Bugpoint – Telegram

Bugpoint

999 subscribers

3.73K photos

3.73K links

Latest updates about disclosure bug bounty reports: tech details, impacts, bounties 📣

Rate👇
https://cutt.ly/bugpoint_rate
Feedback👇
https://cutt.ly/bugpoint_feedback

#️⃣ bug bounty disclosed reports
#️⃣ bug bounty write-ups
#️⃣ bug bounty teleg

Download Telegram

About

Blog

Apps

Platform

999 subscribers

Reading arbitrary files via running arbitrary python code

👉 https://hackerone.com/reports/974697

🔹 Severity: No Rating
🔹 Reported To: BugPoC
🔹 Reported By: #hackk9
🔹 State: 🔴 N/A
🔹 Disclosed: September 6, 2020, 1:17pm (UTC)

40 views13:20

Keychain data persistence may lead to account takeover

👉 https://hackerone.com/reports/761975

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: QIWI
🔹 Reported By: #0x3c3e
🔹 State: 🟢 Resolved
🔹 Disclosed: September 7, 2020, 2:47pm (UTC)

37 views14:50

XSS on https://fax.pbx.itsendless.org/ (CVE-2017-18024)

👉 https://hackerone.com/reports/963798

🔹 Severity: Medium
🔹 Reported To: Endless Hosting
🔹 Reported By: #pirneci
🔹 State: 🟢 Resolved
🔹 Disclosed: September 7, 2020, 5:42pm (UTC)

41 views17:44

[bugs.fuzzing-project.org] HTML Injection via 'custom_field_7[]' parameter in '/view_all_set.php'

👉 https://hackerone.com/reports/903869

🔹 Severity: Medium
🔹 Reported To: Hanno's projects
🔹 Reported By: #dragonjar
🔹 State: 🟢 Resolved
🔹 Disclosed: September 8, 2020, 7:30am (UTC)

41 views07:32

No CSRF Protection in Resend Confirmation Email feature leads to Sending Unwanted Email in Victim's Inbox without knowing Victim's email address

👉 https://hackerone.com/reports/753386

🔹 Severity: Medium
🔹 Reported To: Stripo Inc
🔹 Reported By: #binit
🔹 State: 🟢 Resolved
🔹 Disclosed: September 8, 2020, 11:17am (UTC)

44 views11:18

SSRF into Shared Runner, by replacing dockerd with malicious server in Executor

👉 https://hackerone.com/reports/809248

🔹 Severity: Medium | 💰 2,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #lucash-dev
🔹 State: 🟢 Resolved
🔹 Disclosed: September 8, 2020, 1:28pm (UTC)

38 views13:30

Members from parent group keep their access level on a subgroup transfer and are invisible

👉 https://hackerone.com/reports/790786

🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #kryword
🔹 State: 🟢 Resolved
🔹 Disclosed: September 8, 2020, 1:44pm (UTC)

39 views13:46

Injection of `http.<url>.*` git config settings leading to SSRF

👉 https://hackerone.com/reports/855276

🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: September 8, 2020, 1:46pm (UTC)

40 views13:48

EXIF metadata not stripped from JPG group logos

👉 https://hackerone.com/reports/446238

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: GitLab
🔹 Reported By: #jackb898
🔹 State: 🟢 Resolved
🔹 Disclosed: September 8, 2020, 2:02pm (UTC)

42 views14:04

Blind SQL Injection

👉 https://hackerone.com/reports/758654

🔹 Severity: Critical | 💰 2,000 USD
🔹 Reported To: InnoGames
🔹 Reported By: #rzx007x
🔹 State: 🟢 Resolved
🔹 Disclosed: September 8, 2020, 3:04pm (UTC)

40 views15:06

Race Condition when following a user

👉 https://hackerone.com/reports/927384

🔹 Severity: Low
🔹 Reported To: Staging.every.org
🔹 Reported By: #bugra
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 5:51am (UTC)

42 views05:54

damage to the timeline so that comment fields cannot be displayed or not available to all members in the store

👉 https://hackerone.com/reports/971599

🔹 Severity: No Rating
🔹 Reported To: Shopify
🔹 Reported By: #jaka_tingkir
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 4:45pm (UTC)

37 views16:48

Add apps to packages 0, 61, 62 with /store/ajaxpackagemerge

👉 https://hackerone.com/reports/972243

🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: Valve
🔹 Reported By: #njbooher
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 8:07pm (UTC)

38 views20:10

Unauthorized updates to extended_info properties in /store/ajaxpackagesave

👉 https://hackerone.com/reports/815547

🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: Valve
🔹 Reported By: #njbooher
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 8:27pm (UTC)

37 views20:30

Stored XSS on PyPi simple API endpoint

👉 https://hackerone.com/reports/856836

🔹 Severity: Medium | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 9:57pm (UTC)

38 views22:00

Stored XSS in markdown when redacting references

👉 https://hackerone.com/reports/836649

🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 9:58pm (UTC)

40 views22:00

Smartsheet employees email disclosure through enpoint after login.

👉 https://hackerone.com/reports/880089

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Smartsheet
🔹 Reported By: #soareswallace
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 10:15pm (UTC)

41 views22:18

SSRF at https://cognitive.topcoder.com leads to AWS instance metadata due to vulnerable email subscription feature

👉 https://hackerone.com/reports/876424

🔹 Severity: Critical
🔹 Reported To: Topcoder
🔹 Reported By: #mase289
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 12:42pm (UTC)

40 views12:44

THX Tuneup Survey feedback disclosure via Google cached content for apps.thx.com

👉 https://hackerone.com/reports/751729

🔹 Severity: Low | 💰 200 USD
🔹 Reported To: Razer
🔹 Reported By: #jackb898
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 4:04pm (UTC)

41 views16:06

bypass the [OKTA] login redirect can lead to disclosing limited-information about the sub-domain at [ shiptsec.com ]

👉 https://hackerone.com/reports/968699

🔹 Severity: Low | 💰 200 USD
🔹 Reported To: Shipt
🔹 Reported By: #tester1231233
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 4:23pm (UTC)

44 views16:26

Safe Redirect Bypass

👉 https://hackerone.com/reports/945990

🔹 Severity: Low | 💰 560 USD
🔹 Reported To: Twitter
🔹 Reported By: #cyanpiny
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 4:57pm (UTC)

46 views17:00