| 2024-05-07 |
IBM: XSS in Aspera documentation website |
hackerone.com |
|
| 2024-05-04 |
Liberapay: Unsafe yaml load can lead to remote code execution |
hackerone.com |
|
| 2024-05-04 |
U.S. Dept Of Defense: Reflected XSS via Keycloak on ███ [CVE-2021-20323] |
hackerone.com |
|
| 2024-05-04 |
U.S. Dept Of Defense: reflected xss [CVE-2020-3580] |
hackerone.com |
|
| 2024-05-04 |
U.S. Dept Of Defense: Reflected Cross-site Scripting via search query on ██████ |
hackerone.com |
|
| 2024-05-04 |
U.S. Dept Of Defense: Reflected XSS on error message on Login Page |
hackerone.com |
|
| 2024-05-04 |
U.S. Dept Of Defense: Reflected XSS via Moodle on ███ [CVE-2022-35653] |
hackerone.com |
|
| 2024-05-04 |
U.S. Dept Of Defense: SQL injection on ██████████ via 'where' parameter |
hackerone.com |
|
| 2024-05-04 |
Node.js: fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect |
hackerone.com |
|
| 2024-05-04 |
Node.js: Proxy-Authorization header not cleared on cross-origin redirect in undici.request |
hackerone.com |
|
| 2024-05-04 |
Node.js: HTTP Request Smuggling via Content Length Obfuscation |
hackerone.com |
|
| 2024-05-03 |
Adobe: Adobe Experience Manager 'Childlist selector' - Cross-Site Scripting on cbconnection.adobe.com |
hackerone.com |
|
| 2024-05-02 |
[$100.0] Deriv.com: Mailgun subdomain takeover |
hackerone.com |
|
| 2024-05-02 |
Shopify: Production Key and Data Found on Subdomain No Longer Operated by Shopify / Dangling DNS |
hackerone.com |
|
| 2024-05-02 |
[$500.0] Shopify: No Session Expiry after log-out, attacker can reuse the old cookies |
hackerone.com |
|
| 2024-05-01 |
IBM: Insecure Direct Object Reference Protection bypass by changing HTTP method in IBM Your Learning endpoint. |
hackerone.com |
|
| 2024-04-30 |
[$3645.0] Internet Bug Bounty: Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash |
hackerone.com |
|
| 2024-04-29 |
[$15000.0] HackerOne: Attachment disclosure via summary report |
hackerone.com |
|
| 2024-04-29 |
Hyperledger: Code exec on Github runner via Pull request name |
hackerone.com |
|
| 2024-04-29 |
[$2580.0] Internet Bug Bounty: CVE-2024-25128: Apache Airflow: Authentication Bypass when Legacy OpenID(2.0) is in use as AUTH_TYPE |
hackerone.com |
|
| 2024-04-29 |
[$2580.0] Internet Bug Bounty: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words() |
hackerone.com |
|
| 2024-04-26 |
[$12500.0] PlayStation: Remote vulnerabilities in spp |
hackerone.com |
|
| 2024-04-25 |
[$2580.0] Internet Bug Bounty: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames |
hackerone.com |
|
| 2024-04-24 |
IBM: RXSS in hidden parameter |
hackerone.com |
|
| 2024-04-23 |
Mozilla: Jira Credential Disclosure within Mozilla Slack |
hackerone.com |
|
| 2024-04-23 |
[$2580.0] Internet Bug Bounty: CVE-2024-2398: HTTP/2 push headers memory-leak |
hackerone.com |
|
| 2024-04-23 |
[$4860.0] Internet Bug Bounty: Denial of Service caused by HTTP/2 CONTINUATION Flood |
hackerone.com |
|
| 2024-04-23 |
Adobe: Adobe Experience Manager 'Childlist selector' - Cross-Site Scripting on cbconnection-stage.adobe.com |
hackerone.com |
|
| 2024-04-22 |
[$200.0] Sheer: Cleartext Transmission of password via Email |
hackerone.com |
|
| 2024-04-21 |
[$2000.0] Hyperledger: Docker Secret Disclosure via GitHub Actions Cache Poisoning |
hackerone.com |
|
| 2024-04-20 |
Revive Adserver: Login page password-guessing attack |
hackerone.com |
|
| 2024-04-17 |
[$500.0] SideFX: Stored XSS in messages |
hackerone.com |
|
| 2024-04-16 |
PortSwigger Web Security: Incorrect logic when buy one more license which may lead to extend the expire date of existing license |
hackerone.com |
|
| 2024-04-16 |
GitHub: Self XSS in Tag name pattern field /<username>/<reponame>/settings/tag_protection/new |
hackerone.com |
|
| 2024-04-11 |
[$100.0] inDrive: #1 XSS on watchdocs.indriverapp.com |
hackerone.com |
|
| 2024-04-11 |
[$100.0] inDrive: #2 XSS on watchdocs.indriverapp.com |
hackerone.com |
|
| 2024-04-11 |
[$234.0] inDrive: #3 XSS on watchdocs.indriverapp.com |
hackerone.com |
|
| 2024-04-11 |
8x8: Unprotected Atlantis Server at https://152.70.█.█ |
hackerone.com |
|
| 2024-04-09 |
Node.js: "Assertion failed" in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash |
hackerone.com |
|
| 2024-04-06 |
Snapchat: Intent Leads To Unauthorised Video Call Initiation Leaking Surrounding Informations Of Victim |
hackerone.com |
|
| 2024-04-05 |
[$5000.0] TikTok: Reflected XSS on Pangle Endpoint |
hackerone.com |
|
| 2024-04-05 |
[$3000.0] Tools for Humanity: Race Condition Enables Bypassing Verification Check |
hackerone.com |
|
| 2024-04-05 |
PortSwigger Web Security: [portswigger.net] Path Traversal al /cms/audioitems |
hackerone.com |
|
| 2024-04-03 |
TikTok: Using Branded Hashtag Feature User Partnered with Account Manager Can View Videos Uploaded By A Private TikTok Account If 'item_id' Is Known |
hackerone.com |
|
| 2024-03-30 |
[$4860.0] Internet Bug Bounty: CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc |
hackerone.com |
|
| 2024-03-30 |
[$4860.0] Internet Bug Bounty: Libuv: Improper Domain Lookup that potentially leads to SSRF attacks |
hackerone.com |
|
| 2024-03-30 |
[$2580.0] Internet Bug Bounty: CVE-2024-2466: TLS certificate check bypass with mbedTLS (reward request) |
hackerone.com |
|
| 2024-03-30 |
[$560.0] Internet Bug Bounty: CVE-2024-2379: QUIC certificate check bypass with wolfSSL |
hackerone.com |
|
| 2024-03-30 |
[$560.0] Internet Bug Bounty: Usage of disabled protocol in curl |
hackerone.com |
|
| 2024-03-28 |
HackerOne: New Hacktivity features:Bounty rewards leakage Where programs doesn’t decide to disclose bounty in limited disclosure report |
hackerone.com |
|
| 2024-03-28 |
curl: cookie is sent on redirect |
hackerone.com |
|
| 2024-03-28 |
curl: CVE-2024-2004: Usage of disabled protocol |
hackerone.com |
|
| 2024-03-28 |
Internet Bug Bounty: CVE-2024-0853: OCSP verification bypass with TLS session reuse |
hackerone.com |
|
| 2024-03-27 |
curl: HTTP/2 PUSH_PROMISE DoS |
hackerone.com |
|
| 2024-03-27 |
curl: CVE-2024-2466: TLS certificate check bypass with mbedTLS |
hackerone.com |
|
| 2024-03-27 |
curl: CVE-2024-2398: HTTP/2 push headers memory-leak |
hackerone.com |
|
| 2024-03-27 |
curl: CVE-2024-2379: QUIC certificate check bypass with wolfSSL |
hackerone.com |
|
| 2024-03-27 |
GoCD: XSS in GOCD Analytics Plugin |
hackerone.com |
|
| 2024-03-27 |
[$250.0] X (Formerly Twitter): Bypassing x profile verification to receive instant blue checkmark and unlimited profile changes |
hackerone.com |
|
| 2024-03-27 |
HackerOne: View any user email using the Team's audit log section |
hackerone.com |
|
| 2024-03-26 |
HackerOne: Creation of bounties through Customer API leads to private email disclosure |
hackerone.com |
|
| 2021-04-06 |
XSS на странице "Платежи водителей" [city-mobil.ru/taxiserv] |
hackerone.com |
|
| 2021-04-06 |
DOM based XSS via postMessage at store.my.games |
hackerone.com |
|
| 2021-04-06 |
Открытая админка 1C эмулятора |
hackerone.com |
|
| 2021-04-06 |
This Github Repository Seems Leaking Incoming Samokat Project |
hackerone.com |
|
| 2021-04-06 |
"blog.skillfactory.ru" Vulnerable to Directory Traversal |
hackerone.com |
|
| 2021-04-06 |
Exposed Credentials May Leads to Tarantool Infrastructure Leak |
hackerone.com |
|
| 2021-04-06 |
DOM XSS on https://biz.mail.ru/domains/goto/mail/ via parameter pollution |
hackerone.com |
|
| 2021-04-06 |
Information Disclosure of Garbage Collection Cycle 'Again' |
hackerone.com |
|
| 2021-04-06 |
Ability to invite a new member on Sandbox Program |
hackerone.com |
|
| 2021-04-05 |
Login CSRF : Login Authentication Flaw on https://liberapay.com/ |
hackerone.com |
|
| 2021-04-03 |
Cross-Tenant IDOR ( graphql `AddRulesToPixelEvents` query ) allowing to add, update, and delete rules of any Pixel events on the platform |
hackerone.com |
|
| 2021-04-03 |
Website vulnerable to POODLE (SSLv3) with expired certificate |
hackerone.com |
|
| 2021-04-03 |
Password Reset link hijacking via Host Header Poisoning leads to account takeover |
hackerone.com |
|
| 2021-04-03 |
Reflected XSS on ███ |
hackerone.com |
|
| 2021-04-03 |
Read-only path traversal (CVE-2020-3452) at https://██████.mil |
hackerone.com |
|
| 2021-04-03 |
XML Injection on https://www.█████████ (███ parameter) |
hackerone.com |
|
| 2021-04-03 |
External Service Interaction (HTTP/DNS) on https://www.███ (██████████ parameter) |
hackerone.com |
|
| 2021-04-03 |
Improper Access Control - Generic on https://████ |
hackerone.com |
|
| 2021-04-03 |
Read-only path traversal (CVE-2020-3452) at https://█████ |
hackerone.com |
|
| 2021-04-03 |
Read-only path traversal (CVE-2020-3452) at https://████████ |
hackerone.com |
|
| 2021-04-03 |
Reflected XSS in https://██████████ via "████████" parameter |
hackerone.com |
|
| 2021-04-03 |
Reflected XSS on ███████ |
hackerone.com |
|
| 2021-04-03 |
Reflected XSS on █████████ |
hackerone.com |
|
| 2021-04-02 |
KOPS documentation references domains which were not registered |
hackerone.com |
|
| 2021-04-02 |
Google API key leaks and security misconfiguration leads Open Redirect Vulnerability |
hackerone.com |
|
| 2021-04-02 |
HackerOne Jira integration plugin Leaked JWT to unauthorized jira users |
hackerone.com |
|
| 2021-04-02 |
Kubelet follows symlinks as root in /var/log from the /logs server endpoint |
hackerone.com |
|
| 2021-04-02 |
API Server DoS (crash?) if many large resources (~1MB each) are concurrently/repeatedly sent to an external Validating WebHook endpoint |
hackerone.com |
|
| 2021-04-02 |
SocialClub Account Take Over Through Import Friends feature |
hackerone.com |
|
| 2021-04-02 |
Access control issue on invoice documents downloading feature. |
hackerone.com |
|
| 2021-04-01 |
[Fixed] KIS for macOS is vulnerable to AV bypass due to improper client authorization on XPC service |
hackerone.com |
|
| 2021-04-01 |
[OPEN S3 BUCKET] All uploaded files are public. |
hackerone.com |
|
| 2021-04-01 |
Khan Academy ClickJacking to Steal Users's Credintials |
hackerone.com |
|
| 2021-03-31 |
HTML Injection on "polls" app - comments section (possibly XSS) |
hackerone.com |
|
| 2021-03-31 |
[Fixed] A vulnerability in KAVKIS 2020 products family allows full disabling of protection |
hackerone.com |
|
| 2021-03-31 |
Account takeover via XSS |
hackerone.com |
|
| 2021-03-31 |
mysql.initial.sql file is accessable for everyone |
hackerone.com |
|
| 2021-03-31 |
crlf injection на https://bug.qiwi.com |
hackerone.com |
|
| 2021-03-31 |
Reset any password |
hackerone.com |
|
