Cross-site Scripting (XSS) - Reflected

👉 https://hackerone.com/reports/1183336

🔹 Severity: Medium
🔹 Reported To: MTN Group
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: October 30, 2022, 9:54pm (UTC)

Cross-Site Request Forgery (CSRF) to xss

👉 https://hackerone.com/reports/1183241

🔹 Severity: Medium
🔹 Reported To: MTN Group
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: October 30, 2022, 9:54pm (UTC)

XSS in SocialIcon Link

👉 https://hackerone.com/reports/1698652

🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: Linktree
🔹 Reported By: #sudi
🔹 State: 🟢 Resolved
🔹 Disclosed: October 31, 2022, 4:04am (UTC)

Authentication bypass for ███ leads to take over any users account.

👉 https://hackerone.com/reports/1608151

🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Krisp
🔹 Reported By: #n0_m3rcy
🔹 State: 🟢 Resolved
🔹 Disclosed: October 31, 2022, 5:56pm (UTC)

IDOR in API applications (able to see any API token, leads to account takeover)

👉 https://hackerone.com/reports/1695454

🔹 Severity: Critical | 💰 500 USD
🔹 Reported To: Automattic
🔹 Reported By: #bugra
🔹 State: 🟢 Resolved
🔹 Disclosed: November 1, 2022, 10:46pm (UTC)

Stored XSS in intensedebate.com via the Comments RSS

👉 https://hackerone.com/reports/1664914

🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Automattic
🔹 Reported By: #bugra
🔹 State: 🟢 Resolved
🔹 Disclosed: November 2, 2022, 9:20am (UTC)

CVE-2022-42916: HSTS bypass via IDN

👉 https://hackerone.com/reports/1753226

🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #kurohiro
🔹 State: 🟢 Resolved
🔹 Disclosed: November 3, 2022, 12:19am (UTC)

Archived / Deleted / Private Poll Can Be Viewed by Another Users [Crowdsignal WordPress plugins]

👉 https://hackerone.com/reports/1711318

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Automattic
🔹 Reported By: #apapedulimu
🔹 State: 🟢 Resolved
🔹 Disclosed: November 3, 2022, 11:41am (UTC)

Command injection in GitHub Actions ContainerStepHost

👉 https://hackerone.com/reports/1637621

🔹 Severity: No Rating | 💰 4,000 USD
🔹 Reported To: GitHub
🔹 Reported By: #jupenur
🔹 State: 🟢 Resolved
🔹 Disclosed: November 3, 2022, 3:33pm (UTC)

RepositoryPipeline allows importing of local git repos

👉 https://hackerone.com/reports/1685822

🔹 Severity: Medium | 💰 22,300 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 3:43am (UTC)

DOS via move_issue

👉 https://hackerone.com/reports/1543584

🔹 Severity: Medium | 💰 2,300 USD
🔹 Reported To: GitLab
🔹 Reported By: #legit-security
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 3:44am (UTC)

Path paths and file disclosure vulnerabilities at influxdb.quality.gitlab.net

👉 https://hackerone.com/reports/1643962

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: GitLab
🔹 Reported By: #otoyyy
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 3:46am (UTC)

DOS via issue preview

👉 https://hackerone.com/reports/1543718

🔹 Severity: High | 💰 7,640 USD
🔹 Reported To: GitLab
🔹 Reported By: #legit-security
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 3:47am (UTC)

CSS Injection via Client Side Path Traversal + Open Redirect leads to personal data exfiltration on Acronis Cloud

👉 https://hackerone.com/reports/1245165

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #mr-medi
🔹 State: 🟢 Resolved
🔹 Disclosed: November 4, 2022, 7:38pm (UTC)

CVE-2022-35252: control code in cookie denial of service

👉 https://hackerone.com/reports/1686935

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #haxatron1
🔹 State: 🟢 Resolved
🔹 Disclosed: November 5, 2022, 2:50pm (UTC)

Completely remove VPN profile from locked WARP iOS cient.

👉 https://hackerone.com/reports/1633231

🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #joshatmotion
🔹 State: 🟢 Resolved
🔹 Disclosed: November 7, 2022, 10:59am (UTC)

Bypass Cloudflare WARP lock on iOS.

👉 https://hackerone.com/reports/1542450

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #joshatmotion
🔹 State: 🟢 Resolved
🔹 Disclosed: November 7, 2022, 11:02am (UTC)

I found another way to bypass Cloudflare Warp lock!

👉 https://hackerone.com/reports/1605847

🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #joshatmotion
🔹 State: 🟢 Resolved
🔹 Disclosed: November 7, 2022, 11:02am (UTC)

Exceed photo dimensions, Flickr.com

👉 https://hackerone.com/reports/1755552

🔹 Severity: Low | 💰 50 USD
🔹 Reported To: Flickr
🔹 Reported By: #0xcyborg
🔹 State: ⚪️ Informative
🔹 Disclosed: November 7, 2022, 5:53pm (UTC)

Subdomain Takeover via Unclaimed Amazon S3 Bucket (Musical.ly)

👉 https://hackerone.com/reports/1102537

🔹 Severity: Low | 💰 200 USD
🔹 Reported To: TikTok
🔹 Reported By: #daik0n
🔹 State: 🟢 Resolved
🔹 Disclosed: November 7, 2022, 9:34pm (UTC)

Public Github Repo Leaking Internal Credentials

👉 https://hackerone.com/reports/1763266

🔹 Severity: Critical
🔹 Reported To: Yelp
🔹 Reported By: #xinfohuggerx
🔹 State: ⚪️ Informative
🔹 Disclosed: November 7, 2022, 11:45pm (UTC)