getUsersOfRoom discloses users in private channels
π https://hackerone.com/reports/1410357
πΉ Severity: Medium
πΉ Reported To: Rocket.Chat
πΉ Reported By: #gronke
πΉ State: π’ Resolved
πΉ Disclosed: September 22, 2022, 4:04pm (UTC)
π https://hackerone.com/reports/1410357
πΉ Severity: Medium
πΉ Reported To: Rocket.Chat
πΉ Reported By: #gronke
πΉ State: π’ Resolved
πΉ Disclosed: September 22, 2022, 4:04pm (UTC)
Unauthenticated IP allowlist bypass when accessing job artifacts through gitlab pages at `{group_id}.gitlab.io`
π https://hackerone.com/reports/1591412
πΉ Severity: Medium | π° 1,990 USD
πΉ Reported To: GitLab
πΉ Reported By: #joaxcar
πΉ State: π’ Resolved
πΉ Disclosed: September 22, 2022, 9:31pm (UTC)
π https://hackerone.com/reports/1591412
πΉ Severity: Medium | π° 1,990 USD
πΉ Reported To: GitLab
πΉ Reported By: #joaxcar
πΉ State: π’ Resolved
πΉ Disclosed: September 22, 2022, 9:31pm (UTC)
π₯1
Content injection in Jira issue title enabling sending arbitrary POST request as victim
π https://hackerone.com/reports/1533976
πΉ Severity: High | π° 8,690 USD
πΉ Reported To: GitLab
πΉ Reported By: #joaxcar
πΉ State: π’ Resolved
πΉ Disclosed: September 22, 2022, 9:32pm (UTC)
π https://hackerone.com/reports/1533976
πΉ Severity: High | π° 8,690 USD
πΉ Reported To: GitLab
πΉ Reported By: #joaxcar
πΉ State: π’ Resolved
πΉ Disclosed: September 22, 2022, 9:32pm (UTC)
π₯1
Open Redirect on www.redditinc.com via `failed` query param
π https://hackerone.com/reports/1257753
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Reddit
πΉ Reported By: #lu3ky-13
πΉ State: π’ Resolved
πΉ Disclosed: September 22, 2022, 11:27pm (UTC)
π https://hackerone.com/reports/1257753
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Reddit
πΉ Reported By: #lu3ky-13
πΉ State: π’ Resolved
πΉ Disclosed: September 22, 2022, 11:27pm (UTC)
com.basecamp.bc3 Webview Javascript Injection and JS bridge takeover
π https://hackerone.com/reports/1343300
πΉ Severity: High | π° 1,210 USD
πΉ Reported To: Basecamp
πΉ Reported By: #fr4via
πΉ State: π’ Resolved
πΉ Disclosed: September 23, 2022, 9:33am (UTC)
π https://hackerone.com/reports/1343300
πΉ Severity: High | π° 1,210 USD
πΉ Reported To: Basecamp
πΉ Reported By: #fr4via
πΉ State: π’ Resolved
πΉ Disclosed: September 23, 2022, 9:33am (UTC)
CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag
π https://hackerone.com/reports/1671140
πΉ Severity: High | π° 4,000 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #happyhacking123
πΉ State: π’ Resolved
πΉ Disclosed: September 23, 2022, 5:16pm (UTC)
π https://hackerone.com/reports/1671140
πΉ Severity: High | π° 4,000 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #happyhacking123
πΉ State: π’ Resolved
πΉ Disclosed: September 23, 2022, 5:16pm (UTC)
CVE-2022-35948: CRLF Injection in Nodejs βundiciβ via Content-Type
π https://hackerone.com/reports/1664019
πΉ Severity: Medium | π° 600 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #happyhacking123
πΉ State: π’ Resolved
πΉ Disclosed: September 23, 2022, 5:38pm (UTC)
π https://hackerone.com/reports/1664019
πΉ Severity: Medium | π° 600 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #happyhacking123
πΉ State: π’ Resolved
πΉ Disclosed: September 23, 2022, 5:38pm (UTC)
π1
[CVE-2022-35949]: undici.request vulnerable to SSRF using absolute / protocol-relative URL on pathname
π https://hackerone.com/reports/1663788
πΉ Severity: Medium | π° 1,200 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #haxatron1
πΉ State: π’ Resolved
πΉ Disclosed: September 23, 2022, 5:51pm (UTC)
π https://hackerone.com/reports/1663788
πΉ Severity: Medium | π° 1,200 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #haxatron1
πΉ State: π’ Resolved
πΉ Disclosed: September 23, 2022, 5:51pm (UTC)
Reflected xss on videostore.mtnonline.com
π https://hackerone.com/reports/1646248
πΉ Severity: High
πΉ Reported To: MTN Group
πΉ Reported By: #possowski
πΉ State: π’ Resolved
πΉ Disclosed: September 25, 2022, 7:10pm (UTC)
π https://hackerone.com/reports/1646248
πΉ Severity: High
πΉ Reported To: MTN Group
πΉ Reported By: #possowski
πΉ State: π’ Resolved
πΉ Disclosed: September 25, 2022, 7:10pm (UTC)
Main Domain Takeover at https://www.marketo.net/
π https://hackerone.com/reports/1661914
πΉ Severity: Critical
πΉ Reported To: Adobe
πΉ Reported By: #gdattacker
πΉ State: π’ Resolved
πΉ Disclosed: September 26, 2022, 3:05pm (UTC)
π https://hackerone.com/reports/1661914
πΉ Severity: Critical
πΉ Reported To: Adobe
πΉ Reported By: #gdattacker
πΉ State: π’ Resolved
πΉ Disclosed: September 26, 2022, 3:05pm (UTC)
XSS Reflected on reddit.com via url path
π https://hackerone.com/reports/1051373
πΉ Severity: High | π° 5,000 USD
πΉ Reported To: Reddit
πΉ Reported By: #criptex
πΉ State: π’ Resolved
πΉ Disclosed: September 27, 2022, 4:04pm (UTC)
π https://hackerone.com/reports/1051373
πΉ Severity: High | π° 5,000 USD
πΉ Reported To: Reddit
πΉ Reported By: #criptex
πΉ State: π’ Resolved
πΉ Disclosed: September 27, 2022, 4:04pm (UTC)
insecure gitlab repositories at ββββββββ [HtUS]
π https://hackerone.com/reports/1624152
πΉ Severity: High | π° 500 USD
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #thpless
πΉ State: π’ Resolved
πΉ Disclosed: September 27, 2022, 6:18pm (UTC)
π https://hackerone.com/reports/1624152
πΉ Severity: High | π° 500 USD
πΉ Reported To: U.S. Dept Of Defense
πΉ Reported By: #thpless
πΉ State: π’ Resolved
πΉ Disclosed: September 27, 2022, 6:18pm (UTC)
password field autocomplete enabled
π https://hackerone.com/reports/1023773
πΉ Severity: Medium
πΉ Reported To: Yelp
πΉ Reported By: #er_salil
πΉ State: βͺοΈ Informative
πΉ Disclosed: September 27, 2022, 11:26pm (UTC)
π https://hackerone.com/reports/1023773
πΉ Severity: Medium
πΉ Reported To: Yelp
πΉ Reported By: #er_salil
πΉ State: βͺοΈ Informative
πΉ Disclosed: September 27, 2022, 11:26pm (UTC)
CORS Misconfiguration on Yelp
π https://hackerone.com/reports/1707616
πΉ Severity: Medium
πΉ Reported To: Yelp
πΉ Reported By: #qualwin3001
πΉ State: βͺοΈ Informative
πΉ Disclosed: September 28, 2022, 3:43am (UTC)
π https://hackerone.com/reports/1707616
πΉ Severity: Medium
πΉ Reported To: Yelp
πΉ Reported By: #qualwin3001
πΉ State: βͺοΈ Informative
πΉ Disclosed: September 28, 2022, 3:43am (UTC)
Directory Listing vulnerability on β.packet8.net/php/include/
π https://hackerone.com/reports/790846
πΉ Severity: Low
πΉ Reported To: 8x8
πΉ Reported By: #rajauzairabdullah
πΉ State: π’ Resolved
πΉ Disclosed: September 28, 2022, 4:41am (UTC)
π https://hackerone.com/reports/790846
πΉ Severity: Low
πΉ Reported To: 8x8
πΉ Reported By: #rajauzairabdullah
πΉ State: π’ Resolved
πΉ Disclosed: September 28, 2022, 4:41am (UTC)
Server-side request forgery (ssrf)
π https://hackerone.com/reports/1712240
πΉ Severity: Medium
πΉ Reported To: Yelp
πΉ Reported By: #raja404
πΉ State: π΄ N/A
πΉ Disclosed: September 28, 2022, 7:54am (UTC)
π https://hackerone.com/reports/1712240
πΉ Severity: Medium
πΉ Reported To: Yelp
πΉ Reported By: #raja404
πΉ State: π΄ N/A
πΉ Disclosed: September 28, 2022, 7:54am (UTC)
DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices)
π https://hackerone.com/reports/1632921
πΉ Severity: High
πΉ Reported To: Node.js
πΉ Reported By: #zeyu2001
πΉ State: π’ Resolved
πΉ Disclosed: September 28, 2022, 8:38am (UTC)
π https://hackerone.com/reports/1632921
πΉ Severity: High
πΉ Reported To: Node.js
πΉ Reported By: #zeyu2001
πΉ State: π’ Resolved
πΉ Disclosed: September 28, 2022, 8:38am (UTC)
Take over subdomains of r2.dev using R2 custom domains
π https://hackerone.com/reports/1700276
πΉ Severity: Medium | π° 1,125 USD
πΉ Reported To: Cloudflare Public Bug Bounty
πΉ Reported By: #albertspedersen
πΉ State: π’ Resolved
πΉ Disclosed: September 28, 2022, 12:49pm (UTC)
π https://hackerone.com/reports/1700276
πΉ Severity: Medium | π° 1,125 USD
πΉ Reported To: Cloudflare Public Bug Bounty
πΉ Reported By: #albertspedersen
πΉ State: π’ Resolved
πΉ Disclosed: September 28, 2022, 12:49pm (UTC)
CSV export/import functionality allows administrators to modify member and message content of a workspace
π https://hackerone.com/reports/1661310
πΉ Severity: No Rating | π° 250 USD
πΉ Reported To: Slack
πΉ Reported By: #security_warrior
πΉ State: βͺοΈ Informative
πΉ Disclosed: September 28, 2022, 8:30pm (UTC)
π https://hackerone.com/reports/1661310
πΉ Severity: No Rating | π° 250 USD
πΉ Reported To: Slack
πΉ Reported By: #security_warrior
πΉ State: βͺοΈ Informative
πΉ Disclosed: September 28, 2022, 8:30pm (UTC)
XSS in Widget Review Form Preview in settings
π https://hackerone.com/reports/1595905
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Judge.me
πΉ Reported By: #penguinshelp
πΉ State: π’ Resolved
πΉ Disclosed: September 29, 2022, 8:35am (UTC)
π https://hackerone.com/reports/1595905
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Judge.me
πΉ Reported By: #penguinshelp
πΉ State: π’ Resolved
πΉ Disclosed: September 29, 2022, 8:35am (UTC)
no rate limit in forgot password session
π https://hackerone.com/reports/1714970
πΉ Severity: Medium
πΉ Reported To: Yelp
πΉ Reported By: #irfadps
πΉ State: π΄ N/A
πΉ Disclosed: September 29, 2022, 6:17pm (UTC)
π https://hackerone.com/reports/1714970
πΉ Severity: Medium
πΉ Reported To: Yelp
πΉ Reported By: #irfadps
πΉ State: π΄ N/A
πΉ Disclosed: September 29, 2022, 6:17pm (UTC)