Π‘ode injection host βββββββββ
π https://hackerone.com/reports/954398
πΉ Severity: High
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #e3xpl0it
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 5:27pm (UTC)
π https://hackerone.com/reports/954398
πΉ Severity: High
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #e3xpl0it
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 5:27pm (UTC)
Subdomain takeover due to an unclaimed Amazon S3 bucket on βββ
π https://hackerone.com/reports/918946
πΉ Severity: Critical
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #chron0x
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 5:29pm (UTC)
π https://hackerone.com/reports/918946
πΉ Severity: Critical
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #chron0x
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 5:29pm (UTC)
Local Privilege Escalation on Dropbox Desktop for Windows
π https://hackerone.com/reports/773571
πΉ Severity: Medium
πΉ Reported To: Dropbox
πΉ Reported By: #tesitura
πΉ State: π€ Duplicate
πΉ Disclosed: September 3, 2020, 6:50pm (UTC)
π https://hackerone.com/reports/773571
πΉ Severity: Medium
πΉ Reported To: Dropbox
πΉ Reported By: #tesitura
πΉ State: π€ Duplicate
πΉ Disclosed: September 3, 2020, 6:50pm (UTC)
Cross-origin resource sharing misconfiguration (CORS)
π https://hackerone.com/reports/954512
πΉ Severity: Low
πΉ Reported To: Brave Software
πΉ Reported By: #drwx
πΉ State: βͺοΈ Informative
πΉ Disclosed: September 4, 2020, 12:34am (UTC)
π https://hackerone.com/reports/954512
πΉ Severity: Low
πΉ Reported To: Brave Software
πΉ Reported By: #drwx
πΉ State: βͺοΈ Informative
πΉ Disclosed: September 4, 2020, 12:34am (UTC)
CodeQL query to detect XSLT injections
π https://hackerone.com/reports/974368
πΉ Severity: Medium | π° 1,800 USD
πΉ Reported To: GitHub Security Lab
πΉ Reported By: #grzegol
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 9:56pm (UTC)
π https://hackerone.com/reports/974368
πΉ Severity: Medium | π° 1,800 USD
πΉ Reported To: GitHub Security Lab
πΉ Reported By: #grzegol
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 9:56pm (UTC)
[CATENACYBER]: [CPP] CWE-476 Null Pointer Dereference : Another query to either missing or redundant NULL check
π https://hackerone.com/reports/974370
πΉ Severity: Medium | π° 1,800 USD
πΉ Reported To: GitHub Security Lab
πΉ Reported By: #catenacyber
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 9:56pm (UTC)
π https://hackerone.com/reports/974370
πΉ Severity: Medium | π° 1,800 USD
πΉ Reported To: GitHub Security Lab
πΉ Reported By: #catenacyber
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 9:56pm (UTC)
Query to find TLS configurations supporting hardcoded insecure versions of the protocol and cipher suites
π https://hackerone.com/reports/974369
πΉ Severity: High | π° 2,300 USD
πΉ Reported To: GitHub Security Lab
πΉ Reported By: #logicmap
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 9:56pm (UTC)
π https://hackerone.com/reports/974369
πΉ Severity: High | π° 2,300 USD
πΉ Reported To: GitHub Security Lab
πΉ Reported By: #logicmap
πΉ State: π’ Resolved
πΉ Disclosed: September 3, 2020, 9:56pm (UTC)
[NR Synthetics] Restricted User can add/modify alert conditions on monitors without any synthetics privileges
π https://hackerone.com/reports/334143
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 10:54am (UTC)
π https://hackerone.com/reports/334143
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 10:54am (UTC)
User is able to access and create private synthetics locations without upgrading (regression of #276157)
π https://hackerone.com/reports/344468
πΉ Severity: Low | π° 500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 10:55am (UTC)
π https://hackerone.com/reports/344468
πΉ Severity: Low | π° 500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 10:55am (UTC)
IDOR via internal_api "users" endpoint
π https://hackerone.com/reports/349291
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 10:55am (UTC)
π https://hackerone.com/reports/349291
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 10:55am (UTC)
[NR Insights] Data app permissions setting does not fully prevent other users from modifying/changing changing data related to your data app
π https://hackerone.com/reports/388743
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 10:56am (UTC)
π https://hackerone.com/reports/388743
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 10:56am (UTC)
[NR Infrastructure] Restricted user can update integration provider account name via integrations API
π https://hackerone.com/reports/397483
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 10:57am (UTC)
π https://hackerone.com/reports/397483
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 10:57am (UTC)
Permissions leaks the full name of other NR accounts - Regression of #267636
π https://hackerone.com/reports/347665
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 10:58am (UTC)
π https://hackerone.com/reports/347665
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 10:58am (UTC)
[NR Alerts] Internal API exposes Synthetics monitor details to a restricted user without view monitor permissions
π https://hackerone.com/reports/386556
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 10:58am (UTC)
π https://hackerone.com/reports/386556
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 10:58am (UTC)
[NR Alerts/Synthetics?] User with no Synthetics permissions can view synthetic monitor details through /internal_api/ endpoint
π https://hackerone.com/reports/320200
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 10:59am (UTC)
π https://hackerone.com/reports/320200
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 10:59am (UTC)
Restricted user can bypass permissions restriction to create NR Alert policies
π https://hackerone.com/reports/380413
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 11:00am (UTC)
π https://hackerone.com/reports/380413
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 11:00am (UTC)
[NR Insights] IDOR - Modify the filter settings for any NR Insights dashboard through internal_api endpoint
π https://hackerone.com/reports/459443
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 11:00am (UTC)
π https://hackerone.com/reports/459443
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 11:00am (UTC)
Upgrade menu exposes the mobile application token meant to only be visible to administrators
π https://hackerone.com/reports/447975
πΉ Severity: Low | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 11:00am (UTC)
π https://hackerone.com/reports/447975
πΉ Severity: Low | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 11:00am (UTC)
Ability to view monitor names of other NR accounts through internal API (v3) via "monitor_id" parameter
π https://hackerone.com/reports/462321
πΉ Severity: High | π° 2,000 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 11:03am (UTC)
π https://hackerone.com/reports/462321
πΉ Severity: High | π° 2,000 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 11:03am (UTC)
[NR Alerts/Synthetics] IDOR through /policies.json with Synthetics exposes full name of other NR users
π https://hackerone.com/reports/419875
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 11:04am (UTC)
π https://hackerone.com/reports/419875
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 11:04am (UTC)
Full name of other accounts exposed through NR API Explorer (another workaround of #476958)
π https://hackerone.com/reports/520518
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 11:07am (UTC)
π https://hackerone.com/reports/520518
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 11:07am (UTC)