Exfiltrate GDrive access token using CSRF
π https://hackerone.com/reports/1468010
πΉ Severity: Medium | π° 1,728 USD
πΉ Reported To: Dropbox
πΉ Reported By: #staz0t
πΉ State: π’ Resolved
πΉ Disclosed: June 1, 2022, 9:04pm (UTC)
π https://hackerone.com/reports/1468010
πΉ Severity: Medium | π° 1,728 USD
πΉ Reported To: Dropbox
πΉ Reported By: #staz0t
πΉ State: π’ Resolved
πΉ Disclosed: June 1, 2022, 9:04pm (UTC)
π₯1
AWS Load Balancer Controller can be used by an attacker to modify rules of any Security Group that they are able to tag
π https://hackerone.com/reports/1238482
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Kubernetes
πΉ Reported By: #t0rr3sp3dr0
πΉ State: π΄ N/A
πΉ Disclosed: June 2, 2022, 12:49am (UTC)
π https://hackerone.com/reports/1238482
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Kubernetes
πΉ Reported By: #t0rr3sp3dr0
πΉ State: π΄ N/A
πΉ Disclosed: June 2, 2022, 12:49am (UTC)
AWS Load Balancer Controller Managed Security Groups can be replaced by an unprivileged attacker
π https://hackerone.com/reports/1238017
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Kubernetes
πΉ Reported By: #t0rr3sp3dr0
πΉ State: π΄ N/A
πΉ Disclosed: June 2, 2022, 12:49am (UTC)
π https://hackerone.com/reports/1238017
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Kubernetes
πΉ Reported By: #t0rr3sp3dr0
πΉ State: π΄ N/A
πΉ Disclosed: June 2, 2022, 12:49am (UTC)
8ybhy85kld9zp9xf84x6.imgur.com Subdomain Takeover
π https://hackerone.com/reports/1527405
πΉ Severity: High | π° 50 USD
πΉ Reported To: Imgur
πΉ Reported By: #mr_baka
πΉ State: π’ Resolved
πΉ Disclosed: June 3, 2022, 5:45pm (UTC)
π https://hackerone.com/reports/1527405
πΉ Severity: High | π° 50 USD
πΉ Reported To: Imgur
πΉ Reported By: #mr_baka
πΉ State: π’ Resolved
πΉ Disclosed: June 3, 2022, 5:45pm (UTC)
Github Account Takeover from Docs page of `kubernetes-csi.github.io`
π https://hackerone.com/reports/1434967
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Kubernetes
πΉ Reported By: #codermak
πΉ State: π’ Resolved
πΉ Disclosed: June 4, 2022, 5:58pm (UTC)
π https://hackerone.com/reports/1434967
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Kubernetes
πΉ Reported By: #codermak
πΉ State: π’ Resolved
πΉ Disclosed: June 4, 2022, 5:58pm (UTC)
KRB-FTP: Security level downgrade
π https://hackerone.com/reports/1590102
πΉ Severity: No Rating
πΉ Reported To: curl
πΉ Reported By: #nyymi
πΉ State: π΄ N/A
πΉ Disclosed: June 5, 2022, 8:58pm (UTC)
π https://hackerone.com/reports/1590102
πΉ Severity: No Rating
πΉ Reported To: curl
πΉ Reported By: #nyymi
πΉ State: π΄ N/A
πΉ Disclosed: June 5, 2022, 8:58pm (UTC)
Heap overflow via HTTP/2 PUSH_PROMISE
π https://hackerone.com/reports/1589847
πΉ Severity: Low
πΉ Reported To: curl
πΉ Reported By: #nyymi
πΉ State: π΄ N/A
πΉ Disclosed: June 5, 2022, 8:59pm (UTC)
π https://hackerone.com/reports/1589847
πΉ Severity: Low
πΉ Reported To: curl
πΉ Reported By: #nyymi
πΉ State: π΄ N/A
πΉ Disclosed: June 5, 2022, 8:59pm (UTC)
Registered users contact information disclosure on salesforce lightning endpoint https://disposal.gsa.gov
π https://hackerone.com/reports/1443654
πΉ Severity: High
πΉ Reported To: U.S. General Services Administration
πΉ Reported By: #rptl
πΉ State: π’ Resolved
πΉ Disclosed: June 6, 2022, 6:17am (UTC)
π https://hackerone.com/reports/1443654
πΉ Severity: High
πΉ Reported To: U.S. General Services Administration
πΉ Reported By: #rptl
πΉ State: π’ Resolved
πΉ Disclosed: June 6, 2022, 6:17am (UTC)
2 Cache Poisoning Attack Methods Affect Core Functionality www.exodus.com
π https://hackerone.com/reports/1581454
πΉ Severity: High
πΉ Reported To: Exodus
πΉ Reported By: #bismillahfortuner
πΉ State: βͺοΈ Informative
πΉ Disclosed: June 6, 2022, 11:31am (UTC)
π https://hackerone.com/reports/1581454
πΉ Severity: High
πΉ Reported To: Exodus
πΉ Reported By: #bismillahfortuner
πΉ State: βͺοΈ Informative
πΉ Disclosed: June 6, 2022, 11:31am (UTC)
Misconfigurated login page able to lock login action for any account without user interaction
π https://hackerone.com/reports/1582778
πΉ Severity: Critical
πΉ Reported To: Reddit
πΉ Reported By: #h1ugroon
πΉ State: βͺοΈ Informative
πΉ Disclosed: June 6, 2022, 11:10pm (UTC)
π https://hackerone.com/reports/1582778
πΉ Severity: Critical
πΉ Reported To: Reddit
πΉ Reported By: #h1ugroon
πΉ State: βͺοΈ Informative
πΉ Disclosed: June 6, 2022, 11:10pm (UTC)
Stored Cross Site Scripting at https://www.grouplogic.com/ADMIN/store/index.cfm?fa=disprocode
π https://hackerone.com/reports/1164853
πΉ Severity: Medium
πΉ Reported To: Acronis
πΉ Reported By: #ub3rsick
πΉ State: π’ Resolved
πΉ Disclosed: June 7, 2022, 9:25am (UTC)
π https://hackerone.com/reports/1164853
πΉ Severity: Medium
πΉ Reported To: Acronis
πΉ Reported By: #ub3rsick
πΉ State: π’ Resolved
πΉ Disclosed: June 7, 2022, 9:25am (UTC)
Store Admin Page Accessible Without Authentication at https://www.grouplogic.com/ADMIN/store/index.cfm
π https://hackerone.com/reports/1164854
πΉ Severity: Medium | π° 250 USD
πΉ Reported To: Acronis
πΉ Reported By: #ub3rsick
πΉ State: π’ Resolved
πΉ Disclosed: June 7, 2022, 10:20am (UTC)
π https://hackerone.com/reports/1164854
πΉ Severity: Medium | π° 250 USD
πΉ Reported To: Acronis
πΉ Reported By: #ub3rsick
πΉ State: π’ Resolved
πΉ Disclosed: June 7, 2022, 10:20am (UTC)
Path traversal in Nuget Package Registry
π https://hackerone.com/reports/822262
πΉ Severity: High | π° 12,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #saltyyolk
πΉ State: π’ Resolved
πΉ Disclosed: June 7, 2022, 2:16pm (UTC)
π https://hackerone.com/reports/822262
πΉ Severity: High | π° 12,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #saltyyolk
πΉ State: π’ Resolved
πΉ Disclosed: June 7, 2022, 2:16pm (UTC)
π₯3
Private objects exposed through project import
π https://hackerone.com/reports/767770
πΉ Severity: Critical | π° 20,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #saltyyolk
πΉ State: π’ Resolved
πΉ Disclosed: June 7, 2022, 2:16pm (UTC)
π https://hackerone.com/reports/767770
πΉ Severity: Critical | π° 20,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #saltyyolk
πΉ State: π’ Resolved
πΉ Disclosed: June 7, 2022, 2:16pm (UTC)
π₯4
Steal private objects of other projects via project import
π https://hackerone.com/reports/743953
πΉ Severity: Critical | π° 20,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #saltyyolk
πΉ State: π’ Resolved
πΉ Disclosed: June 7, 2022, 2:16pm (UTC)
π https://hackerone.com/reports/743953
πΉ Severity: Critical | π° 20,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #saltyyolk
πΉ State: π’ Resolved
πΉ Disclosed: June 7, 2022, 2:16pm (UTC)
π₯4
Path traversal, to RCE
π https://hackerone.com/reports/733072
πΉ Severity: High | π° 12,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #saltyyolk
πΉ State: π’ Resolved
πΉ Disclosed: June 7, 2022, 2:16pm (UTC)
π https://hackerone.com/reports/733072
πΉ Severity: High | π° 12,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #saltyyolk
πΉ State: π’ Resolved
πΉ Disclosed: June 7, 2022, 2:16pm (UTC)
π₯5
Open redirect on https://www.glassdoor.com/profile/siwa.htm via state parameter
π https://hackerone.com/reports/1097208
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Glassdoor
πΉ Reported By: #0x7
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 11:44am (UTC)
π https://hackerone.com/reports/1097208
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Glassdoor
πΉ Reported By: #0x7
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 11:44am (UTC)
Reflected XSS on https://help.glassdoor.com/gd_requestsubmitpage
π https://hackerone.com/reports/1094224
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Glassdoor
πΉ Reported By: #0x7
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 11:46am (UTC)
π https://hackerone.com/reports/1094224
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Glassdoor
πΉ Reported By: #0x7
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 11:46am (UTC)
Reflected XSS on https://www.glassdoor.com/parts/header.htm
π https://hackerone.com/reports/1073712
πΉ Severity: Medium | π° 600 USD
πΉ Reported To: Glassdoor
πΉ Reported By: #0x7
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 12:00pm (UTC)
π https://hackerone.com/reports/1073712
πΉ Severity: Medium | π° 600 USD
πΉ Reported To: Glassdoor
πΉ Reported By: #0x7
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 12:00pm (UTC)
Stored XSS on issue comments and other pages which contain notes
π https://hackerone.com/reports/1398305
πΉ Severity: High | π° 3,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #jarij
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 2:02pm (UTC)
π https://hackerone.com/reports/1398305
πΉ Severity: High | π° 3,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #jarij
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 2:02pm (UTC)
"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request
π https://hackerone.com/reports/1375393
πΉ Severity: Medium | π° 610 USD
πΉ Reported To: GitLab
πΉ Reported By: #joaxcar
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 2:04pm (UTC)
π https://hackerone.com/reports/1375393
πΉ Severity: Medium | π° 610 USD
πΉ Reported To: GitLab
πΉ Reported By: #joaxcar
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 2:04pm (UTC)