exposes Synthetics monitor details to a restricted user without view monitor permissions
https://hackerone.com/reports/386556
Severity: Medium | Bounty: 750 USD
Reported To: New Relic
Reported By: #jon_bottarini
State: Resolved
Disclosed: September 4, 2020, 10:58am (UTC)