Unauthorized updates to extended_info properties in /store/ajaxpackagesave

👉 https://hackerone.com/reports/815547

🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: Valve
🔹 Reported By: #njbooher
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 8:27pm (UTC)

Stored XSS on PyPi simple API endpoint

👉 https://hackerone.com/reports/856836

🔹 Severity: Medium | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 9:57pm (UTC)

Stored XSS in markdown when redacting references

👉 https://hackerone.com/reports/836649

🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 9:58pm (UTC)

Smartsheet employees email disclosure through enpoint after login.

👉 https://hackerone.com/reports/880089

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Smartsheet
🔹 Reported By: #soareswallace
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 10:15pm (UTC)

SSRF at https://cognitive.topcoder.com leads to AWS instance metadata due to vulnerable email subscription feature

👉 https://hackerone.com/reports/876424

🔹 Severity: Critical
🔹 Reported To: Topcoder
🔹 Reported By: #mase289
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 12:42pm (UTC)

THX Tuneup Survey feedback disclosure via Google cached content for apps.thx.com

👉 https://hackerone.com/reports/751729

🔹 Severity: Low | 💰 200 USD
🔹 Reported To: Razer
🔹 Reported By: #jackb898
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 4:04pm (UTC)

bypass the [OKTA] login redirect can lead to disclosing limited-information about the sub-domain at [ shiptsec.com ]

👉 https://hackerone.com/reports/968699

🔹 Severity: Low | 💰 200 USD
🔹 Reported To: Shipt
🔹 Reported By: #tester1231233
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 4:23pm (UTC)

Safe Redirect Bypass

👉 https://hackerone.com/reports/945990

🔹 Severity: Low | 💰 560 USD
🔹 Reported To: Twitter
🔹 Reported By: #cyanpiny
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 4:57pm (UTC)

Team object in GraphQL disclosed private_comment

👉 https://hackerone.com/reports/978143

🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #haxta4ok00
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 7:05pm (UTC)

Unsafe deserialization in Nexus Repository helm plugin

👉 https://hackerone.com/reports/917843

🔹 Severity: Critical
🔹 Reported To: Central Security Project
🔹 Reported By: #c0d3p1ut0s
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 10:07pm (UTC)

http request smuggling in pscp.tv and periscope.tv

👉 https://hackerone.com/reports/713285

🔹 Severity: High | 💰 560 USD
🔹 Reported To: Twitter
🔹 Reported By: #protostar0
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 10:52pm (UTC)

Blind HTTP GET SSRF via website icon fetch (bypass of pull#812)

👉 https://hackerone.com/reports/925527

🔹 Severity: Low
🔹 Reported To: Bitwarden
🔹 Reported By: #shielder
🔹 State: 🟢 Resolved
🔹 Disclosed: September 11, 2020, 1:24pm (UTC)

Cache poisoning via X-Forwarded-Host in www.shopify.com/partners/blog

👉 https://hackerone.com/reports/977851

🔹 Severity: Low | 💰 1,000 USD
🔹 Reported To: Shopify
🔹 Reported By: #dakitu
🔹 State: 🟢 Resolved
🔹 Disclosed: September 11, 2020, 5:03pm (UTC)

[keyd] Prototype pollution

👉 https://hackerone.com/reports/877515

🔹 Severity: High
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #d3lla
🔹 State: 🟢 Resolved
🔹 Disclosed: September 14, 2020, 10:51am (UTC)

[objtools] Prototype pollution

👉 https://hackerone.com/reports/878394

🔹 Severity: High
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #d3lla
🔹 State: 🟢 Resolved
🔹 Disclosed: September 14, 2020, 10:51am (UTC)

[flsaba] Stored XSS in the file and directory name when directories listing

👉 https://hackerone.com/reports/856588

🔹 Severity: Low
🔹 Reported To: Node.js third-party modules
🔹 Reported By: #d3lla
🔹 State: 🟢 Resolved
🔹 Disclosed: September 14, 2020, 10:52am (UTC)

Password protection can be removed for newly created development store

👉 https://hackerone.com/reports/965510

🔹 Severity: No Rating | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #francisbeaudoin
🔹 State: 🟢 Resolved
🔹 Disclosed: September 14, 2020, 6:59pm (UTC)

Admin web sessions remain active after logout of Shopify ID

👉 https://hackerone.com/reports/952035

🔹 Severity: No Rating | 💰 1,000 USD
🔹 Reported To: Shopify
🔹 Reported By: #jaka_tingkir
🔹 State: 🟢 Resolved
🔹 Disclosed: September 14, 2020, 6:59pm (UTC)

XSS / SELF XSS

👉 https://hackerone.com/reports/906201

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #whoami991
🔹 State: 🟢 Resolved
🔹 Disclosed: September 14, 2020, 7:25pm (UTC)

Partner's non-verified business email change reflected into Shopify Collaborator Request

👉 https://hackerone.com/reports/874574

🔹 Severity: No Rating | 💰 1,000 USD
🔹 Reported To: Shopify
🔹 Reported By: #francisbeaudoin
🔹 State: 🟢 Resolved
🔹 Disclosed: September 14, 2020, 7:45pm (UTC)

Staff member with no permission can delete POS staff from account settings

👉 https://hackerone.com/reports/860348

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: Shopify
🔹 Reported By: #kunal94
🔹 State: 🟢 Resolved
🔹 Disclosed: September 14, 2020, 7:56pm (UTC)