Controllable read beyond bounds in lua_websocket_readbytes() [zhbug_httpd_126]
π https://hackerone.com/reports/1595290
πΉ Severity: Low | π° 480 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #tdp3kel9g
πΉ State: π’ Resolved
πΉ Disclosed: July 9, 2022, 1:45pm (UTC)
π https://hackerone.com/reports/1595290
πΉ Severity: Low | π° 480 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #tdp3kel9g
πΉ State: π’ Resolved
πΉ Disclosed: July 9, 2022, 1:45pm (UTC)
π1
Read beyond bounds in mod_isapi.c [zhbug_httpd_41]
π https://hackerone.com/reports/1595296
πΉ Severity: Low | π° 480 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #tdp3kel9g
πΉ State: π’ Resolved
πΉ Disclosed: July 9, 2022, 1:50pm (UTC)
π https://hackerone.com/reports/1595296
πΉ Severity: Low | π° 480 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #tdp3kel9g
πΉ State: π’ Resolved
πΉ Disclosed: July 9, 2022, 1:50pm (UTC)
Read beyond bounds via ap_rwrite() [zhbug_httpd_47.2]
π https://hackerone.com/reports/1595299
πΉ Severity: Low | π° 480 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #tdp3kel9g
πΉ State: π’ Resolved
πΉ Disclosed: July 9, 2022, 1:54pm (UTC)
π https://hackerone.com/reports/1595299
πΉ Severity: Low | π° 480 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #tdp3kel9g
πΉ State: π’ Resolved
πΉ Disclosed: July 9, 2022, 1:54pm (UTC)
Apache HTTP Server: mod_proxy_ajp: Possible request smuggling
π https://hackerone.com/reports/1594627
πΉ Severity: Medium | π° 2,400 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #ricterz
πΉ State: π’ Resolved
πΉ Disclosed: July 9, 2022, 7:25pm (UTC)
π https://hackerone.com/reports/1594627
πΉ Severity: Medium | π° 2,400 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #ricterz
πΉ State: π’ Resolved
πΉ Disclosed: July 9, 2022, 7:25pm (UTC)
DoS via lua_read_body() [zhbug_httpd_94]
π https://hackerone.com/reports/1596252
πΉ Severity: Low | π° 480 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #tdp3kel9g
πΉ State: π’ Resolved
πΉ Disclosed: July 9, 2022, 8:19pm (UTC)
π https://hackerone.com/reports/1596252
πΉ Severity: Low | π° 480 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #tdp3kel9g
πΉ State: π’ Resolved
πΉ Disclosed: July 9, 2022, 8:19pm (UTC)
Blind SSRF at packagist.maximum.nl
π https://hackerone.com/reports/1538056
πΉ Severity: No Rating | π° 75 USD
πΉ Reported To: Radancy
πΉ Reported By: #dk4trin
πΉ State: π’ Resolved
πΉ Disclosed: July 10, 2022, 12:38pm (UTC)
π https://hackerone.com/reports/1538056
πΉ Severity: No Rating | π° 75 USD
πΉ Reported To: Radancy
πΉ Reported By: #dk4trin
πΉ State: π’ Resolved
πΉ Disclosed: July 10, 2022, 12:38pm (UTC)
Homograph attack bypass cause redirection
π https://hackerone.com/reports/1285245
πΉ Severity: No Rating | π° 50 USD
πΉ Reported To: Vanilla
πΉ Reported By: #malek
πΉ State: π’ Resolved
πΉ Disclosed: July 10, 2022, 9:38pm (UTC)
π https://hackerone.com/reports/1285245
πΉ Severity: No Rating | π° 50 USD
πΉ Reported To: Vanilla
πΉ Reported By: #malek
πΉ State: π’ Resolved
πΉ Disclosed: July 10, 2022, 9:38pm (UTC)
Server Side Template Injection on Name parameter during Sign Up process
π https://hackerone.com/reports/1104349
πΉ Severity: High
πΉ Reported To: Glovo
πΉ Reported By: #battle_angel
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 8:42am (UTC)
π https://hackerone.com/reports/1104349
πΉ Severity: High
πΉ Reported To: Glovo
πΉ Reported By: #battle_angel
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 8:42am (UTC)
Getting a free delivery by singing up from "[email protected]"
π https://hackerone.com/reports/1296584
πΉ Severity: Medium
πΉ Reported To: Glovo
πΉ Reported By: #cmuppin
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 8:42am (UTC)
π https://hackerone.com/reports/1296584
πΉ Severity: Medium
πΉ Reported To: Glovo
πΉ Reported By: #cmuppin
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 8:42am (UTC)
Mass Account Takeover at https://app.taxjar.com/ - No user Interaction
π https://hackerone.com/reports/1581240
πΉ Severity: Critical | π° 11,500 USD
πΉ Reported To: Stripe
πΉ Reported By: #beerboy_ankit
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 1:50pm (UTC)
π https://hackerone.com/reports/1581240
πΉ Severity: Critical | π° 11,500 USD
πΉ Reported To: Stripe
πΉ Reported By: #beerboy_ankit
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 1:50pm (UTC)
π3π2
Able to view hackerone reports attachments
π https://hackerone.com/reports/979787
πΉ Severity: Critical | π° 12,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #sateeshn
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 4:00pm (UTC)
π https://hackerone.com/reports/979787
πΉ Severity: Critical | π° 12,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #sateeshn
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 4:00pm (UTC)
π€―3π1
Theme editor `oseid` parameter is leaked to third-party services through the `Referer` header which leads to somekind of storefront password bypass.
π https://hackerone.com/reports/1262434
πΉ Severity: Low | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #saltymermaid
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 5:13pm (UTC)
π https://hackerone.com/reports/1262434
πΉ Severity: Low | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #saltymermaid
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 5:13pm (UTC)
Collaborators and Staff members without all necessary permissions are able to create, edit and install custom apps
π https://hackerone.com/reports/1555502
πΉ Severity: Medium | π° 1,900 USD
πΉ Reported To: Shopify
πΉ Reported By: #kun_19
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 5:50pm (UTC)
π https://hackerone.com/reports/1555502
πΉ Severity: Medium | π° 1,900 USD
πΉ Reported To: Shopify
πΉ Reported By: #kun_19
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 5:50pm (UTC)
π1
Improper deep link validation
π https://hackerone.com/reports/1087744
πΉ Severity: Low | π° 600 USD
πΉ Reported To: Shopify
πΉ Reported By: #fr4via
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 7:51pm (UTC)
π https://hackerone.com/reports/1087744
πΉ Severity: Low | π° 600 USD
πΉ Reported To: Shopify
πΉ Reported By: #fr4via
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 7:51pm (UTC)
[h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserTfaEnforcement
π https://hackerone.com/reports/1085042
πΉ Severity: Medium | π° 950 USD
πΉ Reported To: Shopify
πΉ Reported By: #ramsexy
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:15pm (UTC)
π https://hackerone.com/reports/1085042
πΉ Severity: Medium | π° 950 USD
πΉ Reported To: Shopify
πΉ Reported By: #ramsexy
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:15pm (UTC)
[h1-2102] Stored XSS in product description via `productUpdate` GraphQL query leads to XSS at handshake-web-internal.shopifycloud.com/products/[ID]
π https://hackerone.com/reports/1085546
πΉ Severity: Medium | π° 1,600 USD
πΉ Reported To: Shopify
πΉ Reported By: #intidc
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:33pm (UTC)
π https://hackerone.com/reports/1085546
πΉ Severity: Medium | π° 1,600 USD
πΉ Reported To: Shopify
πΉ Reported By: #intidc
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:33pm (UTC)
[h1-2102] HTML injection in packing slips can lead to physical theft
π https://hackerone.com/reports/1087122
πΉ Severity: Low | π° 900 USD
πΉ Reported To: Shopify
πΉ Reported By: #intidc
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:35pm (UTC)
π https://hackerone.com/reports/1087122
πΉ Severity: Low | π° 900 USD
πΉ Reported To: Shopify
πΉ Reported By: #intidc
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:35pm (UTC)
π1
Github base action takeover which is used in `github.com/Shopify/unity-buy-sdk`
π https://hackerone.com/reports/1439355
πΉ Severity: Low | π° 800 USD
πΉ Reported To: Shopify
πΉ Reported By: #codermak
πΉ State: π’ Resolved
πΉ Disclosed: July 12, 2022, 4:17am (UTC)
π https://hackerone.com/reports/1439355
πΉ Severity: Low | π° 800 USD
πΉ Reported To: Shopify
πΉ Reported By: #codermak
πΉ State: π’ Resolved
πΉ Disclosed: July 12, 2022, 4:17am (UTC)
π€1
[CVE-2021-44228] nps.acronis.com is vulnerable to the recent log4shell 0-day
π https://hackerone.com/reports/1425474
πΉ Severity: Critical | π° 1,000 USD
πΉ Reported To: Acronis
πΉ Reported By: #rhinestonecowboy
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 12:26am (UTC)
π https://hackerone.com/reports/1425474
πΉ Severity: Critical | π° 1,000 USD
πΉ Reported To: Acronis
πΉ Reported By: #rhinestonecowboy
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 12:26am (UTC)
π1
CVE-2021-40438 on cp-eu2.acronis.com
π https://hackerone.com/reports/1370731
πΉ Severity: High | π° 150 USD
πΉ Reported To: Acronis
πΉ Reported By: #savik
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 3:17am (UTC)
π https://hackerone.com/reports/1370731
πΉ Severity: High | π° 150 USD
πΉ Reported To: Acronis
πΉ Reported By: #savik
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 3:17am (UTC)
rubygems.org Batching attack to `confirmation_token` by bypass rate limit
π https://hackerone.com/reports/1559262
πΉ Severity: Low | π° 480 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #ooooooo_q
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 4:04am (UTC)
π https://hackerone.com/reports/1559262
πΉ Severity: Low | π° 480 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #ooooooo_q
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 4:04am (UTC)