Bugpoint
@bugpoint
999 subscribers
3.73K photos
3.73K links
Latest updates about disclosure bug bounty reports: tech details, impacts, bounties πŸ“£

RateπŸ‘‡
https://cutt.ly/bugpoint_rate
FeedbackπŸ‘‡
https://cutt.ly/bugpoint_feedback

#️⃣ bug bounty disclosed reports
#️⃣ bug bounty write-ups
#️⃣ bug bounty teleg
Download Telegram
About
Blog
Apps
Platform
Join
Bugpoint
999 subscribers
Bugpoint
Restricted user can bypass permissions restriction to create NR Alert policies

πŸ‘‰ https://hackerone.com/reports/380413

πŸ”Ή Severity: Medium | πŸ’° 500 USD
πŸ”Ή Reported To: New Relic
πŸ”Ή Reported By: #jon_bottarini
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 4, 2020, 11:00am (UTC)
28 views
Bugpoint
[NR Insights] IDOR - Modify the filter settings for any NR Insights dashboard through internal_api endpoint

πŸ‘‰ https://hackerone.com/reports/459443

πŸ”Ή Severity: High | πŸ’° 2,500 USD
πŸ”Ή Reported To: New Relic
πŸ”Ή Reported By: #jon_bottarini
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 4, 2020, 11:00am (UTC)
26 views
Bugpoint
Upgrade menu exposes the mobile application token meant to only be visible to administrators

πŸ‘‰ https://hackerone.com/reports/447975

πŸ”Ή Severity: Low | πŸ’° 750 USD
πŸ”Ή Reported To: New Relic
πŸ”Ή Reported By: #jon_bottarini
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 4, 2020, 11:00am (UTC)
27 views
Bugpoint
Ability to view monitor names of other NR accounts through internal API (v3) via "monitor_id" parameter

πŸ‘‰ https://hackerone.com/reports/462321

πŸ”Ή Severity: High | πŸ’° 2,000 USD
πŸ”Ή Reported To: New Relic
πŸ”Ή Reported By: #jon_bottarini
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 4, 2020, 11:03am (UTC)
28 views
Bugpoint
[NR Alerts/Synthetics] IDOR through /policies.json with Synthetics exposes full name of other NR users

πŸ‘‰ https://hackerone.com/reports/419875

πŸ”Ή Severity: Medium | πŸ’° 1,500 USD
πŸ”Ή Reported To: New Relic
πŸ”Ή Reported By: #jon_bottarini
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 4, 2020, 11:04am (UTC)
29 views
Bugpoint
Full name of other accounts exposed through NR API Explorer (another workaround of #476958)

πŸ‘‰ https://hackerone.com/reports/520518

πŸ”Ή Severity: Medium | πŸ’° 750 USD
πŸ”Ή Reported To: New Relic
πŸ”Ή Reported By: #jon_bottarini
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 4, 2020, 11:07am (UTC)
30 views
Bugpoint
[Synthetics/Infrastructure/everything] Individual account permissions are not properly managed and inherited on sub accounts

πŸ‘‰ https://hackerone.com/reports/268541

πŸ”Ή Severity: Medium | πŸ’° 750 USD
πŸ”Ή Reported To: New Relic
πŸ”Ή Reported By: #jon_bottarini
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 4, 2020, 5:06pm (UTC)
32 views
Bugpoint
[NR Synthetics] (IDOR) Ability to see full name associated with other New Relic accounts through workaround of #255894

πŸ‘‰ https://hackerone.com/reports/267636

πŸ”Ή Severity: Medium | πŸ’° 1,500 USD
πŸ”Ή Reported To: New Relic
πŸ”Ή Reported By: #jon_bottarini
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 4, 2020, 5:08pm (UTC)
35 views
Bugpoint
Logic flaw enables restricted account to access account license key

πŸ‘‰ https://hackerone.com/reports/200576

πŸ”Ή Severity: Medium | πŸ’° 500 USD
πŸ”Ή Reported To: New Relic
πŸ”Ή Reported By: #jon_bottarini
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 4, 2020, 5:08pm (UTC)
37 views
Bugpoint
GET request to accounts.json on support site leaks the root account license key and the browser license key to a restricted user

πŸ‘‰ https://hackerone.com/reports/479135

πŸ”Ή Severity: Medium | πŸ’° 750 USD
πŸ”Ή Reported To: New Relic
πŸ”Ή Reported By: #jon_bottarini
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 4, 2020, 5:09pm (UTC)
39 views
Bugpoint
Reflected-XSS on https://www.topcoder.com/tc via pt parameter

πŸ‘‰ https://hackerone.com/reports/789652

πŸ”Ή Severity: Medium
πŸ”Ή Reported To: Topcoder
πŸ”Ή Reported By: #laz0rde
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 4, 2020, 7:53pm (UTC)
39 views
Bugpoint
[extend-merge] Prototype pollution

πŸ‘‰ https://hackerone.com/reports/878339

πŸ”Ή Severity: High
πŸ”Ή Reported To: Node.js third-party modules
πŸ”Ή Reported By: #d3lla
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 6, 2020, 1:00pm (UTC)
39 views
Bugpoint
Reading arbitrary files via running arbitrary python code

πŸ‘‰ https://hackerone.com/reports/974697

πŸ”Ή Severity: No Rating
πŸ”Ή Reported To: BugPoC
πŸ”Ή Reported By: #hackk9
πŸ”Ή State: πŸ”΄ N/A
πŸ”Ή Disclosed: September 6, 2020, 1:17pm (UTC)
40 views
Bugpoint
Keychain data persistence may lead to account takeover

πŸ‘‰ https://hackerone.com/reports/761975

πŸ”Ή Severity: Low | πŸ’° 100 USD
πŸ”Ή Reported To: QIWI
πŸ”Ή Reported By: #0x3c3e
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 7, 2020, 2:47pm (UTC)
37 views
Bugpoint
XSS on https://fax.pbx.itsendless.org/ (CVE-2017-18024)

πŸ‘‰ https://hackerone.com/reports/963798

πŸ”Ή Severity: Medium
πŸ”Ή Reported To: Endless Hosting
πŸ”Ή Reported By: #pirneci
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 7, 2020, 5:42pm (UTC)
41 views
Bugpoint
[bugs.fuzzing-project.org] HTML Injection via 'custom_field_7[]' parameter in '/view_all_set.php'

πŸ‘‰ https://hackerone.com/reports/903869

πŸ”Ή Severity: Medium
πŸ”Ή Reported To: Hanno's projects
πŸ”Ή Reported By: #dragonjar
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 8, 2020, 7:30am (UTC)
41 views
Bugpoint
No CSRF Protection in Resend Confirmation Email feature leads to Sending Unwanted Email in Victim's Inbox without knowing Victim's email address

πŸ‘‰ https://hackerone.com/reports/753386

πŸ”Ή Severity: Medium
πŸ”Ή Reported To: Stripo Inc
πŸ”Ή Reported By: #binit
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 8, 2020, 11:17am (UTC)
44 views
Bugpoint
SSRF into Shared Runner, by replacing dockerd with malicious server in Executor

πŸ‘‰ https://hackerone.com/reports/809248

πŸ”Ή Severity: Medium | πŸ’° 2,000 USD
πŸ”Ή Reported To: GitLab
πŸ”Ή Reported By: #lucash-dev
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 8, 2020, 1:28pm (UTC)
38 views
Bugpoint
Members from parent group keep their access level on a subgroup transfer and are invisible

πŸ‘‰ https://hackerone.com/reports/790786

πŸ”Ή Severity: High | πŸ’° 4,000 USD
πŸ”Ή Reported To: GitLab
πŸ”Ή Reported By: #kryword
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 8, 2020, 1:44pm (UTC)
39 views
Bugpoint
Injection of `http.<url>.*` git config settings leading to SSRF

πŸ‘‰ https://hackerone.com/reports/855276

πŸ”Ή Severity: High | πŸ’° 3,000 USD
πŸ”Ή Reported To: GitLab
πŸ”Ή Reported By: #vakzz
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 8, 2020, 1:46pm (UTC)
40 views
Bugpoint
EXIF metadata not stripped from JPG group logos

πŸ‘‰ https://hackerone.com/reports/446238

πŸ”Ή Severity: Low | πŸ’° 500 USD
πŸ”Ή Reported To: GitLab
πŸ”Ή Reported By: #jackb898
πŸ”Ή State: 🟒 Resolved
πŸ”Ή Disclosed: September 8, 2020, 2:02pm (UTC)
42 views