Bypass for Domain-level redirects (Unvalidated Redirects and Forwar
🔗 https://hackerone.com/reports/1582160
🔹 Severity: Medium
🔹 Reported To: GitLab
🔹 Reported By: #thypon
🔹 State: ⚪️ Informative
🔹 Disclosed: June 22, 2022, 10:57pm (UTC)
User can link non-public file attachments, leading to file disclosure on edit by higher-privileged user
🔗 https://hackerone.com/reports/763177
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Phabricator
🔹 Reported By: #foobar7
🔹 State: 🟢 Resolved
🔹 Disclosed: June 26, 2022, 6:25pm (UTC)
Credential leak when using two URLs
🔗 https://hackerone.com/reports/1569926
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #chen172
🔹 State: 🔴 N/A
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
CVE-2022-32208: FTP-KRB bad message verification
🔗 https://hackerone.com/reports/1590071
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
CVE-2022-32207: Unpreserved file permissions
🔗 https://hackerone.com/reports/1573634
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
CVE-2022-32206: HTTP compression denial of service
🔗 https://hackerone.com/reports/1570651
🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:55am (UTC)
CVE-2022-32205: Set-Cookie denial of service
🔗 https://hackerone.com/reports/1569946
🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 6:56am (UTC)
Rails::Html::SafeListSanitizer vulnerable to XSS attack in an environment that allows the style tag
🔗 https://hackerone.com/reports/1599573
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #windshock
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 11:46am (UTC)
API docs expose an active token for the sample domain theburritobot.com
🔗 https://hackerone.com/reports/1507412
🔹 Severity: High | 💰 500 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #sainaen
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:23pm (UTC)
Sign in with Apple works on existing accounts, bypasses 2FA
🔗 https://hackerone.com/reports/1593404
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #mattipv4
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:24pm (UTC)
Sign in with Apple generates long-life JWTs, seemingly irrevocable, that grant immediate access to accounts
🔗 https://hackerone.com/reports/1593413
🔹 Severity: Low | 💰 250 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #mattipv4
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:25pm (UTC)
Bypassing Cache Deception Armor using .avif extension file
🔗 https://hackerone.com/reports/1391635
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #bombon
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:27pm (UTC)
HTTP request smuggling with Origin Rules using newlines in the host_header action parameter
🔗 https://hackerone.com/reports/1575912
🔹 Severity: Critical | 💰 3,100 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #albertspedersen
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 4:32pm (UTC)
Reflected XSS via `████████` parameter
🔗 https://hackerone.com/reports/1536215
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #mdakh404
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:23pm (UTC)
Unauthorized Access to Internal Server Panel without Authentication
🔗 https://hackerone.com/reports/1548067
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #ahmd_halabi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:24pm (UTC)
CVE-2022-32207: Unpreserved file permissions
🔗 https://hackerone.com/reports/1614331
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:52pm (UTC)
CVE-2022-32205: Set-Cookie denial of service
🔗 https://hackerone.com/reports/1614328
🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:53pm (UTC)
CVE-2022-32206: HTTP compression denial of service
🔗 https://hackerone.com/reports/1614330
🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 7:53pm (UTC)
CVE-2022-32208: FTP-KRB bad message verification
🔗 https://hackerone.com/reports/1614332
🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: June 27, 2022, 8:09pm (UTC)
XSS Payload on TikTok Seller Center endpoint
🔗 https://hackerone.com/reports/1554048
🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #aidilarf_2000
🔹 State: 🟢 Resolved
🔹 Disclosed: June 29, 2022, 1:10am (UTC)
Browser is not following proper flow for redirection, causing open redirect
🔗 https://hackerone.com/reports/1579374
🔹 Severity: High | 💰 500 USD
🔹 Reported To: Brave Software
🔹 Reported By: #abhinavsecondary
🔹 State: 🟢 Resolved
🔹 Disclosed: June 30, 2022, 5:45pm (UTC)