Improper deep link validation
π https://hackerone.com/reports/1087744
πΉ Severity: Low | π° 600 USD
πΉ Reported To: Shopify
πΉ Reported By: #fr4via
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 7:51pm (UTC)
π https://hackerone.com/reports/1087744
πΉ Severity: Low | π° 600 USD
πΉ Reported To: Shopify
πΉ Reported By: #fr4via
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 7:51pm (UTC)
[h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserTfaEnforcement
π https://hackerone.com/reports/1085042
πΉ Severity: Medium | π° 950 USD
πΉ Reported To: Shopify
πΉ Reported By: #ramsexy
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:15pm (UTC)
π https://hackerone.com/reports/1085042
πΉ Severity: Medium | π° 950 USD
πΉ Reported To: Shopify
πΉ Reported By: #ramsexy
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:15pm (UTC)
[h1-2102] Stored XSS in product description via `productUpdate` GraphQL query leads to XSS at handshake-web-internal.shopifycloud.com/products/[ID]
π https://hackerone.com/reports/1085546
πΉ Severity: Medium | π° 1,600 USD
πΉ Reported To: Shopify
πΉ Reported By: #intidc
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:33pm (UTC)
π https://hackerone.com/reports/1085546
πΉ Severity: Medium | π° 1,600 USD
πΉ Reported To: Shopify
πΉ Reported By: #intidc
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:33pm (UTC)
[h1-2102] HTML injection in packing slips can lead to physical theft
π https://hackerone.com/reports/1087122
πΉ Severity: Low | π° 900 USD
πΉ Reported To: Shopify
πΉ Reported By: #intidc
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:35pm (UTC)
π https://hackerone.com/reports/1087122
πΉ Severity: Low | π° 900 USD
πΉ Reported To: Shopify
πΉ Reported By: #intidc
πΉ State: π’ Resolved
πΉ Disclosed: July 11, 2022, 9:35pm (UTC)
π1
Github base action takeover which is used in `github.com/Shopify/unity-buy-sdk`
π https://hackerone.com/reports/1439355
πΉ Severity: Low | π° 800 USD
πΉ Reported To: Shopify
πΉ Reported By: #codermak
πΉ State: π’ Resolved
πΉ Disclosed: July 12, 2022, 4:17am (UTC)
π https://hackerone.com/reports/1439355
πΉ Severity: Low | π° 800 USD
πΉ Reported To: Shopify
πΉ Reported By: #codermak
πΉ State: π’ Resolved
πΉ Disclosed: July 12, 2022, 4:17am (UTC)
π€1
[CVE-2021-44228] nps.acronis.com is vulnerable to the recent log4shell 0-day
π https://hackerone.com/reports/1425474
πΉ Severity: Critical | π° 1,000 USD
πΉ Reported To: Acronis
πΉ Reported By: #rhinestonecowboy
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 12:26am (UTC)
π https://hackerone.com/reports/1425474
πΉ Severity: Critical | π° 1,000 USD
πΉ Reported To: Acronis
πΉ Reported By: #rhinestonecowboy
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 12:26am (UTC)
π1
CVE-2021-40438 on cp-eu2.acronis.com
π https://hackerone.com/reports/1370731
πΉ Severity: High | π° 150 USD
πΉ Reported To: Acronis
πΉ Reported By: #savik
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 3:17am (UTC)
π https://hackerone.com/reports/1370731
πΉ Severity: High | π° 150 USD
πΉ Reported To: Acronis
πΉ Reported By: #savik
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 3:17am (UTC)
rubygems.org Batching attack to `confirmation_token` by bypass rate limit
π https://hackerone.com/reports/1559262
πΉ Severity: Low | π° 480 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #ooooooo_q
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 4:04am (UTC)
π https://hackerone.com/reports/1559262
πΉ Severity: Low | π° 480 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #ooooooo_q
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 4:04am (UTC)
One Click XSS in [www.shopify.com]
π https://hackerone.com/reports/1563334
πΉ Severity: No Rating | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #comwrg
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 6:13am (UTC)
π https://hackerone.com/reports/1563334
πΉ Severity: No Rating | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #comwrg
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 6:13am (UTC)
Undici ProxyAgent vulnerable to MITM
π https://hackerone.com/reports/1599063
πΉ Severity: High | π° 1,000 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #pimterry
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 1:20pm (UTC)
π https://hackerone.com/reports/1599063
πΉ Severity: High | π° 1,000 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #pimterry
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 1:20pm (UTC)
Undici does not use CONNECT or otherwise validate upstream HTTPS certificates when using a proxy
π https://hackerone.com/reports/1583680
πΉ Severity: High
πΉ Reported To: Node.js
πΉ Reported By: #pimterry
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 2:47pm (UTC)
π https://hackerone.com/reports/1583680
πΉ Severity: High
πΉ Reported To: Node.js
πΉ Reported By: #pimterry
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 2:47pm (UTC)
Stored XSS for Grafana dashboard URL
π https://hackerone.com/reports/684268
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: GitLab
πΉ Reported By: #xanbanx
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 3:12pm (UTC)
π https://hackerone.com/reports/684268
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: GitLab
πΉ Reported By: #xanbanx
πΉ State: π’ Resolved
πΉ Disclosed: July 13, 2022, 3:12pm (UTC)
π1
[h1-2102] shopApps query from the graphql at /users/api returns all existing created apps, including private ones
π https://hackerone.com/reports/1085332
πΉ Severity: Medium | π° 1,900 USD
πΉ Reported To: Shopify
πΉ Reported By: #inhibitor181
πΉ State: π’ Resolved
πΉ Disclosed: July 15, 2022, 8:23am (UTC)
π https://hackerone.com/reports/1085332
πΉ Severity: Medium | π° 1,900 USD
πΉ Reported To: Shopify
πΉ Reported By: #inhibitor181
πΉ State: π’ Resolved
πΉ Disclosed: July 15, 2022, 8:23am (UTC)
π3
POST BASED REFLECTED XSS IN dailydeals.mtn.co.za
π https://hackerone.com/reports/1451394
πΉ Severity: High
πΉ Reported To: MTN Group
πΉ Reported By: #shuvam321
πΉ State: π’ Resolved
πΉ Disclosed: July 15, 2022, 9:56am (UTC)
π https://hackerone.com/reports/1451394
πΉ Severity: High
πΉ Reported To: MTN Group
πΉ Reported By: #shuvam321
πΉ State: π’ Resolved
πΉ Disclosed: July 15, 2022, 9:56am (UTC)
Add me email address Authentication bypass
π https://hackerone.com/reports/1607645
πΉ Severity: No Rating
πΉ Reported To: LinkedIn
πΉ Reported By: #raajeevrathnam
πΉ State: βͺοΈ Informative
πΉ Disclosed: July 15, 2022, 4:33pm (UTC)
π https://hackerone.com/reports/1607645
πΉ Severity: No Rating
πΉ Reported To: LinkedIn
πΉ Reported By: #raajeevrathnam
πΉ State: βͺοΈ Informative
πΉ Disclosed: July 15, 2022, 4:33pm (UTC)
Insecure Object Permissions for Guest User leads to access to internal documents!
π https://hackerone.com/reports/1089583
πΉ Severity: Critical
πΉ Reported To: IBM
πΉ Reported By: #mocr7
πΉ State: π’ Resolved
πΉ Disclosed: July 15, 2022, 5:40pm (UTC)
π https://hackerone.com/reports/1089583
πΉ Severity: Critical
πΉ Reported To: IBM
πΉ Reported By: #mocr7
πΉ State: π’ Resolved
πΉ Disclosed: July 15, 2022, 5:40pm (UTC)
Can use the Reddit android app as usual even though revoking the access of it from reddit.com
π https://hackerone.com/reports/1632186
πΉ Severity: Critical
πΉ Reported To: Reddit
πΉ Reported By: #sateeshn
πΉ State: βͺοΈ Informative
πΉ Disclosed: July 16, 2022, 11:10am (UTC)
π https://hackerone.com/reports/1632186
πΉ Severity: Critical
πΉ Reported To: Reddit
πΉ Reported By: #sateeshn
πΉ State: βͺοΈ Informative
πΉ Disclosed: July 16, 2022, 11:10am (UTC)
Information disclosure ( Google Sales Channel )
π https://hackerone.com/reports/1584718
πΉ Severity: No Rating | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #hydraxanon82
πΉ State: π’ Resolved
πΉ Disclosed: July 17, 2022, 2:10pm (UTC)
π https://hackerone.com/reports/1584718
πΉ Severity: No Rating | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #hydraxanon82
πΉ State: π’ Resolved
πΉ Disclosed: July 17, 2022, 2:10pm (UTC)
Open Redirect βββ.8x8.com
π https://hackerone.com/reports/1637571
πΉ Severity: Low
πΉ Reported To: 8x8
πΉ Reported By: #mr_k0anti
πΉ State: π’ Resolved
πΉ Disclosed: July 17, 2022, 11:54pm (UTC)
π https://hackerone.com/reports/1637571
πΉ Severity: Low
πΉ Reported To: 8x8
πΉ Reported By: #mr_k0anti
πΉ State: π’ Resolved
πΉ Disclosed: July 17, 2022, 11:54pm (UTC)
Public Apache Tomcat /examples example directory
π https://hackerone.com/reports/1622624
πΉ Severity: Medium
πΉ Reported To: 8x8
πΉ Reported By: #mr_k0anti
πΉ State: π’ Resolved
πΉ Disclosed: July 18, 2022, 12:04am (UTC)
π https://hackerone.com/reports/1622624
πΉ Severity: Medium
πΉ Reported To: 8x8
πΉ Reported By: #mr_k0anti
πΉ State: π’ Resolved
πΉ Disclosed: July 18, 2022, 12:04am (UTC)
CVE-2019-11248 on https://β.β.β.β:9100/debug/pprof/goroutine
π https://hackerone.com/reports/1607940
πΉ Severity: Low
πΉ Reported To: 8x8
πΉ Reported By: #mr_k0anti
πΉ State: π’ Resolved
πΉ Disclosed: July 18, 2022, 12:14am (UTC)
π https://hackerone.com/reports/1607940
πΉ Severity: Low
πΉ Reported To: 8x8
πΉ Reported By: #mr_k0anti
πΉ State: π’ Resolved
πΉ Disclosed: July 18, 2022, 12:14am (UTC)