Admin can create a hidden admin account which even the owner cannot detect or remove, and perform administrative actions on the application.
🔗 https://hackerone.com/reports/1596663
🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: Reddit
🔹 Reported By: #41bin
🔹 State: 🟢 Resolved
🔹 Disclosed: November 14, 2022, 4:34am (UTC)
Open redirect at mc-beta-cloud-acronis.com
🔗 https://hackerone.com/reports/846389
🔹 Severity: No Rating
🔹 Reported To: Acronis
🔹 Reported By: #angeltsvetkov
🔹 State: 🟢 Resolved
🔹 Disclosed: November 15, 2022, 9:49am (UTC)
New /add_contacts /remove_contacts quick commands susceptible to XSS from Customer Contact firstname/lastname fields
🔗 https://hackerone.com/reports/1578400
🔹 Severity: High | 💰 13,950 USD
🔹 Reported To: GitLab
🔹 Reported By: #cryptopone
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 1:07am (UTC)
XSS: `v-safe-html` is not safe enough
🔗 https://hackerone.com/reports/1579645
🔹 Severity: High | 💰 6,580 USD
🔹 Reported To: GitLab
🔹 Reported By: #yvvdwf
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 1:08am (UTC)
CSP-bypass XSS in project settings page
🔗 https://hackerone.com/reports/1588732
🔹 Severity: High | 💰 10,270 USD
🔹 Reported To: GitLab
🔹 Reported By: #yvvdwf
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 1:08am (UTC)
RCE via GitHub import
🔗 https://hackerone.com/reports/1672388
🔹 Severity: Critical | 💰 33,510 USD
🔹 Reported To: GitLab
🔹 Reported By: #yvvdwf
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 1:10am (UTC)
Ability to bypass locked Cloudflare WARP on wifi networks.
🔗 https://hackerone.com/reports/1635748
🔹 Severity: High | 💰 1,000 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #joshatmotion
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 8:59am (UTC)
[Git Gud] GitHub.com Svnbridge memcached deserialization vulnerability chain leading to Remote Code Execution
🔗 https://hackerone.com/reports/1593913
🔹 Severity: Medium | 💰 17,500 USD
🔹 Reported To: GitHub
🔹 Reported By: #ajxchapman
🔹 State: 🟢 Resolved
🔹 Disclosed: November 16, 2022, 9:22pm (UTC)
CSRF in AppSearch allows creation of "curations"
🔗 https://hackerone.com/reports/1477050
🔹 Severity: Medium | 💰 833 USD
🔹 Reported To: Elastic
🔹 Reported By: #dee-see
🔹 State: 🟢 Resolved
🔹 Disclosed: November 17, 2022, 1:26pm (UTC)
Directory Listing at https://█.█.█.█
🔗 https://hackerone.com/reports/1771051
🔹 Severity: Low
🔹 Reported To: 8x8
🔹 Reported By: #shuvam321
🔹 State: 🟢 Resolved
🔹 Disclosed: November 18, 2022, 1:49am (UTC)
Default password on 34.120.209.175
🔗 https://hackerone.com/reports/1415241
🔹 Severity: Medium | 💰 245 USD
🔹 Reported To: Elastic
🔹 Reported By: #newspaper
🔹 State: 🟢 Resolved
🔹 Disclosed: November 18, 2022, 8:14am (UTC)
Log4j Vulnerability [HtUS]
🔗 https://hackerone.com/reports/1624137
🔹 Severity: Critical | 💰 1,000 USD
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #fklet
🔹 State: 🟢 Resolved
🔹 Disclosed: November 18, 2022, 6:07pm (UTC)
Reflected XSS | https://████████
🔗 https://hackerone.com/reports/1736433
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #x3ph_
🔹 State: 🟢 Resolved
🔹 Disclosed: November 18, 2022, 6:33pm (UTC)
Reflected XSS | https://████
🔗 https://hackerone.com/reports/1736432
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #x3ph_
🔹 State: 🟢 Resolved
🔹 Disclosed: November 18, 2022, 6:34pm (UTC)
IDOR on ███████ [HtUS]
🔗 https://hackerone.com/reports/1627974
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #nightm4re
🔹 State: 🟢 Resolved
🔹 Disclosed: November 18, 2022, 6:36pm (UTC)
Open Redirect at █████
🔗 https://hackerone.com/reports/1634105
🔹 Severity: Medium
🔹 Reported To: U.S. Dept Of Defense
🔹 Reported By: #angeltsvetkov
🔹 State: 🟢 Resolved
🔹 Disclosed: November 18, 2022, 6:37pm (UTC)
Reflected XSS in chatbot
🔗 https://hackerone.com/reports/1735622
🔹 Severity: Medium
🔹 Reported To: MTN Group
🔹 Reported By: #roland_hack
🔹 State: 🟢 Resolved
🔹 Disclosed: November 19, 2022, 3:56pm (UTC)
No rate limiting for Remove Account leads to huge mass mailings
🔗 https://hackerone.com/reports/1723445
🔹 Severity: No Rating
🔹 Reported To: Weblate
🔹 Reported By: #tanvir_0x
🔹 State: 🟢 Resolved
🔹 Disclosed: November 20, 2022, 9:08am (UTC)
Dependency Confusion via Lookup Request Forwarding to PyPI.org
🔗 https://hackerone.com/reports/1681275
🔹 Severity: No Rating
🔹 Reported To: GitLab
🔹 Reported By: #usd-responsible-disclosure
🔹 State: ⚪️ Informative
🔹 Disclosed: November 21, 2022, 3:49am (UTC)
Open redirect that can lead to malicious websites
🔗 https://hackerone.com/reports/1771749
🔹 Severity: No Rating
🔹 Reported To: AMBER AI
🔹 Reported By: #mrdot404
🔹 State: ⚪️ Informative
🔹 Disclosed: November 21, 2022, 7:24am (UTC)