Remove Every User, Admin, And Owner Out Of Their Teams on developers.mtn.com via IDOR + Information Disclosure
π https://hackerone.com/reports/1448550
πΉ Severity: Critical
πΉ Reported To: MTN Group
πΉ Reported By: #wallotry
πΉ State: π’ Resolved
πΉ Disclosed: December 1, 2022, 5:34pm (UTC)
π https://hackerone.com/reports/1448550
πΉ Severity: Critical
πΉ Reported To: MTN Group
πΉ Reported By: #wallotry
πΉ State: π’ Resolved
πΉ Disclosed: December 1, 2022, 5:34pm (UTC)
π±1
Subdomain Takeover at course.oberlo.com
π https://hackerone.com/reports/1690951
πΉ Severity: No Rating
πΉ Reported To: Shopify
πΉ Reported By: #m7mdharoun
πΉ State: π’ Resolved
πΉ Disclosed: December 1, 2022, 7:22pm (UTC)
π https://hackerone.com/reports/1690951
πΉ Severity: No Rating
πΉ Reported To: Shopify
πΉ Reported By: #m7mdharoun
πΉ State: π’ Resolved
πΉ Disclosed: December 1, 2022, 7:22pm (UTC)
Read/Write arbitrary (non-HttpOnly) cookies on checkout pages via GoogleAnalyticsAdditionalScripts postMessage handler
π https://hackerone.com/reports/1081167
πΉ Severity: Medium | π° 1,600 USD
πΉ Reported To: Shopify
πΉ Reported By: #bored-engineer
πΉ State: π’ Resolved
πΉ Disclosed: December 1, 2022, 7:34pm (UTC)
π https://hackerone.com/reports/1081167
πΉ Severity: Medium | π° 1,600 USD
πΉ Reported To: Shopify
πΉ Reported By: #bored-engineer
πΉ State: π’ Resolved
πΉ Disclosed: December 1, 2022, 7:34pm (UTC)
Disconnecting an external login provider does not revoke session
π https://hackerone.com/reports/1547684
πΉ Severity: Medium | π° 1,600 USD
πΉ Reported To: Shopify
πΉ Reported By: #attackerbhai
πΉ State: π’ Resolved
πΉ Disclosed: December 1, 2022, 7:50pm (UTC)
π https://hackerone.com/reports/1547684
πΉ Severity: Medium | π° 1,600 USD
πΉ Reported To: Shopify
πΉ Reported By: #attackerbhai
πΉ State: π’ Resolved
πΉ Disclosed: December 1, 2022, 7:50pm (UTC)
Stored XSS in /admin/product and /admin/collections
π https://hackerone.com/reports/1147433
πΉ Severity: Medium | π° 5,300 USD
πΉ Reported To: Shopify
πΉ Reported By: #ashketchum
πΉ State: π’ Resolved
πΉ Disclosed: December 1, 2022, 10:44pm (UTC)
π https://hackerone.com/reports/1147433
πΉ Severity: Medium | π° 5,300 USD
πΉ Reported To: Shopify
πΉ Reported By: #ashketchum
πΉ State: π’ Resolved
πΉ Disclosed: December 1, 2022, 10:44pm (UTC)
Authentication bypass in https://nin.mtn.ng
π https://hackerone.com/reports/1747146
πΉ Severity: Critical
πΉ Reported To: MTN Group
πΉ Reported By: #roland_hack
πΉ State: π’ Resolved
πΉ Disclosed: December 2, 2022, 1:00pm (UTC)
π https://hackerone.com/reports/1747146
πΉ Severity: Critical
πΉ Reported To: MTN Group
πΉ Reported By: #roland_hack
πΉ State: π’ Resolved
πΉ Disclosed: December 2, 2022, 1:00pm (UTC)
XSS in Acronis Cloud Manager Admin Portal
π https://hackerone.com/reports/1388788
πΉ Severity: Medium | π° 100 USD
πΉ Reported To: Acronis
πΉ Reported By: #mooimacow
πΉ State: π’ Resolved
πΉ Disclosed: December 2, 2022, 7:48pm (UTC)
π https://hackerone.com/reports/1388788
πΉ Severity: Medium | π° 100 USD
πΉ Reported To: Acronis
πΉ Reported By: #mooimacow
πΉ State: π’ Resolved
πΉ Disclosed: December 2, 2022, 7:48pm (UTC)
POST following PUT confusion
π https://hackerone.com/reports/1752146
πΉ Severity: Medium | π° 2,400 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #robbotic
πΉ State: π’ Resolved
πΉ Disclosed: December 2, 2022, 9:03pm (UTC)
π https://hackerone.com/reports/1752146
πΉ Severity: Medium | π° 2,400 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #robbotic
πΉ State: π’ Resolved
πΉ Disclosed: December 2, 2022, 9:03pm (UTC)
Exposed Cortex API at https://cortex-ingest.shopifycloud.com/
π https://hackerone.com/reports/1258871
πΉ Severity: Medium | π° 6,300 USD
πΉ Reported To: Shopify
πΉ Reported By: #ian
πΉ State: π’ Resolved
πΉ Disclosed: December 2, 2022, 10:25pm (UTC)
π https://hackerone.com/reports/1258871
πΉ Severity: Medium | π° 6,300 USD
πΉ Reported To: Shopify
πΉ Reported By: #ian
πΉ State: π’ Resolved
πΉ Disclosed: December 2, 2022, 10:25pm (UTC)
π1
CVE-2022-35260: .netrc parser out-of-bounds access
π https://hackerone.com/reports/1753224
πΉ Severity: Low | π° 480 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #kurohiro
πΉ State: π’ Resolved
πΉ Disclosed: December 3, 2022, 12:20am (UTC)
π https://hackerone.com/reports/1753224
πΉ Severity: Low | π° 480 USD
πΉ Reported To: Internet Bug Bounty
πΉ Reported By: #kurohiro
πΉ State: π’ Resolved
πΉ Disclosed: December 3, 2022, 12:20am (UTC)
π1
IDOR in Stats API Endpoint Allows Viewing Equity or Net Profit of Any MT Account
π https://hackerone.com/reports/1644436
πΉ Severity: No Rating | π° 1,000 USD
πΉ Reported To: EXNESS
πΉ Reported By: #ashwarya
πΉ State: π’ Resolved
πΉ Disclosed: December 5, 2022, 3:50pm (UTC)
π https://hackerone.com/reports/1644436
πΉ Severity: No Rating | π° 1,000 USD
πΉ Reported To: EXNESS
πΉ Reported By: #ashwarya
πΉ State: π’ Resolved
πΉ Disclosed: December 5, 2022, 3:50pm (UTC)
π9β€2