Off-by-slash vulnerability in nodejs.org and iojs.org
π https://hackerone.com/reports/1631350
πΉ Severity: Medium
πΉ Reported To: Node.js
πΉ Reported By: #nagaro
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2022, 2:11pm (UTC)
π https://hackerone.com/reports/1631350
πΉ Severity: Medium
πΉ Reported To: Node.js
πΉ Reported By: #nagaro
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2022, 2:11pm (UTC)
Golang expvar Information Disclosure
π https://hackerone.com/reports/1650035
πΉ Severity: Low | π° 500 USD
πΉ Reported To: Uber
πΉ Reported By: #mustafa_farrag
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2022, 3:44pm (UTC)
π https://hackerone.com/reports/1650035
πΉ Severity: Low | π° 500 USD
πΉ Reported To: Uber
πΉ Reported By: #mustafa_farrag
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2022, 3:44pm (UTC)
Reflected XSS on pages.email.sel.sony.com/page.aspx via jobid parameter
π https://hackerone.com/reports/1309949
πΉ Severity: Medium
πΉ Reported To: Sony
πΉ Reported By: #leo_rac
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2022, 5:59pm (UTC)
π https://hackerone.com/reports/1309949
πΉ Severity: Medium
πΉ Reported To: Sony
πΉ Reported By: #leo_rac
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2022, 5:59pm (UTC)
NordVPN Linux Client - Unsafe service file permissions leads to Local Privilege Escalation
π https://hackerone.com/reports/1218523
πΉ Severity: Medium | π° 700 USD
πΉ Reported To: Nord Security
πΉ Reported By: #bashketchum
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2022, 6:48pm (UTC)
π https://hackerone.com/reports/1218523
πΉ Severity: Medium | π° 700 USD
πΉ Reported To: Nord Security
πΉ Reported By: #bashketchum
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2022, 6:48pm (UTC)
Pause-based desync in Apache HTTPD
π https://hackerone.com/reports/1667974
πΉ Severity: High | π° 4,000 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #albinowax
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2022, 7:02am (UTC)
π https://hackerone.com/reports/1667974
πΉ Severity: High | π° 4,000 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #albinowax
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2022, 7:02am (UTC)
π₯4π1
Default Login Credentials on https://broadbandmaps.mtn.com.gh/
π https://hackerone.com/reports/1297480
πΉ Severity: Critical
πΉ Reported To: MTN Group
πΉ Reported By: #theranger
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2022, 11:05am (UTC)
π https://hackerone.com/reports/1297480
πΉ Severity: Critical
πΉ Reported To: MTN Group
πΉ Reported By: #theranger
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2022, 11:05am (UTC)
Non-revoked API Key Information disclosure via Stripo_report()
π https://hackerone.com/reports/1613714
πΉ Severity: Medium
πΉ Reported To: Stripo Inc
πΉ Reported By: #deb0con
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2022, 11:05am (UTC)
π https://hackerone.com/reports/1613714
πΉ Severity: Medium
πΉ Reported To: Stripo Inc
πΉ Reported By: #deb0con
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2022, 11:05am (UTC)
Unauthorized access
π https://hackerone.com/reports/1669176
πΉ Severity: Medium
πΉ Reported To: GitLab
πΉ Reported By: #mega7
πΉ State: βͺοΈ Informative
πΉ Disclosed: August 25, 2022, 2:14pm (UTC)
π https://hackerone.com/reports/1669176
πΉ Severity: Medium
πΉ Reported To: GitLab
πΉ Reported By: #mega7
πΉ State: βͺοΈ Informative
πΉ Disclosed: August 25, 2022, 2:14pm (UTC)
Privilege Escalation - "Analyst" Role Can View Email Domains of a Company - [GET /voyager/api/voyagerOrganizationDashEmailDomainMappings]
π https://hackerone.com/reports/1572591
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: LinkedIn
πΉ Reported By: #naaash
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2022, 6:38pm (UTC)
π https://hackerone.com/reports/1572591
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: LinkedIn
πΉ Reported By: #naaash
πΉ State: π’ Resolved
πΉ Disclosed: August 26, 2022, 6:38pm (UTC)
weak protection against brute-forcing on login api leads to account takeover
π https://hackerone.com/reports/766875
πΉ Severity: Critical
πΉ Reported To: Palo Alto Software
πΉ Reported By: #zer0code
πΉ State: π’ Resolved
πΉ Disclosed: August 29, 2022, 6:23pm (UTC)
π https://hackerone.com/reports/766875
πΉ Severity: Critical
πΉ Reported To: Palo Alto Software
πΉ Reported By: #zer0code
πΉ State: π’ Resolved
πΉ Disclosed: August 29, 2022, 6:23pm (UTC)
TikTok's pixel/sdk.js leaks current URL from websites using postMessage
π https://hackerone.com/reports/1598749
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: TikTok
πΉ Reported By: #fransrosen
πΉ State: π’ Resolved
πΉ Disclosed: August 30, 2022, 6:25pm (UTC)
π https://hackerone.com/reports/1598749
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: TikTok
πΉ Reported By: #fransrosen
πΉ State: π’ Resolved
πΉ Disclosed: August 30, 2022, 6:25pm (UTC)
π3
Blind SSRF on platform.dash.cloudflare.com Due to Sentry misconfiguration
π https://hackerone.com/reports/1467044
πΉ Severity: Low | π° 200 USD
πΉ Reported To: Cloudflare Public Bug Bounty
πΉ Reported By: #lohigowda
πΉ State: π’ Resolved
πΉ Disclosed: August 31, 2022, 10:54am (UTC)
π https://hackerone.com/reports/1467044
πΉ Severity: Low | π° 200 USD
πΉ Reported To: Cloudflare Public Bug Bounty
πΉ Reported By: #lohigowda
πΉ State: π’ Resolved
πΉ Disclosed: August 31, 2022, 10:54am (UTC)
CVE-2022-35252: control code in cookie denial of service
π https://hackerone.com/reports/1613943
πΉ Severity: Low
πΉ Reported To: curl
πΉ Reported By: #haxatron1
πΉ State: π’ Resolved
πΉ Disclosed: August 31, 2022, 10:55am (UTC)
π https://hackerone.com/reports/1613943
πΉ Severity: Low
πΉ Reported To: curl
πΉ Reported By: #haxatron1
πΉ State: π’ Resolved
πΉ Disclosed: August 31, 2022, 10:55am (UTC)
π1
Enable 2Fa verification without verifying email leads account takeover
π https://hackerone.com/reports/1618021
πΉ Severity: Medium | π° 350 USD
πΉ Reported To: Cloudflare Public Bug Bounty
πΉ Reported By: #motu-vai
πΉ State: π’ Resolved
πΉ Disclosed: August 31, 2022, 3:43pm (UTC)
π https://hackerone.com/reports/1618021
πΉ Severity: Medium | π° 350 USD
πΉ Reported To: Cloudflare Public Bug Bounty
πΉ Reported By: #motu-vai
πΉ State: π’ Resolved
πΉ Disclosed: August 31, 2022, 3:43pm (UTC)
Password reset tokens sent to CSP reporting endpoints
π https://hackerone.com/reports/1626281
πΉ Severity: Low | π° 250 USD
πΉ Reported To: Snapchat
πΉ Reported By: #mahfujwhh
πΉ State: π’ Resolved
πΉ Disclosed: August 31, 2022, 11:53pm (UTC)
π https://hackerone.com/reports/1626281
πΉ Severity: Low | π° 250 USD
πΉ Reported To: Snapchat
πΉ Reported By: #mahfujwhh
πΉ State: π’ Resolved
πΉ Disclosed: August 31, 2022, 11:53pm (UTC)
Any expired reset password link can still be used to reset the password
π https://hackerone.com/reports/1615790
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Acronis
πΉ Reported By: #mrccrqr
πΉ State: π’ Resolved
πΉ Disclosed: September 1, 2022, 9:31am (UTC)
π https://hackerone.com/reports/1615790
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Acronis
πΉ Reported By: #mrccrqr
πΉ State: π’ Resolved
πΉ Disclosed: September 1, 2022, 9:31am (UTC)
Remote denial of service in HyperLedger Fabric
π https://hackerone.com/reports/1635854
πΉ Severity: High | π° 1,500 USD
πΉ Reported To: Hyperledger
πΉ Reported By: #fatal0
πΉ State: π’ Resolved
πΉ Disclosed: September 1, 2022, 2:05pm (UTC)
π https://hackerone.com/reports/1635854
πΉ Severity: High | π° 1,500 USD
πΉ Reported To: Hyperledger
πΉ Reported By: #fatal0
πΉ State: π’ Resolved
πΉ Disclosed: September 1, 2022, 2:05pm (UTC)
API Key reported in #1465145 not rotated and thus is still valid and can be used by anyone
π https://hackerone.com/reports/1591770
πΉ Severity: Low
πΉ Reported To: Adobe
πΉ Reported By: #aneeeketh
πΉ State: βͺοΈ Informative
πΉ Disclosed: September 1, 2022, 4:05pm (UTC)
π https://hackerone.com/reports/1591770
πΉ Severity: Low
πΉ Reported To: Adobe
πΉ Reported By: #aneeeketh
πΉ State: βͺοΈ Informative
πΉ Disclosed: September 1, 2022, 4:05pm (UTC)
Remote code execution due to unvalidated file upload
π https://hackerone.com/reports/1164452
πΉ Severity: Critical
πΉ Reported To: MTN Group
πΉ Reported By: #aliyugombe
πΉ State: π’ Resolved
πΉ Disclosed: September 1, 2022, 5:29pm (UTC)
π https://hackerone.com/reports/1164452
πΉ Severity: Critical
πΉ Reported To: MTN Group
πΉ Reported By: #aliyugombe
πΉ State: π’ Resolved
πΉ Disclosed: September 1, 2022, 5:29pm (UTC)
Password reset token leak on third party website via Referer header [cloudivr.mtnbusiness.com.ng]
π https://hackerone.com/reports/1320242
πΉ Severity: Medium
πΉ Reported To: MTN Group
πΉ Reported By: #ibrahimatix0x01
πΉ State: π’ Resolved
πΉ Disclosed: September 1, 2022, 8:21pm (UTC)
π https://hackerone.com/reports/1320242
πΉ Severity: Medium
πΉ Reported To: MTN Group
πΉ Reported By: #ibrahimatix0x01
πΉ State: π’ Resolved
πΉ Disclosed: September 1, 2022, 8:21pm (UTC)