Path traversal, to RCE
π https://hackerone.com/reports/733072
πΉ Severity: High | π° 12,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #saltyyolk
πΉ State: π’ Resolved
πΉ Disclosed: June 7, 2022, 2:16pm (UTC)
π https://hackerone.com/reports/733072
πΉ Severity: High | π° 12,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #saltyyolk
πΉ State: π’ Resolved
πΉ Disclosed: June 7, 2022, 2:16pm (UTC)
π₯5
Open redirect on https://www.glassdoor.com/profile/siwa.htm via state parameter
π https://hackerone.com/reports/1097208
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Glassdoor
πΉ Reported By: #0x7
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 11:44am (UTC)
π https://hackerone.com/reports/1097208
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Glassdoor
πΉ Reported By: #0x7
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 11:44am (UTC)
Reflected XSS on https://help.glassdoor.com/gd_requestsubmitpage
π https://hackerone.com/reports/1094224
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Glassdoor
πΉ Reported By: #0x7
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 11:46am (UTC)
π https://hackerone.com/reports/1094224
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Glassdoor
πΉ Reported By: #0x7
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 11:46am (UTC)
Reflected XSS on https://www.glassdoor.com/parts/header.htm
π https://hackerone.com/reports/1073712
πΉ Severity: Medium | π° 600 USD
πΉ Reported To: Glassdoor
πΉ Reported By: #0x7
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 12:00pm (UTC)
π https://hackerone.com/reports/1073712
πΉ Severity: Medium | π° 600 USD
πΉ Reported To: Glassdoor
πΉ Reported By: #0x7
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 12:00pm (UTC)
Stored XSS on issue comments and other pages which contain notes
π https://hackerone.com/reports/1398305
πΉ Severity: High | π° 3,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #jarij
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 2:02pm (UTC)
π https://hackerone.com/reports/1398305
πΉ Severity: High | π° 3,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #jarij
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 2:02pm (UTC)
"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request
π https://hackerone.com/reports/1375393
πΉ Severity: Medium | π° 610 USD
πΉ Reported To: GitLab
πΉ Reported By: #joaxcar
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 2:04pm (UTC)
π https://hackerone.com/reports/1375393
πΉ Severity: Medium | π° 610 USD
πΉ Reported To: GitLab
πΉ Reported By: #joaxcar
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 2:04pm (UTC)
Gitlab Pages token theft using service workers
π https://hackerone.com/reports/1439552
πΉ Severity: Medium | π° 1,680 USD
πΉ Reported To: GitLab
πΉ Reported By: #ehhthing
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 2:06pm (UTC)
π https://hackerone.com/reports/1439552
πΉ Severity: Medium | π° 1,680 USD
πΉ Reported To: GitLab
πΉ Reported By: #ehhthing
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 2:06pm (UTC)
XSS by clicking Jira's link
π https://hackerone.com/reports/1194254
πΉ Severity: Medium | π° 1,130 USD
πΉ Reported To: GitLab
πΉ Reported By: #ooooooo_q
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 2:07pm (UTC)
π https://hackerone.com/reports/1194254
πΉ Severity: Medium | π° 1,130 USD
πΉ Reported To: GitLab
πΉ Reported By: #ooooooo_q
πΉ State: π’ Resolved
πΉ Disclosed: June 8, 2022, 2:07pm (UTC)
Several Subdomains Takeover
π https://hackerone.com/reports/1591085
πΉ Severity: High
πΉ Reported To: Reddit
πΉ Reported By: #3amii
πΉ State: π΄ N/A
πΉ Disclosed: June 8, 2022, 8:36pm (UTC)
π https://hackerone.com/reports/1591085
πΉ Severity: High
πΉ Reported To: Reddit
πΉ Reported By: #3amii
πΉ State: π΄ N/A
πΉ Disclosed: June 8, 2022, 8:36pm (UTC)
match
π https://hackerone.com/reports/1555440
πΉ Severity: High
πΉ Reported To: curl
πΉ Reported By: #maslahhunter
πΉ State: π΄ N/A
πΉ Disclosed: June 9, 2022, 7:09am (UTC)
π https://hackerone.com/reports/1555440
πΉ Severity: High
πΉ Reported To: curl
πΉ Reported By: #maslahhunter
πΉ State: π΄ N/A
πΉ Disclosed: June 9, 2022, 7:09am (UTC)
Integer overflows in unescape_word()
π https://hackerone.com/reports/1564922
πΉ Severity: Low
πΉ Reported To: curl
πΉ Reported By: #ddme
πΉ State: π΄ N/A
πΉ Disclosed: June 9, 2022, 7:10am (UTC)
π https://hackerone.com/reports/1564922
πΉ Severity: Low
πΉ Reported To: curl
πΉ Reported By: #ddme
πΉ State: π΄ N/A
πΉ Disclosed: June 9, 2022, 7:10am (UTC)
Moderator can enable cam/mic remotely if cam/mic-permission was disabled while user has activated cam/mic
π https://hackerone.com/reports/1520685
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Nextcloud
πΉ Reported By: #michag86
πΉ State: π’ Resolved
πΉ Disclosed: June 9, 2022, 12:42pm (UTC)
π https://hackerone.com/reports/1520685
πΉ Severity: Low | π° 100 USD
πΉ Reported To: Nextcloud
πΉ Reported By: #michag86
πΉ State: π’ Resolved
πΉ Disclosed: June 9, 2022, 12:42pm (UTC)
RXSS on βββββββββ
π https://hackerone.com/reports/1555582
πΉ Severity: Medium
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #tmz900
πΉ State: π’ Resolved
πΉ Disclosed: June 10, 2022, 2:44pm (UTC)
π https://hackerone.com/reports/1555582
πΉ Severity: Medium
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #tmz900
πΉ State: π’ Resolved
πΉ Disclosed: June 10, 2022, 2:44pm (UTC)
bd-j exploit chain
π https://hackerone.com/reports/1379975
πΉ Severity: High | π° 20,000 USD
πΉ Reported To: PlayStation
πΉ Reported By: #theflow0
πΉ State: π’ Resolved
πΉ Disclosed: June 10, 2022, 8:26pm (UTC)
π https://hackerone.com/reports/1379975
πΉ Severity: High | π° 20,000 USD
πΉ Reported To: PlayStation
πΉ Reported By: #theflow0
πΉ State: π’ Resolved
πΉ Disclosed: June 10, 2022, 8:26pm (UTC)
π3
Email address disclosure via invite token validatiion
π https://hackerone.com/reports/1560072
πΉ Severity: Low | π° 250 USD
πΉ Reported To: TikTok
πΉ Reported By: #noob_but_cut3
πΉ State: π’ Resolved
πΉ Disclosed: June 11, 2022, 12:28am (UTC)
π https://hackerone.com/reports/1560072
πΉ Severity: Low | π° 250 USD
πΉ Reported To: TikTok
πΉ Reported By: #noob_but_cut3
πΉ State: π’ Resolved
πΉ Disclosed: June 11, 2022, 12:28am (UTC)
disclosure the live_analytics information of any livestream.
π https://hackerone.com/reports/1561299
πΉ Severity: Medium | π° 1,000 USD
πΉ Reported To: TikTok
πΉ Reported By: #datph4m
πΉ State: π’ Resolved
πΉ Disclosed: June 11, 2022, 12:33am (UTC)
π https://hackerone.com/reports/1561299
πΉ Severity: Medium | π° 1,000 USD
πΉ Reported To: TikTok
πΉ Reported By: #datph4m
πΉ State: π’ Resolved
πΉ Disclosed: June 11, 2022, 12:33am (UTC)
CVE-2022-27779: cookie for trailing dot TLD
π https://hackerone.com/reports/1565615
πΉ Severity: Medium | π° 2,400 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #haxatron1
πΉ State: π’ Resolved
πΉ Disclosed: June 11, 2022, 6:58pm (UTC)
π https://hackerone.com/reports/1565615
πΉ Severity: Medium | π° 2,400 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #haxatron1
πΉ State: π’ Resolved
πΉ Disclosed: June 11, 2022, 6:58pm (UTC)
π1
CVE-2022-27780: percent-encoded path separator in URL host
π https://hackerone.com/reports/1565619
πΉ Severity: Medium | π° 2,400 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #haxatron1
πΉ State: π’ Resolved
πΉ Disclosed: June 11, 2022, 6:58pm (UTC)
π https://hackerone.com/reports/1565619
πΉ Severity: Medium | π° 2,400 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #haxatron1
πΉ State: π’ Resolved
πΉ Disclosed: June 11, 2022, 6:58pm (UTC)
CVE-2022-30115: HSTS bypass via trailing dot
π https://hackerone.com/reports/1565622
πΉ Severity: Medium | π° 2,400 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #haxatron1
πΉ State: π’ Resolved
πΉ Disclosed: June 11, 2022, 6:58pm (UTC)
π https://hackerone.com/reports/1565622
πΉ Severity: Medium | π° 2,400 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #haxatron1
πΉ State: π’ Resolved
πΉ Disclosed: June 11, 2022, 6:58pm (UTC)
All user password hash can be seen from admin panel
π https://hackerone.com/reports/1489892
πΉ Severity: Medium
πΉ Reported To: UPchieve
πΉ Reported By: #dark_haxor
πΉ State: π’ Resolved
πΉ Disclosed: June 11, 2022, 11:31pm (UTC)
π https://hackerone.com/reports/1489892
πΉ Severity: Medium
πΉ Reported To: UPchieve
πΉ Reported By: #dark_haxor
πΉ State: π’ Resolved
πΉ Disclosed: June 11, 2022, 11:31pm (UTC)
π1
lack of rate limit on athentification login page & forgot password page
π https://hackerone.com/reports/1591764
πΉ Severity: Medium
πΉ Reported To: Showmax
πΉ Reported By: #saidkira
πΉ State: βͺοΈ Informative
πΉ Disclosed: June 13, 2022, 7:09am (UTC)
π https://hackerone.com/reports/1591764
πΉ Severity: Medium
πΉ Reported To: Showmax
πΉ Reported By: #saidkira
πΉ State: βͺοΈ Informative
πΉ Disclosed: June 13, 2022, 7:09am (UTC)