readme.md
January 20, 2023
Title
Access Projects And create projects in gitlab pre production server
URL
https://hackerone.com/reports/540711
Severity score
null
Reporter
uzsunnyz
Bounty paid
$1,000
Title
Possibility to overwrite any file in the vpe.cdn.vimeo.tv leads to the Stored XSS for the all customers on the embed.vhx.tv
URL
https://hackerone.com/reports/452559
Severity score
null
Reporter
sp1d3rs
Bounty paid
$1,500
Title
Initial mirror user can be assigned by other user even if the mirror was removed
URL
https://hackerone.com/reports/819821
Severity score
null
Reporter
sky003
Bounty paid
$3,000
Title
User Able to Reopen a Ticket by Modify the Request
URL
https://hackerone.com/reports/998993
Severity score
3.7
Reporter
gnux
Bounty paid
$169
Title
Restricted user can remove NerdStorage documents/collections scoped to ACCOUNT or ENTITY
URL
https://hackerone.com/reports/766145
Severity score
null
Reporter
skavans
Bounty paid
$600
Title
User with removed manage shops permissions is still able to make changes to a shop
URL
https://hackerone.com/reports/273099
Severity score
null
Reporter
flashdisk
Bounty paid
$1,000
Title
xmlrpc.php file enabled - data.gov
URL
https://hackerone.com/reports/673384
Severity score
null
Reporter
ayan_saha
Bounty paid
null
Title
HTTP PUT method enabled
URL
https://hackerone.com/reports/369581
Severity score
null
Reporter
emitrani
Bounty paid
null
Title
Any user can completely delete their own account without authorization and/or going through any kind of membership cancellation protocol.
URL
https://hackerone.com/reports/317507
Severity score
null
Reporter
s3cur3
Bounty paid
null
Title
"Secure View" aka "Hide Download" can be bypassed easily
URL
https://hackerone.com/reports/788257
Severity score
null
Reporter
at5djl3pwjmunyutnoatp
Bounty paid
$100
Title
SharePoint Web Services Exposed to Anonymous Access
URL
https://hackerone.com/reports/920403
Severity score
null
Reporter
balisong
Bounty paid
null
Title
Import of repositories from GitHub is tied to username instead of immutable ID
URL
https://hackerone.com/reports/452920
Severity score
null
Reporter
emitrani
Bounty paid
null
Title
Attacker is able to access commit title and team member comments which are supposed to be private
URL
https://hackerone.com/reports/502593
Severity score
null
Reporter
yashrs
Bounty paid
$7,000
Title
H1514 Bypass Wholesale account signup restrictions
URL
https://hackerone.com/reports/423496
Severity score
5.3
Reporter
cablej
Bounty paid
$2,000
Title
Staff can extend Shopify trial period without admin permission
URL
https://hackerone.com/reports/947728
Severity score
null
Reporter
risinghunter
Bounty paid
$500
Title
SSL Key Certificate expires
URL
https://hackerone.com/reports/224904
Severity score
null
Reporter
unad
Bounty paid
null
Title
Able to view Backend Database due to improper authentication
URL
https://hackerone.com/reports/258573
Severity score
null
Reporter
nobody_cares_
Bounty paid
null
Title
linkinfo - openbasedir bypass on Windows PHP
URL
https://hackerone.com/reports/384719
Severity score
null
Reporter
fms
Bounty paid
$500
Title
Read-only team members can read all properties of webhooks
URL
https://hackerone.com/reports/818848
Severity score
null
Reporter
bencode
Bounty paid
null
Title
CORS misconfiguration which leads to the disclosure of certain data concerning the user.
URL
https://hackerone.com/reports/769058
Severity score
null
Reporter
a_d_a_m
Bounty paid
$100
Title
Improper access control on easytopup.in.th transaction page leads to user's information disclosure and may lead to account hijacking
URL
https://hackerone.com/reports/776877
Severity score
null
Reporter
nnez
Bounty paid
$1,000
Title
xmlrpc.php is enabled - Nextcloud
URL
https://hackerone.com/reports/458696
Severity score
null
Reporter
jaimaakali
Bounty paid
null
Title
Bypassing push rules via MRs created by Email
URL
https://hackerone.com/reports/526570
Severity score
null
Reporter
xanbanx
Bounty paid
$3,000
Title
Through blocking the redirect in /* the attacker is able to bypass Authentication to see Sensitive Data such as Game Keys, Emails, ...
URL
https://hackerone.com/reports/736273
Severity score
null
Reporter
st00rm
Bounty paid
$1,000
Title
Access to Unclassified / FOUO Advanced Motion Platform of █████████.mil
URL
https://hackerone.com/reports/1003455
Severity score
null
Reporter
kaulse
Bounty paid
null
Title
Unauthorised Account Detail Modification
URL
https://hackerone.com/reports/868146
Severity score
null
Reporter
5kyw41k3r
Bounty paid
null
Title
Access to Employee calendar disclosing internal presentation and meetings
URL
https://hackerone.com/reports/489284
Severity score
null
Reporter
commandersnuggle
Bounty paid
$1,000
Title
Partner's non-verified business email change reflected into Shopify Collaborator Request
URL
https://hackerone.com/reports/874574
Severity score
null
Reporter
francisbeaudoin
Bounty paid
$1,000
Title
Subdomain takeover on mta1a1.spmail.uber.com
URL
https://hackerone.com/reports/707748
Severity score
null
Reporter
0x3c3e
Bounty paid
$500
Title
mrgs.my.games account takeover
URL
https://hackerone.com/reports/999314
Severity score
8.4
Reporter
maxarr
Bounty paid
$500
Title
Ticket Trick at https://account.acronis.com
URL
https://hackerone.com/reports/999765
Severity score
null
Reporter
sayaanalam
Bounty paid
$750
Title
API Webhooks Fire And Are Unlisted After Permissions Removed
URL
https://hackerone.com/reports/227230
Severity score
null
Reporter
yaworsk
Bounty paid
null
Title
Account takeover in cups.mail.ru using punycode characters
URL
https://hackerone.com/reports/922559
Severity score
null
Reporter
weev3kyaw
Bounty paid
$1,500
Title
easyXDM allows cross domain postmessaging with any origin, leaking sensitive info
URL
https://hackerone.com/reports/344557
Severity score
6
Reporter
chaosbolt
Bounty paid
$250
Title
Group search leaks private MRs, code, commits
URL
https://hackerone.com/reports/692252
Severity score
7.5
Reporter
rpadovani
Bounty paid
$7,000
Title
Improper access control to messages of Social app
URL
https://hackerone.com/reports/921717
Severity score
5
Reporter
sanktjodel
Bounty paid
null
Title
CI for [example.gov] can be logged in and accessible
URL
https://hackerone.com/reports/311289
Severity score
9
Reporter
kunal94
Bounty paid
$2,000
Title
Members from parent group keep their access level on a subgroup transfer and are invisible
URL
https://hackerone.com/reports/790786
Severity score
7.6
Reporter
kryword
Bounty paid
$4,000
Title
HTTP PUT method enabled
URL
https://hackerone.com/reports/460642
Severity score
null
Reporter
hach3ro
Bounty paid
null
Title
Allows any user to share their "Root" level folder by sharing "."
URL
https://hackerone.com/reports/889795
Severity score
0
Reporter
chevonphillip
Bounty paid
null
Title
Ability to publish a paid theme without purchasing it.
URL
https://hackerone.com/reports/953083
Severity score
null
Reporter
saltymermaid
Bounty paid
$2,000
Title
Can register any mobile number in MFA without current code.
URL
https://hackerone.com/reports/667740
Severity score
null
Reporter
chackmate
Bounty paid
$750
Title
No ACL on S3 Bucket in [https://www.██████████/]
URL
https://hackerone.com/reports/809212
Severity score
null
Reporter
yghonem
Bounty paid
null
Title
**.*.my.com open proxy
URL
https://hackerone.com/reports/424003
Severity score
0
Reporter
linkks
Bounty paid
$300
Title
[█████████] Administrative access to Oracle WebLogic Server using default credentials
URL
https://hackerone.com/reports/804548
Severity score
null
Reporter
arm4nd0
Bounty paid
null
Title
Thailand - a small number of SMB CCTV footage backup servers were accessible without authentication.
URL
https://hackerone.com/reports/417360
Severity score
6.1
Reporter
radoooz
Bounty paid
null
Title
[pulse.mail.ru] Access to the statistics of other people's sites
URL
https://hackerone.com/reports/831663
Severity score
6.7
Reporter
rainbow_json
Bounty paid
$400
Title
securitytemplate.site domain hijack
URL
https://hackerone.com/reports/538651
Severity score
5
Reporter
drstache
Bounty paid
null
Title
Able to bypass "Device credentials" Lock
URL
https://hackerone.com/reports/507172
Severity score
3.8
Reporter
blackdex
Bounty paid
$100
Title
[performancemarketing.geekbrains.ru] Tilda Subdomain Takeover
URL
https://hackerone.com/reports/928602
Severity score
null
Reporter
xaleraf4ra
Bounty paid
null
Title
Anonymous user login to Nexus Repository Manager
URL
https://hackerone.com/reports/540698
Severity score
7
Reporter
sbakhour
Bounty paid
null
Title
CORS misconfiguration which leads to the disclosure
URL
https://hackerone.com/reports/1005374
Severity score
null
Reporter
ahmed12ossman
Bounty paid
null
Title
Internal API endpoint is accessible for everyone
URL
https://hackerone.com/reports/1066790
Severity score
null
Reporter
arnonymous
Bounty paid
null
Title
[h1-415 2020] I got the flag
URL
https://hackerone.com/reports/777099
Severity score
null
Reporter
jllis
Bounty paid
null
Title
CORS on (ws.infogram.com)
URL
https://hackerone.com/reports/372452
Severity score
null
Reporter
real_loser
Bounty paid
null
Title
Arbitrary file creation with semi-controlled content (leads to DoS, EoP and others) at Steam Windows Client
URL
https://hackerone.com/reports/682774
Severity score
null
Reporter
xi-tauw
Bounty paid
$1,250
Title
Login bypass on travel.██████████ aka "Harvest Spring Summit 2017"
URL
https://hackerone.com/reports/219203
Severity score
5.3
Reporter
michiel
Bounty paid
null
Title
[IDOR] Deleting other people's tasks
URL
https://hackerone.com/reports/293845
Severity score
null
Reporter
mishre
Bounty paid
$300
Title
Insufficient access control on all BCRM instances leading to the ability to create admin accounts using the API
URL
https://hackerone.com/reports/836081
Severity score
null
Reporter
j0eii
Bounty paid
$4,750
Title
Unauthorized access and update of EMAIL settings of other user at https://app.dropcontact.io/app/sponsorship/ by changing the "email" parameter.
URL
https://hackerone.com/reports/953866
Severity score
null
Reporter
kapkan
Bounty paid
null
Title
Private list members disclosure via GraphQL
URL
https://hackerone.com/reports/885539
Severity score
null
Reporter
ryotak
Bounty paid
$2,940
Title
Removed staff members who had "Manage shops" permission can still create development stores
URL
https://hackerone.com/reports/254588
Severity score
5
Reporter
zombiehelp54
Bounty paid
$500
Title
Low Privileged Staff Member Can Export Billing Charges
URL
https://hackerone.com/reports/1010835
Severity score
4.3
Reporter
ash_nz
Bounty paid
$1,900
Title
Blocked user Git access through CI/CD token
URL
https://hackerone.com/reports/497047
Severity score
null
Reporter
logan5
Bounty paid
$1,500
Title
Cross-origin resource sharing: arbitrary origin trusted on chatws25.stream.highwebmedia.com
URL
https://hackerone.com/reports/417453
Severity score
null
Reporter
mase289
Bounty paid
null
Title
Race condition in claiming program credentials
URL
https://hackerone.com/reports/488985
Severity score
3.4
Reporter
flashdisk
Bounty paid
$500
Title
Bypass Rejected ads so user can view it as normal live ad.
URL
https://hackerone.com/reports/669736
Severity score
null
Reporter
kishoretrommer
Bounty paid
null
Title
Organization Takeover
URL
https://hackerone.com/reports/809816
Severity score
8.9
Reporter
azraelsec
Bounty paid
$500
Title
Open S3 Bucket Accessible by any Aws User
URL
https://hackerone.com/reports/819278
Severity score
null
Reporter
kartarkat
Bounty paid
$100
Title
Missing server side controls when editing the board’s sharing permissions per user
URL
https://hackerone.com/reports/827816
Severity score
7.3
Reporter
warsocks
Bounty paid
$100
Title
unauthorized access to add admin endpoint
URL
https://hackerone.com/reports/725711
Severity score
0
Reporter
elmahdibenrais-
Bounty paid
null
Title
Thailand - SNMP Publicly Accessible
URL
https://hackerone.com/reports/455726
Severity score
null
Reporter
k3mlol
Bounty paid
null
Title
Bypass report #416983 - Removed Staff members who had "Apps" permission can still modify flow app connections
URL
https://hackerone.com/reports/698708
Severity score
null
Reporter
mariogh
Bounty paid
$1,000
Title
Captcha checker "pd-captcha_form_SURVEYID" cookie is accepting any value
URL
https://hackerone.com/reports/920357
Severity score
null
Reporter
bugra
Bounty paid
$100
Title
Removing a user from a private group doesn't remove him from group's project, if his project's role was changed
URL
https://hackerone.com/reports/310185
Severity score
6.3
Reporter
rpadovani
Bounty paid
$2,000
Title
Improper access control leads to deleting anyone's comment
URL
https://hackerone.com/reports/273805
Severity score
null
Reporter
ranjit_p
Bounty paid
$100
Title
Missing Authorization on Private Message replies (BuddyPress)
URL
https://hackerone.com/reports/490782
Severity score
null
Reporter
klmunday
Bounty paid
$375
Title
Expired reshare links allow access to all files in share
URL
https://hackerone.com/reports/452854
Severity score
9.6
Reporter
frr
Bounty paid
$400
Title
Race condition leads to duplicate payouts
URL
https://hackerone.com/reports/220445
Severity score
3.1
Reporter
jigarthakkar39
Bounty paid
$750
Title
Bypass OTP verification when placing Order
URL
https://hackerone.com/reports/247158
Severity score
null
Reporter
madrobot
Bounty paid
$250
Title
User account compromised authentication bypass via oauth token impersonation
URL
https://hackerone.com/reports/739321
Severity score
null
Reporter
donhasan
Bounty paid
null
Title
Suspended users can bypass UGC upload ban
URL
https://hackerone.com/reports/354660
Severity score
null
Reporter
delite
Bounty paid
$500
Title
GitHub import allows user to create child group under existing namespace
URL
https://hackerone.com/reports/301137
Severity score
7.1
Reporter
jobert
Bounty paid
$750
Title
Secure credentials values disclosure to regular users due to access control issue in monitor creating function
URL
https://hackerone.com/reports/788499
Severity score
null
Reporter
skavans
Bounty paid
$500
Title
Bypass Email activation on http://axa.dxi.eu
URL
https://hackerone.com/reports/418267
Severity score
null
Reporter
madrobot
Bounty paid
null
Title
Improper access control allows sales only user to view bank balance of company accounts.
URL
https://hackerone.com/reports/906328
Severity score
null
Reporter
vapour
Bounty paid
$100
Title
Password reset link not expired at Stocky App
URL
https://hackerone.com/reports/898841
Severity score
null
Reporter
ayyoub
Bounty paid
$500
Title
Race condition (TOCTOU) in NordVPN can result in local privilege escalation
URL
https://hackerone.com/reports/768110
Severity score
4.5
Reporter
hexgold
Bounty paid
$500
Title
Unauthorized access to attachments details of Private Calendar appointments (Access control issue)
URL
https://hackerone.com/reports/220864
Severity score
null
Reporter
indoappsec
Bounty paid
$200
Title
Unrestricted access to Eureka server on ██████
URL
https://hackerone.com/reports/304240
Severity score
null
Reporter
reptou
Bounty paid
$500
Title
Group search with Elastic search enable leaks unrelated data
URL
https://hackerone.com/reports/708820
Severity score
8.6
Reporter
rpadovani
Bounty paid
$7,000
Title
Custom Field Attributes may be created and updated for customers with Custom Field Trial enabled
URL
https://hackerone.com/reports/634679
Severity score
5.2
Reporter
jobert
Bounty paid
null
Title
Unauthenticated users can access all food.grammarly.io user's data
URL
https://hackerone.com/reports/745495
Severity score
3.9
Reporter
cript0nauta
Bounty paid
$1,000
Title
app.lemlist.com : Admin Panel Access
URL
https://hackerone.com/reports/937921
Severity score
null
Reporter
omarelfarsaoui
Bounty paid
null
Title
Verify any unused email address
URL
https://hackerone.com/reports/574962
Severity score
null
Reporter
seifelsallamy
Bounty paid
$560
Title
Misconfigured s3 Bucket exposure
URL
https://hackerone.com/reports/700051
Severity score
null
Reporter
namunah
Bounty paid
$500
Title
Access to Tarantool
URL
https://hackerone.com/reports/722337
Severity score
null
Reporter
danila
Bounty paid
$4,000
Title
CORS Misconfiguration leading to Private Information Disclosure
URL
https://hackerone.com/reports/430249
Severity score
null
Reporter
sandh0t
Bounty paid
$500
Title
Cross-organization data access in city-mobil.ru
URL
https://hackerone.com/reports/863983
Severity score
7.1
Reporter
r0hack
Bounty paid
$8,000
Title
The email API to reset password is unlimited and can be used as a email bomb
URL
https://hackerone.com/reports/222080
Severity score
null
Reporter
xifengweiyu
Bounty paid
null
Title
Unrestricted access to https://██████.█████myteksi.net/
URL
https://hackerone.com/reports/304386
Severity score
null
Reporter
reptou
Bounty paid
$250
Title
Bypass rate limit exceeded
URL
https://hackerone.com/reports/246838
Severity score
null
Reporter
abhiram
Bounty paid
null
Title
Missing robots exclusion header for user uploads
URL
https://hackerone.com/reports/275443
Severity score
null
Reporter
d0rkerdevil
Bounty paid
$50
Title
[H1-2006 2020] Bounty Pay CTF challenge
URL
https://hackerone.com/reports/895798
Severity score
null
Reporter
0xfd
Bounty paid
null
Title
Lack of Origin check leads to Cross-Site WebSocket Hijacking (CSWSH)
URL
https://hackerone.com/reports/535436
Severity score
null
Reporter
fisher
Bounty paid
$800
Title
Admin Access to a domain used for development and admin access to internal dashboards on that domain
URL
https://hackerone.com/reports/271407
Severity score
null
Reporter
prateek_0490
Bounty paid
$1,000
Title
Improper access control when an added email address is deleted from authentication
URL
https://hackerone.com/reports/223434
Severity score
null
Reporter
bountyoverflow
Bounty paid
null
Title
multiple email usage -my.stripo.email-
URL
https://hackerone.com/reports/887167
Severity score
null
Reporter
mraldersonn
Bounty paid
null
Title
Github wikis are editable by anyone https://github.com/paragonie/password_lock/wiki
URL
https://hackerone.com/reports/661977
Severity score
null
Reporter
nitish_mathur
Bounty paid
null
Title
[h1-415 2020] Spent a week and failed at solving the last step.
URL
https://hackerone.com/reports/781265
Severity score
null
Reporter
s1r1u5
Bounty paid
null
Title
Unauthenticated hidden groups disclosure via Ajax groups search
URL
https://hackerone.com/reports/282176
Severity score
6.1
Reporter
jdgrimes
Bounty paid
$275
Title
WordPress admin is accessible without HTTP authentication
URL
https://hackerone.com/reports/1022267
Severity score
null
Reporter
logicalh4x0r
Bounty paid
null
Title
File access control rules not enforced on image files
URL
https://hackerone.com/reports/358339
Severity score
3.5
Reporter
reinism
Bounty paid
$150
Title
Github wiki is editable by anyone
URL
https://hackerone.com/reports/457009
Severity score
null
Reporter
c0rv4x
Bounty paid
null
Title
Access control on https://eaccounting.stage.vismaonline.com/
URL
https://hackerone.com/reports/812143
Severity score
null
Reporter
brdoors3
Bounty paid
$100
Title
{███} It is possible to download all information and files via S3 Bucket Misconfiguration
URL
https://hackerone.com/reports/998981
Severity score
null
Reporter
z3ck3bug
Bounty paid
null
Title
[support.wordcamp.org] - publicly accessible .svn repository
URL
https://hackerone.com/reports/309714
Severity score
null
Reporter
kazan71p
Bounty paid
null
Title
Stats Token doesn't expire after deactivating account
URL
https://hackerone.com/reports/394516
Severity score
2.7
Reporter
encrypt
Bounty paid
$250
Title
Order Creation Webhooks can be edited/deleted by STAFF with Settings only permission
URL
https://hackerone.com/reports/431633
Severity score
3.4
Reporter
h13-
Bounty paid
$500
Title
Twitter Lite (Android): Vulnerable to local file steal, JavaScript injection, Open redirect
URL
https://hackerone.com/reports/499348
Severity score
null
Reporter
rahulkankrale
Bounty paid
$1,120
Title
Ability to delete projects from Archived companies (Read only version)
URL
https://hackerone.com/reports/849157
Severity score
null
Reporter
hacker_bullish
Bounty paid
$100
Title
The possibility that unintended file operation may be performed because some methods of Dir do not check NULL characters.
URL
https://hackerone.com/reports/302338
Severity score
null
Reporter
ooooooo_q
Bounty paid
$500
Title
Unclaimed Github Repository Takeover on https://www.data.gov/labs
URL
https://hackerone.com/reports/515574
Severity score
null
Reporter
noobzombie
Bounty paid
$150
Title
[H1-2006 2020] Multiple vulnerabilities allow to leak sensitive information
URL
https://hackerone.com/reports/895202
Severity score
null
Reporter
zoczus
Bounty paid
null
Title
Improper Access Control in Buddypress core allows reply,delete any user's activity
URL
https://hackerone.com/reports/837256
Severity score
null
Reporter
hoangkien1020
Bounty paid
$225
Title
User can delete data in shared folders he's not authorized to access
URL
https://hackerone.com/reports/642515
Severity score
null
Reporter
jlord87
Bounty paid
$250
Title
Unauthorized updates to extended_info properties in /store/ajaxpackagesave
URL
https://hackerone.com/reports/815547
Severity score
7.2
Reporter
njbooher
Bounty paid
$2,500
Title
Cross-Site WebSocket Hijacking Lead to Steal XSRF-TOKEN
URL
https://hackerone.com/reports/915541
Severity score
null
Reporter
3x3s
Bounty paid
null
Title
Unrestricted File Upload
URL
https://hackerone.com/reports/683024
Severity score
null
Reporter
javilarx8
Bounty paid
null
Title
subdomain takeover at news-static.semrush.com
URL
https://hackerone.com/reports/294201
Severity score
null
Reporter
0ways
Bounty paid
$500
Title
[www.zomato.com/dubai/gold] CRITICAL - Allowing arbitrary amount to become a GOLD Member
URL
https://hackerone.com/reports/254211
Severity score
null
Reporter
prateek_0490
Bounty paid
$500
Title
Content Spoofing @ https://irclogs.wordpress.org/
URL
https://hackerone.com/reports/278151
Severity score
null
Reporter
hackerwahab
Bounty paid
null
Title
Sidekiq web UI (Ruby background processing) accessible unauthenticated via https://gift-test.starbucks.co.jp/sidekiq/busy
URL
https://hackerone.com/reports/423286
Severity score
null
Reporter
jackds
Bounty paid
null
Title
Disabled account can still use GraphQL endpoint
URL
https://hackerone.com/reports/608656
Severity score
2.9
Reporter
tolo7010
Bounty paid
$500
Title
Open Selenoid instance at 188.93.63.186 leads to LFR/SSRF.
URL
https://hackerone.com/reports/512973
Severity score
6.5
Reporter
chaosbolt
Bounty paid
$6,000
Title
Docker Registry HTTP API v2 exposed in HTTP without authentication leads to docker images dumping and poisoning
URL
https://hackerone.com/reports/347296
Severity score
null
Reporter
thehackerish
Bounty paid
$2,000
Title
The auto login link does not expire on changing email id
URL
https://hackerone.com/reports/472026
Severity score
null
Reporter
whitehattushu
Bounty paid
$250
Title
[Critical] Insufficient Access Control On Registration Page of Webapps Website Allows Privilege Escalation to Administrator
URL
https://hackerone.com/reports/796379
Severity score
null
Reporter
hunt4p1zza
Bounty paid
null
Title
password reset email spamming
URL
https://hackerone.com/reports/224095
Severity score
null
Reporter
xifengweiyu
Bounty paid
null
Title
[██████] Cross-origin resource sharing misconfiguration (CORS)
URL
https://hackerone.com/reports/470298
Severity score
null
Reporter
jarvis7
Bounty paid
null
Title
Bypass "Industry Documents" Validation
URL
https://hackerone.com/reports/997514
Severity score
null
Reporter
gnux
Bounty paid
$50
Title
Elasticsearch leaks data through the notes scope
URL
https://hackerone.com/reports/710006
Severity score
null
Reporter
rpadovani
Bounty paid
$1,000
Title
Unrestricted access to any "connected pack" on docs
URL
https://hackerone.com/reports/777942
Severity score
4.3
Reporter
0xcrypto
Bounty paid
$200
Title
[IDOR] API endpoint leaking sensitive user information
URL
https://hackerone.com/reports/723118
Severity score
6.5
Reporter
t4kemyh4nd
Bounty paid
$375
Title
Security issue: Github repo's wiki publicly editable
URL
https://hackerone.com/reports/461345
Severity score
null
Reporter
whitehat_hacker
Bounty paid
null
Title
Can buy Atavist Magazine subscription for free
URL
https://hackerone.com/reports/951230
Severity score
null
Reporter
bugra
Bounty paid
$100
Title
Github repo's wiki publicly editable
URL
https://hackerone.com/reports/461429
Severity score
null
Reporter
whitehat_hacker
Bounty paid
null
Title
H1514 Wholesale customer without checkout permission can complete purchases
URL
https://hackerone.com/reports/423546
Severity score
5.3
Reporter
cablej
Bounty paid
$500
Title
Access to completion page without performing any action
URL
https://hackerone.com/reports/223846
Severity score
null
Reporter
footstep
Bounty paid
null
Title
Information Disclosure FrontPage Configuration Information /_vti_inf.html in https://www.mtn.co.za/
URL
https://hackerone.com/reports/761617
Severity score
null
Reporter
miguel_santareno
Bounty paid
null
Title
No password confirmation on changing primary email address
URL
https://hackerone.com/reports/276816
Severity score
null
Reporter
sec_ninja1
Bounty paid
null
Title
Design Flaw in session management of password reset
URL
https://hackerone.com/reports/229417
Severity score
null
Reporter
asaxena2190
Bounty paid
null
Title
Any staff member with the ability to comment in [discounts] can disable the comment section for other staff, even the store admin
URL
https://hackerone.com/reports/629150
Severity score
null
Reporter
modam3r5
Bounty paid
null
Title
Conversation API Leaks Details Of Unauthorized Conversations
URL
https://hackerone.com/reports/674866
Severity score
4.3
Reporter
mindingdata
Bounty paid
$150
Title
Private and group tokens per minute endpoint active for disabled users
URL
https://hackerone.com/reports/403603
Severity score
null
Reporter
encrypt
Bounty paid
$150
Title
svcardproxydevus.starbucks.com Subdomain take over
URL
https://hackerone.com/reports/380158
Severity score
null
Reporter
txt3rob
Bounty paid
$2,000
Title
Apparent ██████████ website is publicly exposed, suggests default account details on page and has expired SSL/TLS cert
URL
https://hackerone.com/reports/1025217
Severity score
null
Reporter
mcbazza
Bounty paid
null
Title
Share recipient can modify a share's expiration date
URL
https://hackerone.com/reports/447494
Severity score
4.3
Reporter
icewater
Bounty paid
$100
Title
The mailbox verification API interface is unlimited and can be used as a mailbox bomb
URL
https://hackerone.com/reports/221948
Severity score
null
Reporter
xifengweiyu
Bounty paid
null
Title
Private API key leakage due to lack of access control
URL
https://hackerone.com/reports/376060
Severity score
null
Reporter
yox
Bounty paid
null
Title
[press.razer.com] Origin IP found, Cloudflare bypassed
URL
https://hackerone.com/reports/776933
Severity score
null
Reporter
snwlol
Bounty paid
$200
Title
Non-functional 2FA recovery codes
URL
https://hackerone.com/reports/249337
Severity score
null
Reporter
be6bfca755e616cb69c1a51
Bounty paid
$60
Title
Guest users can change the confidentiality attribute on those issues that have been assigned to them
URL
https://hackerone.com/reports/762271
Severity score
null
Reporter
0xwintermute
Bounty paid
$100
Title
Getting all the CD keys of any game
URL
https://hackerone.com/reports/391217
Severity score
null
Reporter
moskowsky
Bounty paid
$20,000
Title
Payment PIN Verification Bypass
URL
https://hackerone.com/reports/702383
Severity score
null
Reporter
iamsahana
Bounty paid
$1,000
Title
[ux.shopify.com] Subdomain takeover
URL
https://hackerone.com/reports/221631
Severity score
null
Reporter
bobrov
Bounty paid
null
Title
[H1-2006 2020] The Story of Making Bounty Hunters Happy
URL
https://hackerone.com/reports/889333
Severity score
null
Reporter
w31rd0
Bounty paid
null
Title
open Firebase Database: msdict-dev.firebaseio.com
URL
https://hackerone.com/reports/736283
Severity score
6.1
Reporter
kickino
Bounty paid
null
Title
Unauthenticated users can obtain information about Checklist objects with unclaimed ChecklistCheck objects
URL
https://hackerone.com/reports/781175
Severity score
4.4
Reporter
jobert
Bounty paid
null
Title
Milestones leaked via search API
URL
https://hackerone.com/reports/460815
Severity score
null
Reporter
xanbanx
Bounty paid
$1,000
Title
A user can view, delete and modify the data of any company by enumerating domain_id [biz.mail.ru]
URL
https://hackerone.com/reports/977092
Severity score
5
Reporter
kwel
Bounty paid
$150
Title
Head pipeline leaked to unauthorized users via blocking merge request feature
URL
https://hackerone.com/reports/667408
Severity score
3.5
Reporter
xanbanx
Bounty paid
$1,000
Title
No Email Checking at Invitation Confirmation Link leads to Account Takeover without User Interaction at CrowdSignal
URL
https://hackerone.com/reports/915110
Severity score
null
Reporter
bugra
Bounty paid
$750
Title
CORS Misconfiguration Leads to Exposing User Data
URL
https://hackerone.com/reports/733017
Severity score
null
Reporter
waymobetta
Bounty paid
null
Title
Adding external participants to unaccessible appointments
URL
https://hackerone.com/reports/294232
Severity score
null
Reporter
mishre
Bounty paid
$300
Title
Ability to reset password for account
URL
https://hackerone.com/reports/322985
Severity score
null
Reporter
exadmin
Bounty paid
$3,500
Title
Proper verification is not done before sending invitations to researchers for certain private programs with rules e.g. "Participants must be US-based"
URL
https://hackerone.com/reports/427502
Severity score
4.1
Reporter
ateek
Bounty paid
$2,500
Title
Improper validation of parameters while creating issues
URL
https://hackerone.com/reports/260632
Severity score
null
Reporter
samczsun
Bounty paid
$20
Title
Bug in GraphQL and API integration leads to limited user address disclosure
URL
https://hackerone.com/reports/473742
Severity score
null
Reporter
loxiran
Bounty paid
$1,000
Title
Unauthorized update of merchants' information via /php/merchant_details.php
URL
https://hackerone.com/reports/255651
Severity score
null
Reporter
adibou
Bounty paid
$200
Title
CRITICAL-CLICKJACKING at Yelp Reservations Resulting in exposure of victim Private Data (Email info) + Victim Credit Card Misuse.
URL
https://hackerone.com/reports/355859
Severity score
6.3
Reporter
hk755a
Bounty paid
$500
Title
[H1-2006] CTF Writeup
URL
https://hackerone.com/reports/895778
Severity score
null
Reporter
nirvana_msu
Bounty paid
null
Title
Ability to publish a paid theme without purchasing it.
URL
https://hackerone.com/reports/927567
Severity score
null
Reporter
saltymermaid
Bounty paid
$2,000
Title
Subdomain takeover on healthyhackathon.khanacademy.org and hackweek.khanacademy.org
URL
https://hackerone.com/reports/474798
Severity score
null
Reporter
katsuragicsl
Bounty paid
null
Title
Combination of content provider allows private data disclosure
URL
https://hackerone.com/reports/534541
Severity score
3.4
Reporter
doragon
Bounty paid
$100
Title
Forbidden access to https://apps-staging.pingone.com but "/packages.json" visible and full path disclosure
URL
https://hackerone.com/reports/770711
Severity score
null
Reporter
mjigar821
Bounty paid
$100
Title
Permissive CORS policy trusting arbitrary extensions origin
URL
https://hackerone.com/reports/412490
Severity score
null
Reporter
foobar7
Bounty paid
$500
Title
Hacktivity of a private program visible to banned user if he gets invited to a program by hackbot
URL
https://hackerone.com/reports/357485
Severity score
3.8
Reporter
parth
Bounty paid
$500
Title
[Клевер/Android] Insecure BroadcastReceiver allows another unauthorized application to create a dialog window inside the application
URL
https://hackerone.com/reports/394332
Severity score
null
Reporter
norver
Bounty paid
$200
Title
S3 bucket unnecessarily discloses permissions
URL
https://hackerone.com/reports/330135
Severity score
0
Reporter
salmon
Bounty paid
$50
Title
Password Reset Link Works Multiple Times
URL
https://hackerone.com/reports/772886
Severity score
null
Reporter
enixium
Bounty paid
$100
Title
Able to download any hosted content on AWS S3 bucket(stripo)
URL
https://hackerone.com/reports/739858
Severity score
null
Reporter
benjieguy
Bounty paid
null
Title
ability to install paid themes for free
URL
https://hackerone.com/reports/273557
Severity score
4.6
Reporter
flashdisk
Bounty paid
$1,000
Title
Email Forwarding invitations for Drafts are not marked as accepted, allowing multiple users to join a program after disabling Email Forwarding
URL
https://hackerone.com/reports/331691
Severity score
3.8
Reporter
d4rk_g1rl
Bounty paid
$500
Title
Broken access control on apps
URL
https://hackerone.com/reports/491892
Severity score
9.6
Reporter
theappsec
Bounty paid
null
Title
API - Amazon S3 bucket misconfiguration
URL
https://hackerone.com/reports/764243
Severity score
null
Reporter
c37m
Bounty paid
$300
Title
Found Origin IPs Lead To Access To Grafana Instance and PgHero Instance (SQL Injection possible)
URL
https://hackerone.com/reports/687908
Severity score
null
Reporter
elmahdi
Bounty paid
$200
Title
SharePoint exposed web services in a subdomain
URL
https://hackerone.com/reports/761158
Severity score
null
Reporter
miguel_santareno
Bounty paid
null
Title
Edit Policy restriction does not prevent comments.
URL
https://hackerone.com/reports/923759
Severity score
null
Reporter
rhinosf1
Bounty paid
null
Title
Access control issue -- [Allow file system access not validated when using session auth]
URL
https://hackerone.com/reports/388515
Severity score
6.4
Reporter
born2hack
Bounty paid
$100
Title
ISteamAssets gives partners control over unrelated community market transactions
URL
https://hackerone.com/reports/577584
Severity score
7.1
Reporter
njbooher
Bounty paid
$5,000
Title
Add users to groups who have restricted group invites
URL
https://hackerone.com/reports/538008
Severity score
null
Reporter
yuvraj_dighe
Bounty paid
$275
Title
Add apps to packages 0, 61, 62 with /store/ajaxpackagemerge
URL
https://hackerone.com/reports/972243
Severity score
null
Reporter
njbooher
Bounty paid
$2,500
Title
IDOR in the https://market.semrush.com/
URL
https://hackerone.com/reports/837400
Severity score
null
Reporter
albatraoz
Bounty paid
$5,000
Title
MemeCTF serial exploitation to local file read to Papertrail access via API-token leakage and more
URL
https://hackerone.com/reports/416123
Severity score
null
Reporter
osintopsec
Bounty paid
null
Title
Sourcemaps and Unminified Source Code Exposed on Pages
URL
https://hackerone.com/reports/845677
Severity score
null
Reporter
gennaro
Bounty paid
$250
Title
[engineering.udemy.com] - Subdomain Takeover (ghost.io)
URL
https://hackerone.com/reports/368119
Severity score
null
Reporter
kazan71p
Bounty paid
$100
Title
[v7lk.relap.io] Sending arbitrary emails to any user
URL
https://hackerone.com/reports/808730
Severity score
null
Reporter
empty-jack
Bounty paid
null
Title
"Basic user" which can only access a limited subset of the platform can access certain pages which are restricted to the user by the account owner.
URL
https://hackerone.com/reports/966531
Severity score
null
Reporter
jhimansh
Bounty paid
null
Title
[H1-2006 2020] Writeup
URL
https://hackerone.com/reports/894170
Severity score
null
Reporter
njbooher
Bounty paid
null
Title
Bypassing Access control, changing owner's name in a private leaderboard
URL
https://hackerone.com/reports/245340
Severity score
null
Reporter
tikoo_sahil
Bounty paid
null
Title
Access to com.vk.usersstore.UsersContentProvider, possible exchange_token leak on android < 21
URL
https://hackerone.com/reports/473690
Severity score
null
Reporter
korniltsev
Bounty paid
$100
Title
The email API to test email-server settings is unlimited and can be used as an email bomb
URL
https://hackerone.com/reports/222660
Severity score
null
Reporter
xifengweiyu
Bounty paid
null
Title
[babel.mail.ru] Admin Page Found
URL
https://hackerone.com/reports/103182
Severity score
null
Reporter
bigbear_
Bounty paid
$400
Title
Overwrite Drafts of Everyone
URL
https://hackerone.com/reports/258201
Severity score
null
Reporter
geekboy
Bounty paid
$300
Title
ClickJacking on IMPORTANT Functions of Yelp
URL
https://hackerone.com/reports/305128
Severity score
3.5
Reporter
hk755a
Bounty paid
$500
Title
I can subscribe and unsubscribe any user with the same token as many times as I want
URL
https://hackerone.com/reports/373899
Severity score
null
Reporter
iam1here
Bounty paid
$30
Title
Subdomain takeover on developer.openapi.starbucks.com
URL
https://hackerone.com/reports/275714
Severity score
null
Reporter
dpgribkov
Bounty paid
$2,000
Title
Improper Access Control on Onelogin in multi-layered architecture
URL
https://hackerone.com/reports/326080
Severity score
null
Reporter
orange
Bounty paid
$500
Title
..; bypass leading to tomcat scripts [Unauthenticated]
URL
https://hackerone.com/reports/1004007
Severity score
null
Reporter
nullfil3
Bounty paid
null
Title
PHPMYADMIN Setup is accessible without authentication on https://lml.lahitapiola.fi/
URL
https://hackerone.com/reports/297339
Severity score
null
Reporter
w00tr00t
Bounty paid
$600
Title
Admin Management - Login Using Default Password - Leads to Image Upload Backdoor/Shell
URL
https://hackerone.com/reports/699030
Severity score
null
Reporter
duckoverflow
Bounty paid
$200
Title
Unintentional file creation caused at Tempfile with directory traversal
URL
https://hackerone.com/reports/302298
Severity score
null
Reporter
ooooooo_q
Bounty paid
$500
Title
Circle email-members have still access to a shared folder/file after they are removed from the circle
URL
https://hackerone.com/reports/673724
Severity score
2
Reporter
michag86
Bounty paid
$200
Title
X-Forward-For Header allows to bypass access restrictions
URL
https://hackerone.com/reports/1011767
Severity score
6.1
Reporter
parzel
Bounty paid
$200
Title
Local File Download
URL
https://hackerone.com/reports/345162
Severity score
null
Reporter
z0mb13
Bounty paid
null
Title
Publicly editable GitHub wikis
URL
https://hackerone.com/reports/460121
Severity score
null
Reporter
strukt
Bounty paid
null
Title
Amazon S3 bucket misconfiguration (share)
URL
https://hackerone.com/reports/229690
Severity score
null
Reporter
glc
Bounty paid
null
Title
Add another email address without verification
URL
https://hackerone.com/reports/265987
Severity score
null
Reporter
tungpun
Bounty paid
null
Title
2FA bypass - confirmation tokens don't expire
URL
https://hackerone.com/reports/264090
Severity score
4.8
Reporter
muskecan
Bounty paid
null
Title
No Access Control
URL
https://hackerone.com/reports/535705
Severity score
null
Reporter
common
Bounty paid
null
Title
Periscope-all Firebase database takeover
URL
https://hackerone.com/reports/684099
Severity score
null
Reporter
deeptiman
Bounty paid
$560
Title
[Razer Pay] Broken Access Control at /v1/verifyPhone/ allows enumeration of usernames and ID information
URL
https://hackerone.com/reports/752443
Severity score
5.3
Reporter
sambal0x
Bounty paid
$500
Title
STAFF member with NO Explicit permissions can view ActivityFeed via GraphQL
URL
https://hackerone.com/reports/528940
Severity score
null
Reporter
h13-
Bounty paid
$500
Title
Improper protection of FileContentProvider
URL
https://hackerone.com/reports/331302
Severity score
null
Reporter
mmmds
Bounty paid
$50
Title
Github repo's wiki publicly editable
URL
https://hackerone.com/reports/475114
Severity score
null
Reporter
whitehat_hacker
Bounty paid
null
Title
Full account takeover
URL
https://hackerone.com/reports/314808
Severity score
null
Reporter
sandeep_hodkasia
Bounty paid
$800
Title
Unauthorised access to pagespeed global admin at https://webtools.paloalto.com/
URL
https://hackerone.com/reports/870709
Severity score
null
Reporter
lordjerry0x01
Bounty paid
null
Title
Unrestricted File Upload Leads to RCE on mobile.starbucks.com.sg
URL
https://hackerone.com/reports/1027822
Severity score
9.8
Reporter
ko2sec
Bounty paid
$5,600
Title
HackerOne Pentesters can access any structured scope object through GraphQL node interface
URL
https://hackerone.com/reports/781150
Severity score
8.3
Reporter
jobert
Bounty paid
null
Title
Publicly Accessible HashiCorp Consul
URL
https://hackerone.com/reports/665791
Severity score
6.1
Reporter
l33tcyberops
Bounty paid
$300
Title
Exfiltrate and mutate repository and project data through injected templated service
URL
https://hackerone.com/reports/446585
Severity score
9.9
Reporter
jobert
Bounty paid
$11,000
Title
Gaining access to private topics using quoting feature
URL
https://hackerone.com/reports/312647
Severity score
null
Reporter
mishre
Bounty paid
$256
Title
NR-wide cross account access through misconfigured CORS-policy of multiple endpoints
URL
https://hackerone.com/reports/751699
Severity score
null
Reporter
skavans
Bounty paid
$3,125
Title
Restricted user can manage the NerdGraph entities' tags
URL
https://hackerone.com/reports/757957
Severity score
null
Reporter
skavans
Bounty paid
$750
Title
Add store to new partner account without confirming email address.
URL
https://hackerone.com/reports/633371
Severity score
null
Reporter
jmp_35p
Bounty paid
null
Title
Potential leak of server side software at repogohi.nordvpn.com
URL
https://hackerone.com/reports/756182
Severity score
null
Reporter
zerody
Bounty paid
$500
Title
CORS Misconfiguration on nordvpn.com leading to Private Information Disclosure,Account takeover
URL
https://hackerone.com/reports/758785
Severity score
null
Reporter
shardulb_23
Bounty paid
null
Title
Update App Store: Django account hijacking vulnerability
URL
https://hackerone.com/reports/761329
Severity score
6.5
Reporter
bernhardposselt
Bounty paid
null
Title
GraphQL query "namespace" leaks data
URL
https://hackerone.com/reports/614355
Severity score
5.3
Reporter
rpadovani
Bounty paid
$1,000
Title
SharePoint Web Services Exposed to Anonymous Access Users
URL
https://hackerone.com/reports/807915
Severity score
null
Reporter
balisong
Bounty paid
null
Title
A staff without export customers permissions can still export customers CSV file
URL
https://hackerone.com/reports/860197
Severity score
null
Reporter
ryat
Bounty paid
$500
Title
[h1-415 2020] h1ctf{y3s_1m_c0sm1c_n0w}
URL
https://hackerone.com/reports/781253
Severity score
null
Reporter
pirateducky
Bounty paid
null
Title
Graphql: Sorting the reports by jira_status field resulted to different value
URL
https://hackerone.com/reports/955286
Severity score
3.8
Reporter
0619
Bounty paid
$550
Title
Notifications sent due to "Transfer report" functionality may be sent to users who are no longer authorized to see the report
URL
https://hackerone.com/reports/442843
Severity score
3.4
Reporter
npbhatter17
Bounty paid
$500
Title
Github wikis are editable by anyone
URL
https://hackerone.com/reports/457032
Severity score
null
Reporter
c0rv4x
Bounty paid
null
Title
Undocumented fileCopy GraphQL API
URL
https://hackerone.com/reports/981472
Severity score
4.2
Reporter
ash_nz
Bounty paid
$2,000
Title
Origin IP found, Cloudflare bypassed
URL
https://hackerone.com/reports/360825
Severity score
null
Reporter
europa
Bounty paid
null
Title
Restricted user can update Apdex target for applications by leveraging the GraphQL mutation
URL
https://hackerone.com/reports/776449
Severity score
null
Reporter
skavans
Bounty paid
$626
Title
Github wikis are editable by anyone #Githubwikistakeover
URL
https://hackerone.com/reports/545052
Severity score
null
Reporter
ronb1996
Bounty paid
null
Title
H1514 Lack of access control on edit packing slip template
URL
https://hackerone.com/reports/417839
Severity score
null
Reporter
fisher
Bounty paid
$500
Title
Examples directory is PUBLIC on https://████████mil, leading to multiple vulns
URL
https://hackerone.com/reports/674741
Severity score
null
Reporter
masonhck357
Bounty paid
null
Title
SOP bypass using browser cache
URL
https://hackerone.com/reports/761726
Severity score
2.6
Reporter
aaron_costello
Bounty paid
$1,500
Title
Previously created sessions continue being valid after MFA activation
URL
https://hackerone.com/reports/667739
Severity score
null
Reporter
brdoors3
Bounty paid
$2,500
Title
Accessing Private Files Shared in message of other users
URL
https://hackerone.com/reports/258260
Severity score
6.5
Reporter
geekboy
Bounty paid
$150
Title
Unauthorized access of Monero wallet by an unprivileged process
URL
https://hackerone.com/reports/462442
Severity score
null
Reporter
thanhb
Bounty paid
null
Title
Cross Origin Resource Sharing Misconfiguration | Leads to sensitive information
URL
https://hackerone.com/reports/796557
Severity score
null
Reporter
hridoy-ahmed
Bounty paid
null
Title
In Dockerized Environments, Failing to Read config.php Grants Any Anonymous User Full Admin Access
URL
https://hackerone.com/reports/522876
Severity score
8.7
Reporter
theguynamedguy86
Bounty paid
null
Title
Improper access check by Kit leads to controlling attributes of store & getting analytics by deleted Store member via dual messenger A/C
URL
https://hackerone.com/reports/351519
Severity score
2
Reporter
absshax
Bounty paid
$500
Title
Read-only user can access payroll information without having access to payroll.
URL
https://hackerone.com/reports/838563
Severity score
null
Reporter
base_64
Bounty paid
$250
Title
Unused domain still in use on WeChat by Starbucks East China
URL
https://hackerone.com/reports/471265
Severity score
9.7
Reporter
k3mlol
Bounty paid
$1,000
Title
Transferring a public group to a private group doesn't remove code from the Elasticsearch API search result
URL
https://hackerone.com/reports/748375
Severity score
null
Reporter
rpadovani
Bounty paid
$3,000
Title
API request signature can be reused with other parameters/data than the original in certain cases
URL
https://hackerone.com/reports/425314
Severity score
5.3
Reporter
p4fg
Bounty paid
$100
Title
Session Duplication due to Broken Access Control
URL
https://hackerone.com/reports/247225
Severity score
null
Reporter
anurag98
Bounty paid
null
Title
Reduced Payment amount while paying on Crypto Currencies
URL
https://hackerone.com/reports/803876
Severity score
null
Reporter
archerl
Bounty paid
null
Title
Users may still be able to view chat room panel of password protected rooms
URL
https://hackerone.com/reports/386351
Severity score
null
Reporter
mikkz
Bounty paid
$350
Title
Response program can create bounty table
URL
https://hackerone.com/reports/460920
Severity score
3.8
Reporter
khoiasd
Bounty paid
$500
Title
Web cache deception attack - expose earning state information
URL
https://hackerone.com/reports/439021
Severity score
3.1
Reporter
memon
Bounty paid
null
Title
Insufficient Type Check on GraphQL leading to Maintainer delete repository
URL
https://hackerone.com/reports/858671
Severity score
null
Reporter
ledz1996
Bounty paid
$4,000
Title
API Does Not Apply Access Controls to Translations
URL
https://hackerone.com/reports/232994
Severity score
3.7
Reporter
4cad
Bounty paid
null
Title
Disclosure of Users Information On Wordpress Api [https://jitsi.org/]
URL
https://hackerone.com/reports/772778
Severity score
null
Reporter
0xelkomy
Bounty paid
null
Title
A 'Read only' user can modify the company logotype and invoice background image
URL
https://hackerone.com/reports/790528
Severity score
null
Reporter
base_64
Bounty paid
$100
Title
Cross-origin resource sharing misconfiguration (CORS)
URL
https://hackerone.com/reports/954512
Severity score
null
Reporter
drwx
Bounty paid
null
Title
[██████████] Unauthorized access to admin panel
URL
https://hackerone.com/reports/648222
Severity score
null
Reporter
jarvis7
Bounty paid
null
Title
Unpublished Product Images can be disclosed
URL
https://hackerone.com/reports/534554
Severity score
null
Reporter
h13-
Bounty paid
$500
Title
[H1-2006 2020] In-depth resolution of the h1-2006 CTF
URL
https://hackerone.com/reports/894174
Severity score
null
Reporter
enzyro
Bounty paid
null
Title
Improper Access Control in LINE Timeline API that returns a list of hidden friends
URL
https://hackerone.com/reports/853894
Severity score
4.3
Reporter
66ed3gs
Bounty paid
$1,346.85
Title
Container scanning and Dependency scanning report leaked to unauthorized users
URL
https://hackerone.com/reports/676976
Severity score
null
Reporter
xanbanx
Bounty paid
$3,000
Title
Cross-origin resource sharing (CORS)
URL
https://hackerone.com/reports/272432
Severity score
null
Reporter
nn1
Bounty paid
null
Title
invalid handling of redirect_uri at o2.mail.ru/jsapi/button
URL
https://hackerone.com/reports/341925
Severity score
null
Reporter
chaosbolt
Bounty paid
$150
Title
[ RCE ] Through stopping the redirect in /admin/* the attacker is able to bypass Authentication And Upload Malicious File
URL
https://hackerone.com/reports/683957
Severity score
8.2
Reporter
elmahdi
Bounty paid
$4,000
Title
No Rate Limit (Leads to huge email flooding/email bombing)
URL
https://hackerone.com/reports/272596
Severity score
null
Reporter
saikiran-10099
Bounty paid
null
Title
Unix domain socket and a path containing a null character
URL
https://hackerone.com/reports/302997
Severity score
null
Reporter
ooooooo_q
Bounty paid
$500