getRoomRoles Method leaks Channel Owner
🔗 https://hackerone.com/reports/1447440
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:03pm (UTC)
NoSQL-Injection discloses S3 File Upload URLs
🔗 https://hackerone.com/reports/1458020
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:03pm (UTC)
API route chat.getThreadsList leaks private message content
🔗 https://hackerone.com/reports/1446767
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:03pm (UTC)
Message ID Enumeration with Regular Expression in getReadReceipts Meteor method
🔗 https://hackerone.com/reports/1377105
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:03pm (UTC)
Rocket.chat user info security issue
🔗 https://hackerone.com/reports/1517377
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #mikolajczak
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:04pm (UTC)
getUsersOfRoom discloses users in private channels
🔗 https://hackerone.com/reports/1410357
🔹 Severity: Medium
🔹 Reported To: Rocket.Chat
🔹 Reported By: #gronke
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 4:04pm (UTC)
Unauthenticated IP allowlist bypass when accessing job artifacts through gitlab pages at `{group_id}.gitlab.io`
🔗 https://hackerone.com/reports/1591412
🔹 Severity: Medium | 💰 1,990 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 9:31pm (UTC)
Content injection in Jira issue title enabling sending arbitrary POST request as victim
🔗 https://hackerone.com/reports/1533976
🔹 Severity: High | 💰 8,690 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 9:32pm (UTC)
Open Redirect on www.redditinc.com via `failed` query param
🔗 https://hackerone.com/reports/1257753
🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Reddit
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: September 22, 2022, 11:27pm (UTC)
com.basecamp.bc3 Webview Javascript Injection and JS bridge takeover
🔗 https://hackerone.com/reports/1343300
🔹 Severity: High | 💰 1,210 USD
🔹 Reported To: Basecamp
🔹 Reported By: #fr4via
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2022, 9:33am (UTC)
CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag
🔗 https://hackerone.com/reports/1671140
🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #happyhacking123
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2022, 5:16pm (UTC)
CVE-2022-35948: CRLF Injection in Nodejs “undici” via Content-Type
🔗 https://hackerone.com/reports/1664019
🔹 Severity: Medium | 💰 600 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #happyhacking123
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2022, 5:38pm (UTC)
[CVE-2022-35949]: undici.request vulnerable to SSRF using absolute / protocol-relative URL on pathname
🔗 https://hackerone.com/reports/1663788
🔹 Severity: Medium | 💰 1,200 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #haxatron1
🔹 State: 🟢 Resolved
🔹 Disclosed: September 23, 2022, 5:51pm (UTC)
Reflected xss on videostore.mtnonline.com
🔗 https://hackerone.com/reports/1646248
🔹 Severity: High
🔹 Reported To: MTN Group
🔹 Reported By: #possowski
🔹 State: 🟢 Resolved
🔹 Disclosed: September 25, 2022, 7:10pm (UTC)
Main Domain Takeover at https://www.marketo.net/
🔗 https://hackerone.com/reports/1661914
🔹 Severity: Critical
🔹 Reported To: Adobe
🔹 Reported By: #gdattacker
🔹 State: 🟢 Resolved
🔹 Disclosed: September 26, 2022, 3:05pm (UTC)
XSS Reflected on reddit.com via url path
🔗 https://hackerone.com/reports/1051373
🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: Reddit
🔹 Reported By: #criptex
🔹 State: 🟢 Resolved
🔹 Disclosed: September 27, 2022, 4:04pm (UTC)
insecure gitlab repositories at ████████ [HtUS]
🔗 https://hackerone.com/reports/1624152
🔹 Severity: High | 💰 500 USD
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #thpless
🔹 State: 🟢 Resolved
🔹 Disclosed: September 27, 2022, 6:18pm (UTC)
password field autocomplete enabled
🔗 https://hackerone.com/reports/1023773
🔹 Severity: Medium
🔹 Reported To: Yelp
🔹 Reported By: #er_salil
🔹 State: ⚪️ Informative
🔹 Disclosed: September 27, 2022, 11:26pm (UTC)
CORS Misconfiguration on Yelp
🔗 https://hackerone.com/reports/1707616
🔹 Severity: Medium
🔹 Reported To: Yelp
🔹 Reported By: #qualwin3001
🔹 State: ⚪️ Informative
🔹 Disclosed: September 28, 2022, 3:43am (UTC)
Directory Listing vulnerability on █.packet8.net/php/include/
🔗 https://hackerone.com/reports/790846
🔹 Severity: Low
🔹 Reported To: 8x8
🔹 Reported By: #rajauzairabdullah
🔹 State: 🟢 Resolved
🔹 Disclosed: September 28, 2022, 4:41am (UTC)
Server-side request forgery (ssrf)
🔗 https://hackerone.com/reports/1712240
🔹 Severity: Medium
🔹 Reported To: Yelp
🔹 Reported By: #raja404
🔹 State: 🔴 N/A
🔹 Disclosed: September 28, 2022, 7:54am (UTC)