[NR Synthetics] (IDOR) Ability to see full name associated with other New Relic accounts through workaround of #255894
π https://hackerone.com/reports/267636
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 5:08pm (UTC)
π https://hackerone.com/reports/267636
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 5:08pm (UTC)
Logic flaw enables restricted account to access account license key
π https://hackerone.com/reports/200576
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 5:08pm (UTC)
π https://hackerone.com/reports/200576
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 5:08pm (UTC)
GET request to accounts.json on support site leaks the root account license key and the browser license key to a restricted user
π https://hackerone.com/reports/479135
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 5:09pm (UTC)
π https://hackerone.com/reports/479135
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 5:09pm (UTC)
Reflected-XSS on https://www.topcoder.com/tc via pt parameter
π https://hackerone.com/reports/789652
πΉ Severity: Medium
πΉ Reported To: Topcoder
πΉ Reported By: #laz0rde
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 7:53pm (UTC)
π https://hackerone.com/reports/789652
πΉ Severity: Medium
πΉ Reported To: Topcoder
πΉ Reported By: #laz0rde
πΉ State: π’ Resolved
πΉ Disclosed: September 4, 2020, 7:53pm (UTC)
[extend-merge] Prototype pollution
π https://hackerone.com/reports/878339
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #d3lla
πΉ State: π’ Resolved
πΉ Disclosed: September 6, 2020, 1:00pm (UTC)
π https://hackerone.com/reports/878339
πΉ Severity: High
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #d3lla
πΉ State: π’ Resolved
πΉ Disclosed: September 6, 2020, 1:00pm (UTC)
Reading arbitrary files via running arbitrary python code
π https://hackerone.com/reports/974697
πΉ Severity: No Rating
πΉ Reported To: BugPoC
πΉ Reported By: #hackk9
πΉ State: π΄ N/A
πΉ Disclosed: September 6, 2020, 1:17pm (UTC)
π https://hackerone.com/reports/974697
πΉ Severity: No Rating
πΉ Reported To: BugPoC
πΉ Reported By: #hackk9
πΉ State: π΄ N/A
πΉ Disclosed: September 6, 2020, 1:17pm (UTC)
Keychain data persistence may lead to account takeover
π https://hackerone.com/reports/761975
πΉ Severity: Low | π° 100 USD
πΉ Reported To: QIWI
πΉ Reported By: #0x3c3e
πΉ State: π’ Resolved
πΉ Disclosed: September 7, 2020, 2:47pm (UTC)
π https://hackerone.com/reports/761975
πΉ Severity: Low | π° 100 USD
πΉ Reported To: QIWI
πΉ Reported By: #0x3c3e
πΉ State: π’ Resolved
πΉ Disclosed: September 7, 2020, 2:47pm (UTC)
XSS on https://fax.pbx.itsendless.org/ (CVE-2017-18024)
π https://hackerone.com/reports/963798
πΉ Severity: Medium
πΉ Reported To: Endless Hosting
πΉ Reported By: #pirneci
πΉ State: π’ Resolved
πΉ Disclosed: September 7, 2020, 5:42pm (UTC)
π https://hackerone.com/reports/963798
πΉ Severity: Medium
πΉ Reported To: Endless Hosting
πΉ Reported By: #pirneci
πΉ State: π’ Resolved
πΉ Disclosed: September 7, 2020, 5:42pm (UTC)
[bugs.fuzzing-project.org] HTML Injection via 'custom_field_7[]' parameter in '/view_all_set.php'
π https://hackerone.com/reports/903869
πΉ Severity: Medium
πΉ Reported To: Hanno's projects
πΉ Reported By: #dragonjar
πΉ State: π’ Resolved
πΉ Disclosed: September 8, 2020, 7:30am (UTC)
π https://hackerone.com/reports/903869
πΉ Severity: Medium
πΉ Reported To: Hanno's projects
πΉ Reported By: #dragonjar
πΉ State: π’ Resolved
πΉ Disclosed: September 8, 2020, 7:30am (UTC)
No CSRF Protection in Resend Confirmation Email feature leads to Sending Unwanted Email in Victim's Inbox without knowing Victim's email address
π https://hackerone.com/reports/753386
πΉ Severity: Medium
πΉ Reported To: Stripo Inc
πΉ Reported By: #binit
πΉ State: π’ Resolved
πΉ Disclosed: September 8, 2020, 11:17am (UTC)
π https://hackerone.com/reports/753386
πΉ Severity: Medium
πΉ Reported To: Stripo Inc
πΉ Reported By: #binit
πΉ State: π’ Resolved
πΉ Disclosed: September 8, 2020, 11:17am (UTC)
SSRF into Shared Runner, by replacing dockerd with malicious server in Executor
π https://hackerone.com/reports/809248
πΉ Severity: Medium | π° 2,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #lucash-dev
πΉ State: π’ Resolved
πΉ Disclosed: September 8, 2020, 1:28pm (UTC)
π https://hackerone.com/reports/809248
πΉ Severity: Medium | π° 2,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #lucash-dev
πΉ State: π’ Resolved
πΉ Disclosed: September 8, 2020, 1:28pm (UTC)
Members from parent group keep their access level on a subgroup transfer and are invisible
π https://hackerone.com/reports/790786
πΉ Severity: High | π° 4,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #kryword
πΉ State: π’ Resolved
πΉ Disclosed: September 8, 2020, 1:44pm (UTC)
π https://hackerone.com/reports/790786
πΉ Severity: High | π° 4,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #kryword
πΉ State: π’ Resolved
πΉ Disclosed: September 8, 2020, 1:44pm (UTC)
Injection of `http.<url>.*` git config settings leading to SSRF
π https://hackerone.com/reports/855276
πΉ Severity: High | π° 3,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #vakzz
πΉ State: π’ Resolved
πΉ Disclosed: September 8, 2020, 1:46pm (UTC)
π https://hackerone.com/reports/855276
πΉ Severity: High | π° 3,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #vakzz
πΉ State: π’ Resolved
πΉ Disclosed: September 8, 2020, 1:46pm (UTC)
EXIF metadata not stripped from JPG group logos
π https://hackerone.com/reports/446238
πΉ Severity: Low | π° 500 USD
πΉ Reported To: GitLab
πΉ Reported By: #jackb898
πΉ State: π’ Resolved
πΉ Disclosed: September 8, 2020, 2:02pm (UTC)
π https://hackerone.com/reports/446238
πΉ Severity: Low | π° 500 USD
πΉ Reported To: GitLab
πΉ Reported By: #jackb898
πΉ State: π’ Resolved
πΉ Disclosed: September 8, 2020, 2:02pm (UTC)
Blind SQL Injection
π https://hackerone.com/reports/758654
πΉ Severity: Critical | π° 2,000 USD
πΉ Reported To: InnoGames
πΉ Reported By: #rzx007x
πΉ State: π’ Resolved
πΉ Disclosed: September 8, 2020, 3:04pm (UTC)
π https://hackerone.com/reports/758654
πΉ Severity: Critical | π° 2,000 USD
πΉ Reported To: InnoGames
πΉ Reported By: #rzx007x
πΉ State: π’ Resolved
πΉ Disclosed: September 8, 2020, 3:04pm (UTC)
Race Condition when following a user
π https://hackerone.com/reports/927384
πΉ Severity: Low
πΉ Reported To: Staging.every.org
πΉ Reported By: #bugra
πΉ State: π’ Resolved
πΉ Disclosed: September 9, 2020, 5:51am (UTC)
π https://hackerone.com/reports/927384
πΉ Severity: Low
πΉ Reported To: Staging.every.org
πΉ Reported By: #bugra
πΉ State: π’ Resolved
πΉ Disclosed: September 9, 2020, 5:51am (UTC)
damage to the timeline so that comment fields cannot be displayed or not available to all members in the store
π https://hackerone.com/reports/971599
πΉ Severity: No Rating
πΉ Reported To: Shopify
πΉ Reported By: #jaka_tingkir
πΉ State: π’ Resolved
πΉ Disclosed: September 9, 2020, 4:45pm (UTC)
π https://hackerone.com/reports/971599
πΉ Severity: No Rating
πΉ Reported To: Shopify
πΉ Reported By: #jaka_tingkir
πΉ State: π’ Resolved
πΉ Disclosed: September 9, 2020, 4:45pm (UTC)
Add apps to packages 0, 61, 62 with /store/ajaxpackagemerge
π https://hackerone.com/reports/972243
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: Valve
πΉ Reported By: #njbooher
πΉ State: π’ Resolved
πΉ Disclosed: September 9, 2020, 8:07pm (UTC)
π https://hackerone.com/reports/972243
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: Valve
πΉ Reported By: #njbooher
πΉ State: π’ Resolved
πΉ Disclosed: September 9, 2020, 8:07pm (UTC)
Unauthorized updates to extended_info properties in /store/ajaxpackagesave
π https://hackerone.com/reports/815547
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: Valve
πΉ Reported By: #njbooher
πΉ State: π’ Resolved
πΉ Disclosed: September 9, 2020, 8:27pm (UTC)
π https://hackerone.com/reports/815547
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: Valve
πΉ Reported By: #njbooher
πΉ State: π’ Resolved
πΉ Disclosed: September 9, 2020, 8:27pm (UTC)
Stored XSS on PyPi simple API endpoint
π https://hackerone.com/reports/856836
πΉ Severity: Medium | π° 3,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #vakzz
πΉ State: π’ Resolved
πΉ Disclosed: September 9, 2020, 9:57pm (UTC)
π https://hackerone.com/reports/856836
πΉ Severity: Medium | π° 3,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #vakzz
πΉ State: π’ Resolved
πΉ Disclosed: September 9, 2020, 9:57pm (UTC)
Stored XSS in markdown when redacting references
π https://hackerone.com/reports/836649
πΉ Severity: High | π° 5,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #vakzz
πΉ State: π’ Resolved
πΉ Disclosed: September 9, 2020, 9:58pm (UTC)
π https://hackerone.com/reports/836649
πΉ Severity: High | π° 5,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #vakzz
πΉ State: π’ Resolved
πΉ Disclosed: September 9, 2020, 9:58pm (UTC)