Homograph attack bypass cause redirection
π https://hackerone.com/reports/1285245
πΉ Severity: No Rating | π° 50 USD
πΉ Reported To: Vanilla
πΉ Reported By: #malek
πΉ State: π’ Resolved
πΉ Disclosed: July 10, 2022, 9:38pm (UTC)
π https://hackerone.com/reports/1285245
πΉ Severity: No Rating | π° 50 USD
πΉ Reported To: Vanilla
πΉ Reported By: #malek
πΉ State: π’ Resolved
πΉ Disclosed: July 10, 2022, 9:38pm (UTC)
Server Side Template Injection on Name parameter during Sign Up process
π https://hackerone.com/reports/1104349
πΉ Severity: High
πΉ Reported To: Glovo
πΉ Reported By: #battle_angel
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 8:42am (UTC)
π https://hackerone.com/reports/1104349
πΉ Severity: High
πΉ Reported To: Glovo
πΉ Reported By: #battle_angel
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 8:42am (UTC)
Getting a free delivery by singing up from "[email protected]"
π https://hackerone.com/reports/1296584
πΉ Severity: Medium
πΉ Reported To: Glovo
πΉ Reported By: #cmuppin
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 8:42am (UTC)
π https://hackerone.com/reports/1296584
πΉ Severity: Medium
πΉ Reported To: Glovo
πΉ Reported By: #cmuppin
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 8:42am (UTC)
Mass Account Takeover at https://app.taxjar.com/ - No user Interaction
π https://hackerone.com/reports/1581240
πΉ Severity: Critical | π° 11,500 USD
πΉ Reported To: Stripe
πΉ Reported By: #beerboy_ankit
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 1:50pm (UTC)
π https://hackerone.com/reports/1581240
πΉ Severity: Critical | π° 11,500 USD
πΉ Reported To: Stripe
πΉ Reported By: #beerboy_ankit
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 1:50pm (UTC)
π3π2
Able to view hackerone reports attachments
π https://hackerone.com/reports/979787
πΉ Severity: Critical | π° 12,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #sateeshn
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 4:00pm (UTC)
π https://hackerone.com/reports/979787
πΉ Severity: Critical | π° 12,000 USD
πΉ Reported To: GitLab
πΉ Reported By: #sateeshn
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 4:00pm (UTC)
π€―3π1
Theme editor `oseid` parameter is leaked to third-party services through the `Referer` header which leads to somekind of storefront password bypass.
π https://hackerone.com/reports/1262434
πΉ Severity: Low | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #saltymermaid
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 5:13pm (UTC)
π https://hackerone.com/reports/1262434
πΉ Severity: Low | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #saltymermaid
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 5:13pm (UTC)
Collaborators and Staff members without all necessary permissions are able to create, edit and install custom apps
π https://hackerone.com/reports/1555502
πΉ Severity: Medium | π° 1,900 USD
πΉ Reported To: Shopify
πΉ Reported By: #kun_19
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 5:50pm (UTC)
π https://hackerone.com/reports/1555502
πΉ Severity: Medium | π° 1,900 USD
πΉ Reported To: Shopify
πΉ Reported By: #kun_19
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 5:50pm (UTC)
π1
Improper deep link validation
π https://hackerone.com/reports/1087744
πΉ Severity: Low | π° 600 USD
πΉ Reported To: Shopify
πΉ Reported By: #fr4via
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 7:51pm (UTC)
π https://hackerone.com/reports/1087744
πΉ Severity: Low | π° 600 USD
πΉ Reported To: Shopify
πΉ Reported By: #fr4via
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 7:51pm (UTC)
[h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserTfaEnforcement
π https://hackerone.com/reports/1085042
πΉ Severity: Medium | π° 950 USD
πΉ Reported To: Shopify
πΉ Reported By: #ramsexy
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:15pm (UTC)
π https://hackerone.com/reports/1085042
πΉ Severity: Medium | π° 950 USD
πΉ Reported To: Shopify
πΉ Reported By: #ramsexy
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:15pm (UTC)
[h1-2102] Stored XSS in product description via `productUpdate` GraphQL query leads to XSS at handshake-web-internal.shopifycloud.com/products/[ID]
π https://hackerone.com/reports/1085546
πΉ Severity: Medium | π° 1,600 USD
πΉ Reported To: Shopify
πΉ Reported By: #intidc
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:33pm (UTC)
π https://hackerone.com/reports/1085546
πΉ Severity: Medium | π° 1,600 USD
πΉ Reported To: Shopify
πΉ Reported By: #intidc
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:33pm (UTC)
[h1-2102] HTML injection in packing slips can lead to physical theft
π https://hackerone.com/reports/1087122
πΉ Severity: Low | π° 900 USD
πΉ Reported To: Shopify
πΉ Reported By: #intidc
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:35pm (UTC)
π https://hackerone.com/reports/1087122
πΉ Severity: Low | π° 900 USD
πΉ Reported To: Shopify
πΉ Reported By: #intidc
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:35pm (UTC)
π1
Github base action takeover which is used in `github.com/Shopify/unity-buy-sdk`
π https://hackerone.com/reports/1439355
πΉ Severity: Low | π° 800 USD
πΉ Reported To: Shopify
πΉ Reported By: #codermak
πΉ State: π’ Resolved
πΉ Disclosed: July 12, 2022, 4:17am (UTC)
π https://hackerone.com/reports/1439355
πΉ Severity: Low | π° 800 USD
πΉ Reported To: Shopify
πΉ Reported By: #codermak
πΉ State: π’ Resolved
πΉ Disclosed: July 12, 2022, 4:17am (UTC)
π€1
[CVE-2021-44228] nps.acronis.com is vulnerable to the recent log4shell 0-day
π https://hackerone.com/reports/1425474
πΉ Severity: Critical | π° 1,000 USD
πΉ Reported To: Acronis
πΉ Reported By: #rhinestonecowboy
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 12:26am (UTC)
π https://hackerone.com/reports/1425474
πΉ Severity: Critical | π° 1,000 USD
πΉ Reported To: Acronis
πΉ Reported By: #rhinestonecowboy
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 12:26am (UTC)
π1
CVE-2021-40438 on cp-eu2.acronis.com
π https://hackerone.com/reports/1370731
πΉ Severity: High | π° 150 USD
πΉ Reported To: Acronis
πΉ Reported By: #savik
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 3:17am (UTC)
π https://hackerone.com/reports/1370731
πΉ Severity: High | π° 150 USD
πΉ Reported To: Acronis
πΉ Reported By: #savik
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 3:17am (UTC)
rubygems.org Batching attack to `confirmation_token` by bypass rate limit
π https://hackerone.com/reports/1559262
πΉ Severity: Low | π° 480 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #ooooooo_q
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 4:04am (UTC)
π https://hackerone.com/reports/1559262
πΉ Severity: Low | π° 480 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #ooooooo_q
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 4:04am (UTC)
One Click XSS in [www.shopify.com]
π https://hackerone.com/reports/1563334
πΉ Severity: No Rating | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #comwrg
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 6:13am (UTC)
π https://hackerone.com/reports/1563334
πΉ Severity: No Rating | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #comwrg
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 6:13am (UTC)
Undici ProxyAgent vulnerable to MITM
π https://hackerone.com/reports/1599063
πΉ Severity: High | π° 1,000 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #pimterry
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 1:20pm (UTC)
π https://hackerone.com/reports/1599063
πΉ Severity: High | π° 1,000 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #pimterry
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 1:20pm (UTC)
Undici does not use CONNECT or otherwise validate upstream HTTPS certificates when using a proxy
π https://hackerone.com/reports/1583680
πΉ Severity: High
πΉ Reported To: Node.js
πΉ Reported By: #pimterry
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 2:47pm (UTC)
π https://hackerone.com/reports/1583680
πΉ Severity: High
πΉ Reported To: Node.js
πΉ Reported By: #pimterry
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 2:47pm (UTC)
Stored XSS for Grafana dashboard URL
π https://hackerone.com/reports/684268
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: GitLab
πΉ Reported By: #xanbanx
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 3:12pm (UTC)
π https://hackerone.com/reports/684268
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: GitLab
πΉ Reported By: #xanbanx
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 3:12pm (UTC)
π1
[h1-2102] shopApps query from the graphql at /users/api returns all existing created apps, including private ones
π https://hackerone.com/reports/1085332
πΉ Severity: Medium | π° 1,900 USD
πΉ Reported To: Shopify
πΉ Reported By: #inhibitor181
πΉ State: π’ Resolved
πΉ Disclosed: July 15, 2022, 8:23am (UTC)
π https://hackerone.com/reports/1085332
πΉ Severity: Medium | π° 1,900 USD
πΉ Reported To: Shopify
πΉ Reported By: #inhibitor181
πΉ State: π’ Resolved
πΉ Disclosed: July 15, 2022, 8:23am (UTC)
π3
POST BASED REFLECTED XSS IN dailydeals.mtn.co.za
π https://hackerone.com/reports/1451394
πΉ Severity: High
πΉ Reported To: MTN Group
πΉ Reported By: #shuvam321
πΉ State: π’ Resolved
πΉ Disclosed: July 15, 2022, 9:56am (UTC)
π https://hackerone.com/reports/1451394
πΉ Severity: High
πΉ Reported To: MTN Group
πΉ Reported By: #shuvam321
πΉ State: π’ Resolved
πΉ Disclosed: July 15, 2022, 9:56am (UTC)