110, https://hackerone.com/reports/110, Login page password-guessing attack, informative
120, https://hackerone.com/reports/120, Missing SPF for hackerone.com, resolved
263, https://hackerone.com/reports/263, Report title autocompletion, resolved
275, https://hackerone.com/reports/275, Flawed account creation process allows registration of usernames corresponding to existing file names, resolved
280, https://hackerone.com/reports/280, Real impersonation, resolved
284, https://hackerone.com/reports/284, Broken Authentication and session management OWASP A2, resolved
288, https://hackerone.com/reports/288, Session Management, resolved
298, https://hackerone.com/reports/298, RTL override symbol not stripped from file names, resolved
321, https://hackerone.com/reports/321, CSP not consistently applied, resolved
345, https://hackerone.com/reports/345, Privilege escalation..., or not?!, resolved
353, https://hackerone.com/reports/353, Session not expired on logout, resolved
390, https://hackerone.com/reports/390, Pixel flood attack, resolved
400, https://hackerone.com/reports/400, GIF flooding, resolved
454, https://hackerone.com/reports/454, PNG compression DoS, resolved
477, https://hackerone.com/reports/477, Flawed account creation process allows registration of usernames corresponding to existing file names, resolved
487, https://hackerone.com/reports/487, DNS Cache Poisoning, resolved
499, https://hackerone.com/reports/499, Ruby: Heap Overflow in Floating Point Parsing, resolved
500, https://hackerone.com/reports/500, OpenSSH: Memory corruption in AES-GCM support, resolved
501, https://hackerone.com/reports/501, TLS Virtual Host Confusion, resolved
523, https://hackerone.com/reports/523, PHP openssl_x509_parse() Memory Corruption Vulnerability, resolved
546, https://hackerone.com/reports/546, Logical issues with account settings, resolved
547, https://hackerone.com/reports/547, CSRF login, resolved
575, https://hackerone.com/reports/575, Email spoofing , resolved
713, https://hackerone.com/reports/713, Upload profile photo from URL, resolved
727, https://hackerone.com/reports/727, Switching the user to the attacker's account, resolved
737, https://hackerone.com/reports/737, Improper session management, resolved
738, https://hackerone.com/reports/738, Information disclosure (reset password token) and changing the user's password, resolved
742, https://hackerone.com/reports/742, A password reset page does not properly validate the authenticity token at the server side., resolved
761, https://hackerone.com/reports/761, Enumeration of users, informative
774, https://hackerone.com/reports/774, Log in a user to another account, resolved
809, https://hackerone.com/reports/809, Improperly implemented password recovery link functionality, resolved
842, https://hackerone.com/reports/842, Autocomplete enabled in Paypal preferences, resolved
914, https://hackerone.com/reports/914, XSS Yahoo Messenger Via Calendar.Yahoo.Com , resolved
916, https://hackerone.com/reports/916, Cross-site scripting on the main page of flickr by tagging a user., resolved
933, https://hackerone.com/reports/933, Java Applet Execution On Y! Messenger, informative
940, https://hackerone.com/reports/940, Store XSS Flicker main page, resolved
1011, https://hackerone.com/reports/1011, XSS using yql and developers console proxy, informative
1066, https://hackerone.com/reports/1066, Bypass of anti-SSRF defenses in YahooCacheSystem (affecting at least YQL and Pipes), informative
1091, https://hackerone.com/reports/1091, Information Disclosure , informative
1092, https://hackerone.com/reports/1092, Directory Traversal , resolved
1171, https://hackerone.com/reports/1171, Security.allowDomain("*") in SWFs on img.autos.yahoo.com allows data theft from Yahoo Mail (and others), resolved
1203, https://hackerone.com/reports/1203, XSS in my yahoo, resolved
1207, https://hackerone.com/reports/1207, clickjacking , informative
1209, https://hackerone.com/reports/1209, Authentication Bypass in Yahoo Groups, informative
1229, https://hackerone.com/reports/1229, ClickJacking on http://au.launch.yahoo.com, informative
1258, https://hackerone.com/reports/1258, Vulnerability found, XSS (Cross site Scripting), informative
1356, https://hackerone.com/reports/1356, PHP Heap Overflow Vulnerability in imagecrop(), resolved
1376, https://hackerone.com/reports/1376, HTML Code Injection , resolved
1407, https://hackerone.com/reports/1407, Yahoo YQL Injection? , informative
1409, https://hackerone.com/reports/1409, Proxy discloses internal web servers, resolved
1425, https://hackerone.com/reports/1425, SSL Not Enforced, resolved
1429, https://hackerone.com/reports/1429, URL Redirection, resolved
1483, https://hackerone.com/reports/1483, HTML Injection on flickr screename using IOS App, resolved
1498, https://hackerone.com/reports/1498, Strict Transport Security on secret.ly, resolved
1509, https://hackerone.com/reports/1509, DNS Misconfiguration, resolved
1533, https://hackerone.com/reports/1533, Flickr: Invitations disclosure (resend feature), resolved
1538, https://hackerone.com/reports/1538, SQLi on http://sports.yahoo.com/nfl/draft, resolved
1553, https://hackerone.com/reports/1553, XSS Reflected - Yahoo Travel, resolved
1620, https://hackerone.com/reports/1620, A csrf vulnerability which add and remove a favorite team from a user account., informative
1675, https://hackerone.com/reports/1675, Local file inclusion , resolved
2101, https://hackerone.com/reports/2101, In Fantasy Sports iOS app, signup page is requested over HTTP, informative
2106, https://hackerone.com/reports/2106, Flash type confusion vulnerability leads to code execution, resolved
2107, https://hackerone.com/reports/2107, Handling of jar: URIs bypasses AllowScriptAccess=never, resolved
2126, https://hackerone.com/reports/2126, Insufficient validation of redirect URL on login page allows hijacking user name and password, informative
2127, https://hackerone.com/reports/2127, HK.Yahoo.Net Remote Command Execution, resolved
2140, https://hackerone.com/reports/2140, Flash local-with-fileaccess Sandbox Bypass, resolved
2168, https://hackerone.com/reports/2168, XSS on Every sports.yahoo.com page, resolved
2170, https://hackerone.com/reports/2170, Flash double free vulnerability leads to code execution, resolved
2193, https://hackerone.com/reports/2193, harvesting attack on user registration, informative
2221, https://hackerone.com/reports/2221, CSS leaks SCSS debug info, resolved
2224, https://hackerone.com/reports/2224, Bypass auth.email-domains, resolved
2228, https://hackerone.com/reports/2228, Login CSRF using Twitter OAuth, resolved
2233, https://hackerone.com/reports/2233, Bypass auth.email-domains (2), resolved
2240, https://hackerone.com/reports/2240, Reflected XSS in mail.yahoo.com, informative
2293, https://hackerone.com/reports/2293, Widespread failure of certificate validation in Android apps, resolved
2322, https://hackerone.com/reports/2322, Yahoo open redirect using ad, informative
2414, https://hackerone.com/reports/2414, open redirect, informative
2421, https://hackerone.com/reports/2421, Value of JSESSIONID  and XSRF token parameter in cookie remains same before and after login, resolved
2427, https://hackerone.com/reports/2427, XSRF token problem, resolved
2429, https://hackerone.com/reports/2429, Hackerone Email Addresses Enumeration, informative
2439, https://hackerone.com/reports/2439, Cross Site Scripting (XSS) - app.relateiq.com, resolved
2497, https://hackerone.com/reports/2497, Reflective XSS can be triggered in IE, resolved
2559, https://hackerone.com/reports/2559, Broken Authentication (including Slack OAuth bugs), resolved
2575, https://hackerone.com/reports/2575, Slack OAuth2 "redirect_uri" Bypass , resolved
2582, https://hackerone.com/reports/2582, Session Fixation disclosing email address, informative
2584, https://hackerone.com/reports/2584, Weird Bug - Ability to see partial of other user's notification, resolved
2596, https://hackerone.com/reports/2596, Yahoo mail login page bruteforce protection bypass, informative
2598, https://hackerone.com/reports/2598, http://conf.member.yahoo.com configuration file disclosure, resolved
2617, https://hackerone.com/reports/2617, Stored XSS in www.slack-files.com, resolved
2622, https://hackerone.com/reports/2622, URL redirection flaw, resolved
2625, https://hackerone.com/reports/2625, Stored XSS in username.slack.com, resolved
2628, https://hackerone.com/reports/2628, CSRF vulnerability on https://sehacure.slack.com/account/settings, resolved
2635, https://hackerone.com/reports/2635, csrf, resolved
2638, https://hackerone.com/reports/2638, CSRF on add comment section, resolved
2639, https://hackerone.com/reports/2639, Stored XSS on this link https://sehacure.slack.com/help/requests/, resolved
2652, https://hackerone.com/reports/2652, Stored XSS in Channel Chat , resolved
2688, https://hackerone.com/reports/2688, State parameter missing on google OAuth, resolved
2731, https://hackerone.com/reports/2731, Open redirect vulnerability , informative
2735, https://hackerone.com/reports/2735, HTML injection in "Invite Collaborators", resolved
2746, https://hackerone.com/reports/2746, Data exports stored on S3 can be scraped easily, resolved
2766, https://hackerone.com/reports/2766, Email enumeration, informative
2777, https://hackerone.com/reports/2777, Reflected Xss, resolved
2857, https://hackerone.com/reports/2857, CSRF token valid even after the session logout of a particular user, informative
2926, https://hackerone.com/reports/2926, Stored XSS , resolved
2975, https://hackerone.com/reports/2975, Deleting Teams implemenation, informative
2979, https://hackerone.com/reports/2979, Content Spoofing, informative
3039, https://hackerone.com/reports/3039, SQL Injection ON HK.Promotion, resolved
3227, https://hackerone.com/reports/3227, Control Characters Not Stripped From Username on Signup, resolved
3356, https://hackerone.com/reports/3356, UnAuthorized Editorial Publishing to Blogs, resolved
3370, https://hackerone.com/reports/3370, Directory traversal attack in view resolver, resolved
3432, https://hackerone.com/reports/3432, RelateIQ GWT based application visible to unauthenticated users, informative
3441, https://hackerone.com/reports/3441, Captcha Bypass With Extension, resolved
3455, https://hackerone.com/reports/3455, flash content type sniff vulnerability in api.slack.com, resolved
3577, https://hackerone.com/reports/3577, Authentication bypass at fast.corp.yahoo.com, informative
3578, https://hackerone.com/reports/3578, Clickjacking at surveylink.yahoo.com, informative
3596, https://hackerone.com/reports/3596, OAuth access_token stealing in Phabricator, resolved
3709, https://hackerone.com/reports/3709, Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!), resolved
3722, https://hackerone.com/reports/3722, User impersonation is possible with incoming webhooks, informative
3921, https://hackerone.com/reports/3921, Control character allowed in username, resolved
3923, https://hackerone.com/reports/3923, Adding an user email address to the list before confirming., informative
3930, https://hackerone.com/reports/3930, OAuth Stealing Attack (New), resolved
3986, https://hackerone.com/reports/3986, Securing sensitive pages from SearchBots, resolved
3991, https://hackerone.com/reports/3991, Accepting Invalid characters on email address, resolved
4114, https://hackerone.com/reports/4114, Persistent XSS: Editor link, resolved
4184, https://hackerone.com/reports/4184, javascript: and mailto: links are allowed on users' profiles, resolved
4256, https://hackerone.com/reports/4256, XSS Vulnerability (my.yahoo.com), resolved
4276, https://hackerone.com/reports/4276, Here is another XSS i got for you, resolved
4277, https://hackerone.com/reports/4277, Stored Cross Site Scripting Vulnerability in Yahoo Mail, informative
4359, https://hackerone.com/reports/4359, Almost all the subdomains are infected., informative
4409, https://hackerone.com/reports/4409, TRACE disclosure attack may be possible, resolved
4461, https://hackerone.com/reports/4461, Server Side Request Forgery, resolved
4521, https://hackerone.com/reports/4521, Open URL Redirection, informative
4549, https://hackerone.com/reports/4549, Open Redirect in Slack, informative
4561, https://hackerone.com/reports/4561, Stored XSS in Slackbot Direct Messages, resolved
4570, https://hackerone.com/reports/4570, Open redirect on tw.money.yahoo.com, resolved
4638, https://hackerone.com/reports/4638, Duplicate of #4550, resolved
4689, https://hackerone.com/reports/4689, SPDY memory corruption, resolved
4690, https://hackerone.com/reports/4690, SPDY heap buffer overflow, resolved
4777, https://hackerone.com/reports/4777, XSS in Theme Preview Tools File, resolved
4792, https://hackerone.com/reports/4792, HttpOnly flag not set for cookie on concrete5.org, resolved
4795, https://hackerone.com/reports/4795, Bypass auth.email-domains, resolved
4808, https://hackerone.com/reports/4808, /index.php/dashboard/sitemap/explore/ Cross-site scripting, resolved
4811, https://hackerone.com/reports/4811, dashboard/pages/types [Unknown column 'Array' in 'where clause'] disclosure., resolved
4826, https://hackerone.com/reports/4826, XSS in private message, resolved
4836, https://hackerone.com/reports/4836, From Unrestricted File Upload to Remote Command Execution, resolved
4839, https://hackerone.com/reports/4839, XSS IN member List (Because of City Textbox), resolved
4931, https://hackerone.com/reports/4931, CONCRETE5 - path disclosure., resolved
4938, https://hackerone.com/reports/4938, page_controls_menu_js can reveal collection version of page, resolved
5073, https://hackerone.com/reports/5073, Information Disclosure That shows the webroot of CoinBase Server, informative
5199, https://hackerone.com/reports/5199, Improper Validation of the Referrer header leading to Open URL Redirection, informative
5200, https://hackerone.com/reports/5200, User Enumeration, Information Disclosure and Lack of Rate Limitation on API, informative
5204, https://hackerone.com/reports/5204,  Cookie missing the HttpOnly flag  , informative
5205, https://hackerone.com/reports/5205, IFRAME loaded from External Domains  , informative
5221, https://hackerone.com/reports/5221, Out of date version, informative
5314, https://hackerone.com/reports/5314, Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code, resolved
5426, https://hackerone.com/reports/5426, CRITICAL BUG!, resolved
5437, https://hackerone.com/reports/5437, Please contact me @sehacure otherwise i am going to disclose in Full disclosure mailing list :p , informative
5441, https://hackerone.com/reports/5441, Hack administrator password even if you are a guest, resolved
5442, https://hackerone.com/reports/5442, XSS in Yahoo! Web Analytics, resolved
5466, https://hackerone.com/reports/5466, Bug in Source Code Files(v1.1), resolved
5499, https://hackerone.com/reports/5499, Arbitrary command execution in MS-DOS, resolved
5534, https://hackerone.com/reports/5534, Permanent Denial of Service , resolved
5549, https://hackerone.com/reports/5549, History Disclosure of MS-Dos, resolved
5559, https://hackerone.com/reports/5559, Injecting Distrust and Disbelief in Addicted Gamers , resolved
5596, https://hackerone.com/reports/5596, एमएस  डॉस प्राणघाती है।  , informative
5617, https://hackerone.com/reports/5617, TLS1/SSLv3 Renegotiation Vulnerability, informative
5654, https://hackerone.com/reports/5654, OPTIONS Method Enabled, resolved
5688, https://hackerone.com/reports/5688, User guessing/enumeration at  https://app.c2fo.com/api/password-reset, resolved
5691, https://hackerone.com/reports/5691, Password reset token leakage through referrer at https://app.c2fo.com/password/reset/, informative
5786, https://hackerone.com/reports/5786, Coinbase Android Security Vulnerabilities, informative
5928, https://hackerone.com/reports/5928, Uncontrolled Resource Consumption with XMPP-Layer Compression, resolved
5933, https://hackerone.com/reports/5933, Multiple Issues related to registering applications, resolved
5946, https://hackerone.com/reports/5946, Marking notifications as read CSRF bug, resolved
5986, https://hackerone.com/reports/5986, Information Disclosure, groups.yahoo.com,6-april-2014, #SpringClean, informative
6002, https://hackerone.com/reports/6002, Stored XSS in Slack.com, resolved
6017, https://hackerone.com/reports/6017, Facebook Takeover using Slack using 302 from files.slack.com with access_token, resolved
6035, https://hackerone.com/reports/6035, open redirect in https://slack.com, informative
6194, https://hackerone.com/reports/6194, Significant Information Disclosure/Load balancer access, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean, resolved
6195, https://hackerone.com/reports/6195, reflected XSS, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean, resolved
6268, https://hackerone.com/reports/6268, Cross-origin issue on rmaiauth.ads.vip.bf1.yahoo.com, resolved
6322, https://hackerone.com/reports/6322, Header injection on rmaitrack.ads.vip.bf1.yahoo.com, resolved
6344, https://hackerone.com/reports/6344, http://smarthistory.khanacademy.org/search-results.html XSS, resolved
6350, https://hackerone.com/reports/6350, creating titleless and non-closable bugs , resolved
6352, https://hackerone.com/reports/6352, Dom based XSS https://www.khanacademy.org/, resolved
6353, https://hackerone.com/reports/6353, Wildcard DNS in website, resolved
6357, https://hackerone.com/reports/6357, https://www.khanacademy.org/login open-redirect, resolved
6362, https://hackerone.com/reports/6362, Full Path Disclosure on [smarthistory.khanacademy.org], resolved
6369, https://hackerone.com/reports/6369, Stored XSS {dangerous?} https://www.khanacademy.org/coach/roster/?listId=allStudents, resolved
6370, https://hackerone.com/reports/6370, Possible clickjacking at shop.khanacademy.org, informative
6371, https://hackerone.com/reports/6371, Lighttpd version disclosure / directory listing, resolved
6376, https://hackerone.com/reports/6376, User guessing/enumeration at sw.khanacademy.org, informative
6378, https://hackerone.com/reports/6378, CSRF - Adding/Removing items to cart - shop.khanacademy.org, informative
6380, https://hackerone.com/reports/6380, Same Origin Security Bypass Vulnerability, resolved
6389, https://hackerone.com/reports/6389, Integer overflow in strop.expandtabs, resolved
6409, https://hackerone.com/reports/6409, https://www.khanacademy.org/coach/reports/activity XSS, resolved
6412, https://hackerone.com/reports/6412, Persistent class XSS [the fuck], resolved
6475, https://hackerone.com/reports/6475, https://concrete5.org ::: HeartBleed Attack (CVE-2014-0160), resolved
6488, https://hackerone.com/reports/6488, Weak Ciphers Enabled, resolved
6491, https://hackerone.com/reports/6491, c2fo.com is releasing sensitive Information about Database Configuration., resolved
6504, https://hackerone.com/reports/6504, Session Fixation Found, resolved
6547, https://hackerone.com/reports/6547, (lack of) smtp transport layer security, informative
6564, https://hackerone.com/reports/6564, Open Redirection in SmartHistory KhanAcademy, resolved
6574, https://hackerone.com/reports/6574, Login page password-guessing attack, resolved
6575, https://hackerone.com/reports/6575, XSS at  http://smarthistory.khanacademy.org, resolved
6626, https://hackerone.com/reports/6626, TLS heartbeat read overrun, resolved
6665, https://hackerone.com/reports/6665, Comment Spoofing  at  http://suggestions.yahoo.com/detail/?prop=directory&fid=97721, resolved
6674, https://hackerone.com/reports/6674, REMOTE CODE EXECUTION/LOCAL FILE INCLUSION/XSPA/SSRF, view-source:http://sb*.geo.sp1.yahoo.com/, 4/6/14, #SpringClean, resolved
6697, https://hackerone.com/reports/6697, No Captcha or rate limit on Login Page, resolved
6700, https://hackerone.com/reports/6700, CSRF Token missing on  http://baseball.fantasysports.yahoo.com/b1/127146/messages, resolved
6702, https://hackerone.com/reports/6702, CSRF Token is missing on DELETE message option on  http://baseball.fantasysports.yahoo.com/b1/127146/messages, resolved
6704, https://hackerone.com/reports/6704, Open Proxy, http://www.smushit.com/ysmush.it/, 4/09/14, #SpringClean, resolved
6794, https://hackerone.com/reports/6794, The server supports only older protocols for HTTPS connections, resolved
6826, https://hackerone.com/reports/6826, Blocking yourself, resolved
6843, https://hackerone.com/reports/6843, Cross-Site Scripting in getMarketplacePurchaseFrame, resolved
6853, https://hackerone.com/reports/6853, XSS on [/concrete/concrete/elements/dashboard/sitemap.php], resolved
6871, https://hackerone.com/reports/6871, Login CSRF, resolved
6872, https://hackerone.com/reports/6872, Sign up CSRF, resolved
6877, https://hackerone.com/reports/6877, Unsecure cookies, cookie flag secure not set, resolved
6883, https://hackerone.com/reports/6883, Bruteforcing irccloud login, resolved
6888, https://hackerone.com/reports/6888, HTML Form without CSRF protection, resolved
6907, https://hackerone.com/reports/6907, Session Token is not Verified while changing Account Setting's which Result In account Takeover, resolved
6910, https://hackerone.com/reports/6910, Full account takeover using CSRF and password reset, resolved
6927, https://hackerone.com/reports/6927, Session cookie can be leaked over an unencrypted HTTP connection, resolved
6935, https://hackerone.com/reports/6935, Missing X-Content-Type-Options, resolved
7033, https://hackerone.com/reports/7033, "SESSION"  Cookie without HttpOnly flag set, informative
7036, https://hackerone.com/reports/7036, Bug in iOS application which could lead to unauthorised access., resolved
7041, https://hackerone.com/reports/7041, iOS application does not destroy session upon logout., resolved
7051, https://hackerone.com/reports/7051,  User Account Creation CSRF , resolved
7085, https://hackerone.com/reports/7085, DNS Misconfiguration, resolved
7116, https://hackerone.com/reports/7116, CSRF to Account Take Over Bug , resolved
7121, https://hackerone.com/reports/7121, Persistent Cross Site Scripting within the IRCCloud Pastebin , resolved
7226, https://hackerone.com/reports/7226, Login page password-guessing attack(Brute-force attack-High)., informative
7264, https://hackerone.com/reports/7264, Bypass of the Clickjacking protection on Flickr using data URL in iframes, resolved
7266, https://hackerone.com/reports/7266, XSS in https://hk.user.auctions.yahoo.com, resolved
7270, https://hackerone.com/reports/7270, Bruteforce attack in login panel, resolved
7277, https://hackerone.com/reports/7277, TLS Triple Handshake Attack, resolved
7332, https://hackerone.com/reports/7332, CSRF - Creating accounts, resolved
7357, https://hackerone.com/reports/7357, Host Header is not validated resulting in Open Redirect, resolved
7369, https://hackerone.com/reports/7369, 2 factor authentication design flaw, resolved
7436, https://hackerone.com/reports/7436, Unwanted Spamming Using CSRF [LOGGED IN USER], informative
7441, https://hackerone.com/reports/7441, Dangerous Persistent xss, resolved
7516, https://hackerone.com/reports/7516, Log Out Cross site Request Forgery, resolved
7531, https://hackerone.com/reports/7531, Login CSRF can be bypassed (Similar approach to previous one)., resolved
7571, https://hackerone.com/reports/7571, Simplenote Silverlight cross-domain policy misconfiguration, resolved
7608, https://hackerone.com/reports/7608, invite1.us2.msg.vip.bf1.yahoo.com/ - CSRF/email disclosure, resolved
7680, https://hackerone.com/reports/7680, Session Cookie without Secure flag set, informative
7731, https://hackerone.com/reports/7731, ads.yahoo.com Unvalidate open url redirection, informative
7736, https://hackerone.com/reports/7736, FULL PATH DISCLOSUR , resolved
7745, https://hackerone.com/reports/7745, clickjacking on leaving group(flick), informative
7779, https://hackerone.com/reports/7779, Local File Include on marketing-dam.yahoo.com, resolved
7803, https://hackerone.com/reports/7803, Security bypass could lead to information disclosure, resolved
7813, https://hackerone.com/reports/7813, readble .htaccess + Source Code Disclosure  (+ .SVN repository), resolved
7843, https://hackerone.com/reports/7843, Session Cookie without Secure flag set, informative
7849, https://hackerone.com/reports/7849, HTML form without CSRF protection, informative
7862, https://hackerone.com/reports/7862, ClickJacking, resolved
7863, https://hackerone.com/reports/7863, HTML Form Without CSRF protection, resolved
7865, https://hackerone.com/reports/7865, Sign-up Form CSRF, resolved
7868, https://hackerone.com/reports/7868, XSS in Groups, resolved
7869, https://hackerone.com/reports/7869, No BruteForce Protection, resolved
7870, https://hackerone.com/reports/7870, Change user settings through CSRF, resolved
7873, https://hackerone.com/reports/7873, Stored XSS, resolved
7876, https://hackerone.com/reports/7876, XSS & HTML injection, resolved
7882, https://hackerone.com/reports/7882, XSS in main page, resolved
7883, https://hackerone.com/reports/7883, Password Policy, resolved
7886, https://hackerone.com/reports/7886, XSS in main page (invitation), resolved
7887, https://hackerone.com/reports/7887, XSS in invite approval, resolved
7888, https://hackerone.com/reports/7888, Unexpected array leaks information about the system, resolved
7890, https://hackerone.com/reports/7890, XSS in Localize.io, resolved
7894, https://hackerone.com/reports/7894, Full path disclosure, resolved
7897, https://hackerone.com/reports/7897, HTML/Javascript possible in "Discussion" section of reviews, resolved
7898, https://hackerone.com/reports/7898, Persistent Cross-site scripting vulnerability settings., resolved
7900, https://hackerone.com/reports/7900, OAuth open redirect, resolved
7903, https://hackerone.com/reports/7903, Path Disclosure (Info Disclosure) in  http://www.localize.io, resolved
7909, https://hackerone.com/reports/7909, Business logic Failure - Browser cache management and logout vulnerability., resolved
7913, https://hackerone.com/reports/7913, Import emails from Gmail are activate XSS, resolved
7914, https://hackerone.com/reports/7914, Server header - information disclosure , resolved
7915, https://hackerone.com/reports/7915, Uninitialized variable error message leaks information , resolved
7916, https://hackerone.com/reports/7916, No Cross-Site Request Forgery protection at multiple locations, resolved
7917, https://hackerone.com/reports/7917, Find, private notes Cross-site scripting., resolved
7919, https://hackerone.com/reports/7919, XSS via Email, resolved
7921, https://hackerone.com/reports/7921, Assigning a non-existing role to user causes exception when opening project page, resolved
7923, https://hackerone.com/reports/7923, Apache2 /icons/ folder accessible, resolved
7924, https://hackerone.com/reports/7924, Clickjacking - changing role, resolved
7929, https://hackerone.com/reports/7929, Arbitrary file uploads to Amazon WS., informative
7930, https://hackerone.com/reports/7930, Information Disclosure (Directory Structure), resolved
7931, https://hackerone.com/reports/7931, Issue with remember_user_token, resolved
7936, https://hackerone.com/reports/7936, Login CSRF in Secret.ly, resolved
7941, https://hackerone.com/reports/7941, A Serious Bug on SIGNUP Process!, resolved
7945, https://hackerone.com/reports/7945, x-frame options-sameorigin warning, resolved
7949, https://hackerone.com/reports/7949, DNS Misconfiguration, resolved
7950, https://hackerone.com/reports/7950, User credentials are sent in clear text, informative
7954, https://hackerone.com/reports/7954, Password type input with auto-complete enabled, informative
7962, https://hackerone.com/reports/7962, CSRF in adding phrase., resolved
7968, https://hackerone.com/reports/7968, Sensitive file, resolved
7969, https://hackerone.com/reports/7969, HTTP Strict transport security policy not enabled, resolved
7972, https://hackerone.com/reports/7972, Full Path Disclosure, resolved
7995, https://hackerone.com/reports/7995, XSS in password, resolved
8010, https://hackerone.com/reports/8010, XSS via Email Link, resolved
8013, https://hackerone.com/reports/8013, Full Path Disclosure (2), resolved
8017, https://hackerone.com/reports/8017, Login page password-guessing attack, duplicate
8019, https://hackerone.com/reports/8019, Possible sensitive files, duplicate
8053, https://hackerone.com/reports/8053, X-Content-Type-Options header missing, resolved
8055, https://hackerone.com/reports/8055, Apache Documentation, resolved
8059, https://hackerone.com/reports/8059, X-Content-Type-Options header missing, resolved
8064, https://hackerone.com/reports/8064, Numerous open ports/services, resolved
8082, https://hackerone.com/reports/8082, Password Reset Bug, resolved
8088, https://hackerone.com/reports/8088, Full Path Disclosure (FPD) in www.localize.io, resolved
8090, https://hackerone.com/reports/8090, Full Path Disclosure / Info Disclosure in Creating New Group, resolved
8091, https://hackerone.com/reports/8091, Full Path Disclosure / Info Disclosure in Importing XML Section!, resolved
8093, https://hackerone.com/reports/8093, infinite number of new project creation!, resolved
8102, https://hackerone.com/reports/8102, Making groups in any project without permission , resolved
8104, https://hackerone.com/reports/8104, Deleting groups in any project without permission , resolved
8184, https://hackerone.com/reports/8184, OPTIONS Method Enabled, resolved
8216, https://hackerone.com/reports/8216, Group Creation Via CSRF, resolved
8218, https://hackerone.com/reports/8218, Group Deletion Via CSRF, resolved
8224, https://hackerone.com/reports/8224,  Private Project Access Request Accpeted Via CSRF , resolved
8226, https://hackerone.com/reports/8226, Private Project Access Request Invitation Sent Via CSRF , resolved
8239, https://hackerone.com/reports/8239, No Wildcard DNS, resolved
8242, https://hackerone.com/reports/8242, Allowed method disclosure, resolved
8273, https://hackerone.com/reports/8273, Projects Watch or Notifications Settings Change Via CSRF, resolved
8281, https://hackerone.com/reports/8281, https://caldav.calendar.yahoo.com/ - XSS (STORED) , resolved
8284, https://hackerone.com/reports/8284, information disclosure (LOAD BALANCER + URI XSS), resolved
8375, https://hackerone.com/reports/8375, rs.mail.ru - Flash Based XSS, resolved
8448, https://hackerone.com/reports/8448, Xss On http://my.mail.ru/, resolved
8459, https://hackerone.com/reports/8459, Clicjacking on Login panel, resolved
8472, https://hackerone.com/reports/8472, Reflected XSS, resolved
8724, https://hackerone.com/reports/8724, Clickjacking, resolved
8737, https://hackerone.com/reports/8737, Deleting team members, resolved
8767, https://hackerone.com/reports/8767, CSRF in Cloudflare login, resolved
8780, https://hackerone.com/reports/8780, Information Disclosure (FPD) - stopthehacker.com, resolved
8786, https://hackerone.com/reports/8786, jplayer.swf Cross-site scripting, resolved
8803, https://hackerone.com/reports/8803, Admin panel of http://tp-test1.corp.mail.ru/ is acccessible publicly, resolved
8806, https://hackerone.com/reports/8806, Content spoofing /CSRF at https://www.cloudflare.com/ajax/modal-dialog.html, resolved
8817, https://hackerone.com/reports/8817, http://cdnjs.cloudflare.com/ Cross-site scripting 2, resolved
8843, https://hackerone.com/reports/8843, CSRF - Disabling orders at https://panel.stopthehacker.com/manage/disable-order/order/ID, informative
8846, https://hackerone.com/reports/8846, localStorage не чистится после выхода, resolved
8849, https://hackerone.com/reports/8849, csrf on password change functionality , resolved
8862, https://hackerone.com/reports/8862, XSS in Stopthehacker support, resolved
8873, https://hackerone.com/reports/8873, Apache Multiviews are enabled, informative
8920, https://hackerone.com/reports/8920, XSS - http://js.cloudflare.com, informative
8943, https://hackerone.com/reports/8943, System Status Update CSRF, resolved
8996, https://hackerone.com/reports/8996, No Bruteforce Protection, resolved
9008, https://hackerone.com/reports/9008, Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!), resolved
9017, https://hackerone.com/reports/9017, Flash-based XSS in cdnjs.cloudflare.com subdomain, resolved
9031, https://hackerone.com/reports/9031,  Cookie missing the Secure flag  , informative
9062, https://hackerone.com/reports/9062, No CSRF token used in Phone Verification POST, informative
9088, https://hackerone.com/reports/9088, Atttacker can send "Invitation Request" to a Project that is not even created yet!, resolved
9116, https://hackerone.com/reports/9116, Unproper usage of Mobile Number that will lead to Information Disclosure, informative
9137, https://hackerone.com/reports/9137, Full Path Disclosure, resolved
9148, https://hackerone.com/reports/9148, XSS Reflected - https://www.stopthehacker.com/, resolved
9230, https://hackerone.com/reports/9230, XSS 1, resolved
9256, https://hackerone.com/reports/9256, Full Path Disclosure (FPD) in www.localize.im, resolved
9318, https://hackerone.com/reports/9318, Home page reflected XSS, resolved
9375, https://hackerone.com/reports/9375, Stored XSS in all fields in Basic Google Maps Placemarks Settings, resolved
9391, https://hackerone.com/reports/9391, Xss in CampTix Event Ticketing, resolved
9460, https://hackerone.com/reports/9460, OAuth Bug, resolved
9479, https://hackerone.com/reports/9479, Anti-MIME-Sniffing header X-Content-Type-Options header has not been set., resolved
9485, https://hackerone.com/reports/9485, Multiple Path Disclosure, informative
9516, https://hackerone.com/reports/9516, PHP and Wordpress version disclosure, informative
9522, https://hackerone.com/reports/9522, https://polldaddy.com storage.swf XSS, resolved
9560, https://hackerone.com/reports/9560, Security issue with your "bag" script, resolved
9703, https://hackerone.com/reports/9703, Loadbalancer + URI XSS #3, resolved
9735, https://hackerone.com/reports/9735, Reflected cross site scripting in login page , resolved
9745, https://hackerone.com/reports/9745, Full Path Disclosure (FPD) in www.localize.im, resolved
9774, https://hackerone.com/reports/9774, Stored XSS Found, resolved
9775, https://hackerone.com/reports/9775, Threat control information leak, resolved
9919, https://hackerone.com/reports/9919, SQL injection [дырка в движке форума], resolved
9921, https://hackerone.com/reports/9921, Time based sql injection, resolved
9950, https://hackerone.com/reports/9950, All Active user sessions should be deleted when user change his password!, resolved
10027, https://hackerone.com/reports/10027, Login without SSL-Protection, informative
10037, https://hackerone.com/reports/10037, SQL inj, resolved
10081, https://hackerone.com/reports/10081, SQL , resolved
10109, https://hackerone.com/reports/10109, Flooding mailbox of user, informative
10154, https://hackerone.com/reports/10154, Persistent XSS in afisha.mail.ru, resolved
10186, https://hackerone.com/reports/10186, Old Sessions remain valid after the password change., informative
10297, https://hackerone.com/reports/10297, Stored XSS in slack.com (integrations), resolved
10373, https://hackerone.com/reports/10373, Bypassing Same Origin Policy With JSONP APIs and Flash, resolved
10377, https://hackerone.com/reports/10377, All Active user sessions should be destroyed when user change his password!, resolved
10468, https://hackerone.com/reports/10468, SQL inj, resolved
10554, https://hackerone.com/reports/10554, Bypassing 2FA for BTC transfers, resolved
10563, https://hackerone.com/reports/10563, CSRF on "Set as primary" option on the accounts page, resolved
10577, https://hackerone.com/reports/10577, XSS in Team Only Area, resolved
10767, https://hackerone.com/reports/10767, Yahoo! Messenger v11.5.0.228 emoticons.xml shortcut Value Handling Stack-Based Buffer Overflow, informative
10829, https://hackerone.com/reports/10829, CSRF in function "Set as primary" on  accounts page, resolved
10841, https://hackerone.com/reports/10841, User's data leak, resolved
10912, https://hackerone.com/reports/10912, Authentication Bypass due to Session Mismanagement, informative
10927, https://hackerone.com/reports/10927, Content Spoofing vulnerability in Mail.ru mobile, informative
10975, https://hackerone.com/reports/10975, Bug Report, resolved
11073, https://hackerone.com/reports/11073, XSS in gist integration, resolved
11410, https://hackerone.com/reports/11410, XSS in https://e.mail.ru/cgi-bin/lstatic (Limited use), resolved
11414, https://hackerone.com/reports/11414, Infrastructure and Application Admin Interfaces (OWASP‐CM‐007), resolved
11625, https://hackerone.com/reports/11625, Subscribe User bug, resolved
11722, https://hackerone.com/reports/11722, Simultaneous Session Logon : Improper Session Management, informative
11729, https://hackerone.com/reports/11729, Path Disclosure Vulnerability, not-applicable
11828, https://hackerone.com/reports/11828, Password reset threshold not set, informative
11861, https://hackerone.com/reports/11861, SQL injection update.mail.ru, resolved
11919, https://hackerone.com/reports/11919, Stored XSS on http://top.mail.ru, resolved
11927, https://hackerone.com/reports/11927, Stored XSS on http://cards.mail.ru, resolved
11945, https://hackerone.com/reports/11945, HTTP Strict Transport Security (HSTS) Policy Not Enabled, informative
11951, https://hackerone.com/reports/11951, SSH Port Wide Open, informative
12011, https://hackerone.com/reports/12011, TESTING FOR REFLECTED CROSS SITE SCRIPTING (OWASP‐DV‐001), resolved
12034, https://hackerone.com/reports/12034, CSRF and No password requirement in this URL Billing Info, resolved
12035, https://hackerone.com/reports/12035, http://us.rd.yahoo.com/, informative
12042, https://hackerone.com/reports/12042, Login password guessing attack, resolved
12297, https://hackerone.com/reports/12297, Python vulnerability: reading arbitrary process memory, resolved
12341, https://hackerone.com/reports/12341, MISSING SPF (Sender Policy Framework) for meteorapm.com, resolved
12355, https://hackerone.com/reports/12355, Undeletable File, resolved
12389, https://hackerone.com/reports/12389, XSS in the input, resolved
12425, https://hackerone.com/reports/12425, API keys being cached , informative
12453, https://hackerone.com/reports/12453, Strict Transport Security Misconfiguration, resolved
12454, https://hackerone.com/reports/12454, Browser cross-site scripting filter misconfiguration, resolved
12457, https://hackerone.com/reports/12457,  Content Sniffing not disabled, resolved
12497, https://hackerone.com/reports/12497, Adobe Flash Player FileReference Use-after-Free Vulnerability, resolved
12506, https://hackerone.com/reports/12506, Content Sniffing not disabled, resolved
12583, https://hackerone.com/reports/12583, XXE and SSRF on webmaster.mail.ru, resolved
12588, https://hackerone.com/reports/12588, XSS in a file or folder name, resolved
12613, https://hackerone.com/reports/12613, X-Content-Type-Options header missing, resolved
12617, https://hackerone.com/reports/12617, Account hijacking possible through ADB backup feature, resolved
12685, https://hackerone.com/reports/12685, Authorization issue on creative.yahoo.com, resolved
12708, https://hackerone.com/reports/12708, Testing for user enumeration (OWASP‐AT‐002) - https://gh.bouncer.login.yahoo.com, resolved
12782, https://hackerone.com/reports/12782, Spamming any user from Reset Password Function, not-applicable
12794, https://hackerone.com/reports/12794, Раскрытие путей сервера за счёт неопределённого индекса в сценарии /home/berserk-online.com/public_html/forum/Themes/berserker/Profile.template.php, resolved
12804, https://hackerone.com/reports/12804, Reflected  XSS in User-Agent, resolved
12815, https://hackerone.com/reports/12815, Improper filtering of classes used in codeblocks in Markdown, resolved
12836, https://hackerone.com/reports/12836, missing sender policy framework (SPF), resolved
12929, https://hackerone.com/reports/12929, Reflected XSS connect.mail.ru (IE6-IE8), resolved
12949, https://hackerone.com/reports/12949, Open Redirection, resolved
12964, https://hackerone.com/reports/12964, Open URL Redirection, resolved
12977, https://hackerone.com/reports/12977, secret app for iOS and android is sending some info over HTTP, resolved
13195, https://hackerone.com/reports/13195, auth.mail.ru: XSS in login form, resolved
13200, https://hackerone.com/reports/13200, (m.mail.ru)  Password type input with auto-complete enabled , informative
13237, https://hackerone.com/reports/13237, full path disclosure from false language, resolved
13285, https://hackerone.com/reports/13285, Suffix of url-path is vulnerable to XSS-attack, resolved
13286, https://hackerone.com/reports/13286, Host Header Injection - irccloud.com, resolved
13302, https://hackerone.com/reports/13302, api.video.mail.ru: XSS, resolved
13313, https://hackerone.com/reports/13313, files.mail.ru: XSS, resolved
13314, https://hackerone.com/reports/13314, CRLF Injection, informative
13319, https://hackerone.com/reports/13319, touch.afisha.mail.ru: XSS, resolved
13482, https://hackerone.com/reports/13482, https://217.69.135.63/rb/: money.mail.ru sources disclosure, resolved
13506, https://hackerone.com/reports/13506, Unchecking hidden parameter is vulnerable to XSS-attack, informative
13550, https://hackerone.com/reports/13550, Click jacking, resolved
13551, https://hackerone.com/reports/13551, HTML5 cross-origin resource sharing, resolved
13553, https://hackerone.com/reports/13553, Url Redirection, informative
13555, https://hackerone.com/reports/13555, Login CSRF using Twitter oauth, resolved
13557, https://hackerone.com/reports/13557, Leaking of password reset token through referer, informative
13563, https://hackerone.com/reports/13563, Missing SPF for factlink.com and Staging.factlink.com, resolved
13567, https://hackerone.com/reports/13567, Password Complexity very low., resolved
13583, https://hackerone.com/reports/13583, Sign  up CSRF, resolved
13602, https://hackerone.com/reports/13602, Session not expired on logout, informative
13628, https://hackerone.com/reports/13628, Password type input with auto-complete enabled, informative
13634, https://hackerone.com/reports/13634, Missing Character Restriction, informative
13639, https://hackerone.com/reports/13639, X/Csrf token problem, resolved
13652, https://hackerone.com/reports/13652, Proxy service crash DoS, resolved
13679, https://hackerone.com/reports/13679, Meta characters not filtered on signup, resolved
13703, https://hackerone.com/reports/13703, xss in app.simplenote.com, resolved
13705, https://hackerone.com/reports/13705, logout csrf app.simplenote.com/logout, resolved
13746, https://hackerone.com/reports/13746, xss in simperium.com, resolved
13748, https://hackerone.com/reports/13748, Potential denial of service in hackerone.com/teams/new, resolved
13794, https://hackerone.com/reports/13794, XSS on gravatar, resolved
13856, https://hackerone.com/reports/13856, CSRF   in crashlytics.com, resolved
13939, https://hackerone.com/reports/13939, information disclosure, resolved
13959, https://hackerone.com/reports/13959, privilege escalation, resolved
14033, https://hackerone.com/reports/14033, connect.mail.ru: SSRF, resolved
14080, https://hackerone.com/reports/14080, XSS in "About Video" , resolved
14092, https://hackerone.com/reports/14092, Remote file Inclusion - RFI in upload, informative
14127, https://hackerone.com/reports/14127, SSRF on https://whitehataudit.slack.com/account/photo, resolved
14177, https://hackerone.com/reports/14177, Token remains alive ever after logging out!, informative
14199, https://hackerone.com/reports/14199, uclfinal.twitter.com and euro2012.twitter.com are vulnerable to CRIME attack, informative
14248, https://hackerone.com/reports/14248, Multiple vulnerabilities, resolved
14303, https://hackerone.com/reports/14303, http://jetpack.me/ Self XSS, resolved
14305, https://hackerone.com/reports/14305, genericons.com - DOM based XSS., resolved
14461, https://hackerone.com/reports/14461, Password reset link doesn't expire., resolved
14485, https://hackerone.com/reports/14485, Flash XSS - http://hi-tech.mail.ru/, resolved
14494, https://hackerone.com/reports/14494, Clickjacking & CSRF attack can be done at https://app.mavenlink.com/login, resolved
14529, https://hackerone.com/reports/14529, The web application https://mavenlink.com discloses version details of the underlying Platform / Server, informative
14570, https://hackerone.com/reports/14570, Login password guessing attack, resolved
14631, https://hackerone.com/reports/14631, Clickjacking at https://www.mavenlink.com/ main website , resolved
14747, https://hackerone.com/reports/14747, Anonymous Proxy and IP leak , resolved
14803, https://hackerone.com/reports/14803, Serving Transitions From: HTTP Protocol (not secure), informative
14883, https://hackerone.com/reports/14883, [mobile.twitter.com / twitter.com] CSRF protection bypass, resolved
15047, https://hackerone.com/reports/15047, Captcha bypass with extension at http://www.mopub.com/about/contact/, informative
15125, https://hackerone.com/reports/15125, XSS vulnerability in video player page, resolved
15166, https://hackerone.com/reports/15166, Password reset token not expiring, resolved
15232, https://hackerone.com/reports/15232, Cookie not marked as secure., resolved
15250, https://hackerone.com/reports/15250, Flash XSS in http://lingvo.mail.ru, resolved
15298, https://hackerone.com/reports/15298, Open Redirect via Request-URI, resolved
15330, https://hackerone.com/reports/15330, Flash XSS in http://go.mail.ru, resolved
15356, https://hackerone.com/reports/15356, XSS ON MOPUB.COM, resolved
15362, https://hackerone.com/reports/15362, Flash Sandbox Bypass, resolved
15412, https://hackerone.com/reports/15412, Leaking CSRF token over HTTP resulting in CSRF protection bypass, resolved
15454, https://hackerone.com/reports/15454, NO CSRF token found on user details update, resolved
15476, https://hackerone.com/reports/15476, Session Token is not Verified while changing Account Setting's which Result In account Takeover, resolved
15492, https://hackerone.com/reports/15492, [corp.mail.ru] CRLF Injection / Insecure nginx configuration, resolved
15518, https://hackerone.com/reports/15518, Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!), resolved
15574, https://hackerone.com/reports/15574, Reporting Bugs, resolved
15578, https://hackerone.com/reports/15578, Same user name and uuid for multiple user names, resolved
15619, https://hackerone.com/reports/15619, Cookie fixation, resolved
15652, https://hackerone.com/reports/15652, Перечисление каталогов за счёт уязвимости в IIS, resolved
15654, https://hackerone.com/reports/15654, Reflected XSS, resolved
15679, https://hackerone.com/reports/15679, Bug on registration as new Translator user, resolved
15762, https://hackerone.com/reports/15762, SQL Injection on 11x11.mail.ru, resolved
15777, https://hackerone.com/reports/15777, Process of changing email address and password does not asks old Password., informative
15785, https://hackerone.com/reports/15785, Session not invalidated after password reset, resolved
15802, https://hackerone.com/reports/15802, Раскрытие полного серверного пути, resolved
15852, https://hackerone.com/reports/15852, Non Validation of session after password reset, resolved
15899, https://hackerone.com/reports/15899, PHP PDOException and Full Path Disclosure, resolved
16315, https://hackerone.com/reports/16315, Abusing VCS control on phabricator, resolved
16330, https://hackerone.com/reports/16330, Multiple issues in looking-glass software (aka from web to BGP injections), resolved
16392, https://hackerone.com/reports/16392, Abusing daemon logs for Privilege escalation under certain scenarios, resolved
16414, https://hackerone.com/reports/16414, Yahoo Sports Fantasy Golf (Join Public Group), resolved
16439, https://hackerone.com/reports/16439, User Enumeration and Guessable User Account Attack on WORDPRESS, informative
16568, https://hackerone.com/reports/16568, Failed Certificate Validation On Custom Server (Register), resolved
16571, https://hackerone.com/reports/16571, SSRF (Portscan) via Register Function (Custom Server), resolved
16696, https://hackerone.com/reports/16696, 2FA settings allowed to be changed with no delay/freeze on funds, informative
16718, https://hackerone.com/reports/16718, Open Redirect login account, resolved
16910, https://hackerone.com/reports/16910, Cross-site information assertion leak via Content Security Policy, resolved
16935, https://hackerone.com/reports/16935, e.mail.ru: SMS spam with custom content, resolved
16967, https://hackerone.com/reports/16967, my.mail.ru: HTTP Header Injection, resolved
17105, https://hackerone.com/reports/17105, Cache leads to Privacy leaks, resolved
17160, https://hackerone.com/reports/17160, Password Policy issue (Weak Protect), resolved
17225, https://hackerone.com/reports/17225, SQL injection, tile ID, resolved
17227, https://hackerone.com/reports/17227, SQL injection, time zoom script, tile ID, resolved
17235, https://hackerone.com/reports/17235, Album image XSS, resolved
17239, https://hackerone.com/reports/17239, Missing HSTS (Strict Transport Security), resolved
17241, https://hackerone.com/reports/17241, Cross-site scripting  vulnerability detected, resolved
17252, https://hackerone.com/reports/17252, All Active user sessions should be destroyed when user change his password!, resolved
17256, https://hackerone.com/reports/17256, Language version disclosure in response header , resolved
17287, https://hackerone.com/reports/17287, email field doesn't filtered against XSS, resolved
17297, https://hackerone.com/reports/17297, CMS Information Disclosure, resolved
17299, https://hackerone.com/reports/17299, Cross site scripting in type parameter, resolved
17311, https://hackerone.com/reports/17311, Breach Attack Vulnerability, informative
17312, https://hackerone.com/reports/17312, HTML Form Without CSRF Protection Vulnerability, informative
17315, https://hackerone.com/reports/17315, Clickjacking at https://staging.uzbey.com/, informative
17321, https://hackerone.com/reports/17321, Email Flooding Vuln, resolved
17357, https://hackerone.com/reports/17357, tp-demo1.corp.mail.ru: SVN наружу торчит, resolved
17383, https://hackerone.com/reports/17383, Category- Broken Authentication and Session Management (leads to account compromise if some conditions are met), resolved
17390, https://hackerone.com/reports/17390, Flash Content-Type Sniffing Vulnerability , resolved
17474, https://hackerone.com/reports/17474, Broken Authentication and Session Management, resolved
17502, https://hackerone.com/reports/17502, Price Manipulation, resolved
17506, https://hackerone.com/reports/17506, Default /docs folder of PHPBB3 installation on gamesnet.yahoo.com, resolved
17512, https://hackerone.com/reports/17512, Account takeover, informative
17514, https://hackerone.com/reports/17514, Information Disclosure (phpinfo()), resolved
17540, https://hackerone.com/reports/17540, Reflected XSS in Pastebin-view, resolved
17638, https://hackerone.com/reports/17638, Mass invitation send, informative
17664, https://hackerone.com/reports/17664, Click-Jacking due to missing X-frame header, informative
17688, https://hackerone.com/reports/17688, LZ4 Core, resolved
17766, https://hackerone.com/reports/17766, Tap Jacking Attack on Button Tags, resolved
17785, https://hackerone.com/reports/17785, Denial of Service, resolved
18279, https://hackerone.com/reports/18279, Yahoo! Reflected XSS, resolved
18371, https://hackerone.com/reports/18371, Directory Traversal at http://staging.jsdelivr.net/, resolved
18372, https://hackerone.com/reports/18372, XSS, resolved
18382, https://hackerone.com/reports/18382, Using nmap revealing sensitive information , resolved
18398, https://hackerone.com/reports/18398, HSTS Policy not enabled on cdn.jsdelivr.net, informative
18503, https://hackerone.com/reports/18503, Top 10 2013-A2-Broken Authentication and Session Management - wordpress.com, informative
18691, https://hackerone.com/reports/18691, XSS in editor by any user, resolved
18698, https://hackerone.com/reports/18698, Resubmitted with POC #18685 Password reset CSRF, resolved
18805, https://hackerone.com/reports/18805, XSS 01 on staging.fct.li, resolved
18843, https://hackerone.com/reports/18843, use-after-free vulnerability in Flash Player, resolved
18846, https://hackerone.com/reports/18846, Email changing, informative
18992, https://hackerone.com/reports/18992, Possibility to attach any mobile number to any email, resolved
19210, https://hackerone.com/reports/19210, ClientId gives away platform (iOS/Android) from which a secret was posted., resolved
19334, https://hackerone.com/reports/19334, target.mail.ru: XSS, resolved
19336, https://hackerone.com/reports/19336, target.mail.ru: XSS через Referer, resolved
19363, https://hackerone.com/reports/19363, PHP PDOException and Full Path Disclosure, resolved
19451, https://hackerone.com/reports/19451, IFXSS (image filename XSS) by creating a new Photo Gallery, resolved
19532, https://hackerone.com/reports/19532, Missing "size check" on files to upload could make memory leaks., resolved
19640, https://hackerone.com/reports/19640, Session Hijacking attack (Different Scenario), informative
20049, https://hackerone.com/reports/20049, Cross-site Scripting in mailing (username), resolved
20071, https://hackerone.com/reports/20071, Missing HSTS header in https://public-api.wordpress.com, informative
20072, https://hackerone.com/reports/20072, Missing HSTS header in https://app.simplenote.com, informative
20081, https://hackerone.com/reports/20081, password sent over HTTP, resolved
20122, https://hackerone.com/reports/20122, No option to logout concurrent sessions, informative
20221, https://hackerone.com/reports/20221, Cross Site Scripting (Stored) , resolved
20279, https://hackerone.com/reports/20279, Verbose SQL error messages, resolved
20305, https://hackerone.com/reports/20305, USER Account is not being deleted after user "Delete Account" from DASHBOARD, resolved
20391, https://hackerone.com/reports/20391, m.agent.mail.ru: Подделываем j2me app-descriptor, resolved
20400, https://hackerone.com/reports/20400, files.mail.ru: HTTP Header Injection, resolved
20616, https://hackerone.com/reports/20616, e.mail.ru: File upload "Chapito" circus, resolved
20671, https://hackerone.com/reports/20671, integer overflow in 'buffer' type allows reading memory, resolved
20720, https://hackerone.com/reports/20720, cloud.mail.ru: File upload XSS using Content-Type header, resolved
20861, https://hackerone.com/reports/20861, moderate: mod_deflate denial of service, resolved
20873, https://hackerone.com/reports/20873, rsync hash collisions may allow an attacker to corrupt or modify files, resolved
21034, https://hackerone.com/reports/21034, Invoice Details activate JS that filled in , resolved
21064, https://hackerone.com/reports/21064, Back - Refresh - Attack To  Obtain User Credentials, informative
21069, https://hackerone.com/reports/21069, Login CSRF, resolved
21083, https://hackerone.com/reports/21083, Account Hijacking (Only rare case scenario), informative
21110, https://hackerone.com/reports/21110, Clickjacking, resolved
21150, https://hackerone.com/reports/21150, Flash XSS  on swfupload.swf showing at app.mavenlink.com, resolved
21172, https://hackerone.com/reports/21172, Cookies are not cleared from Server side on Logout, duplicate
21210, https://hackerone.com/reports/21210, privilege escalation, resolved
21248, https://hackerone.com/reports/21248, Content spoofing at Stripe Integrations, resolved
21603, https://hackerone.com/reports/21603, Bruteforce protection not enabled on the login page https://www.irccloud.com/, informative
21899, https://hackerone.com/reports/21899, caesary.yahoo.net Blind Sql Injection, resolved
22012, https://hackerone.com/reports/22012, Password reset link not validated., informative
22093, https://hackerone.com/reports/22093, Content Spoofing all Integrations in https://team.slack.com/services/new/, resolved
22142, https://hackerone.com/reports/22142, Open Redirect in WordPress Feed Statistics {Affected All Versions}, resolved
22203, https://hackerone.com/reports/22203, Broken authentication and invalidated email address leads to account takeover, informative
22858, https://hackerone.com/reports/22858, Password Reset Links Not Expiring, informative
23010, https://hackerone.com/reports/23010, XSS in 3rd party plugin (not affecting Uzbey's users), resolved
23014, https://hackerone.com/reports/23014, SQL Injection, resolved
23363, https://hackerone.com/reports/23363, Forgot Password Issue, resolved
23386, https://hackerone.com/reports/23386, Redirect while opening links in new tabs, resolved
23447, https://hackerone.com/reports/23447, Version Disclosure (NginX), informative
23579, https://hackerone.com/reports/23579, Broken Authentication and Session Management, resolved
23852, https://hackerone.com/reports/23852, money.mail.ru: Странное поведение SMS, resolved
23913, https://hackerone.com/reports/23913, User's DM won't deleted after logout from Twitter for iOS (com.atebits.xxx.application-state), resolved
23921, https://hackerone.com/reports/23921, broken authentication, resolved
24183, https://hackerone.com/reports/24183, Не уверен, что этому место на периметре: 94.100.180.95, 94.100.180.96, 94.100.180.97, 94.100.180.98, resolved
24684, https://hackerone.com/reports/24684, Potential XSS vulnerability to HTML minification, resolved
24984, https://hackerone.com/reports/24984, openssh-server Forced Command Handling Information Disclosure Vulnerability on blog.greenhouse.io, resolved
25128, https://hackerone.com/reports/25128, HTML form without CSRF protection at http://try.crashlytics.com/enterprise/, resolved
25160, https://hackerone.com/reports/25160, Open redirection on secure.phabricator.com, resolved
25191, https://hackerone.com/reports/25191, SMTP protection not used (please read carefully ), informative
25270, https://hackerone.com/reports/25270, User can request for password reset link without giving his website, eventhough he have it, informative
25275, https://hackerone.com/reports/25275, [greenhouse.io] CRLF Injection / Insecure nginx configuration, resolved
25281, https://hackerone.com/reports/25281, Change Any username and profile link in hackerone, resolved
25382, https://hackerone.com/reports/25382, Apache mod_negotiation filename bruteforcing, informative
25537, https://hackerone.com/reports/25537, external entity expansion in Apache POI , resolved
26181, https://hackerone.com/reports/26181, DNS load balancing not enabled, informative
26395, https://hackerone.com/reports/26395, Notification of previous signed out user leakage., informative
26482, https://hackerone.com/reports/26482, Stored Cross-Site Scripting Vulnerability in /admin.php?/cp/admin_system/general_configuration, resolved
26647, https://hackerone.com/reports/26647, CSRF protection bypass on any Django powered site via Google Analytics, resolved
26758, https://hackerone.com/reports/26758, Password Policy issue, informative
26763, https://hackerone.com/reports/26763, HTTP Strict Transport Policy not enabled on newly made accounts, resolved
26825, https://hackerone.com/reports/26825, Full path disclosure at ads.twitter.com, resolved
26935, https://hackerone.com/reports/26935, XSS via .eml file, resolved
26962, https://hackerone.com/reports/26962, open redirect in rfc6749, resolved
27166, https://hackerone.com/reports/27166, Missing Rate Limiting on https://twitter.com/account/complete, resolved
27404, https://hackerone.com/reports/27404, Delete Credit Cards from any Twitter Account in ads.twitter.com [New Vulnerability], resolved
27511, https://hackerone.com/reports/27511, ads.twitter.com xss, resolved
27564, https://hackerone.com/reports/27564, Content spoofing, informative
27594, https://hackerone.com/reports/27594, Clickjacking: X-Frame-Options header missing, resolved
27651, https://hackerone.com/reports/27651, Flash Local Sandbox Bypass, resolved
27846, https://hackerone.com/reports/27846, Stored xss, resolved
27987, https://hackerone.com/reports/27987, Window Opener Property Bug, resolved
28150, https://hackerone.com/reports/28150, Cross site scripting on ads.twitter.com, resolved
28445, https://hackerone.com/reports/28445, SPL ArrayObject/SPLObjectStorage Unserialization Type Confusion Vulnerabilities, resolved
28449, https://hackerone.com/reports/28449, Active Record SQL Injection Vulnerability Affecting PostgreSQL, resolved
28450, https://hackerone.com/reports/28450, Active Record SQL Injection Vulnerability Affecting PostgreSQL, resolved
28500, https://hackerone.com/reports/28500, iOS App can establish Facetime calls without user's permission, resolved
28632, https://hackerone.com/reports/28632, Email field filtering problem., resolved
28640, https://hackerone.com/reports/28640, Ericsson Erlang OTP Core Allocation Subsystem Integer Overflow (All Versions), resolved
28703, https://hackerone.com/reports/28703, Weak password policy, informative
28792, https://hackerone.com/reports/28792, Content Spoofing through URL, informative
28832, https://hackerone.com/reports/28832, touch.mail.ru XSS via message id, resolved
28865, https://hackerone.com/reports/28865, Redirect FILTER bypass in report/comment, resolved
29185, https://hackerone.com/reports/29185, "early preview" programs disclosure, informative
29206, https://hackerone.com/reports/29206, Twitter Flight SSL 2.0 deprecated protocol vulnerability., resolved
29234, https://hackerone.com/reports/29234, Credit Card Validation Issue, resolved
29328, https://hackerone.com/reports/29328, XSS platform.twitter.com, resolved
29331, https://hackerone.com/reports/29331, No email verification on username change, resolved
29360, https://hackerone.com/reports/29360, XSS platform.twitter.com | video-js metadata, resolved
29480, https://hackerone.com/reports/29480, Unvalidated Channel names causes IRC Command Injection, resolved
29491, https://hackerone.com/reports/29491, homograph attack. IDNs displayed in unicode in bug reports and on external link warning page, resolved
29835, https://hackerone.com/reports/29835, Profile Pic padding (Length-hiding) fails due to use of GZIP, resolved
29839, https://hackerone.com/reports/29839, GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability, resolved
30019, https://hackerone.com/reports/30019, Stored XSS in concrete5 5.7.0.4., resolved
30238, https://hackerone.com/reports/30238, New Device confirmation tokens are not properly validated., resolved
30567, https://hackerone.com/reports/30567, Adobe Flash Player MP4 Use-After-Free Vulnerability, resolved
30575, https://hackerone.com/reports/30575, Missing Function Level Access Control in /cindex.php/widget/customize/, resolved
30787, https://hackerone.com/reports/30787, PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings., resolved
30852, https://hackerone.com/reports/30852, Relateiq SSLv3 deprecated protocol vulnerability., resolved
30975, https://hackerone.com/reports/30975, Improper Verification of email address while saving Account Settings, resolved
31023, https://hackerone.com/reports/31023, Sql injection And XSS, resolved
31082, https://hackerone.com/reports/31082, Unauthorized Tweeting on behalf of Account Owners, resolved
31166, https://hackerone.com/reports/31166, Weak Random Number Generator for Auth Tokens, resolved
31167, https://hackerone.com/reports/31167, Timing Attack Side-Channel on API Token Verification, resolved
31168, https://hackerone.com/reports/31168, Cryptographic Side Channel in OAuth Library, resolved
31171, https://hackerone.com/reports/31171, Weak random number generator used in concrete/authentication/concrete/controller.php, resolved
31187, https://hackerone.com/reports/31187, Reflected XSS on www.bookfresh.com/index.html?view=upload_form, resolved
31188, https://hackerone.com/reports/31188, Creating Unauthorized Audience Lists, informative
31255, https://hackerone.com/reports/31255, files likes of README.md is public, resolved
31383, https://hackerone.com/reports/31383, Ability to see common response titles of other teams (limited), resolved
31408, https://hackerone.com/reports/31408, Adobe Flash Player Out-of-Bound Read/Write Vulnerability, resolved
31415, https://hackerone.com/reports/31415, PoodleBleed, resolved
31418, https://hackerone.com/reports/31418, Авторизуюсь от имени любого пользователя parapa.mail.ru, resolved
31554, https://hackerone.com/reports/31554, Singup Page HTML Injection Vulnerability, resolved
31756, https://hackerone.com/reports/31756, Drupal 7 pre auth sql injection and remote code execution, resolved
32137, https://hackerone.com/reports/32137, Content Spoofing via reports, resolved
32519, https://hackerone.com/reports/32519, XSS in fabric.io, resolved
32570, https://hackerone.com/reports/32570, OpenSSL HeartBleed (CVE-2014-0160), resolved
32825, https://hackerone.com/reports/32825, URGENT - Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS, resolved
32944, https://hackerone.com/reports/32944, MD5 used for Key-Auth signatures, informative
32990, https://hackerone.com/reports/32990, Enumeration/Guess of Private (Invited) Programs, resolved
33018, https://hackerone.com/reports/33018, a stored xss in  slack integration  https://onerror.slack.com/services/import, resolved
33091, https://hackerone.com/reports/33091, DOM Cross-Site Scripting ( XSS ), resolved
33153, https://hackerone.com/reports/33153, Test, resolved
33154, https://hackerone.com/reports/33154, Test, resolved
33331, https://hackerone.com/reports/33331, Flaw in valid password policy., informative
33358, https://hackerone.com/reports/33358, test, resolved
33432, https://hackerone.com/reports/33432, BROKEN AUTHENTICATION IN MOBILE VERIFICATION  , informative
33935, https://hackerone.com/reports/33935, File Name Enumeration , resolved
33986, https://hackerone.com/reports/33986, Option Method Enabled on web server, informative
33987, https://hackerone.com/reports/33987, Options Method Enabled, informative
34084, https://hackerone.com/reports/34084, Bad extended ascii handling in HTTP 301 redirects of t.co, resolved
34112, https://hackerone.com/reports/34112, SMPT Protection not used, I can hijack your email server., resolved
34130, https://hackerone.com/reports/34130, Flash XSS на old.corp.mail.ru, resolved
34188, https://hackerone.com/reports/34188, Various Low level Vulnerabilities, resolved
34686, https://hackerone.com/reports/34686, Ошибка фильтрации, resolved
34725, https://hackerone.com/reports/34725, XSS via Fabrico Account Name, resolved
34799, https://hackerone.com/reports/34799, Нежелательная информация, resolved
34917, https://hackerone.com/reports/34917, Bypassed or command injection, informative
35036, https://hackerone.com/reports/35036, XSS in Tagregator plugin, not-applicable
35102, https://hackerone.com/reports/35102, Locale::parseLocale Double Free, resolved
35237, https://hackerone.com/reports/35237, Gain reputation by creating a duplicate of an existing report, resolved
35287, https://hackerone.com/reports/35287, getting emails of users/removing them from victims account [using typical attack], resolved
35363, https://hackerone.com/reports/35363, [static.qiwi.com] XSS proxy.html, resolved
35413, https://hackerone.com/reports/35413, [send.qiwi.ru] XSS at auth?login=, resolved
35532, https://hackerone.com/reports/35532, Code for registration of qiwi account is not coming even after a long interval of time for Indian mobile number, informative
35823, https://hackerone.com/reports/35823, File name/folder enumeration., resolved
36053, https://hackerone.com/reports/36053, Headers Missing, informative
36105, https://hackerone.com/reports/36105, CRLF Injection [ishop.qiwi.com], resolved
36112, https://hackerone.com/reports/36112, Content injection , informative
36211, https://hackerone.com/reports/36211, Logic Issue with Reputation: Boost Reputation Points, resolved
36264, https://hackerone.com/reports/36264, mod_proxy_fcgi buffer overflow, resolved
36279, https://hackerone.com/reports/36279, Adobe Flash Player MP4 Use-After-Free Vulnerability, resolved
36319, https://hackerone.com/reports/36319, [qiwi.com] /oauth/confirm.action XSS, resolved
36409, https://hackerone.com/reports/36409, Options Method Enabled, informative
36450, https://hackerone.com/reports/36450, [send.qiwi.ru] Soap-based XXE vulnerability /soapserver/ , resolved
36459, https://hackerone.com/reports/36459, Missing SPF header on revert.io, resolved
36586, https://hackerone.com/reports/36586, Metadata in hosted files is disclosing Usernames, Printers, paths, admin guides. emails, informative
36594, https://hackerone.com/reports/36594, New Device Confirmation, token is valid until not used. , resolved
36980, https://hackerone.com/reports/36980, Notifications can mark as read by CSRF, informative
36986, https://hackerone.com/reports/36986, [Stored XSS] vine.co - profile page, resolved
37108, https://hackerone.com/reports/37108,  Homograph attack. , informative
37240, https://hackerone.com/reports/37240, Race condition in Flash workers may cause an exploitabl​e double free, resolved
37822, https://hackerone.com/reports/37822, Abuse of "Remember Me" functionality., informative
38007, https://hackerone.com/reports/38007, Subdomain Takeover using blog.greenhouse.io pointing to Hubspot, resolved
38012, https://hackerone.com/reports/38012, Stored xss in agent.qiwi.com, resolved
38157, https://hackerone.com/reports/38157, [qiwi.com] Open Redirect, resolved
38170, https://hackerone.com/reports/38170, Misc Python bugs (Memory Corruption & Use After Free), resolved
38189, https://hackerone.com/reports/38189, xss in /browse/contacts/, resolved
38232, https://hackerone.com/reports/38232, Breaking Bugs as team member, resolved
38343, https://hackerone.com/reports/38343, Issue with password change, resolved
38345, https://hackerone.com/reports/38345, [sms.qiwi.ru] XSS via Request-URI, resolved
38615, https://hackerone.com/reports/38615, [connect.mail.ru] Memory Disclosure / IE XSS, resolved
38778, https://hackerone.com/reports/38778, SQL injection in conc/index.php/ccm/system/search/users/submit, resolved
38890, https://hackerone.com/reports/38890, stored XSS in concrete5 5.7.2.1, resolved
38965, https://hackerone.com/reports/38965, Phabricator Diffusion application allows unauthorized users to delete mirrors, resolved
39139, https://hackerone.com/reports/39139, URL Crashing browser. {Tested on firefox, Chrome and Safari}, resolved
39181, https://hackerone.com/reports/39181, [vimeopro.com] CRLF Injection, resolved
39198, https://hackerone.com/reports/39198, [admin.c2fo.com] Open Redirect, resolved
39250, https://hackerone.com/reports/39250, Missing SPF for informatica.com, informative
39261, https://hackerone.com/reports/39261, [monitor.sjc.dropbox.com] CRLF Injection, resolved
39316, https://hackerone.com/reports/39316, [odnoklassniki.ru] XSS via Host, resolved
39428, https://hackerone.com/reports/39428, Phabricator Phame Blog Skins Local File Inclusion, resolved
39486, https://hackerone.com/reports/39486, No bruteforce protection leads to enumeration of emails in http://e.mail.ru/, resolved
39631, https://hackerone.com/reports/39631, Open redirection in fabric.io, resolved
39658, https://hackerone.com/reports/39658, Reflected File Download, resolved
41240, https://hackerone.com/reports/41240, POODLE Bug: 199.16.156.44, 199.16.156.108, mx4.twitter.com, resolved
41469, https://hackerone.com/reports/41469, Error stack trace, resolved
41758, https://hackerone.com/reports/41758, Stored XSS in api key of operator wallet, resolved
41856, https://hackerone.com/reports/41856, HTML/XSS rendered in Android App of Crashlytics through fabric.io, resolved
41939, https://hackerone.com/reports/41939, GET /surveys/2auth: XSS, resolved
41940, https://hackerone.com/reports/41940,  /surveys/2auth: DOM-based XSS, resolved
42154, https://hackerone.com/reports/42154, Gain access to any user's email address, resolved
42161, https://hackerone.com/reports/42161, stored xss in transaction, resolved
42236, https://hackerone.com/reports/42236, URGENT - Subdomain Takeover on users.tweetdeck.com , the same issue  of report #32825, resolved
42240, https://hackerone.com/reports/42240, chrome allows POST requests with custom headers using flash + 307 redirect, resolved
42248, https://hackerone.com/reports/42248, Stored XSS in adding fileset, resolved
42250, https://hackerone.com/reports/42250, No rate limiting on creating lists, informative
42393, https://hackerone.com/reports/42393, XSS on partners.uber.com, resolved
42403, https://hackerone.com/reports/42403, Account Deleted without any confirmation, informative
42537, https://hackerone.com/reports/42537, [careers.informatica.com] Cross Site Script Vulnerability on informatica, resolved
42582, https://hackerone.com/reports/42582, Vimeo.com - Reflected XSS Vulnerability, resolved
42584, https://hackerone.com/reports/42584, Vimeo.com - reflected xss vulnerability, resolved
42587, https://hackerone.com/reports/42587, Vimeo.com Insecure Direct Object References Reset Password, resolved
42702, https://hackerone.com/reports/42702, APIs for channels allow HTML entities that may cause XSS issue, resolved
42728, https://hackerone.com/reports/42728, Data-Tags and the New HTML Sanitizer Subverts CSRF protection, resolved
42780, https://hackerone.com/reports/42780, Web Server information disclosure., resolved
42961, https://hackerone.com/reports/42961, fabric.io - app member can make himself an admin, resolved
43065, https://hackerone.com/reports/43065, Fabric.io - an app admin can delete team members from other user apps, resolved
43070, https://hackerone.com/reports/43070, Misconfigured crossdomain.xml - vimeo.com, informative
43269, https://hackerone.com/reports/43269, WP User Enumeration is possible at https://blog.dropbox.com, informative
43280, https://hackerone.com/reports/43280, HTTPS is not enforced for objects stored by HackerOne on Amazon S3, resolved
43440, https://hackerone.com/reports/43440, Arbitrary file existence disclosure in Action Pack, resolved
43443, https://hackerone.com/reports/43443, PyUnicode_FromFormatV crasher, resolved
43602, https://hackerone.com/reports/43602, Buying ondemand videos that  0.1  and sometimes for free , resolved
43617, https://hackerone.com/reports/43617, Adding profile picture to anyone on Vimeo, resolved
43672, https://hackerone.com/reports/43672, player.vimeo.com - Reflected XSS Vulnerability, resolved
43723, https://hackerone.com/reports/43723, 3k.mail.ru: XSS, resolved
43752, https://hackerone.com/reports/43752, Раскрытие номера мобильного телефона при двухфакторной аутентификации, resolved
43758, https://hackerone.com/reports/43758, profile photo update bypass , resolved
43770, https://hackerone.com/reports/43770, Ability to Download Music Tracks Without Paying (Missing permission check on`/musicstore/download`), resolved
43807, https://hackerone.com/reports/43807, Securing "Reset password" pages from bots, resolved
43846, https://hackerone.com/reports/43846, No Limitation on Following allows user to follow people automatically!, resolved
43850, https://hackerone.com/reports/43850, abusing Thumbnails(https://vimeo.com/upload/select_thumb) to see a private video, resolved
43988, https://hackerone.com/reports/43988, twitter android app Fragment Injection, resolved
43998, https://hackerone.com/reports/43998, CRITICAL full source code/config disclosure for Cameo, resolved
44052, https://hackerone.com/reports/44052, Hadoop Node available to public, resolved
44056, https://hackerone.com/reports/44056, USER PRIVACY VIOLATED (PRIVATE DATA GETTING TRANSFER OVER INSECURE CHANNEL ) , informative
44146, https://hackerone.com/reports/44146, Make API calls on behalf of another user (CSRF protection bypass), resolved
44157, https://hackerone.com/reports/44157, Open Redirection Security Filter bypassed, resolved
44202, https://hackerone.com/reports/44202, Poodle bleed vulnerability in cloud sub domain, resolved
44217, https://hackerone.com/reports/44217, Application XSS filter function Bypass may allow Multiple stored XSS, resolved
44294, https://hackerone.com/reports/44294, Heartbleed: my.com (185.30.178.33) port 1433, resolved
44295, https://hackerone.com/reports/44295, http://217.69.136.200/?p=2&c=Fetcher%20cluster&h=fetcher1.mail.ru, resolved
44359, https://hackerone.com/reports/44359, Add text to the title of the page "Thanks", resolved
44371, https://hackerone.com/reports/44371, Path disclosure in platform0.twitter.com, informative
44425, https://hackerone.com/reports/44425, unvalid open authentication with facebook, resolved
44492, https://hackerone.com/reports/44492, Flaw in login with twitter to steal Oauth tokens, resolved
44512, https://hackerone.com/reports/44512, XSS on any site that includes the moogaloop flash player | deprecated embed code , resolved
44578, https://hackerone.com/reports/44578, URGENT - SUBDOMAIN TAKEOVER ON TWITTER ACQ., resolved
44652, https://hackerone.com/reports/44652, Insecure crossdomain.xml, resolved
44739, https://hackerone.com/reports/44739, Unvalidated Redirects and Stored XSS, informative
44798, https://hackerone.com/reports/44798, Vimeo Search - XSS Vulnerability [http://vimeo.com/search], resolved
44888, https://hackerone.com/reports/44888, Improper way of validating a program, resolved
45050, https://hackerone.com/reports/45050, [community.informatica.com] - CSRF in Private Messages allows to move user's messages to Trash, resolved
45084, https://hackerone.com/reports/45084, Full account takeover via Add a New Email to account without email verified and without password confirmation., informative
45233, https://hackerone.com/reports/45233, Stored XSS in Direct debit name, resolved
45243, https://hackerone.com/reports/45243, Number, username and name disclosure, resolved
45368, https://hackerone.com/reports/45368, ftp upload of video allows naming that is not sanitized as the manual naming, resolved
45428, https://hackerone.com/reports/45428, CSRF bypass, informative
45484, https://hackerone.com/reports/45484, XSS on Vimeo, resolved
45516, https://hackerone.com/reports/45516, [zaption.com] Open Redirect, resolved
45960, https://hackerone.com/reports/45960, CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`., resolved
46019, https://hackerone.com/reports/46019, Explicit, dynamic render path: Dir. Trav + RCE, resolved
46072, https://hackerone.com/reports/46072, Vulnerability with the way \ escaped characters in <http://danlec.com> style links are rendered, resolved
46109, https://hackerone.com/reports/46109, Brute force on "vimeo" cookie, informative
46113, https://hackerone.com/reports/46113, Can message users without the proper authorization, resolved
46312, https://hackerone.com/reports/46312, In markdown, parsing things like @danlec and #46072 after links is unsafe, resolved
46345, https://hackerone.com/reports/46345, Directory index and information disclosure, resolved
46366, https://hackerone.com/reports/46366, Error stack trace, resolved
46379, https://hackerone.com/reports/46379, Group Invite not properly authenticated, resolved
46397, https://hackerone.com/reports/46397, Insecure Direct Object Reference vulnerability, resolved
46429, https://hackerone.com/reports/46429, Team member invitations to sandboxed teams are not invalidated consistently, resolved
46485, https://hackerone.com/reports/46485, Problem with OAuth, resolved
46618, https://hackerone.com/reports/46618, Frictionless Transferring of Wallet Ownership, resolved
46736, https://hackerone.com/reports/46736, CSRF token leakage, informative
46747, https://hackerone.com/reports/46747, Team admin can change unauthorized team setting (require_at_for_mention), resolved
46750, https://hackerone.com/reports/46750, Team admin can change unauthorized team setting (allow_message_deletion), resolved
46818, https://hackerone.com/reports/46818, Twitter Card - Parent Window Redirection, resolved
46916, https://hackerone.com/reports/46916, Markdown parsing issue enables insertion of malicious tags and event handlers, resolved
46952, https://hackerone.com/reports/46952, Markdown code block sequence makes report unreadable, resolved
46954, https://hackerone.com/reports/46954, subdomain takeover 1511493148.cloud.vimeo.com, resolved
47012, https://hackerone.com/reports/47012, Adobe Flash Player Out-of-Bound Access Vulnerability, resolved
47227, https://hackerone.com/reports/47227, Race condition in workers may cause an exploitable double free by abusing bytearray.compress()  , resolved
47232, https://hackerone.com/reports/47232, Use after free during the StageVideoAvailabilityEvent can result in arbitrary code execution, resolved
47234, https://hackerone.com/reports/47234, Use After Free in Flash MessageChannel.send can cause arbitrary code execution, resolved
47235, https://hackerone.com/reports/47235, XSS in Search Communities Function, resolved
47322, https://hackerone.com/reports/47322, XSS Vulnerability in cfire.mail.ru/screen/1/, resolved
47341, https://hackerone.com/reports/47341, Reflected xss in user name thru cookie, resolved
47343, https://hackerone.com/reports/47343, Stored xss in user name, informative
47349, https://hackerone.com/reports/47349, Stored xss in user name (2) affected another user., resolved
47357, https://hackerone.com/reports/47357, CSRF token from another valid user session accepted, informative
47358, https://hackerone.com/reports/47358, Username and sim id enum, informative
47362, https://hackerone.com/reports/47362, Enum phone numbers thru /en/sims/topup/add/, resolved
47384, https://hackerone.com/reports/47384, Approve topup method by sender of this method, resolved
47472, https://hackerone.com/reports/47472, CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain, resolved
47495, https://hackerone.com/reports/47495, Same Origin Policy bypass, resolved
47536, https://hackerone.com/reports/47536, [ishop.qiwi.com] XSS + Misconfiguration, resolved
47627, https://hackerone.com/reports/47627, Email Enumeration (POC), resolved
47779, https://hackerone.com/reports/47779, Heap overflow in H. Spencer’s regex library on 32 bit systems , resolved
47876, https://hackerone.com/reports/47876, Full Path Disclosure, resolved
47888, https://hackerone.com/reports/47888, Reporting user's profile by using another people's ID, resolved
47940, https://hackerone.com/reports/47940, Team admin can add billing contacts, resolved
48065, https://hackerone.com/reports/48065, open authentication bug, resolved
48100, https://hackerone.com/reports/48100, Bad Write in TTF font parsing (win32k.sys), resolved
48416, https://hackerone.com/reports/48416, Restrict any user from logging into his account., resolved
48516, https://hackerone.com/reports/48516, Redirect URL in /intent/ functionality is not properly escaped, resolved
49035, https://hackerone.com/reports/49035, HDFS NameNode Public disclosure: http://185.5.139.33:50070/dfshealth.jsp, resolved
49139, https://hackerone.com/reports/49139, scfbp.tng.mail.ru: Heartbleed, resolved
49170, https://hackerone.com/reports/49170, Information disclosure - emails disclosed in response > staging.seatme.us, resolved
49304, https://hackerone.com/reports/49304, Bypassing Email verification , informative
49356, https://hackerone.com/reports/49356, I Can Delete Any Airbnb Users Symbol!, resolved
49357, https://hackerone.com/reports/49357, Substantially weakened authenticity verification when using 'Remember me for a week', informative
49378, https://hackerone.com/reports/49378, Create N Accounts In Dropbox Irrespective Of Domain, informative
49408, https://hackerone.com/reports/49408, RCE через JDWP, resolved
49474, https://hackerone.com/reports/49474, Cross site Port Scanning bug in twitter developers console , informative
49499, https://hackerone.com/reports/49499, Generating Unlimited Free Travel Gift Invites | IDOR, informative
49513, https://hackerone.com/reports/49513, Vulnerability type xss uncovered in airbnb.es, resolved
49537, https://hackerone.com/reports/49537, SSL Issues, resolved
49561, https://hackerone.com/reports/49561, Vimeo + & Vimeo PRO Unautorised Tax bypass, resolved
49566, https://hackerone.com/reports/49566, Auto Approval of Invitation to join Team as a Team member, resolved
49652, https://hackerone.com/reports/49652, Improperly validated fields allows injection of arbitrary HTML via spoofed React objects, resolved
49663, https://hackerone.com/reports/49663, URGENT - Subdomain Takeover on status.vimeo.com due to unclaimed domain pointing to statuspage.io, resolved
49759, https://hackerone.com/reports/49759, Open Redirect leak of authenticity_token lead to full account take over., resolved
49806, https://hackerone.com/reports/49806, Twitter Ads Campaign information disclosure through admin without any authentication., resolved
49888, https://hackerone.com/reports/49888, Missing X-Frame-Options header, duplicate
49974, https://hackerone.com/reports/49974, The csrf token remains same after user logs in, resolved
50134, https://hackerone.com/reports/50134, XSS in original referrer after follow, resolved
50157, https://hackerone.com/reports/50157, Reflected Cross Site Scripting - 'puser' Parameter in login page, resolved
50170, https://hackerone.com/reports/50170, FREAK: Factoring RSA_EXPORT Keys to Impersonate TLS Servers, resolved
50358, https://hackerone.com/reports/50358, files.acrobat.com stored XSS via send file, resolved
50379, https://hackerone.com/reports/50379, Open redirect and reflected xss in http://youthvoices.adobe.com/community?return_url=[payload her], resolved
50389, https://hackerone.com/reports/50389, Adobe XSS, resolved
50481, https://hackerone.com/reports/50481, Self Xss on File Replace, resolved
50537, https://hackerone.com/reports/50537, Server Side Request Forgery in macro creation, informative
50552, https://hackerone.com/reports/50552, Stored XSS on Blog's page Tile, resolved
50554, https://hackerone.com/reports/50554, Stored XSS on Title of Page List in edit page list, resolved
50556, https://hackerone.com/reports/50556, Stored XSS on Search Title, resolved
50564, https://hackerone.com/reports/50564, Stored XSS in Contact Form, resolved
50626, https://hackerone.com/reports/50626, Stored XSS in Title of the topic List, resolved
50627, https://hackerone.com/reports/50627, Stored XSS in title of date navigation, resolved
50639, https://hackerone.com/reports/50639, Stored XSS in Feature tile , resolved
50642, https://hackerone.com/reports/50642, Stored Xss in Feature Paragraph, resolved
50644, https://hackerone.com/reports/50644, Stored XSS in  Testimonial  name, resolved
50645, https://hackerone.com/reports/50645, Stored XSS in Testimonial Position, resolved
50656, https://hackerone.com/reports/50656, Stored XSS in testimonial Company, resolved
50658, https://hackerone.com/reports/50658, Reflected File Download attack allows attacker to 'upload' executables to hackerone.com domain, resolved
50662, https://hackerone.com/reports/50662, Stored XSS In Company URL, resolved
50703, https://hackerone.com/reports/50703, CSRF in login form would led to account takeover, resolved
50752, https://hackerone.com/reports/50752, open redirect sends authenticity_token to any website or (ip address), resolved
50776, https://hackerone.com/reports/50776, A user can edit comments even after video comments are disabled, resolved
50779, https://hackerone.com/reports/50779, Stored XSS in Bio/Quote, resolved
50780, https://hackerone.com/reports/50780, Stored XSS in Message to Display When No Pages Listed., resolved
50782, https://hackerone.com/reports/50782, Stored XSS in Image Alt. Text, resolved
50786, https://hackerone.com/reports/50786, A user can add videos to other user's private groups, resolved
50829, https://hackerone.com/reports/50829, A user can post comments on other user's private videos, resolved
50884, https://hackerone.com/reports/50884, Bypass pin(4 digit passcode on your android app), resolved
50885, https://hackerone.com/reports/50885, CVE-2014-0224 openssl ccs vulnerability, resolved
50941, https://hackerone.com/reports/50941, A user can enhance their videos with paid tracks without buying the track, resolved
51060, https://hackerone.com/reports/51060, XSS in realty.mail.ru, resolved
51061, https://hackerone.com/reports/51061, XSS in ad.mail.ru, resolved
51140, https://hackerone.com/reports/51140, XSS in touch.sports.mail.ru, resolved
51166, https://hackerone.com/reports/51166, Email verification links still valid after changing it 2x, informative
51265, https://hackerone.com/reports/51265, Flash Cross Domain Policy Bypass by Using File Upload and Redirection - only in Chrome, resolved
51817, https://hackerone.com/reports/51817, Post in private groups after getting removed, resolved
52176, https://hackerone.com/reports/52176, Insecure Direct Object References in https://vimeo.com/forums, resolved
52181, https://hackerone.com/reports/52181, Insecure Direct Object References that allows to read any comment (even if it should be private), resolved
52532, https://hackerone.com/reports/52532, "learn more here", reward email - domain expired., resolved
52635, https://hackerone.com/reports/52635, UniFi v3.2.10 Cross-Site Request Forgeries / Referer-Check Bypass, resolved
52646, https://hackerone.com/reports/52646, Insecure direct object reference - have access to deleted DM's, resolved
52707, https://hackerone.com/reports/52707, Invite any user to your group without even following him, resolved
52708, https://hackerone.com/reports/52708, Share your channel to any user on vimeo without following him, resolved
52822, https://hackerone.com/reports/52822, XSS with Time-of-Day Format, resolved
52982, https://hackerone.com/reports/52982, [URGENT ISSUE] Add or Delete the videos in watch later list of any user ., resolved
53004, https://hackerone.com/reports/53004, Blacklist bypass on Callback URLs, resolved
53088, https://hackerone.com/reports/53088, SSRF vulnerability (access to metadata server on EC2 and OpenStack), resolved
53098, https://hackerone.com/reports/53098, XSS in twitter.com/safety/unsafe_link_warning, resolved
53531, https://hackerone.com/reports/53531, Logging a user into attacker's account using password reset link, resolved
53730, https://hackerone.com/reports/53730, Stored xss in editor , resolved
53858, https://hackerone.com/reports/53858, Insecure Direct Object Reference - access to other user/group DM's, resolved
54034, https://hackerone.com/reports/54034, Reflected Filename Download, resolved
54094, https://hackerone.com/reports/54094, HTTP MitM on Flash Player settings manager allows attacker to set sandbox settings, resolved
54321, https://hackerone.com/reports/54321, Xss in website's link, resolved
54610, https://hackerone.com/reports/54610, Logout any user of same team, resolved
54631, https://hackerone.com/reports/54631, Vulnerable to JavaScript injection. (WXS)  (Javascript injection)!, resolved
54641, https://hackerone.com/reports/54641, Captcha Bypass in Snapchat's Geofilter Submission Process, resolved
54719, https://hackerone.com/reports/54719, e.mail.ru stored XSS in agent via sticker (smile), resolved
54733, https://hackerone.com/reports/54733, Sandboxed iframes don't show confirmation screen, resolved
54779, https://hackerone.com/reports/54779, Missing spf flags for myshopify.com, resolved
55009, https://hackerone.com/reports/55009, Frameset Proxy Problem, informative
55017, https://hackerone.com/reports/55017, Multiple Python integer overflows, resolved
55018, https://hackerone.com/reports/55018, Segmentation fault for invalid PSS parameters, resolved
55028, https://hackerone.com/reports/55028, Free called on unitialized pointer in exif.c, resolved
55029, https://hackerone.com/reports/55029, Use after free vulnerability in unserialize() with DateTimeZone, resolved
55030, https://hackerone.com/reports/55030, SoapClient's __call() type confusion through unserialize(), resolved
55033, https://hackerone.com/reports/55033, Use after free vulnerability in unserialize(), resolved
55064, https://hackerone.com/reports/55064, Bypass Setup by External Activity Invoke, resolved
55140, https://hackerone.com/reports/55140, Race Conditions in OAuth 2 API implementations, resolved
55431, https://hackerone.com/reports/55431, XML Parser Bug: XXE over which leads to RCE, resolved
55506, https://hackerone.com/reports/55506, Privacy Issue on protected tweets, informative
55525, https://hackerone.com/reports/55525, Open redirection in OAuth, resolved
55530, https://hackerone.com/reports/55530, Authentication Failed Mobile version, resolved
55546, https://hackerone.com/reports/55546, Open Redirect after login at http://ecommerce.shopify.com, resolved
55644, https://hackerone.com/reports/55644, Lack of SSL Pinning on POS Application ( iOS ), informative
55670, https://hackerone.com/reports/55670, Fabric.io:  Ex-admin of an organization can delete team members, resolved
55716, https://hackerone.com/reports/55716, Force 500 Internal Server Error on any shop (for one user), resolved
55827, https://hackerone.com/reports/55827, iframes considered harmful, informative
55842, https://hackerone.com/reports/55842, [persistent cross-site scripting] customers can target admins, resolved
56002, https://hackerone.com/reports/56002, Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content, resolved
56119, https://hackerone.com/reports/56119, Privecy Issue : view "Protected users" followers and following, informative
56177, https://hackerone.com/reports/56177, SMTP protection not used, resolved
56182, https://hackerone.com/reports/56182, May cause account take over (Via invitation page), informative
56385, https://hackerone.com/reports/56385, Double free vulnerability in Flash Player Settings Manager (CVE-2015-0346), resolved
56511, https://hackerone.com/reports/56511, IDOR expire other user sessions, resolved
56628, https://hackerone.com/reports/56628, Payment gateway status transferred to Shopify without authentication, resolved
56662, https://hackerone.com/reports/56662, XSS - URL Redirects, informative
56726, https://hackerone.com/reports/56726, Invitation issue, resolved
56742, https://hackerone.com/reports/56742, SPF whitelist of mandrill leads to email forgery, resolved
56760, https://hackerone.com/reports/56760, XSS on support.shopify.com, resolved
56779, https://hackerone.com/reports/56779, XSS on ecommerce.shopify.com, resolved
56793, https://hackerone.com/reports/56793, Missing DMARC record, informative
56800, https://hackerone.com/reports/56800, Multiple issues on Checkout Process, informative
56803, https://hackerone.com/reports/56803, XSS in version history of an HTML file in a shared folder, informative
56828, https://hackerone.com/reports/56828, SSRF vulnerablity in app webhooks, resolved
56936, https://hackerone.com/reports/56936, Notification request disclose private information about other myshopify accounts, resolved
57125, https://hackerone.com/reports/57125, comment out causes information disclosure, resolved
57263, https://hackerone.com/reports/57263, Rank Creation function not validating user inputs., informative
57356, https://hackerone.com/reports/57356, DOM based cookie bomb, resolved
57459, https://hackerone.com/reports/57459, XSS in experts.shopify.com, resolved
57505, https://hackerone.com/reports/57505, amazon aws s3 bucket content is public :-  http://shopify.com.s3.amazonaws.com/, resolved
57603, https://hackerone.com/reports/57603, API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass, resolved
57692, https://hackerone.com/reports/57692, Server responds with the server error logs on account creation, resolved
57736, https://hackerone.com/reports/57736, Missing spf flags for hackerone.com, resolved
57764, https://hackerone.com/reports/57764, ByPassing the email Validation Email on Sign up process in mobile apps, resolved
57914, https://hackerone.com/reports/57914, HTML injection in email sent by romit.io, resolved
57918, https://hackerone.com/reports/57918, Insecure Local Data Storage  : Application stores data using a binary sqlite database, resolved
58612, https://hackerone.com/reports/58612, Homograph attack, resolved
58630, https://hackerone.com/reports/58630, Content Spoofing, resolved
58679, https://hackerone.com/reports/58679, SSL cookie without secure flag set, resolved
58831, https://hackerone.com/reports/58831, Flash XSS on img.mail.ru, resolved
58897, https://hackerone.com/reports/58897, SSRF issue in "URL target" allows [REDACTED], resolved
58914, https://hackerone.com/reports/58914, Remote code execution as root on [REDACTED], resolved
59015, https://hackerone.com/reports/59015, Stored XSS in the Shopify Discussion Forums, resolved
59179, https://hackerone.com/reports/59179, Race condition when redeeming coupon codes, resolved
59356, https://hackerone.com/reports/59356, XSS in dropbox main domain , resolved
59372, https://hackerone.com/reports/59372, Homograph Attack, resolved
59375, https://hackerone.com/reports/59375, Homograph attack, resolved
59469, https://hackerone.com/reports/59469, Fake URL + Additional vectors for homograph attack, resolved
59505, https://hackerone.com/reports/59505, Create and Update patients vulnerability, resolved
59508, https://hackerone.com/reports/59508, Accessing all appointments vulnerability, resolved
59659, https://hackerone.com/reports/59659, Reopen Disable Accounts/ Hidden Access After Disable, resolved
59660, https://hackerone.com/reports/59660, Multiple Cross Site Request Forgery Vulnerabilities in Concrete5 version 5.7.3.1, resolved
59661, https://hackerone.com/reports/59661, Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1, resolved
59662, https://hackerone.com/reports/59662, Multiple Stored Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1, resolved
59663, https://hackerone.com/reports/59663, Sendmail Remote Code Execution Vulnerability in Concrete5 version 5.7.3.1, resolved
59664, https://hackerone.com/reports/59664, SQL Injection Vulnerability in Concrete5 version 5.7.3.1, resolved
59665, https://hackerone.com/reports/59665, Local File Inclusion Vulnerability in Concrete5 version 5.7.3.1, resolved
59666, https://hackerone.com/reports/59666, Unsafe usage of Host HTTP header in Concrete5 version 5.7.3.1, informative
60016, https://hackerone.com/reports/60016, xss profile, resolved
60058, https://hackerone.com/reports/60058, teach.udemy.com log poison vulnerability through wordpress debug.log being publically available, resolved
60201, https://hackerone.com/reports/60201, XSS Vulnerability on all pages, resolved
60260, https://hackerone.com/reports/60260, Misconfigured SPF Record Flag, informative
60402, https://hackerone.com/reports/60402, Content Spoofing - External Link Warning Page, resolved
60420, https://hackerone.com/reports/60420, store-agent.mail.ru: stacked blind injection, resolved
60429, https://hackerone.com/reports/60429, Logical Issue (Boosting Reputation points), informative
60573, https://hackerone.com/reports/60573, http://fitter1.i.mail.ru/browser/ торчит Graphite в мир, resolved
61312, https://hackerone.com/reports/61312, Bypass of the SSRF protection (Slack commands, Phabricator integration), resolved
61367, https://hackerone.com/reports/61367, xss on autoserch, resolved
61371, https://hackerone.com/reports/61371, leak receipt of another user, resolved
62294, https://hackerone.com/reports/62294, Multiple XSS Vulnerabilities in Concrete5 5.7.3.1, resolved
62301, https://hackerone.com/reports/62301, Ability to add pishing links in discusion ," Bypassing uneductional Links  add ", resolved
62400, https://hackerone.com/reports/62400, XSS on https://www.udemy.com/asset/export.html, resolved
62427, https://hackerone.com/reports/62427, XSS in myshopify.com Admin site in TAX Overrides, resolved
62531, https://hackerone.com/reports/62531, tt-mac.i.mail.ru: Quagga 0.99.23.1 (Router) : Default password and default enable password, resolved
62544, https://hackerone.com/reports/62544, http://tp-dev1.tp.smailru.net/, resolved
62778, https://hackerone.com/reports/62778, Multiple sub domain are vulnerable because of leaking full path , resolved
62827, https://hackerone.com/reports/62827, Email Notification should be get while changing Paypal Email, resolved
62861, https://hackerone.com/reports/62861, Bulk Discount App in myshopify.com exposes http://bulkdiscounts.shopifyapps.com vulnerable to XSS, resolved
63075, https://hackerone.com/reports/63075, https://voip.agent.mail.ru/phpinfo.php, resolved
63131, https://hackerone.com/reports/63131, Changeable model ids on vanilla update can lead to severely bad side-effects, informative
63158, https://hackerone.com/reports/63158, External URL page bypass, resolved
63324, https://hackerone.com/reports/63324, Flash Player information disclosure (etc.) CVE-2015-3044, PSIRT-3298, resolved
63537, https://hackerone.com/reports/63537, XSS in https://app.mavenlink.com/workspaces/, resolved
63729, https://hackerone.com/reports/63729, Logic error with notifications: user that has left team continues to receive notifications and can not 'clean' this area on account, resolved
63865, https://hackerone.com/reports/63865, Potential denial of service in hackerone.com/<program>/reward_settings, resolved
63888, https://hackerone.com/reports/63888, Cross site scripting, resolved
64164, https://hackerone.com/reports/64164, Privilege Escalation - A `MEMBER` with no ACCESS to `ORDERS` can still access the orders by using  `Order Printer APP` , resolved
64529, https://hackerone.com/reports/64529, Page replacement and redirect loop, resolved
64561, https://hackerone.com/reports/64561, missing SPF for legalrobot.com , resolved
64626, https://hackerone.com/reports/64626, Not Completed Accounts Take Over (Urgent bug), resolved
64645, https://hackerone.com/reports/64645, Missing security headers, possible clickjacking, resolved
64666, https://hackerone.com/reports/64666, Bypass verification of email while creating account(No rate limiting enable for verification code), resolved
64731, https://hackerone.com/reports/64731, Able to intercept app Traffic after choosing up the Secured Connection using SSL (HTTPS), resolved
64754, https://hackerone.com/reports/64754, Просмотр лайков и репостов фотографии, которая находятся в приватном альбоме, resolved
64941, https://hackerone.com/reports/64941, Header Misconfiguration - PHP API, resolved
64946, https://hackerone.com/reports/64946, Registration bypass using OAuth logical bug, resolved
64963, https://hackerone.com/reports/64963, API: Bug in method auth.validatePhone, resolved
65084, https://hackerone.com/reports/65084, Big Bug with Vault which i have already reported: Case #606962, resolved
65167, https://hackerone.com/reports/65167, CSRF, resolved
65324, https://hackerone.com/reports/65324, XSS on added name album on videos., resolved
65330, https://hackerone.com/reports/65330, Не достаточная проверка логина скайп, resolved
65729, https://hackerone.com/reports/65729, Activities are not Protected and able to crash app using other app (Can Malware or third parry app)., resolved
65808, https://hackerone.com/reports/65808, No CSRF protection when creating new community points actions, and related stored XSS, resolved
65825, https://hackerone.com/reports/65825, OAuth authorization page vulnerable to clickjacking, resolved
65921, https://hackerone.com/reports/65921, help2.m.smailru.net: XSS, resolved
65966, https://hackerone.com/reports/65966, Уязвимость приватных записей пользователя (личных), resolved
66151, https://hackerone.com/reports/66151, Invitation is not properly cancelled while inviting to bug reports., resolved
66223, https://hackerone.com/reports/66223, Two-factor authentication (via SMS), informative
66257, https://hackerone.com/reports/66257, [s.mail.ru] CRLF Injection, resolved
66262, https://hackerone.com/reports/66262, mailto: link injection on https://hackerone.com/directory, resolved
66385, https://hackerone.com/reports/66385, No valid SPF record, resolved
66386, https://hackerone.com/reports/66386, [www.*.myshopify.com] CRLF Injection, resolved
66391, https://hackerone.com/reports/66391, [engineeringblog.yelp.com] CRLF Injection, not-applicable
66422, https://hackerone.com/reports/66422, [mrgs.mail.ru] Internet Explorer XSS via Request-URI, resolved
66423, https://hackerone.com/reports/66423, [tanks.mail.ru] Internet Explorer XSS via Request-URI, resolved
66724, https://hackerone.com/reports/66724, type confusion in Sass::ParserState::ParserState(Sass::ParserState const&), resolved
66845, https://hackerone.com/reports/66845, - Guessing registered users in legalrobot.com, resolved
66962, https://hackerone.com/reports/66962, Misusing of FPU Instruction Could Cause Security Vulnerabilities in Adobe Flash Player, resolved
66994, https://hackerone.com/reports/66994, Link vulnerability leads to phishing attacks, informative
67125, https://hackerone.com/reports/67125, XSS at importing Product List, resolved
67132, https://hackerone.com/reports/67132, XSS at Bulk editing products, resolved
67161, https://hackerone.com/reports/67161, Possible xWork classLoader RCE: shared.mail.ru, resolved
67220, https://hackerone.com/reports/67220, Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS, resolved
67317, https://hackerone.com/reports/67317, Уязвимость получения всех номеров телефонов вк (по совместительству логинов профилей), resolved
67386, https://hackerone.com/reports/67386, [my.mail.ru] CRLF Injection, resolved
67557, https://hackerone.com/reports/67557, Bypass access restrictions from API, resolved
67562, https://hackerone.com/reports/67562, Issue in the implementation of captcha and race condition, resolved
67660, https://hackerone.com/reports/67660, Verification code issues for Two-Step Authentication, resolved
67929, https://hackerone.com/reports/67929, Redirection Page throwing error instead of redirecting to site, resolved
71337, https://hackerone.com/reports/71337, Отвязываем Twitter от любого профиля вк ! + несколько багов по дизайну, resolved
71614, https://hackerone.com/reports/71614, XSS in Myshopify Admin Site in DISCOUNTS, resolved
72272, https://hackerone.com/reports/72272, Multiple endpoints are vulnerable to XML External Entity injection (XXE) , resolved
72331, https://hackerone.com/reports/72331, XSS at Bulk editing ProductVariants, resolved
72526, https://hackerone.com/reports/72526, Xss via Dropbox, resolved
72735, https://hackerone.com/reports/72735, Unauthenticated access to Content Management System - www1.pornhubpremium.com, resolved
72775, https://hackerone.com/reports/72775, Уязвимость Создание фотографий без ведома пользователей, resolved
72785, https://hackerone.com/reports/72785, CSV Injection with the CVS export feature, resolved
72793, https://hackerone.com/reports/72793, Prevent Shop Admin From Seeing his Installed Apps / Install Persistent Unremovable App, resolved
72976, https://hackerone.com/reports/72976, Body injection in mailto link while commenting shop blog, resolved
73234, https://hackerone.com/reports/73234, out of bounds read crashes php-cgi, resolved
73235, https://hackerone.com/reports/73235, Use After Free Vulnerability in unserialize(), resolved
73236, https://hackerone.com/reports/73236, X509_to_X509_REQ NULL pointer deref, resolved
73237, https://hackerone.com/reports/73237, Buffer Over flow when parsing tar/zip/phar in phar_set_inode, resolved
73238, https://hackerone.com/reports/73238, Buffer Over-read in unserialize when parsing Phar, resolved
73239, https://hackerone.com/reports/73239, ZIP Integer Overflow leads to writing past heap boundary, resolved
73240, https://hackerone.com/reports/73240, Integer overflow in ftp_genlist() resulting in heap overflow, resolved
73241, https://hackerone.com/reports/73241, Malformed ECParameters causes infinite loop, resolved
73242, https://hackerone.com/reports/73242, libcurl: URL request injection, resolved
73244, https://hackerone.com/reports/73244, Use after free vulnerability in unserialize() with DateInterval, resolved
73245, https://hackerone.com/reports/73245, Type Confusion Vulnerability in SoapClient, resolved
73246, https://hackerone.com/reports/73246, Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER, resolved
73247, https://hackerone.com/reports/73247, php_stream_url_wrap_http_ex() type-confusion vulnerability, resolved
73248, https://hackerone.com/reports/73248, Tokenizer crash when processing undecodable source code, resolved
73249, https://hackerone.com/reports/73249, Multiple use after free bugs in element module, resolved
73250, https://hackerone.com/reports/73250, Multiple use after free bugs in heapq module, resolved
73251, https://hackerone.com/reports/73251, Multiple use after free bugs in json encoding, resolved
73252, https://hackerone.com/reports/73252, Use after free in get_filter, resolved
73253, https://hackerone.com/reports/73253, Multiple type confusions in unicode error handlers, resolved
73255, https://hackerone.com/reports/73255, str_repeat() sign mismatch based memory corruption, resolved
73256, https://hackerone.com/reports/73256, PHP yaml_parse/yaml_parse_file/yaml_parse_url Double Free, resolved
73257, https://hackerone.com/reports/73257, PHP yaml_parse/yaml_parse_file/yaml_parse_url Unsafe Deserialization, resolved
73258, https://hackerone.com/reports/73258, Python: imageop Unsafe Arithmetic, resolved
73259, https://hackerone.com/reports/73259, Integer overflow in _pickle.c, resolved
73260, https://hackerone.com/reports/73260, Integer overflow in _json_encode_unicode leads to crash, resolved
73276, https://hackerone.com/reports/73276, Internet-based attacker can run Flash apps in local sandboxes by using  special URL schemes (PSIRT-3299, CVE-2015-3079), resolved
73429, https://hackerone.com/reports/73429, pngcrush_measure_idat() off-by-one error (CVE-2015-2158), resolved
73480, https://hackerone.com/reports/73480, Arbritrary file Upload on AirMax, resolved
73491, https://hackerone.com/reports/73491, Buffer Overflow in PHP of the AirMax Products, resolved
73566, https://hackerone.com/reports/73566, Reflected XSS in chat, resolved
73808, https://hackerone.com/reports/73808, Extremely high Course rating values could be set in order to make really high Average rating of the course. Negative values could be set to., resolved
74004, https://hackerone.com/reports/74004, Other Buffer Overflow in PHP of the AirMax Products, resolved
74025, https://hackerone.com/reports/74025, Yet another Buffer Overflow in PHP of the AirMax Products, resolved
74147, https://hackerone.com/reports/74147, Potential for financial loss, negative Values for "Buy fee" and "Sell Fee", resolved
74514, https://hackerone.com/reports/74514, Own downloading link isn't properly checked in the email template, informative
74515, https://hackerone.com/reports/74515, Error stack trace enabled, resolved
74518, https://hackerone.com/reports/74518, The email updates issues, resolved
74595, https://hackerone.com/reports/74595, The product/status method CSRF, resolved
74933, https://hackerone.com/reports/74933, Disclosure of map information, resolved
75357, https://hackerone.com/reports/75357, Session Cookie without HttpOnly and secure flag set, resolved
75702, https://hackerone.com/reports/75702, No rate limit which leads to "Users information Disclosure" including verfification documents etc., resolved
75727, https://hackerone.com/reports/75727, Stored Cross site scripting In developer.zendesk.com, resolved
75936, https://hackerone.com/reports/75936, Security Missconfiguration in Autologin  , informative
76303, https://hackerone.com/reports/76303, weak ssl cipher suites, resolved
76307, https://hackerone.com/reports/76307, Self XSS Protection not used , I can trick users to insert JavaScript, resolved
76738, https://hackerone.com/reports/76738, Open redirect filter bypass, resolved
76784, https://hackerone.com/reports/76784, Cheating at gallery rating, resolved
77058, https://hackerone.com/reports/77058, NO SPF RECORDS , resolved
77060, https://hackerone.com/reports/77060, SMTP protection not used, resolved
77065, https://hackerone.com/reports/77065, Stealing CSRF Tokens, resolved
77067, https://hackerone.com/reports/77067, No rate limiting for sensitive actions (like "forgot password") enables user enumeration, resolved
77076, https://hackerone.com/reports/77076, GA code not verified on the server side allows sending Verification Documents on behalf of another user, resolved
77081, https://hackerone.com/reports/77081, Content Sniffing not disabled, resolved
77231, https://hackerone.com/reports/77231, Weak Cryptographic Hash, resolved
77319, https://hackerone.com/reports/77319, Full path disclosure at https://keybase.io/_/api/1.0/invitation_request.json, resolved
77679, https://hackerone.com/reports/77679, http://217.20.144.201 privilege escalation in apache tomcat SessionEample-script, resolved
77802, https://hackerone.com/reports/77802, TCP Source Port Pass Firewall, resolved
77817, https://hackerone.com/reports/77817, SSRF/XSPA в форме загрузки видео по URL, resolved
77904, https://hackerone.com/reports/77904, cross siite scripting in the blog , resolved
78003, https://hackerone.com/reports/78003, Cross site scripting On api Calculator API requests, resolved
78052, https://hackerone.com/reports/78052, xss in group, resolved
78158, https://hackerone.com/reports/78158, Wrong Handling of Content-Type allows Flash injection and Rosseta flash patch bypass, resolved
78219, https://hackerone.com/reports/78219, Покупка песни дешевле, чем она стоит., resolved
78253, https://hackerone.com/reports/78253, Покупка=>скачка песен, которые не предназначены для продажи, resolved
78260, https://hackerone.com/reports/78260, Stored XSS в имени песни (2) на платёжном гейте., resolved
78412, https://hackerone.com/reports/78412, Cross site scripting, resolved
78436, https://hackerone.com/reports/78436, (URGENT!) Покупка OK дешевле, чем он стоит, resolved
78516, https://hackerone.com/reports/78516, Доступ к чужим приватным фотографиям (3) через обложку видео, resolved
78685, https://hackerone.com/reports/78685, Email spoofing configuration missing, informative
78765, https://hackerone.com/reports/78765, information disclosure, resolved
78781, https://hackerone.com/reports/78781, Critical : Access to group videos where videos are restricted for all users(Broken authentication ), resolved
79046, https://hackerone.com/reports/79046, Доступ к чужим групповым беседам., resolved
79185, https://hackerone.com/reports/79185, Content spoofing through Referel header, resolved
79348, https://hackerone.com/reports/79348, OSX slack:// protocol handler javascript injection, resolved
79393, https://hackerone.com/reports/79393, Открытый доступ к корпоративным данным., resolved
79552, https://hackerone.com/reports/79552, [gratipay.com] CRLF Injection, resolved
80298, https://hackerone.com/reports/80298, Внедрение произвольного javascript-сценария в функционале просмотра изображений мобильной версии сайта, resolved
80512, https://hackerone.com/reports/80512, Runtime manipulation iOS app breaking the PIN, informative
80597, https://hackerone.com/reports/80597, Number of invited researchers disclosed as part of JSON search response, resolved
80694, https://hackerone.com/reports/80694, Reflective Xss Vulnerability , resolved
80883, https://hackerone.com/reports/80883, Authentication errors in server side validaton of E-MAIL, informative
80936, https://hackerone.com/reports/80936, Private Program and bounty details disclosed as part of JSON search response, resolved
80990, https://hackerone.com/reports/80990, JetBrains .idea project directory, resolved
81083, https://hackerone.com/reports/81083, Internal bounty and swag details disclosed as part of JSON response, resolved
81212, https://hackerone.com/reports/81212, Potential XSS on sanitize/Rails::Html::WhiteListSanitizer, resolved
81396, https://hackerone.com/reports/81396, [Rails42] We can inject HTML tags when server is using strip_tags method, resolved
81441, https://hackerone.com/reports/81441, XSS https://delivery.shopifyapps.com/  (Digital Downloads App  in myshopify.com), resolved
81701, https://hackerone.com/reports/81701, Possible SQL injection on "Jump to twitter", resolved
82725, https://hackerone.com/reports/82725, Stored XSS in comments, resolved
82929, https://hackerone.com/reports/82929, Cross Site Scripting – Album Page, resolved
83178, https://hackerone.com/reports/83178, owncloud.com: DOM Based XSS, resolved
83239, https://hackerone.com/reports/83239, owncloud.com: Allowed an attacker to force a user to change profile details. (XCSRF), resolved
83251, https://hackerone.com/reports/83251, owncloud.com: Content Sniffing not disabled, resolved
83373, https://hackerone.com/reports/83373, owncloud.com: Cross Site Tracing, resolved
83374, https://hackerone.com/reports/83374, apps.owncloud.com: XSS via referrer, resolved
83381, https://hackerone.com/reports/83381, apps.owncloud.com: Multiple reflected XSS by insecure URL generation (IE only), resolved
83565, https://hackerone.com/reports/83565, Content spoofing в http://my.mail.ru/cgi-bin/app/paymentm, resolved
83566, https://hackerone.com/reports/83566, [reflected xss, pornhub.com] /blog, any, resolved
83576, https://hackerone.com/reports/83576, [start.icq.com] Reflected XSS via Cookies, resolved
83585, https://hackerone.com/reports/83585, [riot.mail.ru] Reflected XSS in debug-mode, resolved
83604, https://hackerone.com/reports/83604, Html injection on khanacademy, resolved
83667, https://hackerone.com/reports/83667, apps.owncloud.com: Session Cookie in URL can be captured by hackers, resolved
83710, https://hackerone.com/reports/83710, apps.owncloud.com: SSL Session cookie without secure flag set, resolved
83801, https://hackerone.com/reports/83801, apps.owncloud.com: Path Disclosure, resolved
83803, https://hackerone.com/reports/83803, apps.owncloud.com: SSL Server Allows Anonymous Authentication Vulnerability (SMTP), resolved
83837, https://hackerone.com/reports/83837, demo.owncloud.org: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability, resolved
83855, https://hackerone.com/reports/83855, s2.owncloud.com: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability, resolved
83856, https://hackerone.com/reports/83856, s2.owncloud.com: SSL Session cookie without secure flag set, resolved
83962, https://hackerone.com/reports/83962, DoS Attack in Controller Lookup Code, resolved
83971, https://hackerone.com/reports/83971, test1.owncloud.com: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability, resolved
84078, https://hackerone.com/reports/84078, *.owncloud.com / *.owncloud.org: Using not strong enough SSL ciphers, resolved
84085, https://hackerone.com/reports/84085, daily.owncloud.com: Information disclosure, resolved
84105, https://hackerone.com/reports/84105, demo.owncloud.org: HTTP compression is enabled potentially leading to BREACH attack, resolved
84287, https://hackerone.com/reports/84287, DKIM records not present, Email Hijacking is possible, resolved
84371, https://hackerone.com/reports/84371, apps.owncloud.com: Stored XSS in profile page, resolved
84372, https://hackerone.com/reports/84372, owncloud.com: Account Compromise Through CSRF, resolved
84374, https://hackerone.com/reports/84374, apps.owncloud.com: Malicious file upload leads to remote code execution, resolved
84395, https://hackerone.com/reports/84395, CSRF in apps.owncloud.com, resolved
84453, https://hackerone.com/reports/84453, Lack of HSTS on https://apps.owncloud.com, resolved
84581, https://hackerone.com/reports/84581, owncloud.com: Outdated plugins contains public exploits  , resolved
84601, https://hackerone.com/reports/84601, XSS and cache poisoning via upload.twitter.com on ton.twitter.com, resolved
84709, https://hackerone.com/reports/84709, [API ISSUE] agents can Create agents even after they are disabled ! , resolved
84740, https://hackerone.com/reports/84740, Stored XSS On Statement, resolved
84797, https://hackerone.com/reports/84797, Config, resolved
85011, https://hackerone.com/reports/85011, Dashboard panel embedded onto itself causes a denial of service, resolved
85201, https://hackerone.com/reports/85201, Full Path Disclosure , resolved
85291, https://hackerone.com/reports/85291, XSS https://www.shopify.com/signup, resolved
85421, https://hackerone.com/reports/85421, XSS at af.attachmail.ru, resolved
85488, https://hackerone.com/reports/85488, Stored XSS on player.vimeo.com, resolved
85532, https://hackerone.com/reports/85532, apps.owncloud.com: Edit Question didn't check ACLs, resolved
85541, https://hackerone.com/reports/85541, apps.owncloud.com: Mixed Active Scripting Issue , resolved
85559, https://hackerone.com/reports/85559, Password appears in user name field, informative
85565, https://hackerone.com/reports/85565, apps.owncloud.com: CSRF change privacy settings, resolved
85577, https://hackerone.com/reports/85577, apps.owncloud.com: Potential XSS, resolved
85615, https://hackerone.com/reports/85615, Reflected XSS on vimeo.com/musicstore, resolved
85720, https://hackerone.com/reports/85720, IDOR on remoing Share, resolved
86022, https://hackerone.com/reports/86022, Multiple so called  'type juggling' attacks. Most notably PhabricatorUser::validateCSRFToken() is 'bypassable' in certain cases., resolved
86067, https://hackerone.com/reports/86067, Weak HSTS age in support hackerone site, resolved
86504, https://hackerone.com/reports/86504, [CRITICAL] Login To Any Account Linked With Google+ With Email Only, resolved
87027, https://hackerone.com/reports/87027, [keybase.io] Open Redirect, resolved
87168, https://hackerone.com/reports/87168, www.shopify.com XSS on blog pages via sharing buttons, resolved
87505, https://hackerone.com/reports/87505, Full Path Disclosure , resolved
87531, https://hackerone.com/reports/87531, Mail spaming, resolved
87561, https://hackerone.com/reports/87561, OAUTH pemission set as true= lead to authorize malicious application, resolved
87577, https://hackerone.com/reports/87577, Stored XSS on vimeo.com and player.vimeo.com, resolved
87588, https://hackerone.com/reports/87588, XSS Vulnerability, resolved
87752, https://hackerone.com/reports/87752, gallery_plus: Content Spoofing , resolved
87804, https://hackerone.com/reports/87804, [rabota.mail.ru] Open Redirect, resolved
87806, https://hackerone.com/reports/87806, [support.my.com] Internet Explorer XSS, resolved
87835, https://hackerone.com/reports/87835, Webview Vulnerablity [OwnCloudAndroid Application] , resolved
87854, https://hackerone.com/reports/87854, XSS on vimeo.com/home after other user follows you, resolved
88088, https://hackerone.com/reports/88088, XSS on mobile version of vimeo.com where the button "Follow" appears, resolved
88105, https://hackerone.com/reports/88105, XSS on vimeo.com | "Search within these results" feature (requires user interaction), resolved
88395, https://hackerone.com/reports/88395, Information leakage through Graphviz blocks, resolved
88508, https://hackerone.com/reports/88508, XSS when using captions/subtitles on video player based on Flash (requires user interaction), resolved
88719, https://hackerone.com/reports/88719, Multiple DOMXSS on Amplify Web Player, resolved
88881, https://hackerone.com/reports/88881, XSS: https://light.mail.ru/compose, https://m.mail.ru/compose/[id]/reply при ответе на специальным образом сформированное письмо, resolved
88904, https://hackerone.com/reports/88904, Apache Range Header Denial of Service Attack (Confirmed PoC), resolved
89081, https://hackerone.com/reports/89081, Vulnerability :- "XSS vulnerability", resolved
89097, https://hackerone.com/reports/89097, owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service), resolved
89178, https://hackerone.com/reports/89178, No rate limit or captcha to identify humans, resolved
89505, https://hackerone.com/reports/89505, Self-XSS in posts by formatting text as code, resolved
89624, https://hackerone.com/reports/89624, Cross-site Scripting https://www.zendesk.com/product/pricing/, resolved
90083, https://hackerone.com/reports/90083, Reflected XSS на https://aw.mail.ru/news/, resolved
90131, https://hackerone.com/reports/90131, CSV Excel Macro Injection Vulnerability in export customer tickets, resolved
90165, https://hackerone.com/reports/90165, CSRF в получении резервных токенов+framing , приводящие к компроментации 2fa, resolved
90172, https://hackerone.com/reports/90172, Tweetdeck (twitter owned app) not revoked, resolved
90274, https://hackerone.com/reports/90274, CSV Excel Macro Injection Vulnerability in export chat logs, resolved
90308, https://hackerone.com/reports/90308, User email enumuration using Gmail, resolved
90321, https://hackerone.com/reports/90321, Apache documentation, resolved
90367, https://hackerone.com/reports/90367, Minor Bug: Public un-compiled CSS with original sass, versioning, source map, comments, etc., resolved
90415, https://hackerone.com/reports/90415, CSV Excel Macro Injection in Export Response, resolved
90457, https://hackerone.com/reports/90457, Nested attributes reject_if proc can be circumvented by providing "_destroy" parameter, resolved
90601, https://hackerone.com/reports/90601, [s3.owncloud.com] Web Server HTTP Trace/Track Method Support , resolved
90643, https://hackerone.com/reports/90643, No email verification during registration, informative
90671, https://hackerone.com/reports/90671, Privilege escalation vulnerability, resolved
90688, https://hackerone.com/reports/90688, create staff member without owner access, resolved
90691, https://hackerone.com/reports/90691, [ling.go.mail.ru] Server-Status opened for all users, resolved
90753, https://hackerone.com/reports/90753, Content Spoofing , resolved
90778, https://hackerone.com/reports/90778, implement a cross-domain policy for Adobe products, not-applicable
90805, https://hackerone.com/reports/90805, change bank account numbers, resolved
90912, https://hackerone.com/reports/90912, Inadequate input validation on API endpoint leading to self denial of service and increased system load., resolved
90980, https://hackerone.com/reports/90980, owncloud.com: WP Super Cache plugin is outdated, resolved
91332, https://hackerone.com/reports/91332, Open Url redirection on login with facebook, informative
91343, https://hackerone.com/reports/91343, Information disclosure (No rate limting in forgot password & other login), resolved
91350, https://hackerone.com/reports/91350, "Sign me out everywhere" does not work for desktop sessions, resolved
91366, https://hackerone.com/reports/91366, Content Sniffing not enabled, resolved
91421, https://hackerone.com/reports/91421, Reflected Flash XSS using swfupload.swf with an epileptic reloading to bypass the button-event, resolved
91599, https://hackerone.com/reports/91599, WooCommerce: Support Ticket indirect object reference, resolved
91604, https://hackerone.com/reports/91604, Crossdomain.xml settings on api.imgur.com too open, resolved
91816, https://hackerone.com/reports/91816, Server Side Request Forgery In Video to GIF Functionality, informative
92113, https://hackerone.com/reports/92113, Уязвимость дает возможность смотреть кто лайкал приватным фото или видео , resolved
92251, https://hackerone.com/reports/92251, Issue with Password reset functionality, resolved
92271, https://hackerone.com/reports/92271, Недочет в поиске по хештегам, resolved
92344, https://hackerone.com/reports/92344, customers password hash leak!!!!, resolved
92353, https://hackerone.com/reports/92353, CSV Injection in polldaddy.com, resolved
92453, https://hackerone.com/reports/92453, unauthorized access to all customers first and last name , resolved
92472, https://hackerone.com/reports/92472, Tokens from services like Facebook can be stolen, resolved
92481, https://hackerone.com/reports/92481, Accessing Payments page and adding payment methods with limited access accounts, resolved
92607, https://hackerone.com/reports/92607, Content spoofing on invitations page , resolved
92633, https://hackerone.com/reports/92633, The POS Firmware is leaking the root Password which can be used for unauthorized access to the device., informative
92644, https://hackerone.com/reports/92644, apps.owncloud.com: Referer protection Bypassed, resolved
92716, https://hackerone.com/reports/92716, HackerOne Private Programs users disclosure and de-anonymous-ize, informative
92740, https://hackerone.com/reports/92740, SPF records not found, resolved
92915, https://hackerone.com/reports/92915, xss , informative
93004, https://hackerone.com/reports/93004, unauthorized access to all collections name, resolved
93020, https://hackerone.com/reports/93020, Способ узнать имя человека и ВУЗ удаленной страницы, resolved
93154, https://hackerone.com/reports/93154, Csrf near report abuse meme , resolved
93157, https://hackerone.com/reports/93157, SPF Protection not used, I can hijack your email server, informative
93294, https://hackerone.com/reports/93294, First & Last Name Disclosure of any Shopify Store Admin, resolved
93394, https://hackerone.com/reports/93394, Unauthenticated access to details of hidden products in any shop via title emuneration, resolved
93546, https://hackerone.com/reports/93546, pngcrush double-free/segfault could result in DoS (CVE-2015-7700), resolved
93550, https://hackerone.com/reports/93550, Reflected XSS via. search, resolved
93616, https://hackerone.com/reports/93616, get users information without full access, resolved
93680, https://hackerone.com/reports/93680, Missing authorization check on dashboard overviews, resolved
93691, https://hackerone.com/reports/93691, Arbitrary write on s3://shopify-delivery-app-storage/files, resolved
93807, https://hackerone.com/reports/93807, XSS by image file name, resolved
94230, https://hackerone.com/reports/94230, Cross-site Scripting in all Zopim, resolved
94502, https://hackerone.com/reports/94502, Some S3 Buckets are world readable (and one is world writeable), resolved
94517, https://hackerone.com/reports/94517, Reflective Xss on news.mail.ru and admin.news.mail.ru, resolved
94568, https://hackerone.com/reports/94568, http_basic_authenticate_with is suseptible to timing attacks., resolved
94584, https://hackerone.com/reports/94584, Sql-inj in https://maximum.com/ajax/people, resolved
94610, https://hackerone.com/reports/94610, Version Disclosure (NginX), resolved
94637, https://hackerone.com/reports/94637, Host Header Injection/Redirection, resolved
94642, https://hackerone.com/reports/94642, SMS Invite Form Abuse, resolved
94909, https://hackerone.com/reports/94909, XSS risk reduction with X-XSS-Protection: 1; mode=block header, resolved
94925, https://hackerone.com/reports/94925, Balance Manipulation - BUG, informative
95089, https://hackerone.com/reports/95089, Reflected XSS in cart at hardware.shopify.com, resolved
95146, https://hackerone.com/reports/95146, Reflected XSS., resolved
95231, https://hackerone.com/reports/95231, XSS in the "Poll" Feature on Twitter.com, resolved
95243, https://hackerone.com/reports/95243, Following a User Actually Follows Another User, resolved
95441, https://hackerone.com/reports/95441, Unauthorized access to any Store Admin's First & Last name, resolved
95552, https://hackerone.com/reports/95552, IDOR- Activate Mopub on different organizations- steal api token- Fabric.io, resolved
95564, https://hackerone.com/reports/95564, Persistent XSS in image title, resolved
95599, https://hackerone.com/reports/95599, Cross Site Scripting, resolved
95640, https://hackerone.com/reports/95640, Reflected XSS and/or malicious redirection via JWPlayer 6 configuration modification, informative
95804, https://hackerone.com/reports/95804, [api.allodsteam.com] Authentication Data, resolved
95841, https://hackerone.com/reports/95841, [allods.mail.ru] Reflected XSS, resolved
95981, https://hackerone.com/reports/95981, Http Response Splitting - Validate link, resolved
96007, https://hackerone.com/reports/96007, Domain takoever - https://sellocdn.com, resolved
96218, https://hackerone.com/reports/96218, Uses unsafe-inline without nonce , resolved
96229, https://hackerone.com/reports/96229, XSS on player.vimeo.com without user interaction and vimeo.com with user interaction, resolved
96294, https://hackerone.com/reports/96294, DDOS using xmlrpc.php, resolved
96337, https://hackerone.com/reports/96337, Stored XSS in Slack (weird, trial and error), resolved
96381, https://hackerone.com/reports/96381, Reflected XSS., resolved
96467, https://hackerone.com/reports/96467, Persistent XSS in https://p.imgur.com/albumview.gif and http://p.imgur.com/imageview.gif / post statistics, resolved
96470, https://hackerone.com/reports/96470, Missing of csrf protection , resolved
96474, https://hackerone.com/reports/96474, [it.mail.ru] Open Redirect, resolved
96662, https://hackerone.com/reports/96662, crossdomain.xml too permissive on eu1.badoo.com, us1.badoo.com, etc., resolved
96724, https://hackerone.com/reports/96724, [wos.my.com] Reflected XSS, resolved
96847, https://hackerone.com/reports/96847, Un-handled exception leads to Information Disclosure, resolved
96855, https://hackerone.com/reports/96855, Staff members with no permission to  access domains can access them., resolved
96908, https://hackerone.com/reports/96908, An administrator without the 'Settings' permission is able to see payment gateways, resolved
97150, https://hackerone.com/reports/97150, [aw.my.com] Reflected XSS, resolved
97152, https://hackerone.com/reports/97152, [games.my.com] Reflected XSS, resolved
97153, https://hackerone.com/reports/97153, [sf.my.com] Reflected XSS, resolved
97161, https://hackerone.com/reports/97161, Can see private tweets via keyword searches on tweetdeck, resolved
97268, https://hackerone.com/reports/97268, [evo2.my.com] Reflected XSS, resolved
97292, https://hackerone.com/reports/97292, HTTP header injection in info.hackerone.com allows setting cookies for hackerone.com, resolved
97295, https://hackerone.com/reports/97295, Multiple critical vulnerabilities in Odnoklassniki Android application, resolved
97312, https://hackerone.com/reports/97312, [mg.my.com] Reflected XSS, resolved
97317, https://hackerone.com/reports/97317, [allods.my.com] Full SQL Disclosure, resolved
97319, https://hackerone.com/reports/97319, [allods.my.com] Full Path Disclosure, resolved
97332, https://hackerone.com/reports/97332, [evo.my.com] Reflected XSS, resolved
97333, https://hackerone.com/reports/97333, [lucky-fields.my.com] Reflected XSS, resolved
97334, https://hackerone.com/reports/97334, [support.my.com] Reflected XSS, resolved
97395, https://hackerone.com/reports/97395, Potential SSRF in sales.mail.ru, resolved
97430, https://hackerone.com/reports/97430, [allods.my.com] Reflected XSS, resolved
97431, https://hackerone.com/reports/97431, [id.my.com] Reflected XSS, resolved
97432, https://hackerone.com/reports/97432, [furry.aw.my.com] Reflected XSS, resolved
97445, https://hackerone.com/reports/97445, [legal.my.com] Reflected XSS, resolved
97452, https://hackerone.com/reports/97452, Staff members with no permission can access to the files, uploaded by the administrator, resolved
97501, https://hackerone.com/reports/97501, SVG parser loads external resources on image upload, resolved
97510, https://hackerone.com/reports/97510, Following a User After Favoriting Actually Follows Another User (related to #95243), resolved
97609, https://hackerone.com/reports/97609, User Enumeration : Due to rate limiting on registration, informative
97646, https://hackerone.com/reports/97646, [account.my.com] Reflected XSS, resolved
97657, https://hackerone.com/reports/97657, File upload XSS (Java applet) on http://slackatwork.com/, resolved
97672, https://hackerone.com/reports/97672, File Upload XSS in image uploading of App in mopub, resolved
97683, https://hackerone.com/reports/97683, Reflected Self-XSS in Slack, resolved
97938, https://hackerone.com/reports/97938, XSS m.imgur.com, resolved
98012, https://hackerone.com/reports/98012, Stored XSS on https://www.algolia.com/realtime-search-demo/*, resolved
98281, https://hackerone.com/reports/98281, XSS Reflected in test.qiwi.ru, resolved
98432, https://hackerone.com/reports/98432, Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass) , resolved
98512, https://hackerone.com/reports/98512, [maps.me] Reflected XSS, resolved
98559, https://hackerone.com/reports/98559, RCE in ci.owncloud.com / ci.owncloud.org, resolved
98819, https://hackerone.com/reports/98819, S3 Buckets open to the world thanks to  'Authenticated Users' ACL , resolved
99054, https://hackerone.com/reports/99054, [opensource.mail.ru] Debug Mode, resolved
99157, https://hackerone.com/reports/99157, RC4 cipher suites detected on status.slack.com, resolved
99262, https://hackerone.com/reports/99262, [otus.p.mail.ru] Full Path Disclosure, resolved
99268, https://hackerone.com/reports/99268, [otus.p.mail.ru] CRLF Injection, resolved
99273, https://hackerone.com/reports/99273, [gitmm.corp.mail.ru] Auth Bypass, Information Disclosure, resolved
99279, https://hackerone.com/reports/99279, XML External Entity (XXE) in qiwi.com + waf bypass, resolved
99321, https://hackerone.com/reports/99321,  [CSRF] Activate PayPal Express Checkout, resolved
99368, https://hackerone.com/reports/99368, an xss issue, resolved
99374, https://hackerone.com/reports/99374, deleted staff member can add his amazon marketplace web services account to the store., resolved
99424, https://hackerone.com/reports/99424, Mass Assignment Vulnerability in partners.uber.com, resolved
99435, https://hackerone.com/reports/99435, Open redirect helps to steal Facebook access_token, resolved
99516, https://hackerone.com/reports/99516, open redirect in <your_zendesk>.zendesk.com, resolved
99594, https://hackerone.com/reports/99594, Reflected XSS on www.boozt.com, resolved
99600, https://hackerone.com/reports/99600, Urgent : Unauthorised Access to Media content of all Direct messages and protected tweets(Indirect object reference), resolved
99647, https://hackerone.com/reports/99647, CSRF  Add Album On  onpatient.com , resolved
99686, https://hackerone.com/reports/99686, [w1.dwar.ru] Core Dump, resolved
99687, https://hackerone.com/reports/99687, profile cover can also load external URL's , resolved
99708, https://hackerone.com/reports/99708, Limited CSRF bypass., resolved
99857, https://hackerone.com/reports/99857, Request Accepts without X-CSRFToken  [ Header - Cookie ], resolved
99863, https://hackerone.com/reports/99863, From full-access account to Account Owner, resolved
100186, https://hackerone.com/reports/100186, Transactions visible on Unconfirmed devices, resolved
100200, https://hackerone.com/reports/100200, Open Redirect in meeting.qiwi.com, resolved
100509, https://hackerone.com/reports/100509, Pre-generation of 2FA secret/backup codes seems like an unnecessary risk, resolved
100550, https://hackerone.com/reports/100550, [xss, pornhub.com] /user/[username], multiple parameters, resolved
100552, https://hackerone.com/reports/100552, Cross Site Scripting - On Mouse Over, Blog page, resolved
100565, https://hackerone.com/reports/100565, Executing scripts on slack-files.com using SVG, resolved
100755, https://hackerone.com/reports/100755, Reflected XSS on hi-tech.mail.ru, resolved
100820, https://hackerone.com/reports/100820, Add tweet to collection CSRF , resolved
100829, https://hackerone.com/reports/100829, Stored-XSS in https://www.coinbase.com/, resolved
100849, https://hackerone.com/reports/100849, URGENT : NICHE.co Account Take Over Vulnerability, resolved
100916, https://hackerone.com/reports/100916, Imgur dev environments facing the Internet, resolved
100926, https://hackerone.com/reports/100926, Access to internal CMS containing private Data, resolved
100931, https://hackerone.com/reports/100931, xss in link items (mopub.com), resolved
100938, https://hackerone.com/reports/100938, An administrator without any permission is able to get order notifications using his APNS Token., resolved
100956, https://hackerone.com/reports/100956, Cookie securing your "Opening soon" store is not secured against XSS, resolved
101063, https://hackerone.com/reports/101063, Drivers can change profile picture, resolved
101104, https://hackerone.com/reports/101104, Subdomain Expired, resolved
101108, https://hackerone.com/reports/101108, Reflected Cross-Site Scripting on French subdomain, resolved
101145, https://hackerone.com/reports/101145, Remove anyone's pic gravtar, resolved
101324, https://hackerone.com/reports/101324, RC4 cipher suites detected, resolved
101330, https://hackerone.com/reports/101330, SSL certificate invalid date, resolved
101331, https://hackerone.com/reports/101331, RC4 cipher suites detected, resolved
101450, https://hackerone.com/reports/101450, XSS in creating tweets, resolved
101909, https://hackerone.com/reports/101909, account.ubnt.com CSRF, resolved
101977, https://hackerone.com/reports/101977, Login to any user account using other facebook app access token , resolved
101983, https://hackerone.com/reports/101983, Cookie bug, resolved
102194, https://hackerone.com/reports/102194, [CRITICAL] CSRF leading to account take over, resolved
102234, https://hackerone.com/reports/102234, Same-Origin Policy bypass on main domain - ok.ru, resolved
102236, https://hackerone.com/reports/102236, Same-Origin Policy Bypass #2 , resolved
102327, https://hackerone.com/reports/102327, content injection, resolved
102376, https://hackerone.com/reports/102376, Обход защиты от csrf-ок в m.ok.ru, resolved
102755, https://hackerone.com/reports/102755, Stored XSS in name selection, resolved
103178, https://hackerone.com/reports/103178, Attack User Privacy Settings - X-Frame-Options missing on m.imgur.com/user/username/settings, resolved
103182, https://hackerone.com/reports/103182, [babel.mail.ru] Admin Page Found, resolved
103351, https://hackerone.com/reports/103351, [CSRF] Install premium themes , resolved
103432, https://hackerone.com/reports/103432, URGENT - Subdomain Takeover in support.urbandictionary.com pointing to Zendesk, resolved
103546, https://hackerone.com/reports/103546, manipulate the Practical HTTP Host header , resolved
103651, https://hackerone.com/reports/103651, Stored XSS in Draft Articles. , resolved
103772, https://hackerone.com/reports/103772, Open Redirect at *.myshopify.com/account/login?checkout_url=, resolved
103787, https://hackerone.com/reports/103787, CSRF possible when SOP Bypass/UXSS is available , resolved
103990, https://hackerone.com/reports/103990, Null pointer dereference in phar_get_fp_offset(), resolved
103991, https://hackerone.com/reports/103991, mod_lua: Crash in websockets PING handling, resolved
103992, https://hackerone.com/reports/103992, Integer overflow in _Unpickler_Read, resolved
103993, https://hackerone.com/reports/103993, Request Hijacking Vulnerability In RubyGems 2.4.6 And Earlier, resolved
103994, https://hackerone.com/reports/103994, Python 3.3 - 3.5 product_setstate() Out-of-bounds Read, resolved
103995, https://hackerone.com/reports/103995, Use After Free Vulnerability in unserialize() with SplDoublyLinkedList, resolved
103996, https://hackerone.com/reports/103996, Use After Free Vulnerability in unserialize() with SplObjectStorage, resolved
103997, https://hackerone.com/reports/103997, Use After Free Vulnerability in unserialize(), resolved
103998, https://hackerone.com/reports/103998, Use After Free Vulnerability in session deserializer, resolved
103999, https://hackerone.com/reports/103999, Use after free vulnerability in unserialize() with GMP, resolved
104000, https://hackerone.com/reports/104000, Python xmlparse_setattro() Type Confusion, resolved
104001, https://hackerone.com/reports/104001, time_strftime() Buffer Over-read, resolved
104002, https://hackerone.com/reports/104002, Python scan_eol() Buffer Over-read, resolved
104003, https://hackerone.com/reports/104003, Python deque.index() uninitialized memory, resolved
104004, https://hackerone.com/reports/104004, Mem out-of-bounds write (segfault) in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER, resolved
104005, https://hackerone.com/reports/104005, null pointer deref (segfault) in zend_eval_const_expr, resolved
104006, https://hackerone.com/reports/104006, Null pointer deref (segfault) in spl_autoload via ob_start, resolved
104007, https://hackerone.com/reports/104007, Buffer over-read in exif_read_data with TIFF IFD tag, resolved
104008, https://hackerone.com/reports/104008, Uninitialized pointer in phar_make_dirstream, resolved
104009, https://hackerone.com/reports/104009, zend_throw_or_error() format string vulnerability, resolved
104010, https://hackerone.com/reports/104010, SOAP serialize_function_call() type confusion / RCE, resolved
104011, https://hackerone.com/reports/104011, AddressSanitizer reports a global buffer overflow in mkgmtime() function, resolved
104012, https://hackerone.com/reports/104012, Integer overflow in unserialize() (32-bits only), resolved
104013, https://hackerone.com/reports/104013, heap buffer overflow in enchant_broker_request_dict(), resolved
104014, https://hackerone.com/reports/104014, libcurl duphandle read out of bounds, resolved
104015, https://hackerone.com/reports/104015, curl_setopt_array() type confusion, resolved
104016, https://hackerone.com/reports/104016, Dangling pointer in the unserialization of ArrayObject items, resolved
104017, https://hackerone.com/reports/104017, Arbitrary code execution in str_ireplace function, resolved
104018, https://hackerone.com/reports/104018, Multiple Use After Free Vulnerabilites in unserialize(), resolved
104019, https://hackerone.com/reports/104019, Files extracted from archive may be placed outside of destination directory, resolved
104020, https://hackerone.com/reports/104020, audioop.lin2adpcm Buffer Over-read, resolved
104021, https://hackerone.com/reports/104021, audioop.adpcm2lin Buffer Over-read, resolved
104022, https://hackerone.com/reports/104022, hotshot pack_string Heap Buffer Overflow, resolved
104023, https://hackerone.com/reports/104023, bytearray.find Buffer Over-read, resolved
104024, https://hackerone.com/reports/104024, array.fromstring Use After Free, resolved
104025, https://hackerone.com/reports/104025, use after free in load_newobj_ex, resolved
104026, https://hackerone.com/reports/104026, invalid pointer free() in phar_tar_process_metadata(), resolved
104027, https://hackerone.com/reports/104027, Memory Corruption in phar_parse_tarfile when entry filename starts with null, resolved
104028, https://hackerone.com/reports/104028, Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow), resolved
104032, https://hackerone.com/reports/104032, PyFloat_FromString & PyNumber_Long Buffer Over-reads, resolved
104033, https://hackerone.com/reports/104033, tokenizer crash when processing undecodable source code, resolved
104087, https://hackerone.com/reports/104087, Trick make all fixed open redirect links vulnerable again, resolved
104359, https://hackerone.com/reports/104359, shopifyapps.com XSS on sales channels via currency formatting, resolved
104465, https://hackerone.com/reports/104465, git-fastclone allows arbitrary command execution through usage of ext remote URLs in submodules, resolved
104488, https://hackerone.com/reports/104488, [rubm.qiwi.com] Yui charts.swf XSS, resolved
104543, https://hackerone.com/reports/104543, HTML injection in apps user review , resolved
104559, https://hackerone.com/reports/104559, XSS on codex.wordpress.org, resolved
104620, https://hackerone.com/reports/104620, XXE in OAuth2 Applications gallery profile App logo, informative
104896, https://hackerone.com/reports/104896, [status.zopim.com] Open Redirect, resolved
104917, https://hackerone.com/reports/104917, Cross-Site Scripting Reflected On Main Domain, resolved
104931, https://hackerone.com/reports/104931, CSRF in Connecting Pinterest Account, resolved
105149, https://hackerone.com/reports/105149, directory listing in https://demo.owncloud.org/doc/, resolved
105190, https://hackerone.com/reports/105190, Unsafe usage of Ruby string interpolation enabling command injection in git-fastclone, resolved
105419, https://hackerone.com/reports/105419, Cookie-Based Injection, resolved
105434, https://hackerone.com/reports/105434, [rev-app.informatica.com] - XXE, resolved
105463, https://hackerone.com/reports/105463, risk of having secure=false in a crossdomain.xml, resolved
105486, https://hackerone.com/reports/105486, PornIQ Reflected Cross-Site Scripting, resolved
105655, https://hackerone.com/reports/105655, [crossdomain.xml] Dangerous Flash Cross-Domain Policy, resolved
105657, https://hackerone.com/reports/105657, libphutil: removing bytes from a PhutilRope does not work as intended, resolved
105659, https://hackerone.com/reports/105659, many xss in widgets.shopifyapps.com, resolved
105688, https://hackerone.com/reports/105688, DOM Based XSS in Checkout, resolved
105753, https://hackerone.com/reports/105753, [app.informaticaondemand.com] XXE, resolved
105787, https://hackerone.com/reports/105787,  XXE in upload file feature, resolved
105953, https://hackerone.com/reports/105953, Parameter pollution in social sharing buttons, resolved
105977, https://hackerone.com/reports/105977, DLL Hijacking Vulnerability in GlassWireSetup.exe, resolved
105980, https://hackerone.com/reports/105980, XXE at host vpn.owncloud.com, resolved
106024, https://hackerone.com/reports/106024, owncloud.com: Parameter pollution in social sharing buttons, resolved
106084, https://hackerone.com/reports/106084, Team Member███ associated with a Custom Group Created with 'Program Managment' only permissions can Comments on Bug Reports , resolved
106179, https://hackerone.com/reports/106179, Уязвимость дает возможность видеть записи , которые предлагаются пабликам + еще, resolved
106293, https://hackerone.com/reports/106293, Reflective XSS on wholesale.shopify.com, resolved
106305, https://hackerone.com/reports/106305, Improve signals in reputation, resolved
106315, https://hackerone.com/reports/106315, Potential for Double Spend via Sign Message Utility, informative
106348, https://hackerone.com/reports/106348, text injection can be used in phishing 404 page should not include attacker text, resolved
106350, https://hackerone.com/reports/106350, text injection can be used in phishing 404 page should not include attacker text, resolved
106360, https://hackerone.com/reports/106360, Race condition allowing user to review app multiple times, resolved
106362, https://hackerone.com/reports/106362, Clickjacking : https://partners.cloudflare.com/, resolved
106384, https://hackerone.com/reports/106384, Application error message, resolved
106427, https://hackerone.com/reports/106427, HTTP-Response-Splitting on v.shopify.com, resolved
106548, https://hackerone.com/reports/106548, Format string vulnerability in zend_throw_or_error(), resolved
106636, https://hackerone.com/reports/106636, Strored Cross Site Scripting, resolved
106678, https://hackerone.com/reports/106678, [now.informatica.com] Reflective XSS, resolved
106779, https://hackerone.com/reports/106779, Stored XSS in comments, resolved
106797, https://hackerone.com/reports/106797, [marketplace.informatica.com] - XXE, resolved
106802, https://hackerone.com/reports/106802, [marketplace.informatica.com] - XXE, resolved
106806, https://hackerone.com/reports/106806, Добавление в меню сообщества без ведома пользователя (нажатия пользователем), resolved
106865, https://hackerone.com/reports/106865, [rev-app.informatica.com] - XXE via SAML, resolved
106897, https://hackerone.com/reports/106897, Stored XSS in /admin/orders , resolved
106982, https://hackerone.com/reports/106982, XSS in imgur mobile, resolved
107036, https://hackerone.com/reports/107036, XSS in imgur mobile 3, resolved
107213, https://hackerone.com/reports/107213, GlassWireSetup.exe subject to EXE planting attack, resolved
107296, https://hackerone.com/reports/107296, Possible Timing Side-Channel in XMLRPC Verification, resolved
107336, https://hackerone.com/reports/107336, Team Member(s) associated with a  Group have Read-only permission (Post internal comments) can post comment to all the participants , resolved
107358, https://hackerone.com/reports/107358, reflected in xss, resolved
107849, https://hackerone.com/reports/107849, [https://test1.owncloud.com/owncloud6/] Guessable password used for admin user, resolved
107877, https://hackerone.com/reports/107877, API: Bug in method auth.signup , дающий возможность бесконечно звонить , resolved
107960, https://hackerone.com/reports/107960, Reflected File Download in community.ubnt.com/restapi/, resolved
108113, https://hackerone.com/reports/108113, Bypassing callback_url validation on Digits, resolved
108288, https://hackerone.com/reports/108288, otrs.owncloud.com: Reflected Cross-Site Scripting, resolved
108645, https://hackerone.com/reports/108645, Harden resend throttling, resolved
108681, https://hackerone.com/reports/108681, Use After Free Vulnerability in WDDX Packet Deserialization, resolved
108682, https://hackerone.com/reports/108682, Type Confusion Vulnerability in PHP_to_XMLRPC_worker(), resolved
108683, https://hackerone.com/reports/108683, Session WDDX Packet Deserialization Type Confusion Vulnerability, resolved
108692, https://hackerone.com/reports/108692, Mixed Active Scripting Issue on stats.owncloud.org, resolved
108723, https://hackerone.com/reports/108723, Validation bypass for Active Record and Active Model, resolved
108928, https://hackerone.com/reports/108928, Signals get affected once reports closed as self , resolved
109054, https://hackerone.com/reports/109054, HTTP trace method is enabled, resolved
109116, https://hackerone.com/reports/109116, Directory Listing on grtp.co, informative
109161, https://hackerone.com/reports/109161, protect against tabnabbing in statement, resolved
109175, https://hackerone.com/reports/109175, Use After Free in sortWithSortKeys(), resolved
109352, https://hackerone.com/reports/109352, XSS in GM , resolved
109395, https://hackerone.com/reports/109395, gmmovinparts.com SQLi via forgot_password.jsp, resolved
109420, https://hackerone.com/reports/109420, Requesting unknown file type returns Ruby object w/ address, resolved
109461, https://hackerone.com/reports/109461, refelected Xss on https://gmid.gm.com/gmid/jsp/GMIDInitialLogin.jsp, resolved
109485, https://hackerone.com/reports/109485, Race Condition in Article "Helpful" Indicator, resolved
109699, https://hackerone.com/reports/109699, Subdomain Takeover in http://assets.goubiquiti.com/, resolved
109810, https://hackerone.com/reports/109810, The 'Create a New Account' action is vulnerable to CSRF, not-applicable
109815, https://hackerone.com/reports/109815, Direct URL access to completed reports, resolved
109832, https://hackerone.com/reports/109832, HTML injection via 'underlying' parameter, duplicate
109839, https://hackerone.com/reports/109839, CSRF in Udemy.com , informative
109843, https://hackerone.com/reports/109843, Uninitialized pointer in phar_make_dirstream(), resolved
109959, https://hackerone.com/reports/109959, Extended policy checks are buggy, resolved
110293, https://hackerone.com/reports/110293, Insufficient OAuth callback validation which leads to Periscope account takeover, resolved
110352, https://hackerone.com/reports/110352, Perl 5.22 VDir::MapPathA/W Out-of-bounds Reads and Buffer Over-reads, resolved
110417, https://hackerone.com/reports/110417, Heap corruption in tar/zip/phar parser, resolved
110467, https://hackerone.com/reports/110467, Bypassing Digits bridge origin validation, resolved
110655, https://hackerone.com/reports/110655, Information Exposure Through Directory Listing, resolved
110720, https://hackerone.com/reports/110720, Arbitary Memory Read via gdImageRotateInterpolated Array Index Out of Bounds, resolved
110722, https://hackerone.com/reports/110722, Heap BufferOver Flow in escapeshellargs and escapeshellcmd functions, resolved
110801, https://hackerone.com/reports/110801, Internal GET SSRF via CSRF with Press This scan feature, resolved
111003, https://hackerone.com/reports/111003, [cfire.mail.ru] Time Based SQL Injection 2, resolved
111078, https://hackerone.com/reports/111078, Sub Domain Take over, resolved
111094, https://hackerone.com/reports/111094, Content Spoofing OR Text Injection in https://withinsecurity.com, resolved
111131, https://hackerone.com/reports/111131, XSS, duplicate
111192, https://hackerone.com/reports/111192, CSV Injection via the CSV export feature, resolved
111216, https://hackerone.com/reports/111216, Twitter Disconnect CSRF, resolved
111218, https://hackerone.com/reports/111218, Attach Pinterest account - no State/CSRF parameter in Oauth Call back, resolved
111262, https://hackerone.com/reports/111262, The csrf token remains same after user logs in, resolved
111269, https://hackerone.com/reports/111269, [ssrf] libav vulnerable during conversion of uploaded videos, resolved
111365, https://hackerone.com/reports/111365, XSS at www.woothemes.com, resolved
111386, https://hackerone.com/reports/111386, Legacy API exposes private video titles, resolved
111417, https://hackerone.com/reports/111417, Checking whether user liked the media or not even when you are blocked , resolved
111475, https://hackerone.com/reports/111475, www.shopify.com XSS via third-party script, resolved
111500, https://hackerone.com/reports/111500, XSS at wordpress.com, resolved
111514, https://hackerone.com/reports/111514, [3k.mail.ru] Content Spoofing, resolved
111643, https://hackerone.com/reports/111643, Full access to Amazon S3 bucket containing AWS CloudTrail logs, resolved
111752, https://hackerone.com/reports/111752, Big Bug in SSL : breach compression attack (CVE-2013-3587) affect imgur.com, resolved
111763, https://hackerone.com/reports/111763, XSS vulnerability in "/coach/roster/" ( create your first class) , resolved
111860, https://hackerone.com/reports/111860, Error Page Text Injection #106350, resolved
111915, https://hackerone.com/reports/111915, [CRITICAL] HTML injection issue leading to account take over, resolved
111999, https://hackerone.com/reports/111999, Full Path Disclosure on gmchat.gm.com, resolved
112001, https://hackerone.com/reports/112001, XSS on gmchat.gm.com, resolved
112025, https://hackerone.com/reports/112025, Stored XSS, informative
112057, https://hackerone.com/reports/112057, Heapoverflow in zipimporter module, resolved
112116, https://hackerone.com/reports/112116, XXE in the Connector Designer, resolved
112156, https://hackerone.com/reports/112156, SSRF in the Connector Designer (REST and Elastic Search), resolved
112166, https://hackerone.com/reports/112166, The JDBC driver used by the Vertica connector allows to create files on the backends, resolved
112224, https://hackerone.com/reports/112224, Logical Vulnerability : REDIRECTING on pw.mail.ru by Parameter Spoofing, resolved
112304, https://hackerone.com/reports/112304, owncloud.help: Text  Injection, resolved
112306, https://hackerone.com/reports/112306, Full takeover of some binary.com sub domains, resolved
112372, https://hackerone.com/reports/112372, XSS during presentation, resolved
112386, https://hackerone.com/reports/112386, smartlist_add, smartlist_insert (may) cause heap corruption as a result of inadequate checks in smartlist_ensure_capacity, resolved
112496, https://hackerone.com/reports/112496, Session Issue Maybe Can lead to huge loss [CRITICAL], resolved
112632, https://hackerone.com/reports/112632, [tor] libevent dns remote stack overread vulnerability, resolved
112687, https://hackerone.com/reports/112687, grtp.co is vulnerable to http-vuln-cve2011-3192, informative
112723, https://hackerone.com/reports/112723, PHP-FPM fpm_log.c memory leak and buffer overflow, resolved
112784, https://hackerone.com/reports/112784, libevent (stack) buffer overflow in evutil_parse_sockaddr_port, resolved
112855, https://hackerone.com/reports/112855, EIP control using type confusion in json encoding, resolved
112858, https://hackerone.com/reports/112858, UAF in xmlparser_setevents (1), resolved
112860, https://hackerone.com/reports/112860, UAF  in xmlparser_setevents (2), resolved
112863, https://hackerone.com/reports/112863, Trivial age-old heap overflow in 32-bit PHP, resolved
112869, https://hackerone.com/reports/112869, [s2.jugger.ru] Content Spoofing, resolved
112871, https://hackerone.com/reports/112871, [tanks.mail.ru] Content Spoofing, resolved
112935, https://hackerone.com/reports/112935, Unintended HTML inclusion as a result of https://hackerone.com/reports/110578, resolved
112955, https://hackerone.com/reports/112955, WordPress Failure Notice page will generate arbitrary hyperlinks, resolved
113120, https://hackerone.com/reports/113120, An integer overflow bug in php_implode() could lead heap overflow, make PHP to crash, resolved
113122, https://hackerone.com/reports/113122, An integer overflow bug in php_str_to_str_ex() led arbitrary code execution., resolved
113211, https://hackerone.com/reports/113211, No Any Kind of Protection on Delete account, resolved
113268, https://hackerone.com/reports/113268, Integer overflow in wordwrap, resolved
113332, https://hackerone.com/reports/113332, [api.login.icq.net] Open Redirect, resolved
113336, https://hackerone.com/reports/113336, [api.login.icq.net] Reflected XSS, resolved
113339, https://hackerone.com/reports/113339, Cross-domain AJAX request, informative
113370, https://hackerone.com/reports/113370, [warofdragons.com] Content Spoofing, resolved
113424, https://hackerone.com/reports/113424, [tor] control connection pre-auth DoS (infinite loop) with --enable-bufferevents, resolved
113798, https://hackerone.com/reports/113798, Null pointer deref with ob_start with compact, resolved
113799, https://hackerone.com/reports/113799, Null pointer deref with ob_start with get_defined_vars, resolved
113831, https://hackerone.com/reports/113831, Regarding [CVE-2016-0752] Possible Information Leak Vulnerability in Action View, resolved
113857, https://hackerone.com/reports/113857, CSRF AT SELECTING ZAMATO HANDLE, resolved
113865, https://hackerone.com/reports/113865, CSRF AT INVITING PEOPLE THOUGH PHONE NUMBER, resolved
113869, https://hackerone.com/reports/113869, Subdomain Takeover , resolved
113928, https://hackerone.com/reports/113928, Remote code execution using render :inline, resolved
114024, https://hackerone.com/reports/114024, Stack overflow when decompressing tar archives, resolved
114078, https://hackerone.com/reports/114078, Use-after-free vulnerability in SPL(ArrayObject, unserialize), resolved
114079, https://hackerone.com/reports/114079, Use-after-free vulnerability in SPL(SplObjectStorage, unserialize), resolved
114086, https://hackerone.com/reports/114086, [parapa.mail.ru] SQL Injection reapet, resolved
114125, https://hackerone.com/reports/114125, Remote Server Restart Lead to Denial of Server by only one Request., resolved
114127, https://hackerone.com/reports/114127, Twitter Disconnect CSRF, resolved
114134, https://hackerone.com/reports/114134, Subdomain takeover in http://support.scan.me pointing to Zendesk (a Snapchat acquisition), resolved
114151, https://hackerone.com/reports/114151, Cross Site Scripting - type Patameter, resolved
114169, https://hackerone.com/reports/114169, Bypassing Digits web authentication's host validation with HPP, resolved
114172, https://hackerone.com/reports/114172, 	Out-of-Bound Read in phar_parse_zipfile(), resolved
114198, https://hackerone.com/reports/114198, [touch.lady.mail.ru] CRLF Injection , resolved
114339, https://hackerone.com/reports/114339, Type Confusion in WDDX Packet Deserialization, resolved
114389, https://hackerone.com/reports/114389, Remote File Upload Vulnerability in business-blog.zomato.com, resolved
114414, https://hackerone.com/reports/114414, openssl_seal() uninitialized memory usage, resolved
114430, https://hackerone.com/reports/114430, CSRF on https://shopify.com/plus, resolved
114476, https://hackerone.com/reports/114476, Внедрение внешних сущностей в функционале импорта пользователей YouTrack, resolved
114631, https://hackerone.com/reports/114631, Several XSS affecting Zomato.com and developers.zomato.com, resolved
114698, https://hackerone.com/reports/114698, Remote Server Restart Lead to Denial of Service by only one Request., resolved
114796, https://hackerone.com/reports/114796, No validation on account names, resolved
114797, https://hackerone.com/reports/114797, A Log in page does not properly validate the authenticity token at the server side, resolved
114799, https://hackerone.com/reports/114799, A Signup page does not properly validate the authenticity token at the server side., resolved
114807, https://hackerone.com/reports/114807, Unsafe HTML in reset password email    and Account verification in email  is missing in Sign up, resolved
114870, https://hackerone.com/reports/114870, Basic Authorization over HTTP, resolved
114879, https://hackerone.com/reports/114879, Persistent input validation mail encoding vulnerability  in the "just followed you" email notification., resolved
115007, https://hackerone.com/reports/115007, Race conditions can be used to bypass invitation limit, resolved
115036, https://hackerone.com/reports/115036, Weak Password Policy, resolved
115158, https://hackerone.com/reports/115158, CSRF in twitterflightschool.com ( CAN POST ON TIMELINE WITHOUT USER PERMISSION), resolved
115205, https://hackerone.com/reports/115205, Putting link inside link in markdown, resolved
115209, https://hackerone.com/reports/115209, Unauthorized file (invoice) download, duplicate
115219, https://hackerone.com/reports/115219, Information Disclosure in Error Page, informative
115230, https://hackerone.com/reports/115230, Content spoofing due to the improper behavior  of the not-found meesage, resolved
115232, https://hackerone.com/reports/115232, Email spoofing, duplicate
115245, https://hackerone.com/reports/115245, Email Authentication bypass Vulnerability, duplicate
115246, https://hackerone.com/reports/115246, DNSsec not configured, informative
115248, https://hackerone.com/reports/115248, XSS and CSRF in Zomato Contact form, resolved
115250, https://hackerone.com/reports/115250, Missing SPF records for paragonie.com, duplicate
115271, https://hackerone.com/reports/115271, SSL certificate public key less than 2048 bit, not-applicable
115275, https://hackerone.com/reports/115275, SPF DNS Record , resolved
115284, https://hackerone.com/reports/115284, prevent content spoofing on /search, resolved
115294, https://hackerone.com/reports/115294, Missing SPF, duplicate
115296, https://hackerone.com/reports/115296, Your Application Have Cacheable SSL Pages, informative
115304, https://hackerone.com/reports/115304, Blind SQL INJ, not-applicable
115315, https://hackerone.com/reports/115315, Missing SPF for paragonie.com, duplicate
115323, https://hackerone.com/reports/115323, CSRF  AT SUBSCRIBE TO LIST , not-applicable
115337, https://hackerone.com/reports/115337, Full Path Disclosure, resolved
115390, https://hackerone.com/reports/115390, Missing SPF for paragonie.com, duplicate
115402, https://hackerone.com/reports/115402, XSS via modified Zomato widget (res_search_widget.php), resolved
115422, https://hackerone.com/reports/115422, Full Path Disclosure in password lock, informative
115438, https://hackerone.com/reports/115438, Cross-Site Scripting Vulnerability in urbandictionary.com, resolved
115452, https://hackerone.com/reports/115452, Email Spoof, spam
115560, https://hackerone.com/reports/115560, Two XSS vulns in widget parameters (all_collections.php and o2.php), resolved
115628, https://hackerone.com/reports/115628, SUBDOMAIN TAKEOVER(FIXED), resolved
115686, https://hackerone.com/reports/115686, [tor] pre-emptive defenses, potential vulnerabilities, resolved
115702, https://hackerone.com/reports/115702, [tor] libevent dns OOB read, resolved
115748, https://hackerone.com/reports/115748, SSRF in https://imgur.com/vidgif/url, resolved
115817, https://hackerone.com/reports/115817, WordPress User Enumeration - blog.newrelic.com, informative
115844, https://hackerone.com/reports/115844,   Rate limiting on password reset links , resolved
115845, https://hackerone.com/reports/115845,   Rate limiting on Email confirmation link, resolved
115857, https://hackerone.com/reports/115857, SSRF and local file read in video to gif converter, resolved
115860, https://hackerone.com/reports/115860, [login.newrelic.com] XSS via return_to, resolved
115922, https://hackerone.com/reports/115922, [download.newrelic.com] Access to private directories, resolved
115978, https://hackerone.com/reports/115978, SSRF / Local file enumeration / DoS due to improper handling of certain file formats by ffmpeg, resolved
116006, https://hackerone.com/reports/116006, XSS on hardware.shopify.com, resolved
116057, https://hackerone.com/reports/116057, file full path discloser., informative
116135, https://hackerone.com/reports/116135, Reflected Cross Site Script in www.gmcar.gm.com, resolved
116179, https://hackerone.com/reports/116179, Unauthorized Access, resolved
116189, https://hackerone.com/reports/116189, Null byte injection , resolved
116243, https://hackerone.com/reports/116243, Potential Subdomain Takeover - http://storefront.newrelic.com/, resolved
116254, https://hackerone.com/reports/116254, owncloud.com: Persistent XSS In Account Profile, resolved
116286, https://hackerone.com/reports/116286, Type confusion in partial.setstate, partial_repr, partial_call leads to memory corruption, reliable control flow hijack, resolved
116315, https://hackerone.com/reports/116315, open redirection at login, resolved
116352, https://hackerone.com/reports/116352, nginx SPDY heap buffer overflow for https://grtp.co/, informative
116360, https://hackerone.com/reports/116360, The POODLE attack (SSLv3 supported) for https://grtp.co/, resolved
116372, https://hackerone.com/reports/116372, Use-After-Free / Double-Free in WDDX Deserialize, resolved
116382, https://hackerone.com/reports/116382, Content Spoof in webcaps.ecomm.gm.com, resolved
116419, https://hackerone.com/reports/116419, an xss issue in https://hunter22.slack.com/help/requests/793043, resolved
116432, https://hackerone.com/reports/116432, E-mail Spoof in media.gm.com, resolved
116504, https://hackerone.com/reports/116504, Auth bypass on directory.corp.ubnt.com, resolved
116512, https://hackerone.com/reports/116512, Markdown parsing issue enables insertion of malicious tags, informative
116575, https://hackerone.com/reports/116575, Remote Code Execution (upload), resolved
116609, https://hackerone.com/reports/116609, SPF Issue , resolved
116618, https://hackerone.com/reports/116618, proxy port 7000 and shell port 514 not filtered, informative
116621, https://hackerone.com/reports/116621, server calendar and server status available to public, informative
116692, https://hackerone.com/reports/116692, PHP version disclosed on blog.algolia.com, resolved
116764, https://hackerone.com/reports/116764, vk.com/login.php , resolved
116773, https://hackerone.com/reports/116773, Type Confusion Vulnerability - SOAP / make_http_soap_request(), resolved
116774, https://hackerone.com/reports/116774, UDP port 5060 (SIP) Open, informative
116798, https://hackerone.com/reports/116798, Private Program Disclosure in /:handle/settings/allow_report_submission.json endpoint, resolved
116805, https://hackerone.com/reports/116805, SSL Issue on legalrobot.com, resolved
116927, https://hackerone.com/reports/116927, Spf , spam
116937, https://hackerone.com/reports/116937, Chat History CSV Export Excel Injection Vulnerability, resolved
116951, https://hackerone.com/reports/116951, Increase number of bugs by sending duplicate of your own valid report, resolved
116973, https://hackerone.com/reports/116973, No Valid SPF Records., resolved
117068, https://hackerone.com/reports/117068, XSS @ love.uber.com, resolved
117073, https://hackerone.com/reports/117073, [informatica.com] Blind SQL Injection, resolved
117097, https://hackerone.com/reports/117097, Email Forgery through Mandrillapp SPF, resolved
117142, https://hackerone.com/reports/117142, limit HTTP methods on other domains, resolved
117149, https://hackerone.com/reports/117149, SPF/DKIM/DMARC for grtp.co, resolved
117158, https://hackerone.com/reports/117158, SSRF на element.mail.ru, resolved
117159, https://hackerone.com/reports/117159, SPF/DKIM/DMARC for aspen.io, resolved
117168, https://hackerone.com/reports/117168, Stored XSS на street-combats.mail.ru, resolved
117187, https://hackerone.com/reports/117187, Prevent content spoofing on /~username/emails/verify.html, resolved
117195, https://hackerone.com/reports/117195, Login csrf., not-applicable
117325, https://hackerone.com/reports/117325, DMARC is misconfigured for grtp.co, resolved
117330, https://hackerone.com/reports/117330, stop serving grtp.co over HTTP, resolved
117385, https://hackerone.com/reports/117385, PHP and Web Server version disclosed on leasewebnoc.com, resolved
117449, https://hackerone.com/reports/117449, XSS in Draft Orders in Timeline i SHOPIFY Admin Site!, resolved
117458, https://hackerone.com/reports/117458, strengthen Diffie-Hellman (DH) key exchange parameters in grtp.co, resolved
117480, https://hackerone.com/reports/117480, Stored XSS via Angular Expression injection on developer.zendesk.com, resolved
117573, https://hackerone.com/reports/117573, Directory Listening, resolved
117593, https://hackerone.com/reports/117593, Apache version disclosed on developer.leaseweb.com, resolved
117651, https://hackerone.com/reports/117651, Multiple Heap Overflow due to integer overflows | xml/filter_url/addcslashes, resolved
117739, https://hackerone.com/reports/117739, limit number of images in statement, resolved
117818, https://hackerone.com/reports/117818, MISSING SPF RECORDS & MISSING DKIM POLICY, informative
117862, https://hackerone.com/reports/117862, Admin panel access restrictions bypass [poll.mail.ru/admin/], resolved
117902, https://hackerone.com/reports/117902, Дорк, resolved
118024, https://hackerone.com/reports/118024, Markdown based stored XSS (IE only), resolved
118033, https://hackerone.com/reports/118033, X-Content-Type Header Missing For aspen.io, informative
118103, https://hackerone.com/reports/118103, Injection via CSV Export feature in Admin Orders, resolved
118418, https://hackerone.com/reports/118418, Утечка информации через JSONP (XXSI), resolved
118582, https://hackerone.com/reports/118582, CSV Injection at the CSV export feature, resolved
118631, https://hackerone.com/reports/118631, XSSI (Cross Site Script Inclusion), resolved
118663, https://hackerone.com/reports/118663, Denial of Service any Report, resolved
118684, https://hackerone.com/reports/118684, Abusing HOF rankings in limited circumstances, informative
118688, https://hackerone.com/reports/118688, File name and folder enumeration., resolved
118718, https://hackerone.com/reports/118718, User with Read-Only permissions can manually public disclosure the report , resolved
118731, https://hackerone.com/reports/118731, User with Read-Only permissions can edit the SwagAwarded Activities on Bug Reports, resolved
118737, https://hackerone.com/reports/118737, Login CSRF using Google OAuth, resolved
118925, https://hackerone.com/reports/118925, API Key added for one Indices works for all other indices too., resolved
118948, https://hackerone.com/reports/118948, Password reset link is not Expiring, resolved
118950, https://hackerone.com/reports/118950, Stored XSS , resolved
118965, https://hackerone.com/reports/118965, Distinguish EP+Private vs Private programs in HackerOne, resolved
119022, https://hackerone.com/reports/119022, Tweet Deck XSS- Persistent- Group DM name, resolved
119033, https://hackerone.com/reports/119033, Sender policy framework (SPF) records evaluation return (Too many DNS lookups) error, resolved
119090, https://hackerone.com/reports/119090, Reflected XSS on Signup Page, resolved
119129, https://hackerone.com/reports/119129, Misconfiguration in 2 factor allows sensitive data expose, resolved
119148, https://hackerone.com/reports/119148, CSRF - Regenerate all admin api keys, resolved
119166, https://hackerone.com/reports/119166, Able to view others' gifts on /gift/share URL, giftId is predictable, and easy to manipulate, resolved
119220, https://hackerone.com/reports/119220, Sub-Domain Takeover, resolved
119221, https://hackerone.com/reports/119221, User with Read-Only permissions can edit the Internal comment Activities on Bug Reports After Revoke the team access permissions, resolved
119236, https://hackerone.com/reports/119236, Open Redirection on Uber.com, resolved
119250, https://hackerone.com/reports/119250, xss in the all widgets of shopifyapps.com, resolved
119262, https://hackerone.com/reports/119262, Authentication Data are not Clearing , resolved
119354, https://hackerone.com/reports/119354, Race Conditions Exist When Accepting Invitations, resolved
119427, https://hackerone.com/reports/119427, By pass admin panel [seminars.mail.ru], resolved
119432, https://hackerone.com/reports/119432, By pass admin panel [conference.mail.ru], resolved
119453, https://hackerone.com/reports/119453, www.veris.in DOM based XSS, resolved
119454, https://hackerone.com/reports/119454, Password(s) can be found via login process., resolved
119471, https://hackerone.com/reports/119471, DOMXSS in Tweetdeck, resolved
119494, https://hackerone.com/reports/119494, Full Path Disclosure In EasyDB, informative
119605, https://hackerone.com/reports/119605, An adversary can overwhelm the resources by automating Forgot password/Sign Up requests, not-applicable
119652, https://hackerone.com/reports/119652, Adobe Flash Player ASnative(101,10) Memory Corruption Vulnerability, resolved
119653, https://hackerone.com/reports/119653, Adobe Flash Player ASnative(900,1).call(MovieClip) Use-After-Free Vulnerability, resolved
119655, https://hackerone.com/reports/119655, Adobe Flash Player ASnative(900,1).call(TextField) Use-After-Free Vulnerability, resolved
119657, https://hackerone.com/reports/119657, Adobe Flash Player Race Condition Vulnerability, resolved
119666, https://hackerone.com/reports/119666, Server version is disclosure in http://leasewebnoc.com/, resolved
119794, https://hackerone.com/reports/119794, Password modification without knowing actual password & httpOnly bypass, informative
119808, https://hackerone.com/reports/119808, DROWN Attack, resolved
119828, https://hackerone.com/reports/119828, Found clickjacking vulnerability, resolved
119860, https://hackerone.com/reports/119860, HTTP Track/Trace Method Enabled, resolved
119871, https://hackerone.com/reports/119871, Unprotected Memcache Installation running, resolved
119918, https://hackerone.com/reports/119918, Public Facing Barracuda Login, resolved
119989, https://hackerone.com/reports/119989, b2i_PVK_bio heap corruption, resolved
120026, https://hackerone.com/reports/120026, don't serve hidden files from Nginx, resolved
120115, https://hackerone.com/reports/120115, Critical - Insecure Direct Object Reference - Deleting any member of any organization remotely, resolved
120121, https://hackerone.com/reports/120121, Critical IDOR - Delete any group of any organization remotely, resolved
120123, https://hackerone.com/reports/120123, Critical IDOR - Delete any venue of any organization remotely, resolved
120126, https://hackerone.com/reports/120126, Critical IDOR - Delete any rule of any organization remotely, resolved
120143, https://hackerone.com/reports/120143, Missing Server Side Validation of CSRF Middleware Token in Change Password Request, resolved
120216, https://hackerone.com/reports/120216, SSRF/XSPA [parapa.mail.ru], resolved
120219, https://hackerone.com/reports/120219, SSRF issue, resolved
120288, https://hackerone.com/reports/120288, Critical IDOR - Delete any terminal/gatekeeper of any organization remotely, resolved
120289, https://hackerone.com/reports/120289, Critical IDOR - Get anyone's Terminal Data remotely, resolved
120291, https://hackerone.com/reports/120291, Critical IDOR - Set anyone's Terminal Data remotely, resolved
120293, https://hackerone.com/reports/120293, Critical IDOR - Get Authentication Details of any Terminal/Gatekeeper, resolved
120298, https://hackerone.com/reports/120298, SSRF/XSPA [parapa.mail.ru] 2, resolved
120305, https://hackerone.com/reports/120305, Critical IDOR - Get venue data of any organization remotely, resolved
120312, https://hackerone.com/reports/120312, Critical IDOR - Can select any Parent while creating new Venue, resolved
120314, https://hackerone.com/reports/120314, Critical IDOR - Get Rules of any organization remotely, resolved
120318, https://hackerone.com/reports/120318, Critical IDOR - Make Rule for Any Group & Any Venue remotely, resolved
120324, https://hackerone.com/reports/120324, Multiple Stored XSS, resolved
120622, https://hackerone.com/reports/120622, Reflected Cross Site Script in imtportal.gm.com, duplicate
120656, https://hackerone.com/reports/120656, Reflected Cross Site Script in m.chevrolet.com.wpsegment5.gm.com, resolved
120683, https://hackerone.com/reports/120683, XSS Vulnerability in developer.gm.com, resolved
120941, https://hackerone.com/reports/120941, NexTable: Credentials exposure, resolved
121100, https://hackerone.com/reports/121100, Content Spoof in opel.es.wpsegment2.gm.com, resolved
121275, https://hackerone.com/reports/121275, Multiple Stored XSS on Sanbox.veris.in through Veris Frontdesk Android App, resolved
121382, https://hackerone.com/reports/121382, doc.owncloud.org has missing PHP handler, resolved
121417, https://hackerone.com/reports/121417, Inaccurate Payment receipt , informative
121461, https://hackerone.com/reports/121461, Subdomain takeover due to unclaimed Amazon S3 bucket on a2.bime.io, resolved
121469, https://hackerone.com/reports/121469, Broken Authentication on Badoo, resolved
121696, https://hackerone.com/reports/121696, Bypass  two-factor authentication, resolved
121705, https://hackerone.com/reports/121705, Vulnerability : XSS Vulnerability , resolved
121827, https://hackerone.com/reports/121827, Account Takeover, resolved
121863, https://hackerone.com/reports/121863, Buffer overflow in HTTP url parsing functions, resolved
121903, https://hackerone.com/reports/121903, Additonal stored XSS in Add note/Expected payment Date, resolved
121919, https://hackerone.com/reports/121919, Private, embeddable videos leaks data through Facebook & Open Graph, resolved
121940, https://hackerone.com/reports/121940, Shell Injection via Web Management Console (dl-fw.cgi), resolved
121941, https://hackerone.com/reports/121941, Unauthenticated Cross-Site Scripting in Web Management Console, resolved
122054, https://hackerone.com/reports/122054, Open-redirect on login.xero.com , resolved
122254, https://hackerone.com/reports/122254, Adobe Flash Player TextField Use-After-Free Vulnerability, resolved
122256, https://hackerone.com/reports/122256, Adobe Flash Player  Uninitialised Memory Corruption, resolved
122469, https://hackerone.com/reports/122469, stored xss issue in folder name on go.xero.com/Docs/Folders, resolved
122475, https://hackerone.com/reports/122475, Local file read in image editor, resolved
122697, https://hackerone.com/reports/122697, Server Side Browsing - localhost open port enumeration, resolved
122849, https://hackerone.com/reports/122849, Stored XSS in https://checkout.shopify.com/, resolved
122898, https://hackerone.com/reports/122898, Default.aspx exposing full path and other info on wip.origin-community.xero.com, resolved
122932, https://hackerone.com/reports/122932, bgplay.mail.ru, resolved
123005, https://hackerone.com/reports/123005, Persistent XSS on Reservation / Booking Page, resolved
123074, https://hackerone.com/reports/123074, https://rpm.newrelic.com/.htaccess file is world readable, resolved
123078, https://hackerone.com/reports/123078, https://rpm.newrelic.com/login vulnerable to host header attack, resolved
123089, https://hackerone.com/reports/123089, Vulnerable Link Leaks the User Names, resolved
123091, https://hackerone.com/reports/123091, No Rate Limitation on Promo Code, resolved
123092, https://hackerone.com/reports/123092, CSRF - Delete all empty application policy, resolved
123093, https://hackerone.com/reports/123093, Reflected XSS на games.mail.ru, resolved
123095, https://hackerone.com/reports/123095, CSRF- delete all empty server policy, resolved
123119, https://hackerone.com/reports/123119, Use after free with assign by ref to overloaded objects, resolved
123120, https://hackerone.com/reports/123120, Emails and alert policies can be altered by malicious users., resolved
123125, https://hackerone.com/reports/123125, XSS on hardware.shopify.com, resolved
123126, https://hackerone.com/reports/123126, newrelic.com vulnerable to clickjacking !, informative
123127, https://hackerone.com/reports/123127, no email confirmation on signup, informative
123170, https://hackerone.com/reports/123170, Email Address Leak, duplicate
123172, https://hackerone.com/reports/123172, Open redirection on login, resolved
123183, https://hackerone.com/reports/123183, All the active session should destroy when user change his password, informative
123194, https://hackerone.com/reports/123194, Server and PHP version Disclosed in Response Header, resolved
123278, https://hackerone.com/reports/123278, Possible XSS, informative
123380, https://hackerone.com/reports/123380, Creating multiple user with the same link which is sent to email after registeration, resolved
123384, https://hackerone.com/reports/123384, Обход basic авторизации  [qpt.mail.ru], resolved
123420, https://hackerone.com/reports/123420, Mediation link can be accepted by other users, resolved
123435, https://hackerone.com/reports/123435, Normal user can set "Job title" of other users by Direct Object Reference, resolved
123496, https://hackerone.com/reports/123496, User enumeration via error message, resolved
123501, https://hackerone.com/reports/123501, Insecure Direct Member Disclosure, resolved
123513, https://hackerone.com/reports/123513, Host Header Injection / Cache Poisoning, duplicate
123518, https://hackerone.com/reports/123518, Security Vulnerability - SMTP protection not used, resolved
123572, https://hackerone.com/reports/123572, Unauthorized Team members viewing, informative
123615, https://hackerone.com/reports/123615, SECURITY: Referencing  previous Reports attachment_IDs on new Reports via Draft_Sync DELETES Attachments, resolved
123625, https://hackerone.com/reports/123625, [marketplace.informatica.com] Open Redirect, resolved
123649, https://hackerone.com/reports/123649, Synthetics Xss, resolved
123660, https://hackerone.com/reports/123660, Possible  SQL injection can cause denial of service attack, duplicate
123712, https://hackerone.com/reports/123712, Insecure Direct 'org-invite-log' References, resolved
123713, https://hackerone.com/reports/123713, Insecure Direct 'org-visitor-log' References, resolved
123731, https://hackerone.com/reports/123731, Complete or Edit Another User's Profile, resolved
123742, https://hackerone.com/reports/123742, suppress version in Server header on gratipay.com or grtp.co, resolved
123743, https://hackerone.com/reports/123743, Sending emails (via HackerOne) impersonating other users, resolved
123748, https://hackerone.com/reports/123748, Not Using Secure Flag Option on Cookies Could Lead to a Man in the Middle Session Highjacking, resolved
123782, https://hackerone.com/reports/123782, Vulnerable to clickjacking, informative
123849, https://hackerone.com/reports/123849, Cookie Does Not Contain The "secure" Attribute, resolved
123897, https://hackerone.com/reports/123897, auto-logout after 20 minutes, informative
123900, https://hackerone.com/reports/123900, csrf_token cookie don't have the flag "HttpOnly", informative
123902, https://hackerone.com/reports/123902, Complete Profile URL is not Random and not expiring , resolved
123905, https://hackerone.com/reports/123905, Stored XSS in Access Rules, resolved
123915, https://hackerone.com/reports/123915, Insecure transition from HTTP to HTTPS in form post, informative
124097, https://hackerone.com/reports/124097, Wordpress  Pingback  DDoS Attacks in domain:  veris.in, resolved
124151, https://hackerone.com/reports/124151, Authentication Bypassing and Sensitive Information Disclosure on Verify Email Address in Registration Flow, resolved
124173, https://hackerone.com/reports/124173, Captcha Bypass enable login bruteforce, resolved
124223, https://hackerone.com/reports/124223, CSV Injection via the CSV export feature, resolved
124277, https://hackerone.com/reports/124277, XSS via React element spoofing, resolved
124429, https://hackerone.com/reports/124429, Stored XSS via "Free Shipping" option (Discounts), resolved
124564, https://hackerone.com/reports/124564, Missing rate limit on private videos password, resolved
124578, https://hackerone.com/reports/124578, Angular Expression Injection in the my.gmc.com Search Page, resolved
124611, https://hackerone.com/reports/124611, Disclosure of private programs that have an "external" page on HackerOne, resolved
124620, https://hackerone.com/reports/124620, External links should use rel="noopener" or use the redirect service, resolved
124724, https://hackerone.com/reports/124724, Stored XSS through Angular Expression Sandbox Escape, resolved
124737, https://hackerone.com/reports/124737, Multiple Heap Overflows in php_raw_url_encode/php_url_encode, resolved
124845, https://hackerone.com/reports/124845, Bypassed password authentication before enabling OTP verification, resolved
124929, https://hackerone.com/reports/124929, External programs revealing info, resolved
124975, https://hackerone.com/reports/124975, Cross-site Scripting (XSS) autocomplete generation in https://www.uber.com/, informative
124976, https://hackerone.com/reports/124976, Hijacking user session by forcing the use of  invalid HTTPs Certificate on images.gratipay.com, resolved
125003, https://hackerone.com/reports/125003, Open Redirect in riders.uber.com, resolved
125027, https://hackerone.com/reports/125027, Reflected XSS on developer.uber.com via Angular template injection, resolved
125059, https://hackerone.com/reports/125059, Self-XSS Vulnerability on Password Reset Form, duplicate
125068, https://hackerone.com/reports/125068, LIsting of  http://archive.uber.com/pypi/simple/, informative
125118, https://hackerone.com/reports/125118, Lack of CNAME/A Record Trimming Pointing Uber Domains to Insecure Non-Uber AWS Instances/Sites, resolved
125179, https://hackerone.com/reports/125179, XSS on love.uber.com, duplicate
125181, https://hackerone.com/reports/125181, SQLi in love.uber.com, resolved
125197, https://hackerone.com/reports/125197, Full path disclosure on track.uber.com, resolved
125218, https://hackerone.com/reports/125218, Bypassing Uber Partner's 3 Cancel Limit , resolved
125246, https://hackerone.com/reports/125246, Listing of email addresses of whitelisted business users visible at business.uber.com, resolved
125250, https://hackerone.com/reports/125250, Avoiding Surge Pricing, resolved
125397, https://hackerone.com/reports/125397, Null pointer deref (segfault) in stream_context_get_default, resolved
125400, https://hackerone.com/reports/125400, Too many included lookups, informative
125488, https://hackerone.com/reports/125488, Estimation of a Lower Bound on Number of Uber Drivers via Enumeration, resolved
125498, https://hackerone.com/reports/125498, Dom Based Xss, resolved
125503, https://hackerone.com/reports/125503, Stored Cross Site Scripting [SELF] in partners.uber.com, informative
125505, https://hackerone.com/reports/125505, Possibility to brute force invite codes in riders.uber.com, resolved
125587, https://hackerone.com/reports/125587, Hogging up all the resources on hackerone.com, resolved
125594, https://hackerone.com/reports/125594, CSRF on eng.uber.com may lead to server-side compromise, resolved
125624, https://hackerone.com/reports/125624, Brute Force Amplification Attack, informative
125634, https://hackerone.com/reports/125634, Session retention is present which reveals the customer info, duplicate
125707, https://hackerone.com/reports/125707, Possibility to enumerate and bruteforce promotion codes in Uber iOS App, resolved
125762, https://hackerone.com/reports/125762, Reflected XSS on Zomato API, resolved
125849, https://hackerone.com/reports/125849, XSS found on Snapchat website, resolved
125932, https://hackerone.com/reports/125932, SQL injection in Wordpress Plugin Huge IT Video Gallery at https://drive.uber.com/frmarketplace/, resolved
125980, https://hackerone.com/reports/125980, uber.com may RCE by Flask Jinja2 Template Injection, resolved
125984, https://hackerone.com/reports/125984, CRLF Injection in developer.uber.com, duplicate
126010, https://hackerone.com/reports/126010, prevent content spoofing on /~username/emails/verify.html, duplicate
126070, https://hackerone.com/reports/126070, Open redirect on rush.uber.com, business.uber.com, and help.uber.com, resolved
126099, https://hackerone.com/reports/126099, Stored XSS in drive.uber.com WordPress admin panel, resolved
126203, https://hackerone.com/reports/126203, CBC "cut and paste" attack may cause Open Redirect(even XSS), resolved
126235, https://hackerone.com/reports/126235, text injection in get.uber.com/check-otp, informative
126260, https://hackerone.com/reports/126260, Privilege escalation to allow non activated users to login and use uber partner ios app, not-applicable
126364, https://hackerone.com/reports/126364, Uber password reset link EMAIL FLOOD, duplicate
126374, https://hackerone.com/reports/126374, Uploading Plain Text to uber-documents.s3.amazonaws.com Through the Driver Document Upload Page, informative
126376, https://hackerone.com/reports/126376, Email leak in transcations in Android app, resolved
126377, https://hackerone.com/reports/126377, Changing Driver Passwords With Only an Authenticated Session (no password, no email), informative
126416, https://hackerone.com/reports/126416, Integer Overflow in php_raw_url_encode, resolved
126522, https://hackerone.com/reports/126522, Incorrect param parsing in Digits web authentication, resolved
126536, https://hackerone.com/reports/126536, SMS Flood with Update Profile , duplicate
126539, https://hackerone.com/reports/126539, XSS on https://app.shopify.com/, resolved
126569, https://hackerone.com/reports/126569, Disclosure of ip addresses in local network of uber, informative
126598, https://hackerone.com/reports/126598, Overreads/overcopies in torsocks, resolved
126652, https://hackerone.com/reports/126652, potential remote code execution with phar archive , resolved
126784, https://hackerone.com/reports/126784, Sending payments via QR code does not require confirmation, resolved
126797, https://hackerone.com/reports/126797, Use-after-free during XML transformations (MFSA-2016-27), informative
126826, https://hackerone.com/reports/126826, Pixel flood attack in https://riders.uber.com/profile, informative
126835, https://hackerone.com/reports/126835, It is possible to re-rate a driver after a very long time , informative
126861, https://hackerone.com/reports/126861, Insecure Direct Object Reference on badoo.com, informative
127025, https://hackerone.com/reports/127025, Brute Forcing rider-view Endpoint Allows for Counting Number of Active Uber Drivers, informative
127026, https://hackerone.com/reports/127026, User enumeration possible from log-in timing difference, resolved
127028, https://hackerone.com/reports/127028, Old CAPTCHA offers no protection, informative
127032, https://hackerone.com/reports/127032, CSV Injection in sub_accounts.csv, resolved
127085, https://hackerone.com/reports/127085, Use Partner/Driver App Without Being Activated, duplicate
127087, https://hackerone.com/reports/127087, Possible to View Driver Waybill via Driver UUID, resolved
127154, https://hackerone.com/reports/127154, XSS using javascript:alert(8007), resolved
127158, https://hackerone.com/reports/127158, Possibility to get private email using UUID, resolved
127161, https://hackerone.com/reports/127161, Information regarding trips from other users, resolved
127163, https://hackerone.com/reports/127163, XSS in https://www.coursera.org/courses/, resolved
127175, https://hackerone.com/reports/127175, HackerOne Important Emails Notification are sent in clear-text, resolved
127202, https://hackerone.com/reports/127202, Mobile Authentication Endpoint Credentials Brute-Force Vulnerability, resolved
127203, https://hackerone.com/reports/127203, rpm.newrelic.com - monitor creation to other accounts, resolved
127212, https://hackerone.com/reports/127212, php_snmp_error() Format String Vulnerability, resolved
127235, https://hackerone.com/reports/127235, New hacktivity view discloses report IDs of non-public reports, resolved
127242, https://hackerone.com/reports/127242, Negative size parameter (-1) in memcpy mbfl_strcut , resolved
127259, https://hackerone.com/reports/127259, Reflected XSS in owncloud.com, resolved
127645, https://hackerone.com/reports/127645, Session Impersonation in riders.uber.com, informative
127703, https://hackerone.com/reports/127703, [CRITICAL] Full account takeover using CSRF, resolved
127741, https://hackerone.com/reports/127741, Open redirection bypass, resolved
127766, https://hackerone.com/reports/127766, Password disclosure during signup process, resolved
127844, https://hackerone.com/reports/127844, Web Authentication Endpoint Credentials Brute-Force Vulnerability, resolved
127914, https://hackerone.com/reports/127914, Deleted name still present via mouseover functionality for user accounts, resolved
127918, https://hackerone.com/reports/127918, Easy spam with USE My PHONE Feature, resolved
127948, https://hackerone.com/reports/127948, Stored XSS on newsroom.uber.com admin panel / Stream WordPress plugin, resolved
127995, https://hackerone.com/reports/127995, Limit email address length, resolved
128035, https://hackerone.com/reports/128035, An adversary can harvest email address for spamming., informative
128041, https://hackerone.com/reports/128041, Getting Error Message and in use python version 2.7 is exposed., informative
128114, https://hackerone.com/reports/128114, Administrator access to a Django Administration Panel on *.sc-corp.net via bruteforced credentials, resolved
128121, https://hackerone.com/reports/128121, fix bug in username restriction, resolved
128493, https://hackerone.com/reports/128493, doc.owncloud.org: X-XSS-Protection not enabled, resolved
128645, https://hackerone.com/reports/128645, Clickjacking on authenticated pages which is inscope for New Relic, informative
128675, https://hackerone.com/reports/128675, Множественные уязвимости приложения Mail.Ru Почта (Android), duplicate
128685, https://hackerone.com/reports/128685, SSRF on testing endpoint, resolved
128723, https://hackerone.com/reports/128723, Enumerating userIDs with phone numbers, duplicate
128764, https://hackerone.com/reports/128764, text injection in website title, informative
128853, https://hackerone.com/reports/128853, Information disclosure at lite.uber.com, informative
128856, https://hackerone.com/reports/128856, Send email asynchronously, resolved
128895, https://hackerone.com/reports/128895, User credentials are not strong on vault.uber.com, duplicate
128910, https://hackerone.com/reports/128910, prevent %2f spoofed URLs in profile statement, informative
129002, https://hackerone.com/reports/129002, The PdfServlet-functionality used by the "Tee vakuutustodistus" allows injection of custom PDF-content via CSRF-attack, resolved
129027, https://hackerone.com/reports/129027, Disclosure of ways to the site root, informative
129091, https://hackerone.com/reports/129091, CPU utilization 99% on visiting wordpress site url & open redirect found, resolved
129138, https://hackerone.com/reports/129138, APT repository is signed using weak digest (SHA-1), resolved
129209, https://hackerone.com/reports/129209, After removing app from facebook app session not expiring., duplicate
129342, https://hackerone.com/reports/129342, Stored XSS in member book, resolved
129381, https://hackerone.com/reports/129381, niche s3 buckets are readable/writeable/deleteable by authorized AWS users, resolved
129436, https://hackerone.com/reports/129436, xss in DM group name in twitter, resolved
129551, https://hackerone.com/reports/129551, Cross site scripting in apps.owncloud.com, resolved
129582, https://hackerone.com/reports/129582, Reflected XSS POST method at partners.uber.com, resolved
129641, https://hackerone.com/reports/129641, UniFi Video Server - Arbitrary file upload as SYSTEM, resolved
129650, https://hackerone.com/reports/129650, Clickjacking: X-Frame-Options header missing, resolved
129698, https://hackerone.com/reports/129698, UniFi Video Server - Broken access control on system configuration, resolved
129712, https://hackerone.com/reports/129712, reopen #128853 (Information disclosure at lite.uber.com), not-applicable
129736, https://hackerone.com/reports/129736, Persistent XSS on public project page, resolved
129771, https://hackerone.com/reports/129771, Python 2.7 strop.replace Integer Overflow, resolved
129773, https://hackerone.com/reports/129773, Previous attachments can be referenced when creating a new report, resolved
129808, https://hackerone.com/reports/129808, No Rate Limiting while sending the feedback under Dropbox Help Centre, informative
129830, https://hackerone.com/reports/129830, Login Via FB Leads To Create A New Account Instead Of Loging In, resolved
129862, https://hackerone.com/reports/129862, Stored XSS on [your_zendesk].zendesk.com in Facebook Channel, resolved
129869, https://hackerone.com/reports/129869, beta version reveals paths, environment variables and partially files contents, resolved
129873, https://hackerone.com/reports/129873, Bypassing Digits origin validation which leads to account takeover, resolved
129918, https://hackerone.com/reports/129918, Authentication bypass leads to sensitive data exposure (token+secret), resolved
129942, https://hackerone.com/reports/129942, Insecure Payment System Integration, resolved
129992, https://hackerone.com/reports/129992, Missing Certificate Authority Authorization rule, resolved
130133, https://hackerone.com/reports/130133, Access to some Slack workspace metadata and settings available to unauthorized parties, resolved
130136, https://hackerone.com/reports/130136, developer.uber.com/404 and developer.uber.com/docs/404 are susceptible to iframes, informative
130338, https://hackerone.com/reports/130338, CSV Injection with the CSV export feature, resolved
130440, https://hackerone.com/reports/130440, Requested and received edit access to Google form, resolved
130453, https://hackerone.com/reports/130453, Badoo and Hotornot User Disclosure, not-applicable
130460, https://hackerone.com/reports/130460, BYASSING  OTP Verification, resolved
130521, https://hackerone.com/reports/130521, Unsubscribe any user from receiving email, informative
130591, https://hackerone.com/reports/130591, Stored XSS thru SVG upload, resolved
130661, https://hackerone.com/reports/130661, XXE issue, resolved
130739, https://hackerone.com/reports/130739, Sensitive information contained with New Relic APM iOS application, resolved
130889, https://hackerone.com/reports/130889, Reflected XSS in scores.ubnt.com, resolved
130914, https://hackerone.com/reports/130914, Error page Text Injection., duplicate
130951, https://hackerone.com/reports/130951, doc.owncloud.org: XSS via Referrer, informative
131028, https://hackerone.com/reports/131028, Malicious File Upload, resolved
131038, https://hackerone.com/reports/131038, Stored XSS in Financial Account executing in Bank tab, resolved
131047, https://hackerone.com/reports/131047, Possible Blind SQL injection | Language choice in presentation, informative
131052, https://hackerone.com/reports/131052, XSS in uber oauth, informative
131053, https://hackerone.com/reports/131053, Submit a non valid syntax email, informative
131065, https://hackerone.com/reports/131065, bring grtp.co up to A grade on SSLLabs, resolved
131082, https://hackerone.com/reports/131082, Open Redirector via (apps/files_pdfviewer) for un-authenticated users., resolved
131108, https://hackerone.com/reports/131108, Akismet Several CSRF vulnerabilities, resolved
131123, https://hackerone.com/reports/131123, XSS via password recovering, informative
131192, https://hackerone.com/reports/131192, User's legal name could be changed despite front end controls being disabled, resolved
131202, https://hackerone.com/reports/131202, [Critical] - Steal OAuth Tokens, resolved
131397, https://hackerone.com/reports/131397, Reflected XSS on partners.cloudflare.com, resolved
131450, https://hackerone.com/reports/131450, Stored XSS in developer.uber.com, resolved
131452, https://hackerone.com/reports/131452, PHP 5.4.45 is Outdated and Full of Preformance Interupting Arbitrary Code Execution Bugs, not-applicable
131468, https://hackerone.com/reports/131468, AWS S3 bucket writable for authenticated aws user, resolved
131523, https://hackerone.com/reports/131523, AWS S3 bucket writable for authenticated aws user, resolved
131552, https://hackerone.com/reports/131552, Login Open Redirect, resolved
131560, https://hackerone.com/reports/131560, CrashPlan Backup is Vulnerable Allowing to a DoS Attack Against Uber's Backups to ```backup.uber.com```, duplicate
131722, https://hackerone.com/reports/131722, Missing SPF for hackerone.com, duplicate
131728, https://hackerone.com/reports/131728, Open Redirect vulnerability in moneybird.com, resolved
132049, https://hackerone.com/reports/132049, [HIGH RISK] CSRF could potentially delete a zendesk subdomain., resolved
132104, https://hackerone.com/reports/132104, Stored XSS on team.slack.com using new Markdown editor of posts inside the Editing mode and using javascript-URIs, resolved
132251, https://hackerone.com/reports/132251, Open redirection , resolved
132602, https://hackerone.com/reports/132602, Stored XSS at Udemy, resolved
132658, https://hackerone.com/reports/132658, Stored Cross-Site Scripting via Angular Template Injection, resolved
132777, https://hackerone.com/reports/132777, Labels created in private projects are leaked, resolved
132835, https://hackerone.com/reports/132835, Cache-Control Misconfiguration Leads to Sensitive Information Leakage, resolved
133360, https://hackerone.com/reports/133360,  No DMARC Record in  legalrobot-uat.com, not-applicable
133375, https://hackerone.com/reports/133375, Information Disclosure on lite.uber.com, informative
133680, https://hackerone.com/reports/133680, AWS S3 Bucket hotornot-images permissions allow for listing and removing files, not-applicable
133717, https://hackerone.com/reports/133717, GFM renderer leaks external issue tracker URL of private project, resolved
133744, https://hackerone.com/reports/133744, XSS in Asset name, resolved
133753, https://hackerone.com/reports/133753, Content Spoofing In Moneybird, resolved
133847, https://hackerone.com/reports/133847, ProBlog 2.6.6 CSRF Exploit, resolved
133963, https://hackerone.com/reports/133963, XSS on www.wordpress.com, resolved
134004, https://hackerone.com/reports/134004, Reflected XSS and something more Store XSS too, resolved
134032, https://hackerone.com/reports/134032, newrelic.com rails directory traversal vuln, resolved
134061, https://hackerone.com/reports/134061, Reflected XSS via Livefyre Media Wall in newsroom.uber.com, resolved
134124, https://hackerone.com/reports/134124, Stored self-XSS at m.uber.com, resolved
134145, https://hackerone.com/reports/134145, SSL Certificate on qiwi.com will expire soon., informative
134206, https://hackerone.com/reports/134206, Defect-Security | Driver-Broken Authentication | Able to update the Subscription Setting anonymously, informative
134216, https://hackerone.com/reports/134216, doc.owncloud.com: PHP info page disclosure , resolved
134292, https://hackerone.com/reports/134292, Attacker can delete (and read) private project webhooks, resolved
134299, https://hackerone.com/reports/134299, Attacker can post notes on private MR, snippets, and issues, resolved
134300, https://hackerone.com/reports/134300, Confidential issues leaked in public projects when attached to milestone, resolved
134305, https://hackerone.com/reports/134305, Private snippets in public / internal projects leaked though GitLab API, resolved
134321, https://hackerone.com/reports/134321, RCE on facebooksearch.algolia.com, resolved
134406, https://hackerone.com/reports/134406, Source Code Disclosure on out of scope domain viestinta.lahitapiola.fi, informative
134434, https://hackerone.com/reports/134434, XSS In /zuora/ functionality, resolved
134521, https://hackerone.com/reports/134521, Uber for Business Allows Administrators to Change Uber Driver Ratings Due to Failure to Authenticate `fast-rating` Endpoint , informative
134546, https://hackerone.com/reports/134546, WordPress Flash XSS in *flashmediaelement.swf*, resolved
134738, https://hackerone.com/reports/134738, WordPress SOME bug in plupload.flash.swf leading to RCE, resolved
134757, https://hackerone.com/reports/134757, staff memeber can install apps even if have limitied access , resolved
134760, https://hackerone.com/reports/134760, SSL/TLS BEAST ATTACK VULNERABILITY , resolved
134878, https://hackerone.com/reports/134878, XSS с помощью специально сформированного файла., resolved
134894, https://hackerone.com/reports/134894, The Anti-CSRF Library fails to restrict token to a particular IP address when being behind a reverse-proxy/WAF, informative
135027, https://hackerone.com/reports/135027, Potential double free in EVP_DigestInit_ex, resolved
135072, https://hackerone.com/reports/135072, RCE in profile picture upload, resolved
135152, https://hackerone.com/reports/135152, Integer overflow in ZipArchive::getFrom*, resolved
135154, https://hackerone.com/reports/135154, Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage, resolved
135192, https://hackerone.com/reports/135192, HTTP status code manipluation & java stack trace , resolved
135252, https://hackerone.com/reports/135252, Possibly big authorization problem in Lähitapiola´s varainhoito, resolved
135283, https://hackerone.com/reports/135283, Email Authentication Bypass, not-applicable
135288, https://hackerone.com/reports/135288, Multiple vulnerabilities in a WordPress plugin at drive.uber.com, resolved
135291, https://hackerone.com/reports/135291, Out-of-bounds reads in zif_grapheme_stripos with negative offset, resolved
135293, https://hackerone.com/reports/135293, bcpowmod accepts negative scale and corrupts _one_ definition, resolved
135294, https://hackerone.com/reports/135294, xml_parse_into_struct segmentation fault, resolved
135316, https://hackerone.com/reports/135316, Cross-Site Scripting Vulnerability in dovecot.fi, not-applicable
135620, https://hackerone.com/reports/135620, Showing Up Source Code, informative
135756, https://hackerone.com/reports/135756, View all deleted comments and rating of any app ., resolved
135782, https://hackerone.com/reports/135782, information disclose  , resolved
135797, https://hackerone.com/reports/135797, Session Fixation, resolved
135891, https://hackerone.com/reports/135891, Missing authentication on Notification setting ., informative
135937, https://hackerone.com/reports/135937, SSRF when importing a project from a git repo by URL, resolved
135989, https://hackerone.com/reports/135989, Employees with Any Permissions Can Create App with Full Permissions and Perform any API Action, resolved
136169, https://hackerone.com/reports/136169, OneLogin authentication bypass on WordPress sites, resolved
136333, https://hackerone.com/reports/136333, Persistent XSS on public wiki pages, resolved
136396, https://hackerone.com/reports/136396, STORED XSS FOUND, resolved
136454, https://hackerone.com/reports/136454, User credentials leak and arbitrary local file read/leak due to same-origin-policy violation, resolved
136481, https://hackerone.com/reports/136481, CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public, resolved
136531, https://hackerone.com/reports/136531, Compromising Atlassian Confluence (team.uberinternal.com) via WordPress (newsroom.uber.com), resolved
136582, https://hackerone.com/reports/136582, OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing, resolved
136600, https://hackerone.com/reports/136600, Reflected XSS in Backend search, resolved
136720, https://hackerone.com/reports/136720, don't leak server version of grtp.co in error pages, resolved
136850, https://hackerone.com/reports/136850, Images and Subtitles Leakage from private videos, resolved
136885, https://hackerone.com/reports/136885, [CRITICAL] -- Complete Account Takeover, resolved
136891, https://hackerone.com/reports/136891, Source code disclosure on https://107.23.69.180, resolved
137008, https://hackerone.com/reports/137008, Csrf on creating course, informative
137023, https://hackerone.com/reports/137023, XSS in Subtitles of Vimeo Flash Player and Hubnut , duplicate
137093, https://hackerone.com/reports/137093, AXFR на plexus.m.smailru.net работает, resolved
137119, https://hackerone.com/reports/137119, [XSS] sandbox.veris.in, resolved
137126, https://hackerone.com/reports/137126, Xss in m.ok.ru, resolved
137127, https://hackerone.com/reports/137127, [Stored XSS] sandbox.veris.in , resolved
137152, https://hackerone.com/reports/137152, Clickjacking in love.uber.com, informative
137181, https://hackerone.com/reports/137181, Host Header Poisoning  in thisdata.com, resolved
137229, https://hackerone.com/reports/137229, Dropbox apps Server side request forgery, informative
137230, https://hackerone.com/reports/137230, nginx server vulnerable, resolved
137404, https://hackerone.com/reports/137404, List of a ton of internal twitter servers available on GitHub, informative
137480, https://hackerone.com/reports/137480, New Relic - Session Hijacking, informative
137502, https://hackerone.com/reports/137502, All Vimeo Private videos disclosure via Authorization Bypass, resolved
137503, https://hackerone.com/reports/137503, Inadequate access controls in "Vote" functionality???, resolved
137631, https://hackerone.com/reports/137631, SMTP command injection, resolved
137723, https://hackerone.com/reports/137723, vulnerabilitie, not-applicable
137756, https://hackerone.com/reports/137756, Cache poisoning for okhttp , informative
137845, https://hackerone.com/reports/137845, Stored XSS on 'Badges' page, resolved
137850, https://hackerone.com/reports/137850, CSV Macro injection in Video Manager (CEMI), resolved
137905, https://hackerone.com/reports/137905, Reflected XSS on business-blog.zomato.com - Part I, resolved
137906, https://hackerone.com/reports/137906, Reflected XSS on business-blog.zomato.com - Part 2, resolved
137938, https://hackerone.com/reports/137938, Reflected XSS in domain www.veris.in, resolved
137954, https://hackerone.com/reports/137954, [IDOR] post to anyone even if their stream is restricted to friends only, resolved
137956, https://hackerone.com/reports/137956, SQL Injection, resolved
137964, https://hackerone.com/reports/137964, Wordpress  flashmediaelement.swf XSS on stopthehacker.com  , resolved
138025, https://hackerone.com/reports/138025, Heap corruption via memarea.c, resolved
138045, https://hackerone.com/reports/138045, XSS ReflectedGET /*embed_player*?, resolved
138046, https://hackerone.com/reports/138046, XSS Reflected incategories*p, resolved
138101, https://hackerone.com/reports/138101, Weak user aunthentication on mobile application - I just broken userKey secret password, resolved
138226, https://hackerone.com/reports/138226,  Same-Origin Method Execution bug in plupload.flash.swf on /insights, resolved
138244, https://hackerone.com/reports/138244, Missing access control exposing detailed information on all users, resolved
138262, https://hackerone.com/reports/138262, Reflected Cross-Site Scripting in www.zomato.com/php/instagram_tag_relay, resolved
138270, https://hackerone.com/reports/138270, Instagram OAuth2 Implementation Leaks Access Token; Allows for Cross-Site Script Inclusion (XSSI), resolved
138315, https://hackerone.com/reports/138315, Abusing and Hacking the SMTP Server secure.lahitapiola.fi, resolved
138319, https://hackerone.com/reports/138319, [xss, pornhub.com] /, multiple parameters, resolved
138332, https://hackerone.com/reports/138332, [torg.mail.ru] CRLF Injection, resolved
138516, https://hackerone.com/reports/138516, Adobe Flash Player ContentFactory class Memory Corruption Vulnerability, resolved
138517, https://hackerone.com/reports/138517, Adobe Flash Player Metadata class Memory Corruption Vulnerability, resolved
138518, https://hackerone.com/reports/138518, Adobe Flash Player OpportunityGenerator class Memory Corruption Vulnerability, resolved
138558, https://hackerone.com/reports/138558, DIrectory Listing Found, not-applicable
138622, https://hackerone.com/reports/138622, Self-XSS on partners.uber.com, informative
138659, https://hackerone.com/reports/138659, don't expose path of Python , informative
138703, https://hackerone.com/reports/138703, View storyboard of private video @ ht.pornhub.com, resolved
138721, https://hackerone.com/reports/138721, SSRF & XSS (W3 Total Cache), resolved
138786, https://hackerone.com/reports/138786, Text injection can be used in phishing 404 page and should not include attacker text, resolved
138824, https://hackerone.com/reports/138824, Remote Code Execution in NovaStor NovaBACKUP DataCenter backup software (Hiback), resolved
138852, https://hackerone.com/reports/138852, [idor] Profile Admin can pin any other user's post on his stream wall, resolved
138863, https://hackerone.com/reports/138863, Missing rate limit on password, resolved
138869, https://hackerone.com/reports/138869, OneLogin authentication bypass on WordPress sites via XMLRPC, resolved
138881, https://hackerone.com/reports/138881, Phone Number Enumeration, informative
139099, https://hackerone.com/reports/139099, Lack of account link warning enables dropbox hijacking, resolved
139178, https://hackerone.com/reports/139178, Improper Session Management, resolved
139245, https://hackerone.com/reports/139245, WordPress core stored XSS via attachment file name, resolved
139319, https://hackerone.com/reports/139319, Missing proper error message., informative
139321, https://hackerone.com/reports/139321, Unsafe Query Generation (CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155) mitigation bypass, resolved
139402, https://hackerone.com/reports/139402, [kb.informatica.com] Unauthenticated emails and HTML injection in email messages, resolved
139502, https://hackerone.com/reports/139502, Privilege Escalation In Moniter, resolved
139547, https://hackerone.com/reports/139547, Apache version disclosure, not-applicable
139591, https://hackerone.com/reports/139591, Outdated Apache Server in www.dovecot.fi is vulnerable to various attack., informative
139626, https://hackerone.com/reports/139626, Passphrase credential lock bypass, resolved
139875, https://hackerone.com/reports/139875, DOM based XSS on, informative
139879, https://hackerone.com/reports/139879, Adobe Flash Player Regular Expression UAF Remote Code Execution Vulnerability, resolved
139940, https://hackerone.com/reports/139940, Exploiting Secure Shell (SSH) on mobilelt.lahitapiola.fi, resolved
139965, https://hackerone.com/reports/139965, No authentication required to add an email address., informative
139970, https://hackerone.com/reports/139970, JIRA account misconfig causes internal info leak, resolved
139981, https://hackerone.com/reports/139981, XSS onmouseover , resolved
140275, https://hackerone.com/reports/140275, No CSRF validation on Account Monitors in Synthetics Block, resolved
140333, https://hackerone.com/reports/140333, Session takeover, informative
140377, https://hackerone.com/reports/140377, don't store CSRF tokens in cookies, informative
140392, https://hackerone.com/reports/140392, CJ vulnerability in subdomain, resolved
140432, https://hackerone.com/reports/140432, configure a redirect URI for Facebook OAuth, resolved
140548, https://hackerone.com/reports/140548, [upload-X.my.mail.ru] /uploadphoto Insecure Direct Object References, resolved
140616, https://hackerone.com/reports/140616, www.starbucks.co.uk Reflected XSS via utm_source parameter, resolved
140705, https://hackerone.com/reports/140705, [my.mail.ru] HTML injection в письмах от myadmin@corp.mail.ru, resolved
140720, https://hackerone.com/reports/140720, Denial of service in report view., informative
140742, https://hackerone.com/reports/140742, Cookie not secure, not-applicable
140791, https://hackerone.com/reports/140791, XSS in people.uber.com, duplicate
140793, https://hackerone.com/reports/140793, UniFi Video v3.2.2 (Windows) Local Privileges Escalation due to weak default install directory ACLs, resolved
140865, https://hackerone.com/reports/140865, Integer Overflow in php_html_entities(), resolved
140899, https://hackerone.com/reports/140899, [tidaltrek.mail.ru] SQL Injection, resolved
141065, https://hackerone.com/reports/141065, Security Issue : CSRF Token Design Flaw, resolved
141090, https://hackerone.com/reports/141090, Parameter Manipulation allowed for viewing of other user’s teavana.com orders, resolved
141114, https://hackerone.com/reports/141114, Stored XSS in Filters, resolved
141115, https://hackerone.com/reports/141115, SSL/TLS BEAST ATTACK, informative
141120, https://hackerone.com/reports/141120, Parameter Manipulation allowed for editing the shipping address for other user’s teavana.com subscriptions., resolved
141125, https://hackerone.com/reports/141125, Ngnix Server version disclosure, resolved
141174, https://hackerone.com/reports/141174, node.drchrono.com - Information Disclosure and Windows Host Exposed, resolved
141197, https://hackerone.com/reports/141197, get_icu_value_internal out-of-bounds read, resolved
141198, https://hackerone.com/reports/141198, Template stored XSS, resolved
141202, https://hackerone.com/reports/141202, imagescale out-of-bounds read, resolved
141212, https://hackerone.com/reports/141212, Integer underflow / arbitrary null write in fread/gzread, resolved
141239, https://hackerone.com/reports/141239, Module ngx_http_auth_basic_module is broken and allowing all password after specific length, not-applicable
141240, https://hackerone.com/reports/141240, Angular injection in the profile name of onpatient, resolved
141244, https://hackerone.com/reports/141244, XSS in zendesk.com/product/, resolved
141329, https://hackerone.com/reports/141329, Code source discloure & ability to get database information "SQL injection" in   [townwars.mail.ru], resolved
141339, https://hackerone.com/reports/141339, Uber is Flooding my Mobile with SMS Daily  like a cron JOB, not-applicable
141344, https://hackerone.com/reports/141344, [CRITICAL]  CSRF  leading to account take over , resolved
141355, https://hackerone.com/reports/141355, Open Redirect in unifi.ubnt.com [Controller Finder], resolved
141463, https://hackerone.com/reports/141463, Stored XSS via AngularJS Injection, resolved
141493, https://hackerone.com/reports/141493, Reflected XSS by way of jQuery function, resolved
141541, https://hackerone.com/reports/141541, User with no permissions can access full wdcalendar feed, resolved
141629, https://hackerone.com/reports/141629, Able to remove the admin access of my program, resolved
141676, https://hackerone.com/reports/141676, Bime Unable to load Data Sources, not-applicable
141682, https://hackerone.com/reports/141682, SSRF on synthetics.newrelic.com permitting access to sensitive data, resolved
141700, https://hackerone.com/reports/141700, Bypass GlassWire's monitoring of Hosts file, resolved
141728, https://hackerone.com/reports/141728, XSS in Blog , duplicate
141734, https://hackerone.com/reports/141734, Bypassing Password Reset  , resolved
141839, https://hackerone.com/reports/141839, Multiple vulnerabilities related to PCRE functions (already fixed), resolved
141868, https://hackerone.com/reports/141868, Private Photo Disclosure - /user/stream_photo_attach?load=album&id= endpoint, resolved
141956, https://hackerone.com/reports/141956, [phpobject in cookie] Remote shell/command execution, resolved
142078, https://hackerone.com/reports/142078, IE search XSS, resolved
142084, https://hackerone.com/reports/142084, Stored XSS in unifi.ubnt.com, resolved
142096, https://hackerone.com/reports/142096, [Screenhero] Subdomain takeover, resolved
142101, https://hackerone.com/reports/142101, User with no permissions can create, edit, delete favorite prescriptions /erx/, resolved
142135, https://hackerone.com/reports/142135, XSS в upload.php, resolved
142221, https://hackerone.com/reports/142221, Bypass OTP verification when placing Order, resolved
142352, https://hackerone.com/reports/142352, (Pornhub & Youporn & Brazzers ANDROID APP) : Upload Malicious APK / Overrite Existing APK  / Android BackOffice Access , resolved
142479, https://hackerone.com/reports/142479, [tidaltrek.mail.ru] SQL Injection, resolved
142540, https://hackerone.com/reports/142540, Cross-Site Scripting Stored On Rich Media, resolved
142549, https://hackerone.com/reports/142549, Information Disclosure through .DS_Store in ██████████, resolved
142562, https://hackerone.com/reports/142562, [RCE] Unserialize to XXE - file disclosure on ams.upload.pornhub.com, resolved
142569, https://hackerone.com/reports/142569, Infinite Upvoting/Downvoting: Lockout Bypass, Plus: Exposed API Documentation, resolved
142609, https://hackerone.com/reports/142609, DOM XSS bypassing in Regional Office -selector, resolved
142773, https://hackerone.com/reports/142773, 16 instances where return value of OpenSSL i2d_RSAPublicKey is discarded -- might lead to use of uninitialized memory, resolved
142893, https://hackerone.com/reports/142893, [STORED XSS] in debtor reports of ,,invoices'', resolved
142940, https://hackerone.com/reports/142940, Bug Report , resolved
142946, https://hackerone.com/reports/142946, xss vulnerability in http://ubermovement.com/community/daniel, resolved
143022, https://hackerone.com/reports/143022, Heap corruption via Python 2.7.11 IOBase readline(), resolved
143064, https://hackerone.com/reports/143064, Information Disclosure, resolved
143076, https://hackerone.com/reports/143076, Header Injection , informative
143139, https://hackerone.com/reports/143139, upgrade Aspen on inside.gratipay.com to pick up CR injection fix, resolved
143220, https://hackerone.com/reports/143220, XSS on www.mapbox.com/authorize, resolved
143234, https://hackerone.com/reports/143234, Integer Overflow in _gd2GetHeader() resulting in heap overflow, resolved
143240, https://hackerone.com/reports/143240, XSS on www.mapbox.com/authorize/ because of open redirect at /core/oauth/auth, resolved
143265, https://hackerone.com/reports/143265, Unvalidated redirect on user profile website, informative
143280, https://hackerone.com/reports/143280, Mail.ru for Android Content Provider Vulnerability, resolved
143291, https://hackerone.com/reports/143291, Password Reset Does Not Confirm the Existence of an Email Address, informative
143294, https://hackerone.com/reports/143294, XSS on zomato.com, resolved
143321, https://hackerone.com/reports/143321, Unauthenticated CSRF(User can input any value for CSRF Token), informative
143323, https://hackerone.com/reports/143323, [uk.informatica.com] XSS on uk.informatica..com, resolved
143438, https://hackerone.com/reports/143438, Potentially Sensitive Information on GitHub, resolved
143482, https://hackerone.com/reports/143482, Authentication Bypass on Icinga monitoring server, resolved
143541, https://hackerone.com/reports/143541, Transaction Pending Via  Ip Change , informative
143575, https://hackerone.com/reports/143575, Full path disclosure, informative
143669, https://hackerone.com/reports/143669, Получение оригинала скрытого изображения, resolved
143672, https://hackerone.com/reports/143672, Email Enumeration Vulnerability, informative
143717, https://hackerone.com/reports/143717, Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical), resolved
143903, https://hackerone.com/reports/143903, File upload over private IM channel, resolved
143935, https://hackerone.com/reports/143935, [sms-be-vip.twitter.com] vulnerable to Jetleak, resolved
143966, https://hackerone.com/reports/143966, Insufficient shell characters filtering leads to (potentially remote) code execution (CVE-2016-3714), resolved
143975, https://hackerone.com/reports/143975, Homograph attack in escalate report, resolved
144000, https://hackerone.com/reports/144000, Authorization Bypass in Delivery Chat Logs, resolved
144084, https://hackerone.com/reports/144084, Content spoofing due to the improper behavior of the not-found message , resolved
144104, https://hackerone.com/reports/144104, Text injection on error page., informative
144129, https://hackerone.com/reports/144129, Old titles are not hidden in reports with limited disclosure, resolved
144147, https://hackerone.com/reports/144147, Newsroom.uber HTML form without CSRF protection, informative
144359, https://hackerone.com/reports/144359, Time Based SQL injection in url parameter, informative
144385, https://hackerone.com/reports/144385, SMTP server allows anonymous relay from internal addresses to internal addresses, duplicate
144482, https://hackerone.com/reports/144482, StringIO strio_getline() can divulge arbitrary memory, resolved
144484, https://hackerone.com/reports/144484, Heap corruption in DateTime.strftime() on 32 bit for certain format strings, informative
144485, https://hackerone.com/reports/144485, Heap corruption in string.c tr_trans() due to undersized buffer, informative
144525, https://hackerone.com/reports/144525, Open redirection bypass ., resolved
144526, https://hackerone.com/reports/144526, EXTREMELY URGENT: Missing control of bitcoin amount when selling bitcoin allows a user to withdraw any amount of money, unrestricted., resolved
144674, https://hackerone.com/reports/144674, [townwars.mail.ru] Time-Based SQL Injection, resolved
144782, https://hackerone.com/reports/144782, CVE-2016-0772 - python: smtplib StartTLS stripping attack, resolved
144803, https://hackerone.com/reports/144803, Email Address Enumeration, informative
145086, https://hackerone.com/reports/145086, Stored XSS in SupportFlow Ticket Subject, resolved
145091, https://hackerone.com/reports/145091, Stored XSS from ticket messages in admin table in SupportFlow, resolved
145128, https://hackerone.com/reports/145128, [account-global.ubnt.com] CRLF Injection, resolved
145150, https://hackerone.com/reports/145150, Bulk UUID enumeration via invite codes, resolved
145206, https://hackerone.com/reports/145206, set Pragma header, not-applicable
145207, https://hackerone.com/reports/145207, set Expires header, not-applicable
145224, https://hackerone.com/reports/145224, Subdomain takeover on partners.ubnt.com due to non-used CloudFront DNS entry, resolved
145246, https://hackerone.com/reports/145246, Stored Cross site scripting, duplicate
145260, https://hackerone.com/reports/145260, Full path disclosure vulnerability on paragonie.com, informative
145265, https://hackerone.com/reports/145265, Adobe Flash Player ShimContentFactory class Memory Corruption Vulnerability, resolved
145266, https://hackerone.com/reports/145266, Adobe Flash Player ShimContentFactory.retrieveResolvers Memory Corruption Vulnerability, resolved
145267, https://hackerone.com/reports/145267, Adobe Flash Player ShimContentResolver.configure Memory Corruption Vulnerability, resolved
145269, https://hackerone.com/reports/145269, Adobe Flash Player ShimOpportunityGenerator class Memory Corruption Vulnerability, resolved
145271, https://hackerone.com/reports/145271, Adobe Flash Player ShimContentResolver(resolverType=0) class Memory Corruption Vulnerability, resolved
145272, https://hackerone.com/reports/145272, Adobe Flash Player ShimContentResolver(resolverType=1) class Memory Corruption Vulnerability, resolved
145278, https://hackerone.com/reports/145278, xss in https://www.uber.com, resolved
145289, https://hackerone.com/reports/145289, Self-XSS in Partners Profile, duplicate
145300, https://hackerone.com/reports/145300, Session Management, not-applicable
145306, https://hackerone.com/reports/145306, Registeration Link "Jacking&Redirecting", resolved
145343, https://hackerone.com/reports/145343, Possible RCE, informative
145344, https://hackerone.com/reports/145344, nextcloud.com: Content Injection  Custom 404 Error, resolved
145374, https://hackerone.com/reports/145374, Content Spoofing, resolved
145375, https://hackerone.com/reports/145375, stats.nextcloud.com: Content Injection, resolved
145392, https://hackerone.com/reports/145392, Response Header injection using redirect_uri together with PHP that utilizes Header Folding according to RFC1945 and Internet Explorer 11, resolved
145396, https://hackerone.com/reports/145396, Enumeration of subscribed users and unauthenticated email unsubscriptions on https://newsletter.nextcloud.com/?p=unsubscribe, resolved
145402, https://hackerone.com/reports/145402, No permission set on Activities [Android App], informative
145409, https://hackerone.com/reports/145409, help.nextcloud.com: Known DoS condition (null pointer deref) in Nginx running, resolved
145430, https://hackerone.com/reports/145430, help.nextcloud.com: Session Management Issue, informative
145452, https://hackerone.com/reports/145452, Share owner has no possibility to list all existing derived shares, resolved
145458, https://hackerone.com/reports/145458, nextcloud.com: Mail Bombing ( No Rate Limiting On Sending Emails On Contact us Page), resolved
145462, https://hackerone.com/reports/145462, No rate limiting on password protected shared file link, duplicate
145467, https://hackerone.com/reports/145467, Downloading password protected / restricted videos, resolved
145488, https://hackerone.com/reports/145488, failure to invalidate session on password change, informative
145495, https://hackerone.com/reports/145495, nextcloud.com: Directory listening for 'wp-includes' forders, resolved
145517, https://hackerone.com/reports/145517, Vulnerable Javascript library, informative
145524, https://hackerone.com/reports/145524, Server side request forgery (SSRF) on nextcloud implementation., informative
145552, https://hackerone.com/reports/145552, Directory Listing On download.nextcloud.com & Practical Attacks on PGP (Pretty Good Privacy) , informative
145583, https://hackerone.com/reports/145583, Lost Password CSRF, informative
145603, https://hackerone.com/reports/145603, https://newsletter.nextcloud.com Directory listening and Information Disclosure, resolved
145604, https://hackerone.com/reports/145604, Avatar image upload and bypass  real image verification , informative
145612, https://hackerone.com/reports/145612, No captcha on newsletter.nextcloudcom leaves vulnerable to email spammers, resolved
145621, https://hackerone.com/reports/145621, Unauthenticated Access to some old file thumbnails , informative
145686, https://hackerone.com/reports/145686, CSS, informative
145722, https://hackerone.com/reports/145722, Bruteforce attack is possible on newsletter.nextcloud.com, informative
145727, https://hackerone.com/reports/145727, Bruteforcing help.nextcloud.com, informative
145730, https://hackerone.com/reports/145730, newsletter.nextcloud.com: Bypass firewall protection, resolved
145734, https://hackerone.com/reports/145734, help.nextcloud Email Address/Username enumeration, informative
145745, https://hackerone.com/reports/145745, Business/Functional logic bypass: Remove admins from admin group., informative
145849, https://hackerone.com/reports/145849, Content Injection 404 page, resolved
145850, https://hackerone.com/reports/145850, Content Spoofing/Text Injection - docs.nextcloud.org, resolved
145853, https://hackerone.com/reports/145853, Content injection in subdomain, resolved
145854, https://hackerone.com/reports/145854, Content Injection in subdomain, resolved
145893, https://hackerone.com/reports/145893, Error Message on 404 page, informative
145896, https://hackerone.com/reports/145896, Password reset link remains valid after email change, resolved
146067, https://hackerone.com/reports/146067, Read-only share recipient can restore old versions of file, resolved
146093, https://hackerone.com/reports/146093, WordPress Vulnerabilities: User Enumeration, Vulnerable Akismet Plugin, XML-RPC Interface available, informative
146106, https://hackerone.com/reports/146106, Email ID Disclosure., informative
146129, https://hackerone.com/reports/146129, Authentication Bypass in Updating Personal Information, informative
146133, https://hackerone.com/reports/146133, Authentication Issue, resolved
146179, https://hackerone.com/reports/146179, REG: Content provider information leakage, informative
146180, https://hackerone.com/reports/146180, Integer Overflow in SplFileObject::fread, resolved
146182, https://hackerone.com/reports/146182, Integer Overflow/Heap Overflow in json_encode()/json_decode(), resolved
146183, https://hackerone.com/reports/146183, Integer Overflow in nl2br(), resolved
146184, https://hackerone.com/reports/146184, Integer Overflow in addcslashes()/addslashes(), resolved
146185, https://hackerone.com/reports/146185, Integer Overflow in Length of String-typed ZVAL, resolved
146200, https://hackerone.com/reports/146200, _php_mb_regex_ereg_replace_exec - double free, resolved
146202, https://hackerone.com/reports/146202, Invalid free in phar_extract_file(), resolved
146233, https://hackerone.com/reports/146233, Use After Free Vulnerability in PHP's GC algorithm and unserialize, resolved
146235, https://hackerone.com/reports/146235, ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize, resolved
146255, https://hackerone.com/reports/146255, Double Free Corruption in wddx.c (extension), resolved
146314, https://hackerone.com/reports/146314, Deny access to download.nextcloud.com + folders, informative
146318, https://hackerone.com/reports/146318, Html injection in monitor name textbox, resolved
146327, https://hackerone.com/reports/146327, Server version disclosure: team.uberinternal.com, informative
146336, https://hackerone.com/reports/146336, XSS vulnerable parameter in a location hash, resolved
146360, https://hackerone.com/reports/146360, Heap Overflow Due To Integer Overflow, resolved
146416, https://hackerone.com/reports/146416, Ruby:HTTP Header injection in 'net/http', informative
146424, https://hackerone.com/reports/146424, No Rate Limiting on stats.nextcloud.com login, informative
146436, https://hackerone.com/reports/146436, [product360.informatica.com] Unauthenticated Apache Tomcat 8 Installation, resolved
146593, https://hackerone.com/reports/146593, RCE Possible Via Video Manager Export using @ character in Video Title, informative
146735, https://hackerone.com/reports/146735, Command Injection, Information , informative
146847, https://hackerone.com/reports/146847, faspex.uber.com uses an invalid SSL certificate, informative
146875, https://hackerone.com/reports/146875, http://newrelic.com SSRF/XSPA, informative
146910, https://hackerone.com/reports/146910, RC4 cipher suites detected, resolved
146911, https://hackerone.com/reports/146911, The POODLE attack (SSLv3 supported), resolved
146936, https://hackerone.com/reports/146936, CVE-2015-8874 Stack overflow with imagefilltoborder, resolved
146939, https://hackerone.com/reports/146939, DOM XSS в /activation.php?act=activate_mobile, resolved
146940, https://hackerone.com/reports/146940, pass2_no_dither out-of-bounds access, resolved
146944, https://hackerone.com/reports/146944, NULL Pointer Dereference at _gdScaleVert, resolved
146948, https://hackerone.com/reports/146948, Clickjacking login page of http://book.zomato.com/, informative
147125, https://hackerone.com/reports/147125, Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow, resolved
147155, https://hackerone.com/reports/147155, Can make any number of dropbox accounts with one email, not-applicable
147161, https://hackerone.com/reports/147161, [oneclickdrsfdc-test.informatica.com] Tomcat Example Scripts Exposed Unauthenticated, resolved
147182, https://hackerone.com/reports/147182, No email verification required when we change email from settings, resolved
147188, https://hackerone.com/reports/147188, Stored number of clicks in the Deposits button, resolved
147196, https://hackerone.com/reports/147196, [careers.informatica.com] Reflected Cross Site Scripting to XSS Shell Possible, resolved
147204, https://hackerone.com/reports/147204, Bypass logout , resolved
147220, https://hackerone.com/reports/147220, Urgent Fix Balance Limit bypass , resolved
147237, https://hackerone.com/reports/147237, Betting more than max amount, resolved
147260, https://hackerone.com/reports/147260, Weak HSTS age, resolved
147310, https://hackerone.com/reports/147310, ntpd: read_mru_list() does inadequate incoming packet checks, resolved
147369, https://hackerone.com/reports/147369, User can start call in a channel of an unpaid account, resolved
147388, https://hackerone.com/reports/147388, Session doesn't expired after login, resolved
147570, https://hackerone.com/reports/147570, Local File Inclusion path bypass, resolved
147577, https://hackerone.com/reports/147577, Application error message, resolved
147656, https://hackerone.com/reports/147656, Logging out any user, resolved
147776, https://hackerone.com/reports/147776, Change contents of the careers iframe in https://corp.badoo.com/jobs, resolved
147919, https://hackerone.com/reports/147919, Email spoofing in 	support@veris.in , resolved
148050, https://hackerone.com/reports/148050, Know undisclosed Bounty Amount when Bounty Statistics are enabled., resolved
148068, https://hackerone.com/reports/148068, Source code leakage through GIT web access at host '52.91.137.42', resolved
148151, https://hackerone.com/reports/148151, SMB User Authentication Bypass and Persistence, resolved
148163, https://hackerone.com/reports/148163, Wordpress Vulnerabilities in transparencyreport.uber.com and eng.uber.com domains, resolved
148300, https://hackerone.com/reports/148300, Full Page Caching Stored XSS Vulnerability, informative
148417, https://hackerone.com/reports/148417, CSRF with redeem coupon request , informative
148467, https://hackerone.com/reports/148467, Паблики: Модератор паблика может удалять добавленные редакторами материалы с таймером на публикацию., resolved
148517, https://hackerone.com/reports/148517, Possible CSRF during joining report as participant , resolved
148537, https://hackerone.com/reports/148537, No authorization required in Windows phone web-application, duplicate
148538, https://hackerone.com/reports/148538, No authorization required in iOS device web-application, duplicate
148609, https://hackerone.com/reports/148609, Register multiple users using one invitation (race condition), resolved
148640, https://hackerone.com/reports/148640, XSS, Unvalidated redirects & phishing website hosting on dropbox servers, not-applicable
148763, https://hackerone.com/reports/148763, Email spoofing in security@paragonie.com, informative
148764, https://hackerone.com/reports/148764, [idor] Unauthorized Read access to all the private posts(Including Photos,Videos,Gifs), resolved
148770, https://hackerone.com/reports/148770, Subdomain takeover at api.legalrobot.com due to non-used domain in Modulus.io., resolved
148777, https://hackerone.com/reports/148777, Microsoft IIS tilde directory enumeration, resolved
148848, https://hackerone.com/reports/148848, "a stored xss issue in share post menu", resolved
148865, https://hackerone.com/reports/148865, HTML in Diffusion not escaped in certain circumstances, resolved
148890, https://hackerone.com/reports/148890, Full path disclosure when CSRF validation failed , informative
148897, https://hackerone.com/reports/148897, [Thirdparty] Stored XSS in chat module - nextcloud server 9.0.51 installed in ubuntu 14.0.4 LTS, resolved
148903, https://hackerone.com/reports/148903, Airship doesn't reject weak passwords, informative
148911, https://hackerone.com/reports/148911, User enumeration  via Password reset page [Minor], informative
148914, https://hackerone.com/reports/148914, Session Management Issue CMS Airship, informative
148952, https://hackerone.com/reports/148952, Content Injection error page, informative
148963, https://hackerone.com/reports/148963, Application error message, resolved
149011, https://hackerone.com/reports/149011, a stored xss issue in https://files.slack.com, resolved
149027, https://hackerone.com/reports/149027, Issue with password reset functionality [Minor], informative
149028, https://hackerone.com/reports/149028, [URGENT] Password reset emails are sent in clear-text (without encryption), informative
149154, https://hackerone.com/reports/149154, Stored xss , resolved
149212, https://hackerone.com/reports/149212, Full path + some back-end code disclosure, resolved
149268, https://hackerone.com/reports/149268, Arbitrary file upload when setting an avatar, resolved
149273, https://hackerone.com/reports/149273, Filename and directory enumeration, resolved
149279, https://hackerone.com/reports/149279, Arbitrary SQL query execution and reflected XSS in the "SQL Query Form", resolved
149287, https://hackerone.com/reports/149287, Reflected Xss in AirMax [Nanostation Loco M2], resolved
149327, https://hackerone.com/reports/149327, Web Server Disclosure, informative
149369, https://hackerone.com/reports/149369, ssl info shown , not-applicable
149435, https://hackerone.com/reports/149435, Reward Money Leakage, informative
149483, https://hackerone.com/reports/149483, Server version disclosure, informative
149571, https://hackerone.com/reports/149571, Stored XSS in wis.pr, resolved
149572, https://hackerone.com/reports/149572, AWS S3 website can't serve security headers, may allow clickjacking, resolved
149589, https://hackerone.com/reports/149589, CSRF to add admin [wordpress], resolved
149598, https://hackerone.com/reports/149598, Insecure 2FA/authentication implementation creates a brute force vulnerability, resolved
149673, https://hackerone.com/reports/149673, Reflected XSS in reddeadredemption Site  located at www.rockstargames.com/reddeadredemption, resolved
149679, https://hackerone.com/reports/149679, Subdomain takeover of translate.uber.com, de.uber.com and fr.uber.com, resolved
149710, https://hackerone.com/reports/149710, don't leak Server version for assets.gratipay.com, informative
149798, https://hackerone.com/reports/149798, Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/ , resolved
149855, https://hackerone.com/reports/149855, Reflected XSS in m.imgur.com, resolved
149907, https://hackerone.com/reports/149907, Urgent: attacker can access every data source on Bime, resolved
149914, https://hackerone.com/reports/149914, Attacker can access graphic representation of every query, resolved
150018, https://hackerone.com/reports/150018, Full Path Disclosure by removing CSRF token, informative
150078, https://hackerone.com/reports/150078, SSL certificate public key less than 2048 bit, not-applicable
150079, https://hackerone.com/reports/150079, Brute force on wp-login, not-applicable
150083, https://hackerone.com/reports/150083, Cross Site Scripting(XSS) on IRCCloud Badges Page (using Parameter Pollution), resolved
150156, https://hackerone.com/reports/150156, SQL Injection on sctrack.email.uber.com.cn, resolved
150179, https://hackerone.com/reports/150179, Html Injection and Possible XSS in sms-be-vip.twitter.com, resolved
150374, https://hackerone.com/reports/150374, https://windsor.shopify.com/ takeover, resolved
150375, https://hackerone.com/reports/150375, newsroom.uber.com is vulnerable to 'SOME' XSS attack via plupload.flash.swf, resolved
150520, https://hackerone.com/reports/150520, XXE at Informatica sub-domain, resolved
150540, https://hackerone.com/reports/150540, All Active user sessions should be destroyed when user change his password!, resolved
150560, https://hackerone.com/reports/150560, XSS @ *.olx.com.ar, resolved
150565, https://hackerone.com/reports/150565, XSS @ yaman.olx.ph, resolved
150568, https://hackerone.com/reports/150568, Cross Site Scripting -> Reflected XSS, resolved
150586, https://hackerone.com/reports/150586, CSRF in account configuration leads to complete account compromise, resolved
150626, https://hackerone.com/reports/150626, Heap Buffer Overflow, resolved
150631, https://hackerone.com/reports/150631, Updating and Deleting any Ads on OLX Philippines , resolved
150668, https://hackerone.com/reports/150668, stored XSS in olx.pl - ogloszenie TITLE element - moderator acc can be hacked, resolved
150746, https://hackerone.com/reports/150746, Reflected XSS in www.olx.ph, resolved
150783, https://hackerone.com/reports/150783, Arbitrary File Reading, resolved
150822, https://hackerone.com/reports/150822, XSS @ *.letgo.com, resolved
150837, https://hackerone.com/reports/150837, Reflected Cross Site scripting Attack (XSS), resolved
150905, https://hackerone.com/reports/150905, Information disclosure through directory listing at http://dockerhost01.maximum.nl:8080, resolved
150917, https://hackerone.com/reports/150917, prevent null bytes in email field, informative
150944, https://hackerone.com/reports/150944, cross-site scripting in get request, duplicate
150976, https://hackerone.com/reports/150976, Flash “local-with-filesystem” Bypass in navigateToURL, resolved
151034, https://hackerone.com/reports/151034, Xss on billing, resolved
151039, https://hackerone.com/reports/151039, Adobe Flash Player TimedEvent.parent Memory Corruption Vulnerability, resolved
151040, https://hackerone.com/reports/151040, Adobe Flash Player ShimAdPolicySelector(adPolicySelectorType=0) class Memory Corruption, resolved
151043, https://hackerone.com/reports/151043, Adobe Flash Player PSDK Class Use After Free Vulnerability, resolved
151058, https://hackerone.com/reports/151058, Stealing livechat token and using it to chat as the user - user information disclosure , resolved
151086, https://hackerone.com/reports/151086, SSRF allows access to internal services like Ganglia, resolved
151117, https://hackerone.com/reports/151117, [bbPress] Stored XSS in any forum post., resolved
151147, https://hackerone.com/reports/151147, XSS yaman.olx.ph, resolved
151149, https://hackerone.com/reports/151149, Manipulating joinolx.com Job Vacancy alert subscription emails (HTML Injection / Script Injection), resolved
151165, https://hackerone.com/reports/151165, This is a test report, not-applicable
151231, https://hackerone.com/reports/151231, Content-type sniffing leads to stored XSS in CMS Airship on Internet Explorer , resolved
151258, https://hackerone.com/reports/151258, Reflected XSS at yaman.olx.ph, informative
151276, https://hackerone.com/reports/151276, Reflected XSS in /Videos/ via calling a callback http://www.rockstargames.com/videos/#/?lb=, resolved
151295, https://hackerone.com/reports/151295, don't allow directory browsing on grtp.co, informative
151302, https://hackerone.com/reports/151302, don't leak Server version for assets.gratipay.com, duplicate
151305, https://hackerone.com/reports/151305, REFLECTED CROSS SITE SCRIPTING IN OLX, resolved
151310, https://hackerone.com/reports/151310, xss yaman.olx.ph, informative
151459, https://hackerone.com/reports/151459, Creating Post on a restricted channel, resolved
151465, https://hackerone.com/reports/151465, Get organization info base on uuid, resolved
151470, https://hackerone.com/reports/151470, [IODR] Get business trip via organization id, resolved
151475, https://hackerone.com/reports/151475, ownCloud 2.2.2.6192 DLL Hijacking Vulnerability, resolved
151516, https://hackerone.com/reports/151516, CSV Injection at Camptix Event Ticketing, resolved
151583, https://hackerone.com/reports/151583, User enumeration in wp-admin, not-applicable
151634, https://hackerone.com/reports/151634, XSS in http://localhost:8153/go/admin/config/server/update, resolved
151678, https://hackerone.com/reports/151678, Cross Site Scripting, resolved
151680, https://hackerone.com/reports/151680, Possible SSRF at URL Parameter while creating a new package repository, resolved
151691, https://hackerone.com/reports/151691, XSS on Home page olx.com.ar via auto save search text, resolved
151772, https://hackerone.com/reports/151772, Directory Listening, resolved
151779, https://hackerone.com/reports/151779, Reflected XSS, duplicate
151786, https://hackerone.com/reports/151786, X-Content-Type-Options header missing at Auth Login, resolved
151831, https://hackerone.com/reports/151831, User Supplied links on profile page is not validated and redirected via gratipay., duplicate
151847, https://hackerone.com/reports/151847, The application uses basic authentication., informative
151868, https://hackerone.com/reports/151868, No Rate Limit In Inviting Similar Contact Multiple Times, resolved
152013, https://hackerone.com/reports/152013, CSRF in 'set.php' via age causes stored XSS on 'get.php' - http://www.rockstargames.com/php/videoplayer_cache/get.php', resolved
152052, https://hackerone.com/reports/152052, CSRF Full Account Takeover, resolved
152067, https://hackerone.com/reports/152067, Stored XSS on developer.uber.com via admin account compromise, resolved
152069, https://hackerone.com/reports/152069, Stored XSS on contact name, resolved
152080, https://hackerone.com/reports/152080, Broken authentication and session management flaw , resolved
152231, https://hackerone.com/reports/152231, Out of bound read in exif_process_IFD_in_MAKERNOTE, resolved
152232, https://hackerone.com/reports/152232, NULL Pointer Dereference in exif_process_user_comment, resolved
152266, https://hackerone.com/reports/152266, Use After Free Vulnerability in SNMP with GC and unserialize(), resolved
152267, https://hackerone.com/reports/152267, Use After Free in unserialize() with Unexpected Session Deserialization, resolved
152278, https://hackerone.com/reports/152278, Stack-based buffer overflow vulnerability in php_stream_zip_opener, resolved
152280, https://hackerone.com/reports/152280, Stack-based buffer overflow vulnerability in virtual_file_ex, resolved
152281, https://hackerone.com/reports/152281, Use After Free/Double Free in Garbage Collection, resolved
152368, https://hackerone.com/reports/152368, XSS in a newrelic.com site, resolved
152398, https://hackerone.com/reports/152398, In correct casting from size_t to int lead to heap overflow in mcrypt_generic, resolved
152399, https://hackerone.com/reports/152399, php curl ext size_t overflow lead to heap corruption, resolved
152400, https://hackerone.com/reports/152400, php mcrypt ext - In correct casting from size_t to int lead to heap overflow in mdecrypt_generic, resolved
152407, https://hackerone.com/reports/152407, Missing Access Control(IDOR) To Know LinkedAccounts , resolved
152416, https://hackerone.com/reports/152416, Lazy Load stored XSS, resolved
152477, https://hackerone.com/reports/152477, Username .. (double dot) should be restricted or handled carefully, informative
152499, https://hackerone.com/reports/152499, Information disclosure, not-applicable
152569, https://hackerone.com/reports/152569, Cross-Site Request Forgery (CSRF), resolved
152584, https://hackerone.com/reports/152584, S3 bucket takeover due to proxy.harvestfiles.com, resolved
152586, https://hackerone.com/reports/152586, CSRF token fixation in Sign in with Google, resolved
152591, https://hackerone.com/reports/152591, Stored XSS on invoice, executing on any subdomain, resolved
152669, https://hackerone.com/reports/152669, Users enumeration is possible through cycling through recurring[client_id] argument value., resolved
152692, https://hackerone.com/reports/152692, Persistent Cross-Site Scripting in WooCommerce WordPress plugin, resolved
152696, https://hackerone.com/reports/152696, Leak of all project names and all user names , even across applications, resolved
152717, https://hackerone.com/reports/152717, Race Condition in Definition Votes, resolved
152772, https://hackerone.com/reports/152772, Inadequate error handling in bzread(), resolved
152782, https://hackerone.com/reports/152782, locale_accept_from_http out-of-bounds access, resolved
152784, https://hackerone.com/reports/152784, imagegif/output out-of-bounds access, resolved
152834, https://hackerone.com/reports/152834, [gratipay.com] Cross Site Tracing, informative
152925, https://hackerone.com/reports/152925, Content spoofing in cloud.nextcloud.com, resolved
152929, https://hackerone.com/reports/152929, Project Disclosure of all Harvest Instances, resolved
152944, https://hackerone.com/reports/152944, Session Management Flaw, resolved
152958, https://hackerone.com/reports/152958, Multiple XSS in Camptix Event Ticketing Plugin, resolved
153026, https://hackerone.com/reports/153026, Java Deserialization RCE via JBoss JMXInvokerServlet/EJBInvokerServlet on card.starbucks.in, resolved
153093, https://hackerone.com/reports/153093, WordPress core  - Denial of Service via Cross Site Request Forgery, resolved
153095, https://hackerone.com/reports/153095, Text Only Content Spoofing on ubermovement.com Community Page, informative
153175, https://hackerone.com/reports/153175, Can add employee in business.uber.com without add payment method, informative
153251, https://hackerone.com/reports/153251, [Nextcloud 9.0.53] Content Spoofing in 'trustDomain' parameter, resolved
153580, https://hackerone.com/reports/153580, CSRF in changing settings of Basic Google Maps Placemarks, not-applicable
153618, https://hackerone.com/reports/153618, Reflected XSS via #tags= while using a callback in newswire  http://www.rockstargames.com/newswire, resolved
153628, https://hackerone.com/reports/153628, [Not just a server configuration issue] Full Path Disclosure , informative
153634, https://hackerone.com/reports/153634, [alerts.newrelic.com] Scanning local network via notification channel, resolved
153666, https://hackerone.com/reports/153666, csp bypass + xss, resolved
153776, https://hackerone.com/reports/153776, gdImageTrueColorToPaletteBody allows arbitrary write/read access, resolved
153794, https://hackerone.com/reports/153794, Response splitting vulnerability in WEBrick, resolved
153799, https://hackerone.com/reports/153799, xss for admin of https://newsletter.nextcloud.com, resolved
153863, https://hackerone.com/reports/153863, heap-buffer-overflow (write) simplestring_addn simplestring.c, resolved
153905, https://hackerone.com/reports/153905, IDOR - Disable sharing, resolved
154275, https://hackerone.com/reports/154275, [doc.owncloud.org] CRLF Injection, resolved
154278, https://hackerone.com/reports/154278, Cache purge requests are not authenticated, resolved
154306, https://hackerone.com/reports/154306, [api.owncloud.org] CRLF Injection, resolved
154319, https://hackerone.com/reports/154319, [forum.owncloud.org] IE, Edge XSS via Request-URI, resolved
154369, https://hackerone.com/reports/154369, Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181, resolved
154397, https://hackerone.com/reports/154397, [Stored Cross-Site-Scripting] When search about Incoming ( Manual Jurnal ), resolved
154400, https://hackerone.com/reports/154400, Opportunity to set arbitrary cookies, resolved
154410, https://hackerone.com/reports/154410, Delete/modify  your own comment after limited access(IDOR), resolved
154425, https://hackerone.com/reports/154425, Subdomain takeover on http://fastly.sc-cdn.net/, resolved
154529, https://hackerone.com/reports/154529, Bookmarks: Delete all existing bookmarks of a user, resolved
154762, https://hackerone.com/reports/154762, Missing authorization checks leading to the exposure of ubernihao.com administrator accounts , resolved
154827, https://hackerone.com/reports/154827, More content spoofing through dir param in the files app, resolved
154855, https://hackerone.com/reports/154855, Leaking license key in source code, resolved
154921, https://hackerone.com/reports/154921, Content Spoofing/Text Injection , resolved
154963, https://hackerone.com/reports/154963, Stealing User emails by clickjacking cards.twitter.com/xxx/xxx, resolved
155130, https://hackerone.com/reports/155130, Unauthorised access to olx.in user accounts. , resolved
155189, https://hackerone.com/reports/155189, demo.nextcloud.com: Content spoofing due to default Apache Error Page, resolved
155222, https://hackerone.com/reports/155222, (BYPASS) Open Redirect after login at http://ecommerce.shopify.com, resolved
155223, https://hackerone.com/reports/155223, Use After Free Vulnerability in array_walk()/array_walk_recursive(), resolved
155228, https://hackerone.com/reports/155228, Outdated MediaElement.js Reflected Cross-Site Scripting (XSS), resolved
155576, https://hackerone.com/reports/155576, [github.algolia.com] XSS, resolved
155578, https://hackerone.com/reports/155578, User Enumeration and Information Disclosure, informative
155618, https://hackerone.com/reports/155618, Watch any Password Video without password, resolved
155657, https://hackerone.com/reports/155657, Arbitrary Code Injection in ownCloud’s Windows Client, resolved
155685, https://hackerone.com/reports/155685, Content injection on 404 error page at faspex.uber.com, not-applicable
155690, https://hackerone.com/reports/155690, Arbitrary File Upload in Logo & Log in image Theming setting., resolved
155704, https://hackerone.com/reports/155704, Staff member can delete Private Apps, resolved
155726, https://hackerone.com/reports/155726, Create Multiple Account Using Similar X-CSRF token, not-applicable
155774, https://hackerone.com/reports/155774, CSRF - Add optional two factor mobile number, resolved
156098, https://hackerone.com/reports/156098, XSS At "pages.et.uber.com", not-applicable
156166, https://hackerone.com/reports/156166, [kb.informatica.com] Dom Based xss, resolved
156182, https://hackerone.com/reports/156182, Visibility  Robots.txt file, informative
156196, https://hackerone.com/reports/156196, Error page Text Injection., not-applicable
156347, https://hackerone.com/reports/156347, Stored XSS triggered by json key during UI generation, resolved
156373, https://hackerone.com/reports/156373, Stored xss, resolved
156387, https://hackerone.com/reports/156387, Stored XSS from Display Settings triggered on Save and viewing realtime search demo, resolved
156425, https://hackerone.com/reports/156425, demo.nextcloud.com: Content spoofing due to default Apache Error Page, resolved
156510, https://hackerone.com/reports/156510, Directory listening enabled in: 88.198.160.130, resolved
156511, https://hackerone.com/reports/156511, Incorrect logic in MySQL & MariaDB protocol leads to remote SSRF/Remote file read, resolved
156520, https://hackerone.com/reports/156520, Unauthorized team members can leak information and see all API calls through /1/admin/* endpoints, even after they have been removed., resolved
156536, https://hackerone.com/reports/156536, Reading Emails in Uber Subdomains, resolved
156537, https://hackerone.com/reports/156537, IDOR Causing Deletion of any account, resolved
156542, https://hackerone.com/reports/156542, Avoid "resend verification email" confusion, resolved
156941, https://hackerone.com/reports/156941, bug, resolved
156992, https://hackerone.com/reports/156992, Login CSRF vulnerability, informative
157270, https://hackerone.com/reports/157270, CSRF vulnerability that allows an attacker to purge plugin metric data, resolved
157434, https://hackerone.com/reports/157434, XSS on IOS app via HTML rendering, resolved
157450, https://hackerone.com/reports/157450, All Active user sessions should be destroyed when user change his password!, informative
157465, https://hackerone.com/reports/157465, Host Header Injection/Redirection Attack, not-applicable
157563, https://hackerone.com/reports/157563, Cookie:HttpOnly Flag not set, duplicate
157699, https://hackerone.com/reports/157699, Disclosure of external users invited to a specific report, resolved
157750, https://hackerone.com/reports/157750, Missing rate limit on critical user actions e.g. reset password, change email, disable account., resolved
157813, https://hackerone.com/reports/157813, XSS on Meta Tag at https://m.olx.ph, resolved
157889, https://hackerone.com/reports/157889, these are my old reports and still i have not receive any good replys, these all are Cross Site Scripting(XSS) issues: POC1: https://www.youtube.com/w, resolved
157958, https://hackerone.com/reports/157958, Stored XSS, resolved
157986, https://hackerone.com/reports/157986, Internal server error 500 at log.veris.in , informative
157993, https://hackerone.com/reports/157993, Cross-Site Request Forgery (CSRF), resolved
157996, https://hackerone.com/reports/157996, Race Condition in Redeeming Coupons, resolved
158002, https://hackerone.com/reports/158002, Missing rel=noreferrer tag allows link in list to change url of currently open tab, resolved
158016, https://hackerone.com/reports/158016, Server side request forgery on image upload for lists, resolved
158021, https://hackerone.com/reports/158021, Image Upload Path Disclosure, resolved
158148, https://hackerone.com/reports/158148, reverb.twitter.com redirects to vulnerable reverb.guru, resolved
158157, https://hackerone.com/reports/158157, shopper login_code's can be brute forced, resolved
158186, https://hackerone.com/reports/158186, Non-secure requests are not automatically upgraded to HTTPS, resolved
158270, https://hackerone.com/reports/158270, Business logic Failure - Browser cache management and logout vulnerability in Certly, resolved
158287, https://hackerone.com/reports/158287, XSS on Nanostation Loco M2 Airmax, resolved
158330, https://hackerone.com/reports/158330, Ability to access all user authentication tokens, leads to RCE, resolved
158434, https://hackerone.com/reports/158434, (BYPASS) Open redirect and XSS in supporthiring.shopify.com, resolved
158461, https://hackerone.com/reports/158461, Blind XSS in mapbox.com/contact, resolved
158482, https://hackerone.com/reports/158482, Host Header poisoning on gratipay.com, duplicate
158484, https://hackerone.com/reports/158484, [scores.ubnt.com] DOM based XSS at form.html, resolved
158541, https://hackerone.com/reports/158541, Webhook allows sending payload using insecure HTTP protocol, resolved
158554, https://hackerone.com/reports/158554, Hyperlink Injection in Friend Invitation Emails, resolved
158749, https://hackerone.com/reports/158749, [alpha.informatica.com] Expensive DOMXSS, resolved
158757, https://hackerone.com/reports/158757, Cross site scripting , resolved
158853, https://hackerone.com/reports/158853, OX Guard: DOM Based Cross-Site Scripting, resolved
158872, https://hackerone.com/reports/158872, [Critical] Delete any account , resolved
158979, https://hackerone.com/reports/158979, PM with can Set up email for invoices and estimates (Access control Issue), resolved
159213, https://hackerone.com/reports/159213, The web app's forgot password page is vulnerable to text injection/content spoofing, resolved
159387, https://hackerone.com/reports/159387, PM can delete the company logo image (Vertical Privilege Escalation ), resolved
159391, https://hackerone.com/reports/159391, Record payment for any invoice by PM (Access control Issue), resolved
159393, https://hackerone.com/reports/159393, PM can delete payment of any invoice in company (Access control Issue), resolved
159395, https://hackerone.com/reports/159395, Unauthorized access to all the actions of invoices by PM (Access control Issues) , resolved
159399, https://hackerone.com/reports/159399, Unauthorized read access to Invoices by PM (Access control Issues), resolved
159460, https://hackerone.com/reports/159460,  Stored XSS(Cross Site Scripting) In Slack App Name, resolved
159481, https://hackerone.com/reports/159481, full path disclosure vulnerability at https://security.olx.com/*, resolved
159497, https://hackerone.com/reports/159497, Missing Rate limiting for sensitive actions (like "forgot password") and reCaptcha error.  , resolved
159507, https://hackerone.com/reports/159507, [qiwi.com] Oauth захват аккаунта, resolved
159522, https://hackerone.com/reports/159522, Open redirect using checkout_url, resolved
159526, https://hackerone.com/reports/159526, Information leakage of private program, resolved
159536, https://hackerone.com/reports/159536, Open CouchDB on experiments.ec2.shopify.com:5984, resolved
159686, https://hackerone.com/reports/159686, integer overflow in the _csv module's join_append_data function, resolved
159687, https://hackerone.com/reports/159687, integer overflow in binascii.b2a_qp, resolved
159690, https://hackerone.com/reports/159690, stack buffer overflows in the curses module, resolved
159693, https://hackerone.com/reports/159693, Py_DECREF on a non-owned object in the _sre module, resolved
159696, https://hackerone.com/reports/159696, Two vulnerabilities in the ssl module, resolved
159820, https://hackerone.com/reports/159820, Issues with uploading list images, resolved
159878, https://hackerone.com/reports/159878, [render.bitstrips.com] Stored XSS via an incorrect avatar property value, resolved
159890, https://hackerone.com/reports/159890, Ability to monitor reports' submission in real time, not-applicable
159925, https://hackerone.com/reports/159925, Send emails to all users using Camptix, not-applicable
159943, https://hackerone.com/reports/159943, Create an Unexpected Object and Don't Invoke __wakeup() in During Deserialization, resolved
159953, https://hackerone.com/reports/159953, integer overflow in curl_escape caused heap corruption, resolved
159954, https://hackerone.com/reports/159954, integer overflow in base64_decode caused heap corruption, resolved
159955, https://hackerone.com/reports/159955, integer overflow in bzdecompress caused heap corruption, resolved
159958, https://hackerone.com/reports/159958, Integer overflow lead to heap corruption in sql_regcase, resolved
159959, https://hackerone.com/reports/159959, integer overflow in quoted_printable_encode caused heap corruption, resolved
159960, https://hackerone.com/reports/159960, integer overflow in urlencode caused heap corruption, resolved
159961, https://hackerone.com/reports/159961, integer overflow in php_uuencode caused heap corruption, resolved
159984, https://hackerone.com/reports/159984, XSS On meta tags in profile page, resolved
159985, https://hackerone.com/reports/159985, [realty.mail.ru] XSS, SSI Injection, resolved
159988, https://hackerone.com/reports/159988, Heap Overflow due to integer overflows, resolved
159992, https://hackerone.com/reports/159992, memory allocator fails to realloc small block to large one, resolved
160047, https://hackerone.com/reports/160047, [apps.shopify.com] Open Redirect, resolved
160109, https://hackerone.com/reports/160109, Brute force login and bypass locked account restrictions via iOS app, resolved
160120, https://hackerone.com/reports/160120, API OAuth Public Key disclosure in mobile app, informative
160294, https://hackerone.com/reports/160294, Memory Leakage In exif_process_IFD_in_TIFF (CVE-2016-7128), resolved
160295, https://hackerone.com/reports/160295, Heap overflow in curl_escape, resolved
160488, https://hackerone.com/reports/160488, stored SELF xss on Basic Google Maps Placemarks Settings plugin, not-applicable
160498, https://hackerone.com/reports/160498, window.opener is leaking to external domains upon redirect on Safari, resolved
160500, https://hackerone.com/reports/160500, Bypassing CSV injection using new line charcter, resolved
160520, https://hackerone.com/reports/160520, Bypass fix in https://hackerone.com/reports/151516 report., resolved
160981, https://hackerone.com/reports/160981, Extracting private info of estimates., resolved
161189, https://hackerone.com/reports/161189, select_colors write out-of-bounds, resolved
161193, https://hackerone.com/reports/161193, imagegammacorrect allows arbitrary write access, resolved
161198, https://hackerone.com/reports/161198, wddx_deserialize null dereference with invalid xml, resolved
161200, https://hackerone.com/reports/161200, wddx_deserialize allows illegal memory access, resolved
161216, https://hackerone.com/reports/161216, wddx_deserialize null dereference, resolved
161217, https://hackerone.com/reports/161217, wddx_deserialize null dereference in php_wddx_pop_element, resolved
161290, https://hackerone.com/reports/161290, bypass to csv injection, not-applicable
161299, https://hackerone.com/reports/161299, Content Injection - apps.nextcloud.com, resolved
161301, https://hackerone.com/reports/161301, READ .svg files by changing .svg into .png extension, resolved
161323, https://hackerone.com/reports/161323, Content Injection - demo.nextcloud.com, resolved
161408, https://hackerone.com/reports/161408, [cfire.mail.ru] CSRF Bypassed - Changing anyone's 'User Info', resolved
161428, https://hackerone.com/reports/161428, Subdomain takeover at ws.bimedb.com due to unclaimed Amazon S3 bucket, resolved
161459, https://hackerone.com/reports/161459, Potentially vulnerable version of Apache software in and default files on https://iandunn.name/, informative
161529, https://hackerone.com/reports/161529, Site-wide CSRF on eats.uber.com, resolved
161621, https://hackerone.com/reports/161621, XSS Via Method injection, informative
161659, https://hackerone.com/reports/161659, ████ discloses valid Airbnb SSO login names via Google Search Results, resolved
161710, https://hackerone.com/reports/161710, Possible to steal any protected files on Android, resolved
161918, https://hackerone.com/reports/161918, Reset Link Issue, not-applicable
161924, https://hackerone.com/reports/161924, Password Reset Link issue, resolved
161932, https://hackerone.com/reports/161932, Non secure requests at guard.certly.io not upgrading to https, resolved
161935, https://hackerone.com/reports/161935, Usernames ending in .json are not restricted, informative
161947, https://hackerone.com/reports/161947, Lack of length validation on user address attribute, resolved
161991, https://hackerone.com/reports/161991, Open Redirect possible in https://www.shopify.com/admin/, resolved
162147, https://hackerone.com/reports/162147, Boards leak private label names and desciptions, resolved
162199, https://hackerone.com/reports/162199, Lack of payment type validation in dial.uber.com allows for free rides, resolved
162296, https://hackerone.com/reports/162296, XSS and HTML Injection https://sharjah.dubizzle.com/, resolved
162336, https://hackerone.com/reports/162336, x-xss protection header is not set in response header, informative
162809, https://hackerone.com/reports/162809, Changing paymentProfileUuid when booking a trip allows free rides, resolved
162822, https://hackerone.com/reports/162822, Fetch private list metadata and any user's personal name, resolved
162955, https://hackerone.com/reports/162955, Code Injection in Slack's Windows Desktop Client leads to Privilege Escalation, resolved
163087, https://hackerone.com/reports/163087, use of uninitialized variables in operator.methodcaller, resolved
163106, https://hackerone.com/reports/163106, Information Disclosure of .htaccess file in Private Server/Subdomain, resolved
163124, https://hackerone.com/reports/163124, [skyliner.io / qa.skyliner.io] Open Redirect, duplicate
163131, https://hackerone.com/reports/163131, Users contents on AWS  is cacheable , resolved
163156, https://hackerone.com/reports/163156, Email Spoofing With Your Website's Email, duplicate
163227, https://hackerone.com/reports/163227, Cookie Misconfiguration, duplicate
163272, https://hackerone.com/reports/163272, OPEN URL REDIRECT through PNG files, resolved
163292, https://hackerone.com/reports/163292, Subtile Code Injection Vulnerability in Dropbox for Windows, resolved
163307, https://hackerone.com/reports/163307, WordPress Authentication Denial of Service, resolved
163338, https://hackerone.com/reports/163338, \OCA\DAV\CardDAV\ImageExportPlugin allows serving arbitrary data with user-defined or empty mimetype, resolved
163342, https://hackerone.com/reports/163342, Expired SSL certificate , resolved
163381, https://hackerone.com/reports/163381, Session  hijacking attack, not-applicable
163421, https://hackerone.com/reports/163421, Wordpress: Directory Traversal / Denial of Serivce, resolved
163459, https://hackerone.com/reports/163459, potential memory corruption in or/buffers.c (particularly on 32 bit), resolved
163464, https://hackerone.com/reports/163464, User Information sent to client through websockets, resolved
163467, https://hackerone.com/reports/163467, User Information leak allows user to bypass email verification., resolved
163475, https://hackerone.com/reports/163475, Email spoofing possible via Legal Robot domain, informative
163476, https://hackerone.com/reports/163476, Information Disclosure in AWS S3 Bucket, resolved
163491, https://hackerone.com/reports/163491, CORS (Cross-Origin Resource Sharing), resolved
163501, https://hackerone.com/reports/163501, Email spoofing-fake mail from your mail domain server , informative
163526, https://hackerone.com/reports/163526, Email Spoofing, duplicate
163547, https://hackerone.com/reports/163547, Java RMI (Remote Code Execution), informative
163599, https://hackerone.com/reports/163599, Amazon Bucket Accessible (http://legalrobot.s3.amazonaws.com/), not-applicable
163646, https://hackerone.com/reports/163646, Clickjacking: X-Frame-Options header missing, duplicate
163676, https://hackerone.com/reports/163676,  Legal | Application is Missing CSP(Content Security Policy) Header , resolved
163677, https://hackerone.com/reports/163677, 2 vulns , informative
163730, https://hackerone.com/reports/163730, News Feed Detected , spam
163753, https://hackerone.com/reports/163753, UI Redressing ( ClickJacking ) Issue on Information submit form , duplicate
163812, https://hackerone.com/reports/163812, Insecure Transportation Security Protocol Supported (TLS 1.0), informative
163815, https://hackerone.com/reports/163815, Lack of CSRF token validation at server side, informative
163820, https://hackerone.com/reports/163820, Sensitive information/action is stored/done is done using a GET request, resolved
163823, https://hackerone.com/reports/163823, Slow Http attack on nextcloud(DOS), resolved
163834, https://hackerone.com/reports/163834, Обход 2ух-шаговой авторизации / 2FA Bypass, resolved
163885, https://hackerone.com/reports/163885, unsecured legalrobot.co.uk assets, resolved
163888, https://hackerone.com/reports/163888, Click Jacking, duplicate
163904, https://hackerone.com/reports/163904, Username can be used to trick the victim on the name of www.gratipay.com, informative
163938, https://hackerone.com/reports/163938, Snooping into messages via email service, resolved
163949, https://hackerone.com/reports/163949, Username Restriction is not applied for reserved folders, informative
164027, https://hackerone.com/reports/164027, Reflected Self-XSS Vulnerability in the Comment section of Files Information, resolved
164137, https://hackerone.com/reports/164137, Possible content spoofing due to missing error page, resolved
164152, https://hackerone.com/reports/164152, [ibank.qiwi.ru] XSS via Request-URI, resolved
164153, https://hackerone.com/reports/164153, [ibank.qiwi.ru] UI Redressing via Request-URI, resolved
164168, https://hackerone.com/reports/164168, [qiwi.com] Information Disclosure, resolved
164224, https://hackerone.com/reports/164224, Urgent: Server side template injection via Smarty template allows for RCE, resolved
164239, https://hackerone.com/reports/164239, NON VALIDATION OF SESSIONS AFTER PASSWORD CHANGE, duplicate
164419, https://hackerone.com/reports/164419, Non-secure requests are not automatically upgraded to HTTPS, informative
164483, https://hackerone.com/reports/164483, link reset problem, not-applicable
164515, https://hackerone.com/reports/164515, Project Manager can approve pending reports(Access control Issue), resolved
164520, https://hackerone.com/reports/164520, Reflected Self-XSS Vulnerability in the Comment section of Files (Different-payloads), duplicate
164546, https://hackerone.com/reports/164546, CSRF bypass on Submit Time sheet for Approval, resolved
164648, https://hackerone.com/reports/164648, Missing access control at password change, resolved
164656, https://hackerone.com/reports/164656, [contact-sys.com] XSS via Request-URI, resolved
164662, https://hackerone.com/reports/164662, [wallet.rapida.ru] XSS Cookie flashcookie, resolved
164674, https://hackerone.com/reports/164674, CSV Injection in Camptix, resolved
164684, https://hackerone.com/reports/164684, [lk.contact-sys.com] SQL Injection reset_password FP_LK_USER_LOGIN, resolved
164687, https://hackerone.com/reports/164687, Validation bypass on user profile, resolved
164704, https://hackerone.com/reports/164704, [contact-sys.com] XSS /ajax/transfer/status trn param, resolved
164821, https://hackerone.com/reports/164821, OX Guard: DOM Based Cross-Site Scripting (#2), resolved
164833, https://hackerone.com/reports/164833, Hyperlink Injection in Friend Invitation Emails, resolved
164895, https://hackerone.com/reports/164895, Open redirection protection bypass (/cs/Satellite), resolved
164922, https://hackerone.com/reports/164922, XSS found In Your Web, informative
164933, https://hackerone.com/reports/164933, [lk.contact-sys.com] LKlang Path Traversal, resolved
164945, https://hackerone.com/reports/164945, [contact-sys.com] SQL Injection████ limit param, resolved
165046, https://hackerone.com/reports/165046, Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor, resolved
165048, https://hackerone.com/reports/165048, Access to Splunk via shard3-db2.ec2.shopify.com endpoint, resolved
165131, https://hackerone.com/reports/165131, Seemingly sensitive information at /api/v2/zones, resolved
165154, https://hackerone.com/reports/165154, Additional information for CVE-2016-5699, resolved
165219, https://hackerone.com/reports/165219, [id.rapida.ru] Full Path Disclosure, resolved
165229, https://hackerone.com/reports/165229, Nextcloud 10.0 privilege escalation issue - Normal user can mask external storage shared by admin    , resolved
165275, https://hackerone.com/reports/165275, OX (Guard): Stored Cross-Site Scripting via Email Attachment, resolved
165309, https://hackerone.com/reports/165309, Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly , resolved
165324, https://hackerone.com/reports/165324, XSS on expenses attachments, resolved
165353, https://hackerone.com/reports/165353, **minor issue ** -Nextcloud 10.0 session issue with desktop client and android client, resolved
165542, https://hackerone.com/reports/165542, clickjacking at http://mailboxes.legalrobot-uat.com/, not-applicable
165561, https://hackerone.com/reports/165561, Physical Access to Mobile App Allows Local Attribute Updates without Authentication, resolved
165686, https://hackerone.com/reports/165686, Reflected XSS in Gallery App, resolved
165727, https://hackerone.com/reports/165727, Rate-limit bypass, resolved
165854, https://hackerone.com/reports/165854, Bypassing Phone Verification For Posting AD On OLX, informative
165862, https://hackerone.com/reports/165862, Invoices can be added to any retainers - even closs-platform, resolved
165894, https://hackerone.com/reports/165894, User Enumeration. , informative
165923, https://hackerone.com/reports/165923, No csrf protection on logout, informative
165930, https://hackerone.com/reports/165930, PHP info page disclosure on http://www.day.dk/, resolved
165969, https://hackerone.com/reports/165969, The “Malstaller” Attack, global hijacking of any installation process to achieve RCE with elevated privileges, Windows OS (vendor agnostic) , resolved
166080, https://hackerone.com/reports/166080, null pointer dereference in set_conversion_mode due uncheck _ctypes_conversion_errors, resolved
166231, https://hackerone.com/reports/166231, CSRF Issue, informative
166265, https://hackerone.com/reports/166265, Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot, resolved
166581, https://hackerone.com/reports/166581, Privilege escalation - Normal user can somehow make admin to delete shared folders, resolved
166661, https://hackerone.com/reports/166661, Arbitrary heap overread in strscan on 32 bit Ruby, patch included, resolved
166682, https://hackerone.com/reports/166682, Denial of Service through set_preference.json, resolved
166694, https://hackerone.com/reports/166694, xss in Theme http://bztfashion.booztx.com, resolved
166699, https://hackerone.com/reports/166699, Reflected xss on websummit.net, resolved
166709, https://hackerone.com/reports/166709, Self-XSS via location cookie city field when getting suggestions for a new location, informative
166712, https://hackerone.com/reports/166712, Android app does not use SSL for login, informative
166826, https://hackerone.com/reports/166826, Potential Subdomain Takeover Possible, resolved
166849, https://hackerone.com/reports/166849, IDOR(indirect object references) on add friend,complement and send message , not-applicable
166861, https://hackerone.com/reports/166861, AWS hosting bucket for Legal Robots set as public browse and list contents: s3://legalrobot, not-applicable
166887, https://hackerone.com/reports/166887, Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline, resolved
167036, https://hackerone.com/reports/167036, Ngnix Server version disclosure 404 Page!, informative
167041, https://hackerone.com/reports/167041, Server version disclosure, resolved
167075, https://hackerone.com/reports/167075, XSS in SHOPIFY: Unsanitized Supplier Name  can lead to XSS in Transfers Timeline, resolved
167107, https://hackerone.com/reports/167107, XSS and Open Redirect on https://jobs.dubizzle.com/, resolved
167121, https://hackerone.com/reports/167121, Второй способ обхода 2FA, resolved
167321, https://hackerone.com/reports/167321, XSS, resolved
167380, https://hackerone.com/reports/167380, content spoofing, spam
167460, https://hackerone.com/reports/167460, Session Hijacking , resolved
167481, https://hackerone.com/reports/167481, Android - Possible to intercept broadcasts about uploaded files, resolved
167510, https://hackerone.com/reports/167510, CVE-2016-5157 OpenJPEG opj_dwt_interleave_v Out-of-Bounds Write Vulnerability, resolved
167512, https://hackerone.com/reports/167512, CVE-2016-7163 OpenJPEG opj_pi_create_decode Integer Overflow Vulnerability, resolved
167582, https://hackerone.com/reports/167582, Disclosure of private photos/albums - http://www.pornhub.com/album/show_image_box, resolved
167585, https://hackerone.com/reports/167585, Unsecured Grafana instance, resolved
167631, https://hackerone.com/reports/167631, Host header poisoning leads to account password reset links hijacking, duplicate
167688, https://hackerone.com/reports/167688, msilib.OpenDatabase Type Confusion, resolved
167698, https://hackerone.com/reports/167698, Broken Authentication and Session Management(Session Fixation), duplicate
167731, https://hackerone.com/reports/167731, Make victim buy in attacker's account without any idea - http://www.booztlet.com/, resolved
167809, https://hackerone.com/reports/167809, HOST HEADER INJECTION in rpm.newrelic.com , duplicate
167828, https://hackerone.com/reports/167828, Ability to enumerate private programs using SAML, resolved
167846, https://hackerone.com/reports/167846, Deleted Post and Administrative Function Access in eCommerce Forum, resolved
167859, https://hackerone.com/reports/167859, Base alpha version code exposure, resolved
167888, https://hackerone.com/reports/167888, Uninitialized Thumbail Data Leads To Memory Leakage in exif_process_IFD_in_TIFF, resolved
167895, https://hackerone.com/reports/167895, Out of bound when verify signature of zip phar in phar_parse_zipfile, resolved
167896, https://hackerone.com/reports/167896, Out of bound when verify signature of tar phar in phar_parse_tarfile, resolved
167901, https://hackerone.com/reports/167901, integer overflow in pg_escape_string caused heap corruption, resolved
167902, https://hackerone.com/reports/167902, integer overflow in php_ldap_do_escape caused heap corruption, resolved
167903, https://hackerone.com/reports/167903,  integer overflow in str_pad caused heap corruption, resolved
167904, https://hackerone.com/reports/167904, heap overflow in substr_replace, resolved
167905, https://hackerone.com/reports/167905, integer overflow in pg_escape_bytea caused heap corruption, resolved
167906, https://hackerone.com/reports/167906, integer overflow in imap_binary caused heap corruption, resolved
167907, https://hackerone.com/reports/167907, integer overflow in preg_quote caused heap corruption, resolved
167908, https://hackerone.com/reports/167908, integer overflow in fgets cause heap corruption, resolved
167909, https://hackerone.com/reports/167909, integer overflow in recode_string caused heap corruption, resolved
167910, https://hackerone.com/reports/167910, memory corruption in wordwrap function, resolved
167911, https://hackerone.com/reports/167911, integer overflow in fgetcsv caused heap corruption, resolved
167921, https://hackerone.com/reports/167921, integer overflow in xml_utf8_encode, resolved
167931, https://hackerone.com/reports/167931, Memory Corruption in During Deserialized-object Destruction, resolved
167947, https://hackerone.com/reports/167947, CVE-2016-3183 OpenJPEG sycc422_to_rgb Out-of-Bounds Read Vulnerability, resolved
167953, https://hackerone.com/reports/167953, CVE-2016-3182 OpenJPEG color_esycc_to_rgb Out-of-Bounds Read Vulnerability, resolved
167955, https://hackerone.com/reports/167955, CVE-2016-4796 OpenJPEG color_cmyk_to_rgb Out-of-Bounds Read Vulnerability, resolved
167957, https://hackerone.com/reports/167957, CVE-2016-1924 OpenJPEG opj_tgt_reset Out-of-Bounds Read Vulnerability, resolved
167977, https://hackerone.com/reports/167977, Missing type check when unserializing SplArray, resolved
168027, https://hackerone.com/reports/168027, gzdecode does NOT check output string size which leads to an overflow, resolved
168028, https://hackerone.com/reports/168028, gzuncompress does NOT check output string size which leads to an overflow, resolved
168029, https://hackerone.com/reports/168029, ldap_escape could produce string larger than 2Gb, resolved
168078, https://hackerone.com/reports/168078, Content Spoofing possible in concrete5.org, resolved
168108, https://hackerone.com/reports/168108, SSO Authentication Bypass, resolved
168116, https://hackerone.com/reports/168116, Insufficient validation on Digits bridge, resolved
168223, https://hackerone.com/reports/168223, User Information sent to client through websockets, informative
168254, https://hackerone.com/reports/168254, Http header injection, duplicate
168289, https://hackerone.com/reports/168289, coinbase Email leak while sending and requesting, informative
168293, https://hackerone.com/reports/168293, Not clearing hex-decoded variable after usage in Authentication, informative
168358, https://hackerone.com/reports/168358, Clickjacking: X-Frame Header Missing, informative
168453, https://hackerone.com/reports/168453, Users can falsely declare their own Uber account info on the monthly billing application, resolved
168458, https://hackerone.com/reports/168458, Stored XSS in https://productreviews.shopifyapps.com/proxy/v4/reviews/product, resolved
168476, https://hackerone.com/reports/168476, Incoming email hijacking on sc-cdn.net, resolved
168485, https://hackerone.com/reports/168485, Exposed, outdated nginx server (v1.4.6) potentially vulnerable to heap-based buffer overflow & RCE, resolved
168509, https://hackerone.com/reports/168509, Information leakage on https://docs.gdax.com, resolved
168538, https://hackerone.com/reports/168538, Twitter iOS fails to validate server certificate and sends oauth token, resolved
168574, https://hackerone.com/reports/168574, CORS Misconfiguration on www.zomato.com, resolved
169625, https://hackerone.com/reports/169625, Stored XSS in buy topup OLX Gold Credits , resolved
169680, https://hackerone.com/reports/169680, Bypass permissions, resolved
169699, https://hackerone.com/reports/169699, CSRF in the "Add restaurant picture" function, resolved
169704, https://hackerone.com/reports/169704, DNSSEC misconfiguration, informative
169751, https://hackerone.com/reports/169751, Stored XSS in albums on http://m.imgur.com/, resolved
169759, https://hackerone.com/reports/169759, Open redirect in bulk edit, resolved
169992, https://hackerone.com/reports/169992, Email information leakage for certain addresses, resolved
170052, https://hackerone.com/reports/170052, AWS Signature Disclosure in www.digitalsellz.com allows access to S3, resolved
170138, https://hackerone.com/reports/170138, SEH buffer overflow msgfmt_format_message, resolved
170144, https://hackerone.com/reports/170144, wddx_deserialize use-after-free, resolved
170149, https://hackerone.com/reports/170149, Time-based sql-injection на https://puzzle.mail.ru, resolved
170156, https://hackerone.com/reports/170156, Reflected XSS in Step 2 of the Installation, resolved
170161, https://hackerone.com/reports/170161, Password reset token not expiring, resolved
170241, https://hackerone.com/reports/170241, Stored Xss in rpm.newrelic.com, resolved
170260, https://hackerone.com/reports/170260, imap_rfc822_parse_headers GS Violation, resolved
170295, https://hackerone.com/reports/170295, Access to Amazon S3 bucket, duplicate
170333, https://hackerone.com/reports/170333, Host Header Injection/Redirection, duplicate
170369, https://hackerone.com/reports/170369, [kb.informatica.com] Stored XSS, resolved
170398, https://hackerone.com/reports/170398, ADB Backup is enabled within AndroidManifest, duplicate
170532, https://hackerone.com/reports/170532, Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite), resolved
170548, https://hackerone.com/reports/170548, Ruby OpenSSL Library - IV Reuse in GCM Mode, resolved
170552, https://hackerone.com/reports/170552, Slack integration setup lacks CSRF protection, resolved
170618, https://hackerone.com/reports/170618, CVE-2016-7418 PHP Out-Of-Bounds Read in php_wddx_push_element, resolved
170619, https://hackerone.com/reports/170619, PHP Integer Overflow in gdImageWebpCtx, resolved
170748, https://hackerone.com/reports/170748, RCE,SQL,Vulnerability + Exploit Method., not-applicable
170894, https://hackerone.com/reports/170894, Facebook and twitter page claimed of maximum.com [important], resolved
171048, https://hackerone.com/reports/171048, Full path disclosure vulnerability at http://corporate.olx.ph, resolved
171130, https://hackerone.com/reports/171130, Missing function level access controls allowing attacker to abuse file access controls. Multiple vulnerabilities, informative
171205, https://hackerone.com/reports/171205, No rate limit for Referral Program, resolved
171272, https://hackerone.com/reports/171272, Accessable Htaccess, resolved
171337, https://hackerone.com/reports/171337, Near-duplicate accounts allowed with ignored email mutations, resolved
171398, https://hackerone.com/reports/171398, (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation, resolved
171473, https://hackerone.com/reports/171473, HTTP Response Splitting(CRLF injection) in bi.owox.com, resolved
171497, https://hackerone.com/reports/171497, Content spoofing in lookup.nextcloud.com, resolved
171593, https://hackerone.com/reports/171593, Malicious Server can force read any file on clients system with default configuration in MySQL Clients, resolved
171670, https://hackerone.com/reports/171670, Link sanitation bypass in xss_clean() , resolved
171879, https://hackerone.com/reports/171879, Cloudflare issue: Error 521 Ray ID: 2e7ea7f706ea4056 • 2016-09-25 12:59:55 UTC Web server is down, informative
171917, https://hackerone.com/reports/171917, Name, email, phone and more disclosure on user ID (API), resolved
172115, https://hackerone.com/reports/172115, Multiple use after frees in obj2ast_* methods, resolved
172137, https://hackerone.com/reports/172137, Authentication bypass on sso.ubnt.com via subdomain takeover of ping.ubnt.com, duplicate
172289, https://hackerone.com/reports/172289, HackerOne Integrations Design Issue, resolved
172296, https://hackerone.com/reports/172296, Information Disclosure on rate limit defense mechanism, resolved
172403, https://hackerone.com/reports/172403, Python 2.7 32-bit JSON encoding heap corruption, resolved
172411, https://hackerone.com/reports/172411, Heap overflow caused by type confusion vulnerability in merge_param(), resolved
172545, https://hackerone.com/reports/172545, IDOR - Ability to view unlisted products, resolved
172549, https://hackerone.com/reports/172549, Possible Blind Writing to S3 Bucket, resolved
172562, https://hackerone.com/reports/172562, LZMADecompressor.decompress Use After Free, resolved
172574, https://hackerone.com/reports/172574, Follow Button XSS, resolved
172606, https://hackerone.com/reports/172606, Google Authenticator - Cross Site Scripting, not-applicable
172609, https://hackerone.com/reports/172609, Google Authenticator0.6 - PHP Version Dosclosure, not-applicable
172618, https://hackerone.com/reports/172618, All Plugins - Direct file access to plugin files Vulnerability, duplicate
172694, https://hackerone.com/reports/172694, Critical : Malware and XSS file can be uploaded and executed on udemy, informative
172698, https://hackerone.com/reports/172698, Subdomain take over signup.websummit, resolved
172707, https://hackerone.com/reports/172707, Udemy s3 storage can be used by an attacker personal website because of missing CSRF Token, informative
172711, https://hackerone.com/reports/172711, Content Spoofing in udemy, resolved
172733, https://hackerone.com/reports/172733, Add signature to transactions without any permission, resolved
172746, https://hackerone.com/reports/172746, WebSummit - Open Redirect , resolved
172780, https://hackerone.com/reports/172780, out of date disqus shortname usage in the web app source code, resolved
172809, https://hackerone.com/reports/172809, Flash XSS on global nav, resolved
172821, https://hackerone.com/reports/172821, Flash XSS on homepage fliptilescroller, resolved
172837, https://hackerone.com/reports/172837, password less login token expiration issue, resolved
172843, https://hackerone.com/reports/172843, DOM based reflected XSS in rockstargames.com/newswire/tags through cross domain ajax request, resolved
172933, https://hackerone.com/reports/172933, IDNs displayed in unicode in messages/about/talk sections (Homograph Attack), resolved
173043, https://hackerone.com/reports/173043, Bypassing "You've requested your data the maximum number of times today." + "Please Verify an email address with snapchat to continue" , resolved
173175, https://hackerone.com/reports/173175, Obtain the username & the uid of the one doing the S3 sync on Hackerone, resolved
173195, https://hackerone.com/reports/173195, Bypass 8 chars password complexity with 6 chars only due to insecure password reset functionaliy, resolved
173251, https://hackerone.com/reports/173251, Password Reset emails missing TLS leads account takeover, resolved
173268, https://hackerone.com/reports/173268, Login credentials transmitted in cleartext on index.rubygems.org, resolved
173412, https://hackerone.com/reports/173412, Full Sub Domain Takeover at s3.websummit.net, resolved
173417, https://hackerone.com/reports/173417, Possilbe Sub Domain takever at prestashop.algolia.com, resolved
173501, https://hackerone.com/reports/173501, Stored XSS on Admin Access Page - Email field, resolved
173551, https://hackerone.com/reports/173551, password reset token leaking allowed for ATO of an Uber account, resolved
173622, https://hackerone.com/reports/173622, Bypassing quota limit , resolved
173681, https://hackerone.com/reports/173681, [CRITICAL]-Taking over entire subdomain of romit.io, resolved
173721, https://hackerone.com/reports/173721, Bad content-type in response header when getting document can lead to html injection, resolved
173811, https://hackerone.com/reports/173811, Git available containing passwords. , resolved
173972, https://hackerone.com/reports/173972, web.xml configuration file disclosure, resolved
174069, https://hackerone.com/reports/174069, Buffer overflow in HTTP parse_hostinfo(), parse_userinfo() and parse_scheme(), resolved
174228, https://hackerone.com/reports/174228, CSRF csrftoken in cookies, informative
174395, https://hackerone.com/reports/174395, Full Sub Domain Takeover at wx.zopim.net, resolved
174404, https://hackerone.com/reports/174404, private passenger information is exposed to the Uber Driver app during ride dispatch ("Ping") events, resolved
174449, https://hackerone.com/reports/174449, Researcher gets email updates on a private program after he/she quits that program., resolved
174470, https://hackerone.com/reports/174470, Possible CSRF during external programs, resolved
174474, https://hackerone.com/reports/174474, Cookie Injection at 'harvestapp.com', resolved
174524, https://hackerone.com/reports/174524, Filename enumeration && DoS, resolved
174632, https://hackerone.com/reports/174632, Information disclosure in mmap module - python 2.7.12, resolved
174645, https://hackerone.com/reports/174645, Existence of Folder path by guessing the path through response, resolved
174668, https://hackerone.com/reports/174668, No rate-limit in SERVER_SECURITY_CHECK, resolved
174721, https://hackerone.com/reports/174721, View liked twits of private account via publish.twitter.com, resolved
174871, https://hackerone.com/reports/174871, Linking Invoice to uninvited project., resolved
174882, https://hackerone.com/reports/174882, Requesting Show CheckIn Alert for Non Friend User, resolved
174896, https://hackerone.com/reports/174896, Dav sharing permissions issue, resolved
174909, https://hackerone.com/reports/174909, Reflected Cross site scripting, informative
175061, https://hackerone.com/reports/175061, Information Disclosure on stun.screenhero.com, resolved
175070, https://hackerone.com/reports/175070, Subdomain takeover on rider.uber.com due to non-existent distribution on Cloudfront, resolved
175085, https://hackerone.com/reports/175085, URI scheme bypass in mail app lead to HTML content spoof and opener control, resolved
175091, https://hackerone.com/reports/175091, chain.__setstate__ Type Confusion, resolved
175122, https://hackerone.com/reports/175122, Public profile is vulnerable to stored XSS / Facebook Token can be stolen, resolved
175230, https://hackerone.com/reports/175230, Double-free in X509 parsing, resolved
175260, https://hackerone.com/reports/175260, missing NULL check in dom_document_save_html, resolved
175262, https://hackerone.com/reports/175262, NULL pointer dereference in SimpleXMLElement::asXML(), resolved
175263, https://hackerone.com/reports/175263, crash in openssl_random_pseudo_bytes function, resolved
175264, https://hackerone.com/reports/175264, heap overflow in php_ereg_replace function, resolved
175286, https://hackerone.com/reports/175286, Homograph attack, resolved
175310, https://hackerone.com/reports/175310, Write out-of-bounds at number_format, resolved
175311, https://hackerone.com/reports/175311, memcpy negative size parameter in php_resolve_path, resolved
175312, https://hackerone.com/reports/175312, memcpy negative parameter _bc_new_num_ex, resolved
175315, https://hackerone.com/reports/175315, Illegal write access through Locale methods, resolved
175316, https://hackerone.com/reports/175316, stack-buffer-overflow through "ResourceBundle" methods, resolved
175320, https://hackerone.com/reports/175320, 2 Directory Listing on ledger.brave.com & vault-staging.brave.com, resolved
175366, https://hackerone.com/reports/175366, Brave: Admin Panel Access, informative
175397, https://hackerone.com/reports/175397, Subdomain Takeover of Brave.com, duplicate
175403, https://hackerone.com/reports/175403, [website] Script injection in newsletter signup https://brave.com/brave_youth_program_signup.html, resolved
175410, https://hackerone.com/reports/175410, Reflected XSS at m.olx.ph, resolved
175451, https://hackerone.com/reports/175451, Full Path Disclosure at 27.prd.vine.co, resolved
175529, https://hackerone.com/reports/175529, URI Obfuscation, resolved
175587, https://hackerone.com/reports/175587, Stack Buffer Overflow in GD dynamicGetbuf, resolved
175701, https://hackerone.com/reports/175701, Status Bar Obfuscation, resolved
175760, https://hackerone.com/reports/175760, Directory Listing of all the resource files of olx.com.eg , resolved
175766, https://hackerone.com/reports/175766, Remote client memory corruption in ssl_add_clienthello_tlsext(), resolved
175779, https://hackerone.com/reports/175779, Address Bar Spoofing - Already resolved - Retroactive report, resolved
175801, https://hackerone.com/reports/175801, Reflected XSS in OLX.in, resolved
175958, https://hackerone.com/reports/175958, [iOS/Android] Address Bar Spoofing Vulnerability , resolved
175982, https://hackerone.com/reports/175982, Use-after-free in unserialize(), resolved
176002, https://hackerone.com/reports/176002, Information disclosure of user by email using buy widget, resolved
176013, https://hackerone.com/reports/176013, Disclosure of sensitive information through Google Cloud Storage bucket, resolved
176042, https://hackerone.com/reports/176042, Error Page Text Injection, informative
176065, https://hackerone.com/reports/176065, [Android] HTML Injection in BatterySaveArticleRenderer WebView, resolved
176066, https://hackerone.com/reports/176066, Denial of service attack on Brave Browser., resolved
176083, https://hackerone.com/reports/176083, JavaScript URL Issues in the latest version of Brave Browser, informative
176116, https://hackerone.com/reports/176116, Weak Forgot Password implementation, resolved
176127, https://hackerone.com/reports/176127, race condition in adding team members, resolved
176159, https://hackerone.com/reports/176159, [iOS] URI Obfuscation in iOS application, informative
176197, https://hackerone.com/reports/176197, Denial of service attack(window object) on brave browser, resolved
176226, https://hackerone.com/reports/176226, CachingIterator null dereference when convert to string, resolved
176279, https://hackerone.com/reports/176279, Heap overflow in mysqlnd related to BIT fields (CVE-2016-7412), resolved
176308, https://hackerone.com/reports/176308, Wordpress.com REST API oauth bypass via Cross Site Flashing, resolved
176364, https://hackerone.com/reports/176364, DOS in browser using window.print() function, informative
176477, https://hackerone.com/reports/176477, XSS (Reflected), informative
176494, https://hackerone.com/reports/176494, Hyperlink Injection on adding active users, informative
176599, https://hackerone.com/reports/176599, No CAPTCHA ia exist in pages, informative
176698, https://hackerone.com/reports/176698, Reflective XSS, resolved
176754, https://hackerone.com/reports/176754,  Cross-site scripting (reflected), resolved
176899, https://hackerone.com/reports/176899, Editing a project (LIMITED), resolved
176929, https://hackerone.com/reports/176929, [ios] Address bar spoofing in Brave for iOS, resolved
176979, https://hackerone.com/reports/176979, Authentication Issue, resolved
177184, https://hackerone.com/reports/177184, invalid homepage URL causes 'uncaught typeerror' or blank state, resolved
177225, https://hackerone.com/reports/177225, Email Server Compromised at secure.lahitapiola.fi, resolved
177230, https://hackerone.com/reports/177230, Reflective XSS at m.olx.ph, resolved
177335, https://hackerone.com/reports/177335, Content spoofing due to the improper behavior of the 403 page in Private Server, resolved
177472, https://hackerone.com/reports/177472, CSRF: add item to victim's cart automatically (starbucks.com - updatecart), resolved
177484, https://hackerone.com/reports/177484, Information disclosure via policy update notifications after removal from program, resolved
177485, https://hackerone.com/reports/177485, Open Redirect , resolved
177508, https://hackerone.com/reports/177508, Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module. (wishlist-comments), resolved
177523, https://hackerone.com/reports/177523, Lahitapiola´s customer names send to 3rd party, resolved
177551, https://hackerone.com/reports/177551, SMS/Call spamming due to truncated phone number, resolved
177619, https://hackerone.com/reports/177619, Reflective XSS at dubai.dubizzle.com, resolved
177624, https://hackerone.com/reports/177624, Unvalidated redirect on team.badoo.com, resolved
177635, https://hackerone.com/reports/177635, CSRF vulnerability in saving payment card on store.starbucks.com (COBilling -AddCreditCard), resolved
177639, https://hackerone.com/reports/177639, CSRF exploit | Adding/Editing comment of wishlist items (teavana.com - Wishlist-Comments), resolved
177713, https://hackerone.com/reports/177713, xss on demo.nextcloud.com due to outdated version, resolved
177757, https://hackerone.com/reports/177757, Stored XSS in Restoring Archived Tasks, resolved
177943, https://hackerone.com/reports/177943, Reflective XSS, resolved
178049, https://hackerone.com/reports/178049, Раскрытие баланса на //kopilka.qiwi.com, resolved
178057, https://hackerone.com/reports/178057, [ipm.informatica.com] Sql injection Oracle , resolved
178094, https://hackerone.com/reports/178094, php_snmp_parse_oid integer overflow in memory allocation, resolved
178144, https://hackerone.com/reports/178144, imagecropauto out-of-bounds access, resolved
178184, https://hackerone.com/reports/178184, SSRF in https://cards-dev.twitter.com/validator, resolved
178241, https://hackerone.com/reports/178241, [allods.mail.ru] Cross-Site Request Forgery (Add-Item), resolved
178253, https://hackerone.com/reports/178253, [pokerist.mail.ru] XSS Request-URI, resolved
178278, https://hackerone.com/reports/178278, [parc.informatica.com] Reflected Cross Site Scripting and Open Redirect, resolved
178279, https://hackerone.com/reports/178279, [hs.mail.ru] CRLF Injection / XSS, resolved
178281, https://hackerone.com/reports/178281, [hs.mail.ru] XSS play_now.php, resolved
178284, https://hackerone.com/reports/178284, [vitrina.contact-sys.com] Full Path Disclosure, resolved
178293, https://hackerone.com/reports/178293, Misconfiguration in Two Factor Authorisation, resolved
178345, https://hackerone.com/reports/178345, Limited Open redirection using SSO-SAML, resolved
178384, https://hackerone.com/reports/178384, CSRF in delete advertisement on olx.com.eg, resolved
178409, https://hackerone.com/reports/178409, Possible Subdomain Takeover at http://production.s3.rubygems.org/ pointing to Fastly , resolved
178503, https://hackerone.com/reports/178503, ability to retrieve a user's phone-number/email for a given inviteCode, resolved
178506, https://hackerone.com/reports/178506, Access private list metadata, resolved
178537, https://hackerone.com/reports/178537, Potential sub-domain hijacking, resolved
178567, https://hackerone.com/reports/178567, Arbitrary modification value "session" (Cookie) in badoo.com, resolved
178611, https://hackerone.com/reports/178611, Reflected XSS on Zones > Invocation Code, resolved
178632, https://hackerone.com/reports/178632, [afocusp.informatica.com] Sql injection  afocusp.informatica.com:37777, resolved
178742, https://hackerone.com/reports/178742, Leave inaccessible messaging system with a message (https://us1.badoo.com), resolved
178831, https://hackerone.com/reports/178831, CSRF on signup endpoint (auto-api.yelp.com), resolved
178990, https://hackerone.com/reports/178990, The websocket traffic is not secure enough, informative
179021, https://hackerone.com/reports/179021, Possible content spoofing due to missing error page, informative
179034, https://hackerone.com/reports/179034, [Airship CMS] Local File Inclusion - RST Parser, resolved
179073, https://hackerone.com/reports/179073, Content Spoofing in "files" app, resolved
179103, https://hackerone.com/reports/179103, Unauthenticated Docker registry, resolved
179121, https://hackerone.com/reports/179121, Information disclosure of website, informative
179164, https://hackerone.com/reports/179164, Stored XSS in community.ubnt.com, resolved
179217, https://hackerone.com/reports/179217, server version dislosure, resolved
179248, https://hackerone.com/reports/179248, Denial of service(POP UP Recursion) on Brave browser, duplicate
179421, https://hackerone.com/reports/179421, Новый 2FA Bypass, resolved
179426, https://hackerone.com/reports/179426, Reflected XSS on blockchain.info, resolved
179559, https://hackerone.com/reports/179559, Stored XSS in Template Documents, resolved
179568, https://hackerone.com/reports/179568, Tab nabbing via window.opener, resolved
179599, https://hackerone.com/reports/179599, Information disclosure at https://blockchain.atlassian.net, resolved
179695, https://hackerone.com/reports/179695, XSS via unicode characters in upload filename, resolved
179701, https://hackerone.com/reports/179701, username enumeration , informative
179732, https://hackerone.com/reports/179732, [Yelp Blog] Backslash in search string causes JS error, informative
179826, https://hackerone.com/reports/179826, Flash XSS on Buick_RotatingMasthead_JellyBeanSlider.swf, resolved
179839, https://hackerone.com/reports/179839, ClickJacking , duplicate
179920, https://hackerone.com/reports/179920, WordPress DB Class, bad implementation of prepare method guides to sqli and information disclosure, resolved
179986, https://hackerone.com/reports/179986, Exposed API-key allows to control nightly builds of firmwares (█████████ & ████████), resolved
180037, https://hackerone.com/reports/180037, Selecting encryption for email with drive attachment overrides the drive email password, resolved
180109, https://hackerone.com/reports/180109, crash in gzcompress and 3 other compress functions, resolved
180110, https://hackerone.com/reports/180110, crash in implode() function, resolved
180111, https://hackerone.com/reports/180111, crash in bzcompress function, resolved
180112, https://hackerone.com/reports/180112, iconv() function missing string length check, resolved
180113, https://hackerone.com/reports/180113, crash in get_icu_value_internal function, resolved
180115, https://hackerone.com/reports/180115, crash in locale_get_keywords() when keyword value in locale string too long, resolved
180116, https://hackerone.com/reports/180116, another crash in locale_get_keywords function, resolved
180196, https://hackerone.com/reports/180196, Host header Injection rubygems.org, not-applicable
180253, https://hackerone.com/reports/180253, Reflected Cross-Site Scripting due to vulnerable Flash component (Flashmediaelement.swf), resolved
180346, https://hackerone.com/reports/180346, Nginx server version disclosure on engineeringblog, informative
180349, https://hackerone.com/reports/180349, Android SDK - CREATE_REQUEST broascast is unprotected, resolved
180393, https://hackerone.com/reports/180393, Subdomain Takeover, not-applicable
180397, https://hackerone.com/reports/180397, Cookie Misconfiguration, duplicate
180434, https://hackerone.com/reports/180434, cURL / libcURL - CVE-2016-8624 invalid URL parsing with '#', resolved
180527, https://hackerone.com/reports/180527, SSRF (open) - via GET request, resolved
180538, https://hackerone.com/reports/180538, X.509 certificate validation fails on international vanity domains, resolved
180548, https://hackerone.com/reports/180548, Missing restriction on string size in profile fields, resolved
180559, https://hackerone.com/reports/180559, Content spoofing on yelp.onelogin, informative
180562, https://hackerone.com/reports/180562, Memory corruption in _php_math_number_format_ex(), resolved
180563, https://hackerone.com/reports/180563, Heap overflow due to integer overflow in bzdecompress() function, resolved
180572, https://hackerone.com/reports/180572, Memory corruption due to missing check size in _php_math_number_format_ex(), resolved
180582, https://hackerone.com/reports/180582, Heap overflow due to integer overflow in php_escape_html_entities_ex() function, resolved
180584, https://hackerone.com/reports/180584, Heap overflow due to integer overflow in pg_escape_string() function, resolved
180588, https://hackerone.com/reports/180588, Invalid memory access in zend_strtod() function, resolved
180589, https://hackerone.com/reports/180589, crash in simplestring_addn function, resolved
180590, https://hackerone.com/reports/180590, Invalid memory access in spl_filesystem_dir_open function, resolved
180591, https://hackerone.com/reports/180591, Invalid memory access in php_basename function, resolved
180592, https://hackerone.com/reports/180592, Invalid memory access in spl_filesystem_info_set_filename function, resolved
180695, https://hackerone.com/reports/180695, ruby DoS https://www.mruby.science, resolved
180814, https://hackerone.com/reports/180814, crash in locale_compose() function, resolved
180895, https://hackerone.com/reports/180895, Password reset access control, resolved
180908, https://hackerone.com/reports/180908, NULL Pointer Dereference in WDDX Packet Deserialization with PDORow, resolved
180909, https://hackerone.com/reports/180909, Use-after-free in ArrayObject Deserialization, resolved
180977, https://hackerone.com/reports/180977, Exception cause SIGABRT, resolved
181061, https://hackerone.com/reports/181061, Remote Stack Overflow Vulnerability (DoS), duplicate
181073, https://hackerone.com/reports/181073, malloc negative size parameter, resolved
181088, https://hackerone.com/reports/181088, Window.opener bug at www.coinbase.com, resolved
181210, https://hackerone.com/reports/181210, Incorrect detection of onion URLs, resolved
181212, https://hackerone.com/reports/181212, Missing GIT tag/commit verification in Docker, informative
181214, https://hackerone.com/reports/181214, Using plain git protocol (vulnerable to MITM), informative
181225, https://hackerone.com/reports/181225, Missing rel=noopener noreferrer in target=_blank links (Phishing attack), resolved
181232, https://hackerone.com/reports/181232, Denial of Service in mruby due to null pointer dereference, resolved
181315, https://hackerone.com/reports/181315, Not using Binary::safe* functions for substr/strlen function, resolved
181319, https://hackerone.com/reports/181319, Memory disclosure in mruby String#lines method, resolved
181321, https://hackerone.com/reports/181321, Use after free vulnerability in mruby Array#to_h causing DOS possible RCE, resolved
181528, https://hackerone.com/reports/181528, Cross site scripting in a subdomain of newrelic.com, resolved
181558, https://hackerone.com/reports/181558, [DOS] denial of service using code snippet on brave browser, resolved
181642, https://hackerone.com/reports/181642, libtiff 4.0.6 heap bufer overflow / out of bounds read (CVE-2016-9273), resolved
181665, https://hackerone.com/reports/181665, Subdomain Takeover (moderator.ubnt.com), resolved
181677, https://hackerone.com/reports/181677, NULL pointer dereference when parsing ternary operators, resolved
181685, https://hackerone.com/reports/181685, Range#initialize_copy null pointer dereference, resolved
181686, https://hackerone.com/reports/181686, [DOS] Browser hangs on loading the code snippet, resolved
181695, https://hackerone.com/reports/181695, Undefined method_missing null pointer dereference, resolved
181748, https://hackerone.com/reports/181748, [IDOR][translate.twitter.com] Opportunity to change any comment at the forum, resolved
181816, https://hackerone.com/reports/181816, [marketplace.informatica.com] Persistent XSS through document title, resolved
181823, https://hackerone.com/reports/181823, Stored XSS в личных сообщениях, resolved
181828, https://hackerone.com/reports/181828, Segfault in mruby, mruby_engine and the parent MRI Ruby due to null pointer dereference, resolved
181849, https://hackerone.com/reports/181849, Jenkins, resolved
181871, https://hackerone.com/reports/181871, DoS: type confusion in mrb_no_method_error, resolved
181874, https://hackerone.com/reports/181874, SIGSEGV when invalid argument on remove_method, resolved
181879, https://hackerone.com/reports/181879, Struct type confusion RCE, resolved
181893, https://hackerone.com/reports/181893, TOCTTOU bug in mrb_str_setbyte leading the memory corruption, resolved
181910, https://hackerone.com/reports/181910, Range constructor type confusion DoS, resolved
181939, https://hackerone.com/reports/181939, [qpt.mail.ru] CRLF Injection / Open Redirect, resolved
181955, https://hackerone.com/reports/181955, Stored xss in ALBUM DESCRIPTION , resolved
182008, https://hackerone.com/reports/182008, Spoof Email with Hyperlink Injection via Invites functionality, resolved
182017, https://hackerone.com/reports/182017, htaccess file is accesible, resolved
182027, https://hackerone.com/reports/182027, SIGSEV on mrb_ary_splice, resolved
182033, https://hackerone.com/reports/182033, Reflected Xss on , resolved
182046, https://hackerone.com/reports/182046, Nginx server version disclosure, resolved
182089, https://hackerone.com/reports/182089,  Spam Some one using (user.saveInvite) system, resolved
182132, https://hackerone.com/reports/182132, Reflected cross-site scripting (XSS) vulnerability in pornhub.com allows attackers to inject arbitrary web script or HTML., resolved
182140, https://hackerone.com/reports/182140, libtiff 4.0.6 segfault / read outside of buffer (CVE-2016-9297), resolved
182169, https://hackerone.com/reports/182169, Type confusion in FutureIter_throw() which may potentially lead to an arbitrary code execution, resolved
182234, https://hackerone.com/reports/182234, Unsecured Grafana instance, resolved
182267, https://hackerone.com/reports/182267, Password Forgot/Password Reset Request Bug, resolved
182274, https://hackerone.com/reports/182274, Null pointer dereference due to TOCTTOU bug in mrb_time_initialize, resolved
182414, https://hackerone.com/reports/182414, Stored XSS on BillingCountry parameter, resolved
182420, https://hackerone.com/reports/182420, Illegal write/read access caused by gdImageAALine overflow, resolved
182467, https://hackerone.com/reports/182467, Email Spoofing, resolved
182474, https://hackerone.com/reports/182474, Use After Free in PHP7 unserialize(), resolved
182484, https://hackerone.com/reports/182484, Broken handling of maximum number of method call arguments leads to segfault, resolved
182487, https://hackerone.com/reports/182487, CSRF Token Bypass in Account Deletion, resolved
182530, https://hackerone.com/reports/182530, Bypass the resend limit in Send Invites, resolved
182557, https://hackerone.com/reports/182557, links the user may download can be a malicious files, informative
182576, https://hackerone.com/reports/182576, Subdomain Takeover on http://kiosk.owox.com/, resolved
182637, https://hackerone.com/reports/182637, Administrator Access To Management Console, resolved
182670, https://hackerone.com/reports/182670, Email link poisoning / Host header attack, resolved
183127, https://hackerone.com/reports/183127, ClickJacking, duplicate
183231, https://hackerone.com/reports/183231, SIGSEGV on mruby mrb_str_modify() (Invalid memory access), resolved
183239, https://hackerone.com/reports/183239, SIGSEGV on mruby's mark_tbl() (Invalid memory access), resolved
183245, https://hackerone.com/reports/183245, Nginx version disclosure via response header, resolved
183318, https://hackerone.com/reports/183318, Direct IP Access, not-applicable
183352, https://hackerone.com/reports/183352, Возможность провести DoS атаку от имени vk.com сервера, resolved
183356, https://hackerone.com/reports/183356, Segfault and/or potential unwanted (byte)code execution with "break" and "||=" inside a loop, resolved
183405, https://hackerone.com/reports/183405, Null target_class DoS, resolved
183425, https://hackerone.com/reports/183425, Segmentation fault when a Ruby method is invoked by a C method via Object#send, resolved
183458, https://hackerone.com/reports/183458, Command injection in the process of downloading the latest version of the cloud key firmware through the unifi management software., resolved
183568, https://hackerone.com/reports/183568, [Buddypress] Arbitrary File Deletion through bp_avatar_set, resolved
183577, https://hackerone.com/reports/183577, Sub domain issues., resolved
183624, https://hackerone.com/reports/183624, Race Condition Vulnerability On Pornhubpremium.com, resolved
183667, https://hackerone.com/reports/183667, Null pointer dereference in ary_concat, duplicate
183696, https://hackerone.com/reports/183696, Invalid memory access while freeing memory, caused by invalid type passed to mrb_ary_unshift, duplicate
183835, https://hackerone.com/reports/183835, Reflected XSS vulnerability on a DoD website, resolved
183844, https://hackerone.com/reports/183844, Reflected XSS on a DoD website, resolved
183854, https://hackerone.com/reports/183854, Reflective XSS vulnerability on a DoD website, resolved
183855, https://hackerone.com/reports/183855, Reflected XSS on a Department of Defense website, resolved
183871, https://hackerone.com/reports/183871, Reflected XSS on a DoD website, resolved
183878, https://hackerone.com/reports/183878, Reflected XSS on a Navy website, resolved
183925, https://hackerone.com/reports/183925, Unrestricted File Download / Path Traversal, resolved
183971, https://hackerone.com/reports/183971, Stored cross-site scripting (XSS) on a DoD website, resolved
183978, https://hackerone.com/reports/183978, Local File Inclusion vulnerability on an Army system allows downloading local files, resolved
184042, https://hackerone.com/reports/184042, Reflected cross-site scripting vulnerability on a DoD website, resolved
184057, https://hackerone.com/reports/184057, Read Application Name , Subscribers Count , resolved
184076, https://hackerone.com/reports/184076, Information disclosure on a DoD website, resolved
184125, https://hackerone.com/reports/184125, Reflected XSS vulnerability on a DoD website, resolved
184199, https://hackerone.com/reports/184199, Reflected XSS on an Army website, resolved
184200, https://hackerone.com/reports/184200, Reflected XSS on a DoD website, resolved
184279, https://hackerone.com/reports/184279, RCE on a Department of Defense website, resolved
184286, https://hackerone.com/reports/184286, Reflected XSS on a Department of Defense website, resolved
184472, https://hackerone.com/reports/184472, http://████/data.json  showing users sensitive information via  json file, informative
184495, https://hackerone.com/reports/184495, Cross-site scripting (XSS) vulnerability on a DoD website, resolved
184558, https://hackerone.com/reports/184558, Information disclosure vulnerability on a DoD website, resolved
184575, https://hackerone.com/reports/184575, Cross-site scripting vulnerability on a DoD website, resolved
184596, https://hackerone.com/reports/184596, Unrestricted File Upload, resolved
184661, https://hackerone.com/reports/184661, mruby-time: Crash host with uninitialized Time obj, resolved
184698, https://hackerone.com/reports/184698, Eavesdropping on private Slack calls, resolved
184712, https://hackerone.com/reports/184712, Denial of service due to invalid memory access in mrb_ary_concat, resolved
184715, https://hackerone.com/reports/184715, Read after free in mrb_vm_exec with OP_ARYCAT reading R(B), resolved
184750, https://hackerone.com/reports/184750, Reflected XSS on a DoD website, resolved
184759, https://hackerone.com/reports/184759, XSS on a DoD website, resolved
184857, https://hackerone.com/reports/184857, Crash: calling Proc::initialize_copy with a Proc instance where initialize never ran leads to a crash, resolved
184877, https://hackerone.com/reports/184877,  Out-of-date Version (Apache) , resolved
184881, https://hackerone.com/reports/184881, invalid URL parsing with and '@', not-applicable
184884, https://hackerone.com/reports/184884, Subdomain Takeover on  http://blog.owox.com/, informative
184901, https://hackerone.com/reports/184901, Stored cross site scripting (XSS) vulnerability on a DoD website, resolved
184933, https://hackerone.com/reports/184933, Insecure direct object reference vulnerability on a DoD website, resolved
185041, https://hackerone.com/reports/185041, Type confusion in mrb_exc_set leading to memory corruption, resolved
185051, https://hackerone.com/reports/185051, Type confusion in wrap_decimal leading to memory corruption, resolved
185387, https://hackerone.com/reports/185387, Null pointer dereference regression in parse.y, resolved
185705, https://hackerone.com/reports/185705, Null pointer dereference in mrb_str_concat, duplicate
185775, https://hackerone.com/reports/185775, Crash: Initialize Decimal with itself triggers an assertion, resolved
185794, https://hackerone.com/reports/185794, Crash: mrb_any_to_s can't handle NilClass, Symbol and Fixnum, resolved
185833, https://hackerone.com/reports/185833, Incomplete or No Cache-control and Pragma HTTP Header Set, resolved
185835, https://hackerone.com/reports/185835, Secure Pages Include Mixed Content, duplicate
185862, https://hackerone.com/reports/185862, Twitter for android is exposing user's location to any installed android app, resolved
185899, https://hackerone.com/reports/185899, Invalid memory write caused by incorrect upper bound in array_copy, resolved
185907, https://hackerone.com/reports/185907, unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php, resolved
185909, https://hackerone.com/reports/185909, unchecked unserialize usages in audit-trail-extension/audit-trail-extension.php, resolved
185914, https://hackerone.com/reports/185914, constant cache_page_secret in regolith, resolved
185957, https://hackerone.com/reports/185957, Crash: A call to Symbol.new leads to a crash when inspecting the resulting object, resolved
186156, https://hackerone.com/reports/186156, SQL Injection vulnerability on a DoD website, resolved
186189, https://hackerone.com/reports/186189, Information leakage on a Department of Defense website, resolved
186279, https://hackerone.com/reports/186279, IDOR - disclosure of private videos - /api_android_v3/getUserVideos, resolved
186307, https://hackerone.com/reports/186307, Information disclosure vulnerability on a DoD website, resolved
186308, https://hackerone.com/reports/186308, Information disclosure vulnerability in a DoD website, resolved
186315, https://hackerone.com/reports/186315, Cross-site scripting (XSS) vulnerability on a DoD website, resolved
186316, https://hackerone.com/reports/186316, DNS Misconfiguration, duplicate
186317, https://hackerone.com/reports/186317, Information disclosure on a DoD website, duplicate
186326, https://hackerone.com/reports/186326, Arbitary file download vulnerability on a DoD website, resolved
186352, https://hackerone.com/reports/186352, Fetching binaries (for software installation) over HTTP without verification (RCE as ROOT by MITM), resolved
186393, https://hackerone.com/reports/186393, Subdomain Takeover on OWOX.RU, duplicate
186402, https://hackerone.com/reports/186402, Cross-Site Scripting (XSS) on a DoD website, resolved
186462, https://hackerone.com/reports/186462, Stored XSS at 'Buy Button' page, resolved
186530, https://hackerone.com/reports/186530, Information disclosure vulnerability on a DoD website, resolved
186554, https://hackerone.com/reports/186554, Stored XSS in Adress Book (starbucks.com/account/profile), resolved
186586, https://hackerone.com/reports/186586, Access to Grafana Dashboard, resolved
186613, https://hackerone.com/reports/186613, Stored XSS on the http://ht.pornhub.com/widgets/, resolved
186723, https://hackerone.com/reports/186723, Crash: Overwriting NoMethodError with a builtin class crashes/corrupts memory, resolved
186766, https://hackerone.com/reports/186766, Subdomain takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record, resolved
187006, https://hackerone.com/reports/187006, Open Redirect in a DoD website, resolved
187134, https://hackerone.com/reports/187134, JSBeautifier BApp: Race condition leads to memory disclosure, resolved
187225, https://hackerone.com/reports/187225, Web Browser XSS Protection Not Enabled, not-applicable
187232, https://hackerone.com/reports/187232, Arbitrary Script Injection (Mail) in a DoD Website, resolved
187305, https://hackerone.com/reports/187305, Invalid handling of zero-length heredoc identifiers leads to infinite loop in the sandbox, resolved
187380, https://hackerone.com/reports/187380, Stored xss, duplicate
187410, https://hackerone.com/reports/187410, Store XSS, resolved
187460, https://hackerone.com/reports/187460, Files Drop: WebDAV endpoint is leaking existence of resources, resolved
187520, https://hackerone.com/reports/187520, Wordpress 4.7 - CSRF -> HTTP SSRF any private ip:port and basic-auth, resolved
187536, https://hackerone.com/reports/187536, Null pointer derefence due to bug in codegen with negation without using value, resolved
187539, https://hackerone.com/reports/187539, Null pointer dereference due to bug in codegen with negation of floats, duplicate
187542, https://hackerone.com/reports/187542, Brave Browser unexpectedly allows to send arbitrary IPC messages, resolved
187602, https://hackerone.com/reports/187602, [element.mail.ru] /.svn/entries, resolved
187705, https://hackerone.com/reports/187705, Authentication bypass vulnerability on a DoD website, resolved
187759, https://hackerone.com/reports/187759, Persistent XSS vulnerability on a DoD website, resolved
187822, https://hackerone.com/reports/187822, Reflected XSS vulnerability on a DoD website, resolved
187881, https://hackerone.com/reports/187881, XSS vulnerability on an Army website, resolved
187969, https://hackerone.com/reports/187969, Open redirect vulnerability in a DoD website, resolved
188078, https://hackerone.com/reports/188078, Command Execution because of extension handling, duplicate
188086, https://hackerone.com/reports/188086, Sending arbitrary IPC messages via overriding Function.prototype.apply, resolved
188102, https://hackerone.com/reports/188102, 3 heap corruptions in PHP, resolved
188124, https://hackerone.com/reports/188124, Violation of secure design principles on a DoD website, resolved
188132, https://hackerone.com/reports/188132, Wordpress Version Disclosure Bug On Nextcloud, informative
188149, https://hackerone.com/reports/188149, Personal information disclosure on a DoD website, resolved
188185, https://hackerone.com/reports/188185, Dom Based Xss DIV.innerHTML  parameters store.starbucks*, resolved
188195, https://hackerone.com/reports/188195, Login Hints on Admin Panel, informative
188205, https://hackerone.com/reports/188205, BruteForce in to Admin Account, informative
188266, https://hackerone.com/reports/188266, Redirect in adding advance cash on delivery app, resolved
188279, https://hackerone.com/reports/188279, Multiple vulnerabilities in http://blog.dubizzle.com/uae, resolved
188284, https://hackerone.com/reports/188284, Remote code execution on an Army website, resolved
188313, https://hackerone.com/reports/188313, Segmentation fault due to bad memory access in kh_get_mt, resolved
188326, https://hackerone.com/reports/188326, Buffer overflow in mrb_time_asctime, resolved
188338, https://hackerone.com/reports/188338, Unvalidated / Open Redirect, resolved
188482, https://hackerone.com/reports/188482, Unsecured Kibana/Elasticsearch instance, resolved
188561, https://hackerone.com/reports/188561, Sending arbitrary IPC messages via overriding Array.prototype.push, informative
188661, https://hackerone.com/reports/188661, Invalid read when wddx decodes empty boolean element, resolved
188691, https://hackerone.com/reports/188691, Reflected XSS in a Navy website, resolved
188692, https://hackerone.com/reports/188692, httponly flag not set + csrftoken in url, informative
188743, https://hackerone.com/reports/188743, XXE on DoD web server, resolved
188929, https://hackerone.com/reports/188929, Time Based SQL Injection vulnerability on a DoD website, resolved
188972, https://hackerone.com/reports/188972, Persistent XSS in www.starbucks.com, resolved
189023, https://hackerone.com/reports/189023, S3 ACL misconfiguration, informative
189069, https://hackerone.com/reports/189069, SQL injection vulnerability on a DoD website, resolved
189149, https://hackerone.com/reports/189149, QuickTime Promotion on a DoD website, resolved
189192, https://hackerone.com/reports/189192, Unsecured DB instance, resolved
189241, https://hackerone.com/reports/189241, Reflected XSS on a DoD website, resolved
189332, https://hackerone.com/reports/189332, SQL injection vulnerability on a DoD website, resolved
189356, https://hackerone.com/reports/189356, Text injection on Auth problem at urbandictionary.com, resolved
189378, https://hackerone.com/reports/189378, Unauthenticated Stored XSS on <any>.myshopify.com via checkout page, resolved
189414, https://hackerone.com/reports/189414, Information disclosure on a DoD website, resolved
189458, https://hackerone.com/reports/189458, Information disclosure vulnerability on a DoD website, resolved
189633, https://hackerone.com/reports/189633, Certain inputs cause tight C-level recursion leading to process stack overflow, resolved
189648, https://hackerone.com/reports/189648, Server Side Request Forgery (SSRF) vulnerability in a DoD website, resolved
189704, https://hackerone.com/reports/189704, Segmentation fault due to invalid memory access in codegen when using break with the 127th argument a constant, duplicate
189726, https://hackerone.com/reports/189726, Websites opened from reports can change url of report page , resolved
189768, https://hackerone.com/reports/189768, [controlsyou.quora.com] 429 Too Many Requests Error-Page XSS, resolved
189793, https://hackerone.com/reports/189793, [Android] XSS via start ContentActivity, resolved
189834, https://hackerone.com/reports/189834, [kb.informatica.com] DOM based XSS in the bindBreadCrumb function, resolved
189851, https://hackerone.com/reports/189851, Time Based SQL Injection vulnerability on a DoD website, resolved
189878, https://hackerone.com/reports/189878, CSRF header is sent to external websites when using data-remote forms, resolved
190015, https://hackerone.com/reports/190015, Certificate signed using SHA-1, duplicate
190016, https://hackerone.com/reports/190016, [network.informatica.com] The login form XSS via the referer value, resolved
190020, https://hackerone.com/reports/190020, [careers.informatica.com] XSS on "isJTN", resolved
190133, https://hackerone.com/reports/190133, Segfault when passing invalid values to `values_at`, resolved
190194, https://hackerone.com/reports/190194, Cookie HttpOnly Flag Not Set , duplicate
190195, https://hackerone.com/reports/190195, [qiwi.com] .bash_history, resolved
190205, https://hackerone.com/reports/190205, Reflected XSS on a DoD website, resolved
190217, https://hackerone.com/reports/190217, [marketplace.informatica.com] Profile stored XSS, resolved
190247, https://hackerone.com/reports/190247, Reflected XSS vector, resolved
190373, https://hackerone.com/reports/190373, Gratipay uses the random module's cryptographically insecure PRNG., informative
190427, https://hackerone.com/reports/190427, Reflected XSS on a DoD website, resolved
190434, https://hackerone.com/reports/190434, SQL Injection in sijoitustalous_peruutus (viestinta.lahitapiola.fi), resolved
190798, https://hackerone.com/reports/190798, Reflected XSS on teavana.com (Locale-Change), resolved
190863, https://hackerone.com/reports/190863, imagefilltoborder stackoverflow on truecolor images, resolved
190870, https://hackerone.com/reports/190870, Stored XSS on new Calling plugin (spreed), resolved
190933, https://hackerone.com/reports/190933, Invalid parameter in memcpy function trough openssl_pbkdf2, resolved
190951, https://hackerone.com/reports/190951, XSS on manually entering Postal codes, resolved
190964, https://hackerone.com/reports/190964, Content type incorrectly stated, informative
191179, https://hackerone.com/reports/191179, http://digital.starbucks.com/ Creation of Google G Suite Account on Behalf of starbucks. , resolved
191196, https://hackerone.com/reports/191196, Authorization issue in Google G Suite allows DoS through HTTP redirect, resolved
191216, https://hackerone.com/reports/191216, SSRF via git Repo by URL Abuse, duplicate
191220, https://hackerone.com/reports/191220, HTTP OPTION Method is Enabled on portswigger.net , not-applicable
191243, https://hackerone.com/reports/191243, File upload vulnerability on a DoD website, resolved
191323, https://hackerone.com/reports/191323, Sub Domain Takeover at mk.prd.vine.co, resolved
191328, https://hackerone.com/reports/191328, Invalid memory access in `mrb_str_format`, resolved
191332, https://hackerone.com/reports/191332, Reflected XSS in [olx.qa], resolved
191380, https://hackerone.com/reports/191380, CRLF and XSS stored on ton.twitter.com, resolved
191381, https://hackerone.com/reports/191381, Reflected cross-site scripting (XSS) vulnerability on a DoD website, resolved
191407, https://hackerone.com/reports/191407, DOM Based XSS on an Army website, resolved
191416, https://hackerone.com/reports/191416, DOM Based XSS on a DoD website, resolved
191543, https://hackerone.com/reports/191543, ssrf xspa [https://prt.mail.ru/], resolved
191608, https://hackerone.com/reports/191608, Cross-site request forgery vulnerability on a DoD website, resolved
191643, https://hackerone.com/reports/191643, Password complexity requirements not enforced, resolved
191674, https://hackerone.com/reports/191674, XSS vulnerability using GIF tags, resolved
191689, https://hackerone.com/reports/191689, Incorrect code generation when result of NODE_NEGATE is not used, resolved
191810, https://hackerone.com/reports/191810, Reflected XSS in lert.uber.com, resolved
191830, https://hackerone.com/reports/191830, Server side information disclosure on a DoD website, resolved
191831, https://hackerone.com/reports/191831, Cross-site request forgery (CSRF) vulnerability on a DoD website, resolved
191884, https://hackerone.com/reports/191884, Remote Unrestricted file Creation/Deletion and Possible RCE., resolved
191890, https://hackerone.com/reports/191890, DOM Based XSS in Discourse Search, resolved
191902, https://hackerone.com/reports/191902, HTML injection vulnerability on a DoD website, resolved
191909, https://hackerone.com/reports/191909, XSS Vulnerability on Image link parser, resolved
191938, https://hackerone.com/reports/191938, SIGSEGV on mruby mrb_get_args() , resolved
191979, https://hackerone.com/reports/191979, Limitation of app specific password scope can be bypassed (NC-SA-2017-009), resolved
191994, https://hackerone.com/reports/191994, SIGSEGV mrb_obj_freeze() Manipulating Register RAX and RSI, resolved
192074, https://hackerone.com/reports/192074, Default credentials on a DoD website, resolved
192079, https://hackerone.com/reports/192079, SQL Injection vulnerability in a DoD website, resolved
192082, https://hackerone.com/reports/192082, Attackers can control which security questions they are presented (████████), resolved
192110, https://hackerone.com/reports/192110, SQL Injection vulnerability in a DoD website, resolved
192127, https://hackerone.com/reports/192127, Buffer underflow in sprintf, resolved
192131, https://hackerone.com/reports/192131, CSRF Attack on (m.badoo.com)deleting account and erasing imported contacts, resolved
192140, https://hackerone.com/reports/192140, XSS on postal codes, resolved
192197, https://hackerone.com/reports/192197,  Information disclosure in coinbase android app, informative
192223, https://hackerone.com/reports/192223, XSS vulnerability on Audio and Video parsers, resolved
192235, https://hackerone.com/reports/192235, Integer Overflow in mrb_ary_set, resolved
192284, https://hackerone.com/reports/192284, olx.ph is vulnerable to POODLE attack, informative
192318, https://hackerone.com/reports/192318, mrb_vformat() heap overflow could lead to code execution, resolved
192362, https://hackerone.com/reports/192362, Heap Overflow in mrb_arb_splice, resolved
192373, https://hackerone.com/reports/192373, [cooking.lady.mail.ru] Open Redirect, resolved
192375, https://hackerone.com/reports/192375, [ml.money.mail.ru] Open Redirect, resolved
192388, https://hackerone.com/reports/192388, Unauthorised read Access to Expense Receipt of any user in the company(Vertical Privilege escalation), resolved
192485, https://hackerone.com/reports/192485, SIGSEGV on mrb_vm_exec() Null Deref, resolved
192512, https://hackerone.com/reports/192512, RCE on default Ubuntu Desktop >= 12.10 Quantal, resolved
192532, https://hackerone.com/reports/192532, SIGABRT, SIGSEGV mspace_free() and mrb_default_allocf(), resolved
192567, https://hackerone.com/reports/192567, Remote code execution vulnerability on a DoD website, resolved
192577, https://hackerone.com/reports/192577, Server side information disclosure, informative
192578, https://hackerone.com/reports/192578, kh_get_n2s() stack overrun, resolved
192611, https://hackerone.com/reports/192611, Users can bookmark other user's messages, resolved
192618, https://hackerone.com/reports/192618, Creating arbitrary cookies values /cs/CookieServer (www.lahitapiola.fi), resolved
192648, https://hackerone.com/reports/192648, Account takeover via Pornhub Oauth, resolved
192665, https://hackerone.com/reports/192665, heap-buffer-overflow on mruby, resolved
192667, https://hackerone.com/reports/192667, [stagecafrstore.starbucks.com] CRLF Injection, XSS, resolved
192734, https://hackerone.com/reports/192734, SIGSEGV Null Pointer mrb_str_concat(), resolved
192749, https://hackerone.com/reports/192749, [newscdn.starbucks.com] CRLF Injection, XSS, resolved
192751, https://hackerone.com/reports/192751, XSS vulnerability on a DoD website, resolved
192786, https://hackerone.com/reports/192786, Reflected XSS in U2F plugin by shipping the example endpoints, resolved
192886, https://hackerone.com/reports/192886, Mapbox Android SDK uses Broadcast Receiver instead of Local Broadcast Manager, resolved
192896, https://hackerone.com/reports/192896, Memory disclosure in timegm, resolved
192922, https://hackerone.com/reports/192922, Stored XSS at https://finance.owox.com/customer/accountList, resolved
192931, https://hackerone.com/reports/192931, Server-side include injection vulnerability in a DoD website, resolved
192940, https://hackerone.com/reports/192940, Remote File Inclusion, Malicious File Hosting, and Cross-site Scripting (XSS) in ████████, resolved
192986, https://hackerone.com/reports/192986, User Enumeration, informative
193027, https://hackerone.com/reports/193027, [http2.cloudflare.com] Open Redirect, resolved
193056, https://hackerone.com/reports/193056, Subdomain Takeover at http://gameday.websummit.net, resolved
193075, https://hackerone.com/reports/193075, SIGSEGV - mrb_check_intern_str() - NullPointer, resolved
193077, https://hackerone.com/reports/193077, mrb_str_modify try to write to memory not marked for writing, resolved
193081, https://hackerone.com/reports/193081, Null pointer dereference in mrb_str_prepend, resolved
193143, https://hackerone.com/reports/193143, Use After Free in str_replace, resolved
193419, https://hackerone.com/reports/193419, Способ узнать имя человека удаленной страницы, resolved
193436, https://hackerone.com/reports/193436, SQL injection vulnerability on a DoD website, resolved
193462, https://hackerone.com/reports/193462, a stored xss in web widget chat, resolved
193478, https://hackerone.com/reports/193478, Create New User Whilst Logged On, not-applicable
193481, https://hackerone.com/reports/193481, Reflected XSS on a DoD website, resolved
193517, https://hackerone.com/reports/193517, attempting double-free using the mruby compiler `mrbc`, resolved
193556, https://hackerone.com/reports/193556, Session Fixation At Logout /Session Misconfiguration, informative
193719, https://hackerone.com/reports/193719, Double free of filename after codegen error, resolved
193724, https://hackerone.com/reports/193724, SIGSEGV - kh_resize_iv - Null Deref, resolved
193753, https://hackerone.com/reports/193753, Directory listing, informative
193759, https://hackerone.com/reports/193759, Способ узнать имя человека удаленной страницы 2, resolved
193773, https://hackerone.com/reports/193773, SIGABRT - mrb_default_allocf , resolved
193799, https://hackerone.com/reports/193799, XSS in ubermovement.com via editable Google Sheets, resolved
193932, https://hackerone.com/reports/193932, Misconfigured password reset vulnerability on a DoD website, resolved
193936, https://hackerone.com/reports/193936, SQL injection vulnerability on a DoD website, resolved
194065, https://hackerone.com/reports/194065,  DoS vulnerability in mod_auth_digest CVE-2016-2161, resolved
194142, https://hackerone.com/reports/194142, Legal Robot AWS S3 Bucket Directory Listing, resolved
194207, https://hackerone.com/reports/194207, Reflected XSS and Open Redirect (verkkopalvelu.lahitapiola.fi), resolved
194294, https://hackerone.com/reports/194294, Reflected XSS on a DoD website, resolved
194308, https://hackerone.com/reports/194308, Password reset vulnerability on a DoD website, resolved
194318, https://hackerone.com/reports/194318, Brute Force Attack against PIN on Card History Page Could Lead to Card Information Discovery / Fraud, resolved
194329, https://hackerone.com/reports/194329, No session logout after changing password & alsoandroid sessions not shown in sessions list so they can be deleted, resolved
194351, https://hackerone.com/reports/194351, Able to download arbitrary  PHP files at yelpblog.com, resolved
194454, https://hackerone.com/reports/194454, Exposed Unencrypted Telnet Endpoint, resolved
194564, https://hackerone.com/reports/194564, Review remote code execution in SwiftMailer, resolved
194574, https://hackerone.com/reports/194574, IDOR - Folder names disclosure inside a domain, regardless of user, resolved
194594, https://hackerone.com/reports/194594, IDOR on partners.uber.com allows for a driver to override administrator documents, resolved
194647, https://hackerone.com/reports/194647, GlobaLeaks is vulnerable to timing attacks., resolved
194721, https://hackerone.com/reports/194721, Verification of email addresses possible through https://www.yelp.com/signup/facebook, resolved
194790, https://hackerone.com/reports/194790, IDOR - Downloading all attachements if having access to a shared link, resolved
194832, https://hackerone.com/reports/194832, Authentication Bypass on monitoring server, resolved
194866, https://hackerone.com/reports/194866, Deleting Key-value pair from Frozen HASH or Clearing a Frozen HASH, resolved
194884, https://hackerone.com/reports/194884, Heap use-after-free during range creation, resolved
194906, https://hackerone.com/reports/194906, Heap overflow due to off-by-one when expanding stack, resolved
194952, https://hackerone.com/reports/194952, Moniter Failed Sends too many emails, informative
195045, https://hackerone.com/reports/195045, Set Cookie Via SVG, resolved
195051, https://hackerone.com/reports/195051, SQL injection vulnerability in a DoD website, resolved
195058, https://hackerone.com/reports/195058, Users can download old project exports due to unclaimed namespace, resolved
195088, https://hackerone.com/reports/195088, Every user can delete public deploy keys, resolved
195134, https://hackerone.com/reports/195134, User with guest access can access private merge requests, resolved
195140, https://hackerone.com/reports/195140, Users with guest access can post notes to private merge requests, issues, and snippets, resolved
195163, https://hackerone.com/reports/195163, SAP Server - default credentials enabled, resolved
195205, https://hackerone.com/reports/195205, lert.uber.com: Few default folders/files of AURA Framework are accessible, resolved
195216, https://hackerone.com/reports/195216, No valid SPF records on demo.globaleaks.org, informative
195350, https://hackerone.com/reports/195350, Subdomain takeover on podcasts.slack-core.com, resolved
195356, https://hackerone.com/reports/195356, HTML Injection/Load Images vulnerability on a DoD website, resolved
195544, https://hackerone.com/reports/195544, Exposed Access Control Data Backup Files on DoD Website, resolved
195580, https://hackerone.com/reports/195580, Crash (DoS) when parsing a hostile TIFF, resolved
195586, https://hackerone.com/reports/195586, Memory corruption when parsing a hostile PHAR archive, resolved
195635, https://hackerone.com/reports/195635, Video player on ███ allows arbitrary remote videos to be played, resolved
195636, https://hackerone.com/reports/195636, Information disclosure vulnerability on a DoD website, resolved
195638, https://hackerone.com/reports/195638, Information disclosure vulnerability on a DoD website, resolved
195688, https://hackerone.com/reports/195688, NULL Pointer Dereference while unserialize php object, resolved
195836, https://hackerone.com/reports/195836, Information disclosure vulnerability on a DoD website, resolved
195842, https://hackerone.com/reports/195842, Segmentation fault - mrb_gc_mark, resolved
195913, https://hackerone.com/reports/195913, Излишние права при авторизации через интерфейс mail.ru, informative
195950, https://hackerone.com/reports/195950, Use of uninitialized memory in unserialize(), resolved
195996, https://hackerone.com/reports/195996, Changing details of other users profile using UUID (IDOR), resolved
196222, https://hackerone.com/reports/196222, RTLO char allowed in chat, resolved
196300, https://hackerone.com/reports/196300, Blind SQLi in a DoD Website, resolved
196358, https://hackerone.com/reports/196358, Report redaction doesn't apply to report title update activities, resolved
196380, https://hackerone.com/reports/196380, SIGSEGV in mrb_vm_exec, resolved
196386, https://hackerone.com/reports/196386, SIGSEGV - mrb_vm_exec - vm.c in line:1272, resolved
196416, https://hackerone.com/reports/196416, Clearing , Shifting and Pop Value from Frozen Array  , resolved
196448, https://hackerone.com/reports/196448, Local file inclusion vulnerability on a DoD website, resolved
196458, https://hackerone.com/reports/196458, apps.shopify.com - CSRF token leakage through Google Analytics, resolved
196482, https://hackerone.com/reports/196482, Information disclosure vulnerability on a DoD website, resolved
196498, https://hackerone.com/reports/196498, Segmentation fault on program counter, resolved
196624, https://hackerone.com/reports/196624, dom xss in https://www.slackatwork.com, resolved
196655, https://hackerone.com/reports/196655, Disclose any user's private email through API, resolved
196715, https://hackerone.com/reports/196715, CSRF Send a message at street-combats.mail.ru, resolved
196819, https://hackerone.com/reports/196819, Heap Buffer overflow in mrb_funcall_with_block, resolved
196833, https://hackerone.com/reports/196833, Vulnerable Javascript library, informative
196846, https://hackerone.com/reports/196846, Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com), resolved
196937, https://hackerone.com/reports/196937, Возможность смотреть видео рекомендации любого пользователя вконтакте, resolved
196969, https://hackerone.com/reports/196969, bug reporting template encourages users to paste config file with passwords, resolved
196989, https://hackerone.com/reports/196989, XSS on username when register to proffesional account, resolved
197055, https://hackerone.com/reports/197055, Information disclosure vulnerability on a DoD website, resolved
197114, https://hackerone.com/reports/197114, IDOR - Access to private video thumbnails even if video requires password authentication, resolved
197115, https://hackerone.com/reports/197115, Clickjacking @ Main Domain[www.yelp.com], informative
197153, https://hackerone.com/reports/197153, Ability to post comments to a crew even after getting kicked out, resolved
197238, https://hackerone.com/reports/197238, Server Version Of https://www.olx.ph/, informative
197253, https://hackerone.com/reports/197253, formassembly.com is vulnerable to padding-oracle attacks., resolved
197279, https://hackerone.com/reports/197279, [m.airbnb.com] CRLF Injection, resolved
197334, https://hackerone.com/reports/197334, [airbnb.com] XSS via Cookie flash, duplicate
197337, https://hackerone.com/reports/197337, [IMP] - Blind XSS in the admin panel for reviewing comments, resolved
197365, https://hackerone.com/reports/197365, SSRF через Share-ботов, resolved
197443, https://hackerone.com/reports/197443, XSS in topics because of bandcamp preview engine vulnerability, resolved
197489, https://hackerone.com/reports/197489, Subdomain takeover at signup.uber.com, resolved
197585, https://hackerone.com/reports/197585, Starbucks.com is reachable via ip address thus possible to link any doamin to Starbucks., not-applicable
197693, https://hackerone.com/reports/197693, SIGSEGV - mrb_vm_exec - line:1681, resolved
197694, https://hackerone.com/reports/197694, SIGSEGV - mrb_obj_extend - line:413, resolved
197719, https://hackerone.com/reports/197719, Still heap overflow in mrb_ary_splice, resolved
197723, https://hackerone.com/reports/197723, Null pointer dereference in mrb_str_modify, resolved
197726, https://hackerone.com/reports/197726, newrelic.atlassian.net - jira information disclosure, resolved
197754, https://hackerone.com/reports/197754, SQL Injection vulnerability in a DoD website, resolved
197755, https://hackerone.com/reports/197755, SQL injection found in US Navy Website (http://███/), resolved
197786, https://hackerone.com/reports/197786, User Information Disclosure via REST API, resolved
197789, https://hackerone.com/reports/197789, [insideok.ru] Database Dump, resolved
197877, https://hackerone.com/reports/197877, User Information Disclosure via REST API, resolved
197878, https://hackerone.com/reports/197878, WordPress <= 4.6.1 Stored XSS Via Theme File, resolved
197880, https://hackerone.com/reports/197880, Nginx version disclosure via forbidden page, informative
197902, https://hackerone.com/reports/197902, Stored XSS in topics because of whitelisted_generic engine vulnerability, resolved
197907, https://hackerone.com/reports/197907, Misconfigured user account settings on DoD website, resolved
197914, https://hackerone.com/reports/197914, Stored XSS in posts because of absence of oembed variables values escaping, resolved
197916, https://hackerone.com/reports/197916, Crash in print_backtrace, resolved
197958, https://hackerone.com/reports/197958, [EdgeSwitch] Web GUI command injection as root with Privilege-1 and Privilege-15 users, resolved
197976, https://hackerone.com/reports/197976, Open FTP on ███, resolved
198012, https://hackerone.com/reports/198012, Disclosure of administrators via JSON on nextcloud.com Wordpress, resolved
198218, https://hackerone.com/reports/198218, HTML Injection on ████, resolved
198221, https://hackerone.com/reports/198221, Restricted User can view multiple account details including customer_root_account_id, payment method, date of first payment, etc., resolved
198249, https://hackerone.com/reports/198249, [XSS/3dsecure.qiwi.com] 3DSecure XSS, resolved
198251, https://hackerone.com/reports/198251, [XSS/pay.qiwi.com] Pay SubDomain Hard-Use XSS, resolved
198259, https://hackerone.com/reports/198259, Reflected XSS vulnerability on a DoD website, resolved
198452, https://hackerone.com/reports/198452, SIGABRT - mrb_realloc_simple - gc.c - line:201, resolved
198470, https://hackerone.com/reports/198470, csrf blogs.starbucks.com, duplicate
198494, https://hackerone.com/reports/198494, Lack of Controls Allowing for Card and PIN Enumeration Leading to Fraud, resolved
198622, https://hackerone.com/reports/198622, Clickjacking Periscope.tv on Chrome, resolved
198673, https://hackerone.com/reports/198673, HTTP-Basic Authentication on logs.nextcloud.com, informative
198690, https://hackerone.com/reports/198690, SSRF in alerts.newrelic.com exposes entire internal network, resolved
198718, https://hackerone.com/reports/198718, Blacklist bypass for /cs/Satellite (www.lahitapiola.fi), resolved
198723, https://hackerone.com/reports/198723, Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization, resolved
198732, https://hackerone.com/reports/198732, Use After Free in unserialize(), resolved
198733, https://hackerone.com/reports/198733, Type Confusion in Object Deserialization, resolved
198734, https://hackerone.com/reports/198734, GMP Deserialization Type Confusion Vulnerability [MyBB <= 1.8.3 RCE Vulnerability], resolved
198773, https://hackerone.com/reports/198773, Drone Nextcloud, informative
198851, https://hackerone.com/reports/198851, XSS in api_v1, resolved
198907, https://hackerone.com/reports/198907, HTML Injection possible due to bad filter, resolved
198927, https://hackerone.com/reports/198927, Parsing invalid unicode codepoints using json c extension (2.0.1+) triggers a segfault, resolved
198969, https://hackerone.com/reports/198969, IDOR - Deleting other user's reminders just by id, resolved
199082, https://hackerone.com/reports/199082, Multiple Vulnerabilities in Oracle Webcenter Sites (/cs/Satellite), resolved
199243, https://hackerone.com/reports/199243, No user confirmation when an auto-updated extension gets more permissions, resolved
199281, https://hackerone.com/reports/199281, IDOR - Leaking other user's folder names from /appsuite/api/import?action=ICA, resolved
199286, https://hackerone.com/reports/199286, Group admin can remove user from all his groups via API, resolved
199321, https://hackerone.com/reports/199321, IDOR - Deleting other user's signature via /appsuite/api/snippet?action=update (although an error is thrown), resolved
199436, https://hackerone.com/reports/199436, Yelp.com is vulnerable to SWEET32 attack, informative
199438, https://hackerone.com/reports/199438, SWEET32 TLS attack, informative
199445, https://hackerone.com/reports/199445, Nextcloud.com is vulnerable to SWEET32 attack, informative
199644, https://hackerone.com/reports/199644, Privilege Escalation on a DoD Website, resolved
199714, https://hackerone.com/reports/199714, Missing Rate Limit for Current Password field in nextcloud.com, resolved
199764, https://hackerone.com/reports/199764, Aborted - proc.c - line:143, resolved
199779, https://hackerone.com/reports/199779, Google Analytics could be used as CSP bypass for data exfiltration on hackerone.com, resolved
199804, https://hackerone.com/reports/199804, Persistent XSS on ForecastApp, resolved
199996, https://hackerone.com/reports/199996, HTML injection-WordCamp Talks plugin, not-applicable
200034, https://hackerone.com/reports/200034, [marketplace.informatica.com] Search XSS, resolved
200072, https://hackerone.com/reports/200072, Bypass email validity in newsletter field, informative
200079, https://hackerone.com/reports/200079, Critical information disclosure at https://█████████, resolved
200125, https://hackerone.com/reports/200125, Information disclosure vulnerability on a DoD website, resolved
200179, https://hackerone.com/reports/200179, SMS URL verification link does not expire on phone number change and lacks rate limiting, resolved
200210, https://hackerone.com/reports/200210, SQL Injection on /webApp/viivanalle (viestinta.lahitapiola.fi), resolved
200212, https://hackerone.com/reports/200212, Sql injection on /webApp/sijoituswebinaari (viestinta.lahitapiola.fi), resolved
200214, https://hackerone.com/reports/200214, SQL Injection on /webApp/lapsuudenturva (viestinta.lahitapiola.fi), resolved
200224, https://hackerone.com/reports/200224, SSRF на https://target.my.com/, resolved
200351, https://hackerone.com/reports/200351, XSS in flashmediaelement.swf (business-blog.zomato.com), resolved
200355, https://hackerone.com/reports/200355, MailPoet Newsletters <= 2.7.2 - Authenticated Reflected Cross-Site Scripting (XSS), resolved
200387, https://hackerone.com/reports/200387, Incorrect code generation with redo inside NODE_RESCUE., resolved
200419, https://hackerone.com/reports/200419, Clickjacking, resolved
200427, https://hackerone.com/reports/200427, Access of Android protected components via embedded intent, resolved
200487, https://hackerone.com/reports/200487, Incomplete HTML sanitization + Session id leaking + private information disclosure, resolved
200572, https://hackerone.com/reports/200572, Information About Your System(Sensitive Directories), not-applicable
200576, https://hackerone.com/reports/200576, Logic flaw enables restricted account to access account license key, resolved
200623, https://hackerone.com/reports/200623, SQL injection vulnerability on a DoD website, resolved
200683, https://hackerone.com/reports/200683, CSRF bypass + XSS on verkkopalvelu.tapiola.fi, resolved
200753, https://hackerone.com/reports/200753, [nutty.ubnt.com] DOM Based XSS nuttyapp github-btn.html, resolved
200762, https://hackerone.com/reports/200762, Email Spoofing, informative
200821, https://hackerone.com/reports/200821,  heap-use-after-free /home/operac/testafl/mruby/mrubylast/mruby/src/gc.c, resolved
200826, https://hackerone.com/reports/200826, [github.algolia.com] DOM Based XSS github-btn.html, resolved
200909, https://hackerone.com/reports/200909, Out of bounds memory read in unserialize(), resolved
201152, https://hackerone.com/reports/201152, [ipm.informatica.com]- Broken Authentication, resolved
201300, https://hackerone.com/reports/201300, Attacker can get vine repost user all informations even Ip address and location ., resolved
201489, https://hackerone.com/reports/201489, Wordpress 4.7.1, resolved
201512, https://hackerone.com/reports/201512, SQL Injection vulnerability in a DoD website, resolved
201520, https://hackerone.com/reports/201520, test.zba.se is vulnerable to SSL POODLE  , resolved
201529, https://hackerone.com/reports/201529, Can upload files without authentication on AirFibre 3.2, resolved
201796, https://hackerone.com/reports/201796, cloudup Subdomain Takeover That resolves to Desk.com ( CNAME cloudup.desk.com ) , resolved
201838, https://hackerone.com/reports/201838, [tanks.mail.ru] Open Redirect, resolved
201848, https://hackerone.com/reports/201848, Click jacking in delete image of user in Yelp, duplicate
201855, https://hackerone.com/reports/201855, Information disclosue in Android Application, duplicate
201897, https://hackerone.com/reports/201897, Recursion causing uninitialized memory reads leading to a segfault, resolved
201903, https://hackerone.com/reports/201903, Segmentfault at mrb_vm_exec, resolved
201905, https://hackerone.com/reports/201905, SIGSEGV - vm.c - line:1214, resolved
201940, https://hackerone.com/reports/201940, Account hijack via deleted PH account, resolved
201948, https://hackerone.com/reports/201948, Disclosure of information on static.dl.mail.ru, informative
201984, https://hackerone.com/reports/201984, Wordpress directories/files visible to internet, resolved
202177, https://hackerone.com/reports/202177, Login with Google Not Authenticated on iOS App, resolved
202354, https://hackerone.com/reports/202354, Stored XSS / Bypassing .htaccess protection in http://nodebb.ubnt.com/, resolved
202361, https://hackerone.com/reports/202361, Requestor Email Disclosure via Email Notification, informative
202362, https://hackerone.com/reports/202362, Null pointer dereference in mrb_random_initialize, resolved
202496, https://hackerone.com/reports/202496, Stored XSS vulnerability on a DoD website, duplicate
202499, https://hackerone.com/reports/202499, User with only Viewing Privilege can send message to Room, resolved
202501, https://hackerone.com/reports/202501, Restricted user is able to delete filter sets of admin users in https://infrastructure.newrelic.com/accounts/{{ACC#}}/settings/filterSets, resolved
202536, https://hackerone.com/reports/202536, [xss] pornhubpremium.com, /redeem?code= URL endpoint , resolved
202548, https://hackerone.com/reports/202548, XSS Vulnerability at https://www.pornhubpremium.com/premium_signup? URL endpoint , resolved
202582, https://hackerone.com/reports/202582, Denial of service (segfault) due to null pointer dereference in mrb_obj_instance_eval, resolved
202584, https://hackerone.com/reports/202584, Denial of service (segfault) due to null pointer dereference in mrb_vm_exec, resolved
202619, https://hackerone.com/reports/202619, SQL injection vulnerability on a DoD website, resolved
202652, https://hackerone.com/reports/202652, Remote command execution (RCE) vulnerability on a DoD website, resolved
202725, https://hackerone.com/reports/202725, Public access to objects in AWS S3 bucket, resolved
202740, https://hackerone.com/reports/202740, Missing Server Side Rate Limiting can Lead to VK Account Take over , resolved
202774, https://hackerone.com/reports/202774, Type Juggling -> PHP Object Injection -> SQL Injection Chain, resolved
202781, https://hackerone.com/reports/202781, Chained Bugs to Leak Victim's Uber's FB Oauth Token, resolved
202797, https://hackerone.com/reports/202797, found a vulnerability in your website, resolved
202808, https://hackerone.com/reports/202808, Cross-site request forgery (CSRF) vulnerability in a DoD website, resolved
202823, https://hackerone.com/reports/202823, Vine all registered user Private/sensitive information disclosure .[ Ip address/phone no/email and many other informations ], resolved
202918, https://hackerone.com/reports/202918, yaman.olx.ph/wordpress is using a very vulnerable version of WordPress and contains directory listing, resolved
202921, https://hackerone.com/reports/202921, Unauthorised Access to Anyone's User Account, resolved
202939, https://hackerone.com/reports/202939, Debug.log file Exposed to Public \Full Path Disclosure\, resolved
202949, https://hackerone.com/reports/202949, Wordpress Content injection , resolved
202951, https://hackerone.com/reports/202951, [marketplace.informatica.com]- Stored XSS on Image title and Edit Property, resolved
202960, https://hackerone.com/reports/202960, CVE-2017-5204: The IPv6 parser in tcpdump before 4.9.0 has a buffer overflow in print-ip6.c:ip6_print(), resolved
202965, https://hackerone.com/reports/202965, CVE-2017-5341 The OTV parser in tcpdump before 4.9.0 has a buffer overflow in print-otv.c:otv_print(), resolved
202967, https://hackerone.com/reports/202967, CVE-2017-5484 The ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-atm.c:sig_print(), resolved
202968, https://hackerone.com/reports/202968, CVE-2017-5342 In tcpdump before 4.9.0 a bug in multiple protocol parsers could cause a buffer overflow in print-ether.c:ether_print(), resolved
202969, https://hackerone.com/reports/202969, CVE-2017-5482 The Q.933 parser in tcpdump before 4.9.0 has a buffer overflow in print-fr.c:q933_print()., resolved
203002, https://hackerone.com/reports/203002, Incorrect GC behavior in xxlimited could lead to use-after-free, resolved
203042, https://hackerone.com/reports/203042, Find whether a video has been favourited or not, for any user [via YouPorn Mobile API], resolved
203047, https://hackerone.com/reports/203047, Add a video to favourite list of any user [via YouPorn API / FrontEnd], resolved
203060, https://hackerone.com/reports/203060, Cross-site scripting (XSS) on a DoD website, resolved
203088, https://hackerone.com/reports/203088, Brave payments remembers history even after clearing all browser data., not-applicable
203241, https://hackerone.com/reports/203241, Reflected XSS, resolved
203311, https://hackerone.com/reports/203311, Bypass file access control vulnerability on a DoD website, resolved
203384, https://hackerone.com/reports/203384, HTTP trace method is enabled on gip.rocks, resolved
203388, https://hackerone.com/reports/203388, Content length restriction bypass can lead to DOS by reading large files on gip.rocks, resolved
203391, https://hackerone.com/reports/203391, Content Spoofing or Text Injection in (403 forbidden page injection) and Nginx version disclosure via response header, informative
203409, https://hackerone.com/reports/203409, HTTP trace method is enabled on aspen.io, resolved
203513, https://hackerone.com/reports/203513, SIGSEGV - mrb_vm_exec - line:1312, resolved
203515, https://hackerone.com/reports/203515, Wordpress 4.7.2 - Two XSS in Media Upload when file too large., resolved
203594, https://hackerone.com/reports/203594, Calendar and addressbook names disclosed (NC-SA-2017-012), resolved
203595, https://hackerone.com/reports/203595, forgot to add the patch, resolved
203600, https://hackerone.com/reports/203600, Remote code execution vulnerability on a DoD website, resolved
203614, https://hackerone.com/reports/203614, Enumerating emails through "Forgot Password" form, informative
203658, https://hackerone.com/reports/203658, Restricted file access when it exists in old versions of task or wiki document, informative
203673, https://hackerone.com/reports/203673, AirFibre products vulnerable to HTTP Header injection, resolved
203726, https://hackerone.com/reports/203726, Open Redirect in <customer>.greenhouse.io, resolved
203912, https://hackerone.com/reports/203912, Stored XSS via Discussion Title and Send as Email attribute in [marketplace.informatica.com], resolved
203935, https://hackerone.com/reports/203935, Time Based SQL-inject in post-parametr login[username] [domain - youporn.com], resolved
203974, https://hackerone.com/reports/203974, Reflected XSS in Meta Tag, resolved
204047, https://hackerone.com/reports/204047, Segmentation fault while printing backtrace, resolved
204048, https://hackerone.com/reports/204048, Illegal account registration in ████████, resolved
204050, https://hackerone.com/reports/204050, [Android API] SQL injection ( errortoken.json ), resolved
204198, https://hackerone.com/reports/204198, Clickjacking or URL Masking , informative
204237, https://hackerone.com/reports/204237, [informatica.com]- Cross Site scripting , resolved
204239, https://hackerone.com/reports/204239, [informatica.com]- Information Disclosure , resolved
204292, https://hackerone.com/reports/204292, <- Critical IDOR vulnerability in socialclub allow to insert and delete comments as another user and it discloses sensitive information ->, resolved
204421, https://hackerone.com/reports/204421, Heap buffer oveflow with many arguments, resolved
204513, https://hackerone.com/reports/204513, Infrastructure - Photon - SSRF, resolved
204568, https://hackerone.com/reports/204568, stack trace exposed on  https://receipts.uber.com/, informative
204628, https://hackerone.com/reports/204628, segafult in mruby's sprintf - mrb_str_format, resolved
204703, https://hackerone.com/reports/204703, CSRF to change password, resolved
204774, https://hackerone.com/reports/204774, A crash when an exception is caught in a caller and the receiver returned from `ensure`, resolved
204802, https://hackerone.com/reports/204802, pam-ussh may be tricked into using another logged in user's ssh-agent, resolved
204969, https://hackerone.com/reports/204969, XSS with needed user intervention, resolved
204984, https://hackerone.com/reports/204984, IDOR - Accessing other user's attachements via PUT /appsuite/api/files?action=saveAs, resolved
204996, https://hackerone.com/reports/204996, Access to job creation web page on http://████████, resolved
205034, https://hackerone.com/reports/205034, [wave.informatica.com]- Subdomain missconfiguration, resolved
205069, https://hackerone.com/reports/205069, express config leaking stacktrace, resolved
205250, https://hackerone.com/reports/205250, Missing SPF Flags on nextcloud.com, duplicate
205284, https://hackerone.com/reports/205284, SIGABRT - method_missing - mark_context_stack, resolved
205309, https://hackerone.com/reports/205309, Broken Authentication and session management OWASP A2, not-applicable
205360, https://hackerone.com/reports/205360, Content-Injection/XSS ████, resolved
205481, https://hackerone.com/reports/205481, Wordpress unzip_file path traversal, resolved
205506, https://hackerone.com/reports/205506, youporn email notification enable/disable  and newsletter , resolved
205521, https://hackerone.com/reports/205521, Heap Buffer overflow in mrb_ary_unshift, resolved
205529, https://hackerone.com/reports/205529, Combined attacks leading to stealing user's account, resolved
205536, https://hackerone.com/reports/205536, Use After Free in mrb_vm_exec, resolved
205626, https://hackerone.com/reports/205626, XSS Stored, resolved
205796, https://hackerone.com/reports/205796, CRLF инъекция на https://tz.mail.ru, resolved
205884, https://hackerone.com/reports/205884, Interger overflow in str_substr leading to read/write out of bound memory, resolved
205908, https://hackerone.com/reports/205908, LDAP login possible even though account doesn't match user filter, resolved
205920, https://hackerone.com/reports/205920, show control page if you insert ' at http://viestinta.lahitapiola.fi/, resolved
205925, https://hackerone.com/reports/205925, Application code is not obfuscated -- OWASP M9 (2016), informative
205949, https://hackerone.com/reports/205949, Subdomain takeover in many subdomains, resolved
205953, https://hackerone.com/reports/205953, CSRF - Adding unlimited number of saved items via GET request, resolved
206109, https://hackerone.com/reports/206109, mruby heap use-after-free , resolved
206125, https://hackerone.com/reports/206125, Reflected XSS in olx.pt, resolved
206239, https://hackerone.com/reports/206239, Heap Buffer Overflow while processing OP_SEND, resolved
206319, https://hackerone.com/reports/206319, Persistent CSRF in /GiftCert-AddToBasket prevents purchases on eCommerce sites, resolved
206359, https://hackerone.com/reports/206359,  Email Spoofing, not-applicable
206516, https://hackerone.com/reports/206516, Subdomain Takeover (http://docs.olx.ph/ , http://calendar.olx.ph/, http://sites.olx.ph/), resolved
206591, https://hackerone.com/reports/206591, Open Redirect on central.uber.com allows for account takeover, resolved
206650, https://hackerone.com/reports/206650, Broken Authentication - Security token gets captured via man in the middle attack, resolved
206653, https://hackerone.com/reports/206653, Captcha bypass for the most important function - At en.instagram-brand.com, resolved
206737, https://hackerone.com/reports/206737, XSS via login cookie, resolved
206811, https://hackerone.com/reports/206811, Open Redirect located at https://www.robinhood.com/oauth2/authorize/?, resolved
206872, https://hackerone.com/reports/206872, SQL injection in 3rd party software Anomali, resolved
206877, https://hackerone.com/reports/206877, HTML injection in Desktop Client, resolved
206894, https://hackerone.com/reports/206894, SSRF at iris.lystit.com, resolved
207013, https://hackerone.com/reports/207013, Public Vulnerable Version of Confluence https://confluence.olx.com, resolved
207042, https://hackerone.com/reports/207042, Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP, resolved
207053, https://hackerone.com/reports/207053, Writable RubyCi Amazon s3 bucket, resolved
207062, https://hackerone.com/reports/207062, Воскрешение сессии после сброса сессий / смены пароля / принудительной смены пароля, resolved
207099, https://hackerone.com/reports/207099, Insecure Direct Object Reference (IDOR) vulnerability in a DoD website, resolved
207170, https://hackerone.com/reports/207170, Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain, resolved
207236, https://hackerone.com/reports/207236, Potentially sensitive information disclosure on a DoD website, informative
207285, https://hackerone.com/reports/207285, Open redirection , resolved
207321, https://hackerone.com/reports/207321, Controlled address leak due to type confusion - ASLR bypass, resolved
207329, https://hackerone.com/reports/207329, Mixed Active content issue on https://www.lyst.com, resolved
207384, https://hackerone.com/reports/207384, Directory listing - i am able to download all php_agent archive, not-applicable
207388, https://hackerone.com/reports/207388, Sensitive information disclosure, informative
207399, https://hackerone.com/reports/207399, CSRF possible when SOP Bypass/UXSS is available, resolved
207404, https://hackerone.com/reports/207404, SSL Certification Expired And TLS Vulnerability , informative
207431, https://hackerone.com/reports/207431, One of yelp.com url is redirecting to domain which is not yet purchased, informative
207435, https://hackerone.com/reports/207435, Research papers on yelp  are getting indexed by google bots., not-applicable
207457, https://hackerone.com/reports/207457,  SSL/TLS Vulnerability at khanacademy.org, informative
207477, https://hackerone.com/reports/207477, SSRF in ███████, resolved
207505, https://hackerone.com/reports/207505, Unvalidated redirect in alerts.newrelic.com/auth/newrelic?origin=, resolved
207552, https://hackerone.com/reports/207552, No Security check at changing password and at adding mobile number which leads to account takeover and spam, informative
207576, https://hackerone.com/reports/207576, Subdomain takeover on s3.shopify.com, resolved
207695, https://hackerone.com/reports/207695, sqli, resolved
207710, https://hackerone.com/reports/207710, Heap use-after-free in mrb_vm_exec , resolved
207781, https://hackerone.com/reports/207781, Reflected XSS vulnerability in a DoD website , duplicate
207792, https://hackerone.com/reports/207792, http://ht.pornhub.com/ stored XSS in widget stylesheet, resolved
207983, https://hackerone.com/reports/207983, read outside of buffer (heap buffer overflow) in S_regmatch - regexec.c:6057, resolved
208141, https://hackerone.com/reports/208141, /icons/README is still available on viestinta.lahitapiola.fi, resolved
208363, https://hackerone.com/reports/208363, Memory corrouption in mrb_gc_mark, resolved
208407, https://hackerone.com/reports/208407, Able to create basic user account via Google login on HackerOne Drupal CMS, resolved
208480, https://hackerone.com/reports/208480, Site configured improperly at subdomain of lyst.co.uk, resolved
208481, https://hackerone.com/reports/208481, Remote file inclusion vulnerability on a DoD website, resolved
208526, https://hackerone.com/reports/208526, Null pointer dereference in mark_context_stack, resolved
208556, https://hackerone.com/reports/208556, Cross-site scripting (XSS) vulnerability on a DoD website, resolved
208566, https://hackerone.com/reports/208566, Outdated Jenkins server hosted at OwnCloud.org, resolved
208622, https://hackerone.com/reports/208622, Reflected cross-site scripting (XSS) vulnerability in scores.ubnt.com allows attackers to inject arbitrary web script via p parameter., resolved
208654, https://hackerone.com/reports/208654, Обход: "Аудиозапись недоступна для прослушивания в Вашем регионе.", resolved
208719, https://hackerone.com/reports/208719, Subdomain Takeover at Landing.udemy.com , resolved
208734, https://hackerone.com/reports/208734, CSRF @ configuration , resolved
208834, https://hackerone.com/reports/208834, Address bar spoofing in Brave browser via. window close warnings, informative
208978, https://hackerone.com/reports/208978, [URGENT] Opportunity to publish tweets on any twitters account, resolved
209004, https://hackerone.com/reports/209004, Subdomain takeover #2  at info.hacker.one, resolved
209008, https://hackerone.com/reports/209008, Authentication Bypass - Chaining two vulnerabilities leads to account takeover at en.instagram-brand.com, resolved
209140, https://hackerone.com/reports/209140, Private program email forwarding response invitation not expire after first use., resolved
209223, https://hackerone.com/reports/209223, Open S3 Bucket WriteAble To Any Aws User, resolved
209251, https://hackerone.com/reports/209251, public report - Reproducible - Writable RubyCi Amazon s3 bucket[207053], resolved
209352, https://hackerone.com/reports/209352, Cross Domain leakage of sensitive information - Leading to Account Takeover at Instagram Brand, resolved
209368, https://hackerone.com/reports/209368, [wallet.rapida.ru] Mass SMS flood, resolved
209449, https://hackerone.com/reports/209449, Heap buffer overflow with long array assignment, resolved
209520, https://hackerone.com/reports/209520, http://www.nextcloud.com/wp-includes/js/swfupload/swfupload.swf allows open redirect / site defacement, resolved
209736, https://hackerone.com/reports/209736, DOM XSS on teavana.com via "pr_zip_location" parameter, resolved
209765, https://hackerone.com/reports/209765, Heap buffer overflow in mruby value_move, resolved
209821, https://hackerone.com/reports/209821, URL Given leading to end users ending up in malicious sites, informative
209860, https://hackerone.com/reports/209860, Rate Limitation Vulnerability (DDos), duplicate
209917, https://hackerone.com/reports/209917, javascript: and mailto: links are allowed in JIRA integration settings, duplicate
209937, https://hackerone.com/reports/209937, SIGSEGV - mark_context_stack, resolved
209949, https://hackerone.com/reports/209949, Arbitrary heap exposure in JSON.generate, resolved
210190, https://hackerone.com/reports/210190, Transitioning a Private Program to Public Does Not Clear Previously Private Updates to Hackers, resolved
210238, https://hackerone.com/reports/210238, full path disclosure on www.rockstargames.com via apache filename brute forcing, resolved
210246, https://hackerone.com/reports/210246, Invalid Pointer Reference from OP_RESCUE, resolved
210298, https://hackerone.com/reports/210298, Privilege Escalation in Default Notification Preferences, resolved
210304, https://hackerone.com/reports/210304, Privilege Escalation in Share Report, resolved
210331, https://hackerone.com/reports/210331, SSLv3 POODLE Vulnerability, resolved
210354, https://hackerone.com/reports/210354, RTLO character in file names, resolved
210384, https://hackerone.com/reports/210384, Open Redirect, resolved
210417, https://hackerone.com/reports/210417, Bypass CAPTCHA protection, resolved
210429, https://hackerone.com/reports/210429, mrb_vm_exec - null ptr dereference, resolved
210525, https://hackerone.com/reports/210525, Information disclosure vulnerability on a DoD website, resolved
210572, https://hackerone.com/reports/210572, Full path Disclosure in Rockstargames.com██████████ , resolved
210654, https://hackerone.com/reports/210654, Bypass to postMessage origin validation via FTP, resolved
210671, https://hackerone.com/reports/210671, Null pointer dereferences from mrb_vm_exec, resolved
210741, https://hackerone.com/reports/210741, Unserialize leading to arbitrary PHP function invoke, resolved
210779, https://hackerone.com/reports/210779, [Urgent] Invalidating OAuth2 Bearer token makes TweetDeck unavailable, resolved
210875, https://hackerone.com/reports/210875, use of unsafe host header leads to open redirect, resolved
210994, https://hackerone.com/reports/210994, Control Character Injection In Messages, resolved
211021, https://hackerone.com/reports/211021, Null pointer dereference in 'get_file', resolved
211065, https://hackerone.com/reports/211065, Gitlab.com is vulnerable to reverse tabnabbing., resolved
211072, https://hackerone.com/reports/211072, Написать от имени любого пользователя на его стене, если он перейдет по ссылке. https://vk.com/al_video.php, resolved
211149, https://hackerone.com/reports/211149, Inadequate/dangerous jQuery behavior, resolved
211206, https://hackerone.com/reports/211206, Version 4.7.2 of wordpress is vulnerable, resolved
211213, https://hackerone.com/reports/211213, https://xmpp.nextcloud.com///;@www.google.com allows open redirect, resolved
211283, https://hackerone.com/reports/211283, Cross Site WebSocket Hijacking, informative
211381, https://hackerone.com/reports/211381, Remote Code Execution (RCE) in a DoD website, resolved
211418, https://hackerone.com/reports/211418, Source Code Disclosure (CGI), resolved
211643, https://hackerone.com/reports/211643, Stored Cross Site Scripting in Customer Name, resolved
211988, https://hackerone.com/reports/211988, sql injection vulnerablity found, not-applicable
212015, https://hackerone.com/reports/212015, Unable to register in starbucks IN app, not-applicable
212022, https://hackerone.com/reports/212022, Remote Code Execution (RCE) in a DoD website, resolved
212046, https://hackerone.com/reports/212046, Создание ссылки от имени чужой страницы vk.cc, resolved
212067, https://hackerone.com/reports/212067, An “algobot”-s GitHub access token was leaked, resolved
212074, https://hackerone.com/reports/212074, SIGSEGV - mrb_yield_with_class, resolved
212107, https://hackerone.com/reports/212107, Null pointer dereference in mrb_class, resolved
212239, https://hackerone.com/reports/212239, sprintf gem - format string combined attack, resolved
212241, https://hackerone.com/reports/212241, sprintf combined format string attack, resolved
212253, https://hackerone.com/reports/212253, XSS via SVG file, duplicate
212456, https://hackerone.com/reports/212456, SIGSEGV - kh_get_n2s - in /src/symbol.c:37, resolved
212523, https://hackerone.com/reports/212523, Single user DOS on selectedLanuage -cookie at (verkkopalvelu.tapiola.fi), resolved
212629, https://hackerone.com/reports/212629, Gitlab.com is vulnerable to reverse tabnabbing. (#2), resolved
212696, https://hackerone.com/reports/212696, RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`, resolved
212721, https://hackerone.com/reports/212721, IE 11 Self-XSS on Jira Integration Preview Base Link, resolved
212770, https://hackerone.com/reports/212770, Content spoofing due to the improper behavior of the 403 page, resolved
212882, https://hackerone.com/reports/212882, SIGABRT in only mirb, resolved
212931, https://hackerone.com/reports/212931, heap-buffer-overflow (buffer read overrun) in curl: ourWriteOut() src/tool_writeout.c:115, resolved
212985, https://hackerone.com/reports/212985, Remote code execution vulnerability on a DoD website, resolved
213056, https://hackerone.com/reports/213056, Invalid request may lead content spoofing for phishing, resolved
213069, https://hackerone.com/reports/213069, Remote Code Execution (RCE) in a DoD website, duplicate
213114, https://hackerone.com/reports/213114, Gitlab.com is vulnerable to reverse tabnabbing via AsciiDoc links. (#3), resolved
213180, https://hackerone.com/reports/213180, Password reset form ignores email field, resolved
213190, https://hackerone.com/reports/213190, Reflected XSS in openapi.starbucks.com /searchasyoutype/v1/search?x-api-key=, resolved
213227, https://hackerone.com/reports/213227, DOM XSS vulnerability in search dialogue (NC-SA-2017-007), resolved
213239, https://hackerone.com/reports/213239, Blind SQLi vulnerability in a DoD Website, resolved
213255, https://hackerone.com/reports/213255, SIGSEGV in str_buf_cat, resolved
213261, https://hackerone.com/reports/213261, Use-after-free leading to an invalid pointer dereference, resolved
213358, https://hackerone.com/reports/213358, SSRF at apps.nextcloud.com/developer/apps/releases/new, informative
213360, https://hackerone.com/reports/213360, Content Spoofing/Text Injection in nextcloud.com, resolved
213437, https://hackerone.com/reports/213437, Critical vulnerability in JSON Web Encryption (JWE) - RFC 7516 Invalid Curve attack, resolved
213558, https://hackerone.com/reports/213558, Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks, resolved
213767, https://hackerone.com/reports/213767, Password Policy Bypass, informative
213776, https://hackerone.com/reports/213776, Remote Command Execution on a DoD website, duplicate
213779, https://hackerone.com/reports/213779, SIGSEGV - mrb_obj_value, resolved
213789, https://hackerone.com/reports/213789, Update php-saml library to 2.10.5, resolved
213936, https://hackerone.com/reports/213936, Token leakage by referrer, resolved
213942, https://hackerone.com/reports/213942, Differential "Show Raw File" feature exposes generated files to unauthorised users, resolved
213991, https://hackerone.com/reports/213991, Setting Arbitrary Cookie at kitcrm.com, resolved
214000, https://hackerone.com/reports/214000, SIGABRT - mirb and mruby, resolved
214001, https://hackerone.com/reports/214001, File access controls incorrectly enforced for files shared via QuickLink - Unshared files can be accessed, resolved
214022, https://hackerone.com/reports/214022, Admin Command Injection via username in user_archive ExportCsvFile, resolved
214028, https://hackerone.com/reports/214028, Race condition in GitLab import, giving access to other people their imports due to filename collision, resolved
214034, https://hackerone.com/reports/214034, Open redirect, resolved
214044, https://hackerone.com/reports/214044, Stored XSS in [shop].myshopify.com/admin/orders/[id], resolved
214087, https://hackerone.com/reports/214087, Clickjacking Vulnerability found on Yelp, resolved
214171, https://hackerone.com/reports/214171, Null pointer dereferences in ary_concat, resolved
214340, https://hackerone.com/reports/214340, Content spoofing due to the improper behavior of the 403 page, resolved
214370, https://hackerone.com/reports/214370, Comments Denial of Service in socialclub.rockstargames.com, resolved
214436, https://hackerone.com/reports/214436, HTTP Header Injection/HTTP_Response_Splitting, informative
214449, https://hackerone.com/reports/214449, Content-Length restriction bypass to heap overflow in gip.rocks., resolved
214484, https://hackerone.com/reports/214484, Stored XSS, resolved
214570, https://hackerone.com/reports/214570, Nginx Version Disclosure, informative
214571, https://hackerone.com/reports/214571, Login form on non-HTTPS page, resolved
214576, https://hackerone.com/reports/214576, SIGABRT - mirb - Double Free, resolved
214620, https://hackerone.com/reports/214620, Cloudflare based XSS for IE11, resolved
214642, https://hackerone.com/reports/214642, Reflected XSS on frag.mail.ru, resolved
214681, https://hackerone.com/reports/214681, Null pointer dereference in ary_concat , resolved
214763, https://hackerone.com/reports/214763, Profile bio at rockstar is accepting control characters, resolved
214798, https://hackerone.com/reports/214798, SQL injection on https://███████, resolved
214800, https://hackerone.com/reports/214800, Default page exposes admin functions and all metods and classes available. on https://██████/█████/dwr/index.html, resolved
214839, https://hackerone.com/reports/214839, Report invitation links not restricted to any existing user, resolved
214845, https://hackerone.com/reports/214845, SIGSEGV in mrb_vm_exec, resolved
215044, https://hackerone.com/reports/215044, [iOS] URL can be replaceState by blob URL in iOS Brave, resolved
215053, https://hackerone.com/reports/215053, Ability to log in as any user without authentication if █████████ is empty, resolved
215083, https://hackerone.com/reports/215083, Cleartext Password returned in JSON response, resolved
215105, https://hackerone.com/reports/215105, SSRF vulnerability in gitlab.com via project import., resolved
215326, https://hackerone.com/reports/215326, Подмена SSL-сертификата для любой группы в секции Управление группой->Работа с API неавторизированным пользователем., resolved
215372, https://hackerone.com/reports/215372, Server version/OS type disclosure via HTTP Response Header, informative
215381, https://hackerone.com/reports/215381, CSRF on Periscope Web OAuth authorization endpoint , resolved
215383, https://hackerone.com/reports/215383, Cross-Site Request Forgery, duplicate
215384, https://hackerone.com/reports/215384, [Subgroups] Unprivileged User Can Disclose Private Group Names, resolved
215410, https://hackerone.com/reports/215410, HTML Injection in Owncloud, resolved
215447, https://hackerone.com/reports/215447, SIGSEGV in mrb_class, resolved
215625, https://hackerone.com/reports/215625, A HackerOne employee's GitHub personal access token exposed in Travis CI build logs, resolved
215854, https://hackerone.com/reports/215854, Garbage collector crash, resolved
215859, https://hackerone.com/reports/215859, [REMOTE] Full Account Takeover At https://██████████████/CAS/, resolved
215891, https://hackerone.com/reports/215891, Null pointer dereference in mrb_class, resolved
215967, https://hackerone.com/reports/215967, SIGABRT in mrb_debug_info_append_file, resolved
215970, https://hackerone.com/reports/215970, [Repository Import] Open Redirect via "continue[to]" parameter , resolved
216151, https://hackerone.com/reports/216151, Use-after-free in _asyncio_Future_remove_done_callback, resolved
216161, https://hackerone.com/reports/216161, CSRF Token Design Flaw, informative
216243, https://hackerone.com/reports/216243, CSV injection in gitlab.com via issues export feature., resolved
216271, https://hackerone.com/reports/216271, SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability, resolved
216289, https://hackerone.com/reports/216289, Раскрытие информации о частной группе или приложении, resolved
216294, https://hackerone.com/reports/216294, Session replay vulnerability in www.urbandictionary.com, resolved
216336, https://hackerone.com/reports/216336, Source Code Disclosure, informative
216351, https://hackerone.com/reports/216351, Null pointer dereferences in mrb_get_args, resolved
216373, https://hackerone.com/reports/216373, deleting payment profile during active trip puts account into arrears but active trip is temporarily “free”, resolved
216379, https://hackerone.com/reports/216379, Blind Stored XSS against Pornhub employees using Amateur Model Program, resolved
216389, https://hackerone.com/reports/216389, Full access at an internal service of Shopify, resolved
216453, https://hackerone.com/reports/216453, Unfiltered `class` attribute in markdown code, resolved
216469, https://hackerone.com/reports/216469, Reflected XSS on ht.pornhub.com - /export/GetPreview, resolved
216533, https://hackerone.com/reports/216533, ssrf xspa [https://prt.mail.ru/] 2, resolved
216615, https://hackerone.com/reports/216615, Crash in ary_concat() , resolved
216699, https://hackerone.com/reports/216699, SQL Injection vulnerability in a DoD website, resolved
216700, https://hackerone.com/reports/216700, heap use-after-free in mrb_vm_exec(), resolved
216725, https://hackerone.com/reports/216725, SIGABRT - in free, resolved
216746, https://hackerone.com/reports/216746, Phabricator is vulnerable to padding oracle attacks and chosen-ciphertext attacks., resolved
216806, https://hackerone.com/reports/216806, Reflected XSS in login redirection module, resolved
216822, https://hackerone.com/reports/216822, Stored XSS via transloadit.com and imageproxy, resolved
216992, https://hackerone.com/reports/216992, Heap Buffer Overflow in mrb_hash_keys, resolved
216998, https://hackerone.com/reports/216998, CSV Injection with the CVS export feature, informative
217058, https://hackerone.com/reports/217058, CRLF injection in info.hacker.one, resolved
217083, https://hackerone.com/reports/217083, SIGSEGV in mrb_str_inum, resolved
217097, https://hackerone.com/reports/217097, SIGSEGV in mrb_vm_exec, resolved
217108, https://hackerone.com/reports/217108, Reflected XSS in a DoD Website, resolved
217344, https://hackerone.com/reports/217344, Path traversal on ████████, resolved
217381, https://hackerone.com/reports/217381, doc.owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service), resolved
217430, https://hackerone.com/reports/217430, [connect.teavana.com] Open Redirect and abuse of connect.teavana.com, resolved
217431, https://hackerone.com/reports/217431, sweet32 , informative
217555, https://hackerone.com/reports/217555, Possible to unsubscribe from activities using CSRF @ mijn.werkenbijdefensie.nl, resolved
217558, https://hackerone.com/reports/217558, Possible to view and takeover other user's education and courses @ mijn.werkenbijdefensie.nl, resolved
217610, https://hackerone.com/reports/217610, kh_put_iv SEGFAULT - mruby 1.2.0, resolved
217679, https://hackerone.com/reports/217679, ВИП подарки бесплатные без подключения ВИП услуги, resolved
217739, https://hackerone.com/reports/217739, Stored XSS on any page in most Uber domains, resolved
217745, https://hackerone.com/reports/217745, XSS in $shop$.myshopify.com/admin/ via "Button Objects" in malicious app, resolved
217747, https://hackerone.com/reports/217747, Information disclosure vulnerability on a DoD website, resolved
218088, https://hackerone.com/reports/218088, Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier, resolved
218136, https://hackerone.com/reports/218136, Reflected XSS vulnerability on a DoD website, resolved
218199, https://hackerone.com/reports/218199, Directory Listing In Subdomain Of nextcloud.com, informative
218226, https://hackerone.com/reports/218226, Stored XSS in comments on https://www.starbucks.co.uk/blog/*, resolved
218233, https://hackerone.com/reports/218233, Null pointer dereference in OP_ENTER, resolved
218264, https://hackerone.com/reports/218264, An Automattic employee's GitHub personal access token exposed in Travis CI build logs, resolved
218287, https://hackerone.com/reports/218287, In App purchase Hack , resolved
218324, https://hackerone.com/reports/218324, An unsafe design practice in the Passphrase may result in Secret being accidentally changed., informative
218342, https://hackerone.com/reports/218342, RCE (Remote Code Execution) Vulnerability on Ruby, not-applicable
218465, https://hackerone.com/reports/218465, [staging-engineering.gnip.com] Publicly accessible GIT directory, resolved
218567, https://hackerone.com/reports/218567, SIGSEGV in array_copy - array.c:71, resolved
218570, https://hackerone.com/reports/218570, Invalid pointer dereference in OP_ENTER, resolved
218680, https://hackerone.com/reports/218680, [buy.coinbase.com]Content Injection, resolved
218705, https://hackerone.com/reports/218705, Example HackerOne security@ forward domain is not registered, resolved
218733, https://hackerone.com/reports/218733, Design Issues on ( ███ ) Lead to show ( IPS of Users ) , resolved
218748, https://hackerone.com/reports/218748, Parameter tampering can result in product price manipulation, resolved
218803, https://hackerone.com/reports/218803, SIGABRT in sym_validate_len - symbol.c:44, resolved
218872, https://hackerone.com/reports/218872, Stored XSS on Files overview by abusing git submodule URL, resolved
218876, https://hackerone.com/reports/218876, Share tokens for public calendars disclosed (NC-SA-2017-011), resolved
218898, https://hackerone.com/reports/218898, Table and Column Exposure, resolved
218966, https://hackerone.com/reports/218966, avrecode: global-buffer-overflow in get_neighbor(), resolved
219014, https://hackerone.com/reports/219014, [dev-unifi-go.ubnt.com] Insecure CORS, Stealing Cookies, resolved
219140, https://hackerone.com/reports/219140, Reflected XSS Vulnerability in www.lahitapiola.fi/cs/Satellite, resolved
219170, https://hackerone.com/reports/219170, XSS, resolved
219171, https://hackerone.com/reports/219171, Возможность взлома любого пользователя, не использующего двухфакторной аутентификации, через получения кода восстановления на чужой номер., resolved
219192, https://hackerone.com/reports/219192, Resend invitation to members by Read only user(Privilege Escalation), resolved
219197, https://hackerone.com/reports/219197, [██████████.gnip.com] .htpasswd disclosure, resolved
219203, https://hackerone.com/reports/219203, Login bypass on travel.██████████ aka "Harvest Spring Summit 2017", resolved
219215, https://hackerone.com/reports/219215, Client can redirect payment, causing payment discrepancy between Harvest and PayPal, resolved
219293, https://hackerone.com/reports/219293, Invalid Pointer reference in L_RESCUE, resolved
219323, https://hackerone.com/reports/219323, CSV injection in gratipay.com via payment history export feature., resolved
219356, https://hackerone.com/reports/219356, Manipulation of submit payment request allows me to obtain Infrastructure Pro/Other Services for free or at greatly reduced price, resolved
219447, https://hackerone.com/reports/219447, Open redirect on marketing site, resolved
219458, https://hackerone.com/reports/219458, Open Redirect, resolved
219499, https://hackerone.com/reports/219499, POODLE SSLv3.0, informative
219509, https://hackerone.com/reports/219509, Store XSS on Informatica University via transcript (informatica.csod.com), resolved
219599, https://hackerone.com/reports/219599, Open Redirection at https://it.mail.ru/, resolved
219601, https://hackerone.com/reports/219601, Transferring incorrect data to the http://gip.rocks/v1 endpoint with correct Content-Type leads to local paths disclosure through the error message, duplicate
219657, https://hackerone.com/reports/219657, api.vk.com отдаёт в ответ HTML авторизированную страницу vk.com, resolved
219715, https://hackerone.com/reports/219715, Раскрытие имени файла приватных документов, resolved
219729, https://hackerone.com/reports/219729, Reflected XSS on a DoD website, resolved
219821, https://hackerone.com/reports/219821, XSS, resolved
219870, https://hackerone.com/reports/219870, mirb only: stack-buffer-overflow (OOB write) in main(), resolved
220009, https://hackerone.com/reports/220009, Lack of input sanitization in Marketo form leads to execution of HTML in lead emails, resolved
220116, https://hackerone.com/reports/220116, SSLv3 Poodle Vulnerability, resolved
220150, https://hackerone.com/reports/220150, 200 http code in 403 forbidden directories on main Ubnt.com domain, resolved
220185, https://hackerone.com/reports/220185, Password reset Token not expiring , resolved
220385, https://hackerone.com/reports/220385, Delete All Data of Any User, resolved
220445, https://hackerone.com/reports/220445, Race condition leads to duplicate payouts, resolved
220615, https://hackerone.com/reports/220615, Expired SSL certificate, resolved
220737, https://hackerone.com/reports/220737, Tabnabbing via Window.Opener @Mavenlink, resolved
220774, https://hackerone.com/reports/220774, API Last Request Date/Time Not Updating, resolved
220852, https://hackerone.com/reports/220852, XSS STORED AT socialclub.rockstargames.com (add friend request from profile attacker), resolved
220864, https://hackerone.com/reports/220864, Unauthorized access to attachments details of Private Calendar appointments  (Access control issue), resolved
220874, https://hackerone.com/reports/220874, Critical : View/Edit access to private appointments of calendar folder by read only user (Vertical privilege escalation), resolved
220903, https://hackerone.com/reports/220903, Authenticated Cross-site Scripting in Template Name, resolved
220909, https://hackerone.com/reports/220909, Autoclose can close any task regardless of policies/spaces, resolved
220946, https://hackerone.com/reports/220946, https://portal.nextcloud.com/.htaccess file is readable, resolved
221041, https://hackerone.com/reports/221041, Cookie bomb, resolved
221133, https://hackerone.com/reports/221133, Sub Domain Takeover, resolved
221163, https://hackerone.com/reports/221163, heap-buffer-overflow (read outside of buffer) in Sass::Prelexer::exactly<(char)92>(char const*) - libsass/src/lexer.hpp:92, informative
221250, https://hackerone.com/reports/221250, /accounts/USERID.json file is left open for Restricted User of organization disclosing Owners's Mobile Number and "billing_info, cc_email", duplicate
221251, https://hackerone.com/reports/221251, heap-buffer-overflow (read outside of buffer) in mrb_vm_exec(), resolved
221260, https://hackerone.com/reports/221260, stack overflow in libsass, resolved
221262, https://hackerone.com/reports/221262, stack overflow #2 in libsass, resolved
221264, https://hackerone.com/reports/221264, stack overflow #3 in libsass, resolved
221267, https://hackerone.com/reports/221267, stack overflow #4 in libsass, resolved
221286, https://hackerone.com/reports/221286, stack overflow #5 in libsass, resolved
221287, https://hackerone.com/reports/221287, null pointer dereference in Sass::Eval::operator()(Sass::Map*), resolved
221289, https://hackerone.com/reports/221289, heap-use-after-free in Sass::SharedPtr::incRefCount(), resolved
221292, https://hackerone.com/reports/221292, stack overflow #6 in libsass, resolved
221294, https://hackerone.com/reports/221294, Java Deserialization RCE via JBoss on card.starbucks.in, resolved
221298, https://hackerone.com/reports/221298, GIT Detected, resolved
221325, https://hackerone.com/reports/221325, Stored XSS in Express Objects - Concrete5 v8.1.0, resolved
221328, https://hackerone.com/reports/221328, HTTP 401 response injection on "amp.twimg.com/amplify-web-player/prod/source.html" through "image_src" parameter, resolved
221333, https://hackerone.com/reports/221333, Information Disclosure, informative
221380, https://hackerone.com/reports/221380, Stored XSS in RSS Feeds Title (Concrete5 v8.1.0), resolved
221432, https://hackerone.com/reports/221432, CSRF-Token leak by request forgery, resolved
221454, https://hackerone.com/reports/221454, Privilege escalation in the client impersonation functionality, resolved
221461, https://hackerone.com/reports/221461, homograph-attack (unicode vuln), duplicate
221507, https://hackerone.com/reports/221507, Multiple stored XSS in WordPress, resolved
221625, https://hackerone.com/reports/221625, UBNT Amplification DDOS Attack, resolved
221631, https://hackerone.com/reports/221631, [ux.shopify.com] Subdomain takeover, resolved
221712, https://hackerone.com/reports/221712, Null pointer dereferences in kh_copy_mt, resolved
221757, https://hackerone.com/reports/221757, Blind SQL Injection, resolved
221833, https://hackerone.com/reports/221833, [https://jenkins.brew.sh] Jenkins in Debug Mode with Stack Traces Enabled, resolved
221869, https://hackerone.com/reports/221869, Email enumeration of users, resolved
221883, https://hackerone.com/reports/221883, DOM-based XSS on youporn.com (main page), resolved
221893, https://hackerone.com/reports/221893, XSS in the search bar of mercantile.wordpress.org, resolved
221908, https://hackerone.com/reports/221908, Host header Injection, informative
221948, https://hackerone.com/reports/221948, The mailbox verification API interface is unlimited and can be used as a mailbox bomb, not-applicable
221950, https://hackerone.com/reports/221950, The special code in editor has no Authority control and can lead to Information Disclosure, informative
221955, https://hackerone.com/reports/221955, duplicate hsts headers lead to firefox ignoring hsts on  business.uber.com, resolved
221989, https://hackerone.com/reports/221989, Server version disclosure on [jenkins.brew.sh], informative
222036, https://hackerone.com/reports/222036, Missing SSL can leak job token , resolved
222040, https://hackerone.com/reports/222040, Reflected XSS at https://da.wordpress.org/themes/?s= via "s=" parameter , resolved
222058, https://hackerone.com/reports/222058, Content Spoofing/Text Injection in https://demo.nextcloud.com, resolved
222063, https://hackerone.com/reports/222063, Sensitive information disclosure via response headers on jenkins.brew.sh, duplicate
222080, https://hackerone.com/reports/222080, The email API to reset password is unlimited and can be used as a email bomb, duplicate
222082, https://hackerone.com/reports/222082, Broken Authentication & Session Management (Login Bypass) at support.owox.com, resolved
222096, https://hackerone.com/reports/222096, [bot.brew.sh] Full Path Disclosure, resolved
222108, https://hackerone.com/reports/222108, Stack Trace on jenkins.brew.sh, informative
222171, https://hackerone.com/reports/222171, heap use after free in fiber_switch, resolved
222252, https://hackerone.com/reports/222252, Дубликат: https://hackerone.com/reports/219171 (доступ к аккаунту, через сброс пароля), resolved
222294, https://hackerone.com/reports/222294, heap-use-after-free in mrb_vm_exec - vm.c:1247, resolved
222506, https://hackerone.com/reports/222506, Mixed Reflected-Stored XSS on pornhub.com (without user interaction) in the playlist playing section, resolved
222556, https://hackerone.com/reports/222556, XSS on pornhubselect.com, resolved
222660, https://hackerone.com/reports/222660, The email API to test email-server settings is unlimited and can be used as a email bomb, informative
222667, https://hackerone.com/reports/222667, Possible SSRF in email server settings(SMTP mode), informative
222692, https://hackerone.com/reports/222692, plugins.trac.wordpress.org likely vulnerable to Cross Site Tracing (xst), TRACE HTTP method should be disabled, resolved
222724, https://hackerone.com/reports/222724, Open Aws Amazon S3 Buckets, resolved
222762, https://hackerone.com/reports/222762, Clickjacking In https://demo.nextcloud.com, not-applicable
222805, https://hackerone.com/reports/222805, Content (Text) Injection at https://nextcloud.com, informative
222838, https://hackerone.com/reports/222838, Stored XSS in Gallery application (NC-SA-2017-010), resolved
222870, https://hackerone.com/reports/222870, IRC-Bot exposes information, resolved
223014, https://hackerone.com/reports/223014, SAML Authentication Bypass on uchat.uberinternal.com, resolved
223024, https://hackerone.com/reports/223024, Clickjacking In jobs.wordpress.net, resolved
223172, https://hackerone.com/reports/223172, Просмотр привязного к странице email, всего лишь раз скомпрометировав письмо-уведомление, resolved
223203, https://hackerone.com/reports/223203, SVG Server Side Request Forgery (SSRF), resolved
223324, https://hackerone.com/reports/223324, Registration captcha bypass, resolved
223326, https://hackerone.com/reports/223326, Open Redirect via "next" parameter in third-party authentication, resolved
223327, https://hackerone.com/reports/223327, No expiration of session ID after Password change, resolved
223329, https://hackerone.com/reports/223329, Logout CSRF, resolved
223331, https://hackerone.com/reports/223331, [demo.weblate.org] Stored Self-XSS via Editor Link in Profile, resolved
223333, https://hackerone.com/reports/223333, CSRF : Reset API , resolved
223337, https://hackerone.com/reports/223337, No BruteForce Protection, resolved
223339, https://hackerone.com/reports/223339, Activation tokens are not expiring, resolved
223343, https://hackerone.com/reports/223343, Already Registered Email Disclosure, resolved
223344, https://hackerone.com/reports/223344, CSV Injection with the CSV export feature, resolved
223345, https://hackerone.com/reports/223345, CSRF : Lock and Unlock Translation, resolved
223350, https://hackerone.com/reports/223350, Web server is vulnerable to Beast Attack, resolved
223355, https://hackerone.com/reports/223355, Insecure Account Removal, resolved
223362, https://hackerone.com/reports/223362, Improper Password Reset Policy on https://hosted.weblate.org/, resolved
223363, https://hackerone.com/reports/223363, Escape sequence injection vulnerability in WEBrick BasicAuth, resolved
223367, https://hackerone.com/reports/223367, CSRF - Changing the full name / adding a secondary email identity of an account via a GET request, resolved
223374, https://hackerone.com/reports/223374, You can simply just use passwords that simply are as 123456, resolved
223384, https://hackerone.com/reports/223384, Directory Listing , resolved
223391, https://hackerone.com/reports/223391, Clickjacking docs.weblate.org, resolved
223396, https://hackerone.com/reports/223396, hosted.weblate.org: X-XSS-Protection not enabled, resolved
223421, https://hackerone.com/reports/223421, Open port leads to information disclosure, informative
223427, https://hackerone.com/reports/223427, Login using disconnected google account i.e login using old email id, resolved
223430, https://hackerone.com/reports/223430, Content Spoofing, resolved
223434, https://hackerone.com/reports/223434, Improper access control when an added email address is deleted from authentication, duplicate
223435, https://hackerone.com/reports/223435, Open SMTP port can let anyone send email from mail.chihar.com, not-applicable
223454, https://hackerone.com/reports/223454, Missing restriction on string size of Full Name at https://demo.weblate.org/accounts/register/, resolved
223456, https://hackerone.com/reports/223456, Content Spoofing in error message, resolved
223461, https://hackerone.com/reports/223461, Weak e-mail change functionality could lead to account takeover, resolved
223475, https://hackerone.com/reports/223475, Existing sessions valid after removing third party auth, resolved
223525, https://hackerone.com/reports/223525, Spamming any user from Reset Password Function, resolved
223531, https://hackerone.com/reports/223531, User Enumeration when adding email to account, resolved
223542, https://hackerone.com/reports/223542, Abuse of Api that causes spamming users and possible DOS due to missing rate limit on contact form, resolved
223545, https://hackerone.com/reports/223545, Missing DMARC on weblate.org, resolved
223557, https://hackerone.com/reports/223557, Abuse of Api that causes spamming users and possible DOS due to missing rate limit, resolved
223597, https://hackerone.com/reports/223597, Посмотреть видеоролики, которые пользователь когда-либо скидывал в ЛС. , resolved
223609, https://hackerone.com/reports/223609, Notify user about password change, resolved
223618, https://hackerone.com/reports/223618, Null Password - Setting a new password doesn't check for empty spaces, resolved
223625, https://hackerone.com/reports/223625, Subdomain Takeover (and Stored XSS) via Trailing Dot at https://coding-exercises.udemy.com, resolved
223630, https://hackerone.com/reports/223630, Content Spoofing, duplicate
223637, https://hackerone.com/reports/223637, [hosted.weblate.org]Account Takeover, resolved
223653, https://hackerone.com/reports/223653, demo.weblate.org is vulnerable to SWEET32 Vulnerability, resolved
223692, https://hackerone.com/reports/223692, Self XSS at translation page through Editor Link at demo.weblate.org, resolved
223694, https://hackerone.com/reports/223694, No Rate Limitting at Change Password, resolved
223718, https://hackerone.com/reports/223718, Open redirect in Signing in via Social Sites, duplicate
223723, https://hackerone.com/reports/223723, weblate.org: X-XSS-Protection not enabled, resolved
223759, https://hackerone.com/reports/223759, information disclose, informative
223846, https://hackerone.com/reports/223846, Access to completion page without performing any action, resolved
223851, https://hackerone.com/reports/223851, Setting a password with a single character, resolved
223854, https://hackerone.com/reports/223854, No Password Length Restriction leads to Denial of Service, resolved
223906, https://hackerone.com/reports/223906, Dropbox Paper - Markdown XSS, resolved
223931, https://hackerone.com/reports/223931, Specify maximal length in new comment, resolved
223936, https://hackerone.com/reports/223936, Multiple cryptographic vulnerabilities in login page on ███████, resolved
223999, https://hackerone.com/reports/223999, CSV export filter bypass leads to formula injection., resolved
224006, https://hackerone.com/reports/224006, HttpOnly Flag not set , resolved
224015, https://hackerone.com/reports/224015, Specify maximal length in translation, resolved
224072, https://hackerone.com/reports/224072, Running 2 accounts with a single email, resolved
224095, https://hackerone.com/reports/224095, password reset email spamming, not-applicable
224096, https://hackerone.com/reports/224096, ShopifyAPI is vulnerable to timing attacks., resolved
224108, https://hackerone.com/reports/224108, Cross Site Scripting, informative
224186, https://hackerone.com/reports/224186, Email spoofing at weblate.org, resolved
224198, https://hackerone.com/reports/224198, Missing/Breach of Internal Security Boundary - Access to Job Queue Results in Remote Code Execution, informative
224214, https://hackerone.com/reports/224214, Lack of Password Confirmation when Changing Password and Email, duplicate
224287, https://hackerone.com/reports/224287, Email verification over an unencrypted channel, resolved
224291, https://hackerone.com/reports/224291, CSV Injection with the CVS export feature - Glossary, resolved
224317, https://hackerone.com/reports/224317, Open redirect while disconnecting authenticated account, resolved
224342, https://hackerone.com/reports/224342, Bypassing captcha in registration on Hosted site, informative
224362, https://hackerone.com/reports/224362, Invalidate session after password reset - hosted website, duplicate
224379, https://hackerone.com/reports/224379, session id missing secure flag - Hosted Website, resolved
224460, https://hackerone.com/reports/224460, Rate Limit Bypass on login Page, resolved
224556, https://hackerone.com/reports/224556, Self-XSS in WordPress Editor Link Modal, resolved
224572, https://hackerone.com/reports/224572, Weak password policy, resolved
224904, https://hackerone.com/reports/224904, SSL Key Certificate expires, informative
224927, https://hackerone.com/reports/224927, Missing Rate Limiting protection leading to mass triggering of e-mails, resolved
225020, https://hackerone.com/reports/225020, reflected xss @ www.█████████, resolved
225098, https://hackerone.com/reports/225098, SQL exception in JSON format, resolved
225100, https://hackerone.com/reports/225100, CSRF to Connect third party Account, resolved
225326, https://hackerone.com/reports/225326, CSRF For Adding Users, resolved
225495, https://hackerone.com/reports/225495, full path disclosure at hosted.weblate.org/admin/accounts/profile/ , resolved
225537, https://hackerone.com/reports/225537, Node modules path disclosure due to lack of error handling, resolved
225540, https://hackerone.com/reports/225540, Incorrect HTTPS Certificate, resolved
225555, https://hackerone.com/reports/225555, ClickJacking on Debug, resolved
225653, https://hackerone.com/reports/225653, Account Takeover using Third party Auth CSRF, resolved
225722, https://hackerone.com/reports/225722, 7BO: Binary Option Robot URL should be HTTPS, resolved
225754, https://hackerone.com/reports/225754, Insecure SHA1withRSA in b5s.hackerone-ext-content.com and a4l.hackerone-ext-content.com, resolved
225769, https://hackerone.com/reports/225769, Facebook share URL should be HTTPS, resolved
225777, https://hackerone.com/reports/225777, DOMPurify 0.8.9 released, resolved
225831, https://hackerone.com/reports/225831, Extract Billing admin email address using random team id, resolved
225897, https://hackerone.com/reports/225897, Throttling Bypass - ws1.dashlane.com, resolved
225901, https://hackerone.com/reports/225901, Missing filteration of meta characters in full name field on registration page https://demo.weblate.org/accounts/register, resolved
225936, https://hackerone.com/reports/225936, Cross-site scripting (XSS) vulnerability on a DoD website, resolved
226037, https://hackerone.com/reports/226037, Wordpress Vulnerable to Potential Unauthorized Password Reset, resolved
226094, https://hackerone.com/reports/226094, I am because bug, spam
226097, https://hackerone.com/reports/226097, I am because bug, spam
226104, https://hackerone.com/reports/226104, Incomplete fix for #181225 (target=_blank vulnerability), not-applicable
226188, https://hackerone.com/reports/226188, I am because bug, spam
226199, https://hackerone.com/reports/226199, Changing Victim's JIRA Integration Settings Through Multiple Bugs, resolved
226203, https://hackerone.com/reports/226203, Cross-site-Scripting, resolved
226211, https://hackerone.com/reports/226211, SQL Injection vulnerability in a DoD website, resolved
226212, https://hackerone.com/reports/226212, directory information disclose, informative
226245, https://hackerone.com/reports/226245, Remote code execution (RCE) in multiple DoD websites, resolved
226334, https://hackerone.com/reports/226334, Improper validation of Email , informative
226335, https://hackerone.com/reports/226335, Escape sequence injection in "summary" field, resolved
226343, https://hackerone.com/reports/226343, Full Path Disclosure in airship.paragonie.com '/cabins/', informative
226408, https://hackerone.com/reports/226408, Open Redirect in shopify app URL, resolved
226418, https://hackerone.com/reports/226418, HackerOne reports escalation to JIRA is CSRF vulnerable, resolved
226427, https://hackerone.com/reports/226427, Information disclosure vulnerability on a DoD website, resolved
226505, https://hackerone.com/reports/226505, There is an vulnerability in https://bridge.cspr.ng where an attacker can users directory, informative
226514, https://hackerone.com/reports/226514, Full Path Disclousure on https://airship.paragonie.com, informative
226518, https://hackerone.com/reports/226518, no session logout after changing the password  in https://bridge.cspr.ng/, informative
226612, https://hackerone.com/reports/226612, CSRF, resolved
226640, https://hackerone.com/reports/226640, IDOR in tender.mail.ru leading to Information Disclosure, resolved
226648, https://hackerone.com/reports/226648, Unauthorized access to the slack channel via inside.gratipay.com/appendices/chat, informative
226659, https://hackerone.com/reports/226659, Password Reset link hijacking via Host Header Poisoning , resolved
226712, https://hackerone.com/reports/226712, Broken Authentication & Session Management - Failure to Invalidate Session on all other browsers at Password change, not-applicable
226756, https://hackerone.com/reports/226756, local file disclosure via FFmpeg hls processing, resolved
226783, https://hackerone.com/reports/226783, HTML Injection on airlink.ubnt.com, resolved
227102, https://hackerone.com/reports/227102, Two Error-Based SQLi in courses.aspx on ██████████, resolved
227230, https://hackerone.com/reports/227230, API Webhooks Fire And Are Unlisted After Permissions Removed, resolved
227298, https://hackerone.com/reports/227298, dom based xss in *.zendesk.com/external/zenbox/, resolved
227344, https://hackerone.com/reports/227344, CVE-2017-8798 - miniupnp getHTTPResponse chunked encoding integer signedness error, resolved
227486, https://hackerone.com/reports/227486, XSS on https://www.starbucks.co.uk (can lead to credit card theft) (/shop/paymentmethod), resolved
227522, https://hackerone.com/reports/227522, IDOR in editing courses, resolved
227587, https://hackerone.com/reports/227587, SQL Injection vulnerability in a DoD website, resolved
227643, https://hackerone.com/reports/227643, Cross-site scripting (XSS) vulnerability on a DoD website, resolved
227659, https://hackerone.com/reports/227659, Weak password requirement on techsupport.teradici.com , resolved
227663, https://hackerone.com/reports/227663, [https://www.dashlane.com] Test Panel Disclosure, resolved
227725, https://hackerone.com/reports/227725, Missing CSRF Token On Add Coupon To Basket, duplicate
227726, https://hackerone.com/reports/227726, Missing CSRF Token On Remove Coupun From Cart, duplicate
227762, https://hackerone.com/reports/227762, Heap Overflow in fiber_switch triggered from Fiber.transfer, resolved
227781, https://hackerone.com/reports/227781, Получение предложенных фотографий паблику , resolved
227806, https://hackerone.com/reports/227806, [qiwi.me] No limits on image download requests, resolved
227837, https://hackerone.com/reports/227837, ClickJacking in editing business name, informative
227880, https://hackerone.com/reports/227880, XXE in DoD website that may lead to RCE, resolved
228006, https://hackerone.com/reports/228006, Cross-site Scripting (XSS) on [maximum.nl] , resolved
228112, https://hackerone.com/reports/228112, Directory Disclose,Email Disclose Zendmail vulnerability, resolved
228156, https://hackerone.com/reports/228156, https://www.legalrobot.com/, not-applicable
228295, https://hackerone.com/reports/228295, User can be fooled to Bookmark any restaurant by clickjacking, informative
228323, https://hackerone.com/reports/228323, Weak Password Policy on techsupport.teradici.com, duplicate
228383, https://hackerone.com/reports/228383, IDOR on DoD Website exposes FTP users and passes linked to all accounts!, resolved
228399, https://hackerone.com/reports/228399, Any authenticated user can download full list of users, including email, resolved
228471, https://hackerone.com/reports/228471, DNSSEC Zone Walk using NSEC Records, informative
228495, https://hackerone.com/reports/228495, Partial disclosure of Private Videos through data-mediabook attribute information leak, resolved
228539, https://hackerone.com/reports/228539, self xss in, not-applicable
228648, https://hackerone.com/reports/228648, WannaCrypt “Killswitch”, resolved
228825, https://hackerone.com/reports/228825, (Authenticated) RCE by bypassing of the .htaccess blacklist, resolved
228854, https://hackerone.com/reports/228854, WordPress Automatic Update Protocol Does Not Authenticate Updates Provided by the Server, not-applicable
228873, https://hackerone.com/reports/228873, Misconfiguration: Missing Custom Error Page (CWE-12 & CWE-756), informative
229170, https://hackerone.com/reports/229170, RTLO character allowed in shared files, informative
229199, https://hackerone.com/reports/229199, Limited code execution vulnerability on a DoD website, resolved
229405, https://hackerone.com/reports/229405, Csrf in watch-unwatch projects, resolved
229417, https://hackerone.com/reports/229417, Design Flaw in session management of password reset , resolved
229483, https://hackerone.com/reports/229483, Improper validation of unicode characters, resolved
229498, https://hackerone.com/reports/229498, Host header injection/redirection via newsletter signup, resolved
229511, https://hackerone.com/reports/229511, No Rate Limiting at /contact, resolved
229528, https://hackerone.com/reports/229528, Login CSRF : Login Authentication Flaw, resolved
229532, https://hackerone.com/reports/229532, Insecure Account Removal #2, resolved
229541, https://hackerone.com/reports/229541, Captcha Bypass at Email Reset can lead to Spamming users., resolved
229577, https://hackerone.com/reports/229577, Old password can be new password, resolved
229584, https://hackerone.com/reports/229584, Captcha bypass at registration, informative
229599, https://hackerone.com/reports/229599, Email Spoofing Vulnerability from nextcloud., spam
229622, https://hackerone.com/reports/229622, Directory traversal at https://nightly.ubnt.com, resolved
229690, https://hackerone.com/reports/229690, Amazon S3 bucket misconfiguration (share), resolved
229796, https://hackerone.com/reports/229796, Missing restriction on string size, resolved
229825, https://hackerone.com/reports/229825, Rate Limit Issue on hosted.weblate.org, resolved
229869, https://hackerone.com/reports/229869, Adding Email lacks Password validation, resolved
229909, https://hackerone.com/reports/229909, No notificatoin sent on email after account deletion., resolved
229920, https://hackerone.com/reports/229920, Password Restriction, resolved
229987, https://hackerone.com/reports/229987, Password token validation in https://demo.weblate.org/, resolved
230029, https://hackerone.com/reports/230029, Stored XSS in Pages SEO dialog Name field (concrete5 8.1.0), resolved
230076, https://hackerone.com/reports/230076, Takeover of an account via reset password options after removing the account, resolved
230098, https://hackerone.com/reports/230098, Full directory path listing, spam
230119, https://hackerone.com/reports/230119, Reflected XSS in Zomato Mobile - category parameter, resolved
230194, https://hackerone.com/reports/230194, Option method enabled, resolved
230231, https://hackerone.com/reports/230231, XSS в портальной навигации, resolved
230278, https://hackerone.com/reports/230278, Stored XSS in Headline TextControl element in Express forms [ concrete5 8.1.0 ], resolved
230328, https://hackerone.com/reports/230328, IDOR unsubscribe Anyone from NextClouds Newsletters by knowing their Email , resolved
230428, https://hackerone.com/reports/230428, Csrf bug on signup session, informative
230435, https://hackerone.com/reports/230435, DOM Based XSS In mercantile.wordpress.org, resolved
230525, https://hackerone.com/reports/230525, Domain takeover (legalrobot.co.za), resolved
230581, https://hackerone.com/reports/230581, Clickjacking wordcamp.org, resolved
230608, https://hackerone.com/reports/230608, [marketplace.informatica.com] User email disclosure, resolved
230633, https://hackerone.com/reports/230633, Weblate- Banner Grabbing-Ngnix Server version, resolved
230648, https://hackerone.com/reports/230648, Weblate |Security Misconfiguration| Method Enumeration Possible on domain , resolved
230674, https://hackerone.com/reports/230674, No rate limiting at POST /2/2017-05-22/send_identifier_token, resolved
230681, https://hackerone.com/reports/230681, Reflected XSS on Branch domain, resolved
230688, https://hackerone.com/reports/230688, CSRF на сброс ключа трансляции., resolved
230714, https://hackerone.com/reports/230714, Arbitary file download vulnerability on a DoD website, resolved
230832, https://hackerone.com/reports/230832, cuvva.com vulnerable to sweet32, informative
230837, https://hackerone.com/reports/230837, CSRF To Like/Unlike Photos, resolved
230863, https://hackerone.com/reports/230863, CSRF bypass ( Delate Source Translation From dictionaries ) in demo.weblate.org, resolved
230870, https://hackerone.com/reports/230870, Arbitary file download vulnerability on a DoD website, resolved
231062, https://hackerone.com/reports/231062, CSP "script-src" includes "unsafe-inline" in weblate.org and demo.weblate.org, informative
231068, https://hackerone.com/reports/231068, RC4 cipher suit in use in vpn.corp.cuvva.co, resolved
231086, https://hackerone.com/reports/231086, CSP "script-src" includes "unsafe-inline" in https://gratipay.com, informative
231267, https://hackerone.com/reports/231267, Development configuration file, resolved
231374, https://hackerone.com/reports/231374, cuvva.com website CSP "script-src" includes "unsafe-inline", informative
231380, https://hackerone.com/reports/231380, Missing rate limit on https://underwriter.partner.cuvva.com/login, resolved
231389, https://hackerone.com/reports/231389, Stored XSS in snapmatic comments, resolved
231434, https://hackerone.com/reports/231434, https://admin.corp.cuvva.co/ is vulnerable to Clickjacking attacks due to missing X-Frame-Options , resolved
231444, https://hackerone.com/reports/231444, Stored XSS in profile activity feed messages, resolved
231460, https://hackerone.com/reports/231460, Open prod Jenkins instance, resolved
231508, https://hackerone.com/reports/231508, CRLF Injection [vpn.corp.cuvva.com], resolved
231510, https://hackerone.com/reports/231510, Gratipay Website CSP "script-scr" includes "unsafe-inline", informative
231524, https://hackerone.com/reports/231524, HTML injection and limited XSS via logo image upload - Nextcloud 12.0.0, resolved
231687, https://hackerone.com/reports/231687, Remote Code Execution (RCE) vulnerability in multiple DoD websites, resolved
231694, https://hackerone.com/reports/231694, Clickjacking vulnerability in support-dashboard.corp.cuvva.co, informative
231713, https://hackerone.com/reports/231713,  OLX is vulnerable to clickjaking, informative
231738, https://hackerone.com/reports/231738, No Notification Sent When Email Is Changed., resolved
231749, https://hackerone.com/reports/231749, Your two domain login email address are disclosed in , resolved
231760, https://hackerone.com/reports/231760, Open redirect on sign in , not-applicable
231805, https://hackerone.com/reports/231805, Insecure Cache-Control Leading to API key Retrieval, resolved
231813, https://hackerone.com/reports/231813, Verification code for Underwriter dashboard can be brute-forced, informative
231917, https://hackerone.com/reports/231917, Shared file link - password protection bypass under certain conditions, resolved
231926, https://hackerone.com/reports/231926, Remote Code Execution (RCE) in a DoD website, resolved
232150, https://hackerone.com/reports/232150, heap-buffer-overflow (READ of size 11) in Perl 5.25.x, resolved
232174, https://hackerone.com/reports/232174, XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications, resolved
232185, https://hackerone.com/reports/232185, Subdomain take over oh-no.cuvva.co and ohno.cuvva.co, informative
232306, https://hackerone.com/reports/232306, Improper Cookie expiration | Cookies Expiration Set to Future , resolved
232327, https://hackerone.com/reports/232327, CRLF Injection on openvpn.svc.ubnt.com, resolved
232330, https://hackerone.com/reports/232330, Remote Code Execution (RCE) vulnerability in a DoD website, resolved
232347, https://hackerone.com/reports/232347, [FG-VD-17-063] NextCloud Insufficient Attack Protection Vulnerability Notification, resolved
232403, https://hackerone.com/reports/232403, Missing Rate limiting on https://underwriter.partner.cuvva.com/login, duplicate
232432, https://hackerone.com/reports/232432, Universal Cross-Site Scripting in Keybase Chrome extension, resolved
232499, https://hackerone.com/reports/232499, Control characters incorrectly handled on Crew Status Update, resolved
232562, https://hackerone.com/reports/232562, IDOR spam anyone's cellphone number through Cuvva app link, informative
232614, https://hackerone.com/reports/232614, Uploaded XLF files result in External Entity Execution, resolved
232878, https://hackerone.com/reports/232878, Missing rate-limits at endpoints, resolved
232994, https://hackerone.com/reports/232994, API Does Not Apply Access Controls to Translations, resolved
233099, https://hackerone.com/reports/233099, CSRF in Report Lost or Stolen Page https://www.starbucks.com/account/card, resolved
233376, https://hackerone.com/reports/233376, mailbomb through invite feature on chrome addon, resolved
233379, https://hackerone.com/reports/233379, Attacker can trick other into logging in as themselves, resolved
233402, https://hackerone.com/reports/233402, Possible Subdomain Takeover, resolved
233408, https://hackerone.com/reports/233408, Subdomain takeover (sales.mixmax.com), resolved
233440, https://hackerone.com/reports/233440, heap-buffer-overflow (READ of size 61) in Perl_re_intuit_start(), resolved
234701, https://hackerone.com/reports/234701, Security Vulnerability - SMTP protection not used, resolved
234713, https://hackerone.com/reports/234713, Clickjacking on Mixmax.com, resolved
234758, https://hackerone.com/reports/234758, CRLF Injection on https://vpn.mixmax.com, resolved
234947, https://hackerone.com/reports/234947, Sensitive Support Mail Disclosure, resolved
235016, https://hackerone.com/reports/235016, rpcbind "rpcbomb" CVE-2017-8779, CVE-2017-8804, resolved
235059, https://hackerone.com/reports/235059, Privilege escalation-User who does not have access is able to add notes to the contact, resolved
235139, https://hackerone.com/reports/235139, Twitter SSO allows unverified e-mail registration, leads to Slack and social media hijacks, resolved
235200, https://hackerone.com/reports/235200, Cross-origin resource sharing misconfig | steal user information , resolved
235216, https://hackerone.com/reports/235216, Exposed FTP Credentials on ███████, resolved
235292, https://hackerone.com/reports/235292, [compose.mixmax.com] Stored XSS on compose.mixmax.com in contact names., resolved
235605, https://hackerone.com/reports/235605, Remote Code Execution (RCE) in DoD Websites, resolved
235642, https://hackerone.com/reports/235642, [CRITICAL] Full account takeover using CSRF, resolved
235842, https://hackerone.com/reports/235842, Ruby 2.3.x and 2.2.x still bundle DoS vulnerable verision of libYAML, resolved
235866, https://hackerone.com/reports/235866, Cross-site Scripting (XSS) in /updates-pro/archive/, resolved
236188, https://hackerone.com/reports/236188, Missing restriction on string size of contact field, resolved
236276, https://hackerone.com/reports/236276, Unable to register in starbucks app, not-applicable
236301, https://hackerone.com/reports/236301, Blind SSRF due to img tag injection in career form, resolved
236349, https://hackerone.com/reports/236349, [out-of-scope] toxiproxy: Lack of CSRF protection allows an attacker to gain access to internal Shopify network, resolved
236390, https://hackerone.com/reports/236390, Email Leakage in staging environment, resolved
236398, https://hackerone.com/reports/236398, no captcha for register user and weak question attacker can spam email, resolved
236533, https://hackerone.com/reports/236533, Session cookie without secure flag on https://underwriter.partner.cuvva.com, resolved
236552, https://hackerone.com/reports/236552, Unauthenticated RCE in Vaultpress, resolved
236599, https://hackerone.com/reports/236599, Open redirects protection bypass, resolved
236607, https://hackerone.com/reports/236607, Remote Code Execution in the Import Channel function, resolved
237071, https://hackerone.com/reports/237071, X-Frame-Options, informative
237100, https://hackerone.com/reports/237100, [app.mixmax.com] Stored XSS on Adding new enhancement., resolved
237125, https://hackerone.com/reports/237125, no string size restriction on team name, resolved
237184, https://hackerone.com/reports/237184, Session fixation in password protected public download., resolved
237232, https://hackerone.com/reports/237232, Unauthenticated 'display name' information leak on enumeration of login names, resolved
237262, https://hackerone.com/reports/237262, Invitation tokens leak to Google Analytics, resolved
237357, https://hackerone.com/reports/237357, CRLF Injection at vpn.bitstrips.com, resolved
237381, https://hackerone.com/reports/237381, SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing, resolved
237544, https://hackerone.com/reports/237544, Weak Password Policy, informative
237860, https://hackerone.com/reports/237860, ci.nextcloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service), resolved
237915, https://hackerone.com/reports/237915, PHP mbstring / Oniguruma multiple remote heap/stack corruptions, resolved
237927, https://hackerone.com/reports/237927, Stored XSS templates -> 'call for action' feature, resolved
238041, https://hackerone.com/reports/238041, BruteForce Any [My.com] Account Credentials., resolved
238117, https://hackerone.com/reports/238117, Open redirect while disconnecting Email, resolved
238260, https://hackerone.com/reports/238260, Uninstalling Slack for Windows (64-bit), then reinstalling keeps you logged in without authentication, resolved
238344, https://hackerone.com/reports/238344, http://lists.parrotsec.org vulnerable to MITM, resolved
238842, https://hackerone.com/reports/238842, XSS on http://irc.parrotsec.org, resolved
238890, https://hackerone.com/reports/238890, SAUCE Access_key and User_name leaked in Travis CI build logs, resolved
238906, https://hackerone.com/reports/238906, Stored XSS in Templates>Enahance>Social Badges, resolved
238915, https://hackerone.com/reports/238915, Text injection on status.algolia.com, resolved
239170, https://hackerone.com/reports/239170, CSRF bug , not-applicable
239359, https://hackerone.com/reports/239359, Timing attack woocommerce, simplify commerce gateway, resolved
239380, https://hackerone.com/reports/239380, Session Cookie without HttpOnly and secure flag set, informative
239479, https://hackerone.com/reports/239479, HTTP - Basic Authentication on https://www.stellar.org/wp-login.php, not-applicable
239481, https://hackerone.com/reports/239481, [gamesventures.mail.ru] Publicly accessible GIT directory, resolved
239482, https://hackerone.com/reports/239482, [sputnik.mail.ru] Publicly accessible GIT directory, resolved
239503, https://hackerone.com/reports/239503, Open Redirect & Information Disclosure [mijn.werkenbijdefensie.nl], resolved
239623, https://hackerone.com/reports/239623, Many Slack teams can be joined by abusing an improperly configured support@ inbox, resolved
239719, https://hackerone.com/reports/239719, Privilege Escalation using API->Feature, resolved
239762, https://hackerone.com/reports/239762, XSS at https://app.goodhire.com/member/GH.aspx, resolved
239818, https://hackerone.com/reports/239818, Design issue with webhook (several) notifications on mixmax.com, resolved
240048, https://hackerone.com/reports/240048, Imperfect CSRF To Overwrite Server Config at /go/admin/restful/configuration/file/POST/xml, resolved
240083, https://hackerone.com/reports/240083, Updating payout preference to CurrencyCloud doesn't notify user via email, resolved
240091, https://hackerone.com/reports/240091, Open redirect at app.goodhire.com via ReturnUrl parameter, resolved
240098, https://hackerone.com/reports/240098, CSRF: Replacing the router configuration backup having an 'operator' user and bypassing the "Referer:' whitelist protection, resolved
240256, https://hackerone.com/reports/240256, [mercantile.wordpress.org] Reflected XSS, resolved
240562, https://hackerone.com/reports/240562, Privilege Escalation., resolved
240659, https://hackerone.com/reports/240659, heap-buffer-overflow (READ of size 1) in cpptoml::parser::consume_whitespace(), resolved
240821, https://hackerone.com/reports/240821, Ability To Takeover any account by Emaill., resolved
240886, https://hackerone.com/reports/240886, Multiple File Manipulation bugs in WP Super Cache , resolved
240958, https://hackerone.com/reports/240958, Firefly's verify_access_token() function does a byte-by-byte comparison of HMAC values., resolved
240987, https://hackerone.com/reports/240987, Email Spoofing, duplicate
240989, https://hackerone.com/reports/240989, xss found in zomato, resolved
241044, https://hackerone.com/reports/241044, Privilege Escalation: From operator to ubnt (and root) with non-interactive Session Hijacking, resolved
241192, https://hackerone.com/reports/241192, CSP Policy Bypass and javascript execution, duplicate
241194, https://hackerone.com/reports/241194, Session ID is accessible via XSS, resolved
241198, https://hackerone.com/reports/241198, pornhub.com/user/welcome/basicinfo nickname field is vulnerable on xss, resolved
241202, https://hackerone.com/reports/241202, Unsafe arithmetic in PyString_DecodeEscape, resolved
241231, https://hackerone.com/reports/241231, flash injection in http://www.rockstargames.com/IV/imgPlayer/imageEmbed.swf, resolved
241244, https://hackerone.com/reports/241244, Spring security configuration allows agent sessions to be hijacked, resolved
241323, https://hackerone.com/reports/241323, woocommerce - prevent_caching() bug / bypass, resolved
241341, https://hackerone.com/reports/241341, CSP Policy Bypass and javascript execution Still Not Fixed, duplicate
241484, https://hackerone.com/reports/241484, Открытое перенапровление на OpenID, resolved
241503, https://hackerone.com/reports/241503, Possible subdomain takeover at openapi.starbucks.com, resolved
241596, https://hackerone.com/reports/241596, Improper validation of unicode characters still not fixed, resolved
241598, https://hackerone.com/reports/241598, Full Name Overwrite on Third party login, resolved
241608, https://hackerone.com/reports/241608, Running 2 accounts with a single email [Part 2], resolved
241619, https://hackerone.com/reports/241619, DOM-based XSS in store.starbucks.co.uk on IE 11, resolved
241623, https://hackerone.com/reports/241623, Persistence of Third Party Association., resolved
241892, https://hackerone.com/reports/241892, Possible user session hijack by invalid HTTPS certificate on inside.gratipay.com domain, duplicate
241950, https://hackerone.com/reports/241950, Non-secure requests are not automatically upgraded to HTTPS, informative
242119, https://hackerone.com/reports/242119, Roundcube virtualmin privilege escalation (CVE-2017-8114), resolved
242171, https://hackerone.com/reports/242171, Improper validation of unicode characters, resolved
242213, https://hackerone.com/reports/242213, Stored XSS in the any user profile using website link, resolved
242243, https://hackerone.com/reports/242243, Open Redirect through POST Request, resolved
242314, https://hackerone.com/reports/242314, Open redirect on https://werkenbijdefensie.nl/, resolved
242354, https://hackerone.com/reports/242354, Null pointer dereference with send/method_missing, resolved
242407, https://hackerone.com/reports/242407, Privilege Escalation with Session Hijacking Having a Non-privileged Valid User, resolved
242408, https://hackerone.com/reports/242408, Нет маркера на добавление песни в плейлист пользователя, resolved
242489, https://hackerone.com/reports/242489, Possibility of DOS Through logging System, informative
242579, https://hackerone.com/reports/242579, 4 severe remote + several minor OpenVPN vulnerabilities, resolved
242622, https://hackerone.com/reports/242622, Possible User Session Hijack using Invalid HTTPS certificate on inside.gratipay.com domain, not-applicable
242727, https://hackerone.com/reports/242727, Android content provider exposes password-protected share password hashes, resolved
242765, https://hackerone.com/reports/242765, Any user with invite capabilities can take-over any account on Discourse, resolved
242846, https://hackerone.com/reports/242846, Password Change not notified when changed from settings, informative
242874, https://hackerone.com/reports/242874, Bypassing Verify Humans Page, informative
242905, https://hackerone.com/reports/242905, XSS in http://www.rockstargames.com/theballadofgaytony/js/jquery.base.js, resolved
242945, https://hackerone.com/reports/242945, No filteration of null characters in name field, resolved
242964, https://hackerone.com/reports/242964, Adding or removing a new non-preferred payout method does not trigger an e-mail or account notification, resolved
243001, https://hackerone.com/reports/243001, Open Redirect, resolved
243003, https://hackerone.com/reports/243003, No limit of summary length allows Denail of Service, resolved
243049, https://hackerone.com/reports/243049, Call back number not verified, informative
243094, https://hackerone.com/reports/243094, Paragonie Airship Admin CSRF on Extensions Pages, resolved
243138, https://hackerone.com/reports/243138, Improper parsing of input could lead to future XSS vulnerabilities in Sequences, informative
243156, https://hackerone.com/reports/243156, Installing a crafted gem package may create or overwrite files, resolved
243277, https://hackerone.com/reports/243277, SSRF via webhook, resolved
243474, https://hackerone.com/reports/243474, Identity Login Page Redirect Can Be Manipulated, resolved
243594, https://hackerone.com/reports/243594, Reset password more than once with a reset link, resolved
243609, https://hackerone.com/reports/243609, The username of an account can be .., resolved
243611, https://hackerone.com/reports/243611, Improper validation of unicode characters still not fixed #2, resolved
243616, https://hackerone.com/reports/243616, Previous password could set as new password, resolved
243619, https://hackerone.com/reports/243619, No Rate Limitation on Regenerate Api Key, resolved
243635, https://hackerone.com/reports/243635, Improper validation of unicode characters #3, resolved
243824, https://hackerone.com/reports/243824, [afisha.mail.ru] HTML-инъекция через XSS на портале виджета, resolved
243842, https://hackerone.com/reports/243842, Password token validation in Weblate Bypass, resolved
243865, https://hackerone.com/reports/243865, SSRF thru File Replace, resolved
243943, https://hackerone.com/reports/243943, IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop, resolved
244070, https://hackerone.com/reports/244070, SSl Weak Ciphers, duplicate
244092, https://hackerone.com/reports/244092, Password of failed (2FA) login attempt is stored in log, resolved
244287, https://hackerone.com/reports/244287, Password token validation in Weblate Bypass #2, resolved
244292, https://hackerone.com/reports/244292, CSV Injection https://hub.grab.com, resolved
244432, https://hackerone.com/reports/244432, Missing SPF Flags, resolved
244434, https://hackerone.com/reports/244434, Leaking password reset token via referrer from external Twitter share button, resolved
244459, https://hackerone.com/reports/244459, Apache HTTP Request Parsing Whitespace Defects, resolved
244474, https://hackerone.com/reports/244474, Mailgun misconfiguration , resolved
244555, https://hackerone.com/reports/244555, Email Spoofing Via /api/v1/users/reset_password, resolved
244567, https://hackerone.com/reports/244567, [Privilege Escalation] Authenticated users can manipulate others fullname without their knowledge, resolved
244612, https://hackerone.com/reports/244612, Password reset links should expire after being used, instead of at specific time, resolved
244614, https://hackerone.com/reports/244614, Password token validation in https://wakatime.com/, resolved
244636, https://hackerone.com/reports/244636, IDOR create accounts and verify them with original account email, resolved
244677, https://hackerone.com/reports/244677, Add arbitrary content to Password Reset Email, resolved
244697, https://hackerone.com/reports/244697, UI Redressing on Embedded Charts, resolved
244721, https://hackerone.com/reports/244721, Open Redirect on [My.com], resolved
244724, https://hackerone.com/reports/244724, Unsafe Inline and Eval CSP Usage, resolved
244766, https://hackerone.com/reports/244766, https://wakatime.com/ website CSP "script-src" includes "unsafe-inline", resolved
244778, https://hackerone.com/reports/244778, Logout CSRF, duplicate
244781, https://hackerone.com/reports/244781, Users with member privilege are able to see emails and membership information of other users, resolved
244813, https://hackerone.com/reports/244813, No rate limit when creating new goals [https://wakatime.com/goals], resolved
244836, https://hackerone.com/reports/244836, [Critical] billion dollars issue, spam
244875, https://hackerone.com/reports/244875, Session Not Expired On Logout, duplicate
244902, https://hackerone.com/reports/244902, XSS through document projects, resolved
244904, https://hackerone.com/reports/244904, Use after free in mruby-mpdecimal, resolved
244958, https://hackerone.com/reports/244958, No redirect uri for Twitter Oath resulting in token leak, resolved
244967, https://hackerone.com/reports/244967, Clickjacking on authorized page https://wakatime.com/share/embed, resolved
244971, https://hackerone.com/reports/244971, No notificatoin sent on email after account deletion., resolved
245124, https://hackerone.com/reports/245124, Session not expired on logout, duplicate
245147, https://hackerone.com/reports/245147, No rate limiting for confirmation email, can spam anyone with confirmation emails, resolved
245221, https://hackerone.com/reports/245221, null pointer dereference and segfault in tile-count-merge, resolved
245228, https://hackerone.com/reports/245228, Object Injection in Woocommerce / Handle PDT Responses from PayPal, resolved
245233, https://hackerone.com/reports/245233, HTML - injection , not-applicable
245236, https://hackerone.com/reports/245236, Missing filteration of meta characters in all full name field on wakatime.com, resolved
245296, https://hackerone.com/reports/245296, Persistent XSS on keybase.io via "payload" field in `/user/sigchain_signature.toffee` template, resolved
245304, https://hackerone.com/reports/245304, Running 2 accounts with a single email #3, resolved
245305, https://hackerone.com/reports/245305, Two email addresses can access the same account, resolved
245311, https://hackerone.com/reports/245311, Missing Account Deletion Notification, resolved
245334, https://hackerone.com/reports/245334, Lack of Password Confirmation When Changing Email, resolved
245340, https://hackerone.com/reports/245340, Bypassing Access control, changing owner's name in a private leaderboard, resolved
245346, https://hackerone.com/reports/245346, JSON CSRF on POST Heartbeats API, resolved
245408, https://hackerone.com/reports/245408, Login to any account with the emailaddress, resolved
245450, https://hackerone.com/reports/245450, Reset password more than once with a reset link #2, resolved
245485, https://hackerone.com/reports/245485, CRLF Injection on ███████, resolved
245514, https://hackerone.com/reports/245514, Sensitive Cookie Without 'HttpOnly' Flag, informative
245518, https://hackerone.com/reports/245518, [debian.weblate.org]-Missing SPF Record, resolved
245527, https://hackerone.com/reports/245527, No rate limit on creating private leaderboards., resolved
245538, https://hackerone.com/reports/245538, Blocking users to sign up on the site, resolved
245762, https://hackerone.com/reports/245762, self cross site scripting, informative
245956, https://hackerone.com/reports/245956, Use-after-free in PHP7's unserialize(), resolved
245969, https://hackerone.com/reports/245969, Use any User to Follow you (Increase Followers) [IDOR], resolved
246042, https://hackerone.com/reports/246042, Password Policy Issue, resolved
246055, https://hackerone.com/reports/246055, Public calendar link can be invisible, resolved
246085, https://hackerone.com/reports/246085, Просмотр аватара и название частной группы, resolved
246302, https://hackerone.com/reports/246302, Running 2 accounts with a single email, informative
246412, https://hackerone.com/reports/246412, SQL Injection, exploitable in boolean mode, resolved
246419, https://hackerone.com/reports/246419, [Privilege Escalation] Authenticated users can manipulate others fullname without their knowledge [Team Vector], resolved
246505, https://hackerone.com/reports/246505, Reflected XSS via Double Encoding, resolved
246634, https://hackerone.com/reports/246634, XSS в письме, в поле отправителя., resolved
246663, https://hackerone.com/reports/246663, [FG-VD-17-115] Mail.ru's Amigo Browser DLL Pre-Loading Vulnerability Notification, resolved
246780, https://hackerone.com/reports/246780, Using an outdated version of OpenSSH on db01.wakatime.com, resolved
246794, https://hackerone.com/reports/246794, XSS on "widgets.shopifyapps.com" via "stripping" attribute and "shop" parameter, resolved
246801, https://hackerone.com/reports/246801, Captcha Bypass in Coinbase SignUp Form, resolved
246803, https://hackerone.com/reports/246803, [spectacles.com] Bypassing quantity limit in orders, resolved
246819, https://hackerone.com/reports/246819, Private videos can be added to our playlists, resolved
246838, https://hackerone.com/reports/246838, by pass rate limit exceed , resolved
246897, https://hackerone.com/reports/246897, Open Redirect, resolved
246995, https://hackerone.com/reports/246995, [█████████] Hardcoded credentials in Android App, resolved
247002, https://hackerone.com/reports/247002, Apache Server-Status Detected, resolved
247027, https://hackerone.com/reports/247027, CVE-2017-10965: Null pointer dereference in Irssi <1.0.4 , resolved
247028, https://hackerone.com/reports/247028, CVE-2017-10966: Heap-use-after-free in Irssi <1.0.4, resolved
247072, https://hackerone.com/reports/247072, Узнать название частной группы и ее аватарку по видеоролику., resolved
247084, https://hackerone.com/reports/247084, Moneybird customers invoices leak in cacheable urls, resolved
247158, https://hackerone.com/reports/247158, Bypass OTP verification when placing Order, resolved
247225, https://hackerone.com/reports/247225, Session Duplication due to Broken Access Control, duplicate
247246, https://hackerone.com/reports/247246, Dom based xss affecting all pages from https://www.grab.com/., resolved
247517, https://hackerone.com/reports/247517, Stored XSS in Private Messages 'Reply' allows to execute malicious JavaScript against any user while replying to the message which contains payload, resolved
247521, https://hackerone.com/reports/247521, Stored XSS in Name field in User Groups/Group Details form, resolved
247628, https://hackerone.com/reports/247628, Reading redacted data via hackbot's answers, resolved
247640, https://hackerone.com/reports/247640, Ruby 2.4.1 has "Stack consistency error" and aborts when processing return statement within a case statement, informative
247680, https://hackerone.com/reports/247680, SSRF in imgur video GIF conversion, resolved
247700, https://hackerone.com/reports/247700, Application-level DoS on image's "size" parameter., resolved
247721, https://hackerone.com/reports/247721, The auth token does not expire on logging out and even after logging out all sessions, resolved
248037, https://hackerone.com/reports/248037, SQL TEST, not-applicable
248116, https://hackerone.com/reports/248116, Remote Code Execution (RCE) in a DoD website, resolved
248133, https://hackerone.com/reports/248133, Stored XSS vulnerability in RSS Feeds Description field, resolved
248560, https://hackerone.com/reports/248560, [parcel.grab.com] DOM XSS at /assets/bower_components/lodash/perf/, resolved
248588, https://hackerone.com/reports/248588, [wakatime.com] HTML Injection github-btn.html, resolved
248599, https://hackerone.com/reports/248599, Information disclosure same issue #176002, resolved
248601, https://hackerone.com/reports/248601, PHP INI Parsing Stack Buffer Overflow Vulnerability, resolved
248609, https://hackerone.com/reports/248609, PHP OpenSSL zif_openssl_seal() heap overflow (wild memcpy), resolved
248656, https://hackerone.com/reports/248656, bypass of 2FA, resolved
248659, https://hackerone.com/reports/248659, PHP WDDX Deserialization Heap OOB Read in timelib_meridian(), resolved
248668, https://hackerone.com/reports/248668, XXE on sms-be-vip.twitter.com in SXMP Processor, resolved
248693, https://hackerone.com/reports/248693, Git repository found, resolved
249234, https://hackerone.com/reports/249234, Posting to Twitter CSRF on php/post_twitter_authenticate.php, resolved
249337, https://hackerone.com/reports/249337, Non-functional 2FA recovery codes, resolved
249339, https://hackerone.com/reports/249339, Missing link to TOTP manual enroll option, resolved
249346, https://hackerone.com/reports/249346, Missing link to 2FA recovery code, resolved
249398, https://hackerone.com/reports/249398, Password complexity not evenly enforced, resolved
249431, https://hackerone.com/reports/249431, 2FA user enumeration via password reset, resolved
249467, https://hackerone.com/reports/249467, 2FA user enumeration via login, resolved
249695, https://hackerone.com/reports/249695, 2FA Error Handling on Google Authenticator, resolved
249759, https://hackerone.com/reports/249759, Lack of Sanitization and Insufficient Authentication, resolved
249786, https://hackerone.com/reports/249786, Отсутствие flood контроля в ИСТОРИЯХ вк, resolved
250082, https://hackerone.com/reports/250082, Enhancement: email confirmation for 2FA recovery, resolved
250088, https://hackerone.com/reports/250088, Account profile shows encryption recovery box for all users, resolved
250243, https://hackerone.com/reports/250243, Users with 2FA can have multiple sessions, resolved
250253, https://hackerone.com/reports/250253, Password complexity ignores empty spaces, resolved
250273, https://hackerone.com/reports/250273, Image lib - unescaped file path, resolved
250386, https://hackerone.com/reports/250386, CSRF Проверить является ли пользователь админом группы., resolved
250430, https://hackerone.com/reports/250430, CSRF on cuvva.insure allows to attacker to send multiple SMS to download the app without visiting the cuvva, informative
250457, https://hackerone.com/reports/250457, User enumeration, resolved
250581, https://hackerone.com/reports/250581, CVE-2017-11367: Global buffer overflow (READ of size 4) in shoco C library , resolved
250587, https://hackerone.com/reports/250587, Potential code injection in fun delete_directory, resolved
250741, https://hackerone.com/reports/250741, [New Feature] Password history check, resolved
250766, https://hackerone.com/reports/250766, Subdomain misconfiguration [mail.legalrobot.com], informative
250837, https://hackerone.com/reports/250837, Stored xss via template injection, resolved
251043, https://hackerone.com/reports/251043, Stored XSS at Moneybird, resolved
251200, https://hackerone.com/reports/251200, Missing Issuer parameter on TOTP 2FA, resolved
251224, https://hackerone.com/reports/251224, Blind stored xss [parcel.grab.com] > name parameter , resolved
251358, https://hackerone.com/reports/251358, Stored XSS vulnerability in additional URLs in 'Location' dialog [Sitemap], resolved
251468, https://hackerone.com/reports/251468, Pages don't render in old browsers like IE11, resolved
251469, https://hackerone.com/reports/251469, Meta characters are not filtered into full name on profile page, resolved
251526, https://hackerone.com/reports/251526, No notification on change password feature, resolved
251572, https://hackerone.com/reports/251572, Length extension attack leading to HTML injection, resolved
251732, https://hackerone.com/reports/251732, uninitilized server memory disclosure via ImageMagick in my.mail.ru and cloud.mail.ru, resolved
251747, https://hackerone.com/reports/251747, Frans Visits Vegas Announcement, resolved
252043, https://hackerone.com/reports/252043, Restaurant payment information leakage, resolved
252324, https://hackerone.com/reports/252324, CSRF Добавить просмотр к записи без ведома пользователя., resolved
252544, https://hackerone.com/reports/252544, Token leakage by referrer header & analytics, resolved
252580, https://hackerone.com/reports/252580, Scrollbar Width permits detecting browser platform, resolved
252626, https://hackerone.com/reports/252626, [Android org.torproject.android] Possible to force list of bridges, informative
252699, https://hackerone.com/reports/252699, Hyper Link Injection In email and Space Characters Allowed at Password Field., informative
252894, https://hackerone.com/reports/252894, Missing URL sanitization in comments can be leveraged for phishing, informative
253128, https://hackerone.com/reports/253128, CSRF Vulnerability allows attackers to steal SocialClub private token., resolved
253202, https://hackerone.com/reports/253202, Unrestricted file upload - cloudacademy.informatica.com, resolved
253313, https://hackerone.com/reports/253313, XSS Vulnerability in WooCommerce Product Vendors plugin, resolved
253429, https://hackerone.com/reports/253429, Linux TBB SFTP URI allows local IP disclosure, resolved
253448, https://hackerone.com/reports/253448, [Cross-domain Referer leakage] Password reset token leakage via referer, resolved
253558, https://hackerone.com/reports/253558, SSRF , resolved
253926, https://hackerone.com/reports/253926, DKIM records not present, Email Hijacking is possible....., resolved
253929, https://hackerone.com/reports/253929, I found a way to instantly take over ads by other users and change them (IDOR), resolved
253934, https://hackerone.com/reports/253934, Password reset token issue, resolved
253975, https://hackerone.com/reports/253975, insecure redirect in https://www.rockstargames.com, resolved
254151, https://hackerone.com/reports/254151, IDOR in activateFuelCard id allows bulk lookup of driver uuids, resolved
254200, https://hackerone.com/reports/254200, Escaping images directory in S3 bucket when saving new avatar, using Path Traversal in filename, resolved
254211, https://hackerone.com/reports/254211, [www.zomato.com/dubai/gold] CRITICAL - Allowing arbitrary amount to become a GOLD Member, resolved
254343, https://hackerone.com/reports/254343, dom based xss in https://www.rockstargames.com/GTAOnline/, resolved
254588, https://hackerone.com/reports/254588, Removed staff members who had "Manage shops" permission can still create development stores, resolved
254869, https://hackerone.com/reports/254869, Device confirmation Flaw, informative
254895, https://hackerone.com/reports/254895, SSL BREACH attack (CVE-2013-3587), informative
254927, https://hackerone.com/reports/254927, Lack of input validation in e-mail & user name, job title, company name field, informative
255020, https://hackerone.com/reports/255020, Password Reset page Session Fixation, not-applicable
255025, https://hackerone.com/reports/255025, Create Api Key is not working, informative
255026, https://hackerone.com/reports/255026, [UX] Notify user on likely email address typo, resolved
255034, https://hackerone.com/reports/255034, Failure to check password history, not-applicable
255041, https://hackerone.com/reports/255041, LUCKY13 (CVE-2013-0169) effects legalrobot.com, informative
255098, https://hackerone.com/reports/255098, Unable to change profile picture, informative
255100, https://hackerone.com/reports/255100, No error or notification on Reset password page, resolved
255125, https://hackerone.com/reports/255125, Null Byte Injection in all fields of Profile, informative
255132, https://hackerone.com/reports/255132, Credential gets exposed, informative
255474, https://hackerone.com/reports/255474, Profile fields validation bypass, resolved
255481, https://hackerone.com/reports/255481, app.legalrobot.com opens FireFox but not in FireFox ESR, resolved
255510, https://hackerone.com/reports/255510, При передаче в ID сообщения нулевого байта, происходит вывод какого-то буфера., resolved
255587, https://hackerone.com/reports/255587,  CVE-2017-1000101: cURL: URL globbing out of bounds read, resolved
255627, https://hackerone.com/reports/255627, SSH backdated version open port, resolved
255651, https://hackerone.com/reports/255651, Unauthorized update of merchants' information via /php/merchant_details.php, resolved
255679, https://hackerone.com/reports/255679, Change password logic inversion, resolved
255685, https://hackerone.com/reports/255685, [New Relic Infrastructure] Restricted User can still integrate with AWS via forced browsing (plus, a few other bugs), resolved
255708, https://hackerone.com/reports/255708, Password Functionality not working correctly, informative
255822, https://hackerone.com/reports/255822, WebDAV Empty Property search leads to full CPU usage, resolved
255978, https://hackerone.com/reports/255978, Non-Cloudflare IPs allowed to access origin servers, resolved
255991, https://hackerone.com/reports/255991, URL Spoof / Brave Shield Bypass, resolved
256152, https://hackerone.com/reports/256152, Possibility to inject a malicious JavaScript code in any file on tags.tiqcdn.com results in a stored XSS on any page in most Uber domains, resolved
256647, https://hackerone.com/reports/256647, Simple CSS line-height identifies platform, resolved
256649, https://hackerone.com/reports/256649, Mixed Content over HTTPS, resolved
256663, https://hackerone.com/reports/256663, Weak Password, informative
256665, https://hackerone.com/reports/256665, Violation of secure design principle, informative
257035, https://hackerone.com/reports/257035, User enumeration from failed login error message, resolved
257106, https://hackerone.com/reports/257106, This is not the security issue., informative
257119, https://hackerone.com/reports/257119, Impersonation of Wakatime user using Invitation functionality., resolved
257194, https://hackerone.com/reports/257194, Weak Bithdate Validation Implemented on Sign Up, informative
257207, https://hackerone.com/reports/257207, Code injection, resolved
257237, https://hackerone.com/reports/257237, CSRF Token, informative
257276, https://hackerone.com/reports/257276, Open aws s3 bucket s3://rubyci, not-applicable
257305, https://hackerone.com/reports/257305, [www.boozt.com] - Authentication bypass, resolved
257331, https://hackerone.com/reports/257331, Sub domain take over in gratipay.com, informative
257335, https://hackerone.com/reports/257335, ssh: unprivileged users may hijack due to backdated ssh version open port found(███.unikrn.com), resolved
257376, https://hackerone.com/reports/257376, Missing Restriction On String Size, resolved
257384, https://hackerone.com/reports/257384, No rate limit or captcha to identify humans, resolved
257942, https://hackerone.com/reports/257942, languagechange event fires simultaneously on all tabs, resolved
258084, https://hackerone.com/reports/258084, Access to all files of remote user through shared file, resolved
258117, https://hackerone.com/reports/258117, RCE/LFI on test Jenkins instance due to improper authentication flow, resolved
258198, https://hackerone.com/reports/258198, The Custom Emoji Page has a Reflected XSS, resolved
258201, https://hackerone.com/reports/258201, Overwrite Drafts of Everyone , resolved
258260, https://hackerone.com/reports/258260, Accessing Private Files Shared in message of other users, resolved
258283, https://hackerone.com/reports/258283, Clickjacking - https://mercantile.wordpress.org/, resolved
258317, https://hackerone.com/reports/258317, Reflected XSS in https://e.mail.ru/, resolved
258410, https://hackerone.com/reports/258410, Gateway information leakage, resolved
258573, https://hackerone.com/reports/258573, Able to view Backend Database dur to improper authentication, resolved
258578, https://hackerone.com/reports/258578, application/x-brave-tab should not be readable., resolved
258582, https://hackerone.com/reports/258582, [www.zomato.com] Union SQLi + Waf Bypass, resolved
258585, https://hackerone.com/reports/258585, OS username disclosure, resolved
258596, https://hackerone.com/reports/258596, Отраженная XSS на cloud.mail.ru в URL в функционале создания и редактировании презентации., resolved
258630, https://hackerone.com/reports/258630, Access to local file system using javascript, resolved
258632, https://hackerone.com/reports/258632, owncloud.com open redirect, informative
258710, https://hackerone.com/reports/258710, Download attribute allows downloading local files, resolved
258876, https://hackerone.com/reports/258876, XSS when clicking "Share to Twitter" at quora.com/widgets/embed_iframe?path=..., resolved
258879, https://hackerone.com/reports/258879, No password length restriction, informative
259100, https://hackerone.com/reports/259100, XSS through `__e2e_action_id` delivered by JSONP, resolved
259390, https://hackerone.com/reports/259390, Use-after-free in XML::LibXML::Node::replaceChild, resolved
259400, https://hackerone.com/reports/259400, Issues with Forgot password Error Handling , resolved
259415, https://hackerone.com/reports/259415, Lengthy manual entry of 2FA secret, resolved
259416, https://hackerone.com/reports/259416, Incorrect email content when disabling 2FA, resolved
259555, https://hackerone.com/reports/259555, heap-buffer-overflow (WRITE of size 8) in Perl_pp_reverse(), resolved
259742, https://hackerone.com/reports/259742, Incorrect error message, resolved
259913, https://hackerone.com/reports/259913, File Upload Restriction Bypass, resolved
260005, https://hackerone.com/reports/260005, RCE via ssh:// URIs in multiple VCS , resolved
260221, https://hackerone.com/reports/260221, Information Exposure Through Directory Listing, informative
260239, https://hackerone.com/reports/260239, Tampering the mail id on chatbox, informative
260278, https://hackerone.com/reports/260278, TabNabbing issue (due to taget=_blank), resolved
260299, https://hackerone.com/reports/260299, observer.com URL should HTTPS, resolved
260316, https://hackerone.com/reports/260316, Profile fields validation mismatch, resolved
260390, https://hackerone.com/reports/260390, 2FA manual entry uses wrong encoding, resolved
260414, https://hackerone.com/reports/260414, CVE-2017-12858: Heap UAF in _zip_buffer_free() / Double free in _zip_dirent_read(), resolved
260468, https://hackerone.com/reports/260468, first name and last name restrictions bypass, resolved
260491, https://hackerone.com/reports/260491, 2FA manual entry uses wrong encoding, resolved
260492, https://hackerone.com/reports/260492, Invalid Email Verification, informative
260591, https://hackerone.com/reports/260591, Futureoflife organization URL should be HTTPS, resolved
260604, https://hackerone.com/reports/260604, Update any profile, resolved
260632, https://hackerone.com/reports/260632, Improper validation of parameters while creating issues, resolved
260645, https://hackerone.com/reports/260645, Information Discloser, informative
260648, https://hackerone.com/reports/260648, CSP script-src includes "unsafe-inline", resolved
260662, https://hackerone.com/reports/260662, No length limit in invite_code can cause server degradation, resolved
260689, https://hackerone.com/reports/260689, Weak Cryptography for Passwords, informative
260697, https://hackerone.com/reports/260697, CSRF-tokens on pages without no-cache headers, resulting in ATO when using CloudFlare proxy (Web Cache Deception), resolved
260751, https://hackerone.com/reports/260751, Change password session fixed, spam
260755, https://hackerone.com/reports/260755, https://secure.gravatar.com, resolved
260838, https://hackerone.com/reports/260838, Special characters are not filtered out on profile fields , informative
260928, https://hackerone.com/reports/260928, Missing Certificate Authority Authorization rule, informative
260938, https://hackerone.com/reports/260938, Homograph IDNs displayed in Description, resolved
260941, https://hackerone.com/reports/260941, UX: JS error on Password Safety link, resolved
261138, https://hackerone.com/reports/261138, Stored XSS in OAuth redirect URI , resolved
261221, https://hackerone.com/reports/261221, Participation of expired account holders in Projects can occure financial loss to Mavenlink , resolved
261285, https://hackerone.com/reports/261285, Privilege Escalation to Admin-level Account, resolved
261297, https://hackerone.com/reports/261297, Disabled user can reset their password  , resolved
261335, https://hackerone.com/reports/261335, Heap Use After Free Read in unserialize(), resolved
261336, https://hackerone.com/reports/261336, Out of Bounds Memory Read in unserialize(), resolved
261338, https://hackerone.com/reports/261338, Heap Use After Free in unserialize(), resolved
261571, https://hackerone.com/reports/261571, dom based xss in http://www.rockstargames.com/GTAOnline/ (Fix bypass), resolved
261592, https://hackerone.com/reports/261592, Open Redirection Found in users.whisper.sh, resolved
261643, https://hackerone.com/reports/261643, [beta.tracker.my.com] XSS Request-URI, resolved
261652, https://hackerone.com/reports/261652, Clickjacking Full account takeover and editing the personal information at [account.my.com], resolved
261654, https://hackerone.com/reports/261654, [new.wf.mail.ru] XSS Request-URI, resolved
261706, https://hackerone.com/reports/261706, Missing Certificate Authority Authorization rule, duplicate
261734, https://hackerone.com/reports/261734, Индексация почты/логинов пользователей, resolved
261764, https://hackerone.com/reports/261764, Просмотр Участников ЧАСТНОЙ встречи , resolved
261817, https://hackerone.com/reports/261817, Information disclosure, informative
261966, https://hackerone.com/reports/261966, XSS в колбек апи в сообществах , resolved
262004, https://hackerone.com/reports/262004, HTML injection in email in unikrn.com, resolved
262005, https://hackerone.com/reports/262005, xss , not-applicable
262010, https://hackerone.com/reports/262010, XSS в названии сервера, resolved
262088, https://hackerone.com/reports/262088, Show hide privacy giving receiving on my website , informative
262109, https://hackerone.com/reports/262109, UX: JS error on Password Safety link, resolved
262140, https://hackerone.com/reports/262140, Password Restriction On Change, informative
262230, https://hackerone.com/reports/262230, Tinymce 2.4.0, resolved
262262, https://hackerone.com/reports/262262, app.mixmax.com Information Discloure on cal.mixmax.com and Not Signing out after Removing information grant access from Google, resolved
262620, https://hackerone.com/reports/262620, Gratipay rails secret token (secret_key_base) publicly exposed in GitHub, resolved
262661, https://hackerone.com/reports/262661, IDOR on HackerOne Feedback Review, resolved
262665, https://hackerone.com/reports/262665, CVE-2017-5969: libxml2 when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference), resolved
262830, https://hackerone.com/reports/262830, Rate-limit protection get executed in the last stage of the registration process, allowing enumeration of existing account., resolved
262852, https://hackerone.com/reports/262852, Reflected XSS - gratipay.com, resolved
263010, https://hackerone.com/reports/263010, Improper validation at Phone verification (possible cost increase + SMS SPAM attack), resolved
263109, https://hackerone.com/reports/263109, Buddypress 2.9.1 - Exceeding the maximum upload size  - XSS leading to potential RCE. , resolved
263169, https://hackerone.com/reports/263169, Internal Ports Scanning via Blind SSRF, resolved
263191, https://hackerone.com/reports/263191, Stored XSS with CRLF injection via post message to user feed, resolved
263196, https://hackerone.com/reports/263196, Name can't be numbers or email, informative
263498, https://hackerone.com/reports/263498, CSRF to change Account Security Keys on secure.login.gov, resolved
263508, https://hackerone.com/reports/263508, Server Side Misconfiguration (EMAIL SPOOFING) , not-applicable
263512, https://hackerone.com/reports/263512, CSRF in generating a new Personal Key, duplicate
263535, https://hackerone.com/reports/263535, [www.zomato.com] Unauthenticated access to Internal Sales Data of Zomato through an unrestricted endpoint, resolved
263542, https://hackerone.com/reports/263542, Subdomain take-over of {REDACTED}.18f.gov, resolved
263553, https://hackerone.com/reports/263553, federalist.18f.gov vulnerable to Sweet32 attack, informative
263589, https://hackerone.com/reports/263589, Email Length Verification , spam
263662, https://hackerone.com/reports/263662, Cross-Site Request Forgery on the Federalist API (all endpoints), using Flash file on the attacker's host, resolved
263672, https://hackerone.com/reports/263672, previous token seems to work even though it does not verify email, resolved
263681, https://hackerone.com/reports/263681, Improper error message, informative
263684, https://hackerone.com/reports/263684, [qiwi.com] XSS on payment form, resolved
263718, https://hackerone.com/reports/263718, Wordpress 4.8.1 - Rogue editor leads to RCE. And the risks of same origin frame scripting in general, informative
263728, https://hackerone.com/reports/263728, Password Complexity , not-applicable
263743, https://hackerone.com/reports/263743, I cant login to my account, informative
263760, https://hackerone.com/reports/263760, Opportunity to obtain private tweets through search widget preview caches, resolved
263780, https://hackerone.com/reports/263780, Direct URL access to PDF files, informative
263866, https://hackerone.com/reports/263866, Error Page Content Spoofing or Text Injection, duplicate
263873, https://hackerone.com/reports/263873, Improper Session management can cause account takeover[https://micropurchase.18f.gov], resolved
263902, https://hackerone.com/reports/263902, {REDACTED}.data.gov subdomain takeover., resolved
263913, https://hackerone.com/reports/263913, Content injection via URL parameter., duplicate
264002, https://hackerone.com/reports/264002, Stored XSS on member post feed, resolved
264023, https://hackerone.com/reports/264023, Coding error ! , duplicate
264101, https://hackerone.com/reports/264101, design issue exists on login page , spam
264125, https://hackerone.com/reports/264125, Clickjacking mercantile.wordpress.org, resolved
264405, https://hackerone.com/reports/264405, Header Injection In app.legalrobot.com, informative
264426, https://hackerone.com/reports/264426, Nextcloud logs ldap passwords, resolved
264445, https://hackerone.com/reports/264445, XSS в комментариях от имени сообщества , resolved
264481, https://hackerone.com/reports/264481, Stack overflow in UnbindFromTree (browser can be crashed remotely), informative
264754, https://hackerone.com/reports/264754, [www.zomato.com] IDOR - Delete/Deactivate ANY/ALL Promos through a Post Request at **clients/promoDataHandler.php**, resolved
264832, https://hackerone.com/reports/264832, xss filter bypass [polldaddy], resolved
264919, https://hackerone.com/reports/264919, [www.zomato.com] IDOR - Delete/Deactivate any special menu of any Restaurants from Zomato, resolved
264934, https://hackerone.com/reports/264934,  Application allowing old password to be set as new password | hosted.weblate.org, resolved
265160, https://hackerone.com/reports/265160, TabNabbing issue (due to taget=_blank), resolved
265161, https://hackerone.com/reports/265161, Monero Website & Kovri on your policy are returning 404 not found., resolved
265232, https://hackerone.com/reports/265232, Unsecure: Bypass alerts of Little Flocker / Little Snitch / HandsOff! / BlockBlock (same concept can be applied to other security tools), resolved
265258, https://hackerone.com/reports/265258, IDOR to cancel any table booking and leak sensitive information such as email,mobile number,uuid, resolved
265274, https://hackerone.com/reports/265274, Stored XSS on support.rockstargames.com, resolved
265284, https://hackerone.com/reports/265284, 'cnvID' parameter vulnerable to Insecure Direct Object References, resolved
265384, https://hackerone.com/reports/265384, Stored XSS on support.rockstargames.com, resolved
265441, https://hackerone.com/reports/265441, Error the message with already e-mail , informative
265619, https://hackerone.com/reports/265619, No alert in verify email address with wrong input, informative
265696, https://hackerone.com/reports/265696, Gitlab is vulnerable to impersonation attacks due to broken links, resolved
265701, https://hackerone.com/reports/265701, Security: Publicly accessible x.509 Public and Private Key of Ubiquiti Networks., resolved
265740, https://hackerone.com/reports/265740, [Cross Domain Referrer Leakage] Password Reset Token Leaking to Third party Sites., resolved
265749, https://hackerone.com/reports/265749, Bypass email verification when register new account, not-applicable
265775, https://hackerone.com/reports/265775, Password reset token issue, resolved
265863, https://hackerone.com/reports/265863, Wrong password validation message, resolved
265930, https://hackerone.com/reports/265930, No notification of change email feature, resolved
265931, https://hackerone.com/reports/265931, Logic issue in email change process, resolved
265987, https://hackerone.com/reports/265987, Add another email address without verification, resolved
266017, https://hackerone.com/reports/266017, Logic issue in email change process, resolved
266030, https://hackerone.com/reports/266030, Add arbitrary value in reset password cookie, informative
266072, https://hackerone.com/reports/266072, Хранимая XSS в группе VK, resolved
266090, https://hackerone.com/reports/266090, Possible to join any class without coache's knowledge & Little Information Disclosure, resolved
266288, https://hackerone.com/reports/266288, New Device Confirmation Bug, informative
266449, https://hackerone.com/reports/266449, [api.data.gov] Leak Valid API With out Verification -, informative
266454, https://hackerone.com/reports/266454, IDNs displayed in unicode, informative
266766, https://hackerone.com/reports/266766, Access Grab_Road BigData Database via Open Presto coordinator, resolved
266801, https://hackerone.com/reports/266801, [marketplace.informatica.com]-Reflected XSS , resolved
266908, https://hackerone.com/reports/266908, Impersonation attack via Broken Link in Resellers Page, resolved
267075, https://hackerone.com/reports/267075, Clickjacking irclogs.wordpress.org, informative
267161, https://hackerone.com/reports/267161, Unsecured Elasticsearch Instance, resolved
267177, https://hackerone.com/reports/267177, stored xss in invited team member via email parameter, resolved
267189, https://hackerone.com/reports/267189, clickjacking on https://gratipay.com/on/npm/[text], informative
267206, https://hackerone.com/reports/267206, Reflected XSS , resolved
267212, https://hackerone.com/reports/267212, 400 Bad Request [Use a third-party provider to sign in or create an account on Gratipay], not-applicable
267213, https://hackerone.com/reports/267213, Information Disclosure on inside.gratipay.com, informative
267356, https://hackerone.com/reports/267356, Autocomplete feature , resolved
267473, https://hackerone.com/reports/267473, XSS in OLX.pl ("title" in new advertisement), resolved
267570, https://hackerone.com/reports/267570, Stored XSS through Facebook Page Connection, resolved
267636, https://hackerone.com/reports/267636, [NR Synthetics] (IDOR) Ability to see full name associated with other New Relic accounts through workaround of #255894, resolved
267643, https://hackerone.com/reports/267643, Possibility to insert stored XSS inside <img> tag, resolved
267865, https://hackerone.com/reports/267865, Add movie or series CSRF, not-applicable
267867, https://hackerone.com/reports/267867, Logout CSRF, not-applicable
267922, https://hackerone.com/reports/267922, Sql query disclosure,, informative
268113, https://hackerone.com/reports/268113, Uncloaking hidden services and hidden service users, informative
268167, https://hackerone.com/reports/268167, Insecure Direct Object Reference (IDOR) Allowing me to claim other user's photos (driving license and selfies) as mine, resolved
268382, https://hackerone.com/reports/268382, Nginx misconfiguration leading to direct PHP source code download, resolved
268612, https://hackerone.com/reports/268612, Venturebeat.com URL should be HTTPS, resolved
268622, https://hackerone.com/reports/268622, booztfashion.com URL should HTTPS, resolved
268629, https://hackerone.com/reports/268629, Failed OutLink on Terms of Service, resolved
268679, https://hackerone.com/reports/268679, Homo graphs attack , informative
268794, https://hackerone.com/reports/268794, all private tokens are leaked to an unauthenticated attacker, resolved
268803, https://hackerone.com/reports/268803, CVE-2017-12985: The IPv6 parser in tcpdump before 4.9.2 has a buffer over-read in ip6_print(), resolved
268804, https://hackerone.com/reports/268804, CVE-2017-12986 The IPv6 routing header parser in tcpdump before 4.9.2 has a buffer over-read in print-rt6.c:rt6_print()., resolved
268805, https://hackerone.com/reports/268805, CVE-2017-13008 The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_11.c:parse_elements()., resolved
268806, https://hackerone.com/reports/268806, CVE-2017-13009 The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-read in print-mobility.c:mobility_print()., resolved
268807, https://hackerone.com/reports/268807, CVE-2017-13010 The BEEP parser in tcpdump before 4.9.2 has a buffer over-read in print-beep.c:l_strnstart()., resolved
268808, https://hackerone.com/reports/268808, CVE-2017-13038 The PPP parser in tcpdump before 4.9.2 has a buffer over-read in print-ppp.c:handle_mlppp()., resolved
268888, https://hackerone.com/reports/268888, Sensitive Information Disclosure https://cards-dev.twitter.com, resolved
268981, https://hackerone.com/reports/268981, Missing homograph filter character, resolved
269047, https://hackerone.com/reports/269047, Clickjacking https://blockstack.org/, informative
269066, https://hackerone.com/reports/269066, Remote Code Execution at http://tw.corp.ubnt.com, resolved
269109, https://hackerone.com/reports/269109, Subdomain Takeover via unclaimed UserVoice domain, resolved
269184, https://hackerone.com/reports/269184, Weak crossdomain.xml, informative
269196, https://hackerone.com/reports/269196, Cross site request forgery, informative
269230, https://hackerone.com/reports/269230, Emails of invited collaborators are disclosed in full in payload for report participants, resolved
269279, https://hackerone.com/reports/269279, SQL injection in partner id field on https://www.teavana.com (Sign-up form), resolved
269288, https://hackerone.com/reports/269288, External links to be in HTTP, resolved
269318, https://hackerone.com/reports/269318, Bypass of Rate limiting in secure_session endpoint's password input will lead to user password disclosure , resolved
269449, https://hackerone.com/reports/269449, Banner Grabbing - Apache Server Version Disclousure, informative
269467, https://hackerone.com/reports/269467, Banner Grabbing - Apache Server Version Disclousure, resolved
269479, https://hackerone.com/reports/269479, Report Private Links Leaks to Google Analytics via Query String Param, resolved
269568, https://hackerone.com/reports/269568, Optionsbleed / CVE-2017-9798, resolved
269705, https://hackerone.com/reports/269705, WordPress < 4.8.2 vulnerable to multiple attacks, resolved
269831, https://hackerone.com/reports/269831, Keys, resolved
269937, https://hackerone.com/reports/269937, [www.zomato.com] IDOR - Leaking all Personal Details of all Zomato Users through an endpoint, resolved
269940, https://hackerone.com/reports/269940, XSS в приглашении в группу, resolved
270059, https://hackerone.com/reports/270059, Denial of service in libxml2, using malicious lzma file to consume available system memory, resolved
270068, https://hackerone.com/reports/270068, Installer can modify other gems if gem name is specially crafted, resolved
270072, https://hackerone.com/reports/270072, Unpacker improperly validates symlinks, allowing gems writes to arbitrary locations, resolved
270119, https://hackerone.com/reports/270119, Узнаем название и аватарку частной группы, по ID приложения., resolved
270454, https://hackerone.com/reports/270454, Clickjacking in Legalrobot app, resolved
270695, https://hackerone.com/reports/270695, [marketplace.informatica.com] - Sensitive Data Exposure , resolved
270981, https://hackerone.com/reports/270981, Shopify admin authentication bypass using partners.shopify.com, resolved
271176, https://hackerone.com/reports/271176, Bypassing one-time checkout router page (revealing payment information), resolved
271224, https://hackerone.com/reports/271224, SSRF in https://www.zomato.com████ allows reading local files and website source code, resolved
271253, https://hackerone.com/reports/271253, NextCloud is also Accepting OCTET-STREAM Type of Documents instead of jpg or Imge Files Only, duplicate
271324, https://hackerone.com/reports/271324, Homograph fix Bypass , resolved
271330, https://hackerone.com/reports/271330, Format string implementation vulnerability, resulting in code execution, resolved
271355, https://hackerone.com/reports/271355, [avito.ru] ImageMagick uninitialized image palette, resolved
271360, https://hackerone.com/reports/271360, [avito.ru] Утекают креды от платежных провайдеров, resolved
271391, https://hackerone.com/reports/271391, Potential server misconfiguration leads to disclosure of vendor/ directory, resolved
271393, https://hackerone.com/reports/271393, NR Internal_API call allows me to read the events/violations/policies/messages of ANY New Relic account (AND pull data from infrastructure), resolved
271407, https://hackerone.com/reports/271407, Admin Access to a domain used for development and admin access to internal dashboards on that domain, resolved
271506, https://hackerone.com/reports/271506, Banned researcher gets email updates on a private program., resolved
271533, https://hackerone.com/reports/271533, Bruteforcing password reset tokens, could lead to account takeover, resolved
271700, https://hackerone.com/reports/271700, Leak IP internal, resolved
271765, https://hackerone.com/reports/271765, Stored XSS in partners dashboard, resolved
271861, https://hackerone.com/reports/271861, Bypass of my two other reports #267636 + #255894 - (IDOR) Ability to see full name associated with other New Relic accounts, resolved
271928, https://hackerone.com/reports/271928, facebook button URL should be HTTPS, resolved
271950, https://hackerone.com/reports/271950, Improper Implementation of Password strength checker, resolved
271960, https://hackerone.com/reports/271960, Client-side Template Injection in Search, user email/token leak and maybe sandbox escape, resolved
272044, https://hackerone.com/reports/272044, Android - Access of some not exported content providers , resolved
272095, https://hackerone.com/reports/272095, SSRF/XSPA in labs.data.gov/dashboard/validate, resolved
272097, https://hackerone.com/reports/272097, Interger overflow in eval trigger write out of bound, informative
272221, https://hackerone.com/reports/272221, Arbitrary local code execution via DLL hijacking from executable installer, duplicate
272231, https://hackerone.com/reports/272231, Download of (later executed) .NET installer over insecure channel, informative
272272, https://hackerone.com/reports/272272, Export vault feature is vulnerable to CSV injection, informative
272357, https://hackerone.com/reports/272357, Mailgun misconfiguration on email.bitwarden.com, resolved
272379, https://hackerone.com/reports/272379, Password reset token leak on third party website via Referer header, resolved
272387, https://hackerone.com/reports/272387, aspen | clickjacking, not-applicable
272426, https://hackerone.com/reports/272426, Server Path Disclosure , informative
272432, https://hackerone.com/reports/272432, Cross-origin resource sharing (CORS), not-applicable
272497, https://hackerone.com/reports/272497, Perl $ENV Key Stack Buffer Overflow, resolved
272506, https://hackerone.com/reports/272506,  SQL injections, resolved
272570, https://hackerone.com/reports/272570, Organization Admin Privilege Escalation To Owner, resolved
272578, https://hackerone.com/reports/272578, Unauthenticated LFI revealing log information, resolved
272588, https://hackerone.com/reports/272588, CSRF in Raffles Ticket Purchasing, resolved
272596, https://hackerone.com/reports/272596, No Rate Limit (Leads to huge email flooding/email bombing), not-applicable
272824, https://hackerone.com/reports/272824, client_secret Token disclosure , resolved
272832, https://hackerone.com/reports/272832, Bruteforce Unlimited number of password attempts, not-applicable
272839, https://hackerone.com/reports/272839, Weak Session ID Implementation - No Session change on Password change, resolved
272863, https://hackerone.com/reports/272863, External links should be served in HTTPS., informative
272979, https://hackerone.com/reports/272979, 2 vulnerabilities of arbitrary code in ████████  - CVE-2017-5929, resolved
272982, https://hackerone.com/reports/272982, Information leakage on django.aspen.io, not-applicable
272997, https://hackerone.com/reports/272997, Stored XSS via Send crew invite, resolved
273365, https://hackerone.com/reports/273365, XSS в товарах, resolved
273449, https://hackerone.com/reports/273449, Authenticated RCE in ToughSwitch, resolved
273560, https://hackerone.com/reports/273560, Validation of Password reset tokens, informative
273630, https://hackerone.com/reports/273630, Leaking sensitive information lead to compromise employer API keys, resolved
273698, https://hackerone.com/reports/273698, Unauthorized Access to Protected Tweets via niche.co API, resolved
273726, https://hackerone.com/reports/273726, Information / sensitive data disclosure on some endpoints, resolved
273805, https://hackerone.com/reports/273805, Improper access control lead  To delete anyone comment, resolved
273881, https://hackerone.com/reports/273881, Invalidate session after password reset on https://polldaddy.com, informative
273960, https://hackerone.com/reports/273960, Хранимая XSS на странице "Виджет для авторизации", resolved
273998, https://hackerone.com/reports/273998, CSRF token does not valided during blog comment, resolved
274013, https://hackerone.com/reports/274013, Allowance of Meta/Null characters, duplicate
274112, https://hackerone.com/reports/274112, Хранимая XSS в функционале добавления аудио в WYSIWYG, resolved
274264, https://hackerone.com/reports/274264, Your support community suffers from angularjs injection and must be fixed immediately [CRITICAL], resolved
274267, https://hackerone.com/reports/274267, Request Hijacking Vulnerability in RubyGems 2.6.13 and earlier, informative
274324, https://hackerone.com/reports/274324, cross site web socket hijacking, duplicate
274336, https://hackerone.com/reports/274336, Subdomain Takeover via Unclaimed WordPress site, resolved
274443, https://hackerone.com/reports/274443, stored xss in comments : driver exam , resolved
274541, https://hackerone.com/reports/274541, Invited user to a Author profile can remove the owner of that Author, resolved
274594, https://hackerone.com/reports/274594, Unupdated ImageMagic leads to uninitialized server memory disclosure , resolved
274868, https://hackerone.com/reports/274868, Xss on community.imgur.com, resolved
274997, https://hackerone.com/reports/274997, Use of uninitialized value in memarea_strdup (src/common/memarea.c:369), informative
275186, https://hackerone.com/reports/275186, Get all instacart emails - missing rate limit on /accounts/register, resolved
275242, https://hackerone.com/reports/275242, password token validation, informative
275245, https://hackerone.com/reports/275245, Can link to websites from profile, informative
275269, https://hackerone.com/reports/275269, Gem signature forgery, resolved
275274, https://hackerone.com/reports/275274, touch.mail.ru/messages - Stored XSS, resolved
275293, https://hackerone.com/reports/275293, Pending member invitations are not revoked on program name change, informative
275303, https://hackerone.com/reports/275303,  Account Restore / Reactivating an old email via old reset link, resolved
275386, https://hackerone.com/reports/275386, Stored XSS Using Media, resolved
275443, https://hackerone.com/reports/275443, Missing robots exclusion header for user uploads, resolved
275515, https://hackerone.com/reports/275515, Stored XSS in dev-ucrm-billing-demo.ubnt.com In Client Custom Attribute , resolved
275518, https://hackerone.com/reports/275518, Blind XSS in Mobpub Marketplace Admin Production | Sentry via demand.mopub.com (User-Agent), resolved
275668, https://hackerone.com/reports/275668, Stored XSS using SVG  on subdomain infra.mail.ru, resolved
275714, https://hackerone.com/reports/275714, Subdomain takeover on developer.openapi.starbucks.com, resolved
276031, https://hackerone.com/reports/276031, Remote Code Execution in Rocket.Chat Desktop, resolved
276041, https://hackerone.com/reports/276041, Secret API Key Leakage via Query String, resolved
276105, https://hackerone.com/reports/276105, Stored XSS in WordPress, informative
276123, https://hackerone.com/reports/276123, Password Complexity Not Enforced On Password Change, resolved
276174, https://hackerone.com/reports/276174, [NR Infrastructure] Bypass of #200576 through GraphQL query abuse - allows restricted user access to root account license key, resolved
276244, https://hackerone.com/reports/276244, Broken links for stale domains may be leveraged for Phishing, Misinformation, Defaming, resolved
276253, https://hackerone.com/reports/276253, Use of uninitialized value in networkstatus_parse_vote_from_string (src/or/routerparse.c:3533), informative
276255, https://hackerone.com/reports/276255, Use of unitialized value in token_check_object (src/or/parsecommon.c:224), duplicate
276269, https://hackerone.com/reports/276269, Multiple Subdomain takeovers via unclaimed instances, resolved
276276, https://hackerone.com/reports/276276, Blind XXE on my.mail.ru, resolved
276427, https://hackerone.com/reports/276427, Legal Robot, spam
276614, https://hackerone.com/reports/276614, Email Spoofing, duplicate
276634, https://hackerone.com/reports/276634, XSS на e.mail.ru в мобильном приложении!, resolved
276714, https://hackerone.com/reports/276714, reflected XSS on healt.mail.ru, resolved
276747, https://hackerone.com/reports/276747, CSS injection in avito.ru via IE11 , resolved
276816, https://hackerone.com/reports/276816, No password confirmation on changing primary email address, informative
276976, https://hackerone.com/reports/276976, Information Disclosure and Privilege Escalation in app.goodhire.com/member/developers/api-settings, resolved
277078, https://hackerone.com/reports/277078, Goodhire Open Redirect, duplicate
277138, https://hackerone.com/reports/277138, Privilege Escalation: Read-Only to Admin, resolved
277192, https://hackerone.com/reports/277192, Host Header Injection and Cache Poisoning, duplicate
277197, https://hackerone.com/reports/277197, xss flash on http://presentatie.werkenbijmcdonalds.nl/, resolved
277213, https://hackerone.com/reports/277213, Two accounts can be made with same password, informative
277259, https://hackerone.com/reports/277259, [marketplace.informatica.com] - Stored XSS, resolved
277262, https://hackerone.com/reports/277262, Newrelic s3 bucket is writeable and deleteable by authorized AWS users, informative
277300, https://hackerone.com/reports/277300, Captcha Bypass on SignUp Form, resolved
277341, https://hackerone.com/reports/277341, blind XXE when uploading avatar in mymail phone app, resolved
277354, https://hackerone.com/reports/277354, HTTP Host Header Injection on app.goodhire.com, duplicate
277377, https://hackerone.com/reports/277377, Amount Manipulation Buy Unlimited Credits in just $1.00, duplicate
277407, https://hackerone.com/reports/277407, Email abuse and Referral Abuse, informative
277431, https://hackerone.com/reports/277431, XSS on app.legalrobot.com, not-applicable
277525, https://hackerone.com/reports/277525, Formula injection via CSV exports in WordCamp Talks plugin, resolved
277534, https://hackerone.com/reports/277534, Timing Attack in Google Authenticator - Per User Prompt, informative
277664, https://hackerone.com/reports/277664, [lk-cdn.3igames.mail.ru] apc.php, resolved
278095, https://hackerone.com/reports/278095, Invalid Host detection at https://hackerone.com/redirect, resolved
278151, https://hackerone.com/reports/278151, Content Spoofing @ https://irclogs.wordpress.org/, resolved
278182, https://hackerone.com/reports/278182, Dropbox employee benefits documents are available in a test Dropbox folder, resolved
278191, https://hackerone.com/reports/278191, Listing of Amazon S3 Bucket accessible to any amazon authenticated user (metrics.pscp.tv), resolved
278220, https://hackerone.com/reports/278220, Limited arbitrary text inclusion in user invite emails, informative
278225, https://hackerone.com/reports/278225, If the developer forgets to remove the built in controller welcome.php it helps the attacker to identify that the site is built with Codeigniter, not-applicable
278231, https://hackerone.com/reports/278231, Out of bounds read in libcurl's IMAP FETCH response parser, resolved
278718, https://hackerone.com/reports/278718, Improper validation of unicode characters , resolved
279351, https://hackerone.com/reports/279351, Broken link for stale DNS entry may be leveraged for Phishing, Misinformation, Serving Malware, informative
279717, https://hackerone.com/reports/279717, Broken link for wrong domain entry may be leveraged for Phishing, Misinformation, Serving Malware, resolved
279914, https://hackerone.com/reports/279914, Issue with password change in Disabled Account, informative
279932, https://hackerone.com/reports/279932, Users Unable to login using Gmail/Facebook on https://boozt-stage1.booztx.com/login, resolved
279935, https://hackerone.com/reports/279935, Malicious callback url can be set while creating application in identity, resolved
279945, https://hackerone.com/reports/279945, Improper validation of unicode characters#2, informative
280282, https://hackerone.com/reports/280282, Enforce minimum master password complexity, not-applicable
280304, https://hackerone.com/reports/280304, No Confirmation During Email Change, duplicate
280389, https://hackerone.com/reports/280389, No Rate limit on Password Reset Function, resolved
280408, https://hackerone.com/reports/280408, SPF Misconfiguration, resolved
280495, https://hackerone.com/reports/280495, Stored Cross-Site scripting in the infographics using links, resolved
280500, https://hackerone.com/reports/280500, Tabnabbing via window.opener, resolved
280503, https://hackerone.com/reports/280503, Stored Cross-Site scripting in the infographics using Data Objects links, resolved
280504, https://hackerone.com/reports/280504, Weak Password Policy on Signup, resolved
280509, https://hackerone.com/reports/280509, User Enumeration, resolved
280511, https://hackerone.com/reports/280511, Server Side Request Forgery on JSON Feed, resolved
280519, https://hackerone.com/reports/280519, Email notification is not being sent while changing passwords, resolved
280529, https://hackerone.com/reports/280529, Incorrect Functionality of Password reset links, resolved
280534, https://hackerone.com/reports/280534, No Rate Limit on account deletion request(Leads to huge email flooding/email bombing), resolved
280585, https://hackerone.com/reports/280585, No Session change on Password change, duplicate
280770, https://hackerone.com/reports/280770, Search query text, including from potentially undisclosed reports, sent to Google Analytics on Inbox query page, resolved
280803, https://hackerone.com/reports/280803, Fake mailing reports using mail service on [URL : mail-txn.identity.com], resolved
280826, https://hackerone.com/reports/280826, Stored self-XSS pubg.mail.ru в нескольких местах, resolved
280865, https://hackerone.com/reports/280865, Non Critical Code Quality Bug / Self XSS on Map Editor, resolved
280912, https://hackerone.com/reports/280912, apache access.log leakage via long request on https://rapida.ru/, resolved
280914, https://hackerone.com/reports/280914, Business Logic Flaw allowing Privilege Escalation, informative
281274, https://hackerone.com/reports/281274, Non-HTTPS link on blog, resolved
281283, https://hackerone.com/reports/281283, XSS on partners.uber.com due to no user input sanitisation , resolved
281296, https://hackerone.com/reports/281296, IDOR in merchant.rbmonkey.com allows deleting eShops of another user, resolved
281336, https://hackerone.com/reports/281336, Negative size in tar header causes infinite loop, resolved
281344, https://hackerone.com/reports/281344, No rate limiting on https://biz.uber.com/confirm allowed an attacker to join arbitrary business.uber.com accounts, resolved
281387, https://hackerone.com/reports/281387, xss, informative
281449, https://hackerone.com/reports/281449, Limited Account Takeover via Backup codes , duplicate
281472, https://hackerone.com/reports/281472, Unsubscribe Any User, informative
281575, https://hackerone.com/reports/281575, Password reset link injection allows redirect to malicious URL, resolved
281597, https://hackerone.com/reports/281597, Preferred language option fingerprinting issue in Tor Browser, informative
281682, https://hackerone.com/reports/281682, Crashes/Buffer at 0x2C0086,name=PBrowser::Msg_Destroy , informative
281850, https://hackerone.com/reports/281850, Provide a security sistem most fit to our team, not-applicable
281851, https://hackerone.com/reports/281851, XSS в личных сообщениях, resolved
281942, https://hackerone.com/reports/281942, Bugs, spam
281950, https://hackerone.com/reports/281950, Internal Ports Scanning via Blind SSRF, resolved
282176, https://hackerone.com/reports/282176, Unauthenticated hidden groups disclosure via Ajax groups search, resolved
282209, https://hackerone.com/reports/282209, Stored XSS in the Custom Logo link (non-Basic plan required), resolved
282339, https://hackerone.com/reports/282339, Cross-domain linkability when system time changed in Tor Browser, informative
282363, https://hackerone.com/reports/282363, Outdated jQuery Version, resolved
282475, https://hackerone.com/reports/282475, Sensitive information is publicly available , resolved
282490, https://hackerone.com/reports/282490, Application Vulnerable to CSRF - Remove Invited user, resolved
282535, https://hackerone.com/reports/282535, XSS on Report Classic, resolved
282564, https://hackerone.com/reports/282564, User enumeration via forgot password error message, duplicate
282570, https://hackerone.com/reports/282570, No notification on Password Change, duplicate
282572, https://hackerone.com/reports/282572, No Confirmation or Notification During Email Change which can leads to account takeover, duplicate
282588, https://hackerone.com/reports/282588, Take back my all data from limfuimay@gmail.com, spam
282604, https://hackerone.com/reports/282604, Stored XSS on profile page via Steam display name, resolved
282628, https://hackerone.com/reports/282628, OS Command Execution on User's PC via CSV Injection, informative
282748, https://hackerone.com/reports/282748, Detecting Tor Browser UI Language, resolved
282772, https://hackerone.com/reports/282772, no notification send to victim if attacker hacks/accesses his victims WebLate account., resolved
282843, https://hackerone.com/reports/282843, UnResolved ChangeSet are Visible to Public That also Causes Information Disclosure, informative
282909, https://hackerone.com/reports/282909, Report Design Critical Stored DOM XSS Vulnerability , resolved
283014, https://hackerone.com/reports/283014, View Any Program's Team Members through GET https://hackerone.com/invitations/, resolved
283058, https://hackerone.com/reports/283058, [IRCCloud Android] Opening arbitrary URLs/XSS in SAMLAuthActivity, resolved
283063, https://hackerone.com/reports/283063, [IRCCloud Android] XSS in ImageViewerActivity, resolved
283269, https://hackerone.com/reports/283269, A10 – Unvalidated Redirects and Forwards, informative
283309, https://hackerone.com/reports/283309, Private Program all members disclosed , duplicate
283361, https://hackerone.com/reports/283361, Private partial disclosure of h1 infrastructure , resolved
283407, https://hackerone.com/reports/283407, IDOR exposes receipts of all users., resolved
283419, https://hackerone.com/reports/283419, [app.mavenlink.com] IDOR to view sensitive information, resolved
283460, https://hackerone.com/reports/283460, Open Redirect Protection Bypass, resolved
283482, https://hackerone.com/reports/283482, Login Cross Site Request Forgery , duplicate
283492, https://hackerone.com/reports/283492, [health.mail.ru] Раскрытие SSI сценариев, resolved
283502, https://hackerone.com/reports/283502, XST(Cross Site Tracing), informative
283539, https://hackerone.com/reports/283539, Stored xss в /lead_forms_app.php, resolved
283550, https://hackerone.com/reports/283550, Password Reset Token Not Expired , resolved
283565, https://hackerone.com/reports/283565, XSS on infogram.com, resolved
283644, https://hackerone.com/reports/283644, Out-Of-Bounds Read in timelib_meridian(), resolved
283742, https://hackerone.com/reports/283742, HTML injection , resolved
283786, https://hackerone.com/reports/283786, Host Header Injection or cache poisoning in multiple domains, not-applicable
283821, https://hackerone.com/reports/283821, XSS when Shared, resolved
283825, https://hackerone.com/reports/283825, Multiple xss on infogram templates, resolved
283847, https://hackerone.com/reports/283847, GraphQL sessions aren't immediately invalidated when user password is changed, resolved
283951, https://hackerone.com/reports/283951, Bypassing X-frame options , not-applicable
284082, https://hackerone.com/reports/284082, Javascript Payload reflected Back in Report Embed Code, resolved
284143, https://hackerone.com/reports/284143, Reverse Tabnabbing Vulnerability in Outgoing Links, informative
284155, https://hackerone.com/reports/284155, Uninitialized server memory disclosure via ImageMagick gif parser, resolved
284807, https://hackerone.com/reports/284807, i am The bug, spam
284811, https://hackerone.com/reports/284811, Reflected SQL Execution, spam
284951, https://hackerone.com/reports/284951, Out-of-bounds read when importing corrupt blockchain with monero-blockchain-import, resolved
284963, https://hackerone.com/reports/284963, Insecure Direct Object Reference on API without API key, informative
285153, https://hackerone.com/reports/285153, No Email Verification, informative
285432, https://hackerone.com/reports/285432, IDOR - setAttribute action of user object in API, resolved
285482, https://hackerone.com/reports/285482, Security misconfiguration "weak passwords"., informative
285609, https://hackerone.com/reports/285609, Frameset(Frame) html tag is allowed in html editor.(can lead to clickjacking), resolved
286728, https://hackerone.com/reports/286728, Saying goodbye to HackerOne and Gratipay., resolved
286740, https://hackerone.com/reports/286740, Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse, resolved
287245, https://hackerone.com/reports/287245, Blind SSRF in "Integrations" by abusing a bug in Ruby's native resolver., resolved
287378, https://hackerone.com/reports/287378, Possibility to view subdepartments for arbitrary domain, resolved
287382, https://hackerone.com/reports/287382, Self-xss via drag&drop in email form, resolved
287496, https://hackerone.com/reports/287496, Internal Ports Scanning via Blind SSRF  (URL Redirection to beat filter), resolved
287562, https://hackerone.com/reports/287562, Stored XSS in content when Graph is created via API, resolved
287666, https://hackerone.com/reports/287666, CVE-2017-13089 wget stack smash, resolved
287667, https://hackerone.com/reports/287667, CVE-2017-13090 wget heap smash, resolved
287688, https://hackerone.com/reports/287688, Stored XSS On Wordpress Infogram plugin, resolved
287758, https://hackerone.com/reports/287758, Bypass insecure password validation, resolved
287789, https://hackerone.com/reports/287789, IDOR to view User Order Information, resolved
287835, https://hackerone.com/reports/287835, Resolv::getaddresses bug that can be abused to bypass security measures. , informative
287837, https://hackerone.com/reports/287837, 217.147.95.145 NFS Exposed with Zeus Server configs, resolved
288219, https://hackerone.com/reports/288219, Open Redirection while saving User account Settings , resolved
288298, https://hackerone.com/reports/288298, LFI in pChart php library, resolved
288353, https://hackerone.com/reports/288353, SMB SSRF in emblem editor exposes taketwo domain credentials, may lead to RCE, resolved
288540, https://hackerone.com/reports/288540, CSRF создание опроса от имени пользователя, зная id приложения. + небольшой флуд сообщениями на стену, resolved
288596, https://hackerone.com/reports/288596, User Profiles Leak PII in HTML Document for Mobile Browser User Agents, resolved
288704, https://hackerone.com/reports/288704, Command injection on Phabricator instance with an evil hg branch name, resolved
288707, https://hackerone.com/reports/288707, Email Spoofing, spam
288846, https://hackerone.com/reports/288846, Bruteforcing Coupons, resolved
288912, https://hackerone.com/reports/288912, Cross-origin resource sharing, informative
288950, https://hackerone.com/reports/288950, Additional bypass allows SSRF for internal netblocks, resolved
288955, https://hackerone.com/reports/288955, [IRCCloud Android] Theft of arbitrary files leading to token leakage, resolved
288966, https://hackerone.com/reports/288966, POODLE SSLv3 bug on multiple twitter smtp servers (mx3.twitter.com,199.59.148.204,199.16.156.108 and 199.59.148.204), resolved
289000, https://hackerone.com/reports/289000, Vulnerable exported broadcast receiver, resolved
289051, https://hackerone.com/reports/289051, Subdomain Takeover, resolved
289085, https://hackerone.com/reports/289085, Stored XSS on urbandictionary.com, resolved
289189, https://hackerone.com/reports/289189, Exposes a series of other private credentials, duplicate
289246, https://hackerone.com/reports/289246, Following links are vulnerable to clickjacking, resolved
289264, https://hackerone.com/reports/289264, Triggering RCE using XSS to bypass CSRF in PowerBeam M5 300, resolved
289330, https://hackerone.com/reports/289330, Reflected XSS vulnerability in Database name field on installation screen, resolved
289568, https://hackerone.com/reports/289568, Program profile metrics endpoint contains mean time to triage, even when turned off, resolved
289823, https://hackerone.com/reports/289823, Improper markup sanitization., resolved
289846, https://hackerone.com/reports/289846, X-XSS-Protection -> Misconfiguration, resolved
290023, https://hackerone.com/reports/290023, CSRF на biz.mail.ru, informative
290794, https://hackerone.com/reports/290794, Persistent XSS in share button, resolved
290889, https://hackerone.com/reports/290889, Session does't get expired after changing the password in https://readthedocs.org, informative
290930, https://hackerone.com/reports/290930, Information Disclosure when /invitations/<token>.json is not yet accepted, resolved
291012, https://hackerone.com/reports/291012, Server-side cache poisoning leads to the http://my.dev.owox.com inaccessibility, resolved
291057, https://hackerone.com/reports/291057, MySQL username and password leaked in developer.valvesoftware.com via source code dislosure, resolved
291200, https://hackerone.com/reports/291200, Hard Coded username and password in registry, resolved
291489, https://hackerone.com/reports/291489, Kovri: potential buffer over-read in garlic clove handling + I2NP message creation, resolved
291531, https://hackerone.com/reports/291531, Introspection query leaks sensitive graphql system information., duplicate
291683, https://hackerone.com/reports/291683, Crafted frame injection leading to form-based UI redressing., resolved
291721, https://hackerone.com/reports/291721, IDOR on Program Visibilty (Revealed / Concealed) against other team members, duplicate
291750, https://hackerone.com/reports/291750, Link filter protection bypass, resolved
291764, https://hackerone.com/reports/291764, SQL Injection found in NextCloud Android App Content Provider, resolved
291822, https://hackerone.com/reports/291822, Shared-channel BETA persists integration after unshare, resolved
291878, https://hackerone.com/reports/291878, Arbitrary file deletion in wp-core - guides towards RCE and information disclosure, resolved
292457, https://hackerone.com/reports/292457, Reflected XSS in www.dota2.com, resolved
292500, https://hackerone.com/reports/292500, User provided values passed to PHP unset() function, informative
292636, https://hackerone.com/reports/292636, session_id is not being validated at email invitation endpoint, resolved
292673, https://hackerone.com/reports/292673, No Password Verification on  Changing Email Address Cause Account takeover   , resolved
292761, https://hackerone.com/reports/292761, Stealing Private Information in VK Android App through PlayerProxy Port Remotely, resolved
292797, https://hackerone.com/reports/292797, ActionController::Parameters .each returns an unsafe hash, resolved
292825, https://hackerone.com/reports/292825, Possible to redirect to a (non-existing) subdomain after logging in via GitHub (leaking the token), resolved
292997, https://hackerone.com/reports/292997, XSS работающая по всему сайту, где есть упоминания, resolved
293016, https://hackerone.com/reports/293016, CSRF log victim into the attacker account, resolved
293105, https://hackerone.com/reports/293105, XSS в личных сообщениях, resolved
293126, https://hackerone.com/reports/293126, Multiple issues in Libxml2 (2.9.2 - 2.9.5), resolved
293276, https://hackerone.com/reports/293276, Cloudflare does not sufficiently truncate credit card numbers in invoices, resolved
293358, https://hackerone.com/reports/293358, The Microsoft Store Uber App Does Not Implement Certificate Pinning, duplicate
293359, https://hackerone.com/reports/293359, The Uber Promo Customer Endpoint Does Not Implement Multifactor Authentication, Blacklisting or Rate Limiting, informative
293363, https://hackerone.com/reports/293363, The Microsoft Store Uber App Does Not Implement Server-side Token Revocation, informative
293581, https://hackerone.com/reports/293581, self-xss ads_easy_promote vk.com, resolved
293845, https://hackerone.com/reports/293845, [IDOR] Deleting other people's tasks, resolved
293847, https://hackerone.com/reports/293847, SSRF in /appsuite/api/autoconfig , resolved
294048, https://hackerone.com/reports/294048, Stored XSS => community.ubnt.com , resolved
294147, https://hackerone.com/reports/294147, Mercurial git subrepo lead to arbritary command injection, resolved
294201, https://hackerone.com/reports/294201, subdomain takeover at news-static.semrush.com, resolved
294232, https://hackerone.com/reports/294232, Adding external participants to unaccessible appointments, resolved
294334, https://hackerone.com/reports/294334, clickjacking в /lead_forms_app.php, resolved
294364, https://hackerone.com/reports/294364, De-anonymization by visiting specially crafted bookmark., resolved
294462, https://hackerone.com/reports/294462, NET::Ftp allows command injection in filenames, resolved
294464, https://hackerone.com/reports/294464, Verbose error message reveals internal system hostnames, protols and used ports (yrityspalvelu.tapiola.fi), resolved
294505, https://hackerone.com/reports/294505, Cross-site scripting in "Contact customer" form, resolved
294548, https://hackerone.com/reports/294548, Uninitilized server memory disclosure via ImageMagick, resolved
294568, https://hackerone.com/reports/294568, Information Disclosure - Composer.lock, duplicate
294867, https://hackerone.com/reports/294867, Improper Host Detection During Team Up  on tweetdeck.twitter.com, resolved
294891, https://hackerone.com/reports/294891, Improper Certificate Validation, informative
294911, https://hackerone.com/reports/294911, Admin Panel Accessed (OAuth Bypassed ) , resolved
295276, https://hackerone.com/reports/295276, heap-use-after-free in OP_RESCUE, resolved
295330, https://hackerone.com/reports/295330, code.wordpress.net subdomain Takeover, resolved
295339, https://hackerone.com/reports/295339, Mailsploit: a sender spoofing bug in over 30 email clients, resolved
295380, https://hackerone.com/reports/295380, heap-buffer-overflow in OP_R_BREAK, resolved
295540, https://hackerone.com/reports/295540, [XSS] Portal Widget Mail, resolved
295680, https://hackerone.com/reports/295680, Invalid read leading to a segfault, resolved
295740, https://hackerone.com/reports/295740, GarlicRust - heartbleed style vulnerability in major I2P C++ router implementations, resolved
295841, https://hackerone.com/reports/295841, Blind SQL injection in Hall of Fap, resolved
295865, https://hackerone.com/reports/295865, Open Redirection on auth.rbk.money, resolved
295900, https://hackerone.com/reports/295900, New team invitation functionality allows extend team without upgrade, resolved
296045, https://hackerone.com/reports/296045, SSRF in VCARD photo upload functionality, resolved
296094, https://hackerone.com/reports/296094, Reflected Cross-site Scripting Vulnerability via JSON Error Message, resolved
296198, https://hackerone.com/reports/296198, SEGV on ary_concat, resolved
296622, https://hackerone.com/reports/296622, Blind XXE on pu.vk.com, resolved
296632, https://hackerone.com/reports/296632, Audit log validation, resolved
296701, https://hackerone.com/reports/296701, SSL-protected Reflected XSS in m.uber.com, duplicate
296706, https://hackerone.com/reports/296706, Open redirect deceive in hackerone.com via another open redirect link., informative
296907, https://hackerone.com/reports/296907, Lack of validation before assigning custom domain names leading to abuse of GitLab pages service, informative
296991, https://hackerone.com/reports/296991, Exim use-after-free vulnerability while reading mail header involving BDAT commands, resolved
296994, https://hackerone.com/reports/296994, Exim handles BDAT data incorrectly and leads to crash/hang, resolved
297181, https://hackerone.com/reports/297181, Common response suggestion is sent to Google Analytics when user accepts duplicate comment Genius suggestion, resolved
297198, https://hackerone.com/reports/297198, Leaking Referrer in Reset Password Link, resolved
297203, https://hackerone.com/reports/297203, Reflected XSS using Header Injection, resolved
297359, https://hackerone.com/reports/297359, No Rate Limit in email leads to huge Mass mailings, resolved
297383, https://hackerone.com/reports/297383, mruby heredoc notation, resolved
297434, https://hackerone.com/reports/297434, Unauthenticated Reflected XSS in admin dashboard, resolved
297478, https://hackerone.com/reports/297478, SQL injection in https://labs.data.gov/dashboard/datagov/csv_to_json via User-agent , resolved
297534, https://hackerone.com/reports/297534, [www.zomato.com] Boolean SQLi - /█████.php, resolved
297547, https://hackerone.com/reports/297547, Improper markup sanitisation in Simplenote Android application., resolved
297751, https://hackerone.com/reports/297751, Registered users can change app password permissions for any user, resolved
297803, https://hackerone.com/reports/297803, [crm.unikrn.com] Open Redirect, resolved
297968, https://hackerone.com/reports/297968, Persistent DOM-based XSS in https://help.twitter.com via localStorage, resolved
298028, https://hackerone.com/reports/298028, Clickjacking on https://www.goodhire.com/api, resolved
298176, https://hackerone.com/reports/298176, SQL injection in MilestoneFinder order method, resolved
298218, https://hackerone.com/reports/298218, antispambot does not always escape <, >, &, " and ', informative
298246, https://hackerone.com/reports/298246, controlled buffer under-read in pack_unpack_internal(), resolved
298862, https://hackerone.com/reports/298862, It's possible to view configuration and/or source code on uchat.awscorp.uberinternal.com without , informative
298873, https://hackerone.com/reports/298873, Command injection by overwriting authorized_keys file through GitLab import, resolved
298888, https://hackerone.com/reports/298888, Design Issue at riders.uber.com/profile, informative
298990, https://hackerone.com/reports/298990, Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication , informative
299009, https://hackerone.com/reports/299009, Single Sing On - Clickjacking, resolved
299034, https://hackerone.com/reports/299034, Text manipulation in https://checkout.rbk.money, duplicate
299112, https://hackerone.com/reports/299112, MediaElements XSS, resolved
299130, https://hackerone.com/reports/299130, SSRF - RSS feed, blacklist bypass (IP Formatting), resolved
299135, https://hackerone.com/reports/299135, SSRF - RSS feed, blacklist bypass (301 re-direct), resolved
299241, https://hackerone.com/reports/299241, [marketplace.informatica.com] -  Template Injection, resolved
299334, https://hackerone.com/reports/299334, Information disclosure when trying to delete an expense's attachment on m.mavenlink.com  , resolved
299403, https://hackerone.com/reports/299403, Domain spoofing in redirect page using RTLO, resolved
299424, https://hackerone.com/reports/299424, Bypass Filter and get Stored Xss , resolved
299460, https://hackerone.com/reports/299460, Fix for self-DoS in Security-txt Chrome Extension., resolved
299466, https://hackerone.com/reports/299466, [XSS] Mail <style> v2.0, resolved
299473, https://hackerone.com/reports/299473, Evaluating Ruby code by injecting Rescue job on the system_hook_push queue through web hook, resolved
299552, https://hackerone.com/reports/299552, Information disclosure on https://paycard.rapida.ru, resolved
299728, https://hackerone.com/reports/299728, Markdown parsing issue enables insertion of malicious tags and event handlers, resolved
299806, https://hackerone.com/reports/299806, Stored XSS , resolved
299835, https://hackerone.com/reports/299835, Link poisoning on https://secure.login.gov/ login page, resolved
299924, https://hackerone.com/reports/299924, DOM-based Cross-Site Scripting in redirect url checkout, resolved
299998, https://hackerone.com/reports/299998, XSS в отправителе, БЕТА-версия почты, resolved
300080, https://hackerone.com/reports/300080, SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint, duplicate
300081, https://hackerone.com/reports/300081, SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint, duplicate
300099, https://hackerone.com/reports/300099, [www.zomato.com] Privilege Escalation - Control reviews - /████dashboard_handler.php, resolved
300101, https://hackerone.com/reports/300101, lite:sess Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint, duplicate
300102, https://hackerone.com/reports/300102, muber-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint, duplicate
300103, https://hackerone.com/reports/300103, udi-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint, duplicate
300104, https://hackerone.com/reports/300104, Cleartext protocol after bank authentication (yrityspalvelu.tapiola.fi), resolved
300176, https://hackerone.com/reports/300176, [https://reviews.zomato.com] Time Based SQL Injection, resolved
300179, https://hackerone.com/reports/300179, User uploaded portfolio files can be accessed by any user even after deleted, resolved
300181, https://hackerone.com/reports/300181, Torrent Viewer extension web service available on all interfaces, resolved
300270, https://hackerone.com/reports/300270, Stored XSS in learnboost.com via the lesson[goals] parameter., resolved
300301, https://hackerone.com/reports/300301, [unikrn.com] Profile updated with error":true,"success":false", informative
300454, https://hackerone.com/reports/300454, [www.zomato.com] Privilege Escalation - /php/restaurant_menus_handler.php, resolved
300513, https://hackerone.com/reports/300513, WebLogic Server Side Request Forgery, resolved
300532, https://hackerone.com/reports/300532, Stored XSS on Add Event in Calendar, resolved
300539, https://hackerone.com/reports/300539, SharePoint exposed web services, resolved
300540, https://hackerone.com/reports/300540, SharePoint exposed web services, resolved
300571, https://hackerone.com/reports/300571, Stored XSS on Add Calendar, resolved
300622, https://hackerone.com/reports/300622, Монипулирование на страницах пользоватлей значением "Подсказывать стикеры в полях ввода", resolved
300748, https://hackerone.com/reports/300748, Ethereum account balance manipulation, resolved
300779, https://hackerone.com/reports/300779, Hack The World 2017 Top 2 Bonus, resolved
300812, https://hackerone.com/reports/300812, Stored XSS in www.learnboost.com via ZIP codes., resolved
300879, https://hackerone.com/reports/300879, User to Admin privilege escalation in Infrastructure Conditions - /v2/accounts/1835740/alerts/conditions, resolved
300881, https://hackerone.com/reports/300881, Account members can re-add themselve after has been deleted by administrator, resolved
300999, https://hackerone.com/reports/300999, CSRF в m.vk.com, resolved
301137, https://hackerone.com/reports/301137, GitHub import allows user to create child group under existing namespace, resolved
301257, https://hackerone.com/reports/301257, [www.zomato.com] Boolean SQLi - /███████.php, resolved
301406, https://hackerone.com/reports/301406, Unrestricted File System Access via Twig Template Injection on dev-ucrm-billing-demo.ubnt.com, resolved
301432, https://hackerone.com/reports/301432, GitLab CI runner can read and poison cache of all other projects, resolved
301458, https://hackerone.com/reports/301458, Remote Code Execution in Wordpress Desktop, resolved
301526, https://hackerone.com/reports/301526, Invitation token leaks to https://bat.bing.com, resolved
301572, https://hackerone.com/reports/301572, Просмотр части номера телефона и отправка на него SMS, всего раз скомпроментировав аккаунт, resolved
301586, https://hackerone.com/reports/301586, CSRF на установку своей почты к аккаунту., resolved
301592, https://hackerone.com/reports/301592, Host Header Injection allow HiJack Password Reset Link, duplicate
301631, https://hackerone.com/reports/301631, CSRF на "ловлю гостей" и раскрытие аудиотрансляции в частной группе, resolved
301718, https://hackerone.com/reports/301718, https://fundl.qiwi.com CSRF на подтверждении sms , resolved
301794, https://hackerone.com/reports/301794, XSS on e.mail.ru via postMessage, resolved
301831, https://hackerone.com/reports/301831, Leaking sensitive files on Github leads to internal files (python scripts,SQL files), resolved
301919, https://hackerone.com/reports/301919, CSRF Add user templates, resolved
301924, https://hackerone.com/reports/301924, SSRF vulnerability in gitlab.com webhook, resolved
301973, https://hackerone.com/reports/301973, Airship: Persistent XSS via Comment, resolved
302253, https://hackerone.com/reports/302253, Очень жесткая XSS в личных сообщениях m.ok.ru, resolved
302289, https://hackerone.com/reports/302289, // (double slash) inside es6 template literals interpreted as an inline comment by the auto-minifier, resolved
302298, https://hackerone.com/reports/302298, Unintentional file creation caused at Tempfile with directory traversal, resolved
302338, https://hackerone.com/reports/302338, The possibility that unintended file operation may be performed because some methods of `Dir` do not check NULL characters., resolved
302357, https://hackerone.com/reports/302357, XSS уязвимость, resolved
302485, https://hackerone.com/reports/302485, IDOR allow to extract all registered email, resolved
302620, https://hackerone.com/reports/302620, Partial disclosure of undisclosed programs through <meta> tags, informative
302651, https://hackerone.com/reports/302651, Leak of Platform Authentication credentials via Repeater, resolved
302731, https://hackerone.com/reports/302731, Users email can be changed without verification, resolved
302885, https://hackerone.com/reports/302885, ImageMagick GIF coder vulnerability leading to memory disclosure, resolved
302997, https://hackerone.com/reports/302997, Unix domain socket and a path containing a null character, resolved
303062, https://hackerone.com/reports/303062, Раскрытие названия частной группы через старый бокс просмотра фото., resolved
303299, https://hackerone.com/reports/303299, Missing Password Confirmation at a Critical Function (Payout Method), informative
303322, https://hackerone.com/reports/303322, [www.coursera.org] Leaking password reset link on referrer header, resolved
303378, https://hackerone.com/reports/303378, SSRF - Blacklist bypass for mail account addition, resolved
303390, https://hackerone.com/reports/303390, remote access to localhost daemon, can issue jsonrpc commands, resolved
303480, https://hackerone.com/reports/303480, Reflected XSS in admin settings, not-applicable
303522, https://hackerone.com/reports/303522, Zomato.com Reflected Cross Site Scripting, resolved
303632, https://hackerone.com/reports/303632, Fastify denial-of-service vulnerability with large JSON payloads, resolved
303727, https://hackerone.com/reports/303727, XSS в теле письма., resolved
303730, https://hackerone.com/reports/303730, Defacement of catalog.data.gov via web cache poisoning to stored DOMXSS, resolved
303744, https://hackerone.com/reports/303744, Arbitrary local system file read on open-xchange server , resolved
304098, https://hackerone.com/reports/304098, [XSS/CSRF] filter content-type bypass in Files, resolved
304115, https://hackerone.com/reports/304115, Integer Underflow @ ossl_cipher_pkcs5_keyivgen , informative
304175, https://hackerone.com/reports/304175, Reflected XSS, resolved
304190, https://hackerone.com/reports/304190, ubernycmarketplace.com is vulnerable to the Heartbleed Bug, resolved
304240, https://hackerone.com/reports/304240, Unrestricted access to Eureka server on ██████, resolved
304378, https://hackerone.com/reports/304378, ACME TLS-SNI-01/02 challenge vulnerable when combined with shared hosting providers, resolved
304386, https://hackerone.com/reports/304386, Unrestricted access to https://██████.█████myteksi.net/, resolved
304545, https://hackerone.com/reports/304545, Возможность залить шелл на https://widget.operator.mail.ru, resolved
304642, https://hackerone.com/reports/304642, Administrators can add other administrators, informative
304770, https://hackerone.com/reports/304770, Corrupt RPC responses from remote daemon nodes can lead to transaction tracing, resolved
305082, https://hackerone.com/reports/305082, Query string parameter modifications returned in page, resolved
305518, https://hackerone.com/reports/305518, Information leakage and default open port, resolved
305915, https://hackerone.com/reports/305915, Обход функций закрытого профиля, получения возможности комментировать закрытые подарки и просматривать их, resolved
305972, https://hackerone.com/reports/305972, Potential infinite loop in gdImageCreateFromGifCtx!, resolved
305973, https://hackerone.com/reports/305973, Inappropriately parsing HTTP response leads to PHP segment fault!, resolved
305974, https://hackerone.com/reports/305974, Inappropriate URL parsing may cause security risk!, resolved
305976, https://hackerone.com/reports/305976, [e.mail.ru] XSS на странице отправки денежного перевода, resolved
306128, https://hackerone.com/reports/306128, reflected xss on cycloferon.health.mail.ru, resolved
306414, https://hackerone.com/reports/306414, Window.opener protection  Bypass, resolved
306554, https://hackerone.com/reports/306554, xss, resolved
306607, https://hackerone.com/reports/306607, [html-pages] Path Traversal in html-pages module allows to read any file from the server with curl, resolved
306733, https://hackerone.com/reports/306733, Submitted reports state logs leakage, informative
307050, https://hackerone.com/reports/307050, Leak ██████████ information in real time through API request, resolved
307239, https://hackerone.com/reports/307239, Double Payout via PayPal, resolved
307382, https://hackerone.com/reports/307382, CSRF отредактировать карточки в посте у группы, resolved
307424, https://hackerone.com/reports/307424, While adding a payment method - Notification email not sent to newly added email ID as well as there is no verification for new email id (Paypal), informative
307485, https://hackerone.com/reports/307485, Stored blind xss on showmax support team, resolved
307666, https://hackerone.com/reports/307666, [serve] Directory index of arbitrary folder available due to lack of sanitization of %2e and %2f characters in url, resolved
307670, https://hackerone.com/reports/307670, Difference in query string parameter processing between Hacker News and Keybase Chrome extension spawns chat to incorrect user, resolved
307672, https://hackerone.com/reports/307672, Keybase extension hostname-validation regular expression issue., resolved
307675, https://hackerone.com/reports/307675, Claiming ownership of GitHub handles via forked GitHub gists., resolved
307681, https://hackerone.com/reports/307681, Cross-Domain JavaScript Source File Inclusion , informative
307808, https://hackerone.com/reports/307808, Path Traversal on Default Installed Rails Application (Asset Pipeline), resolved
307978, https://hackerone.com/reports/307978, Authorization issue on 'valtakirjat' (/e2/verkkopalvelu/), resolved
308155, https://hackerone.com/reports/308155, [html-janitor] Passing user-controlled data to clean() leads to XSS, resolved
308156, https://hackerone.com/reports/308156, Email Notification should be get while changing password on apps.nextcloud.com, informative
308158, https://hackerone.com/reports/308158, [html-janitor] Bypassing sanitization using DOM clobbering, resolved
308355, https://hackerone.com/reports/308355, Opcode Cache, resolved
308394, https://hackerone.com/reports/308394, CSRF token fixation and potential account takeover, resolved
308489, https://hackerone.com/reports/308489, wpjobmanager - unserialize of user input, resolved
308610, https://hackerone.com/reports/308610, Read Access to all comments on unauthorized forums' discussions! IDOR! , resolved
308721, https://hackerone.com/reports/308721, [serve] Directory listing and File access even when they have been set to be ignored., resolved
309058, https://hackerone.com/reports/309058, Open Redirect on the nl.wordpress.net, resolved
309120, https://hackerone.com/reports/309120, [angular-http-server] Path Traversal in angular-http-server.js allows to read arbitrary file from the remote server, resolved
309124, https://hackerone.com/reports/309124, [node-srv] Path Traversal allows to read arbitrary files from remote server, resolved
309367, https://hackerone.com/reports/309367, [metascraper] Stored XSS in Open Graph meta properties read by metascrapper, resolved
309394, https://hackerone.com/reports/309394, [anywhere] An iframe element with url to malicious HTML file (with eg. JavaScript malware) can be used as filename and served via anywhere, resolved
309531, https://hackerone.com/reports/309531, Stored XSS in Snapmatic + R★Editor comments, resolved
309537, https://hackerone.com/reports/309537, Backup Source Code Detected, resolved
309594, https://hackerone.com/reports/309594, error, resolved
309641, https://hackerone.com/reports/309641, [simple-server] HTML with iframe element can be used as filename, which might lead to load and execute malicious JavaScript , resolved
309648, https://hackerone.com/reports/309648, [simplehttpserver] Stored XSS in file names leads to malicious JavaScript code execution when directory listing is output in HTML, resolved
309663, https://hackerone.com/reports/309663, [3k.mail.ru] - Content spoofing, resolved
309714, https://hackerone.com/reports/309714, [support.wordcamp.org] - publicly accessible .svn repository, resolved
310036, https://hackerone.com/reports/310036, SSRF vulnerability on ██████████ leaks internal IP and various sensitive information, resolved
310105, https://hackerone.com/reports/310105, Disclosure of 152 cookie names via crafted input, resolved
310106, https://hackerone.com/reports/310106, [glance] Path Traversal in glance static file server allows to read content of arbitrary file, resolved
310133, https://hackerone.com/reports/310133, [glance] Stored XSS via file name allows to run arbitrary JavaScript when directory listing is displayed in browser, resolved
310280, https://hackerone.com/reports/310280, [Informational] Possible SQL Injection in inc/ajax-actions-frontend.php, resolved
310339, https://hackerone.com/reports/310339, Хранимая XSS в личных сообщениях новое место, resolved
310439, https://hackerone.com/reports/310439, Prototype pollution attack (Hoek), resolved
310443, https://hackerone.com/reports/310443, Prototype pollution attack (lodash), resolved
310446, https://hackerone.com/reports/310446, Prototype pollution attack (deap), resolved
310514, https://hackerone.com/reports/310514, Prototype pollution attack (defaults-deep), resolved
310579, https://hackerone.com/reports/310579,  CORS (Cross-Origin Resource Sharing), informative
310671, https://hackerone.com/reports/310671, [file-static-server] Path Traversal allows to read content of arbitrary file on the server, resolved
310690, https://hackerone.com/reports/310690, [crud-file-server] Path Traversal allows to read arbitrary file from the server, resolved
310706, https://hackerone.com/reports/310706, Prototype pollution attack (merge-objects), resolved
310707, https://hackerone.com/reports/310707, Prototype pollution attack (assign-deep), resolved
310708, https://hackerone.com/reports/310708, Prototype pollution attack (merge-deep), resolved
310943, https://hackerone.com/reports/310943, [general-file-server] Path Traversal vulnerability allows to read content on arbitrary file on the server, resolved
310946, https://hackerone.com/reports/310946, The request tells the number of private programs, the new system of authorization /invite/token, resolved
311058, https://hackerone.com/reports/311058, [http://www.informatica.com]- info disclosure, resolved
311063, https://hackerone.com/reports/311063, Хранимая XSS ( API ), resolved
311101, https://hackerone.com/reports/311101, [crud-file-server] Stored XSS in filenames when directory index is served by crud-file-server, resolved
311216, https://hackerone.com/reports/311216, [626] Path Traversal allows to read arbitrary file from remote server, resolved
311218, https://hackerone.com/reports/311218, [hekto] Path Traversal vulnerability allows to read content of arbitrary files, resolved
311236, https://hackerone.com/reports/311236, Prototype pollution attack (mixin-deep), resolved
311244, https://hackerone.com/reports/311244, [query-mysql] SQL Injection due to lack of user input sanitization allows to run arbitrary SQL queries when fetching data from database, resolved
311289, https://hackerone.com/reports/311289, CI for [example.gov] can be logged in and accessible, resolved
311330, https://hackerone.com/reports/311330, Open Redirect, resolved
311333, https://hackerone.com/reports/311333, Prototype pollution attack (deep-extend), resolved
311336, https://hackerone.com/reports/311336, Prototype pollution attack (merge-options), resolved
311337, https://hackerone.com/reports/311337, Prototype pollution attack (merge-recursive), resolved
311380, https://hackerone.com/reports/311380, See details of a unpublished word by guessing the word ID, resolved
311413, https://hackerone.com/reports/311413, XSS in delivery club, resolved
311449, https://hackerone.com/reports/311449, Reputation gain split by company can be used to track the existence of otherwise undisclosed reports, not-applicable
311639, https://hackerone.com/reports/311639, Reflected XSS on https://www.zomato.com, resolved
311805, https://hackerone.com/reports/311805, Cross-origin resource sharing misconfig , duplicate
311874, https://hackerone.com/reports/311874, CSRF на calendar.mail.ru, resolved
311884, https://hackerone.com/reports/311884, Format String Vulnerability in the EdgeSwitch restricted CLI, resolved
311913, https://hackerone.com/reports/311913, Reflected XSS в m.vk.com, resolved
311922, https://hackerone.com/reports/311922,  SQL injection , resolved
311948, https://hackerone.com/reports/311948, Stored XSS (client-side, using cookie poisoning) on the pornhubpremium.com, resolved
311998, https://hackerone.com/reports/311998, [uppy] Stored XSS due to crafted SVG file, informative
312118, https://hackerone.com/reports/312118, Using GitLab to monitor and hijack domains in mass quantity., resolved
312121, https://hackerone.com/reports/312121, Error in processing gif images, resolved
312292, https://hackerone.com/reports/312292, [https://life.informatica.com] - information disclose , resolved
312510, https://hackerone.com/reports/312510, [mobs.mail.ru] nginx path traversal via misconfigured alias, resolved
312543, https://hackerone.com/reports/312543, XXE in Site Audit function exposing file and directory contents, resolved
312555, https://hackerone.com/reports/312555, IDOR on mcs.mail.ru , resolved
312647, https://hackerone.com/reports/312647, Gaining access to private topics using quoting feature, resolved
312889, https://hackerone.com/reports/312889, [localhost-now] Path Traversal allows to read content of arbitrary file, resolved
312907, https://hackerone.com/reports/312907, [mcstatic] Path Traversal allows to read content of arbitrary files, resolved
312918, https://hackerone.com/reports/312918, [public] Path Traversal allows to read content of arbitrary files, resolved
313075, https://hackerone.com/reports/313075, Information Disclosure which violate program privacy, informative
313245, https://hackerone.com/reports/313245, Code Execution in restricted CLI of EdgeSwitch, resolved
313250, https://hackerone.com/reports/313250, Xss was found by exploiting the URL markdown on http://store.steampowered.com, resolved
313457, https://hackerone.com/reports/313457, Publicly accessible Continuous Integration Tool, resolved
314126, https://hackerone.com/reports/314126, Blind XSS - Report review - Admin panel, resolved
314204, https://hackerone.com/reports/314204, [XSS] Style/Event Filter Bypass v3.0, resolved
314808, https://hackerone.com/reports/314808, Full account takeover, resolved
314814, https://hackerone.com/reports/314814, [oauth token leak] at oauth.semrush.com, resolved
315037, https://hackerone.com/reports/315037, Media parsing in canvas is at least vulnerable to Denial of Service through multiple vulnerabilities, resolved
315205, https://hackerone.com/reports/315205, Debug information disclosure on oauth-redirector.services.greenhouse.io, resolved
315256, https://hackerone.com/reports/315256, ImageMagick GIF coder vulnerability leading to memory disclosure, resolved
315512, https://hackerone.com/reports/315512, No authentication on email address for password reset functionality/ https://platform.thecoalition.com/forgot-password, resolved
315524, https://hackerone.com/reports/315524, Общий CSRF токен для сообщений сообществ, или как подставить соседа-редактора, resolved
315760, https://hackerone.com/reports/315760, Path Traversal on Resolve-Path, resolved
315773, https://hackerone.com/reports/315773, Remote Command Execution vulnerability in pullit, resolved
315838, https://hackerone.com/reports/315838, Non-Cloudflare IPs allowed to access origin servers, resolved
315865, https://hackerone.com/reports/315865, Stored CSS Injection, resolved
315879, https://hackerone.com/reports/315879, Able to reset other user's password in https://card.starbucks.com.sg/, resolved
315906, https://hackerone.com/reports/315906, CVE-2017-15277 on Profile page, resolved
316078, https://hackerone.com/reports/316078, Обходим 2FA и/или получаем access_token, если мы когда-либо были на аккаунте жертвы, resolved
316290, https://hackerone.com/reports/316290, Prepopulation of email address and name leaks information provided to other merchants, resolved
316319, https://hackerone.com/reports/316319, XSS on redirection page( Bypassed) , resolved
316346, https://hackerone.com/reports/316346, [public] Stored XSS in filenames in directory served by public, resolved
316475, https://hackerone.com/reports/316475, Reflected xss в m.vk.com/chatjoin, resolved
316713, https://hackerone.com/reports/316713, Ad Builder Display Ads Path Traversal, resolved
316738, https://hackerone.com/reports/316738, Forum posts and private messages are poorly sanitized, allowing execution of arbitrary JavaScript, resolved
316789, https://hackerone.com/reports/316789, Able to purchase a gift card with any amount, resolved
316810, https://hackerone.com/reports/316810, Can read features from any user, resolved
316897, https://hackerone.com/reports/316897, XSS on https://www.delivery-club.ru, resolved
316898, https://hackerone.com/reports/316898, Reflected XSS on https://www.delivery-club.ru/, resolved
316946, https://hackerone.com/reports/316946, новенькое (старенькое upgreid) хакерство: делаем демократию во всем в контакте (XSS - на англиском), resolved
316948, https://hackerone.com/reports/316948, SocialClub's Facebook OAuth Theft through Warehouse XSS., resolved
317005, https://hackerone.com/reports/317005, Subdomain Takeover due to unclaimed domain pointing to AWS, resolved
317043, https://hackerone.com/reports/317043, Shell upload in http://widget.support.my.com/, resolved
317053, https://hackerone.com/reports/317053, CSRF on lootdog.io, resolved
317119, https://hackerone.com/reports/317119, Exposed Git Repo at http://fileserver.dropboxbusiness.com, resolved
317125, https://hackerone.com/reports/317125, [bracket-template] Reflected XSS possible when variable passed via GET parameter is used in template, resolved
317201, https://hackerone.com/reports/317201, [vulners.com] nginx alias_traversal, resolved
317243, https://hackerone.com/reports/317243, Window.opener fix bypass, resolved
317314, https://hackerone.com/reports/317314, CSRF на добавление товара на продажу, resolved
317321, https://hackerone.com/reports/317321, Delete directory using symlink when decompressing tar, resolved
317332, https://hackerone.com/reports/317332, Improper access control on adding a Register to an Outlet, resolved
317372, https://hackerone.com/reports/317372, CSRF на покупку товара https://lootdog.io/, resolved
317388, https://hackerone.com/reports/317388, Delay of arrears notification allows Riders to take multiple rides without paying, resolved
317391, https://hackerone.com/reports/317391, Exploiting Misconfigured CORS to Steal User Information, resolved
317507, https://hackerone.com/reports/317507, Any user can completely delete their own account without authorization and/or going through any kind of membership cancellation protocol., resolved
317543, https://hackerone.com/reports/317543, Unicorn worker pool exhaustion by continuously updating payout preferences, resolved
317548, https://hackerone.com/reports/317548, Regular Expression Denial of Service (ReDoS), resolved
317557, https://hackerone.com/reports/317557, Race condition на market.games.mail.ru, resolved
317711, https://hackerone.com/reports/317711, twofactor_auth bypassable if provider fails to load, resolved
317931, https://hackerone.com/reports/317931, Bypassing Homograph Attack Using /@ [ Tested On Windows ], resolved
317980, https://hackerone.com/reports/317980, [online.games.mail.ru] - Sensitive information disclosure, resolved
317985, https://hackerone.com/reports/317985, Просмотр приватных видео записей у Пользователей, resolved
318295, https://hackerone.com/reports/318295, clickjacking to Semrush auth login, informative
318399, https://hackerone.com/reports/318399, Program profile_metrics.json contains time to triage for deptofdefense even it's turned off, resolved
318594, https://hackerone.com/reports/318594, SSLv3 Poodle Attack on Ip Of semrush, not-applicable
319003, https://hackerone.com/reports/319003, [stattic] Inproper path validation leads to Path Traversal and allows to read arbitrary files with any extension(s), resolved
319036, https://hackerone.com/reports/319036, There is vulnebility Click Here TO fix, not-applicable
319279, https://hackerone.com/reports/319279, [critical] sql injection by GET method, resolved
319458, https://hackerone.com/reports/319458, typeorm does not properly escape parameters when building SQL queries, resulting in potential SQLi, resolved
319465, https://hackerone.com/reports/319465, `sql` does not properly escape parameters when building SQL queries, resulting in potential SQLi, resolved
319467, https://hackerone.com/reports/319467, `macaddress` concatenates unsanitized input into exec() command, resolved
319473, https://hackerone.com/reports/319473, [open] concatenation of unsanitized input into exec() command, resolved
319476, https://hackerone.com/reports/319476, `whereis` concatenates unsanitized input into exec() command, resolved
319480, https://hackerone.com/reports/319480, Broken Authentication: A project addition request can be used multiple time for different users, informative
319483, https://hackerone.com/reports/319483, Stored self-xss and its escalation to a victim account in e.mail.ru, resolved
319593, https://hackerone.com/reports/319593, `sshpk` is vulnerable to ReDoS when parsing crafted invalid public keys, resolved
319629, https://hackerone.com/reports/319629, `rgb2hex` is vulnerable to ReDoS when parsing crafted invalid colors, resolved
319674, https://hackerone.com/reports/319674, Просмотр любого видео из частной группы и кто загрузил, resolved
319794, https://hackerone.com/reports/319794, [m-server] HTML Injection in filenames displayed as directory listing in the browser allows to embed iframe with malicious JavaScript code, resolved
319795, https://hackerone.com/reports/319795, [m-server] Path Traversal allows to display content of arbitrary file(s) from the server, resolved
319809, https://hackerone.com/reports/319809, `memjs` allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage, resolved
319951, https://hackerone.com/reports/319951, `superstatic` is vulnerable to path traversal on Windows, resolved
320159, https://hackerone.com/reports/320159, `useragent` is vulnerable to ReDoS in user-agent string, resolved
320166, https://hackerone.com/reports/320166, `concat-with-sourcemaps` allocates uninitialized Buffers when number is passed as a separator, resolved
320173, https://hackerone.com/reports/320173, Bypass of my three other reports #267636 + #255894 + #271861 - (IDOR) Ability to see full name associated with other New Relic accounts, resolved
320200, https://hackerone.com/reports/320200, [NR Alerts/Synthetics?] User with no Synthetics permissions can view synthetic monitor details through /internal_api/ endpoint, resolved
320222, https://hackerone.com/reports/320222, memory corruption while parsing HTTP response, resolved
320269, https://hackerone.com/reports/320269, `npmconf` (and `npm` js api) allocate and write to disk uninitialized memory content when a typed number is passed as input on Node.js 4.x, resolved
320376, https://hackerone.com/reports/320376, Open Redirection in index.php page, resolved
320586, https://hackerone.com/reports/320586, `foreman` is vulnerable to ReDoS in path, resolved
320689, https://hackerone.com/reports/320689, [NR Synthetics] Restricted user can view synthetics monitors and user permissions through .json endpoint at /permissions/securablemetadata/{GROUP ID}, resolved
320693, https://hackerone.com/reports/320693, [hekto] open redirect when target domain name is used as html filename on server, resolved
321029, https://hackerone.com/reports/321029, HTML Injection inside Slack promotional emails, resolved
321213, https://hackerone.com/reports/321213, Monero GUI not linked with /DYNAMICBASE or hardening on windows, no ASLR, resolved
321249, https://hackerone.com/reports/321249, Forum Users Information Disclosure, resolved
321410, https://hackerone.com/reports/321410, A user can create an event in a group without being in it http://littleguy.vanillastaging.com/, resolved
321419, https://hackerone.com/reports/321419, XSS в названии лайвчата, resolved
321420, https://hackerone.com/reports/321420, xss reflected in littleguy.vanillastaging.com, resolved
321444, https://hackerone.com/reports/321444, Fix bypass of different processing of usernames on Hackernews, resolved
321511, https://hackerone.com/reports/321511, It's possible to put SDX orderbook into invalid state and execute trades at arbitrary price, resolved
321594, https://hackerone.com/reports/321594, Смотрим фотографии из частных/закрытых групп., resolved
321643, https://hackerone.com/reports/321643, XSS в нике при запросе в контакты., resolved
321670, https://hackerone.com/reports/321670, `stringstream` allocates uninitialized Buffers when number is passed in input stream on Node.js 4.x and below, resolved
321686, https://hackerone.com/reports/321686, `atob` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below, resolved
321687, https://hackerone.com/reports/321687, `base64url` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below, resolved
321692, https://hackerone.com/reports/321692, `base64-url` below 2.0 allocates uninitialized Buffers when number is passed in input, resolved
321699, https://hackerone.com/reports/321699, Takeover of Twitter-owned domain at mobileapplinking.com, resolved
321701, https://hackerone.com/reports/321701, `utile` allocates uninitialized Buffers when number is passed in input, resolved
321702, https://hackerone.com/reports/321702, `put` allocates uninitialized Buffers when non-round numbers are passed in input, resolved
321704, https://hackerone.com/reports/321704, `njwt` allocates uninitialized Buffers when number is passed in base64urlEncode input, resolved
321725, https://hackerone.com/reports/321725, A user can comment in private discussions without having permission to access the discussion, resolved
321938, https://hackerone.com/reports/321938, [www.zomato.com] Getting a complimentary dessert [Zomato Treats] on ordering a Meal at no cost, resolved
321980, https://hackerone.com/reports/321980, [XSS/CSRF] filter content-type bypass in Files v2.0, resolved
322661, https://hackerone.com/reports/322661, Replace other user files in Inbox messages , resolved
322724, https://hackerone.com/reports/322724,  Local paths disclosure through error message, resolved
322935, https://hackerone.com/reports/322935, Exim off-by-one RCE vulnerability, resolved
322985, https://hackerone.com/reports/322985, Ability to reset password for account, resolved
323005, https://hackerone.com/reports/323005, CSRF leads to a stored self xss, resolved
323017, https://hackerone.com/reports/323017, Two vulnerability in GNU binutils, resolved
323566, https://hackerone.com/reports/323566, Reflected XSS { support.mycrypto.com }, resolved
323852, https://hackerone.com/reports/323852, Firmware download/install vulnerable to CSRF, resolved
323899, https://hackerone.com/reports/323899, Outdated Wordpress installation and plugins at www.uberxgermany.com create CSRF and XSS vulnerabilities, resolved
323906, https://hackerone.com/reports/323906, Double authentication bypass, informative
323975, https://hackerone.com/reports/323975, CSRF in Inviting users, resolved
323992, https://hackerone.com/reports/323992, Publicly accessible Order confirmations leaking User Emails on ███, resolved
324005, https://hackerone.com/reports/324005, Server-Side Request Forgery on SAML Application - Import via URL, resolved
324006, https://hackerone.com/reports/324006, SaaS admin can modify/delete/get user information., resolved
324194, https://hackerone.com/reports/324194, Blind stored xss in demo form, resolved
324230, https://hackerone.com/reports/324230, Account Takeover on https://www.delivery-club.ru через партнерский аккаунт., resolved
324303, https://hackerone.com/reports/324303, DOM Based XSS in mycrypto.com, resolved
324372, https://hackerone.com/reports/324372, Missing SPF Records., duplicate
324453, https://hackerone.com/reports/324453, `command-exists` concatenates unsanitized input into exec()/execSync() commands, resolved
324491, https://hackerone.com/reports/324491, `fs-path` concatenates unsanitized input into exec()/execSync() commands, resolved
324548, https://hackerone.com/reports/324548, Html injection mycrypto.com, resolved
325510, https://hackerone.com/reports/325510, Stored-XSS with user interaction on [sandbox.open-xchange.com] via inserted link in mail, resolved
325594, https://hackerone.com/reports/325594, Leakage badges on disabled user, informative
325734, https://hackerone.com/reports/325734, Missing SPF record for the in scope domain, duplicate
325827, https://hackerone.com/reports/325827, Content Spoofing or Text Injection support.mycrypto.com, resolved
326043, https://hackerone.com/reports/326043, SSRF+XSS, resolved
326080, https://hackerone.com/reports/326080, Improper Access Control on Onelogin in multi-layered architecture, resolved
326434, https://hackerone.com/reports/326434, Able to Select Every Poll Option[http://tedwebers-famous-loudspeakers.vanillacommunities.com], resolved
326449, https://hackerone.com/reports/326449, Reflected XSS on multiple uberinternal.com domains, resolved
326697, https://hackerone.com/reports/326697, HTML Injection on https://www.mycrypto.com/, resolved
326918, https://hackerone.com/reports/326918, Stored Blind XSS, resolved
327088, https://hackerone.com/reports/327088, Extra program metrics disclosed via /PROGRAM_NAME json response, resolved
327200, https://hackerone.com/reports/327200, disclosure of email by sending a message., resolved
327480, https://hackerone.com/reports/327480, SSRF on infawiki.informatica.com and infawikitest.informatica.com, resolved
327512, https://hackerone.com/reports/327512, Potential command injection in `Shell#[]` and `Shell#test`, resolved
327671, https://hackerone.com/reports/327671, Error Page Content Spoofing or Text Injection , resolved
327674, https://hackerone.com/reports/327674, Invitation reminder emails contain insecure links, resolved
327867, https://hackerone.com/reports/327867, User provided values trusted in sensitive actions, informative
328210, https://hackerone.com/reports/328210, [sexstatic] HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name, resolved
328270, https://hackerone.com/reports/328270, XSS vulnerability in sanitize-method when parsing link's href, resolved
328486, https://hackerone.com/reports/328486, [Zomato Android/iOS] Theft of user session, resolved
328526, https://hackerone.com/reports/328526, ETH contract handling errors, resolved
328724, https://hackerone.com/reports/328724, Improper Authentication in Vimeo's API 'versions' endpoint., resolved
329209, https://hackerone.com/reports/329209, Making further registrations difficult on Vanilla forum, resolved
329218, https://hackerone.com/reports/329218, reports.breadcrumb.com is vulnerable for Arbitrary file existence disclosur CVE-2014-7829 , resolved
329263, https://hackerone.com/reports/329263, Full account takeover am.ru, resolved
329345, https://hackerone.com/reports/329345, CSRF на загрузку аудиозаписей, resolved
329376, https://hackerone.com/reports/329376, Remote Code Execution (RCE) in a DoD website, resolved
329397, https://hackerone.com/reports/329397, Remote Code Execution (RCE) in a DoD website, resolved
329399, https://hackerone.com/reports/329399, Remote Code Execution (RCE) in a DoD website, resolved
329400, https://hackerone.com/reports/329400, Remote Code Execution (RCE) in a DoD website, resolved
329407, https://hackerone.com/reports/329407, Drupal admin takeover via install.php not being performed prior to install., resolved
329572, https://hackerone.com/reports/329572, Remote Code Execution (RCE) in a Sony WebSystem, resolved
329645, https://hackerone.com/reports/329645, Silent omission of certificate hostname verification in LibreSSL and BoringSSL, resolved
329659, https://hackerone.com/reports/329659, UniFi Video web interface Configuration Restore user privilege escalation, resolved
329689, https://hackerone.com/reports/329689, Test-scripts for postgis in mason-repository using unsafe unzip of content from unclaimed bucket creates potential RCE-issues, resolved
329749, https://hackerone.com/reports/329749, UniFi Video Server web interface Configuration Restore CSRF leading to full application compromise, resolved
329770, https://hackerone.com/reports/329770, UniFi Video Server web interface Configuration Restore path traversal leading to local system compromise, resolved
329837, https://hackerone.com/reports/329837, Bypass to defective fix of Path Traversal , resolved
329862, https://hackerone.com/reports/329862, Stored xss in shop name @ lp.reverb.com, resolved
329950, https://hackerone.com/reports/329950, [public] Stored XSS in the filename when directories listing, resolved
329957, https://hackerone.com/reports/329957, Tracking of users on third-party websites using the Twitter cookie, due to a flaw in authenticating image requests, resolved
330008, https://hackerone.com/reports/330008, [dev.twitter.com] XSS and Open Redirect Protection Bypass, resolved
330028, https://hackerone.com/reports/330028, Remote Code Execution (RCE) in a Sony Pictures WebSystem, resolved
330051, https://hackerone.com/reports/330051, UniFi Video Server web interface admin user Firmware Update path traversal leading to local system compromise, resolved
330105, https://hackerone.com/reports/330105, Exploitable vulnerability in SDEX, resolved
330122, https://hackerone.com/reports/330122, Bypassing CSRF Token On Reply Message & Send Message, resolved
330135, https://hackerone.com/reports/330135, S3 bucket unnecessarily discloses permissions, resolved
330285, https://hackerone.com/reports/330285, [mcstatic] Server Directory Traversal, resolved
330349, https://hackerone.com/reports/330349, [angular-http-server] Server Directory Traversal, resolved
330351, https://hackerone.com/reports/330351, `byte` allocates uninitialized buffers and reads data from them past the initialized length, resolved
330356, https://hackerone.com/reports/330356, [html-pages] Stored XSS in the filename when directories listing, resolved
330378, https://hackerone.com/reports/330378, ПРОСМОТР ЛЮБЫХ ПРИВАТНЫХ ФОТО + ПРЕВЬЮ ЛЮБОГО ПРИВАТНОГО ВИДЕО., resolved
330650, https://hackerone.com/reports/330650, [serve] Directory listing and File access even when they have been set to be ignored, resolved
330721, https://hackerone.com/reports/330721, Expose relay IP in the debug (The source is different from the rendering), informative
330724, https://hackerone.com/reports/330724, [serve] Directory listing and File access even when they have been set to be ignored (using dot-slash), resolved
330760, https://hackerone.com/reports/330760, Partner Account Takeover on https://www.delivery-club.ru через пользовательский аккаунт., resolved
330860, https://hackerone.com/reports/330860, Information Disclosure, resolved
330957, https://hackerone.com/reports/330957, [pdfinfojs] Command Injection on filename parameter, resolved
330974, https://hackerone.com/reports/330974, XSS on https://www.delivery-club.ru/sd/test_330933/info/, resolved
331032, https://hackerone.com/reports/331032, [buttle] Remote Command Execution via unsanitized PHP filename when it's run with --php-bin flag, resolved
331040, https://hackerone.com/reports/331040, Определение id по номеру телефона, resolved
331110, https://hackerone.com/reports/331110, [buttle] HTML Injection in filename leads to XSS when directory listing is displayed in the browser, resolved
331302, https://hackerone.com/reports/331302, Improper protection of FileContentProvider, resolved
331368, https://hackerone.com/reports/331368, 3x Reflected XSS vectors for services.cgi (XM.v6.1.6, build 32290), resolved
331428, https://hackerone.com/reports/331428, Cross domain tracking even with 3rd party cookies disabled., informative
331489, https://hackerone.com/reports/331489, Extremly simple way to bypass Nextcloud-Client PIN/Fingerprint lock, resolved
331691, https://hackerone.com/reports/331691, Email Forwarding invitations for Drafts are not marked as accepted, allowing multiple users to join a program after disabling Email Forwarding, resolved
331752, https://hackerone.com/reports/331752, https://mathfacts.khanacademy.org/ includes code from unprivileged localhost port, resolved
331879, https://hackerone.com/reports/331879, User Impersonation - Create Support Ticket With Any Registered Account Email, informative
331940, https://hackerone.com/reports/331940, Race Condition : Exploiting the loyalty claim https://xxx.vendhq.com/loyalty/claim/email/xxxxx url and gain x amount of loyalty bonus/cash, resolved
331975, https://hackerone.com/reports/331975, [XSS] Pasting bootstrap in mail compose, resolved
331984, https://hackerone.com/reports/331984, HTTP header can split /[\r\n]/ instead of /\r\n/, resolved
332381, https://hackerone.com/reports/332381, Internal API endpoint discloses full account name of email address associated with unconfirmed user, resolved
332586, https://hackerone.com/reports/332586, Unauthorized access to jiratest.starbucks.com , resolved
332631, https://hackerone.com/reports/332631, Bypass blocked profile protection on aircrm.ubnt.com, resolved
332632, https://hackerone.com/reports/332632, (Possible) staff account takeover via reset token bruteforce at helpdesk.bistudio.com, resolved
332708, https://hackerone.com/reports/332708, [dl.beepcar.ru] CRLF Injection, resolved
333008, https://hackerone.com/reports/333008, Persistent XSS in https://sandbox.reverb.com/item/, resolved
333306, https://hackerone.com/reports/333306, Directory traversal at https://msg.algolia.com, resolved
333459, https://hackerone.com/reports/333459, npm packages that overlap with core node packages, informative
333507, https://hackerone.com/reports/333507, Stored XSS in "post last edited" option, resolved
333767, https://hackerone.com/reports/333767, IDOR to view other user folder name, resolved
334139, https://hackerone.com/reports/334139, CSRF Trial 14 days express subscription, resolved
334143, https://hackerone.com/reports/334143, [NR Synthetics] Restricted User can add/modify alert conditions on monitors without any synthetics privileges , resolved
334229, https://hackerone.com/reports/334229, Blind XSS pets.mail.ru/admin/, resolved
334230, https://hackerone.com/reports/334230, Disclosure of user email address and Deanonymization [mail.ru] + Blind | Stored XSS pets.mail.ru, resolved
334253, https://hackerone.com/reports/334253, CSRF at [Apply to this program] that lead to submit your request automatic with out any validations, resolved
334488, https://hackerone.com/reports/334488, Blind XXE via Powerpoint files, resolved
334691, https://hackerone.com/reports/334691, Reflected XSS в /al_audio.php, resolved
334709, https://hackerone.com/reports/334709, Cache poisoning using NULL bytes and long URLs, resolved
334837, https://hackerone.com/reports/334837, [localhost-now] bypassing url filter which leads to read content of arbitrary file, resolved
335123, https://hackerone.com/reports/335123, Invalid Phabricator API token revealed through error message when escalating a report, resolved
335330, https://hackerone.com/reports/335330, Subdomain Takeover to Authentication bypass , resolved
335339, https://hackerone.com/reports/335339, HTTP parameter pollution from outdated Greenhouse.io JS dependency, resolved
335481, https://hackerone.com/reports/335481, [Zomato's Blog] POST based XSS on https://www.zomato.com/blog/wp-admin/admin-ajax.php?td_theme_name=Newspaper&v=8.2, resolved
335495, https://hackerone.com/reports/335495, Out of order TLS handshake / application data messages lead to segmentation fault, resolved
335533, https://hackerone.com/reports/335533, HTTP/2 Denial of Service Vulnerability, resolved
335607, https://hackerone.com/reports/335607, [XSS] select/onchange in TinyMCE via set body, resolved
335608, https://hackerone.com/reports/335608, Denial of Service: nghttp2 use of uninitialized pointer, resolved
335761, https://hackerone.com/reports/335761, RCE By import channel field, resolved
336131, https://hackerone.com/reports/336131, Potential to abuse pricing errors in saved carts, resolved
336145, https://hackerone.com/reports/336145, 3rd party shop admin panel blind XSS, resolved
337189, https://hackerone.com/reports/337189, Tracking Bitwarden firefox addon users, resolved
337219, https://hackerone.com/reports/337219, URL is vulnerable to clickjacking, informative
337488, https://hackerone.com/reports/337488, [XSS] Forgot password link, resolved
337680, https://hackerone.com/reports/337680, burp does not validate the common name of the presented collaborator server certificate, resolved
337734, https://hackerone.com/reports/337734, Получение вечного доступа к Long Pool и авторизованой страницы сайта, если мы когда-либо были на аккаунте жертвы, resolved
337986, https://hackerone.com/reports/337986, CVE-2018-6797:  A crafted regular expression can cause a heap buffer write overflow in Perl 5 giving a remote attacker control over bytes written, resolved
338477, https://hackerone.com/reports/338477, [EE] change the author of post using the author_id, resolved
338569, https://hackerone.com/reports/338569, Clickjacking: Delete Account, Change privacy settings, Rate business, follow/unfollow (IE), duplicate
339352, https://hackerone.com/reports/339352, CSRF logs the victim into attacker's account, resolved
339483, https://hackerone.com/reports/339483, "Bad Protocols Validation" Bypass in "wp_kses_bad_protocol_once" using HTML-encoding without trailing semicolons, resolved
339987, https://hackerone.com/reports/339987, [EE] Spoof the redirect process, resolved
340012, https://hackerone.com/reports/340012, Buffer out of bound read in miniupnpc xml parser , resolved
340053, https://hackerone.com/reports/340053, Use After Free in crypto.randomFill, informative
340191, https://hackerone.com/reports/340191, Session works after logout from Shopify account, resolved
340208, https://hackerone.com/reports/340208, Command injection in 'pdf-image', resolved
340431, https://hackerone.com/reports/340431, Reflected XSS and sensitive data exposure, including payment details, on lioncityrentals.com.sg, resolved
340580, https://hackerone.com/reports/340580, registry.nodejs.org Subdomain Takeover, resolved
340926, https://hackerone.com/reports/340926, [XSS] Parameter Theme , resolved
341044, https://hackerone.com/reports/341044, [cloudcmd] Stored XSS in the filename when directories listing, resolved
341074, https://hackerone.com/reports/341074, Bruteforce in admin panel, resolved
341372, https://hackerone.com/reports/341372, The session token in the URL, informative
341600, https://hackerone.com/reports/341600, [www.zomato.com] Abusing LocalParams to Inject Code through ███████ query, resolved
341634, https://hackerone.com/reports/341634, Invalid URL parsing '#', informative
341637, https://hackerone.com/reports/341637, Часть  админки доступна для всех пользователей, resolved
341675, https://hackerone.com/reports/341675, Просмотр любых записей на стене, resolved
341710, https://hackerone.com/reports/341710, [git-dummy-commit] Command injection on the msg parameter, resolved
341869, https://hackerone.com/reports/341869, [entitlements] Command injection on the 'path' parameter, resolved
341908, https://hackerone.com/reports/341908, XSS via Direct Message deeplinks, resolved
341969, https://hackerone.com/reports/341969, DOM XSS in edoverflow.com/tools/respond due to unsafe usage of the innerHTML property., resolved
341992, https://hackerone.com/reports/341992, Import File Converter - local File inclusion , resolved
342066, https://hackerone.com/reports/342066, [bruteser] Path Traversal allows to read content of arbitrary file, resolved
342608, https://hackerone.com/reports/342608, XML Member Proccessing - Local File inclusion Vulnerability , resolved
342610, https://hackerone.com/reports/342610, [XSS] Style/Event Filter Bypass v4.0, resolved
342693, https://hackerone.com/reports/342693, Password reset token leakage via referer, resolved
342709, https://hackerone.com/reports/342709, Smuggle SocialClub's Facebook OAuth Code via Referer Leakage, resolved
342928, https://hackerone.com/reports/342928, api.icq.com / отсутсвие лимита на отправку сообщений удаляя параметр защиты "&r", not-applicable
342976, https://hackerone.com/reports/342976, Referer in /servlet/TestServlet, resolved
342977, https://hackerone.com/reports/342977, brute force attack allowed on admin page https://www.stellar.org/wp-admin/, informative
342978, https://hackerone.com/reports/342978, Team object in GraphQL disclosed total number of whitelisted hackers, resolved
343095, https://hackerone.com/reports/343095, Session Cookie Without Secure Flag,, informative
343111, https://hackerone.com/reports/343111, OAuth2 Access Token and App Password Security Vulnerability, resolved
343120, https://hackerone.com/reports/343120, Lack of CSRF protection on uberps.com makes every form vulnerable to CSRF, resolved
343464, https://hackerone.com/reports/343464, Team object in GraphQL discloses team group names and permissions, resolved
343626, https://hackerone.com/reports/343626, Privilege escalation allows any user to add an administrator, resolved
343726, https://hackerone.com/reports/343726, Unrestricted file upload (RCE), resolved
343752, https://hackerone.com/reports/343752, lootdog.io XSS, resolved
344032, https://hackerone.com/reports/344032, Blind SSRF in Ticketing Integrations Jira webhooks leading to internal network enumeration and blind HTTP requests, resolved
344035, https://hackerone.com/reports/344035, Heap Buffer Overflow (READ: 1786) in exif_iif_add_value, resolved
344069, https://hackerone.com/reports/344069, The react-marked-markdown module allows XSS injection in href values., resolved
344086, https://hackerone.com/reports/344086, Uber employees are sharing information on productforums.google.com, resolved
344177, https://hackerone.com/reports/344177, api.icq.com / возможность смотреть аватарку и название приватного чата, resolved
344223, https://hackerone.com/reports/344223, [Привязка email к странице] by admin@notify.vk.com | email-flood, resolved
344284, https://hackerone.com/reports/344284, View & add to cart unlisted items via IDOR, resolved
344309, https://hackerone.com/reports/344309, Adding a new user discloses their full name in the "Users" section of NR Alerts notification channels page, resolved
344429, https://hackerone.com/reports/344429, reflected XSS avito.ru, resolved
344468, https://hackerone.com/reports/344468, User is able to access and create private synthetics locations without upgrading (regression of #276157) , resolved
344499, https://hackerone.com/reports/344499, epee will accept an arbitrary amount of leading line-breaks in an http request, resolved
344557, https://hackerone.com/reports/344557, easyXDM allows cross domain postmessaging with any origin, leaking sensitive info, resolved
344566, https://hackerone.com/reports/344566, Cleartext password exposure allows access to the desafio5estrelas.com admin panel, resolved
344595, https://hackerone.com/reports/344595, Arbitrary file overwrites in `node-tar`, resolved
345162, https://hackerone.com/reports/345162, Local File Download, resolved
345166, https://hackerone.com/reports/345166, Session cookie missing SecureFlag on git.edoverflow.com., resolved
346111, https://hackerone.com/reports/346111, XSS (Persistent) - Selecting role(s) for protected branches, resolved
346217, https://hackerone.com/reports/346217, Persistent XSS - Selecting users as allowed merge request approvers, resolved
346516, https://hackerone.com/reports/346516, Remote code executio in  NPM package getcookies, resolved
346575, https://hackerone.com/reports/346575, Remote file inclusion using "/cdn-cgi/pe/bag2?r[]="  , resolved
346825, https://hackerone.com/reports/346825, LFI in beta.mail.ru, resolved
347139, https://hackerone.com/reports/347139, LFI and SSRF via XXE in emblem editor, resolved
347215, https://hackerone.com/reports/347215, Blind Stored XSS, resolved
347282, https://hackerone.com/reports/347282, Linux kernel: CVE-2017-6074: DCCP double-free vulnerability, resolved
347296, https://hackerone.com/reports/347296, Docker Registry HTTP API v2 exposed in HTTP without authentication leads to docker images dumping and poisoning, resolved
347439, https://hackerone.com/reports/347439, [synthetics.newrelic.com] SMTP header injection leads to (mass) arbitrary email sending, resolved
347567, https://hackerone.com/reports/347567, XSS in "explore-keywords-dropdown" results., resolved
347645, https://hackerone.com/reports/347645, Open Redirection Vulnerability in m.vk.com, resolved
347665, https://hackerone.com/reports/347665, Permissions leaks the full name of other NR accounts - Regression of #267636, resolved
347693, https://hackerone.com/reports/347693, Program metrics disclosed response_efficiency_percentage via /program_name json response despite the team decided not to show on their profile, resolved
347748, https://hackerone.com/reports/347748, Improper session handling on web browsers, resolved
347782, https://hackerone.com/reports/347782, Click Jacking Nextcloud, informative
347850, https://hackerone.com/reports/347850, Attacker can send requests from mail.ru server, resolved
347937, https://hackerone.com/reports/347937, Team object in GraphQL that have a published external program may expose existence of a private program, resolved
348047, https://hackerone.com/reports/348047, Code reversion allowing SQLI again in ███████, resolved
348076, https://hackerone.com/reports/348076, Stored XSS in Brower `name` field reflected in two pages, resolved
348108, https://hackerone.com/reports/348108, XSS web.icq.com double linkify, resolved
348443, https://hackerone.com/reports/348443, Snippet JS template allows attacker to read a user's private snippets, resolved
348801, https://hackerone.com/reports/348801, Banner Grabbing - Apache Server Version Disclosure, informative
349146, https://hackerone.com/reports/349146, Stored XSS in Node-Red, resolved
349291, https://hackerone.com/reports/349291, IDOR via internal_api "users" endpoint , resolved
349681, https://hackerone.com/reports/349681, Aapp name leakage on economy history page, resolved
350119, https://hackerone.com/reports/350119, Buffer overflows in demo parsing, resolved
350288, https://hackerone.com/reports/350288, Two Factor Authentication Bypass, resolved
350401, https://hackerone.com/reports/350401, Insecure implementation of deserialization in funcster, resolved
350418, https://hackerone.com/reports/350418, Insecure implementation of deserialization in cryo, resolved
350739, https://hackerone.com/reports/350739, Lack of cross-origin request blocking allows leaking of sensitive information on several endpoints, duplicate
350847, https://hackerone.com/reports/350847, Bypass of request line length limit to DoS via cache poisoning, resolved
350937, https://hackerone.com/reports/350937, GetReports works for hubs you don't have access to, resolved
350939, https://hackerone.com/reports/350939, Получение чужого номера телефона (все цифры) через форму восстановления пароля, resolved
350964, https://hackerone.com/reports/350964, User object in GraphQL exposes number of trial reports for External Programs that also have a Private Program, resolved
351014, https://hackerone.com/reports/351014, Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution, resolved
351016, https://hackerone.com/reports/351016, Malformed Skybox .TGA in Half-Life (GoldSRC) leads to Access Violation, resolved
351106, https://hackerone.com/reports/351106, resetreportedcount & updatetags doesn't verify appid param, resolved
351171, https://hackerone.com/reports/351171, Stored XXS @ https://steamcommunity.com/search/users/#text= via Profile Name, resolved
351275, https://hackerone.com/reports/351275, DOM Based XSS charting_library, resolved
351361, https://hackerone.com/reports/351361, Administrator can create user without entering high security mode, resolved
351363, https://hackerone.com/reports/351363, Открытая информация phpinfo() на сайте https://agent.mail.ru, resolved
351376, https://hackerone.com/reports/351376, XSS in main search, use class tag to imitate Reverb.com core functionality, create false login window, resolved
351519, https://hackerone.com/reports/351519, Improper access check by Kit  leads to controlling attributes of store & getting analytics by deleted Store member via dual messenger A/C, resolved
351554, https://hackerone.com/reports/351554, Persistent XSS - Deleting a project (No Longer Vulnerable in 10.7), resolved
351555, https://hackerone.com/reports/351555, Disclosure of all uploads to Cloudinary via hardcoded api secret in Android app, resolved
352623, https://hackerone.com/reports/352623, Api token exposed in Reverb.com's public github repository, resolved
352869, https://hackerone.com/reports/352869,  Subdomain Takeover Via Insecure CloudFront Distribution cdn.grab.com, resolved
353293, https://hackerone.com/reports/353293, XSS in buying and selling pages, can created spoofed content (false login message), resolved
353310, https://hackerone.com/reports/353310, People who interviewed for HackerOne security analyst position can be enumerated and their personal email address may be exposed, resolved
353334, https://hackerone.com/reports/353334, Unfiltered input allows for XSS in "Playtime Item Grants" fields, resolved
354262, https://hackerone.com/reports/354262, stored XSS (angular injection) in support.rockstargames.com using zendesk register form via name parameter, resolved
354650, https://hackerone.com/reports/354650, [CVE-2018-6913] heap-buffer-overflow in S_pack_rec, resolved
354660, https://hackerone.com/reports/354660, Suspended users can bypass UGC upload ban, resolved
354686, https://hackerone.com/reports/354686, Reflected XSS in https://eng.uberinternal.com and https://coeshift.corp.uber.internal/, resolved
355456, https://hackerone.com/reports/355456, [statics-server] Path Traversal due to lack of provided path sanitization, resolved
355458, https://hackerone.com/reports/355458, [statics-server] XSS via injected iframe in file name when statics-server displays directory index in the browser, resolved
355501, https://hackerone.com/reports/355501, [servey] Path Traversal allows to retrieve content of any file with extension from remote server, resolved
355558, https://hackerone.com/reports/355558, Open Redirect via login avito.ru | Protection bypass, resolved
355773, https://hackerone.com/reports/355773, XSS on support.wordcamp.org in ajax-quote.php, resolved
355774, https://hackerone.com/reports/355774, Modifying application settings via clickjacking on o2.mail.ru, resolved
355948, https://hackerone.com/reports/355948, Раскрытие IP, почты и другой полезной информации lootdog.io, resolved
356284, https://hackerone.com/reports/356284, Samlify is vulnerable to signature wrapping, resolved
356322, https://hackerone.com/reports/356322, Раскрытие серии/номера паспорта и снилс пользователя lootdog.io, resolved
356408, https://hackerone.com/reports/356408, The "Download Raw Diff" URL is viewable by everyone, informative
356566, https://hackerone.com/reports/356566, HackerOne support disclosing report state without checking user identity, resolved
356586, https://hackerone.com/reports/356586, [XSS] content_disposition=inline in files, resolved
356763, https://hackerone.com/reports/356763, Buffer overflow in sha3, informative
356765, https://hackerone.com/reports/356765, Internal SSRF bypass using slash commands at api.slack.com, resolved
356775, https://hackerone.com/reports/356775, command Injection in rawlog binary, informative
356809, https://hackerone.com/reports/356809, [exceljs] Possible XSS via cell value when worksheet is displayed in browser, resolved
357213, https://hackerone.com/reports/357213, Получаем все домены и поддомены icq с помощью amazonaws.com [config,txt], informative
357485, https://hackerone.com/reports/357485, Hacktivity of a private program visible to banned user if he gets invited to a program by hackbot, resolved
357576, https://hackerone.com/reports/357576, Exposing hackerone users personally identifiable information by abusing sandbox with swag reward enabled, informative
357665, https://hackerone.com/reports/357665, DoS in Brave browser for iOS, resolved
357858, https://hackerone.com/reports/357858, forum.getmonero.org Shell upload, resolved
357929, https://hackerone.com/reports/357929, Items bought for free due to lacks of quantity controls, resolved
357952, https://hackerone.com/reports/357952, Deleting other people's comments on ModeratorMessages, resolved
358001, https://hackerone.com/reports/358001, HTML TAG INJECTION ON PROFILE NAME, resolved
358005, https://hackerone.com/reports/358005, Tor Browser: iframe with `data:` uri  has access to parent window, informative
358007, https://hackerone.com/reports/358007, Compromising the user ID, resolved
358049, https://hackerone.com/reports/358049, RCE via Print function [Simplenote 1.1.3 - Desktop app] , resolved
358102, https://hackerone.com/reports/358102, Disclosed Version of PORTS SSH|HTTP|SSL, duplicate
358112, https://hackerone.com/reports/358112, [buttle] Path traversal in mid-buttle module allows to read any file in the server., resolved
358119, https://hackerone.com/reports/358119, SSRF in proxy.duckduckgo.com via the image_host parameter, resolved
358143, https://hackerone.com/reports/358143, CRITICAL Insecure Direct Object Reference (I.D.O.R) - Link Other User's Credit Card , resolved
358339, https://hackerone.com/reports/358339, File access control rules not enforced on image files, resolved
358359, https://hackerone.com/reports/358359, Privilage escalation with malicious .npmrc, informative
358641, https://hackerone.com/reports/358641, [serve] Stored XSS in the filename when directories listing, resolved
358645, https://hackerone.com/reports/358645, [serve] Server Directory Traversal, resolved
358669, https://hackerone.com/reports/358669, [www.zomato.com] SQLi on `order_id` parameter, resolved
359288, https://hackerone.com/reports/359288, Potensial SSRF via Git repository URL , duplicate
359290, https://hackerone.com/reports/359290, LDAP Injection at ██████, resolved
360171, https://hackerone.com/reports/360171, Multiple Bugs in api.data.gov/signup endpoint leads to send custom messages to Anyone, resolved
360539, https://hackerone.com/reports/360539, SQL Injection Proof of Concept for Starbucks URL, not-applicable
360727, https://hackerone.com/reports/360727, [markdown-pdf] Local file reading, resolved
360797, https://hackerone.com/reports/360797, Authenticated reflected XSS on liberapay.com via the back_to parameter when leaving a team., resolved
360811, https://hackerone.com/reports/360811, Information Leak - Github - JMS Information, resolved
360834, https://hackerone.com/reports/360834, CSRF to make any user accept the invitation to the team, informative
361089, https://hackerone.com/reports/361089, twitter api access token leaked on github , not-applicable
361130, https://hackerone.com/reports/361130, Same CSRF token is being used for deleting other platform login’s within an account and across other liberapay Account’s, informative
361131, https://hackerone.com/reports/361131, csrf token did not changed after login/logout many times, informative
361133, https://hackerone.com/reports/361133, Able to View other users income history, informative
361189, https://hackerone.com/reports/361189, Anyone can register organization legal type as "Soletrader", resolved
361194, https://hackerone.com/reports/361194, Liberapay Non Verified Account Takeover with signup feature, informative
361269, https://hackerone.com/reports/361269, Trusted daemon check fails when proxied through torsocks or proxychains, resolved
361287, https://hackerone.com/reports/361287, DOMXSS in redirect param, resolved
361337, https://hackerone.com/reports/361337, Missing back-end user input validation can lead to DOS flaw, resolved
361368, https://hackerone.com/reports/361368, Insecure Account Deletion, informative
361400, https://hackerone.com/reports/361400, The csrf token remains same after user logs in, duplicate
361414, https://hackerone.com/reports/361414, CSRF token manipulation in every possible form submits. NO server side Validation, informative
361438, https://hackerone.com/reports/361438, Open AWS S3 bucket at ubergreece.s3.amazonaws.com exposes confidential internal documents and files, resolved
361623, https://hackerone.com/reports/361623, SQLI on uberpartner.eu leads to exposure of sensitive user data of Uber partners, resolved
361647, https://hackerone.com/reports/361647, Reflective XSS at olx.ph, resolved
361793, https://hackerone.com/reports/361793, [SSRF] PDF documentconverterws, resolved
361893, https://hackerone.com/reports/361893, XSS at https://icq.com/people, resolved
361938, https://hackerone.com/reports/361938, [XSS] RSS Feed Widget, resolved
361941, https://hackerone.com/reports/361941, REGISTRATION USING FAKE EMAIL ACCOUNT, informative
361957, https://hackerone.com/reports/361957, Unsanitized input in email field, resolved
361984, https://hackerone.com/reports/361984, I.D.O.R TO EDIT ALL USER'S CREDIT CARD INFORMATION+(Partial credit card info disclosure), resolved
362033, https://hackerone.com/reports/362033, Csrf token does not meet security design, duplicate
362118, https://hackerone.com/reports/362118, Arbitrary File Write Through Archive Extraction, resolved
362119, https://hackerone.com/reports/362119, Arbitrary File Write through archive extraction, resolved
362133, https://hackerone.com/reports/362133, Reflected XSS in delivery-club.ru, resolved
362601, https://hackerone.com/reports/362601, A single user can subscribe a community multiple times, informative
362702, https://hackerone.com/reports/362702, XSS in express-useragent through HTTP User-Agent, informative
362718, https://hackerone.com/reports/362718, Returning back from the browser after logging off will disclose some information, not-applicable
362735, https://hackerone.com/reports/362735, Stored Cross Site Scripting, resolved
363042, https://hackerone.com/reports/363042, Stored XSS in api.icq.net, resolved
363049, https://hackerone.com/reports/363049, Punny code Detection Parsing should be implemented on Markdown , informative
363544, https://hackerone.com/reports/363544, Bypass Local Authentication (TouchID), not-applicable
363566, https://hackerone.com/reports/363566, Загрузка png бомбы, которая начинает DDOS атаку на бота со Стикерами., resolved
363571, https://hackerone.com/reports/363571, Search Page Reflected XSS on sharjah.dubizzle.com through unencoded output of GET parameter in JavaScript, resolved
363636, https://hackerone.com/reports/363636, DoS through PeerExplorer, resolved
363658, https://hackerone.com/reports/363658, Buffer overflow, not-applicable
363680, https://hackerone.com/reports/363680, Constant-time comparison is not always implemented; critical areas are vulnerable to key-timing attacks, resolved
363714, https://hackerone.com/reports/363714, monerod can be disabled by a well-timed TCP reset packet, resolved
363778, https://hackerone.com/reports/363778, SUBDOMAIN TAKEOVER [http://dev.rbk.money/], resolved
363809, https://hackerone.com/reports/363809, Долгоживущий хеш + получение частичного доступа к аккаунту после сброса сессии, resolved
363815, https://hackerone.com/reports/363815, Blind SQL injection and making any profile comments from any users to disappear using "like" function (2 in 1 issues), resolved
363845, https://hackerone.com/reports/363845, Cross site scripting (content-sniffing), not-applicable
363850, https://hackerone.com/reports/363850, Improper Data Validation / Unvalidated Input, not-applicable
363863, https://hackerone.com/reports/363863, No Data Validation, No Captcha, No Filters..., informative
363934, https://hackerone.com/reports/363934, SEGV in parse_rat(), informative
363971, https://hackerone.com/reports/363971, Insecure Infrastructure Integrations YML Loading leads to Windows Privilege Escalation, resolved
364095, https://hackerone.com/reports/364095, Просмотр приложений любого пользователя / группы, resolved
364904, https://hackerone.com/reports/364904, Misreporting of received amount by show_transfers, resolved
364910, https://hackerone.com/reports/364910, Disclosure of information about the system, configuration files., resolved
364964, https://hackerone.com/reports/364964, Client DoS due to large DH parameter (CVE-2018-0732), resolved
365011, https://hackerone.com/reports/365011, SQL injection on jd.mail.ru, resolved
365093, https://hackerone.com/reports/365093, XSS https://agent.postamat.tech/ в профиле + дисклоз секретной информации, resolved
365199, https://hackerone.com/reports/365199, Information Leakage - GitHub - VCenter configuration scripts, StorMagic usernames and password along with default ESXi root password, resolved
365271, https://hackerone.com/reports/365271, Remote code execution on Basecamp.com, resolved
365280, https://hackerone.com/reports/365280, Stealing Arbitrary Private Files of MyMail App , resolved
365504, https://hackerone.com/reports/365504, Comment restriction in subsection "Workshop" of domain "steamcommunity.com" can be bypassed using IDOR, resolved
365755, https://hackerone.com/reports/365755, Privacy policy contains hardcoded link using unencrypted HTTP, resolved
365968, https://hackerone.com/reports/365968, Your page has 2 blocking CSS resources. This causes a delay in rendering your page., not-applicable
366153, https://hackerone.com/reports/366153, Уязвимость в методе auth.restore, resolved
366518, https://hackerone.com/reports/366518, слепая XSS в админ панели torg.mail.ru через отзыв, resolved
367050, https://hackerone.com/reports/367050, PHPinfo page, resolved
367589, https://hackerone.com/reports/367589, athome.starbucks.com - URL parameter tampering of review forms permitted possible content injection, resolved
367966, https://hackerone.com/reports/367966, FileUpload Plugin: CSRF (delete all attached files), resolved
368119, https://hackerone.com/reports/368119, [engineering.udemy.com] - Subdomain Takeover (ghost.io), resolved
368912, https://hackerone.com/reports/368912, XSS via message subject - mobile application, resolved
368927, https://hackerone.com/reports/368927, Open redirect open.rocket.chat/file-upload/ID/filename.svg, resolved
369063, https://hackerone.com/reports/369063, Просмотр записей пользователя, который тебя заблокировал, resolved
369086, https://hackerone.com/reports/369086, URL spoofing in Brave for macOS, resolved
369185, https://hackerone.com/reports/369185, Unsafe handling of protocol handlers, resolved
369201, https://hackerone.com/reports/369201, XSS в теле письма, в новой версии почты., resolved
369218, https://hackerone.com/reports/369218, Navigation to restricted origins via "Open in new tab", resolved
369447, https://hackerone.com/reports/369447, OPEN REDIRECTION at every 302 HTTP CODE, not-applicable
369557, https://hackerone.com/reports/369557, Shell upload in partner service, resolved
369573, https://hackerone.com/reports/369573, stored xss in scrape-metadata when reading metadata from an html page, informative
369581, https://hackerone.com/reports/369581, HTTP PUT method enabled, resolved
369979, https://hackerone.com/reports/369979, Missing X-Content-Type-Options , resolved
370629, https://hackerone.com/reports/370629, Доступ к администраторским faq , resolved
370777, https://hackerone.com/reports/370777, [affiliates.udemy.com] Wordpress user admin information discloure, resolved
371135, https://hackerone.com/reports/371135, CVE-2018-12882: heap-use-after-free in PHP 7.2 through 7.2.6, possible 7.2.7, resolved
371464, https://hackerone.com/reports/371464, Directory Listing on https://promo-services-staging.brave.com, informative
371550, https://hackerone.com/reports/371550, xmlrpc.php FILE IS enable on Main website, not-applicable
371980, https://hackerone.com/reports/371980, Bypass CSP  frame-ancestors at olx.co.za, olx.com.gh, resolved
373721, https://hackerone.com/reports/373721, URL spoofing using protocol handlers, resolved
373899, https://hackerone.com/reports/373899, I can subscribe and unsubscribe any user with the same token for as many times as i want, resolved
373909, https://hackerone.com/reports/373909, Чтение системных данных приложения: данные для авторизации, логи, БД, личная переписка, resolved
373916, https://hackerone.com/reports/373916, Open redirect on https://blog.fuzzing-project.org, resolved
373932, https://hackerone.com/reports/373932, Open redirect in Serendipity (exit.php), duplicate
373950, https://hackerone.com/reports/373950, Reflected Cross-Site Scripting in Serendipity (serendipity.SetCookie), resolved
374007, https://hackerone.com/reports/374007, PII leakage due to caching of Order/Contract ID's on █████████, resolved
374027, https://hackerone.com/reports/374027, blind sql injection, resolved
374053, https://hackerone.com/reports/374053, Accessing to download.nextcloud.com from original ip adreess | insecure Download, informative
374106, https://hackerone.com/reports/374106, Lack of quarantine meta-attribute for downloaded files leads to GateKeeper bypass, resolved
374737, https://hackerone.com/reports/374737, Blind SSRF on errors.hackerone.net due to Sentry misconfiguration, resolved
374817, https://hackerone.com/reports/374817, Clickjacking vkpay, resolved
374818, https://hackerone.com/reports/374818, SSRF in rompager-check, informative
374907, https://hackerone.com/reports/374907, Root user disclosure in data.gov domain though x-amz-meta-s3cmd-attrs header, resolved
374919, https://hackerone.com/reports/374919, Content spoofing and potential Cross-Site Scripting vulnerability on www.hackerone.com, resolved
374969, https://hackerone.com/reports/374969, Navigation to protocol handler URL from the opened page displayed as a request from this page., resolved
375083, https://hackerone.com/reports/375083, Private application files can be uploaded to Slack via malicious uploader, resolved
375097, https://hackerone.com/reports/375097, The POODLE attack (SSLv3 supported) at status.slack.com, resolved
375259, https://hackerone.com/reports/375259, Cross-origin page stays focused before/after downloading + uninformative modal window for download, resolved
375329, https://hackerone.com/reports/375329, Local files reading using `link[rel="import"]`, resolved
375886, https://hackerone.com/reports/375886, XSS-уязвимость, связанная с загрузкой файлов, resolved
376027, https://hackerone.com/reports/376027, █████ - DOM-based XSS, resolved
376563, https://hackerone.com/reports/376563, Admin panel of https://www.stellar.org/wp-admin/, not-applicable
376618, https://hackerone.com/reports/376618, Launch Any Activity in MyMail App, resolved
376808, https://hackerone.com/reports/376808, molotok.m.mail.ru delegated to external entity, resolved
377107, https://hackerone.com/reports/377107, Possible to steal any protected files on Android, resolved
377115, https://hackerone.com/reports/377115, Privacy violation для аттачей в сообщениях., resolved
377206, https://hackerone.com/reports/377206, `settingcontent-ms` files lacks "mark of the web" => execute code by dbl click in Downloads toolbar, informative
377264, https://hackerone.com/reports/377264, █████ - DOM-based XSS, resolved
377542, https://hackerone.com/reports/377542, CVE-2018-0296, resolved
377582, https://hackerone.com/reports/377582, Получение БД кэша из Android-приложения через стороннее приложение, resolved
377592, https://hackerone.com/reports/377592, A bug in the Monero wallet balance can enable theft from exchanges, resolved
378122, https://hackerone.com/reports/378122, HackerOne customer submitted sensitive link to VirusTotal, exposing confidential information, resolved
378148, https://hackerone.com/reports/378148, Vulnerability in project import leads to arbitrary command execution, resolved
378558, https://hackerone.com/reports/378558, Information Leak - GitHub - Endpoint Configuration Details, resolved
378582, https://hackerone.com/reports/378582, [e.mail.ru] XSS в поиске, resolved
378698, https://hackerone.com/reports/378698, Cisco ASA Denial of Service & Path Traversal (CVE-2018-0296), resolved
378805, https://hackerone.com/reports/378805, Navigation to `chrome-extension://` origin (internal pages) from the web, resolved
378809, https://hackerone.com/reports/378809, `alert()` dialogs on `chrome-extension://` origin (internal pages), duplicate
378864, https://hackerone.com/reports/378864, Torrent extension: Cross-origin downloading + "URL spoofing" + CSP-blocked XSS, duplicate
378941, https://hackerone.com/reports/378941, Reflected File Download (RFD) in download video, resolved
379049, https://hackerone.com/reports/379049, Attcker can trick monero wallet into reporting it recived twice as much with alternative tx_keypubs, resolved
379705, https://hackerone.com/reports/379705, Mobile Reflect XSS / CSRF at Advertisement Section on Search page, resolved
380045, https://hackerone.com/reports/380045, Stored XSS in the guide's GameplayVersion (www.dota2.com), resolved
380096, https://hackerone.com/reports/380096, Path Traversal When Sharing with Cloud Mail.Ru App via a file with Crated Name, resolved
380102, https://hackerone.com/reports/380102, Missing memory corruption protection on Windows release built, resolved
380103, https://hackerone.com/reports/380103, Stored Xss Vulnerability on ████████, resolved
380204, https://hackerone.com/reports/380204, Stored XSS on the https://www.redtube.com/users/[profile]/collections, resolved
380207, https://hackerone.com/reports/380207, Stored XSS in galleries - https://www.redtube.com/gallery/[id] path, resolved
380246, https://hackerone.com/reports/380246, Reflect XSS on Mobile Search page , resolved
380410, https://hackerone.com/reports/380410, idor allows you to delete photos and album from a gallery, resolved
380413, https://hackerone.com/reports/380413, Restricted user can bypass permissions restriction to create NR Alert policies, resolved
380760, https://hackerone.com/reports/380760, Open redirect vulnerability, resolved
380782, https://hackerone.com/reports/380782, Ubuntu 12.04 Privilege Escalation, informative
380873, https://hackerone.com/reports/380873, Prototype pollution attack (lodash / constructor.prototype), resolved
380939, https://hackerone.com/reports/380939, Open Redirection in Login - Korean Starbucks, resolved
381129, https://hackerone.com/reports/381129, SSRF in api.slack.com, using slash commands and bypassing the protections., resolved
381185, https://hackerone.com/reports/381185, Prototype pollution attack (extend), resolved
381192, https://hackerone.com/reports/381192, Preview bar: Incomplete message origin validation results in XSS, resolved
381194, https://hackerone.com/reports/381194, Prototype pollution attack (merge.recursive), resolved
381237, https://hackerone.com/reports/381237, CSRF | Ban or unban users in broadcast's chat, resolved
381356, https://hackerone.com/reports/381356, Client-Side Race Condition using Marketo, allows sending user to data-protocol in Safari when form without onSuccess is submitted on www.hackerone.com, resolved
381553, https://hackerone.com/reports/381553, HTML Injection with XSS possible , resolved
381758, https://hackerone.com/reports/381758, sql injection on  /messagecenter/messagingcenter at https://www.███████/, resolved
381762, https://hackerone.com/reports/381762, XSS на странице account.mail.ru/recovery, resolved
381771, https://hackerone.com/reports/381771, ████████ SQL, resolved
382048, https://hackerone.com/reports/382048, Server-Side Request Forgery (SSRF), resolved
382321, https://hackerone.com/reports/382321, POST XSS  in https://www.khanacademy.org.tr/ via page_search_query parameter, resolved
382612, https://hackerone.com/reports/382612, Potential SSRF and disclosure of sensitive site on *shopifycloud.com, resolved
382625, https://hackerone.com/reports/382625, Stored XSS in '' Section and WAF Bypass, resolved
382666, https://hackerone.com/reports/382666, Blind XSS in the rocket.chat registration email, resolved
382667, https://hackerone.com/reports/382667, Improper authentication on registration, not-applicable
382678, https://hackerone.com/reports/382678, Client IP Spoofing using "X-Forwarded-For: 127.0.0.1" on "studio-app.snapchat.com" exposing bucket details, resolved
383112, https://hackerone.com/reports/383112, [ponse] Path traversal in ponse module allows to read any file on server, resolved
383117, https://hackerone.com/reports/383117, HTML injection with AutoComplete suggestions, resolved
383127, https://hackerone.com/reports/383127, SQL Injection in report_xml.php through countryFilter[] parameter, resolved
383564, https://hackerone.com/reports/383564, Subdomain takeover on svcgatewaydevus.starbucks.com and svcgatewayloadus.starbucks.com, resolved
384029, https://hackerone.com/reports/384029, url-parse package return wrong hostname , resolved
384101, https://hackerone.com/reports/384101, Go.imgur.com can be used to phish for account information, resolved
384112, https://hackerone.com/reports/384112, xss - reflected, resolved
384214, https://hackerone.com/reports/384214, heap-buffer-overflow (READ of size 48) in exif_read_data(), resolved
384257, https://hackerone.com/reports/384257, Phishing user to download malicious app could lead to leakage of User Access Token, Email, Name and Profile photo via exported RemoteService, resolved
384289, https://hackerone.com/reports/384289, Redirect on authorization allows account compromise, resolved
384397, https://hackerone.com/reports/384397, SQL Injection vulnerability located at ████████, resolved
384472, https://hackerone.com/reports/384472, Possible to Upload Local Arbitrary Private File to the Cloud  against User's Will, resolved
384477, https://hackerone.com/reports/384477, Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c, resolved
384517, https://hackerone.com/reports/384517, XSS (stored) Wizard is saving executable code, resolved
384569, https://hackerone.com/reports/384569, Bypassing the Trusted Link Alert System, resolved
384719, https://hackerone.com/reports/384719, linkinfo - openbasedir bypass on Windows PHP, resolved
384814, https://hackerone.com/reports/384814, Stored XSS against all Chaturbate users using an application name, resolved
384839, https://hackerone.com/reports/384839, DoS for HTTP/2 connections by crafted requests (CVE-2018-1333), resolved
384872, https://hackerone.com/reports/384872, [target.my.com] CRLF Injection -> XSS, resolved
384882, https://hackerone.com/reports/384882, stamp2-azure-ext.newrelic.com is vulnerable to MS12-020, resolved
384939, https://hackerone.com/reports/384939, http-live-simulator npm module is prone to path traversal attacks, resolved
385037, https://hackerone.com/reports/385037, Missing SPF flags for customerupdates.nextcloud.com, resolved
385145, https://hackerone.com/reports/385145, Homograph attack on redirect URL (https://chaturbate.com/external_link/?url), resolved
385178, https://hackerone.com/reports/385178, Blind SSRF on image proxy camo.stream.highwebmedia.com, resolved
385239, https://hackerone.com/reports/385239, Add non-existent room moderator, resolved
385322, https://hackerone.com/reports/385322, Open API For Username enumeration, not-applicable
385372, https://hackerone.com/reports/385372, Homograph attack on redirect URL , resolved
385381, https://hackerone.com/reports/385381, Rate limit missing at room login, resolved
385407, https://hackerone.com/reports/385407, store xss in calendar via upload filename, resolved
385420, https://hackerone.com/reports/385420,  Missing security best practices (leads to further impact) , informative
386100, https://hackerone.com/reports/386100, [rm.mail.ru] Request-Path XSS, resolved
386112, https://hackerone.com/reports/386112, [allhiphop.vanillacommunities.com] XSS Request-URI, resolved
386116, https://hackerone.com/reports/386116, CSV Injection with the CSV export feature, resolved
386144, https://hackerone.com/reports/386144, Bypass User Interaction to initiate a VoIP call to Another User, resolved
386160, https://hackerone.com/reports/386160, xmlrpc.php on mariadb.org can lead to DDOS and brute force attacks, resolved
386292, https://hackerone.com/reports/386292, Bypass of the SSRF protection in Event Subscriptions parameter., resolved
386334, https://hackerone.com/reports/386334, CSS Injection on /embed/ via bgcolor parameter leaks user's CSRF token and allows for XSS , resolved
386340, https://hackerone.com/reports/386340, Reflected XSS on ssl-ccstatic.highwebmedia.com  via player.swf, resolved
386351, https://hackerone.com/reports/386351, Users may still able to view chat room panel of password protected rooms, resolved
386556, https://hackerone.com/reports/386556, [NR Alerts] Internal API exposes Synthetics monitor details to a restricted user without view monitor permissions, resolved
386570, https://hackerone.com/reports/386570, Reflected XSS in Nanostation Loco M2 - AirOS ver=6.1.7, resolved
386596, https://hackerone.com/reports/386596, Email Not Completely Deleted after Deleting an account, informative
386614, https://hackerone.com/reports/386614, Slack Token exposed over internet (Github), resolved
386735, https://hackerone.com/reports/386735, Login form on non-HTTPS page on http://stream.highwebmedia.com/auth/login/, resolved
386807, https://hackerone.com/reports/386807, [flintcms] Account takeover due to blind MongoDB injection in password reset, resolved
386997, https://hackerone.com/reports/386997, Private program policy page still accessible after user left the program, resolved
387007, https://hackerone.com/reports/387007, [idp.fr.cloud.gov] Open Redirect, resolved
387052, https://hackerone.com/reports/387052, [evo2.my.com] Internet Explorer XSS, resolved
387250, https://hackerone.com/reports/387250, OpenSSL::X509::Name Equality Check Does Not Work, Patch included, resolved
387272, https://hackerone.com/reports/387272, Stored XSS in email, resolved
387279, https://hackerone.com/reports/387279, App messaging can be hijacked by third-party websites, resolved
387290, https://hackerone.com/reports/387290, NRQL Query allows restricted user to pull all data from Synthetics monitors without having read permissions enabled , resolved
387307, https://hackerone.com/reports/387307, Domain pointing to vimeo portfolio are prone to takeover using on-demand., resolved
387544, https://hackerone.com/reports/387544, Admin bar: Incomplete message origin validation results in XSS, resolved
387760, https://hackerone.com/reports/387760, Subdomain Takeover at test.shipt.com, resolved
388143, https://hackerone.com/reports/388143, Злом (virus).. Смотрим кто голосовал в анонимном опросе!!, resolved
388215, https://hackerone.com/reports/388215, Internal loop going to infinite for cb.setTimeout(func, msecs) for broadcast app., informative
388236, https://hackerone.com/reports/388236, Проверяем принадлеженость email и номера телефона к определенному юзеру / CSRF на смену номера для некоторых пользователей, resolved
388254, https://hackerone.com/reports/388254, Account takeover vulnerability by editor role privileged users/attackers via clickjacking, not-applicable
388506, https://hackerone.com/reports/388506, Stored XSS in Email attachment file name, resolved
388515, https://hackerone.com/reports/388515, Access control issue -- [Allow file system access not validated when using session auth], resolved
388527, https://hackerone.com/reports/388527, Self xss, resolved
388531, https://hackerone.com/reports/388531, CSRF Full Account Takeover - https://redtube.com/settings, duplicate
388554, https://hackerone.com/reports/388554, ████ █████ exposes highly sensitive information to public, resolved
388564, https://hackerone.com/reports/388564, Price manipulation via fraction values (Parameter Tampering), resolved
388740, https://hackerone.com/reports/388740, GitHub API Key for BrewTestBot is publicly exposed, resolved
388743, https://hackerone.com/reports/388743, [NR Insights] Data app permissions setting does not fully prevent other users from modifying/changing changing data related to your data app , resolved
388746, https://hackerone.com/reports/388746, [info.tmgame.mail.ru] Apache Server Status, resolved
388936, https://hackerone.com/reports/388936, [egg-scripts] Command injection, resolved
389076, https://hackerone.com/reports/389076, `open-url` command allows opening unlimited number of tabs pointing to arbitrary URLs, resolved
389078, https://hackerone.com/reports/389078, [experience.uber.com] Node.js source code disclosure & anonymous access to internal Uber documents, templates and tools, resolved
389108, https://hackerone.com/reports/389108, Handling of `tracking` command allows making arbitrary blind requests with user's cookies from Grammarly Extension's origin, resolved
389116, https://hackerone.com/reports/389116, ███ exposes sensitive shipment information to public web, resolved
389145, https://hackerone.com/reports/389145, Sensitive Clickjacking on admin login page., resolved
389561, https://hackerone.com/reports/389561, Command Injection Vulnerability in kill-port Package, resolved
389600, https://hackerone.com/reports/389600, TeamProfile exposes partially sensitive information through GraphQL, resolved
389783, https://hackerone.com/reports/389783, Subdomain takeover at segway.shipt.com, resolved
390013, https://hackerone.com/reports/390013, Local files reading from the web using `brave://`, resolved
390126, https://hackerone.com/reports/390126, Узнаем несколько цифр номера телефона юзера (можно флудить смс), всего раз узнав его remixsid и его ид юзера, и установка оффлайна юзерам., resolved
390181, https://hackerone.com/reports/390181, Reflected XSS on Partners Subdomain, resolved
390362, https://hackerone.com/reports/390362, Local files reading from the "file://" origin through `brave://`, resolved
390386, https://hackerone.com/reports/390386, Reflected XSS on https://www.uber.com , resolved
390429, https://hackerone.com/reports/390429, Reflected XSS on help.steampowered.com, resolved
390499, https://hackerone.com/reports/390499, Stack Overflow in JSON RPC Server, resolved
390537, https://hackerone.com/reports/390537, DNS misconfiguration on email.alerts.newrelic.com, not-applicable
390728, https://hackerone.com/reports/390728, Stored XSS on scan.nextcloud.com, resolved
390847, https://hackerone.com/reports/390847, Prototype Pollution Vulnerability in cached-path-relative Package, resolved
390857, https://hackerone.com/reports/390857, Prototype Pollution Vulnerability in noble Package, resolved
390860, https://hackerone.com/reports/390860, Prototype Pollution Vulnerability in mpath Package, resolved
390871, https://hackerone.com/reports/390871, Command Injection Vulnerability in win-fork/win-spawn Packages, informative
390879, https://hackerone.com/reports/390879, SQL Injection on www.██████████ on countID parameter, resolved
390881, https://hackerone.com/reports/390881, Code Injection Vulnerability in morgan Package, resolved
390929, https://hackerone.com/reports/390929, Code Injection Vulnerability in dot Package, resolved
391092, https://hackerone.com/reports/391092, I.D.O.R To Order,Book,Buy,reserve On YELP FOR FREE (UNAUTHORIZED USE OF OTHER USER'S CREDIT CARD), resolved
391217, https://hackerone.com/reports/391217, Getting all the CD keys of any game, resolved
391390, https://hackerone.com/reports/391390, Stored XSS on activity, resolved
391611, https://hackerone.com/reports/391611, Malicious get_random_rct_outs.bin rpc can cause a near-infinite loop, resolved
392106, https://hackerone.com/reports/392106, [First 30] Stored XSS on login.uber.com/oauth/v2/authorize via redirect_uri parameter, resolved
392311, https://hackerone.com/reports/392311, Malware in `active-support` gem, resolved
392426, https://hackerone.com/reports/392426, Хранимая XSS в пожертованиях на dobro.mail.ru, resolved
392457, https://hackerone.com/reports/392457, Admin Macro Description Stored XSS, resolved
392701, https://hackerone.com/reports/392701, Vulnerability Report - Missing Certificate Authority Authorization rule, resolved
392761, https://hackerone.com/reports/392761, vulnerable to Cross-site Request Forgery | Jira, resolved
392785, https://hackerone.com/reports/392785, Domain Takeover in [obviousengine.com] a snapchat acquisitions, resolved
392797, https://hackerone.com/reports/392797, Persistent Cross-Site Scripting in default Laravel installation, resolved
392859, https://hackerone.com/reports/392859, Sending Emails from  DNSDumpster - Server-Side Request Forgery to Internal SMTP Access, resolved
393615, https://hackerone.com/reports/393615, Physical Laptop Takeover, resolved
394253, https://hackerone.com/reports/394253, Validation bypass for queries generated for PostgreSQL, resolved
394329, https://hackerone.com/reports/394329, Account Takeover via billing, resolved
394332, https://hackerone.com/reports/394332, [Клевер/Android] Небезопасный BroadcastReceiver позволяет создавать окно диалога в приложении посредством другого неавторизованного приложения, resolved
394346, https://hackerone.com/reports/394346, Stored Cross Site Scripting on Zendesk agent dashboard, resolved
394516, https://hackerone.com/reports/394516, Stats Token doesn't expire after deactivating account, resolved
394861, https://hackerone.com/reports/394861, Incorrect Permission Assignment for Critical Resource, resolved
395246, https://hackerone.com/reports/395246, ███████ Site Exposes █████████ forms, resolved
395296, https://hackerone.com/reports/395296, Phone Call to XXE via Interactive Voice Response, resolved
395351, https://hackerone.com/reports/395351, Bypass subdomain limits using race condition, resolved
395518, https://hackerone.com/reports/395518, Internal usage of AdBlockPlus may expose PoC URLs to unknown third-parties, resolved
395521, https://hackerone.com/reports/395521, SSRF vulnerability on proxy.duckduckgo.com (access to metadata server on AWS), resolved
395531, https://hackerone.com/reports/395531, test report, resolved
395541, https://hackerone.com/reports/395541, Cross-site request forgery vulnerability resulting in the deletion of a user's account., resolved
395729, https://hackerone.com/reports/395729, `socket` command allows sending data over WebSockets to arbitrary origins from Grammarly Extension, resolved
395731, https://hackerone.com/reports/395731, CSRF in REPORT EMOTICON feature, resolved
395737, https://hackerone.com/reports/395737, `chrome://brave` available for navigation in Release build [-> RCE] + navigation to `chrome://*` using tab_helper ["Open in new tab"], resolved
395845, https://hackerone.com/reports/395845, url.parse() hostname spoofing via javascript: URIs, resolved
395944, https://hackerone.com/reports/395944, Reflected XSS  in the npm module express-cart., resolved
396338, https://hackerone.com/reports/396338, CSRF in cancel group and private show requests, resolved
396370, https://hackerone.com/reports/396370, XSS: Group search terms, resolved
396467, https://hackerone.com/reports/396467, Github Token Leaked publicly for https://github.sc-corp.net, resolved
396802, https://hackerone.com/reports/396802, CSRF in "send them an email and browser notification" feature, resolved
396954, https://hackerone.com/reports/396954, Attacker can add arbitrary data to the blockchain without paying gas, resolved
397031, https://hackerone.com/reports/397031, Disclosure of top 10 vulnerability types for programs that haven't enabled the Insights feature, resolved
397137, https://hackerone.com/reports/397137, [NR Insights] Pull any Insights/NRQL data from any NR account, resolved
397402, https://hackerone.com/reports/397402, SSRF on jira.mariadb.org, resolved
397445, https://hackerone.com/reports/397445, [express-cart] Customer and admin email enumeration through MongoDB injection, resolved
397478, https://hackerone.com/reports/397478, Privilege Escalation via Keybase Helper, resolved
397483, https://hackerone.com/reports/397483, [NR Infrastructure] Restricted user can update integration provider account name via integrations API, resolved
397497, https://hackerone.com/reports/397497, Stored XSS on auth.uber.com/oauth/v2/authorize via redirect_uri parameter leads to Account Takeover, resolved
397508, https://hackerone.com/reports/397508, Web cache deception attack - expose token information, resolved
397545, https://hackerone.com/reports/397545, Malformed .BMP file in Counter-Strike 1.6 may cause shellcode injection, resolved
397600, https://hackerone.com/reports/397600, XSS on New contact, informative
397792, https://hackerone.com/reports/397792, @wearehackerone.com is vulnerable to namespace attacks due to hackerone.com not being RFC2142 compliant., resolved
398054, https://hackerone.com/reports/398054, DOM Based XSS in www.hackerone.com via PostMessage, resolved
398131, https://hackerone.com/reports/398131, Blind SQL injection [https://honor.hi-tech.mail.ru], resolved
398163, https://hackerone.com/reports/398163, DOM based XSS on *.██████.com via document.domain sink in Safari, resolved
398285, https://hackerone.com/reports/398285, [serve] XSS via HTML tag injection in directory lisiting page, resolved
398316, https://hackerone.com/reports/398316, CSRF combined with IDOR within Document Converter exposes files, resolved
398400, https://hackerone.com/reports/398400, AWS Credentials leaked: access to production database backups, SSL certs and more, resolved
398641, https://hackerone.com/reports/398641, SSRF on duckduckgo.com/iu/, resolved
398797, https://hackerone.com/reports/398797, DVR default username and password, resolved
398799, https://hackerone.com/reports/398799, Unauthenticated blind SSRF in OAuth Jira authorization controller, resolved
399165, https://hackerone.com/reports/399165, Possible Subdomain Takeover, resolved
399166, https://hackerone.com/reports/399166, Remote code execution by hijacking an unclaimed S3 bucket in Rocket.Chat's installation script., resolved
399174, https://hackerone.com/reports/399174, Access MoPub Reports Data even after Company removed you from their MoPub Account., resolved
399427, https://hackerone.com/reports/399427, Same Origin Policy Bypass at ██████.com, resolved
399462, https://hackerone.com/reports/399462, Reflected XSS and Server Side Template Injection  in all HubSpot CMSes, resolved
400781, https://hackerone.com/reports/400781, Browser Self XSS Protection not implemented, resolved
400785, https://hackerone.com/reports/400785, Browser Self XSS Protection not implemented, not-applicable
400826, https://hackerone.com/reports/400826, Broken Authentication – Session Token bug, resolved
400982, https://hackerone.com/reports/400982, Open redirect in securegatewayaccess.com / secure.chaturbate.com via prejoin_data parameter, resolved
401098, https://hackerone.com/reports/401098, [mena.starbucks.com] Laravel App Log & Configuration Disclosure., resolved
401136, https://hackerone.com/reports/401136, Remote Code Execution on Proxy Service (as root), resolved
401483, https://hackerone.com/reports/401483, [chaturbate.com] - CSRF Vulnerability on image upload, resolved
401793, https://hackerone.com/reports/401793, [Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure, resolved
401940, https://hackerone.com/reports/401940, [Venmo Android] Remote theft of user session, resolved
402362, https://hackerone.com/reports/402362, RCE due to ImageTragick v2, resolved
402410, https://hackerone.com/reports/402410, Расшифровка всех типов шифрованных ID, resolved
402473, https://hackerone.com/reports/402473, Arbitrary File Download as Shopmanager, resolved
402566, https://hackerone.com/reports/402566, [Half-Life 1] Malformed map name leads to memory corruption and code execution, resolved
402658, https://hackerone.com/reports/402658, XSS in request approvals, resolved
402671, https://hackerone.com/reports/402671, HTTPS is not validating TLS mac codes, resolved
402753, https://hackerone.com/reports/402753, Stored XSS in Jetpack's Simple Payment Module by Contributors / Authors, resolved
403039, https://hackerone.com/reports/403039, WooCommerce Blacklist in 'map_meta_cap' leads to Privilege Escalation of Shopmanagers, resolved
403083, https://hackerone.com/reports/403083, Authenticated Code Execution through Phar deserialization in CSV Importer as Shop manager in WooCommerce, resolved
403417, https://hackerone.com/reports/403417, Remote Code Execution on www.semrush.com/my_reports on Logo upload, resolved
403602, https://hackerone.com/reports/403602, Attachments may be hijacked via AppCache+CookieBombing trick (bc3_production_blobs bucket), resolved
403603, https://hackerone.com/reports/403603, Private and group tokens per minute endpoint active for disabled users, resolved
403616, https://hackerone.com/reports/403616, [www.zomato.com] SQLi - /php/██████████ - item_id, resolved
403692, https://hackerone.com/reports/403692, [tianma-static] Stored xss on filename, resolved
403703, https://hackerone.com/reports/403703, List any file in the folder by using path traversal, resolved
403707, https://hackerone.com/reports/403707, [knightjs] Path Traversal allows to read content of arbitrary files, resolved
403736, https://hackerone.com/reports/403736, [takeapeek] Path traversal allow to expose directory and files, resolved
403783, https://hackerone.com/reports/403783, [www.zomato.com] Tampering with Order Quantity and paying less amount then actual amount, leads to business loss, resolved
403793, https://hackerone.com/reports/403793, Stored 'undefined' Cross-site Scripting, informative
403803, https://hackerone.com/reports/403803, SignUp With Fake Email, informative
403822, https://hackerone.com/reports/403822, Possible Take Over Subdomain For Inbound Emails , resolved
403891, https://hackerone.com/reports/403891, Tab nabbing via window.opener, resolved
403909, https://hackerone.com/reports/403909, Information Exposure Through Directory Listing - https://apps.nextcloud.com/static/, duplicate
404035, https://hackerone.com/reports/404035, flood of comment no rate  limit on commnets >>  by using different user agent , resolved
404126, https://hackerone.com/reports/404126, [buttle] Unsafe rendering of Markdown files, resolved
404323, https://hackerone.com/reports/404323, Logic flaw in the Post creation process allows creating posts with arbitrary types without needing the corresponding nonce, resolved
404713, https://hackerone.com/reports/404713, 2nd issue>>> flood of email  no rate limit on delete account confirmation email >> , resolved
404822, https://hackerone.com/reports/404822, AWS bucket leading to iOS test build code and configuration exposure, resolved
404864, https://hackerone.com/reports/404864, Emails from Grammarly missing sanitization(lack of validation?) -> HTML injection in emails, duplicate
404874, https://hackerone.com/reports/404874, RCE, SQLi, IDOR, Auth Bypass and XSS at [staff.███.edu.eg ], resolved
404898, https://hackerone.com/reports/404898, XSS in HTML Content Generated by Flash Slideshow Maker (All Versions), resolved
405100, https://hackerone.com/reports/405100, Stealing Users OAUTH Tokens via redirect_uri , resolved
405191, https://hackerone.com/reports/405191, DOM XSS on 50x.html page, resolved
405342, https://hackerone.com/reports/405342, Clickjacking at ylands.com, resolved
406289, https://hackerone.com/reports/406289, Stored XSS on Broken Themes via filename, resolved
406387, https://hackerone.com/reports/406387, SSRF on ████████, resolved
406388, https://hackerone.com/reports/406388, Apache Server Version Disclousure, resolved
406486, https://hackerone.com/reports/406486, Thailand – a small number of alarm system portals accessible with the default credentials, resolved
406587, https://hackerone.com/reports/406587, Self DOM-Based XSS in www.hackerone.com, resolved
406614, https://hackerone.com/reports/406614, Resource Consumption DOS on Edgemax v1.10.6, resolved
406702, https://hackerone.com/reports/406702, ICQ 10.0.12371 icq: Uri Handler '-testability' URL File Insecure Library Loading Code Execution Vulnerability, resolved
406704, https://hackerone.com/reports/406704, XSS @ store.steampowered.com via agecheck path name, resolved
407355, https://hackerone.com/reports/407355, Subdomain Takeover on demo.greenhouse.io pointing to unbouncepages, resolved
407971, https://hackerone.com/reports/407971, [help.steampowered.com] Account takeover bruteforcing SteamGuard, resolved
407973, https://hackerone.com/reports/407973, Weak Password Policy on Signup at https://accounts.bistudio.com/auth, informative
408289, https://hackerone.com/reports/408289, ДОБАВЛЕНИЕ СВОИХ ДАТ В КАЛЕНДАРЬ ПОЛЬЗОВАТЕЛЮ !, informative
408583, https://hackerone.com/reports/408583, Personal data of all Dutch public transport cards ("OV-Chipkaart") accessible, resolved
408978, https://hackerone.com/reports/408978, Stored XSS, resolved
409208, https://hackerone.com/reports/409208, Cross-site Scripting (XSS) - Reflected vseapteki.ru, resolved
409230, https://hackerone.com/reports/409230, Cross Site Scripting (XSS) – Reflected, resolved
409370, https://hackerone.com/reports/409370, Denial of service via cache poisoning, resolved
409380, https://hackerone.com/reports/409380, Stored XSS in merge request pages, resolved
409395, https://hackerone.com/reports/409395, Bypass of GitLab CI runner slash fix in YAML validation, resolved
409440, https://hackerone.com/reports/409440, XSS in touch.mail.ru , resolved
409512, https://hackerone.com/reports/409512, mod_userdir CRLF injection (CVE-2016-4975), resolved
409518, https://hackerone.com/reports/409518, "More on Wikipedia" link disclose "Referrer" and leak `window.opener` reference for arbitrary websites, resolved
409943, https://hackerone.com/reports/409943, Http request splitting, resolved
409973, https://hackerone.com/reports/409973, Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation, resolved
409986, https://hackerone.com/reports/409986, Improper handling of Chunked data request in sapi_apache2.c leads to Reflected XSS, resolved
410015, https://hackerone.com/reports/410015, Discrepancy in hacker profile report count may reveal existence of a private program by publishing a report, resolved
410087, https://hackerone.com/reports/410087, Expose user IP if TOR crashs, informative
410099, https://hackerone.com/reports/410099, Account takeover due to CSRF in "Account details" option on █████████, resolved
410187, https://hackerone.com/reports/410187, Full Path and internal information disclosure+ SQLNet.log file disclose internal network information, resolved
410221, https://hackerone.com/reports/410221, unlock self-lock by brute force , resolved
410245, https://hackerone.com/reports/410245, Missing Certificate Authority Authorization rule, resolved
410451, https://hackerone.com/reports/410451, User login page doesn't implement any form of rate limiting, resolved
410475, https://hackerone.com/reports/410475, Unauthorized access to a system used for CI/CD processes, resolved
410789, https://hackerone.com/reports/410789, [sj.my.com] Source Code Disclosure /.svn/wc.db, resolved
410793, https://hackerone.com/reports/410793, [moba.my.com] phpinfo, logs, resolved
411063, https://hackerone.com/reports/411063, Persistent XSS via malicious license file, resolved
411068, https://hackerone.com/reports/411068, License verification mechanism can be bypassed, resolved
411075, https://hackerone.com/reports/411075, Abusing "Report as abuse" functionality to delete any user's post., resolved
411270, https://hackerone.com/reports/411270, Cisco RCE, resolved
411329, https://hackerone.com/reports/411329, code injection, steam chat client, resolved
411337, https://hackerone.com/reports/411337, Forget password link not expiring after email change., resolved
411466, https://hackerone.com/reports/411466, Чтение файлов на сервере и раскрытие директорий mediator.media, resolved
411519, https://hackerone.com/reports/411519, DNS SRV lookup of file:// sources enables local hijacking of gems, resolved
411620, https://hackerone.com/reports/411620, Form Replay in customer information form, resolved
411690, https://hackerone.com/reports/411690, Stored xss in address field in billing activity at https://shop.aaf.com/Order/step1/index.cfm, resolved
411723, https://hackerone.com/reports/411723, Open redirection at https://chaturbate.com/auth/login/, resolved
411822, https://hackerone.com/reports/411822, Password protected rooms total number of viewers disclosure to unauthorized members, resolved
411865, https://hackerone.com/reports/411865, Blind SSRF at https://chaturbate.com/notifications/update_push/, resolved
411920, https://hackerone.com/reports/411920, Leaking Username and Password in the URLs via Virustotal, can leads to account takeover, informative
411930, https://hackerone.com/reports/411930, User with privilege to maintain External Programs can update certain churned HackerOne programs, resolved
412021, https://hackerone.com/reports/412021, Remote Command execution due to image tragick, resolved
412490, https://hackerone.com/reports/412490, Permissive CORS policy trusting arbitrary extensions origin, resolved
412526, https://hackerone.com/reports/412526, No rate limit in stats api token endpoint, resolved
412673, https://hackerone.com/reports/412673, XML hash collision DoS vulnerability in Python's xml.etree module, resolved
412677, https://hackerone.com/reports/412677, Creating Unlimited Fake Accounts., informative
412754, https://hackerone.com/reports/412754, XSS (Cross site scripting) on https://apimgr.8x8.com, resolved
412772, https://hackerone.com/reports/412772, Hardcoded credentials in Android App, resolved
412988, https://hackerone.com/reports/412988, Hacker can request mediation for published reports, resolved
413077, https://hackerone.com/reports/413077, Stored Cross Site Scripting., resolved
413115, https://hackerone.com/reports/413115, CRLF injection agentcrm.8x8.com, resolved
413124, https://hackerone.com/reports/413124, Stored XSS in dropboxforum.com, resolved
413193, https://hackerone.com/reports/413193, Directory Traversal + HTTP Paramater Pollution leaking SQL/LDAP credentials, resolved
413303, https://hackerone.com/reports/413303, Блокированный ящик ( Обход ), resolved
413388, https://hackerone.com/reports/413388, Untrusted strings that are cache fetched with raw option are automatically marshal loaded, resolved
413412, https://hackerone.com/reports/413412, Reflected XSS on secure.chaturbate.com, resolved
413426, https://hackerone.com/reports/413426, Open redirect on chaturbate.com (tipping/purchase_success), resolved
413442, https://hackerone.com/reports/413442, [chatws25.stream.highwebmedia.com] - Reflected XSS in c parameter, resolved
413505, https://hackerone.com/reports/413505, No rate limit in affiliate statsapi endpoint, resolved
413599, https://hackerone.com/reports/413599, [www.dropboxforum.com] - reflected XSS in search, resolved
413655, https://hackerone.com/reports/413655, Server side includes in https://lgtm-com.pentesting.semmle.net/internal_api/v0.2/savePublicInformation leads to 500 server error and  D-DOS, not-applicable
413828, https://hackerone.com/reports/413828, Persistent XSS via Signatures, resolved
414427, https://hackerone.com/reports/414427, WordPress username enumeration (/author), duplicate
415081, https://hackerone.com/reports/415081, IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users, resolved
415092, https://hackerone.com/reports/415092, flag{cha1n1ng_bugs_f0r_fun_4nd_pr0f1t?_or_rep0rt_an_LF1}, resolved
415137, https://hackerone.com/reports/415137, H1-5411 CTF Write-up by erbbysam and ziot, resolved
415139, https://hackerone.com/reports/415139, Reflected xss on theacademy.upserve.com, resolved
415168, https://hackerone.com/reports/415168, [*.rocketbank.ru] Web Cache Deception & XSS, resolved
415178, https://hackerone.com/reports/415178, chrome://brave can still be navigated to, leading to RCE, resolved
415202, https://hackerone.com/reports/415202, Flag WriteUp, resolved
415222, https://hackerone.com/reports/415222, Solution for h15411's CTF challenge, resolved
415233, https://hackerone.com/reports/415233, h1-5411-CTF report: LFI / Deserialization / XXE vulnerability, , resolved
415238, https://hackerone.com/reports/415238, [Admin Panel] CSRF to resume/pause runner, resolved
415258, https://hackerone.com/reports/415258, RCE: DnDing shortcut files to chrome://brave allows loading HTML files in Muon's context, resolved
415272, https://hackerone.com/reports/415272, Linux Desktop application slack executable does not use pie / no ASLR, resolved
415275, https://hackerone.com/reports/415275, CTF Writeup flag{cha1n1ng_bugs_f0r_fun_4nd_pr0f1t?_or_rep0rt_an_LF1}, resolved
415329, https://hackerone.com/reports/415329, Pull Request #12949 - Security Implications without CVE assignment, resolved
415350, https://hackerone.com/reports/415350, Missing CSRF Protection in  /stats EndPoint., informative
415398, https://hackerone.com/reports/415398, Chaturbate "/chat_ignore_list/" endpoint does not check for Account status: Disabled  before adding Ignore via POST, resolved
415484, https://hackerone.com/reports/415484, Stored xss, resolved
415501, https://hackerone.com/reports/415501, RCE via Local File Read -> php unserialization-> XXE -> unpickling, resolved
415622, https://hackerone.com/reports/415622, PII disclosure -- Past team members & their email ID(personal email) can be viewed by Staff member with no permissions on Partner Dashboard, resolved
415682, https://hackerone.com/reports/415682, Remote Command Execution in a internal server to get the flag file, resolved
415967, https://hackerone.com/reports/415967, chrome://brave navigation from web, resolved
416004, https://hackerone.com/reports/416004, H1-5411 CTF Writeup, resolved
416123, https://hackerone.com/reports/416123, MemeCTF serial exploitation to local file read to Papertrail access via API-token leakage and more, resolved
416494, https://hackerone.com/reports/416494, DoS for remote nodes using Slow Loris attack, resolved
416516, https://hackerone.com/reports/416516, A 10GB file is reachable, informative
416682, https://hackerone.com/reports/416682, CSRF on change video thumbnail at https://chaturbate.com, resolved
416906, https://hackerone.com/reports/416906, Missing Rate Limitation at /apps/upload_app/ , resolved
416966, https://hackerone.com/reports/416966, Single User DOS by Poisoning Cookie via Get Parameter, resolved
416978, https://hackerone.com/reports/416978, H1514 CSRF in Domain transfer allows adding your domain to other user's account, resolved
417170, https://hackerone.com/reports/417170, Using GraphQL, STAFF with NO explicit permissions on Store can retrieve Shopify Payments Balance., resolved
417360, https://hackerone.com/reports/417360, Thailand - a small number of SMB CCTV footage backup servers were accessible without authentication., resolved
417382, https://hackerone.com/reports/417382, Revoking user session in https://hackerone.com/settings/sessions does not revoke the GraphQL query session, resolved
417453, https://hackerone.com/reports/417453, Cross-origin resource sharing: arbitrary origin trusted on chatws25.stream.highwebmedia.com, informative
417515, https://hackerone.com/reports/417515, Locked_Transfer functional burning, resolved
417839, https://hackerone.com/reports/417839, H1514 Lack of access control on edit packing slip template, resolved
418078, https://hackerone.com/reports/418078, DOM XSS on 1.1.1.1(one.one.one.one), resolved
418145, https://hackerone.com/reports/418145, No rate limiting in changing room subject., resolved
418151, https://hackerone.com/reports/418151, No rate limiting in starting up a bot., resolved
418248, https://hackerone.com/reports/418248, Post based XSS (Cross site scripting) on https://apimgr.8x8.com, resolved
418254, https://hackerone.com/reports/418254, Unrestricted POST request size on roomlogin endpoint, resolved
418267, https://hackerone.com/reports/418267, Bypass Email activation on http://axa.dxi.eu, resolved
418271, https://hackerone.com/reports/418271, Stored XSS agent_status , resolved
418294, https://hackerone.com/reports/418294, Найден build.sh в webagent.mail.ru, resolved
418308, https://hackerone.com/reports/418308, [CRITICAL] Remote code execution on http://axa.dxi.eu, resolved
418474, https://hackerone.com/reports/418474, Disclosing a private program in an external link if program is paused, resolved
418743, https://hackerone.com/reports/418743, Email Spoofing Possible on djangoproject.com Email Domain, not-applicable
418823, https://hackerone.com/reports/418823, Reflected XSS on developers.zomato.com, resolved
419017, https://hackerone.com/reports/419017, SQL Injection in ████, resolved
419075, https://hackerone.com/reports/419075, Bypass security fixes by downgrading version of application, resolved
419655, https://hackerone.com/reports/419655, Client secret, server tokens for developer applications returned by internal API, resolved
419731, https://hackerone.com/reports/419731, [www.zomato.com] Blind XSS in one of the Admin Dashboard, resolved
419872, https://hackerone.com/reports/419872, XSS in e.mail.ru, resolved
419875, https://hackerone.com/reports/419875, [NR Alerts/Synthetics] IDOR through /policies.json with Synthetics exposes full name of other NR users, resolved
419891, https://hackerone.com/reports/419891, Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers, resolved
420115, https://hackerone.com/reports/420115, Crash in mrb_ary_push, resolved
420163, https://hackerone.com/reports/420163, Возможность регистрации на сайте qiwi.com на любой номер телефона, resolved
420583, https://hackerone.com/reports/420583, possibility to create account without username, resolved
421009, https://hackerone.com/reports/421009, H1514 Deanonymizing Exchange Marketplace private listings  , resolved
422698, https://hackerone.com/reports/422698, Update Chat Allowed By Option ( without age verification ), resolved
422707, https://hackerone.com/reports/422707, Reflected XSS on $Any$.myshopify.com/admin, resolved
423022, https://hackerone.com/reports/423022, Account takeover at https://try.discourse.org due to no CSRF protection in connecting Yahoo account, resolved
423073, https://hackerone.com/reports/423073, Improper UUID validation results in bypass of #419896, resolved
423118, https://hackerone.com/reports/423118, Unencrypted __VIEWSTATE parameter in a DoD website, resolved
423198, https://hackerone.com/reports/423198, H1514 Ability to Edit Packaging Slip Templates and View Product & Shipping Information by a low privileged staff in a Sandbox Store, resolved
423218, https://hackerone.com/reports/423218, H1514 DOM XSS on checkout.shopify.com via postMessage handler on /:id/sandbox/google_maps, resolved
423269, https://hackerone.com/reports/423269, China - president-starbucks.com.cn DNS configuration reported as takeover, resolved
423286, https://hackerone.com/reports/423286, Sidekiq web UI (Ruby background processing) accessible unauthenticated via https://gift-test.starbucks.co.jp/sidekiq/busy, resolved
423336, https://hackerone.com/reports/423336, Email Spoofing Possible on torproject.org Email Domain, not-applicable
423388, https://hackerone.com/reports/423388, H1514 Get access to non public information by pivoting with graphql queries, resolved
423437, https://hackerone.com/reports/423437, H1514 Shopify API ruby SDK session setup lacks input validation, resulting in SSRF and leakage of client secret, resolved
423496, https://hackerone.com/reports/423496, H1514 Bypass Wholesale account signup restrictions, resolved
423602, https://hackerone.com/reports/423602, Found CSRF Vulnerability in https://support.rockstargames.com/, resolved
423797, https://hackerone.com/reports/423797, Passive stored XSS at broadcast room, resolved
423986, https://hackerone.com/reports/423986,  CSRF on developer.zendesk.com via Cache Deception, resolved
424003, https://hackerone.com/reports/424003, ******.*****.my.com open proxy, resolved
424443, https://hackerone.com/reports/424443, [PayPal Android] Remote theft of user session using push_notification_webview deeplink, resolved
424447, https://hackerone.com/reports/424447, Integer overflow leading to buffer overflow, resolved
424669, https://hackerone.com/reports/424669, Subdomain Takeover Via unclaimed Heroku Instance tim-exclusive.shopify.com, resolved
424882, https://hackerone.com/reports/424882, Apache server-info enabled, resolved
425007, https://hackerone.com/reports/425007, Persistent XSS (unvalidated Open Graph embed) at LinkedIn.com, resolved
425048, https://hackerone.com/reports/425048, Stored XSS on chaturbate.com (wish list), resolved
425200, https://hackerone.com/reports/425200, XSS [flow] - on www.paypal.com/paypalme/my/landing (requires user interaction), resolved
425314, https://hackerone.com/reports/425314, API request signature can be reused with other parameters/data than the original in certain cases, resolved
425719, https://hackerone.com/reports/425719, Disclosure of Github Issues, resolved
426147, https://hackerone.com/reports/426147, CORS misconfig | Account Takeover, resolved
426165, https://hackerone.com/reports/426165, [www.zomato.com] CORS Misconfiguration, could lead to disclosure of sensitive information, resolved
426238, https://hackerone.com/reports/426238, [screenshot.mail.ru] CRLF Injection, resolved
426275, https://hackerone.com/reports/426275, DOM XSS on 50x.html page on proxy.duckduckgo.com, resolved
426547, https://hackerone.com/reports/426547, Missing Rate Limitation at /photo_videos/photoset/create, resolved
426944, https://hackerone.com/reports/426944, Linux privilege escalation via trusted $PATH in keybase-redirector , resolved
427227, https://hackerone.com/reports/427227, Server side request forgery, resolved
427373, https://hackerone.com/reports/427373, Swiftype key stored in JavaScript source, resolved
427502, https://hackerone.com/reports/427502, Proper verification is not done before sending invitations to researchers for certain private programs with rules e.g. "Participants must be US-based", resolved
427835, https://hackerone.com/reports/427835, Server-Side request forgery in New-Subscription feature of the calendar app, resolved
428010, https://hackerone.com/reports/428010, Talk / spreed: Disclosure of Room names and participants for password protected rooms, resolved
428019, https://hackerone.com/reports/428019, CSRF to HTML Injection in Comments, resolved
428637, https://hackerone.com/reports/428637, CSRF on draft message creation in tel.mail.ru, resolved
428651, https://hackerone.com/reports/428651, Subdomain takeover dew to missconfigured project settings for Custom domain ., resolved
428660, https://hackerone.com/reports/428660, Gallery: No feedback for invalid password, resolved
428757, https://hackerone.com/reports/428757, Admin panel take over | User info leakage | Mass Comprimise, resolved
429000, https://hackerone.com/reports/429000, Access to all █████████ files, including CAC authentication bypass, resolved
429026, https://hackerone.com/reports/429026, Race condition in performing retest allows duplicated payments, resolved
429298, https://hackerone.com/reports/429298, Stored XSS in chat topic due to insecure emoticon parsing on any message type, resolved
429647, https://hackerone.com/reports/429647, XSS Reflected at SEARCH >>, resolved
429679, https://hackerone.com/reports/429679, POST-based XSS on apps.shopify.com, resolved
429747, https://hackerone.com/reports/429747, https://help.nextcloud.com::: Web cache poisoning attack, resolved
429873, https://hackerone.com/reports/429873, XSS by MathML at Active Storage, duplicate
429966, https://hackerone.com/reports/429966, Padding Oracle ms10-070 in the a DoD website (https://██████/), resolved
430029, https://hackerone.com/reports/430029, Stored XSS in infogram.com via language , resolved
430249, https://hackerone.com/reports/430249, CORS Misconfiguration leading to Private Information Disclosure, resolved
430254, https://hackerone.com/reports/430254, Reference to external uncontrolled resource in terrhq.ru, resolved
430291, https://hackerone.com/reports/430291, Prototype pollution attack in just-extend, resolved
430831, https://hackerone.com/reports/430831, Prototype pollution attack in node.extend, resolved
430854, https://hackerone.com/reports/430854, Kaspersky Password Manager allows websites to access user's address data, resolved
431002, https://hackerone.com/reports/431002, Golden techniques to bypass host validations in Android apps, resolved
431561, https://hackerone.com/reports/431561, Specially constructed multi-part requests cause multi-second response times; vulnerable to DoS, resolved
431633, https://hackerone.com/reports/431633, Order Creation Webhooks can be edited/deleted by STAFF with `Settings` only permission, resolved
432277, https://hackerone.com/reports/432277, SSRF на api.icq.net, resolved
432600, https://hackerone.com/reports/432600, [static-resource-server]  Path Traversal allows to read content of arbitrary file on the server, resolved
433792, https://hackerone.com/reports/433792, Blind SQL injection in third-party software, that allows to reveal user statistic from rocket.chat and possibly hack into the rocketchat.agilecrm.com, resolved
433904, https://hackerone.com/reports/433904, Вставляем свой код в мобильном приложении в разделе помощи сообществам, resolved
433996, https://hackerone.com/reports/433996, XXE on ██████████ by bypassing WAF ████, resolved
434116, https://hackerone.com/reports/434116, Exposing voting results on the Slowvote application without actually voting, resolved
434670, https://hackerone.com/reports/434670, Text injection at https://media.hboeck.de, not-applicable
434689, https://hackerone.com/reports/434689, Global defaming of any twitter user, not-applicable
434715, https://hackerone.com/reports/434715, No session expiry after log-out and session id exposed in URL, resolved
435144, https://hackerone.com/reports/435144, Reflected Cross Site Scripting (XSS), informative
435457, https://hackerone.com/reports/435457, Ability to login to the Nexus Repo Manager from https://nexus.imgur.com/ , resolved
435618, https://hackerone.com/reports/435618, Kaspersky Password Manager is vulnerable to HTML injection in the browser action pop-up via user name, resolved
435648, https://hackerone.com/reports/435648, TOTP Key is shorter than RFC 4226 recommended minimum, resolved
436928, https://hackerone.com/reports/436928, RCE as Admin defeats WordPress hardening and file permissions, resolved
437142, https://hackerone.com/reports/437142, Instant open redirect on Live preview WEB Ide opening, resolved
437800, https://hackerone.com/reports/437800, Passive mixed content issues on the site https://*.fanduel.com, resolved
437863, https://hackerone.com/reports/437863, SVG file that HTML Included is able to upload via File Manager, resolved
438240, https://hackerone.com/reports/438240, Reflected Cross site Scripting (XSS) on www.starbucks.com, resolved
438274, https://hackerone.com/reports/438274, Prototype pollution attack (smart-extend), resolved
438299, https://hackerone.com/reports/438299, Information Exposure Through Directory Listing vulnerability on 8 vcache**.usw2.snappytv.com websites, resolved
438306, https://hackerone.com/reports/438306, Accidental Access to Programs Information via SAML Login, resolved
438953, https://hackerone.com/reports/438953, Cross site scripting (content-sniffing), resolved
439021, https://hackerone.com/reports/439021, Web cache deception attack - expose earning state information, informative
439075, https://hackerone.com/reports/439075, Open redirect vulnerability in index.php, resolved
439098, https://hackerone.com/reports/439098, Prototype pollution attack (mergify), resolved
439107, https://hackerone.com/reports/439107, Prototype pollution attack (lutils-merge), resolved
439120, https://hackerone.com/reports/439120, Prototype pollution attack (upmerge), resolved
439174, https://hackerone.com/reports/439174, Verbose PHP error messages exposed on a blog article, resolved
439207, https://hackerone.com/reports/439207, account takeover https://teamplay.qiwi.com, resolved
439223, https://hackerone.com/reports/439223, Access to SQL server of ubergreen.pt through password disclosure from different domain on same IP, resolved
439729, https://hackerone.com/reports/439729, Add and Access to Labels of any Private Projects/Groups of Gitlab(IDOR), resolved
439828, https://hackerone.com/reports/439828, Event privacy level does not work in Thunderbird, resolved
439912, https://hackerone.com/reports/439912, Stored XSS on demo app link , resolved
440484, https://hackerone.com/reports/440484, Open Redirect on smule.com, resolved
440495, https://hackerone.com/reports/440495, Missing Rate Limit in Password Change, resolved
440629, https://hackerone.com/reports/440629, Starbucks China Android app cloud storage service leaks a credential., resolved
440758, https://hackerone.com/reports/440758, Potential buffer overflow in demoplayer module of GoldSource Engine, resolved
440963, https://hackerone.com/reports/440963, Privilege Escalation by abusing non-existent path. (Windows), duplicate
441090, https://hackerone.com/reports/441090, CRLF injection & SSRF in git:// protocal lead to arbitrary code execution, resolved
441161, https://hackerone.com/reports/441161, Missing Rate Limit in Forgot Password can Lead to email address leakage of all smule accounts, resolved
441204, https://hackerone.com/reports/441204, https://teamplay.qiwi.com/ накрутка баллов => финансовые убытки для компании, resolved
442901, https://hackerone.com/reports/442901, Take over of accounts created using Google or Facebook, resolved
446293, https://hackerone.com/reports/446293, SQL Injection https://www.olx.co.id, resolved
446330, https://hackerone.com/reports/446330, [o2.mail.ru] nginx alias traversal, resolved
446585, https://hackerone.com/reports/446585, Exfiltrate and mutate repository and project data through injected templated service, resolved
446593, https://hackerone.com/reports/446593, GitLab's GitHub integration is vulnerable to SSRF vulnerability, resolved
446662, https://hackerone.com/reports/446662, Node.js HTTP/2 Large Settings Frame DoS, resolved
447488, https://hackerone.com/reports/447488, Corrupted Authorization header can cause logs not to be ingested properly in ████████, resolved
447494, https://hackerone.com/reports/447494, Share recipient can modify a share's expiration date, resolved
447742, https://hackerone.com/reports/447742, SQL Injection in Login Page: https://█████/█████████/login.php, resolved
447930, https://hackerone.com/reports/447930, Embedded submission form UUIDs can be enumerated through GraphQL node interface, exposing sensitive program details, resolved
447975, https://hackerone.com/reports/447975, Upgrade menu exposes the mobile application token meant to only be visible to administrators , resolved
448078, https://hackerone.com/reports/448078, A user can request a report to be retested even though the program has not been verified by HackerOne, resolved
448524, https://hackerone.com/reports/448524, xmlrpc.php file is enable it will used for (DOS) and bruteforce attack, resolved
448598, https://hackerone.com/reports/448598, [usuppliers.uber.com] - Server Side Request Forgery via XXE OOB, resolved
448841, https://hackerone.com/reports/448841, Open Redirect In passport.maps.me/logout/?next=//fb.com/, resolved
448849, https://hackerone.com/reports/448849, Slack token leaking in stackoverflow and devtimes , resolved
448928, https://hackerone.com/reports/448928, Отсутствие CSRF ключа на функции Закрытый Профиль., resolved
448985, https://hackerone.com/reports/448985, blog.praca.olx.pl database credentials exposure, resolved
449351, https://hackerone.com/reports/449351, IE only: stored Cross-Site Scripting (XSS) vulnerability through Program Asset identifier, resolved
449356, https://hackerone.com/reports/449356, 65534 times efficient, Brute-force attack for api_key, resolved
449478, https://hackerone.com/reports/449478, Brave allows flash to follow 307 redirects to other origins with arbitrary content-types, informative
449482, https://hackerone.com/reports/449482, Command injection in Pathname, resolved
449613, https://hackerone.com/reports/449613, benchmark metrics available at 5.61.239.154, resolved
449617, https://hackerone.com/reports/449617, Null character at fnmatch, resolved
449627, https://hackerone.com/reports/449627, XXE крит, resolved
449671, https://hackerone.com/reports/449671, Broken Authentication and session management OWASP A2, not-applicable
449680, https://hackerone.com/reports/449680, Attacker can claim credentials for private program that has a published external program, resolved
449818, https://hackerone.com/reports/449818, Is the 504 Gateway Time-out error ok?, resolved
450006, https://hackerone.com/reports/450006, flatmap-stream malicious package (distributed via the popular events-stream), resolved
450315, https://hackerone.com/reports/450315, XSS on www.██████ alerts and a number of other pages, resolved
450389, https://hackerone.com/reports/450389, Blind XSS via Suspended Ticket Recovery, resolved
450571, https://hackerone.com/reports/450571, xss, resolved
450796, https://hackerone.com/reports/450796, XSSI on refer.xoom.com allows stealing email addresses and posting to Twitter on behalf of victim, resolved
450882, https://hackerone.com/reports/450882, Able to bypass information requirements before launching a Chat., not-applicable
451052, https://hackerone.com/reports/451052, User account blocking by Internal Server error, resolved
451077, https://hackerone.com/reports/451077, source code leak, resolved
452010, https://hackerone.com/reports/452010, сервант статус, resolved
452016, https://hackerone.com/reports/452016, ОДМИН ТЭСТ, resolved
452559, https://hackerone.com/reports/452559, Possibility to overwrite any file in the vpe.cdn.vimeo.tv leads to the Stored XSS for the all customers on the embed.vhx.tv, resolved
452835, https://hackerone.com/reports/452835, Уязвимый класс WebView, resolved
452854, https://hackerone.com/reports/452854, Expired reshare links allow access to all files in share, resolved
452920, https://hackerone.com/reports/452920, Import of repositories from GitHub is tied to username instead of immutable ID, resolved
452959, https://hackerone.com/reports/452959, A user can bypass approval step in Hacker Publishing feature, allowing them to publish reports immediately, resolved
452973, https://hackerone.com/reports/452973, Inline banner on Report page discloses whether organization runs a private program, resolved
453297, https://hackerone.com/reports/453297, sql, resolved
453307, https://hackerone.com/reports/453307, HTML Injection + XSS Vulnerability - https://████████/ | Proof of Concept [PoC], resolved
453513, https://hackerone.com/reports/453513, Fix for CVE-2018-12122 can be bypassed via keep-alive requests, resolved
453791, https://hackerone.com/reports/453791, Unsafe deserialization leads to token leakage in PayPal & PayPal for Business [Android], resolved
453795, https://hackerone.com/reports/453795, [harp] Unsafe rendering of Markdown files, resolved
453820, https://hackerone.com/reports/453820, [harp] File access even when they have been set to be ignored., resolved
454365, https://hackerone.com/reports/454365, Prototype pollution attack through jQuery $.extend, resolved
454401, https://hackerone.com/reports/454401, [e.mail.ru] Stored xss in Mpop cookie, resolved
454719, https://hackerone.com/reports/454719, PHP-FPM Status Page, resolved
454770, https://hackerone.com/reports/454770, Открытая панель, resolved
454949, https://hackerone.com/reports/454949, Race Condition in Flag Submission, resolved
455645, https://hackerone.com/reports/455645, Exposed Kubernetes API - RCE/Exposed Creds, resolved
455726, https://hackerone.com/reports/455726, Thailand - SNMP Publicly Accessible, resolved
455858, https://hackerone.com/reports/455858, [p2p.qiwi.com] nginx alias traversal, resolved
456333, https://hackerone.com/reports/456333, [auth2.zomato.com] Reflected XSS at `oauth2/fallbacks/error` | ORY Hydra an OAuth 2.0 and OpenID Connect Provider, resolved
456702, https://hackerone.com/reports/456702, [atlasboard-atlassian-package] Cross-site Scripting (XSS), resolved
456727, https://hackerone.com/reports/456727, null pointer dereference in imap_mail, resolved
456963, https://hackerone.com/reports/456963, Open redirect на мобильной версии в контакте (m.vk.com, resolved
457009, https://hackerone.com/reports/457009, Github wiki is editable by anyone, resolved
457032, https://hackerone.com/reports/457032, Github wikis are editable by anyone , resolved
457829, https://hackerone.com/reports/457829, SPF Records (SMTP protection not used), resolved
458696, https://hackerone.com/reports/458696, xmlrpc.php is enabled - Nextcloud, resolved
458842, https://hackerone.com/reports/458842, Malformed save files (.sav) allow to write files with arbitrary extensions and content in GoldSrc-based games., resolved
458929, https://hackerone.com/reports/458929, Malformed BSP in GoldSrc Engine may cause shellcode injection, resolved
459286, https://hackerone.com/reports/459286, protocol & Ports are not shown in third-party site redirect warning page , resolved
459443, https://hackerone.com/reports/459443, [NR Insights] IDOR - Modify the filter settings for any NR Insights dashboard through internal_api endpoint, resolved
459502, https://hackerone.com/reports/459502, User Controllable Cookie, not-applicable
459532, https://hackerone.com/reports/459532, Persistent CSV injection, not-applicable
460121, https://hackerone.com/reports/460121, Publicly editable GitHub wikis, not-applicable
460353, https://hackerone.com/reports/460353, XSS , resolved
460428, https://hackerone.com/reports/460428, The impossibility of inclusion of the trial (BROWSER), resolved
460514, https://hackerone.com/reports/460514, Server Header disclose The Os and Web server Version , resolved
460530, https://hackerone.com/reports/460530,  information disclosure which leak the apache version , resolved
460545, https://hackerone.com/reports/460545, information disclosure of secret_key_base via encoding charcters, resolved
460556, https://hackerone.com/reports/460556, Banner Grabbing - Apache Server Version Disclousure, resolved
460642, https://hackerone.com/reports/460642, HTTP PUT method enabled, spam
460815, https://hackerone.com/reports/460815, Milestones leaked via search API, resolved
460911, https://hackerone.com/reports/460911, [FG-VD-18-165] Wordpress Cross-Site Scripting Vulnerability Notification II, resolved
460920, https://hackerone.com/reports/460920, Response program can create bounty table, resolved
460928, https://hackerone.com/reports/460928, Line feed injection in get request leads AWS S3 Bucket information disclosure , resolved
460956, https://hackerone.com/reports/460956, Apache Version Disclosure Through Directory Indexing, informative
461242, https://hackerone.com/reports/461242, Open Directory, informative
461272, https://hackerone.com/reports/461272, [www.zomato.com] Blind XSS in one of the admin dashboard, resolved
461308, https://hackerone.com/reports/461308, Remote attacker can impersonate Social users via ActivityPub API, resolved
461345, https://hackerone.com/reports/461345, Security issue: Github repo's wiki publicly editable, informative
461429, https://hackerone.com/reports/461429, Github repo's wiki publicly editable, informative
461598, https://hackerone.com/reports/461598, Information Disclosure on https://theendlessweb.com/, resolved
461780, https://hackerone.com/reports/461780, Web protection component in Anti-Virus products family ignores HSTS security policy, resolved
462173, https://hackerone.com/reports/462173, Disclose anonymous accessible link on embedded files in paper dropbox sessions, informative
462321, https://hackerone.com/reports/462321, Ability to view monitor names of other NR accounts through internal API (v3) via "monitor_id" parameter , resolved
462416, https://hackerone.com/reports/462416, Grammarly Keyboard for Android <4.1  leaks user input through logs (except for sensitive input fields), resolved
462441, https://hackerone.com/reports/462441, Retrieval and alteration of exposed media on Android Oreo , informative
462442, https://hackerone.com/reports/462442, Unauthorized access of Monero wallet by an unprivileged process, resolved
463123, https://hackerone.com/reports/463123, Exposure of tinyMCE js source code with plugin version disclosure which can leads to exploit further attacks., resolved
463177, https://hackerone.com/reports/463177, Information Disclosure PHPpgAdmin, resolved
463286, https://hackerone.com/reports/463286, Specially Crafted Closed Captions File can lead to Remote Code Execution in CS:GO and other Source Games, resolved
463330, https://hackerone.com/reports/463330, Account Takeover using Linked Accounts due to lack of CSRF protection, resolved
463380, https://hackerone.com/reports/463380, [webpack-bundle-analyzer] Cross-site Scripting, resolved
463481, https://hackerone.com/reports/463481, Feature-Policy Header is Missing and Pastebin files, informative
463604, https://hackerone.com/reports/463604, Unrestricted File Upload on https://auth.ratelimited.me, resolved
463657, https://hackerone.com/reports/463657, Editable Wiki repo by anyone , informative
463695, https://hackerone.com/reports/463695, Certificate warnings and similar UI elements in Web protection of Anti-Virus products family are susceptible to clickjacking, resolved
463828, https://hackerone.com/reports/463828, Submitting report through Embedded Submission form gives user indefinite access to a profile, resolved
463902, https://hackerone.com/reports/463902, Просмотр новых фотографии со стены частной/закрытой группы или закрытого профиля., resolved
463915, https://hackerone.com/reports/463915, URL Advisor component in KIS products family is vulnerable to Universal XSS, resolved
464426, https://hackerone.com/reports/464426, account takeover https://idea.qiwi.com/ , resolved
469372, https://hackerone.com/reports/469372, Web protection component in Anti-Virus products family uses predictable links for certificate warnings, resolved
469668, https://hackerone.com/reports/469668, Passwords being stored as plain text in logging, resolved
469803, https://hackerone.com/reports/469803, Open redirect at https://inventory.upserve.com/http://google.com/, resolved
469841, https://hackerone.com/reports/469841, Reflected XSS on https://inventory.upserve.com/ (affects IE users only), resolved
470003, https://hackerone.com/reports/470003, Privilege Escalation via Keybase Helper (incomplete security fix), resolved
470010, https://hackerone.com/reports/470010, [lootdog.io] User phone number disclosure, resolved
470041, https://hackerone.com/reports/470041, Дюп предметов lootdog и возможность их продавать., resolved
470067, https://hackerone.com/reports/470067, DoS on the Issue page by exploiting Mermaid., resolved
470298, https://hackerone.com/reports/470298, [██████] Cross-origin resource sharing misconfiguration (CORS), resolved
470380, https://hackerone.com/reports/470380, Cross application scripting via account.mail.ru, resolved
470398, https://hackerone.com/reports/470398, Local privilege escalation bug using Keybase redirector on macOS, resolved
470519, https://hackerone.com/reports/470519, Kaspersky Protection extension for Google Chrome is vulnerable to abuse its features, resolved
470520, https://hackerone.com/reports/470520, RCE on Steam Client via buffer overflow in Server Info, resolved
470544, https://hackerone.com/reports/470544, Unauthorized command execution in Web protection component of Anti-Virus products family, resolved
470547, https://hackerone.com/reports/470547, Unauthorized command execution in Web protection component of Anti-Virus products family [IE], resolved
470553, https://hackerone.com/reports/470553, Unauthorized command execution in Web protection component of Anti-Virus products family [FF, Chrome], resolved
470637, https://hackerone.com/reports/470637, User-assisted RCE in Slack for macOS (from official site) due to improper quarantine meta-attribute handling for downloaded files, resolved
470749, https://hackerone.com/reports/470749, Ability to perform actions (Tweet, Retweet, DM) and other actions, unauthenticated, on any account with SMS enabled., resolved
471087, https://hackerone.com/reports/471087, Hackerone1, spam
471265, https://hackerone.com/reports/471265, unuse domain still in using at wechat by Starbucks East China, resolved
471660, https://hackerone.com/reports/471660, Stored XSS in Macro Editing - Introduced by Admins to affect Admins, resolved
471739, https://hackerone.com/reports/471739, macOS privilege escalation via keybase install, resolved
471941, https://hackerone.com/reports/471941, astrumnival.com subdomain, resolved
471967, https://hackerone.com/reports/471967, Make user buy items via clickjacking possibility, resolved
472013, https://hackerone.com/reports/472013, Changing email address on Twitter for Android unsets "Protect your Tweets", resolved
472026, https://hackerone.com/reports/472026, The auto login link does not expire on changing email id, resolved
472391, https://hackerone.com/reports/472391, Stored XSS @ /engage/<project_slug>, resolved
472470, https://hackerone.com/reports/472470, [manage.jumpbikes.com] Blind XSS on Jump admin panel via user name, resolved
472543, https://hackerone.com/reports/472543, Reflected Xss bypass Content-Type: text/plain , not-applicable
473064, https://hackerone.com/reports/473064, Open Redirect On Your Login Panel, informative
473144, https://hackerone.com/reports/473144, Content spoofing on https://surveyserver.nextcloud.com, resolved
473252, https://hackerone.com/reports/473252, Privilege Escalation through Keybase Installer via Helper, resolved
473690, https://hackerone.com/reports/473690, доступ к com.vk.usersstore.UsersContentProvider, возможна утечка exchange_token на android < 21, resolved
473742, https://hackerone.com/reports/473742, Bug in GraphQL and API integration leads to limited user address disclosure, resolved
473798, https://hackerone.com/reports/473798, Cross Site Request Forgery in auth in https://auth.ratelimited.me/, resolved
473811, https://hackerone.com/reports/473811, [bower] Arbitrary File Write through improper validation of symlinks while package extraction, resolved
473888, https://hackerone.com/reports/473888, RCE which may occur due to `ActiveSupport::MessageVerifier` or `ActiveSupport::MessageEncryptor` (especially Active storage), resolved
473950, https://hackerone.com/reports/473950, XSS on Desktop Client, resolved
474021, https://hackerone.com/reports/474021, Race condition vulnerability on "This Rocks" button., resolved
474262, https://hackerone.com/reports/474262, XSS due to incomplete JS escaping, resolved
474397, https://hackerone.com/reports/474397, Error Page Content Spoofing or Text Injection, resolved
474656, https://hackerone.com/reports/474656, Cross-site Scripting (XSS) on HackerOne careers page, resolved
474688, https://hackerone.com/reports/474688, Content spoofing on error pages or text injection, duplicate
474798, https://hackerone.com/reports/474798, Subdomain takeover on healthyhackathon.khanacademy.org and hackweek.khanacademy.org, resolved
474833, https://hackerone.com/reports/474833, CSRF Vulnerability on https://signin.rockstargames.com/tpa/facebook/link/, resolved
474899, https://hackerone.com/reports/474899, User Enumeration , informative
474963, https://hackerone.com/reports/474963, Missing Two Factor Authentication in /admin/login, duplicate
475114, https://hackerone.com/reports/475114, Github repo's wiki publicly editable, resolved
475177, https://hackerone.com/reports/475177, Логирование ответов запросов VK API в приложении Клевер, resolved
475442, https://hackerone.com/reports/475442, DOM Based xss on https://www.rockstargames.com/ ( 1 ), resolved
475499, https://hackerone.com/reports/475499, heap buffer overflow in phar_detect_phar_fname_ext, resolved
475660, https://hackerone.com/reports/475660, Response program can display "eligible for bounty" in scope area in program policy, resolved
476150, https://hackerone.com/reports/476150, SQLI on desafio5estrelas.com , resolved
476168, https://hackerone.com/reports/476168, Heap overflow in utf32be_mbc_to_code, resolved
476178, https://hackerone.com/reports/476178, Negative size parameter in mb_split, resolved
476179, https://hackerone.com/reports/476179, Buffer over-write in finfo_open with malformed magic file., resolved
476257, https://hackerone.com/reports/476257, CRLF injection at https://mariadb.org/., resolved
476439, https://hackerone.com/reports/476439, Password authentication at newsletter.nextcloud.com discloses username list, resolved
476526, https://hackerone.com/reports/476526, WordPress vulnerable to multiple attacks at https://nextcloud.com, resolved
476615, https://hackerone.com/reports/476615, Private/confidential setting of calendar events is ignored on activity stream, resolved
476958, https://hackerone.com/reports/476958, IDOR allows accounts to view full name of other accounts based on email through share notes feature, resolved
477073, https://hackerone.com/reports/477073, ZeroMQ libzmq remote code execution, resolved
477222, https://hackerone.com/reports/477222, Last build status and coverage leaked to unauthorized users, resolved
477344, https://hackerone.com/reports/477344, Heap Buffer Overflow (READ: 4) in phar_parse_pharfile, resolved
477771, https://hackerone.com/reports/477771, XSS - main page - search[user_id] parameter, resolved
477896, https://hackerone.com/reports/477896, Use after free and out of bounds read in xmlrpc_decode(), resolved
477897, https://hackerone.com/reports/477897, buffer overread in base64 code of the xmlrpc module, resolved
478367, https://hackerone.com/reports/478367, efree() on uninitialized Heap data in imagescale leads to use-after-free, resolved
478368, https://hackerone.com/reports/478368, imagecolormatch Out Of Bounds Write on Heap , resolved
478530, https://hackerone.com/reports/478530, XSS reflected on [https://www.youporn.com], resolved
478621, https://hackerone.com/reports/478621, Privilege Escalation удаляем все созданные ссылки с okl.lt, resolved
478957, https://hackerone.com/reports/478957, Stored XSS/HTML injection in autocomplete suggestions for sharing, resolved
479021, https://hackerone.com/reports/479021, No Rate Limit  On Add new word, resolved
479135, https://hackerone.com/reports/479135, GET request to accounts.json on support site leaks the root account license key and the browser license key to a restricted user, resolved
479139, https://hackerone.com/reports/479139, Bypass of #447975 - view mobile application token though "Application Information" sidebar on Installation page , resolved
479464, https://hackerone.com/reports/479464, Significant Two step verification Authentication Bypass, informative
479612, https://hackerone.com/reports/479612, DOM BASED XSS ON https://www.rockstargames.com/GTAOnline/features , resolved
480778, https://hackerone.com/reports/480778, Heap-buffer-overflow in Perl__byte_dump_string (utf8.c) could lead to memory leak, resolved
480883, https://hackerone.com/reports/480883, Stack overflow in XML Parsing, resolved
480928, https://hackerone.com/reports/480928, Username restriction bypass with SSL client authentication, resolved
480984, https://hackerone.com/reports/480984, Stack overflow affecting "ext" field on stylers.xml configuration file, resolved
481164, https://hackerone.com/reports/481164, Monero can leak unitialized memory, resolved
481335, https://hackerone.com/reports/481335, Security check failure or stack buffer overrun (crash), resolved
481360, https://hackerone.com/reports/481360, Stored XSS in vanilla, resolved
481472, https://hackerone.com/reports/481472, URL link spoofing, resolved
481512, https://hackerone.com/reports/481512, CRLF injection on https://buildbot.mariadb.org, resolved
481518, https://hackerone.com/reports/481518, Bypass GraphQL rate limit by abusing negative cost queries, resolved
481532, https://hackerone.com/reports/481532, heap-use-after-free (READ of size 8) in main(), resolved
481632, https://hackerone.com/reports/481632, Website vulnerable to POODLE (SSLv3) with expired certificate, resolved
481654, https://hackerone.com/reports/481654, No Rate On Add Suggest, resolved
481733, https://hackerone.com/reports/481733, ssl cookkie without secure flag set, resolved
482170, https://hackerone.com/reports/482170, Ports are not shown in third-party site redirect warning page., duplicate
482200, https://hackerone.com/reports/482200, puttygen: heap-buffer-overflow in mp_get_decimal(), resolved
482634, https://hackerone.com/reports/482634, https://████████ Impacted by DNN ImageHandler SSRF, resolved
482707, https://hackerone.com/reports/482707, Information Exposure Through an Error Message at news.starbucks.com, not-applicable
482743, https://hackerone.com/reports/482743, Facebook OAuth Code Theft through referer leakage on support.rockstargames.com, resolved
482780, https://hackerone.com/reports/482780, JSONP hijacking, resolved
482818, https://hackerone.com/reports/482818, CSRF на лайк к отзыву (Pandao), resolved
482998, https://hackerone.com/reports/482998, [QIWI Wallet] Access to protected app components , resolved
483439, https://hackerone.com/reports/483439, ssl cookie without secure flag set, informative
483572, https://hackerone.com/reports/483572, [FG-VD-19-009] Intel(R) Trace Analyzer and Collector 2019 Memory Corruption Vulnerability Notification, resolved
483774, https://hackerone.com/reports/483774, XXE on https://duckduckgo.com, resolved
484160, https://hackerone.com/reports/484160, Возможность зайти на любой аккаунт https://pandao.ru/, resolved
484339, https://hackerone.com/reports/484339, [api.pandao.ru] IDOR позволяет изменять адрес любого пользователя, resolved
484398, https://hackerone.com/reports/484398, Buffer overflow in libavi_plugin memmove() call, resolved
484420, https://hackerone.com/reports/484420, Subdomain takeover on usclsapipma.cv.ford.com, resolved
484434, https://hackerone.com/reports/484434, Stored XSS on imgur profile, resolved
484615, https://hackerone.com/reports/484615, Unsanitized user photo paths allow local file read, resolved
484634, https://hackerone.com/reports/484634, [pandao.ru] Возможность списания несуществующих бонусных баллов, resolved
484745, https://hackerone.com/reports/484745, GoldSrc: Buffer Overflow in DELTA_ParseDelta function leads to RCE, resolved
484801, https://hackerone.com/reports/484801, [███]  SQL injection & Reflected XSS, resolved
484905, https://hackerone.com/reports/484905, XSS Reflected , resolved
484930, https://hackerone.com/reports/484930, puttygen: 160MB memory leak while trying to extract openssh public key from crafted key file, resolved
485354, https://hackerone.com/reports/485354, CSRF при вводе промокода на Pandao, resolved
485359, https://hackerone.com/reports/485359, CSRF на удаление товара из корзины, resolved
485382, https://hackerone.com/reports/485382, Flash injection vulnerability on /IV/imgPlayer/imageEmbed.swf, resolved
485407, https://hackerone.com/reports/485407, From nobody to somebody, resolved
485684, https://hackerone.com/reports/485684, Self XSS combine CSRF at https://████████/index.php, resolved
485748, https://hackerone.com/reports/485748, Stored XSS on reports., resolved
486502, https://hackerone.com/reports/486502, ICQ Windows Application is Vulnerable to DLL Search Order Hijacking, resolved
486629, https://hackerone.com/reports/486629, Improper validation allows user to unlock Zomato Gold multiple times at the same restaurant within one day, resolved
486667, https://hackerone.com/reports/486667, Missing Protection Mechanism in Mail Servers allows malicious user to use staff.ratelimited.me email could lead to identity theft., resolved
486693, https://hackerone.com/reports/486693, 2FA Session not expires after the password reset, resolved
486732, https://hackerone.com/reports/486732, Partial bypass of #483774 with Blind XXE on https://duckduckgo.com, resolved
486837, https://hackerone.com/reports/486837, Users able to set video url for unpublished words and able to see the name of unpublished words, resolved
486933, https://hackerone.com/reports/486933, [serve] Access unlisted internal files/folders revealing sensitive information, resolved
487008, https://hackerone.com/reports/487008, Arbitrary file read via ffmpeg HLS parser at https://www.flickr.com/photos/upload, resolved
487081, https://hackerone.com/reports/487081, Stored XSS in Private Message component (BuddyPress), resolved
487296, https://hackerone.com/reports/487296, Каким-то образом получил чужой платеж к себе на копилку https://qiwi.me/undefined, resolved
487378, https://hackerone.com/reports/487378, CSRF Vulnerability on post creation page /community/create-post.json, resolved
487656, https://hackerone.com/reports/487656, HTTP PUT method is enabled ratelimited.me, resolved
488108, https://hackerone.com/reports/488108, Dom based xss on /reddeadredemption2/br/videos, resolved
488147, https://hackerone.com/reports/488147, Stored XSS on https://paypal.com/signin via cache poisoning, resolved
488269, https://hackerone.com/reports/488269, Stealing Facebook OAuth Code Through Screenshot viewer, resolved
488308, https://hackerone.com/reports/488308, [XSS] data-url в письмах, resolved
488371, https://hackerone.com/reports/488371, Insecure Storage and Overly Permissive Google Maps API Key in Android App, resolved
488643, https://hackerone.com/reports/488643, Disclosure of h1 challenges name through the calendar, resolved
488795, https://hackerone.com/reports/488795, SQL injection on the https://████/, resolved
488923, https://hackerone.com/reports/488923, No Rate Limit on CrowdSignal Polls when Adding Comment, resolved
488985, https://hackerone.com/reports/488985, Race condition in claiming program credentials , resolved
489102, https://hackerone.com/reports/489102, VLC 4.0.0 - Stack Buffer Overflow (SEH), resolved
489284, https://hackerone.com/reports/489284, Access to Employee calendar disclosing internal presentation and meetings, resolved
489483, https://hackerone.com/reports/489483, SQL Injection in the get_publications.php on the https://█████, resolved
490379, https://hackerone.com/reports/490379, [glance] Access unlisted internal files/folders revealing sensitive information, resolved
490402, https://hackerone.com/reports/490402, Доступ к аккаунту после смены пароля., resolved
490728, https://hackerone.com/reports/490728, [takeapeek] XSS via HTML tag injection in directory lisiting page, resolved
490782, https://hackerone.com/reports/490782, Mssing Authorization on Private Message replies (BuddyPress), resolved
490899, https://hackerone.com/reports/490899, Credientals Over GET method in plain Text, resolved
490946, https://hackerone.com/reports/490946, Bypassing lock protection, resolved
490960, https://hackerone.com/reports/490960, macOS privilege escalation, resolved
490997, https://hackerone.com/reports/490997, [downloads.mariadb.org] CRLF injection in case of encoded query mark, resolved
491023, https://hackerone.com/reports/491023, XSS Reflected on my_report, resolved
491191, https://hackerone.com/reports/491191, SQL Injection in the `move_papers.php` on the https://██████████, resolved
491319, https://hackerone.com/reports/491319, Guests Will Disclose the Private Project Full Activity Via Project Activity Feeds, not-applicable
491415, https://hackerone.com/reports/491415, [https://pandao.ru] - PUT method available, resolved
491473, https://hackerone.com/reports/491473, Protected tweets exposure through the URL, resolved
491654, https://hackerone.com/reports/491654, Image Injection vulnerability affecting www.rockstargames.com/careers may lead to Facebook OAuth Theft, resolved
491668, https://hackerone.com/reports/491668, RCE on https://█████/ Using CVE-2017-9248, resolved
491753, https://hackerone.com/reports/491753, DMARC RECORD MISSING, resolved
491892, https://hackerone.com/reports/491892, Broken access control on apps , resolved
492512, https://hackerone.com/reports/492512, [bower] Arbitrary File Write through improper validation of symlinks while package extraction, resolved
492767, https://hackerone.com/reports/492767, [https://███] Local File Inclusion via graph.php, resolved
492841, https://hackerone.com/reports/492841, Web cache poisoning attack leads to user information and more, resolved
493176, https://hackerone.com/reports/493176, Partial report contents leakage - via HTTP/2 concurrent stream handling, resolved
493324, https://hackerone.com/reports/493324, Privilege escalation from any user (including external) to gitlab admin when admin impersonates you, resolved
493484, https://hackerone.com/reports/493484, report id is exposed for undisclosed reports in Hacktivity, informative
493535, https://hackerone.com/reports/493535, CSRF and probable account takeover on https://www.niche.co, resolved
493552, https://hackerone.com/reports/493552, CSRF on https://www.niche.co leads to "account disconnection", duplicate
493791, https://hackerone.com/reports/493791, Inadequate cache control in gitter allows to view private chat room, duplicate
494979, https://hackerone.com/reports/494979, Insufficient sanitizing can lead to arbitrary commands execution, resolved
495382, https://hackerone.com/reports/495382, No SearchEngine sanatizing can lead to command injection, resolved
495495, https://hackerone.com/reports/495495, CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host, resolved
495497, https://hackerone.com/reports/495497, Know whether private project name exists or not within a group using link comments, resolved
495508, https://hackerone.com/reports/495508,  Assertion `len == 1' failed, process aborted while streaming ouput from remote server, resolved
495515, https://hackerone.com/reports/495515, Reflected XSS: Taxonomy Converter via tax parameter, resolved
495525, https://hackerone.com/reports/495525, XSSI: Quick Navigation Interface - leak of private page/post titles, resolved
495583, https://hackerone.com/reports/495583, [FG-VD-19-022] Wordpress WooCommerce Cross-Site Scripting Vulnerability Notification, resolved
495789, https://hackerone.com/reports/495789, Malformed .WAV triggers an Access Violation on GoldSRC (hl.exe), resolved
495793, https://hackerone.com/reports/495793, Malformed .MDL triggers an Access Violation on GoldSRC (hl.exe), resolved
496113, https://hackerone.com/reports/496113, Crash, resolved
496128, https://hackerone.com/reports/496128, XSS via the lang parameter in a POST request on light.mail.ru, resolved
496219, https://hackerone.com/reports/496219, █████ - Pre-generation of VIEWSTATE allows CAC bypass, resolved
496260, https://hackerone.com/reports/496260, CSRF уязвимость позволяет взять беспроцентный кредит пользователю cfire.mail.ru, resolved
496285, https://hackerone.com/reports/496285, Ubuntu Linux privilege escalation (dirty_sock), resolved
496293, https://hackerone.com/reports/496293, [url-parse] Improper Validation and Sanitization, resolved
496326, https://hackerone.com/reports/496326, █████████ - Insecure download cookie generation allows bypass of CAC authentication, access to deleted and locked files, resolved
496360, https://hackerone.com/reports/496360, EMAIL SPOOFING, resolved
496375, https://hackerone.com/reports/496375, Reflected XSS in https://www.starbucks.co.jp/store/search/, resolved
496405, https://hackerone.com/reports/496405, Stored XSS in vanilla, resolved
496414, https://hackerone.com/reports/496414, Leaked artifactory_key, artifactory_api_key, and gcloud refresh_token via GitHub., resolved
496757, https://hackerone.com/reports/496757, [XSS] iframe в payments/phones, resolved
496841, https://hackerone.com/reports/496841, XSS, resolved
496883, https://hackerone.com/reports/496883, Cross site scripting vulnerability in JW Player SWF, resolved
496925, https://hackerone.com/reports/496925, Leaked artifactory_api_key via GitHub., resolved
496937, https://hackerone.com/reports/496937, Employee's GitHub Token Found In Travis CI Build Logs, resolved
496973, https://hackerone.com/reports/496973, Persistent XSS via e-mail when creating merge requests, resolved
497010, https://hackerone.com/reports/497010, PHP-FPM Status Page, resolved
497047, https://hackerone.com/reports/497047, Blocked user Git access through CI/CD token, resolved
497114, https://hackerone.com/reports/497114, Stored XSS на странице pubg.mail.ru/community, resolved
497244, https://hackerone.com/reports/497244, Раскрытие информации о совершенных операциях, resolved
497255, https://hackerone.com/reports/497255, A stack buffer overflow in BabyGrid.cpp can lead to program crashes via a malicious localization file, resolved
497312, https://hackerone.com/reports/497312, Command injection by setting a custom search engine, resolved
497655, https://hackerone.com/reports/497655, Image Injection on www.rockstargames.com/screenshot-viewer/responsive/image may allow facebook oauth token theft., resolved
497664, https://hackerone.com/reports/497664, Open redirect on https://hq-api.upserve.com/, resolved
497724, https://hackerone.com/reports/497724, Stored XSS in Post Preview as Contributor, resolved
497771, https://hackerone.com/reports/497771, [Critical] Full local fylesystem access (LFI/LFD) as admin via Path Traversal in the misconfigured Java servlet on the https://███/, resolved
498351, https://hackerone.com/reports/498351, [█████] Get all tickets (IDOR), resolved
498358, https://hackerone.com/reports/498358, Image Injection on /bully/anniversaryedition may lead to OAuth token theft., resolved
498562, https://hackerone.com/reports/498562, Error Page Content Spoofing or Text Injection , resolved
498845, https://hackerone.com/reports/498845, A small set of users were assigned someone else's payout preference, resolved
498852, https://hackerone.com/reports/498852, XSS On Nextcloud Integrated with zimbra drive, informative
498865, https://hackerone.com/reports/498865, Session Cookie without HttpOnly and secure flag set, informative
498878, https://hackerone.com/reports/498878, User Editable nextcloud Wiki pages of Public Repositories, resolved
499030, https://hackerone.com/reports/499030, DOM Based XSS in www.hackerone.com via PostMessage (bypass of #398054), resolved
499041, https://hackerone.com/reports/499041, [████████] Reflected XSS, resolved
499348, https://hackerone.com/reports/499348, Twitter lite(Android): Vulnerable to local file steal, Javascript injection, Open redirect , resolved
500348, https://hackerone.com/reports/500348, URL filter bypass in Enterprise Grid, resolved
500436, https://hackerone.com/reports/500436, DOM based CSS Injection on grammarly.com, resolved
500468, https://hackerone.com/reports/500468, SSRF at ideas.starbucks.com, resolved
500686, https://hackerone.com/reports/500686, url that twitter mobile site can not load, resolved
501585, https://hackerone.com/reports/501585, Zero-amount miner TX + RingCT allows monero wallet to receive arbitrary amount of monero, resolved
501672, https://hackerone.com/reports/501672, Restricted user can view all account invoices, payment method details, PII of account owner through zoura_api endpoints, resolved
502016, https://hackerone.com/reports/502016, Reflected XSS in https://light.mail.ru/login via page, resolved
502593, https://hackerone.com/reports/502593, Attacker is able to access commit title and team member comments which are supposed to be private, resolved
502753, https://hackerone.com/reports/502753, Email addresses exposed in getPersonBySlug API, resolved
502758, https://hackerone.com/reports/502758, RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/, resolved
502816, https://hackerone.com/reports/502816, Access Violation Reading in libfaad_plugin, resolved
502819, https://hackerone.com/reports/502819, [0.vk.com] Reflected XSS на странице подтверждения., resolved
502926, https://hackerone.com/reports/502926, Html Injection and Possible XSS via MathML, duplicate
503208, https://hackerone.com/reports/503208, Access Violation Reading EXPLOITABLE_0228, resolved
503283, https://hackerone.com/reports/503283, Real Time Error Logs Through Debug Information, resolved
503298, https://hackerone.com/reports/503298, Multiple XSS on account settings that can hijack any users in the company. , resolved
503300, https://hackerone.com/reports/503300, █████████ on CRM server without authorization, resolved
503707, https://hackerone.com/reports/503707, [XSS] postMessage в jsapi/button, resolved
503804, https://hackerone.com/reports/503804, Path Disclosure Vulnerability http://crm.******.com, resolved
503821, https://hackerone.com/reports/503821, Assertion `col >= 0 && col < line->cols' failed, process aborted while streaming ouput from remote server, resolved
503988, https://hackerone.com/reports/503988, Cross-site Scripting (XSS) - Reflected, resolved
504122, https://hackerone.com/reports/504122, Sensitive information disclosure, resolved
504162, https://hackerone.com/reports/504162, Делаем плейлист от любого(почти) пользователя/группы/артиста., resolved
504261, https://hackerone.com/reports/504261, Web Cache Deception Attack (XSS), resolved
504355, https://hackerone.com/reports/504355, Various vulnerabilities ultimately lead to attacker control over FliteThermostat server and access to internal accounting application source code, resolved
504362, https://hackerone.com/reports/504362, the login blocking mechanism does not work correctly, not-applicable
504413, https://hackerone.com/reports/504413, CTF write-up: c8889970d9fb722066f31e804e351993, resolved
504507, https://hackerone.com/reports/504507, Domain does not Match SSL Certificate, informative
504514, https://hackerone.com/reports/504514, Web cache poisoning leads to disclosure of CSRF token and sensitive information, resolved
504731, https://hackerone.com/reports/504731,  Predictable Random Number Generator, informative
504751, https://hackerone.com/reports/504751, Open Redirect, resolved
504759, https://hackerone.com/reports/504759, Uploading large avatar images cause excessive CPU usage, resolved
504761, https://hackerone.com/reports/504761, phar_tar_writeheaders_int() buffer overflow, resolved
504782, https://hackerone.com/reports/504782, CSRF at adding new role (user-management.service.newrelic.com), resolved
504951, https://hackerone.com/reports/504951, Malformed playlist.txt in GoldSrc games leads to Access Violation & arbitrary code execution, resolved
504984, https://hackerone.com/reports/504984, XSS inside HTML Link Tag, resolved
505007, https://hackerone.com/reports/505007, [Twitter Open Source] Releases were & are built/executed/tested/released in the context of insecure/untrusted code, resolved
505157, https://hackerone.com/reports/505157, Dom based xss on https://www.rockstargames.com/ via `returnUrl` parameter, resolved
505173, https://hackerone.com/reports/505173, Malformed map detailed texture files in GoldSrc games lead to Remote Code Execution, resolved
505259, https://hackerone.com/reports/505259, Image injection on /screenshot-viewer/responsive/image ( FIX BYPASS), resolved
505278, https://hackerone.com/reports/505278, DOS in stream filters, resolved
505336, https://hackerone.com/reports/505336, Просмотр аттачей удаленного сообщения....., resolved
505347, https://hackerone.com/reports/505347, Просмотр инфы на странице пользователя или группы который тебя добавил в ЧС, resolved
505424, https://hackerone.com/reports/505424, Twitter ID exposure via error-based side-channel attack, resolved
505595, https://hackerone.com/reports/505595, Authenticated Cross-Site-Request-Forgery, not-applicable
505947, https://hackerone.com/reports/505947, XXE on pulse.mail.ru, resolved
506040, https://hackerone.com/reports/506040, ChaCha20-Poly1305 with long nonces, resolved
506126, https://hackerone.com/reports/506126, image injection /screenshot-viewer/responsive/image (ANOTHER FIX BYPASS), resolved
506496, https://hackerone.com/reports/506496, RingCT malformed tx prevents target from being able to sweep balance, resolved
506498, https://hackerone.com/reports/506498, (remote) exabyte allocation via load_from_binary() (DoS), resolved
506595, https://hackerone.com/reports/506595, CryptoNote: remote node DoS, resolved
506644, https://hackerone.com/reports/506644, [@azhou/basemodel] SQL injection, resolved
506654, https://hackerone.com/reports/506654, [typeorm] SQL Injection, resolved
506791, https://hackerone.com/reports/506791, Pippo XML Entity Expansion (Billion Laughs Attack), informative
506798, https://hackerone.com/reports/506798, URL modification changes server side behavior to allow access, resolved
507012, https://hackerone.com/reports/507012, bypass Claudflare access crm.mautic.com, resolved
507023, https://hackerone.com/reports/507023, CTF Writeup, resolved
507097, https://hackerone.com/reports/507097, Open AWS S3 bucket leaks all Images uploaded to Zomato chat, resolved
507132, https://hackerone.com/reports/507132, Stored XSS in notes (charts) because of insecure chart data JSON generation, resolved
507139, https://hackerone.com/reports/507139, DOM based XSS in the WooCommerce plugin, resolved
507148, https://hackerone.com/reports/507148, `Cody trolled us all` h1-702 CTF write-up, resolved
507159, https://hackerone.com/reports/507159, [fileview] Inadequate Output Encoding and Escaping , resolved
507172, https://hackerone.com/reports/507172, Able to bypass "Device credentials" Lock, resolved
507222, https://hackerone.com/reports/507222, [untitled-model] sql injection, resolved
507303, https://hackerone.com/reports/507303, [file-browser] Inadequate Output Encoding and Escaping , resolved
507310, https://hackerone.com/reports/507310, [deliver-or-else] Path Traversal, resolved
507494, https://hackerone.com/reports/507494, xss on https://www.rockstargames.com/GTAOnline/jp/screens/ , resolved
507525, https://hackerone.com/reports/507525, DoS attacks utilizing camo.stream.highwebmedia.com, resolved
507957, https://hackerone.com/reports/507957, Stored XSS on www.starbucks.com.sg/careers/career-center/career-landing-*, resolved
507972, https://hackerone.com/reports/507972, Просмотр удаленного сообщения из лс группы + возможность его переслать., resolved
508011, https://hackerone.com/reports/508011, CTF Writeup - c8889970d9fb722066f31e804e351993, resolved
508024, https://hackerone.com/reports/508024, Public and secret api key leaked via omise github repo(owned by omise), informative
508123, https://hackerone.com/reports/508123, @ajxchapman 50m-ctf writeup, resolved
508184, https://hackerone.com/reports/508184, Persistent XSS in Note objects, resolved
508228, https://hackerone.com/reports/508228, Seven DOM-Based XSS Vulnerabilities | Execution in Login Sequence, resolved
508256, https://hackerone.com/reports/508256, EdgeSwitch Command Injection, resolved
508346, https://hackerone.com/reports/508346, [increments] sql injection, resolved
508446, https://hackerone.com/reports/508446, XSS in Bootbox, resolved
508459, https://hackerone.com/reports/508459, SSRF in webhooks leads to AWS private keys disclosure, resolved
508475, https://hackerone.com/reports/508475, DOM based XSS on /GTAOnline/de/news/article via "returnUrl" parameter, resolved
508487, https://hackerone.com/reports/508487, Arbitrary SQL command injection, resolved
508490, https://hackerone.com/reports/508490, Nextcloud domain and name of every user leaked to lookup server, resolved
508493, https://hackerone.com/reports/508493, Group admins can remove arbitrary data from "data" directory (including admin data), resolved
508506, https://hackerone.com/reports/508506, Загружаем видеозаписи в основной альбом любой открытой группе/паблику., resolved
508517, https://hackerone.com/reports/508517, DOM based XSS on /GTAOnline/tw/starterpack/, resolved
508894, https://hackerone.com/reports/508894, Vulnerability in GoldSource Engine allows to upload and run an arbitrary DLL on client, resolved
509080, https://hackerone.com/reports/509080, LFI on Accounting server and RCE on FliteThermostat admin server, resolved
509315, https://hackerone.com/reports/509315, c3p0 may be exploited by a Billion Laughs Attack when loading XML configuration, resolved
509390, https://hackerone.com/reports/509390, Missing DNSSEC, resolved
509574, https://hackerone.com/reports/509574, Invited team member can disclosure slack channels, resolved
509697, https://hackerone.com/reports/509697, [md-fileserver] Path Traversal, resolved
509924, https://hackerone.com/reports/509924, JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions, resolved
509930, https://hackerone.com/reports/509930, Potential unprivileged Stored XSS through wp_targeted_link_rel, resolved
510025, https://hackerone.com/reports/510025, Invalid Read on exif_process_SOFn, resolved
510043, https://hackerone.com/reports/510043, [serve] Path Traversal, resolved
510152, https://hackerone.com/reports/510152, Bypass for #488147 enables stored XSS on https://paypal.com/signin again, resolved
510336, https://hackerone.com/reports/510336, Uninitialized read in exif_process_IFD_in_TIFF, resolved
510388, https://hackerone.com/reports/510388, Image injection /br/games/info may lead to phishing attacks or FB OAuth theft., resolved
510759, https://hackerone.com/reports/510759, IDOR in Report CSV export discloses the IDs of Custom Field Attributes of Programs, resolved
510887, https://hackerone.com/reports/510887, [CVE-2018-18312] regcomp: heap-buffer-overflow write / reg_node overrun, resolved
510888, https://hackerone.com/reports/510888, [CVE-2018-18313] regcomp: heap-buffer-overflow read in S_grok_bslash_N, resolved
511025, https://hackerone.com/reports/511025, Privilege-0 to Root Privilege Escalation on EdgeSwitch, resolved
511044, https://hackerone.com/reports/511044, [www.zomato.com] Availing Zomato Gold membership for free by tampering plan id(s) , resolved
511317, https://hackerone.com/reports/511317, Potential use-after-free due to struct array_entry_t lacking an explicit copy constructor, resolved
511381, https://hackerone.com/reports/511381, All functions that allow users to specify color code are vulnerable to ReDoS, resolved
511459, https://hackerone.com/reports/511459, [listening-processes] Command Injection, resolved
511536, https://hackerone.com/reports/511536, Unprotected Api EndPoints, not-applicable
511779, https://hackerone.com/reports/511779, Moving a report to a different program doesn't reassign the Custom Field Values, resolved
512023, https://hackerone.com/reports/512023, Writeup Hackerone 50M CTF, resolved
512065, https://hackerone.com/reports/512065, DOM XSS triggered in secure support desk, resolved
512076, https://hackerone.com/reports/512076, Deserialization of Untrusted Data in www/delivery/adxmlrpc.php, resolved
512102, https://hackerone.com/reports/512102, CSRF at acknowledging an incident, resolved
512958, https://hackerone.com/reports/512958, Login as root without password on EdgeSwitchX, resolved
512968, https://hackerone.com/reports/512968, [api.zomato.com] Able to manipulate order amount, resolved
512973, https://hackerone.com/reports/512973, Open Selenoid instance at 188.93.63.186 leads to LFR/SSRF., resolved
513105, https://hackerone.com/reports/513105, CSP : Inline scripts can be inserted, informative
513134, https://hackerone.com/reports/513134, Issue:Form does not contain an anti-CSRF token, not-applicable
513137, https://hackerone.com/reports/513137, Request vulnerable to CSRF, not-applicable
513154, https://hackerone.com/reports/513154, Unchecked weapon id in WeaponList message parser on client leads to RCE, resolved
513172, https://hackerone.com/reports/513172, All Burp Suite Scan report, not-applicable
513236, https://hackerone.com/reports/513236, touch.mail.ru / e.mail.ru memory content disclosure, resolved
513525, https://hackerone.com/reports/513525, Several vulnerabilities lead to Remote Code Execution and Arbitraty File Read on multiple servers, resolved
514224, https://hackerone.com/reports/514224, SSRF in Search.gov via ?url= parameter, resolved
514293, https://hackerone.com/reports/514293, Unrestricted POST request size on /customer_support/information_form/ endpoint, resolved
514415, https://hackerone.com/reports/514415, 0xc0ffee's 50M-CTF Submission, resolved
514421, https://hackerone.com/reports/514421, smtp service vulnerable to POODLE SSLv3, resolved
514451, https://hackerone.com/reports/514451, Deprecated Hacker101 coursework repository mentions Heroku App that is susceptible to takeover, resolved
514488, https://hackerone.com/reports/514488, CRITICAL ISSUE : Leak of all accounts mail login md5 pass and more, resolved
514577, https://hackerone.com/reports/514577, Failure to Invalid Session after Password Change, resolved
514584, https://hackerone.com/reports/514584, Weak credentials, Blind SQLi, Timing attack, that leads to web admin access, resolved
514664, https://hackerone.com/reports/514664, $50 million CTF Writeup, resolved
514897, https://hackerone.com/reports/514897, Possible to enumerate Addresses of users using AddressId and guessing the delivery_subzone, resolved
515322, https://hackerone.com/reports/515322, FLV FILE FORMAT (AUDIOSES.DLL) Out of Bounds, resolved
515484, https://hackerone.com/reports/515484, [Reflected XSS] In Request URL, resolved
515574, https://hackerone.com/reports/515574, Unclaimed Github Repository Takeover on https://www.data.gov/labs, resolved
516237, https://hackerone.com/reports/516237, Uninitialized read in exif_process_IFD_in_MAKERNOTE, resolved
517461, https://hackerone.com/reports/517461, Blind SSRF/XSPA on dashboard.lob.com + blind code injection, duplicate
517470, https://hackerone.com/reports/517470, CSRF on /subscription_manage.php endpoint at allods.mail.ru, resolved
518081, https://hackerone.com/reports/518081, Открытые сорцы , resolved
518097, https://hackerone.com/reports/518097, libcurl: SMTP end-of-response out-of-bounds read - CVE-2019-3823, informative
518196, https://hackerone.com/reports/518196, Rails application running in development mode, resolved
518637, https://hackerone.com/reports/518637, RCE on shared.mail.ru due to "widget" plugin, resolved
518641, https://hackerone.com/reports/518641, LRF on shared.mail.ru due to "markdown" plugin, resolved
518669, https://hackerone.com/reports/518669, SQLi allow query restriction bypass on exposed FileContentProvider, resolved
518837, https://hackerone.com/reports/518837, DLL Hijacking in Burp Suite Pro 2.0.19 Installer, informative
518942, https://hackerone.com/reports/518942, Discloser of Internal Ip address, duplicate
519044, https://hackerone.com/reports/519044, Publicly exposed HashiCorp Vault (Secrets management) at usec-gcp-staging.uberinternal.com & usec-gcp.uberinternal.com, resolved
519059, https://hackerone.com/reports/519059, Protected Tweets setting overridden by Android app, resolved
519061, https://hackerone.com/reports/519061, Ruby is shipping a vulnerable jQuery, resolved
519120, https://hackerone.com/reports/519120, Computing hash of crafted block leads to crash in tree_hash(), resolved
519220, https://hackerone.com/reports/519220, File writing by Directory traversal at actionpack-page_caching and RCE by it, resolved
519367, https://hackerone.com/reports/519367, Attacker can read password from log data, resolved
519582, https://hackerone.com/reports/519582, Catch mails sent to an SMTP Server over SSL using an Evil SMTP Server, resolved
520518, https://hackerone.com/reports/520518, Full name of other accounts exposed through NR API Explorer (another workaround of #476958), resolved
520623, https://hackerone.com/reports/520623, Giving myself access to NR1 UI / one.newrelic.com without the proper feature flags on my account, resolved
520630, https://hackerone.com/reports/520630, (Prerelease UI) Stored XSS via role name in JSON chart, resolved
520717, https://hackerone.com/reports/520717, Old WebKit HTML agent in Template Preview function has multiple known vulnerabilities leading to RCE, resolved
520871, https://hackerone.com/reports/520871, СКР инжект , resolved
520883, https://hackerone.com/reports/520883, [special.mail.ru] Information Disclosure, resolved
520903, https://hackerone.com/reports/520903, Apache HTTP [2.4.17-2.4.38] Local Root Privilege Escalation, resolved
521582, https://hackerone.com/reports/521582, Phpinfo, resolved
521779, https://hackerone.com/reports/521779, phpinfo , resolved
521960, https://hackerone.com/reports/521960, Source code disclosure, resolved
522203, https://hackerone.com/reports/522203, SSRF, resolved
522214, https://hackerone.com/reports/522214, Обход фильтра на ссылки в загрузке историй.., resolved
522403, https://hackerone.com/reports/522403, URL redirection, resolved
522876, https://hackerone.com/reports/522876, In Dockerized Environments, Failing to Read config.php Grants Any Anonymous User Full Admin Access, resolved
526258, https://hackerone.com/reports/526258, environment variable leakage in error reporting, resolved
526325, https://hackerone.com/reports/526325, Stored XSS in Wiki pages, resolved
526570, https://hackerone.com/reports/526570, Bypassing push rules via MRs created by Email, resolved
527042, https://hackerone.com/reports/527042, CVE-2019-0196: mod_http2 with scoreboard Use-After-Free (Read), resolved
527296, https://hackerone.com/reports/527296, XSS, resolved
528940, https://hackerone.com/reports/528940, STAFF member with NO Explicit permissions can view `ActivityFeed` via GraphQL, resolved
529367, https://hackerone.com/reports/529367, Узнаем новые email приглашенного нами пользователя после смены, и так же часть номера телефона, resolved
529371, https://hackerone.com/reports/529371, Writeup , resolved
530289, https://hackerone.com/reports/530289, [harp] Path traversal using symlink, resolved
530292, https://hackerone.com/reports/530292, Local Privilege Escalation during execution of VeraCryptExpander.exe (UAC bypass), resolved
530441, https://hackerone.com/reports/530441, Unauthorized access to █████████.com allows access to Uber Brazil tax documents and system., resolved
530458, https://hackerone.com/reports/530458, Stored XSS in Rich editor via Embed datetime, resolved
530464, https://hackerone.com/reports/530464, Stored XSS in Profile Comments, resolved
530499, https://hackerone.com/reports/530499, WooCommerce: Persistent XSS via customer address (state/county), resolved
530511, https://hackerone.com/reports/530511, Stored XSS at APM applications listing, resolved
530853, https://hackerone.com/reports/530853, Stored XSS in embedded posts containing images, resolved
530871, https://hackerone.com/reports/530871, Stored XSS firing if the error occurs when trying to delete the APM app, resolved
530881, https://hackerone.com/reports/530881, Hidden Stored XSS in nested post embeds, resolved
530967, https://hackerone.com/reports/530967, UniFi Video v3.10.1 (Windows) Local Privileges Escalation to SYSTEM from arbitrary filedelete and DLL hijack vulnerabilities., resolved
531051, https://hackerone.com/reports/531051, SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database, resolved
531146, https://hackerone.com/reports/531146, Information Disclosure (phpinfo()), resolved
531890, https://hackerone.com/reports/531890, Subdomain takeover on dev-admin.periscope.tv, resolved
532225, https://hackerone.com/reports/532225, [Zomato Order] Insecure deeplink leads to sensitive information disclosure, resolved
532643, https://hackerone.com/reports/532643, Stored - XSS, resolved
532667, https://hackerone.com/reports/532667, Server Side JavaScript Code Injection, resolved
534297, https://hackerone.com/reports/534297, Web Cache Poisoning, resolved
534450, https://hackerone.com/reports/534450, Account takeover through the combination of cookie manipulation and XSS, resolved
534541, https://hackerone.com/reports/534541, Combination of content provider allows private data disclosure, resolved
534554, https://hackerone.com/reports/534554, Unpublished Product Images can be disclosed, resolved
534630, https://hackerone.com/reports/534630, Remote Code Execution - Unauthenticated Remote Command Injection (via Microsoft SharePoint CVE-2019-0604), resolved
534711, https://hackerone.com/reports/534711, Stored XSS at APM apps labels autocomplete dropdown (apps listing), resolved
534794, https://hackerone.com/reports/534794, Importing GitLab project archives can replace uploads of other users, resolved
534887, https://hackerone.com/reports/534887, Custom crafted message object in Meteor.Call allows remote code execution and impersonation, resolved
534908, https://hackerone.com/reports/534908, CSRF at https://chatstory.pixiv.net/imported, resolved
535436, https://hackerone.com/reports/535436, Lack or Origin check leads to Cross-Site Websocket Hijacking (CSWSH), resolved
535705, https://hackerone.com/reports/535705, No Access Control, not-applicable
535827, https://hackerone.com/reports/535827, Buffer overflow in yywarning_s, resolved
536130, https://hackerone.com/reports/536130, Path traversal, SSTI and RCE on a MailRu acquisition , resolved
536134, https://hackerone.com/reports/536134, Store Development Resource Center was vulnerable to a Remote Code Execution - Unauthenticated Remote Command Injection (CVE-2019-0604), resolved
536853, https://hackerone.com/reports/536853, Unreleased CTF Levels are Revealed on /group/user/ID1?user=USERID endpoint, resolved
536954, https://hackerone.com/reports/536954, Vulnerability in http-parser & embedded NULL header handling, resolved
537550, https://hackerone.com/reports/537550, Memory corruption in imap-parser.c, resolved
537564, https://hackerone.com/reports/537564, web cache deception in https://tradus.com lead to name/user_id enumeration and other info, resolved
537670, https://hackerone.com/reports/537670, [Zomato for Business Android] Vulnerability in exported activity WebView, resolved
537840, https://hackerone.com/reports/537840, Another window.opener issue, resolved
538008, https://hackerone.com/reports/538008, Add users to groups who have restricted group invites, resolved
538323, https://hackerone.com/reports/538323, Stored XSS in mail app, resolved
538632, https://hackerone.com/reports/538632, Another Stored XSS in mail app using Drive app, resolved
538651, https://hackerone.com/reports/538651, securitytemplate.site domain hijack, resolved
538771, https://hackerone.com/reports/538771, LFI with potential to RCE on ██████ using CVE-2019-3396, resolved
538800, https://hackerone.com/reports/538800, Account takeover by changing email, resolved
538938, https://hackerone.com/reports/538938, [domokeeper] Unintended Require, resolved
540242, https://hackerone.com/reports/540242, Pre-auth Remote Code Execution on multiple Uber SSL VPN servers, resolved
540301, https://hackerone.com/reports/540301, Wordpress VIP leaks email of the test a/c, resolved
540382, https://hackerone.com/reports/540382, CSRF allows attacker to manage customer's shopping cart., duplicate
540399, https://hackerone.com/reports/540399, Reflected XSS on card.starbucks.com.sg/unsub.php via the 'ct' Parameter, resolved
540428, https://hackerone.com/reports/540428, Reflected Cross Site Scripting vuln in tomtom.com, duplicate
540698, https://hackerone.com/reports/540698, Anonymous user login to Nexus Repository Manager , resolved
540711, https://hackerone.com/reports/540711, Access Projects And create projects in gitlab pre production server, resolved
541020, https://hackerone.com/reports/541020, GetGlobalAchievementPercentagesForApp is missing the same release checks as GetSchemaForGame, resolved
541169, https://hackerone.com/reports/541169, GitLab::UrlBlocker validation bypass leading to full Server Side Request Forgery, resolved
541199, https://hackerone.com/reports/541199, Reflected XSS on card.starbucks.com.sg/unsubRevert.php via the 'ct' Parameter, resolved
541347, https://hackerone.com/reports/541347, Apache mod_status /server-status Information Disclosure, resolved
541349, https://hackerone.com/reports/541349, Exposed Git Repo at http://betaforum.tomtom.com/.git/{subfolders}, resolved
541354, https://hackerone.com/reports/541354, A specifically malformed MQTT Subscribe packet crashes MQTT Brokers using the mqtt-packet module for decoding  , resolved
541502, https://hackerone.com/reports/541502, [https-proxy-agent] Socket returned without TLS upgrade on non-200 CONNECT response, allowing request data to be sent over unencrypted connection, resolved
541606, https://hackerone.com/reports/541606, [Privilege Escalation] Shopify Admin -- Permission from Settings to Customer, resolved
541701, https://hackerone.com/reports/541701, Gitlab Oauth Misconfiguration Lead To Account Takeover , resolved
541710, https://hackerone.com/reports/541710, Stored Cross-site scripting , resolved
541737, https://hackerone.com/reports/541737, Stored XSS on Zeit.co user profile, resolved
541853, https://hackerone.com/reports/541853, Stored XSS in profile page, resolved
541858, https://hackerone.com/reports/541858, [geekbrains.ru] CVE-2019-5418 Ruby on Rails File Content Disclosure, resolved
541862, https://hackerone.com/reports/541862, Open redirect protection (https://www.pixiv.net/jump.php) is broken for novels, resolved
541948, https://hackerone.com/reports/541948, [Fix Bypass #541631] Open redirect on Signup, resolved
542047, https://hackerone.com/reports/542047, CSRF On Connect Account With Github Lead To Account Takeover, resolved
542180, https://hackerone.com/reports/542180, Malformed NAV file leads to buffer overflow and code execution in Left4Dead2.exe, resolved
542258, https://hackerone.com/reports/542258, Cross Site Scripting at https://app.oberlo.com/, resolved
542340, https://hackerone.com/reports/542340, Sensitive user information disclosure at bonjour.uber.com/marketplace/_rpc via the 'userUuid' parameter, resolved
542670, https://hackerone.com/reports/542670, Deserialization of Untrusted Data in www/delivery/dxmlrpc.php, resolved
542897, https://hackerone.com/reports/542897, Algorithmic complexity vulnerability in ZXCVBN leads to remote denial of service attack, informative
543775, https://hackerone.com/reports/543775, Sensitive data disclosure via exposed phpunit file, resolved
543782, https://hackerone.com/reports/543782, Excessive Resource Usage, resolved
544096, https://hackerone.com/reports/544096, [Source Engine] Material path truncation leads to Remote Code Execution, resolved
544329, https://hackerone.com/reports/544329, IDOR and statistics leakage in Orders , resolved
544334, https://hackerone.com/reports/544334, [Critical] Possibility to takeover any user account #2 without interaction on the https://██████████, resolved
544782, https://hackerone.com/reports/544782, Cross-site Scripting (XSS) - Stored in ru.mail.mailapp, resolved
544928, https://hackerone.com/reports/544928, Privilege Escalation From user to SYSTEM via unauthenticated command execution , resolved
545052, https://hackerone.com/reports/545052, Github wikis are editable by anyone #Githubwikistakeover, not-applicable
545121, https://hackerone.com/reports/545121, Reflected DOM-Based XSS On Due Lack Filter On Parameter ?next, resolved
546220, https://hackerone.com/reports/546220, Stored xss on message reply, resolved
546644, https://hackerone.com/reports/546644, Two heap use-after-free errors in IMAP operations, resolved
546753, https://hackerone.com/reports/546753, Remote Code Execution via Extract App Plugin, resolved
547145, https://hackerone.com/reports/547145, [okl.lt] Раскрытие администраторских функций в .js + Возможность использования этих функций., resolved
547630, https://hackerone.com/reports/547630, An integer overflow found in /lib/urlapi.c, resolved
547663, https://hackerone.com/reports/547663, IDOR in changing shared file name, resolved
547683, https://hackerone.com/reports/547683, [web.icq.com] Stored XSS in "О Контакте", resolved
548094, https://hackerone.com/reports/548094, Internal Hostname disclosure from multiple Apache servers via blank host header method, resolved
548587, https://hackerone.com/reports/548587, Users can make accounts with a fake email address., informative
549040, https://hackerone.com/reports/549040, Clientside resource Exhausting by exploiting gitlab math rendering , resolved
549084, https://hackerone.com/reports/549084, Stored XSS firing at transaction map (applicationName field), resolved
549130, https://hackerone.com/reports/549130, [authdl.mail.ru] Spoofing IP address, resolved
549355, https://hackerone.com/reports/549355, Blind SQL Injection on starbucks.com.gt and WAF Bypass  :*, resolved
549364, https://hackerone.com/reports/549364, Account recovery text message is sending a wrong domain to users., resolved
549831, https://hackerone.com/reports/549831, External Storage - WebDAV - New user has access to storage from deleted user (same user-ID), resolved
549882, https://hackerone.com/reports/549882, SSRF  leaking internal google cloud data through upload function [SSH Keys, etc..], resolved
550266, https://hackerone.com/reports/550266, [okmedia.insideok.ru] Web Cache Poisoing & XSS, resolved
550625, https://hackerone.com/reports/550625, [CS:GO] Unchecked texture file name with TEXTUREFLAGS_DEPTHRENDERTARGET can lead to Remote Code Execution, resolved
550696, https://hackerone.com/reports/550696, Heap Buffer Overflow at lib/tftp.c, resolved
550937, https://hackerone.com/reports/550937, Insufficient DKIM record with RSA 512-bit key used on WordPress.com, resolved
557154, https://hackerone.com/reports/557154, DoS attack via comment on Issue, resolved
557389, https://hackerone.com/reports/557389, Reflected XSS on  www.tomtom.com, duplicate
561805, https://hackerone.com/reports/561805, W3 Total Cache plugin multiple vulnerabilities, resolved
562335, https://hackerone.com/reports/562335, Remote Code Execution through Deserialization Attack in OwnBackup app., informative
562417, https://hackerone.com/reports/562417, Open Redirection in [https://www.hackerone.com/index.php], resolved
563268, https://hackerone.com/reports/563268, Spoofing the redirect process using RTLO, resolved
563870, https://hackerone.com/reports/563870, CVE-2019-5765: 1-click HackerOne account takeover on all Android devices, resolved
564196, https://hackerone.com/reports/564196, help.shopify.com Cross Site Scripting, resolved
565736, https://hackerone.com/reports/565736, View HackerOne challenge scope before challenge begins, resolved
565883, https://hackerone.com/reports/565883, Bypass Email Verification -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain, resolved
566056, https://hackerone.com/reports/566056, [larvitbase-api] Unintended Require, resolved
566400, https://hackerone.com/reports/566400, Stored XSS firing at the "Add chart to note" popup, resolved
566811, https://hackerone.com/reports/566811, ████ - Complete account takeover, resolved
567468, https://hackerone.com/reports/567468, Stored XSS at APM key transactions list, resolved
568832, https://hackerone.com/reports/568832, No rate limit on app.crowdsignal.com (Finish quiz), resolved
569241, https://hackerone.com/reports/569241, Reflected XSS , resolved
569350, https://hackerone.com/reports/569350, Nickname disclosure through web-chat, resolved
569891, https://hackerone.com/reports/569891, [min-http-server] List any file in the folder by using path traversal., resolved
569966, https://hackerone.com/reports/569966, [serve-here.js] List any file in the folder by using path traversal., resolved
570035, https://hackerone.com/reports/570035, [statichttpserver] List any file in the folder by using path traversal., resolved
570133, https://hackerone.com/reports/570133, [http-file-server] List any files and sub folders in the folder by using path traversal., resolved
570358, https://hackerone.com/reports/570358, Full Path Disclosure, resolved
570537, https://hackerone.com/reports/570537, SSRF and local file disclosure by video upload on https://www.redtube.com/upload, resolved
570563, https://hackerone.com/reports/570563, [http-file-server] Stored XSS in the filename when directories listing, resolved
570568, https://hackerone.com/reports/570568, [min-http-server] Stored XSS in the filename when directories listing, resolved
570651, https://hackerone.com/reports/570651, Subdomain takeover of mydailydev.starbucks.com, resolved
574133, https://hackerone.com/reports/574133, SSRF and local file disclosure by video upload on https://www.tube8.com/, resolved
574134, https://hackerone.com/reports/574134, SSRF and local file disclosure by video upload on http://www.youporn.com/, resolved
574638, https://hackerone.com/reports/574638, Lack of proper paymentProfileUUID validation allows any number of free rides without any outstanding balance, resolved
574639, https://hackerone.com/reports/574639, Reports Modal in app.mopub.com Disclose by any user, resolved
576288, https://hackerone.com/reports/576288, Testnet address being sent in cleartext as http://rinkeby.chain.link/ is missing SSL certificate, resolved
576504, https://hackerone.com/reports/576504, Authentication Bypass by abusing Insecure crypto tokens in /lib/OA/Dal/PasswordRecovery.php:, resolved
576532, https://hackerone.com/reports/576532, DOM XSS via Shopify.API.remoteRedirect, resolved
576857, https://hackerone.com/reports/576857, Multiple Subdomain Takeovers: fly.staging.shipt.com, fly.us-west-2.staging.shipt.com, fly.us-east-1.staging.shipt.com, resolved
576887, https://hackerone.com/reports/576887, RCE on █████ via CVE-2017-10271, resolved
577584, https://hackerone.com/reports/577584, ISteamAssets gives partners control over unrelated community market transactions, resolved
577612, https://hackerone.com/reports/577612, MSSQL injection via param Customwho in https://█████/News/Transcripts/Search/Sort/ and WAF bypass, resolved
577920, https://hackerone.com/reports/577920, login csrf in analytics.mopub.com, resolved
577969, https://hackerone.com/reports/577969, CORS misconfiguration allows to steal customers data , resolved
578119, https://hackerone.com/reports/578119, Privilege escalation due to insecure use of logrotate, resolved
578138, https://hackerone.com/reports/578138, [http_server] Stored XSS in the filename when directories listing, resolved
579116, https://hackerone.com/reports/579116, Vulnerable W3 Total Cache plugin version in use on nextcloud.com, informative
579517, https://hackerone.com/reports/579517, [hnzserver] Path Traversal allowing to read any files on the server, resolved
579523, https://hackerone.com/reports/579523, [http_server] Path Traversal allowing to read any files on the server, resolved
579560, https://hackerone.com/reports/579560, [larvitbase-www] Unintended Require, resolved
579760, https://hackerone.com/reports/579760, Jenkins Unauthenticated RCE on https://djangoci.com/, informative
580268, https://hackerone.com/reports/580268, API on campus-vtc.com allows access to ~100 Uber users full names, email addresses and telephone numbers., resolved
581939, https://hackerone.com/reports/581939, [static-server-gx] Path Traversal allowing to read any files on the server, resolved
582349, https://hackerone.com/reports/582349, Last pipeline status for MR leaked , resolved
582360, https://hackerone.com/reports/582360, Xss Reflected On spgw.terrhq.ru [ url ], resolved
582810, https://hackerone.com/reports/582810, self XSS на странице https://aw.mail.ru/pin/, resolved
583184, https://hackerone.com/reports/583184, Arbitrary File Write as SYSTEM from unprivileged user, informative
583561, https://hackerone.com/reports/583561, XSS Reflect, duplicate
583624, https://hackerone.com/reports/583624, Clickjacking in ops.cuvva.com, resolved
583710, https://hackerone.com/reports/583710, BUG XSS IN "ADD IMAGES", informative
583819, https://hackerone.com/reports/583819, cookie injection allow dos attack to periscope.tv, resolved
583987, https://hackerone.com/reports/583987, Periscope android app deeplink leads to CSRF in follow action, resolved
584582, https://hackerone.com/reports/584582, Просмотр закрытых фотографий, resolved
584603, https://hackerone.com/reports/584603, RCE on CS:GO client using unsanitized entity ID in EntityMsg message, resolved
584757, https://hackerone.com/reports/584757, Null Pointer Dereference in phar_create_or_parse_filename, resolved
586251, https://hackerone.com/reports/586251, Homebrew installed LaunchDaemons create simple root esclations, resolved
587012, https://hackerone.com/reports/587012, Blind SSRF [ Sentry Misconfiguraton ], resolved
587214, https://hackerone.com/reports/587214, ██████ Authenticated User Data Disclosure, resolved
587687, https://hackerone.com/reports/587687, IDOR to update folder name of other user, resolved
587727, https://hackerone.com/reports/587727, CSS injection via BB code tag "█████", resolved
587733, https://hackerone.com/reports/587733, Improper access control in place for "member only" groups via root.YUI_config.flickr.api.site_key, resolved
587829, https://hackerone.com/reports/587829, CSTI at Plugin page leading to active stored XSS (Publisher name), resolved
587854, https://hackerone.com/reports/587854, Local files could be overwritten in GitLab, leading to remote command execution, resolved
587910, https://hackerone.com/reports/587910, Password not checked when disabling 2FA on HackerOne, resolved
588239, https://hackerone.com/reports/588239, Detect Tor Browser's language, resolved
588562, https://hackerone.com/reports/588562, Memory Leak in OCUtil.dll library in Desktop client can lead to DoS, resolved
589400, https://hackerone.com/reports/589400, Просмотр любых статей по их айди., resolved
590020, https://hackerone.com/reports/590020, CRLF Injection in urllib, resolved
590279, https://hackerone.com/reports/590279, [CS 1.6] Map cycle abuse allows arbitrary file read/write, resolved
590319, https://hackerone.com/reports/590319, Linux client is vulnerable to directory traversal when downloading files, resolved
591002, https://hackerone.com/reports/591002, Full Path Disclosure, informative
591266, https://hackerone.com/reports/591266, open redirect while login at https://apps.dev.jupiterone.io can leak access code., resolved
591302, https://hackerone.com/reports/591302, Denial of service to WP-JSON API by cache poisoning the CORS allow origin header, resolved
591432, https://hackerone.com/reports/591432, Twitter Periscope Clickjacking Vulnerability, resolved
591770, https://hackerone.com/reports/591770, Signed integer overflow in tool_progress_cb(), informative
591786, https://hackerone.com/reports/591786, XSS on services.shopify.com, resolved
591813, https://hackerone.com/reports/591813, [Pre-Submission][H1-4420-2019] API access to Phabricator on code.uberinternal.com from leaked certificate in git repo, resolved
592090, https://hackerone.com/reports/592090, IDOR in sending support email upon Verifying user business domain, resolved
592094, https://hackerone.com/reports/592094, Remote Daemon RPC Attack, resolved
592200, https://hackerone.com/reports/592200, Remote P2P DoS, resolved
592316, https://hackerone.com/reports/592316, Stored XSS on byddypress Plug-in via groups name, resolved
592400, https://hackerone.com/reports/592400, Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice, resolved
592525, https://hackerone.com/reports/592525, Lack of input validation and sanitization in react-autolinker-wrapper library causes XSS , resolved
592803, https://hackerone.com/reports/592803, Gaining unlimited bonus points on websites with WooCommerce Points and Rewards, resolved
592864, https://hackerone.com/reports/592864, Non-admin users can trigger writes to memcached by entering a malicious server as a share URL, resolved
592885, https://hackerone.com/reports/592885, multiple vulnerabilities on your mautic server, resolved
593229, https://hackerone.com/reports/593229, Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow, resolved
593712, https://hackerone.com/reports/593712, Web cache deception attack on https://open.vanillaforums.com/messages/all, resolved
593893, https://hackerone.com/reports/593893, CSRF in generating developer api_key, resolved
593911, https://hackerone.com/reports/593911, [public] Path traversal using symlink, resolved
593926, https://hackerone.com/reports/593926, Homebrew privilege escalation vulnerability, resolved
594045, https://hackerone.com/reports/594045, CSRF на отправку вопроса на [games.mail.ru], resolved
596363, https://hackerone.com/reports/596363, Бесконечный доступ к аккаунту если мы смогли хотя бы раз зайти на аккаунт., resolved
596368, https://hackerone.com/reports/596368, Открытый .htaccess на cookery.zakazaka.ru, resolved
600359, https://hackerone.com/reports/600359, Integer overflow in the source code tool_cb_prg.c, informative
601287, https://hackerone.com/reports/601287, Vulnerability Name: Host Header Injection Redirect, resolved
601367, https://hackerone.com/reports/601367, Unclaimed facebook  page at www.cuvva.com/about, resolved
602498, https://hackerone.com/reports/602498, SSRF On [ allods.mail.ru ], resolved
602527, https://hackerone.com/reports/602527, Urgent! Stored XSS at plugin's violations leading to account takeover, resolved
602596, https://hackerone.com/reports/602596, Plain text password for 'unknown' user exist in URL when opening jira.apiok.ru, informative
602767, https://hackerone.com/reports/602767, DOM XSS via Shopify.API.Modal.initialize, resolved
603196, https://hackerone.com/reports/603196, Open Redirect in comment section, resolved
603788, https://hackerone.com/reports/603788, Unrestricted File Upload To Xss Stored [ https://ideas.browser.mail.ru/ ], resolved
603941, https://hackerone.com/reports/603941, Blind XSS in redtube administering site my.reflected.net, resolved
604560, https://hackerone.com/reports/604560, Обход комиссии на переводы, resolved
605845, https://hackerone.com/reports/605845, Stored admin-to-owner XSS at infrastructure alerts runbook URL leading to account takeover by malicious admin, resolved
605915, https://hackerone.com/reports/605915, Reflected XSS / Markup Injection in `index.php/svg/core/logo/logo` parameter `color`, resolved
606526, https://hackerone.com/reports/606526, [tianma-static] Security issue with XSS., resolved
608031, https://hackerone.com/reports/608031, Open redirect vuln on login, resolved
608577, https://hackerone.com/reports/608577, Windows Privilege Escalation: Malicious OpenSSL Engine, resolved
608620, https://hackerone.com/reports/608620, Industry-Wide MITM Vulnerability Impacting the JVM Ecosystem, resolved
608656, https://hackerone.com/reports/608656, Disabled account can still use GraphQL endpoint, resolved
610219, https://hackerone.com/reports/610219, Stored XSS via Create Project (Add new translation project), resolved
612231, https://hackerone.com/reports/612231, Github Token Leaked publicly for https://github.com/mopub, resolved
614355, https://hackerone.com/reports/614355, GraphQL query "namespace" leaks data, resolved
614441, https://hackerone.com/reports/614441, XSS при загрузке изображения на [games.mail.ru], resolved
614523, https://hackerone.com/reports/614523, Able to manipulate order amount by removing cancellation amount and cause financial impact, resolved
614947, https://hackerone.com/reports/614947, Site-wide clickjacking at IE11, resolved
615336, https://hackerone.com/reports/615336, EXIF Geolocation Data Not Stripped From Uploaded Images, resolved
615448, https://hackerone.com/reports/615448, CSRF in Account Deletion feature (https://www.flickr.com/account/delete), resolved
615840, https://hackerone.com/reports/615840, Blind Stored XSS In  "Report a Problem" on www.data.gov/issue/, resolved
616770, https://hackerone.com/reports/616770, Stored XSS in Conversations (both client and admin) when Active Conversation Editor is set to "Rich Text", resolved
617543, https://hackerone.com/reports/617543, Arbitrary File Reading on Uber SSL VPN, resolved
617896, https://hackerone.com/reports/617896, Bypass Email Verification using Salesforce -- Reproducible in gitlab.com, resolved
618214, https://hackerone.com/reports/618214, Open redirection in https://zeit.co/login?next=, duplicate
619484, https://hackerone.com/reports/619484, User with read-only access to a share can gain write access to sub-folders in the share, resolved
619578, https://hackerone.com/reports/619578, Rate Limit workaround in the message of the phone number verification , resolved
621308, https://hackerone.com/reports/621308, NULL pointer dereference in `mrb_check_frozen`, resolved
622112, https://hackerone.com/reports/622112, xss, resolved
622113, https://hackerone.com/reports/622113, SVN repository, resolved
622118, https://hackerone.com/reports/622118, пхпинфо, resolved
622122, https://hackerone.com/reports/622122, DoS on PayPal via web cache poisoning, resolved
622170, https://hackerone.com/reports/622170, Arbitrary code execution in desktop client via OpenSSL config, resolved
622864, https://hackerone.com/reports/622864, https://█████████ Vulnerable to CVE-2018-0296 Cisco ASA Path Traversal Authentication Bypass, resolved
622937, https://hackerone.com/reports/622937, Private ip leaking through response, resolved
623588, https://hackerone.com/reports/623588, Uninitialized read in gdImageCreateFromXbm, resolved
623834, https://hackerone.com/reports/623834, XSS in messages on geekbrains.ru, resolved
624645, https://hackerone.com/reports/624645, Chained vulnerabilities create DOS attack against users on desafio5estrelas.com, resolved
625199, https://hackerone.com/reports/625199, Wordpress Users Disclosure, duplicate
625546, https://hackerone.com/reports/625546, Open Redirection leads to redirect Users to malicious website, resolved
626082, https://hackerone.com/reports/626082, Stored XSS via "my recent queries" selector in NRQL dashboard builder, resolved
627245, https://hackerone.com/reports/627245, Integer overlow in "header_append" function, informative
627376, https://hackerone.com/reports/627376, Application level denial of service due to shutting down the server , resolved
629087, https://hackerone.com/reports/629087, No Valid SPF Records., resolved
629113, https://hackerone.com/reports/629113, CSTI fix (#587829) bypass leading to stored XSS at plugins again, resolved
629879, https://hackerone.com/reports/629879, loader.js is not secure, not-applicable
629892, https://hackerone.com/reports/629892, Lack of CSRF header validation at https://g-mail.grammarly.com/profile, resolved
630146, https://hackerone.com/reports/630146, CSRF vulnerability that allows an attacker to modify encryption settings, resolved
630192, https://hackerone.com/reports/630192, Access control bypass leads to domain information disclosure, resolved
630227, https://hackerone.com/reports/630227, Command Injection due to lack of sanitisation of tar.gz filename passed as an argument to pm2.install()  function, resolved
630235, https://hackerone.com/reports/630235, User personal data disclosure via API, resolved
630265, https://hackerone.com/reports/630265, Reflected XSS on https://www.olx.co.id/iklan/*.html via "ad_type" parameter, resolved
630462, https://hackerone.com/reports/630462, Heap overflow happen when receiving short length key from ssh server using ssh protocol 1, resolved
630903, https://hackerone.com/reports/630903, Monero Wallet Gui for Windows (Arbitrary Code Execution), resolved
631206, https://hackerone.com/reports/631206, Passcode Protection in Android Devices Can be Bypassed., informative
631227, https://hackerone.com/reports/631227, Some HTML Tags are Getting Executed in com.nextcloud.client, resolved
631348, https://hackerone.com/reports/631348, Public Github Repo Leaking Internal Credentials Leading To DiscoveryIQ Docker Access, resolved
631529, https://hackerone.com/reports/631529, Listing of Amazon S3 Bucket accessible to any amazon authenticated user (vector-maps-e457472599), resolved
631956, https://hackerone.com/reports/631956, Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message, resolved
632017, https://hackerone.com/reports/632017, Self-Stored XSS - Chained with login/logout CSRF, resolved
632101, https://hackerone.com/reports/632101, Server Side Request Forgery mitigation bypass, resolved
632721, https://hackerone.com/reports/632721, Root Remote Code Execution on https://███, resolved
633001, https://hackerone.com/reports/633001, Private System Note Disclosure using GraphQL, resolved
633231, https://hackerone.com/reports/633231, pre-auth Stored XSS in comments via javascript: url when administrator edits user supplied comment, resolved
633245, https://hackerone.com/reports/633245, Delete permission can be added on reshare, resolved
633262, https://hackerone.com/reports/633262, Code Injection in macOS Desktop Client, resolved
633266, https://hackerone.com/reports/633266, Code injection in macOS Desktop Client , resolved
633364, https://hackerone.com/reports/633364, Command Injection in npm module name passed as an argument to pm2.install() function, resolved
633371, https://hackerone.com/reports/633371, Add store to new partner account without confirming email address., resolved
633600, https://hackerone.com/reports/633600, Unsafe downloaded file execution, resolved
633607, https://hackerone.com/reports/633607, Invalid read in `str_replace_partial`, resolved
633751, https://hackerone.com/reports/633751, Reflected XSS on www.olx.co.id via ad_type parameter, resolved
634312, https://hackerone.com/reports/634312, HTML injection and information disclosure in support panel, resolved
634488, https://hackerone.com/reports/634488, Broken Authentication and Session Management Flaw After Change Password and Logout, resolved
634630, https://hackerone.com/reports/634630, Remote OS command Execution in the 3 more Oracle Weblogic on the ████████, ████, ███████ [CVE-2017-10352], resolved
634648, https://hackerone.com/reports/634648, web.icq.com XSS in chat message via contact info, resolved
634679, https://hackerone.com/reports/634679, Custom Field Attributes may be created and updated for customers with Custom Field Trial enabled, resolved
634692, https://hackerone.com/reports/634692, Stored XSS Via NRQL chartbuilder JSON view , resolved
635597, https://hackerone.com/reports/635597, Wrong Interpretation of URL encoded characters, showing different punny code leads to redirection on different domain, resolved
636013, https://hackerone.com/reports/636013, huge COLUMNS causes progress-bar to buffer overflow, informative
636278, https://hackerone.com/reports/636278, Reflected XSS on m.olx.co.id via ad_type parameter, resolved
636560, https://hackerone.com/reports/636560, Project Milestones Disclosed Via Groups When the Victim disabled milestones access in project settings, resolved
637194, https://hackerone.com/reports/637194, Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile), resolved
637800, https://hackerone.com/reports/637800, Libcurl ocasionally sends HTTPS traffic to port 443 rather than specified port 8080, informative
637840, https://hackerone.com/reports/637840, Path traversal in command line client, resolved
638250, https://hackerone.com/reports/638250, Fedora installation instructions fetch repo and validation key from insecure source, allowing mitm attack, resolved
638635, https://hackerone.com/reports/638635, Insecure Zendesk SSO implementation by generating JWT client-side, resolved
638685, https://hackerone.com/reports/638685, Restricted user can add and delete tags of APM key transactions , resolved
639473, https://hackerone.com/reports/639473, Ubuntu/Debian installation method allows key poisoning and code execution for network attacker, resolved
639682, https://hackerone.com/reports/639682, Khan Academy ClickJacking to Steal Users's Credintials, resolved
639684, https://hackerone.com/reports/639684, The return of the ＜, resolved
639796, https://hackerone.com/reports/639796, Reflected XSS in www.olx.co.id, resolved
639876, https://hackerone.com/reports/639876, SQL Injection on https://www.olx.co.id, resolved
640488, https://hackerone.com/reports/640488, Total bounties paid amount is disclosed because of redesign of the Program Profiles, resolved
640530, https://hackerone.com/reports/640530, Insecure Frame (External), not-applicable
640532, https://hackerone.com/reports/640532, Active Mixed Content over HTTPS, not-applicable
640904, https://hackerone.com/reports/640904, Yarn transfers npm credentials over unencrypted http connection, resolved
641240, https://hackerone.com/reports/641240, Basic Authentication Heap Overflow, resolved
641640, https://hackerone.com/reports/641640, RTL override char allowed at khanacademy redirect page, informative
642281, https://hackerone.com/reports/642281, Stored XSS in https://app.mopub.com, resolved
642475, https://hackerone.com/reports/642475, Broken OAuth leads to change photo profile users ., resolved
642488, https://hackerone.com/reports/642488, SMTP Failure Leads to Chain of Internal System Failure, resolved
642494, https://hackerone.com/reports/642494, Application Error disclosure, Verification token seen error and user able to change password, duplicate
642498, https://hackerone.com/reports/642498, Captcha protection Bypass on Forgot password page, resolved
642515, https://hackerone.com/reports/642515, User can delete data in shared folders he's not autorized to access, resolved
642643, https://hackerone.com/reports/642643, Bypass _token in forms [Merchant.Kartpay.com ], resolved
642675, https://hackerone.com/reports/642675, Bypass for blind SSRF #281950 and #287496, resolved
642847, https://hackerone.com/reports/642847, Application Design issue for Phone Number field in Registration., resolved
642862, https://hackerone.com/reports/642862, Option method enabled in kartpay Webservers, resolved
642876, https://hackerone.com/reports/642876, URl redirection , resolved
642886, https://hackerone.com/reports/642886, Reauthentication for changing password bypass, resolved
643039, https://hackerone.com/reports/643039, CSRF Vulnerability at https://aw.my.com/, resolved
643225, https://hackerone.com/reports/643225, HTTP Request Smuggling, informative
643274, https://hackerone.com/reports/643274, Viral Direct Message Clickjacking via link truncation leading to capture of both Google credentials & installation of malicious 3rd party Twitter App, resolved
643446, https://hackerone.com/reports/643446, Wrong link on corne.maximum.nl, resolved
643537, https://hackerone.com/reports/643537, Reflected XSS on https://merchant.kartpay.com/payment_settings [status], resolved
643622, https://hackerone.com/reports/643622, SSRF In Get Video Contents, resolved
643731, https://hackerone.com/reports/643731, Session misconfiguration on change password feature at https://apps-staging.pingone.com/myaccount/?environmentId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx#, resolved
644238, https://hackerone.com/reports/644238, Server Side Request Forgery, resolved
645264, https://hackerone.com/reports/645264, Program Email Nofication settings ignored when being added as an external contributor, resolved
645299, https://hackerone.com/reports/645299, Private information exposed through GraphQL filters, resolved
646505, https://hackerone.com/reports/646505, ██████ DOM XSS via Shopify.API.remoteRedirect, resolved
647130, https://hackerone.com/reports/647130, Stored XSS in "Create Groups", resolved
647409, https://hackerone.com/reports/647409, ██████████ bruteforceable RIC Codes allowing information on contracts , resolved
648222, https://hackerone.com/reports/648222, [██████████] Unauthorized access to admin panel, resolved
648298, https://hackerone.com/reports/648298, [███████] Reflected GET XSS (/mission.php?...&missionDate=*), resolved
648305, https://hackerone.com/reports/648305, [██████] Reflected GET XSS (/personnel.php?..&folder=*) with mouse action, resolved
648346, https://hackerone.com/reports/648346, [████████] Boolean SQL Injection (/personnel.php?content=profile&rcnum=*), resolved
648348, https://hackerone.com/reports/648348, [█████] Reflected GET XSS  (/personnel.php?...&rcnum=*) with mouse action, resolved
648434, https://hackerone.com/reports/648434, Multiple HTTP Smuggling reports, resolved
649322, https://hackerone.com/reports/649322, Important information leaked on Github, resolved
649533, https://hackerone.com/reports/649533, Enable 2FA without verifying the email, resolved
650085, https://hackerone.com/reports/650085, Stored credentials instantly autofilled within sandboxed iframes, resolved
651355, https://hackerone.com/reports/651355, Unsecured Dropwizard Admin Panel on display.uber-adsystem.com exposes sensitive server information, resolved
651518, https://hackerone.com/reports/651518, OS Command Injection via egrep in Rake::FileList, resolved
651966, https://hackerone.com/reports/651966, [auto.mail.ru] IDOR на редактирование поста любого юзера., resolved
652447, https://hackerone.com/reports/652447, Missing SPF Records, resolved
653125, https://hackerone.com/reports/653125, Git flag injection leading to file overwrite and potential remote code execution, resolved
653214, https://hackerone.com/reports/653214, Error Page Content Spoofing or Text Injection [https://vpn.kartpay.com/], resolved
653221, https://hackerone.com/reports/653221, XSS in https://merchant.kartpay.com/settlements, resolved
653254, https://hackerone.com/reports/653254, CSRF Vulnerabiliy on Facebook Linkage Page Allows Full Account takerover of Socialclub Accounts., resolved
654198, https://hackerone.com/reports/654198, Manipulate hacker profile and private program hacktivity to expose your name as researchers who is actively submitting reports with resolve status, resolved
654851, https://hackerone.com/reports/654851, Обход комиссии при оплате картой, resolved
655288, https://hackerone.com/reports/655288, Image Injection vulnerability on screenshot-viewer/responsive/image may allow Facebook OAuth token theft., resolved
658011, https://hackerone.com/reports/658011, Clickjacking on https://download.nextcloud.com, duplicate
658013, https://hackerone.com/reports/658013, Git flag injection - local file overwrite to remote code execution, resolved
658089, https://hackerone.com/reports/658089, Rate Limit too lenient for endpoint sending emails, resolved
658217, https://hackerone.com/reports/658217, Clickjacking in [exchangemarketplace.com], resolved
659248, https://hackerone.com/reports/659248, China – Limited Partner PII Regarding Work Scheduling via Unauthenticated API Endpoint, resolved
659419, https://hackerone.com/reports/659419, Reflected XSS on https://make.wordpress.org via 'channel' parameter, resolved
659565, https://hackerone.com/reports/659565, Server Side Request Forgery, resolved
659760, https://hackerone.com/reports/659760, Blind XSS in operator's interface for 33slona.ru, resolved
659784, https://hackerone.com/reports/659784, Image Injection on `/bully/anniversaryedition` may lead to FB's OAuth Token Theft., resolved
659957, https://hackerone.com/reports/659957, Session misconfiguration on forget password feature at https://ort-admin.pingone.com, resolved
660563, https://hackerone.com/reports/660563, [script-manager] Unintended require, resolved
660565, https://hackerone.com/reports/660565, [jsreport] Remote Code Execution, resolved
661051, https://hackerone.com/reports/661051, Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file, resolved
661402, https://hackerone.com/reports/661402, Improper signup & sign-in validation , not-applicable
661646, https://hackerone.com/reports/661646, Image Injection Vulnerability on /bully/screens, resolved
661647, https://hackerone.com/reports/661647, Local File Disclosure (+XSS+CSRF) in AirOS 6.2.0 devices, resolved
661722, https://hackerone.com/reports/661722, WEBrick::HTTPAuth::DigestAuth authentication is vulnerable to regular expression denial of service (ReDoS), resolved
661751, https://hackerone.com/reports/661751, Subdomain takeover of d02-1-ag.productioncontroller.starbucks.com, resolved
661768, https://hackerone.com/reports/661768, Clickjacking on https://nextcloud.com/, duplicate
661847, https://hackerone.com/reports/661847, Integer overflows in tool_operate.c at line 1541, informative
661873, https://hackerone.com/reports/661873, Information Disclosure - Получаем доступ к работам и к приватным презентациям к курсам, resolved
661959, https://hackerone.com/reports/661959, Command Injection vulnerability in kill-port-process package, resolved
661977, https://hackerone.com/reports/661977, Github wikis are editable by anyone https://github.com/paragonie/password_lock/wiki, informative
661978, https://hackerone.com/reports/661978, IDOR bug to See hidden slowvote of any user even when you dont have access right, resolved
662083, https://hackerone.com/reports/662083, Inject page in admin panel via Shopify.API.pushState, resolved
662108, https://hackerone.com/reports/662108, Being able to change account contents even after password change, resolved
662155, https://hackerone.com/reports/662155, Clickjacking on https://download.nextcloud.com/, duplicate
662204, https://hackerone.com/reports/662204, Persistent XSS via filename in projects, resolved
662218, https://hackerone.com/reports/662218, Talk - Leak of password-protected room name via already existent resource addition, resolved
662287, https://hackerone.com/reports/662287, Cross-site Scripting (XSS) - Stored in RDoc wiki pages, resolved
662412, https://hackerone.com/reports/662412, Integer overflow  at line 1603 in the src/operator.c file, informative
662583, https://hackerone.com/reports/662583, Manipulation of exam results at Semrush.Academy, resolved
663312, https://hackerone.com/reports/663312, Warehouse dom based xss may lead to Social Club Account Taker Over., resolved
663431, https://hackerone.com/reports/663431, IDOR in Bugs overview enables attacker to determine the date range a hackathon was active, resolved
663628, https://hackerone.com/reports/663628, Access to multiple production Grafana dashboards, resolved
663729, https://hackerone.com/reports/663729, [Brave browser] WebTorrent has DNS rebinding vulnerability, resolved
664038, https://hackerone.com/reports/664038, protected Tweet settings overwritten by other settings, resolved
664044, https://hackerone.com/reports/664044, App Takeover ( makerdao.herokuapp.com ), not-applicable
664200, https://hackerone.com/reports/664200, SignUp using Fake Email, informative
665144, https://hackerone.com/reports/665144, Partial SSN exposed through Presentation slides on ██████████, resolved
665302, https://hackerone.com/reports/665302, [seeftl] Stored XSS when directory listing via filename., resolved
665330, https://hackerone.com/reports/665330, Out of Bounds Memory Read in php_jpg_get16, resolved
665398, https://hackerone.com/reports/665398, Subdomain takeover of datacafe-cert.starbucks.com, resolved
665651, https://hackerone.com/reports/665651, Stealing Users OAuth Tokens through redirect_uri parameter, resolved
665688, https://hackerone.com/reports/665688, Дайте swag, resolved
665791, https://hackerone.com/reports/665791, Publicly Accessible Harshi Corp Consul, resolved
665798, https://hackerone.com/reports/665798, Earn free DAI interest (inflation) through instant CDP+DSR in one tx, resolved
666065, https://hackerone.com/reports/666065, [sso.33slona.ru] Application Messages Error stacktrace PHP., resolved
666557, https://hackerone.com/reports/666557, Content Spoofing /Text Injection in https://docs.nextcloud.com, resolved
666632, https://hackerone.com/reports/666632, Delete direct message history without access the proper conversation_id, resolved
666716, https://hackerone.com/reports/666716, [insideok.ru] Remote Command Execution via file upload., resolved
666722, https://hackerone.com/reports/666722, Email enumeration at SignUp page, resolved
667032, https://hackerone.com/reports/667032, Information disclosure (system username, server info) in the x-amz-meta-s3cmd-attrs response header on data.gov, duplicate
667242, https://hackerone.com/reports/667242, [steam client] Opening a specific steam:// url overwrites files at an arbitrary location, resolved
667400, https://hackerone.com/reports/667400, Settings page in https://support.my.com is vulnerable to clickjacking, resolved
667408, https://hackerone.com/reports/667408, Head pipeline leaked to unauthorized users via blocking merge request feature, resolved
667613, https://hackerone.com/reports/667613, Username Enumeration, informative
667740, https://hackerone.com/reports/667740, Can register any mobile number in MFA without current code., resolved
667770, https://hackerone.com/reports/667770, Stored XSS at APM transaction map (transactionName field), resolved
668439, https://hackerone.com/reports/668439, IDOR leading to downloading of any attachment, resolved
669365, https://hackerone.com/reports/669365, Veracode and security audit record are publicly available, informative
669438, https://hackerone.com/reports/669438, [Bypass #645264] Report title disclosure despite the program settings for email notification is set to "No Content", resolved
669440, https://hackerone.com/reports/669440, Link obfuscation bug, informative
669736, https://hackerone.com/reports/669736, Bypass Rejected ads so user can view it as normal live ad., resolved
669776, https://hackerone.com/reports/669776, Disclosure of Program email Title Report when being removed as contributor. Bypass for Report #645264, resolved
670329, https://hackerone.com/reports/670329, Disable 2FA via CSRF (Leads to 2FA Bypass), resolved
670509, https://hackerone.com/reports/670509, Stored XSS вирус в al_video.php?act=a_choose_video_box, resolved
670572, https://hackerone.com/reports/670572, Uncontrolled Resource Consumption in any Markdown field using Mermaid, resolved
670779, https://hackerone.com/reports/670779, Lodash "difference" (possibly others) Function Denial of Service Through Unvalidated Input, informative
670924, https://hackerone.com/reports/670924, Account takeover through CSRF in http://███████/██████████/default.asp, resolved
671119, https://hackerone.com/reports/671119, [agent.33slona.ru] Recovery code bruteforce, resolved
671605, https://hackerone.com/reports/671605, Avatar upload allows arbitrary file overwriting, resolved
671749, https://hackerone.com/reports/671749, Pulse Secure File disclosure, clear text and potential RCE, resolved
671857, https://hackerone.com/reports/671857, [CVE-2019-11510 ] Path Traversal on ████████ leads to leaked passwords, RCE, etc, resolved
671939, https://hackerone.com/reports/671939, Bash History file log, resolved
672243, https://hackerone.com/reports/672243, accounts.informatica.com - RCE due to exposed Groovy console, resolved
672245, https://hackerone.com/reports/672245, Use After Free in GC with Certain Destructors, resolved
672487, https://hackerone.com/reports/672487, Business Logic Flaw - A non premium user can change/update retailers to get cashback on all the retailers associated with Curve, resolved
672499, https://hackerone.com/reports/672499, Stealing the ip addres from users, not-applicable
672623, https://hackerone.com/reports/672623, Username and Access Token Disclousure, resolved
672629, https://hackerone.com/reports/672629, Online training material disclosing username and password, resolved
672664, https://hackerone.com/reports/672664, Steal collateral during `end` process, by earning DSR interest after `flow`., resolved
673273, https://hackerone.com/reports/673273, subdomain take over at recommendation.algolia.com, resolved
673384, https://hackerone.com/reports/673384, xmlrpc.php file enabled - data.gov, duplicate
673723, https://hackerone.com/reports/673723, Leak of Internal IP addresses, resolved
673724, https://hackerone.com/reports/673724, Circle email-members have still access to a shared folder/file after they are removed from the circle, resolved
674195, https://hackerone.com/reports/674195, Stealing data from customers.gitlab.com without user interaction, resolved
674426, https://hackerone.com/reports/674426, XSS For Profile Name, resolved
674540, https://hackerone.com/reports/674540, mod_remoteip stack buffer overflow and NULL pointer dereference, resolved
674741, https://hackerone.com/reports/674741, Examples directory is PUBLIC on https://████████mil, leading to multiple vulns, resolved
674757, https://hackerone.com/reports/674757, Total Paid Bounty Paid can be disclose, resolved
674774, https://hackerone.com/reports/674774, AppLovin API Key hardcoded in a Github repo, resolved
674838, https://hackerone.com/reports/674838, SQL Injection - https://███/█████████/MSI.portal, resolved
674866, https://hackerone.com/reports/674866, Conversation API Leaks Details Of UnAuthorized Conversations, resolved
675578, https://hackerone.com/reports/675578, Out of Bounds Memory Read in exif_scan_thumbnail, resolved
675580, https://hackerone.com/reports/675580, Out of Bounds Memory Read in exif_process_user_comment, resolved
675614, https://hackerone.com/reports/675614, Delete images of users  with clickjacking in https://pw.mail.ru, resolved
675710, https://hackerone.com/reports/675710, [GoldSrc] Remote Code Execution using malicious WAD list in BSP file, resolved
676212, https://hackerone.com/reports/676212, Github information leaked, resolved
676581, https://hackerone.com/reports/676581, Use Github pack with Coda employee github account (search code of Coda's private repositories), resolved
676710, https://hackerone.com/reports/676710, Http response is not ended although underlying socket is already destroyed, informative
676976, https://hackerone.com/reports/676976, Container scanning and Dependency scanning report leaked to unauthorized users, resolved
677557, https://hackerone.com/reports/677557, mod_http2, memory corruption on early pushes (CVE-2019-10081), resolved
677617, https://hackerone.com/reports/677617, Open Redirect on Gitllab Oauth leading to Acount Takeover, resolved
677955, https://hackerone.com/reports/677955, `indexFile` option passed as an argument to node-server can lead to arbitrary file read, informative
678050, https://hackerone.com/reports/678050, Invalidate session after password reset, resolved
678487, https://hackerone.com/reports/678487, Hostname spoofing, informative
678496, https://hackerone.com/reports/678496, Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███, resolved
678727, https://hackerone.com/reports/678727, potential RCE and XSS via file upload requiring user account and default settings, resolved
678989, https://hackerone.com/reports/678989, [crypto-js] Insecure entropy source - Math.random(), resolved
679657, https://hackerone.com/reports/679657, The twitter accounts are linked on page but unclaimed., resolved
679907, https://hackerone.com/reports/679907, Malformed string sent through FireServer leads to server freezing/hanging, resolved
679969, https://hackerone.com/reports/679969, CSS Injection to disable app & potential message exfil, resolved
680240, https://hackerone.com/reports/680240, Stored XSS at Synthetics private locations (planted through location label or description), resolved
680415, https://hackerone.com/reports/680415, mod_http2, read-after-free in h2 connection shutdown (CVE-2019-10082), resolved
680480, https://hackerone.com/reports/680480, Command Injection (via CVE-2019-11510 and CVE-2019-11539), resolved
681001, https://hackerone.com/reports/681001, User can run monitors at private locations, which he has no access to, resolved
681468, https://hackerone.com/reports/681468, The password recovery let users know whether an email address exists or not in the website, resolved
681473, https://hackerone.com/reports/681473, IDOR allows any user to edit others videos, resolved
681882, https://hackerone.com/reports/681882, Unauthorized admission to any team in zeit.co, informative
681986, https://hackerone.com/reports/681986, [node-red] Stored XSS within Flow's - "Name" field , resolved
682344, https://hackerone.com/reports/682344, Parameter tampering : Price Manipulation of Products, duplicate
682442, https://hackerone.com/reports/682442, Git flag injection - Search API with scope 'blobs' , resolved
682617, https://hackerone.com/reports/682617, Improper handling of payment callback allows topping up a Swiss Starbucks Card bypassing actual payment via a crafted success message, resolved
682774, https://hackerone.com/reports/682774, Arbitrary file creation with semi-controlled content (leads to DoS, EoP and others) at Steam Windows Client, resolved
683024, https://hackerone.com/reports/683024, Unrestricted File Upload, resolved
683318, https://hackerone.com/reports/683318, Windows builds with insecure path defaults (CVE-2019-1552), resolved
683792, https://hackerone.com/reports/683792,  XSS through chat messages, resolved
683925, https://hackerone.com/reports/683925, Referer issue in Kartpay.com, resolved
683957, https://hackerone.com/reports/683957, [ RCE ] Through stopping the redirect in /admin/* the attacker able to bypass Authentication And Upload Malicious File, resolved
684070, https://hackerone.com/reports/684070, Authentication bypass and RCE on the https://████ due to exposed Cisco TelePresence SX80 with default credentials, resolved
684092, https://hackerone.com/reports/684092, Steal ALL collateral during liquidation by exploiting lack of validation in `flip.kick`, resolved
684099, https://hackerone.com/reports/684099, Periscope-all Firebase database takeover, resolved
684152, https://hackerone.com/reports/684152, Steal all MKR from `flap` during liquidation by exploiting lack of validation in `flap.kick`, resolved
684567, https://hackerone.com/reports/684567, Linux kernel: CVE-2017-7308: a signedness issue in AF_PACKET sockets, resolved
684573, https://hackerone.com/reports/684573, Linux kernel: CVE-2017-1000112: a memory corruption due to UFO to non-UFO path switch, resolved
684603, https://hackerone.com/reports/684603, Heap buffer overflow in TFTP when using small blksize, resolved
684701, https://hackerone.com/reports/684701, Wordpress users disclosure on blog.makerdao.con, duplicate
684838, https://hackerone.com/reports/684838, Directory Indexing on the ████ (https://████/) leads to the backups disclosure and credentials leak, resolved
685007, https://hackerone.com/reports/685007, Password Reset Link not expiring after changing the email Leads To Account Takeover, resolved
685032, https://hackerone.com/reports/685032, Account takeover via CORS misconfigutation on https://beta.delivery-club.ru, resolved
685304, https://hackerone.com/reports/685304, account takeover https://qiwi.me , resolved
685344, https://hackerone.com/reports/685344, Local File Disclosure on the ████████ (https://████/) leads to the source code disclosure & DB credentials leak, resolved
685432, https://hackerone.com/reports/685432, Race condition при покупке подарков на games.mail.ru, resolved
685447, https://hackerone.com/reports/685447, gitlabhook OS Command Injection, resolved
685491, https://hackerone.com/reports/685491, Persistent XSS on favorite via filename, resolved
685552, https://hackerone.com/reports/685552, XSS in desktop client via invalid server address on login form, resolved
685990, https://hackerone.com/reports/685990, Clear text storage of proxy parameters and passwords, resolved
686015, https://hackerone.com/reports/686015, Administrator access to staging.railto.com, resolved
686343, https://hackerone.com/reports/686343, [██████████] — Directory traversal via `/aerosol-bin/███████/display_directory_████_t.cgi`, resolved
686363, https://hackerone.com/reports/686363, Blind SSRF on sentry.dev-my.com due to Sentry misconfiguration, resolved
686595, https://hackerone.com/reports/686595, Improper Neutralization of Input During Web Page Generation, resolved
686805, https://hackerone.com/reports/686805, .git file accessible, informative
686823, https://hackerone.com/reports/686823, krb5: double-free in read_data() after realloc() fail, resolved
687325, https://hackerone.com/reports/687325, Trojan:JS/CoinMiner in npm files, not-applicable
687734, https://hackerone.com/reports/687734, Double-free of `trailers_buf' on `Curl_http_compile_trailers()` failure, informative
687887, https://hackerone.com/reports/687887, [3DS][StreetPass] Buffer Overflow in Super Mario Maker level decompression, resolved
687908, https://hackerone.com/reports/687908, Found Origin IP's Lead To Access To [ Grafana Instance , PgHero Instance [ Can SQL Injection ]  , resolved
688048, https://hackerone.com/reports/688048, Incorrect IPv6 literal parsing leads to validated connection to unexpected https server., informative
688546, https://hackerone.com/reports/688546,  Clickjacking, resolved
688567, https://hackerone.com/reports/688567, CORS misconfiguration allows to steal client's "password", Authorization token and the customer details e.g. names, SSN, bank account etc., resolved
689257, https://hackerone.com/reports/689257, [████████] — XSS on `/███████_flight/images` via `advanced_val` parameter, resolved
689314, https://hackerone.com/reports/689314, Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests, resolved
689997, https://hackerone.com/reports/689997, Disclosure of Email title report in quick award paypout email (no content mode), resolved
690010, https://hackerone.com/reports/690010, OS Command Injection on Jison [all-parser-ports], resolved
690072, https://hackerone.com/reports/690072, XSS via Cookie in Mail.ru, resolved
690295, https://hackerone.com/reports/690295, OOB XXE , resolved
690330, https://hackerone.com/reports/690330, scripts loader (denial of service) vulnerability, resolved
690338, https://hackerone.com/reports/690338, scripts loader DOS vulnerability, resolved
690387, https://hackerone.com/reports/690387, OOB XXE , resolved
690536, https://hackerone.com/reports/690536, Passive stored XSS at Synthetics job result page (View resource), resolved
690796, https://hackerone.com/reports/690796, Directory listing is enabled that exposes non public data through multiple path , resolved
690812, https://hackerone.com/reports/690812, CSRF in attach phone API endpoint on delivery-club.ru, resolved
691611, https://hackerone.com/reports/691611, XSS while logging using Google, resolved
691698, https://hackerone.com/reports/691698, hard-use account takeover qiwi.com, resolved
691766, https://hackerone.com/reports/691766, Обход комиссии на переводы, resolved
691977, https://hackerone.com/reports/691977, [reveal.js] XSS by calling arbitrary method via postMessage, resolved
692040, https://hackerone.com/reports/692040, PHP 7.3.3: Heap-use-after-free (READ of size 8) in match_at(), resolved
692068, https://hackerone.com/reports/692068, Domain takeover on http://doesfranshaveashell.com/ due to expiration, resolved
692116, https://hackerone.com/reports/692116, Access to ██████████████ due to weak credentials, resolved
692154, https://hackerone.com/reports/692154, Open Redirect in the Path of vendhq.com, resolved
692252, https://hackerone.com/reports/692252, Group search leaks private MRs, code, commits, resolved
692262, https://hackerone.com/reports/692262, Path traversal in https://www.npmjs.com/package/http_server via symlink, resolved
692326, https://hackerone.com/reports/692326, Followup - SQL Injection - https://██████████/██████/MSI.portal, resolved
692352, https://hackerone.com/reports/692352, XSS on https://app.mopub.com/reports/custom/add/ [new-d1], resolved
692360, https://hackerone.com/reports/692360, UNRESTRICTED FILE UPLOAD AT chat.makerdao.com, not-applicable
692603, https://hackerone.com/reports/692603, Privilege escalation in workers container , resolved
693788, https://hackerone.com/reports/693788, [expressjs-ip-control] Whitelist IP bypass leads to authorization bypass and sensitive info disclosure, resolved
693933, https://hackerone.com/reports/693933, PII leakage due to scrceenshot of health records, resolved
693943, https://hackerone.com/reports/693943, SSN leak due to editable slides, resolved
694053, https://hackerone.com/reports/694053, [Lark Android] Vulnerability in exported activity WebView, resolved
694141, https://hackerone.com/reports/694141, Directory Traversal in uftpd 2.6-2.10, resolved
694181, https://hackerone.com/reports/694181, Worker container escape lead to arbitrary file reading in host machine, resolved
694449, https://hackerone.com/reports/694449, Buffer write overflow when forming dns over http request, informative
694467, https://hackerone.com/reports/694467, load scripts DOS vulnerability, resolved
694471, https://hackerone.com/reports/694471, [create-git] RCE via insecure command formatting, resolved
694604, https://hackerone.com/reports/694604, HTTP Request Smuggling on vpn.lob.com, resolved
694749, https://hackerone.com/reports/694749, Clicking "http://burp" hyperlink on FireFox CA Installation guide redirects to "burp.com" (unclaimed website)., informative
694930, https://hackerone.com/reports/694930, [snekserve] Stored XSS via filenames HTML formatted, resolved
694931, https://hackerone.com/reports/694931, Information Leak (Github), resolved
694943, https://hackerone.com/reports/694943, Can fake content email of newrelic to any user, duplicate
694988, https://hackerone.com/reports/694988, Resource leak when using a normal site as DOH server, informative
695005, https://hackerone.com/reports/695005, Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████, resolved
695041, https://hackerone.com/reports/695041, The authentication code when activating 2FA can be used again to log in, resolved
695416, https://hackerone.com/reports/695416, Path traversal using symlink, resolved
696198, https://hackerone.com/reports/696198, WordPress Plugin Insert or Embed Articulate Content into WordPress Remote Code Execution (UNAUTHORIZED), informative
696266, https://hackerone.com/reports/696266, "Bounties paid in the last 90 days" discloses the undisclosed bounty amount in program statistics, resolved
696360, https://hackerone.com/reports/696360, Exposing debug.log file leads to server full path disclosure, resolved
696822, https://hackerone.com/reports/696822, Potential invocation of qsort on uninitialized memory during cookie save, informative
697048, https://hackerone.com/reports/697048, Stored XSS on go.mail.ru, resolved
697055, https://hackerone.com/reports/697055, Worker container escape lead to arbitrary file reading in host machine [again], resolved
697099, https://hackerone.com/reports/697099, Reflected XSS in OAUTH2 login flow , resolved
697512, https://hackerone.com/reports/697512, Information Disclosure through Sentry Instance ███████, resolved
697959, https://hackerone.com/reports/697959, Only the file extensions are checked, not the MIME types as configured, resolved
698416, https://hackerone.com/reports/698416, Host Header Injection, resolved
698579, https://hackerone.com/reports/698579, Able to Become Admin for Any LINE Official Account, resolved
698708, https://hackerone.com/reports/698708, Bypass report #416983 - Removed Staff members who had "Apps" permission can still modify flow app connections, resolved
699200, https://hackerone.com/reports/699200, Signup with any email and enable 2FA without verifying email, resolved
700075, https://hackerone.com/reports/700075, bypass captcha in the form forgot password, resolved
700091, https://hackerone.com/reports/700091, Mixed content issues on newrelic.com, informative
700612, https://hackerone.com/reports/700612, worki.ru: SMS code bruteforce, resolved
700726, https://hackerone.com/reports/700726, Reflected XSS  on Lark Suite, resolved
700831, https://hackerone.com/reports/700831, Unauthenticated read and write access to ALL endpoints of a store is possible for removed staff members who had "Apps" permission, resolved
701160, https://hackerone.com/reports/701160, India - An Insecure Direct Object Reference (IDOR) allowed unauthorized access to view card index number and monetary balance, resolved
701183, https://hackerone.com/reports/701183, [tree-kill] RCE via insecure command concatenation (only Windows), resolved
702987, https://hackerone.com/reports/702987, No redirect_uri in the db for web-internal clientKey leads to one-click DoS on gitter.im, resolved
703086, https://hackerone.com/reports/703086, Information Disclosure [ https://curious.ru/api/submissions ], resolved
703138, https://hackerone.com/reports/703138, [yarn] yarn.lock integrity & hash check logic is broken, resolved
703412, https://hackerone.com/reports/703412, [node-df] RCE via insecure command concatenation, resolved
703415, https://hackerone.com/reports/703415, [treekill] RCE via insecure command concatenation (only Windows), resolved
703600, https://hackerone.com/reports/703600, Information disclosure with sensitive data, resolved
703659, https://hackerone.com/reports/703659, RCE in AirOS 6.2.0 Devices with CSRF bypass, resolved
703759, https://hackerone.com/reports/703759, SSO through odnoklassniki uses http rather than https, resolved
703819, https://hackerone.com/reports/703819, SQL Injection and plaintext passwords via User Search, resolved
703894, https://hackerone.com/reports/703894, View the Starred Projects in a Private Profile, resolved
703910, https://hackerone.com/reports/703910, JMX RMI command injection on 195.211.131.82(Mail.ru Gaming), resolved
703972, https://hackerone.com/reports/703972, Reset any password, resolved
704266, https://hackerone.com/reports/704266, DOM XSS at www.forescout.com in Microsoft Edge and IE Browser, resolved
704621, https://hackerone.com/reports/704621, SSRF via maliciously crafted URL due to host confusion, informative
705420, https://hackerone.com/reports/705420, A reflected XSS in python/Lib/DocXMLRPCServer.py, resolved
706533, https://hackerone.com/reports/706533, Stored XSS at Mobile (Versions tab), resolved
706934, https://hackerone.com/reports/706934, Variant of CVE-2013-0269 (Denial of Service and Unsafe Object Creation Vulnerability in JSON), resolved
707006, https://hackerone.com/reports/707006, use after free in cookie.c, informative
707014, https://hackerone.com/reports/707014, Get-based SSRF limited to HTTP protocol on https://resizer.line-apps.com/form, resolved
707228, https://hackerone.com/reports/707228, Internal IP Address Disclosed, resolved
707231, https://hackerone.com/reports/707231, Account Takeover at vseapteki.ru, resolved
707406, https://hackerone.com/reports/707406, Team object in GraphQL disclosed of private programs via the industry, resolved
707433, https://hackerone.com/reports/707433, Disclosure of `payment_transactions` for programs via GraphQL query, resolved
707720, https://hackerone.com/reports/707720, Stored XSS vulnerability in comments on *.wordpress.com, resolved
707748, https://hackerone.com/reports/707748, Subdomain takeover on mta1a1.spmail.uber.com, resolved
708019, https://hackerone.com/reports/708019, Information disclousure by clicking on the link shown in http://████████/, resolved
708076, https://hackerone.com/reports/708076, Full Path disclosure on 500 error, informative
708081, https://hackerone.com/reports/708081, Reflected XSS on https://www.uber.com, resolved
708182, https://hackerone.com/reports/708182, IDOR позволяет изменить информацию о пользователе., resolved
708303, https://hackerone.com/reports/708303, Two-factor authentication (2FA) Bypass, not-applicable
708589, https://hackerone.com/reports/708589, Unsafe charts embedding implementation leads to cross-account stored XSS and SSRF, resolved
708592, https://hackerone.com/reports/708592, [█████] — DOM-based XSS on endpoint `/?s=`, resolved
708696, https://hackerone.com/reports/708696, Private target account appears in search results, resolved
708820, https://hackerone.com/reports/708820, Group search with Elastic search enable leaks unrelated data, resolved
708886, https://hackerone.com/reports/708886, looch.tv CORS crossite user information and stream_key access, resolved
708917, https://hackerone.com/reports/708917, Rate Limit Misconfiguration on tumblr login ., resolved
709000, https://hackerone.com/reports/709000, donationalerts.com limitations bypass, resolved
709072, https://hackerone.com/reports/709072, Null byte Injection in https://████/, resolved
709378, https://hackerone.com/reports/709378, Session is not expire after logout, resolved
709883, https://hackerone.com/reports/709883, Cross-account stored XSS at embedded charts, resolved
710006, https://hackerone.com/reports/710006, Elasticsearch leaks data through the notes scope, resolved
710368, https://hackerone.com/reports/710368, Publicly accessible .svn repository - aastraconf.packet8.net, resolved
710535, https://hackerone.com/reports/710535, Cross-account stored XSS at notes (through "swf" note parameter), resolved
710813, https://hackerone.com/reports/710813, Able to log in with default ██████g creds at  https█████████████████████.mil , resolved
710864, https://hackerone.com/reports/710864, Remote Code Execution in ██████, resolved
710996, https://hackerone.com/reports/710996, Nextcloud Clickjacking Vulnerability, duplicate
711075, https://hackerone.com/reports/711075, Blind SQL Injection in city-mobil.ru domain, resolved
712065, https://hackerone.com/reports/712065, Prototype pollution attack (lodash), resolved
712103, https://hackerone.com/reports/712103, SSRF in clients.city-mobil.ru, resolved
712318, https://hackerone.com/reports/712318, able to login into login.topechelon.com, resolved
712344, https://hackerone.com/reports/712344, [Bypass fixed #664038 and #519059] Application settings change settings that have been set by the user, resolved
712376, https://hackerone.com/reports/712376, URL is vulnerable to clickjacking, resolved
712979, https://hackerone.com/reports/712979, Creating malformed URLs via new line character in-between two URLs leads to misrepresented hyperlinks in Tweets/DMs, resolved
713006, https://hackerone.com/reports/713006, Keybase client (Windows 10): Write files anywhere in userland using relative path in "download attachement" feature, resolved
713285, https://hackerone.com/reports/713285, http request smuggling in pscp.tv and periscope.tv, resolved
713407, https://hackerone.com/reports/713407, ActiveStorage throws exception when using whitespace as filename, may lead to denial of service of multiple pages, resolved
713900, https://hackerone.com/reports/713900, Unauthenticated SSRF in jira.tochka.com leading to RCE in confluence.bank24.int, resolved
713975, https://hackerone.com/reports/713975, Only OpenSSL handles a CRL when passed in via CApath , informative
714024, https://hackerone.com/reports/714024, какой-то исходный код в корне сайта, resolved
714186, https://hackerone.com/reports/714186, Раскрытие чувствительной информации composer.lock  docker-compose.yml , resolved
714215, https://hackerone.com/reports/714215, curl on Windows can be forced to execute code via OpenSSL environment variables, informative
714521, https://hackerone.com/reports/714521, stripo.email reflected xss, resolved
714673, https://hackerone.com/reports/714673, [dobro.city-mobil.ru] Недостаточная аутентификация (доступ к панели администратора), resolved
715054, https://hackerone.com/reports/715054, China - IDOR on Reservation Staging/Non Production Site - https://reservation.stg.starbucks.com.cn, resolved
715192, https://hackerone.com/reports/715192, Private program disclosure via `vpn_suspended` GraphQL query, resolved
715413, https://hackerone.com/reports/715413, curl successfully matches IP address literal in URL against IP address literal in certificate Common Name, informative
715996, https://hackerone.com/reports/715996, http request smuggling in  twitter.com, duplicate
716448, https://hackerone.com/reports/716448, Unquoted Service Path in "Rockstar Game Library Service", resolved
716976, https://hackerone.com/reports/716976, Open redirect in semrush.com, resolved
717716, https://hackerone.com/reports/717716, Any user with access to program can resume and suspend HackerOne Gateway, resolved
717729, https://hackerone.com/reports/717729, Reporter, external users, collaborators can mark sent swag awarded to reporter as unsent, resolved
718241, https://hackerone.com/reports/718241, [git-lib] RCE via insecure command formatting, resolved
718852, https://hackerone.com/reports/718852, Norway - store.starbucks.no - CSRF on email change, resolved
719426, https://hackerone.com/reports/719426, File-drop content is visible through the gallery app, resolved
719631, https://hackerone.com/reports/719631, [Partial] SSN & [PII] exposed through iPERMs Presentation Slide., resolved
719856, https://hackerone.com/reports/719856, Prototype pollution in dot-prop, resolved
719875, https://hackerone.com/reports/719875, LFI through the MySQL connection, resolved
720306, https://hackerone.com/reports/720306, Docker image with FPM is vulnerable to CVE-2019-11043, resolved
720992, https://hackerone.com/reports/720992, [iot-hackathon.geekbrains.ru] Tilda Subdomain Takeover, resolved
721333, https://hackerone.com/reports/721333, Buffer Overflow in smblib.c, resolved
721341, https://hackerone.com/reports/721341, Information can be changed without a password, resolved
722145, https://hackerone.com/reports/722145, [CRITICAL] Sql Injection on http://axa.dxi.eu, resolved
722281, https://hackerone.com/reports/722281, Reflected XSS on http://axa.dxi.eu, resolved
722301, https://hackerone.com/reports/722301, Xss (cross site scripting) on http://axa.dxi.eu/, resolved
722327, https://hackerone.com/reports/722327, CVE-2019-11043: a buffer underflow in fpm_main.c can lead to RCE in php-fpm, resolved
722337, https://hackerone.com/reports/722337, Access to Tarantool, resolved
722748, https://hackerone.com/reports/722748, Bypass configured 2FA provider with another provider that can be set up at login, resolved
722919, https://hackerone.com/reports/722919, Unrestricted File Upload on https://app.lemlist.com, resolved
722977, https://hackerone.com/reports/722977, Reflected XSS on https://go.mail.ru/search?fr=mn&q=<payload>, resolved
723175, https://hackerone.com/reports/723175, De-anonymization Attack: Cross Site Information Leakage, resolved
723461, https://hackerone.com/reports/723461, [api.pandao.ru] IDOR for order delivery address, resolved
723974, https://hackerone.com/reports/723974, Bypass password reset rate limit protection at moneybird.com/passwords, resolved
724039, https://hackerone.com/reports/724039, Google Maps API key leaked during device pairing, resolved
724134, https://hackerone.com/reports/724134, Race condition with CURL_LOCK_DATA_CONNECT can cause connections to be used at the same time, informative
724153, https://hackerone.com/reports/724153, XSS (leads to arbitrary file read in Rocket.Chat-Desktop), resolved
724217, https://hackerone.com/reports/724217, tcpdump: CVE-2018-14879 - buffer overflow in tcpdump.c:get_next_file(), resolved
724243, https://hackerone.com/reports/724243, Tcpdump before 4.9.3 has a buffer over-read in print-802_11.c (CVE-2018-16227), resolved
724253, https://hackerone.com/reports/724253, Tcpdump before 4.9.3 has a buffer over-read in print-dccp.c:dccp_print_option() (CVE-2018-16229), resolved
724522, https://hackerone.com/reports/724522, Change the rating of any trip, therefore change the average driver rating, resolved
724599, https://hackerone.com/reports/724599, OS Command Injection in Nexus Repository Manager 2.x -- Bypass for Nexus Repository Manage 2.14.15-01 Command Injection fix, resolved
724889, https://hackerone.com/reports/724889, [www.zomato.com] Blind XSS on one of the Admin Dashboard, resolved
724944, https://hackerone.com/reports/724944, latest_activity_id and latest_activity_at may disclose information about internal activities to unauthorized users, resolved
725307, https://hackerone.com/reports/725307, Unchecked URL in attachment datasource, resolved
725569, https://hackerone.com/reports/725569, [IDOR] Attacker user can Approve/Decline AFK on the behalf of other users, resolved
725707, https://hackerone.com/reports/725707, Account Takeover at worki.ru, resolved
725711, https://hackerone.com/reports/725711, unauthorized access to add admin endpoint , resolved
726063, https://hackerone.com/reports/726063, Мини-уязвимость в обработке ссылок, resolved
726117, https://hackerone.com/reports/726117, SMB access smuggling via FILE URL on Windows, not-applicable
726163, https://hackerone.com/reports/726163, IDOR in https://moneybird.com/user/accountant_company/edit(change company name), resolved
726364, https://hackerone.com/reports/726364, Crash Node.js process from handlebars using a small and simple source, resolved
726765, https://hackerone.com/reports/726765, HTTP-Response-Splitting leads to information disclosure (email, firstname, lastname) at https://tz.mail.ru, resolved
726773, https://hackerone.com/reports/726773, HTTP Request Smuggling on https://labs.data.gov, resolved
727330, https://hackerone.com/reports/727330, Header modification results in disclosure of Slack infra metadata to unauthorized parties, resolved
727368, https://hackerone.com/reports/727368, [Bypass] Code injection to open redirect in https://insights.newrelic.com/accounts/2521182/dashboards/1026927, informative
727487, https://hackerone.com/reports/727487, Bypass Rate Limits on app.snapchat.com API Endpoint via X-Forwarded-For Header, resolved
727727, https://hackerone.com/reports/727727, Path traversal in filename in LINE Mac client, resolved
727870, https://hackerone.com/reports/727870, [www.yoti.com] Wordpress user admin information discloure, resolved
727974, https://hackerone.com/reports/727974, [pandao.ru] possibility to attach arbitrary phone number to account registered via social network, resolved
728004, https://hackerone.com/reports/728004, Clickjacking in the admin page, resolved
728040, https://hackerone.com/reports/728040, [meta-git] RCE via insecure command formatting, resolved
728047, https://hackerone.com/reports/728047, [git-promise] RCE via insecure command formatting, resolved
728110, https://hackerone.com/reports/728110, [HTAF4-213] [Pre-submission] CVE-2018-2879 (padding oracle attack in the Oracle Access Manager) at https://█████████, resolved
728664, https://hackerone.com/reports/728664, Cache poisoning DoS to various TTS assets, resolved
729040, https://hackerone.com/reports/729040, Shopify's SF and LA offices Dashboard Information disclosed via Public Gist, resolved
729064, https://hackerone.com/reports/729064, Отправка подарков/стикерпаков не теряя голоса., resolved
729341, https://hackerone.com/reports/729341, Double linking cause XSS (but blokeced by CSP in gitlab.com), not-applicable
730067, https://hackerone.com/reports/730067, Account TakeOver through password recovery at am.ru, resolved
730111, https://hackerone.com/reports/730111, [gity] RCE via insecure command formatting, resolved
730121, https://hackerone.com/reports/730121, [npm-git-publish] RCE via insecure command formatting, resolved
730239, https://hackerone.com/reports/730239, Filesystem Writes via `yarn install` via symlinks and tar transforms inside a crafted malicious package, resolved
730779, https://hackerone.com/reports/730779, HTTP header values do not have trailing OWS trimmed, resolved
730786, https://hackerone.com/reports/730786, CRLF Injection - http://stage.mackeeper.com/, resolved
730788, https://hackerone.com/reports/730788, CRLF Injection - http://stage-static-cdn.mackeeper.com/, resolved
730963, https://hackerone.com/reports/730963, Stored XSS в m.vk.com/video, resolved
731112, https://hackerone.com/reports/731112, XSS in https://mackeeper.com, resolved
731351, https://hackerone.com/reports/731351, No rate limiting on password reset page, resolved
731472, https://hackerone.com/reports/731472, CORS Misconfiguration, could lead to disclosure of sensitive information (translate.kromtech.com), resolved
731618, https://hackerone.com/reports/731618, Open Redirect on Greater Asia domains, resolved
731724, https://hackerone.com/reports/731724, Firebase Firestore insecure database, resolved
731733, https://hackerone.com/reports/731733, Reflected XSS (mackeeperapp2.mackeeper.com), resolved
732287, https://hackerone.com/reports/732287, RXSS on landings/land/3/ron_clean_17_app3_alerts/index.php (mackeeperapp3.mackeeper.com), resolved
732394, https://hackerone.com/reports/732394, RXSS on /landings/123.1/index.php (mackeeperapp.mackeeper.com), resolved
732415, https://hackerone.com/reports/732415, The authenticity_token can be reversed and used to forge valid per_form_csrf_tokens for arbitrary routes, resolved
732430, https://hackerone.com/reports/732430, Blind SQL Injection on news.mail.ru, resolved
732431, https://hackerone.com/reports/732431, Improper integrity protection of server-side encryption keys, resolved
732987, https://hackerone.com/reports/732987, Reflected XSS , resolved
733015, https://hackerone.com/reports/733015, RXSS on thankyou.pixels.php (yapi.mackeeper.com), resolved
733017, https://hackerone.com/reports/733017, CORS Misconfiguration Leads to Exposing User Data, resolved
733051, https://hackerone.com/reports/733051, The URL in "Choose a data source'' at "https://bi.owox.com/ui/settings/connected-services/setup/" is not filtered => reflected XSS., resolved
733148, https://hackerone.com/reports/733148, Reflected XSS on stage.mackeeper.com, resolved
733152, https://hackerone.com/reports/733152, RXSS on unsubscribe feature (affiliates.kromtech.com), resolved
733222, https://hackerone.com/reports/733222, stored xss in https://www.smule.com, resolved
733248, https://hackerone.com/reports/733248, Stored XSS in wordpress.com, resolved
733267, https://hackerone.com/reports/733267, [Portal 2] Remote Code Execution via voice packets, resolved
734418, https://hackerone.com/reports/734418, Open Redirect at https://store.mackeeper.com/767/cookie via redirectto parameter, resolved
734433, https://hackerone.com/reports/734433, XSS in https://affiliates.kromtech.com, resolved
734936, https://hackerone.com/reports/734936, SSO bypass in zendesk using trint organization able to leak internal ticket information, resolved
735748, https://hackerone.com/reports/735748, HTTP request smuggling using malformed Transfer-Encoding header, resolved
735971, https://hackerone.com/reports/735971, Слив какого-то access токена, resolved
736065, https://hackerone.com/reports/736065, IDOR редактирование любого вишлиста, resolved
736236, https://hackerone.com/reports/736236, [qiwi.me] Stored XSS, resolved
736272, https://hackerone.com/reports/736272, DOM-based XSS on mobile.line.me, resolved
736283, https://hackerone.com/reports/736283, open Firebase Database: msdict-dev.firebaseio.com, resolved
736863, https://hackerone.com/reports/736863, Bulgaria - Subdomain takeover of mail.starbucks.bg, resolved
736867, https://hackerone.com/reports/736867, SSRF protection bypass, resolved
737039, https://hackerone.com/reports/737039, OLD SESSION DOES NOT EXPIRE AFTER PASSWORD CHANGE, resolved
737042, https://hackerone.com/reports/737042, Password token leak via Host header, resolved
737161, https://hackerone.com/reports/737161, SSRF - URL Attachments - 725307 bypass, resolved
737163, https://hackerone.com/reports/737163, SSRF - Image Sources in HTML Snippets - 727234 bypass, resolved
737169, https://hackerone.com/reports/737169, Bypass email verification and create email template with the editor, resolved
737315, https://hackerone.com/reports/737315, 'X-Forwarded-Host' key used in input without sanitation - possible cache poisoning, resolved
737323, https://hackerone.com/reports/737323, Bypass front server restrictions and access to forbidden files and directories through X-Rewrite-Url/X-original-url header on account.mackeeper.com, resolved
737334, https://hackerone.com/reports/737334, Account verification bypass on translate.kromtech.com, resolved
737578, https://hackerone.com/reports/737578, Redirection through referer tag, resolved
737625, https://hackerone.com/reports/737625, Clickjacking on my.stripo.email for MailChimp credentials , informative
737695, https://hackerone.com/reports/737695, subdomain takeover at status0.stripo.email, resolved
737772, https://hackerone.com/reports/737772, [https://seosan.io] Account owner disclosure, resolved
738015, https://hackerone.com/reports/738015, SSRF - Office Documents - Image URL, resolved
738072, https://hackerone.com/reports/738072, XSS on product comments in transfers, resolved
738553, https://hackerone.com/reports/738553, SSRF in /cabinet/stripeapi/v1/siteInfoLookup?url=XXX, resolved
738565, https://hackerone.com/reports/738565,  SSL cookie without secure flag set, duplicate
738569, https://hackerone.com/reports/738569, No length on password, resolved
738615, https://hackerone.com/reports/738615, Multiple Vulnerabilities in (*www.yoti.com) - Leads to Leakage user admin Sensitive Exposure, resolved
738740, https://hackerone.com/reports/738740,  allods.mail.ru sql injection, resolved
738810, https://hackerone.com/reports/738810, HTML Injection @ /[restaurant]/order endpoint., resolved
738899, https://hackerone.com/reports/738899, Able to change password by entering wrong old password, resolved
739251, https://hackerone.com/reports/739251, Information disclosure via a misconfigured third-party product, resolved
739321, https://hackerone.com/reports/739321, User account compromised authentication bypass via oauth token impersonation, resolved
739601, https://hackerone.com/reports/739601, Reflected XSS, resolved
739737, https://hackerone.com/reports/739737, Token leak in security challenge flow allows retrieving victim's PayPal email and plain text password, resolved
739752, https://hackerone.com/reports/739752, IDOR в списке пользователей по домену в relap.io, resolved
739858, https://hackerone.com/reports/739858, Able to download any hosted content on AWS S3 bucket(stripo), resolved
739962, https://hackerone.com/reports/739962, SSRF in filtering on relap.io, resolved
740037, https://hackerone.com/reports/740037, Request smuggling on admin-official.line.me could lead to account takeover, resolved
740989, https://hackerone.com/reports/740989, Shopify Stocky App OAuth Misconfiguration, resolved
740999, https://hackerone.com/reports/740999, Reflected XSS, resolved
741439, https://hackerone.com/reports/741439, Unauthenticated Reflected Cross-Site Scripting on https://account.mackeeper.com/signin page, resolved
741549, https://hackerone.com/reports/741549, Lack of HTTPS in service communications, resolved
741683, https://hackerone.com/reports/741683, idor on upload profile functionality , resolved
741862, https://hackerone.com/reports/741862, Mail.Ru Email for Android: Injecting custom screen inside adding new account flow, resolved
742588, https://hackerone.com/reports/742588, Downgrade encryption scheme and break integrity through known-plaintext attack, resolved
743345, https://hackerone.com/reports/743345, HTML injection leads to reflected XSS, resolved
743505, https://hackerone.com/reports/743505, Improper confidentiality protection of server-side encryption keys, resolved
743518, https://hackerone.com/reports/743518, Pending MFA logins aren't immediatly expired after a password change, resolved
743524, https://hackerone.com/reports/743524, Hong Kong - Open Redirect on card.starbucks.com.hk, resolved
743545, https://hackerone.com/reports/743545, Bruteforce password recovery code, resolved
743643, https://hackerone.com/reports/743643, Firewall rules for ████████ can be bypassed to leak site authors, resolved
743687, https://hackerone.com/reports/743687, IDOR of users , resolved
744662, https://hackerone.com/reports/744662, Account Takeover worki.ru, resolved
744692, https://hackerone.com/reports/744692, The login of Hotor Not is Vulnerable to bruteforce., resolved
745276, https://hackerone.com/reports/745276, Dragonblood: Design and Implementation Flaws in WPA3 and EAP-pwd, resolved
745447, https://hackerone.com/reports/745447, Steam chat - trade offer presentation vulnerability, resolved
745495, https://hackerone.com/reports/745495, Unauthenticated users can access all food.grammarly.io user's data, resolved
745921, https://hackerone.com/reports/745921, Code Injection Bug Report, resolved
745938, https://hackerone.com/reports/745938, Boolean-based SQL Injection on relap.io, resolved
745953, https://hackerone.com/reports/745953, Camo Image Proxy Bypass with CSS Escape Sequences, resolved
746000, https://hackerone.com/reports/746000, Subdomain Takeover Via via Dangling NS records on Amazon Route 53 http://api.e2e-kops-aws-canary.test-cncf-aws.canary.k8s.io, resolved
746003, https://hackerone.com/reports/746003, DoS on the Direct Messages, resolved
746024, https://hackerone.com/reports/746024, SSRF on music.line.me through getXML.php, resolved
746186, https://hackerone.com/reports/746186, Leak of authorization urls leads to account takeover, resolved
746497, https://hackerone.com/reports/746497, [https://city-mobil.ru/taxiserv] Blind XSS into username, resolved
746505, https://hackerone.com/reports/746505, [panel.city-mobil.ru/admin/] Blind XSS into username, resolved
746513, https://hackerone.com/reports/746513, [https://city-mobil.ru/taxiserv] IDOR leads to information disclosure, resolved
746541, https://hackerone.com/reports/746541, SSRF on local storage of iOS mobile, resolved
746733, https://hackerone.com/reports/746733, Remotely trigger an assertion on a TLS server with a malformed certificate string, resolved
746766, https://hackerone.com/reports/746766, Two out-of-bounds array reads in Python AST builder (Re-opening 520612 with CVEs), resolved
746786, https://hackerone.com/reports/746786, Disclosure of locally served nerdpacks due to nr-local.net CORS policy misconfiguration, resolved
747612, https://hackerone.com/reports/747612, [city-mobil.ru/taxiserv/] Disclosure  information about drivers, resolved
747726, https://hackerone.com/reports/747726, Bypassing Passcode/Device credentials, resolved
747825, https://hackerone.com/reports/747825, [blog.makerdao.com] Multiple Vulnerabilities - Leads to leakage user admin sensitive exposure, informative
747829, https://hackerone.com/reports/747829, xmlrpc.php file is enable it will used for (Denial of Service) and bruteforce attack, duplicate
748069, https://hackerone.com/reports/748069, SSRF on fleet.city-mobil.ru leads to local file read, resolved
748123, https://hackerone.com/reports/748123, SSRF & LFR via on city-mobil.ru, resolved
748128, https://hackerone.com/reports/748128, SSRF & LFR on city-mobil.ru, resolved
748375, https://hackerone.com/reports/748375, Transferring a public group to a private group doesn't remove code from the Elastichsearch API search result, resolved
748538, https://hackerone.com/reports/748538, tracker.my.com information disclosure via csrf bypass, resolved
748765, https://hackerone.com/reports/748765, [Total.js] Path traversal vulnerability allows to read files outside public directory, resolved
748903, https://hackerone.com/reports/748903, Unrestricted file upload in www.semrush.com > /my_reports/api/v1/upload/image, resolved
748925, https://hackerone.com/reports/748925, Possible tokens leak on ws-app.city-mobil.ru, resolved
749338, https://hackerone.com/reports/749338, Open Redirect in secure.showmax.com, resolved
749677, https://hackerone.com/reports/749677, Mirror of https://city-mobil.ru admin interface, resolved
749887, https://hackerone.com/reports/749887, relap.io IDOR, resolved
750118, https://hackerone.com/reports/750118, Local Privilege escalation to root via XPC, resolved
751263, https://hackerone.com/reports/751263, [https://fleet.city-mobil.ru] Stored XSS into driver mailing, resolved
751281, https://hackerone.com/reports/751281, [city-mobil.ru/taxiserv/] IDOR leads to driver account takeover, resolved
751284, https://hackerone.com/reports/751284, Reflected XSS in https://lite.pubg.com, resolved
751299, https://hackerone.com/reports/751299, Improper Authorization, resolved
751347, https://hackerone.com/reports/751347, [fleet.city-mobil.ru] Driver balance increasing, resolved
751577, https://hackerone.com/reports/751577, IDOR allow access to payments data of any user, resolved
751581, https://hackerone.com/reports/751581, Password Reset Link Leaked In Refer Header In Request To Third Party Sites , resolved
751604, https://hackerone.com/reports/751604, No Rate Limit On Forgot Password Page Of NordVPN, resolved
751699, https://hackerone.com/reports/751699, NR-wide cross account access through misconfigured CORS-policy of multiple endpoints, resolved
751876, https://hackerone.com/reports/751876, Version problem in wordpress leads to the many vulnearability, resolved
751904, https://hackerone.com/reports/751904, Zomato Map server going out of memory while resizing map image, not-applicable
752010, https://hackerone.com/reports/752010, DoS of https://nordvpn.com/ via CVE-2018-6389 exploitation, resolved
752042, https://hackerone.com/reports/752042, Content Injection on api.semrush.com to Reflected XSS, resolved
752073, https://hackerone.com/reports/752073, xmlrpc.php FILE IS enable it will used for Bruteforce attack and Denial of Service(DoS), resolved
752353, https://hackerone.com/reports/752353, Anonymous file drop page ignores user profile visibility restrictions, resolved
752402, https://hackerone.com/reports/752402, Connection informaton is sent to a third-party service, resolved
753399, https://hackerone.com/reports/753399, Open redirect, resolved
753491, https://hackerone.com/reports/753491, DoS of https://blog.yelp.com/ and other WP instances via CVE-2018-6389, informative
753567, https://hackerone.com/reports/753567, XSS in select attribute options, resolved
753725, https://hackerone.com/reports/753725, Disclosure of User Information, resolved
753835, https://hackerone.com/reports/753835, Reflected XSS at https://www.paypal.com/ppcreditapply/da/us, resolved
753868, https://hackerone.com/reports/753868, Insecure Storage and Overly Permissive  API Keys in Android App, resolved
753939, https://hackerone.com/reports/753939, HTTP SMUGGLING EXPOSED HMAC/DOS , resolved
753971, https://hackerone.com/reports/753971, [htmr] DOM-based XSS, resolved
754025, https://hackerone.com/reports/754025, SSRF in Export template to ActiveCampaign, resolved
754352, https://hackerone.com/reports/754352, Stored XSS on Wordpress 5.3 via Title Post, not-applicable
754536, https://hackerone.com/reports/754536, Mail.Ru Top - Website Counter Bruteforcing, resolved
755322, https://hackerone.com/reports/755322, Stored XSS on https://community.my.games/ (Add Post), resolved
755354, https://hackerone.com/reports/755354, Prevent XSS when passing a parameter directly into link_to , informative
755679, https://hackerone.com/reports/755679, Timeline Editor Self-XSS (Previous Fix #738072 Incomplete), resolved
756149, https://hackerone.com/reports/756149, Blind SSRF on debug.nordvpn.com due to misconfigured sentry instance, resolved
756182, https://hackerone.com/reports/756182, Potential leak of server side software at repogohi.nordvpn.com, resolved
756697, https://hackerone.com/reports/756697, RXSS to Stored XSS - forums.pubg.com | URL parameter, resolved
756729, https://hackerone.com/reports/756729, Stored XSS in Shopify Chat , resolved
756833, https://hackerone.com/reports/756833, Public available Sensitive Information about drivers, not-applicable
756879, https://hackerone.com/reports/756879, Leak Sensetive Data at face.city-mobil.ru, resolved
757100, https://hackerone.com/reports/757100, HTML injection at face.city-mobil.ru, resolved
757957, https://hackerone.com/reports/757957, Restricted user can manage the NerdGraph entities' tags, resolved
758002, https://hackerone.com/reports/758002, Markdown parsing issue enables insertion of malicious tags, resolved
758380, https://hackerone.com/reports/758380, Host header injection/redirection | signup and login page, duplicate
758401, https://hackerone.com/reports/758401, API method at api.my.games allows to enumerate user emails, resolved
758445, https://hackerone.com/reports/758445, HTTP Smuggling multiple issues in Squid 3.x & squid 4.x, resolved
758642, https://hackerone.com/reports/758642, Stored XSS in calendar via UID parameter, resolved
758785, https://hackerone.com/reports/758785, CORS Misconfiguration on nordvpn.com leading to Private Information Disclosure,Account takeover, duplicate
758854, https://hackerone.com/reports/758854, Reflected Xss, resolved
758948, https://hackerone.com/reports/758948, Blind SSRF на calendar.mail.ru при импорте календаря, resolved
758978, https://hackerone.com/reports/758978, XXE на webdav.mail.ru -  PROPFIND/PROPPATCH, resolved
759090, https://hackerone.com/reports/759090, XSS via POST request to https://account.mail.ru/signup/, resolved
759131, https://hackerone.com/reports/759131, Stored XSS in template comments., resolved
759133, https://hackerone.com/reports/759133, Tabnabbing in template comments - stripo.email, resolved
759247, https://hackerone.com/reports/759247, Race Condition allows to redeem multiple times gift cards which leads to free "money", resolved
759418, https://hackerone.com/reports/759418, Reflected Xss  https://██████/, resolved
759454, https://hackerone.com/reports/759454, Helpdesk Takeover at dmc.datastax.com, resolved
760484, https://hackerone.com/reports/760484, Upload directory of Mtn.co.sz has listing enabled, resolved
760595, https://hackerone.com/reports/760595, Customer domain information disclosure at https://biz.mail.ru/api/domains/*, resolved
761000, https://hackerone.com/reports/761000, Account Take over of millions of  MTN users account due to lack of Rate limiting when sending OTP code, resolved
761158, https://hackerone.com/reports/761158, SharePoint exposed web services in a  subdomain, resolved
761218, https://hackerone.com/reports/761218, Adds CodeQL query to check for insecure RequestValidationMode in ASP.NET, resolved
761219, https://hackerone.com/reports/761219, CodeQL query to detect pages with validationRequest disabled, resolved
761220, https://hackerone.com/reports/761220, CodeQL query to detect insecure MaxLengthRequest values in ASP.NET applications, resolved
761304, https://hackerone.com/reports/761304,  SQL Injection on cookie parameter, resolved
761329, https://hackerone.com/reports/761329, Update App Store: Django account high jacking vulnerability, resolved
761382, https://hackerone.com/reports/761382, stripo blog search  SQL Injection, resolved
761463, https://hackerone.com/reports/761463, Reflected XSS with WAF Bypass https://pw.mail.ru, resolved
761573, https://hackerone.com/reports/761573, Cross-Site Scripting through search form on mtnplay.co.zm, resolved
761617, https://hackerone.com/reports/761617, Information Disclosure FrontPage Configuration Information /_vti_inf.html in https://www.mtn.co.za/, resolved
761655, https://hackerone.com/reports/761655, Account takeover at geekbrains.ru, resolved
761790, https://hackerone.com/reports/761790, Leaked DB credentials on https://██████████.mil/███, resolved
761904, https://hackerone.com/reports/761904, Self-XSS to Good-XSS - pornhub.com, resolved
761975, https://hackerone.com/reports/761975, Keychain data persistence may lead to account takeover, resolved
762118, https://hackerone.com/reports/762118, Upload directory of Mtn.ci, resolved
762121, https://hackerone.com/reports/762121, Follow by email allows for following by unverified emails, resolved
762251, https://hackerone.com/reports/762251, Singapore - XXE at https://www.starbucks.com.sg/RestApi/soap11, resolved
762271, https://hackerone.com/reports/762271, Guest users can change the confidentiality attribute on those issues that have been assigned to them, resolved
762510, https://hackerone.com/reports/762510, How the Bug stole hacking, resolved
762695, https://hackerone.com/reports/762695, India - OTP bypass on Phone number verification for account creation, resolved
763058, https://hackerone.com/reports/763058, through %09 Character the attacker is able to steal Github Token [ Account Takeover ], resolved
763258, https://hackerone.com/reports/763258, information disclosure via IDOR on "https://target.my.com/api/v2/coverage/segment.json?id={id}" endpoint, resolved
763403, https://hackerone.com/reports/763403, [GoldSrc] RCE via malformed BSP file, resolved
763458, https://hackerone.com/reports/763458, Email verification bypasa, resolved
763812, https://hackerone.com/reports/763812, Stored XSS | api.mapbox.com | IE 11 | Styles name, resolved
763994, https://hackerone.com/reports/763994, Disclose Any Store products, Files, Purchase Orders Via Email through Shopify Stocky APP , resolved
764122, https://hackerone.com/reports/764122, No Rate Limiting on /reset-password-request/ endpoint, resolved
764243, https://hackerone.com/reports/764243, API - Amazon S3 bucket misconfiguration, resolved
764335, https://hackerone.com/reports/764335, Bypass to report #280389 [Thinking The issue is not fixed Yet], resolved
764434, https://hackerone.com/reports/764434, profile-picture name parameter with large value lead to DoS for other users and programs on the platform, resolved
764517, https://hackerone.com/reports/764517, SSRF leads to internal port scan, resolved
764558, https://hackerone.com/reports/764558, Account Takeover with old password and login QR, informative
764725, https://hackerone.com/reports/764725, [http-live-simulator] Application-level DoS, resolved
764731, https://hackerone.com/reports/764731, Publicly accessible Grafana install allows pivoting to Prometheus datasource, resolved
764935, https://hackerone.com/reports/764935, Stored XSS in Review Section https://games.mail.ru/, resolved
765031, https://hackerone.com/reports/765031, Week Passwords generated by password reset function, resolved
765227, https://hackerone.com/reports/765227, Potential Open-Redirection, not-applicable
765291, https://hackerone.com/reports/765291, Remote code execution via path traversal in Zip extraction in the Extract app, resolved
765318, https://hackerone.com/reports/765318, my.stripo.emai email verification bypassed and also create email templates, resolved
765355, https://hackerone.com/reports/765355, Modify account details by exploiting clickjacking vulnerability on refer.wordpress.com, resolved
765565, https://hackerone.com/reports/765565, Cross-account reading of Insights dashboards through GraphQL, resolved
765664, https://hackerone.com/reports/765664, Heap Buffer Overflow (READ of size 1) in ourWriteOut, informative
765825, https://hackerone.com/reports/765825, Git repo on https://██████.mil/ discloses API password, resolved
765955, https://hackerone.com/reports/765955, Clickjacking at join.nordvpn.com, resolved
766145, https://hackerone.com/reports/766145, Restricted user can remove NerdStorage documents/collections scoped to ACCOUNT or ENTITY, resolved
766205, https://hackerone.com/reports/766205, csrf bypass using flash file + 307 redirect method at plugins endpoint, resolved
766346, https://hackerone.com/reports/766346, API Keys Hardcoded in Github repository, resolved
766404, https://hackerone.com/reports/766404, MK Site Cross-Site Scripting (XSS) in script context, resolved
766434, https://hackerone.com/reports/766434, Blind XSS Stored On Admin Panel Through Name Parameter In [ https://technoatom.mail.ru/], resolved
766437, https://hackerone.com/reports/766437, Thailand - Insecure Direct Object Reference permits an unauthorized user to transfer funds from a victim using only the victims Starbucks card, resolved
766533, https://hackerone.com/reports/766533, CSRF - Modify Project Settings, resolved
766578, https://hackerone.com/reports/766578, Absence of Token expiry leads to Unauthorized login Access, resolved
766633, https://hackerone.com/reports/766633, XSS reflected on [https://www.pixiv.net], resolved
766770, https://hackerone.com/reports/766770, China - Leaked credentials permitted a limited ability to create Starbucks coupons and cards, resolved
766892, https://hackerone.com/reports/766892, [myMail Android] Access to protected app components via RegistrationPhoneActivity, resolved
766963, https://hackerone.com/reports/766963, Potential linkage of public/private (anonymous) node addresses, resolved
767066, https://hackerone.com/reports/767066, Information Disclosure Microsoft IIS Server service.cnf in a mtn website, resolved
767458, https://hackerone.com/reports/767458, User input validation can lead to DOS, resolved
767468, https://hackerone.com/reports/767468, Ability to find out the name of the database table and its columns, resolved
767647, https://hackerone.com/reports/767647, Vulnerabilities chain leading to privilege escalation, resolved
767765, https://hackerone.com/reports/767765, Account Takeover because of the mis-configuration on the Password Reset Page, resolved
768110, https://hackerone.com/reports/768110, Race condition (TOCTOU) in NordVPN can result in local privilege escalation, resolved
768151, https://hackerone.com/reports/768151, Bypassing CORS Misconfiguration Leads to Sensitive Exposure, resolved
768266, https://hackerone.com/reports/768266, Public instance of Jenkins on https://██████████/ with /script enabled, resolved
768313, https://hackerone.com/reports/768313, Cross Site Scripting (XSS) Stored - Private messaging, resolved
768322, https://hackerone.com/reports/768322, Remote Code Execution (Reverse Shell) - File Manager, resolved
768327, https://hackerone.com/reports/768327, Unauthenticated HTML Injection Stored - ContactUs form, resolved
768345, https://hackerone.com/reports/768345, Korea - Reflected XSS on https://www.istarbucks.co.kr/app/getGiftStock.do via "skuNo" and "skuImgUrl" parameters, resolved
768574, https://hackerone.com/reports/768574, Denial Of Service in Strapi Framework using argument injection, resolved
768677, https://hackerone.com/reports/768677, lack of input validation that can lead Denial of Service (DOS), resolved
769014, https://hackerone.com/reports/769014, [GoldSrc] RCE via 'spk' Console Command, resolved
769016, https://hackerone.com/reports/769016, sdrc.starbucks.com - Information Disclosure via unsecured attachment directory, resolved
769058, https://hackerone.com/reports/769058, CORS misconfiguration which leads to the disclosure of certain data concerning the user., resolved
769335, https://hackerone.com/reports/769335, XSS на сайте https://warofdragons.my.games/., resolved
769716, https://hackerone.com/reports/769716, xmlrpc.php FILE IS enable it can be used for conducting a Bruteforce attack and Denial of Service(DoS), not-applicable
769998, https://hackerone.com/reports/769998, Theme Assets uploader allows HTML content, resolved
770190, https://hackerone.com/reports/770190, Unexpected access to process open files via file:///proc/self/fd/n, informative
770209, https://hackerone.com/reports/770209, Unauthorized user can obtain `report_sources` attribute through Team GraphQL object, resolved
770349, https://hackerone.com/reports/770349, Reflected XSS in twitterflightschool.com, resolved
770504, https://hackerone.com/reports/770504, Bypass Password Authentication for updating email and phone number - Security Vulnerability, resolved
770508, https://hackerone.com/reports/770508, Dos  https://iandunn.name/ via CVE-2018-6389 exploitation, not-applicable
770513, https://hackerone.com/reports/770513, Reflected xss on 8x8.com subdomain, resolved
770548, https://hackerone.com/reports/770548, Insecure OAuth redirection at [admin.8x8.vc], resolved
770557, https://hackerone.com/reports/770557, Insecure storage of private files, resolved
770711, https://hackerone.com/reports/770711, Forbidden access to https://apps-staging.pingone.com but "/packages.json" visible and full path disclosure, resolved
771028, https://hackerone.com/reports/771028, No valid SPF record not found, duplicate
771382, https://hackerone.com/reports/771382, SSRF & unrestricted file upload on https://my.stripo.email/, resolved
771465, https://hackerone.com/reports/771465, Open redirect bypass &  SSRF Security Vulnerability, resolved
771596, https://hackerone.com/reports/771596, CRLF Injection in legacy url API (url.parse().hostname), informative
771699, https://hackerone.com/reports/771699, Open redirect on https://account.mackeeper.com, resolved
771882, https://hackerone.com/reports/771882, Хранимый XSS в Business-аккаунте, на странице компании, resolved
771977, https://hackerone.com/reports/771977, nordvpn Linux Desktop executable application does not use pie / no ASLR, informative
772039, https://hackerone.com/reports/772039, Same site Scripting , resolved
772118, https://hackerone.com/reports/772118, [c-api.city-mobil.ru] Client authentication bypass leads to information disclosure, resolved
772448, https://hackerone.com/reports/772448, [blamer] RCE via insecure command formatting, resolved
772509, https://hackerone.com/reports/772509, [node-downloader-helper] Path traversal via Content-Disposition header, resolved
772744, https://hackerone.com/reports/772744, Unsafe cors sharing of admin users , resolved
772778, https://hackerone.com/reports/772778, Disclosure of Users Information On Wordpress Api  [https://jitsi.org/], resolved
772886, https://hackerone.com/reports/772886, Password Reset Link Works Multiple Times, resolved
773313, https://hackerone.com/reports/773313, Port and service scanning on localhost due to improper URL validation., not-applicable
773519, https://hackerone.com/reports/773519, Account TakeOver at my.33slona.ru, resolved
773571, https://hackerone.com/reports/773571, Local Privilege Escalation on Dropbox Desktop for Windows, duplicate
773888, https://hackerone.com/reports/773888, xmlrpc.php file enabled, resolved
774050, https://hackerone.com/reports/774050, No rate limiting for confirmation email lead to email flooding, resolved
774393, https://hackerone.com/reports/774393, Web Server Predictable Session ID on EdgeSwitch , resolved
774792, https://hackerone.com/reports/774792, Reflected cross-site scripting vulnerability on a DoD website, resolved
774872, https://hackerone.com/reports/774872, Configuartion [Sensitive] Information Disclosure, informative
774883, https://hackerone.com/reports/774883, Division by zero if terminal width is 2, informative
774896, https://hackerone.com/reports/774896, Kubelet resource exhaustion attack via metric label cardinality explosion from unauthenticated requests, resolved
775504, https://hackerone.com/reports/775504, Exposed debug.log file leads to information disclosure, informative
775531, https://hackerone.com/reports/775531, No valid SPF record found, not-applicable
775693, https://hackerone.com/reports/775693, Reflected XSS on www/delivery/afr.php, resolved
776017, https://hackerone.com/reports/776017, Half-Blind SSRF found in kube/cloud-controller-manager can be upgraded to complete SSRF (fully crafted HTTP requests) in vendor managed k8s service., resolved
776371, https://hackerone.com/reports/776371, [chart.js] Prototype pollution, resolved
776449, https://hackerone.com/reports/776449, Restricted user can update Apdex target for applications by leveraging the GraphQL mutation, resolved
776461, https://hackerone.com/reports/776461,  Username enumeration via Openssh 7.6, informative
776634, https://hackerone.com/reports/776634, [H1-415 2020] CTF Writeup, resolved
776684, https://hackerone.com/reports/776684, [h1-415 2020] My writeup on how to retrieve the special secret document, resolved
776699, https://hackerone.com/reports/776699, [h1-415 2020] Solution for h1415's CTF challenge, resolved
776932, https://hackerone.com/reports/776932, UI Redressing (Clickjacking) vulnerability , informative
777099, https://hackerone.com/reports/777099, [h1-415 2020] I got the flag, resolved
777241, https://hackerone.com/reports/777241, [h1-415 2020] Multiple chained vulnerabilities lead to leaking secret document, resolved
777274, https://hackerone.com/reports/777274, DoS of https://blog.makerdao.com/ via CVE-2018-6389, informative
777279, https://hackerone.com/reports/777279, xmlrpc.php FILE IS enable it will used for Bruteforce attack , informative
777942, https://hackerone.com/reports/777942, Unrestricted access to any "connected pack" on docs, resolved
777957, https://hackerone.com/reports/777957, OTP bypass - Unintended disclosure of OTP to client allows attacker to manage users' subscriptions, resolved
777984, https://hackerone.com/reports/777984, Denial of Service with Cookie Bomb, resolved
778314, https://hackerone.com/reports/778314, [xss] passrestore на m/touch/tel, resolved
778414, https://hackerone.com/reports/778414, [klona] Prototype pollution, resolved
778610, https://hackerone.com/reports/778610, Squid as reverse proxy RCE and data leak, resolved
778629, https://hackerone.com/reports/778629, (Critical) Remote Code Execution Through Old TinyMCE upload bypass, resolved
778803, https://hackerone.com/reports/778803, Compromise of auth via subset/superset namespace names., resolved
778834, https://hackerone.com/reports/778834, OOB read in php_strip_tags_ex, resolved
778931, https://hackerone.com/reports/778931, Source code disclosed via S3 Bucket, not-applicable
779113, https://hackerone.com/reports/779113, [h1-415 2020] @_bayotop h1-415-ctf writeup, resolved
779442, https://hackerone.com/reports/779442, Subdomain takeover of storybook.lystit.com, resolved
779656, https://hackerone.com/reports/779656, Multiple Vulnerabilities in (*.blog.yelp.com) - Leakage user admin Sensitive Exposure, informative
779908, https://hackerone.com/reports/779908, Stored-Xss at connect.topcoder.com/projects/ affected on project chat members, resolved
779910, https://hackerone.com/reports/779910, [h1-415 2020] finally, resolved
780021, https://hackerone.com/reports/780021, Korea - LFI via path traversal at https://msr.istarbucks.co.kr:6443/appif/, resolved
780167, https://hackerone.com/reports/780167, Hidden scheduled partner events are propagated to Steam clients in CMsgClientClanState, resolved
780277, https://hackerone.com/reports/780277, Reflected XSS via XML Namespace URI on https://go.mapbox.com/index.php/soap/, resolved
780285, https://hackerone.com/reports/780285, [h1-415 2020] H1-415 CTF Writeup by W--, resolved
780632, https://hackerone.com/reports/780632, Html Injection and Possible XSS in main nordvpn.com domain, resolved
780676, https://hackerone.com/reports/780676, [h1-415 2020] I found Joberts missing file!, resolved
781150, https://hackerone.com/reports/781150, HackerOne Pentesters can access any structured scope object through GraphQL node interface, resolved
781175, https://hackerone.com/reports/781175, Unauthenticated users can obtain information about Checklist objects with unclaimed ChecklistCheck objects, resolved
781238, https://hackerone.com/reports/781238, User data not anonymized is sent to analytics server, resolved
781265, https://hackerone.com/reports/781265, [h1-415 2020] Spent a week and failed at solving the last step., resolved
781281, https://hackerone.com/reports/781281, [h1-415 2020] Chain of vulnerabilities leading to account takeover and unauthorized access of sensitive internal resources, resolved
781282, https://hackerone.com/reports/781282, XSS via HTTP request version in account.my.games, resolved
781284, https://hackerone.com/reports/781284, Cross Site Scripting via CVE-2018-5230 on https://apps.topcoder.com, resolved
781295, https://hackerone.com/reports/781295, [h1-415 2020] SSRF in a headless chrome with remote debugging leads to sensible information leak, resolved
781325, https://hackerone.com/reports/781325, Out-of-bounds Read in php_strip_tags_ex, resolved
781614, https://hackerone.com/reports/781614, subdomain takeover at status-stage0.stripo.email, resolved
781664, https://hackerone.com/reports/781664, Several simple remote code execution in pdf-image, resolved
781673, https://hackerone.com/reports/781673, Accepting error message on twitter sends you to attacker site, resolved
781718, https://hackerone.com/reports/781718, Open redirect affecting  m.rockstargames.com/, resolved
782562, https://hackerone.com/reports/782562, open redirect at https://account.mackeeper.com/auth/signin/continue via improper uri sanitization, resolved
782703, https://hackerone.com/reports/782703, Account owner/admin can't actually delete personal users' API keys, resolved
782764, https://hackerone.com/reports/782764, xss in /users/[id]/set_tier endpoint, resolved
782979, https://hackerone.com/reports/782979, Information disclosure through Server side resource forgery, informative
783117, https://hackerone.com/reports/783117, IDOR at https://account.mackeeper.com/at/load-reports/profile/<profile_id> leaks information about devices/licenses, resolved
783191, https://hackerone.com/reports/783191, Clickjacking to change email address, resolved
783258, https://hackerone.com/reports/783258, 2-factor authentication can be disabled when logged in without confirming account password, resolved
783332, https://hackerone.com/reports/783332, Singapore - IDOR in campaign.starbucks.com.sg, resolved
783356, https://hackerone.com/reports/783356, The password limit is not set, [DoS]., resolved
783360, https://hackerone.com/reports/783360, Open memory dump method leaking customer information ,secret keys , password , source code & admin accounts, resolved
783392, https://hackerone.com/reports/783392, SSRF in img.lemlist.com that leads to Localhost Port Scanning, resolved
783622, https://hackerone.com/reports/783622, Coupon codes indexed by Google, resolved
783688, https://hackerone.com/reports/783688, Ability to buy PRO subscriptions by arbitrary reduced prices, resolved
783708, https://hackerone.com/reports/783708, IDOR in semrush academy, resolved
783807, https://hackerone.com/reports/783807, Multiple Information Disclosure with Go PPROF on api-ne.mackeeper.com, resolved
783852, https://hackerone.com/reports/783852, Nginx version is disclosed in HTTP response, duplicate
783877, https://hackerone.com/reports/783877, Remote Code Execution in Slack desktop apps + bonus, resolved
783993, https://hackerone.com/reports/783993, CSS Injection on static.mackeeper.com - Potential XSS, resolved
784101, https://hackerone.com/reports/784101, Image Injection vulnerability in www.rockstargames.com/IV/screens/1280x720Image.html, resolved
784186, https://hackerone.com/reports/784186, napi_get_value_string_X allow various kinds of memory corruption, resolved
784676, https://hackerone.com/reports/784676, iOS app crashed by specially crafted direct message reactions, resolved
784714, https://hackerone.com/reports/784714, Relative Path Vulnerability Results in Arbitrary Command Execution/Privilege Escalation, resolved
784989, https://hackerone.com/reports/784989, [xss] перенаправление со старых url в почте, resolved
785243, https://hackerone.com/reports/785243, Twitter Source Label allow 'mongolian vowel separator' U+180E (app name), resolved
785384, https://hackerone.com/reports/785384, Blind SSRF on [relap.io], resolved
785577, https://hackerone.com/reports/785577, Improper generating of access link at go.larksuite.com leads to access to other organizations/users' private data, resolved
785866, https://hackerone.com/reports/785866, Wordpress directories/files visible to internet, resolved
786109, https://hackerone.com/reports/786109, Attacker can create new account inside any partnership with no approve from the Partnership owner, resolved
786238, https://hackerone.com/reports/786238, Reflected XSS on https://www.semrush.com/my_reports/externalSource/callback/googleAccountsGMB, resolved
786301, https://hackerone.com/reports/786301, Stored XSS in Name of Team Member Invitation, duplicate
786609, https://hackerone.com/reports/786609, warofdragons.my.games: configuration files with database account are accessible, resolved
786956, https://hackerone.com/reports/786956, Server Side Request Forgery in Uppy npm module, resolved
786976, https://hackerone.com/reports/786976, HTML injection in email content, resolved
787054, https://hackerone.com/reports/787054, Reflected xss on mackeeper.com, resolved
787160, https://hackerone.com/reports/787160, Referer Leakage Vulnerability in  socialclub.rockstargames.com/crew/ leads to FB'S OAuth token theft., resolved
787179, https://hackerone.com/reports/787179, Application level DoS via xmlrpc.php , resolved
787240, https://hackerone.com/reports/787240, Thumbor misconfiguration at blogapi.uber.com can lead to DoS, resolved
787815, https://hackerone.com/reports/787815, [garnier-olia.lady.mail.ru] Reflected XSS /exp/ bypass "/", resolved
787886, https://hackerone.com/reports/787886, Ability to run monitors' jobs of other accounts and to read these jobs content (including the secure credentials values), resolved
787955, https://hackerone.com/reports/787955, PII of Users Disclosure using "/members/invite/" endpoint, resolved
788257, https://hackerone.com/reports/788257, "Secure View" aka "Hide Download" can be bypassed easily, resolved
788420, https://hackerone.com/reports/788420, Authorization for wp-admin directory are vulnerable to brute force., resolved
788499, https://hackerone.com/reports/788499, Secure credentials values disclosure to regular users due to access control issue in monitor creating function, resolved
788691, https://hackerone.com/reports/788691, XSS - Guard - Insufficient escaping of User-IDs from PGP Keys, resolved
788752, https://hackerone.com/reports/788752, [Mail.Ru for Android] Replacing  "Add filter" screen by malicious screen, resolved
788883, https://hackerone.com/reports/788883, [nested-property] Prototype Pollution, resolved
789034, https://hackerone.com/reports/789034, Buffer Overflow in ext_lm_group_acl helper, resolved
789245, https://hackerone.com/reports/789245, Stored XSS at branded site in .mail.ru domain, resolved
789260, https://hackerone.com/reports/789260, Past payments using the Direct Debit method keep subscriptions active even if payments fail, resolved
789305, https://hackerone.com/reports/789305, Bypassing Protection Mechanism: Change of Account Name after Session Log out , informative
789370, https://hackerone.com/reports/789370, [com.smule.autorap.*] Cloud Messaging/Push Notification service takeover due to clear-text usage of Legacy FCM Server keys in the client app , resolved
789388, https://hackerone.com/reports/789388, Accessible Restricted directory on [bcm-bcaw.mtn.cm], resolved
789418, https://hackerone.com/reports/789418, Strored Xss on https://my.stripo.email/ ( multiple inputs), resolved
789579, https://hackerone.com/reports/789579, ActiveStorage direct upload fails to sign content-length header for S3 service, resolved
789652, https://hackerone.com/reports/789652, Reflected-XSS on https://www.topcoder.com/tc via pt parameter, resolved
789689, https://hackerone.com/reports/789689, XSS at https://www.glassdoor.com/Salary/* via filter.jobTitleExact, resolved
789803, https://hackerone.com/reports/789803, Disclosure of Co-Rider user (Uber-pooling) profile picture at Amazon AWS Cloudfront within HTTP RESPONSE , resolved
790061, https://hackerone.com/reports/790061, Site wide CSRF affecting both job seeker and Employer account on glassdoor.com, resolved
790115, https://hackerone.com/reports/790115, Reflected xss, resolved
790465, https://hackerone.com/reports/790465, Image Injection/XSS vulnerability affecting https://www.rockstargames.com/newswire/article, resolved
790623, https://hackerone.com/reports/790623, [sirloin] Web Server Directory Traversal via Crafted GET Request, resolved
790634, https://hackerone.com/reports/790634, When you call your branch the same name as a git hash, it could be checked out by dependents, resolved
790786, https://hackerone.com/reports/790786, Members from parent group keep their access level on a subgroup transfer and are invisible, resolved
790854, https://hackerone.com/reports/790854, NO username used in authenthication to www.mopub.com leading to direct password submission which  has unlimited submission rate., resolved
790873, https://hackerone.com/reports/790873, [hangersteak] Web Server Directory Traversal via Crafted GET Request, resolved
791278, https://hackerone.com/reports/791278, Stealing app credentials by reflected xss on Lark Suite, resolved
791289, https://hackerone.com/reports/791289, idor leads to leak order information, resolved
791293, https://hackerone.com/reports/791293, Modify Host Header which is sent to email, resolved
791498, https://hackerone.com/reports/791498, No Rate Limit On Forgot Password Page Of affiliates.nordvpn.com, informative
791674, https://hackerone.com/reports/791674, Expired Available Domains in nordvpn.com website code, informative
791826, https://hackerone.com/reports/791826, Misconfigured web directory allows to retrieve public proxy list, resolved
791979, https://hackerone.com/reports/791979, [xss] подмена content-type в загрузке лого к почте, resolved
792295, https://hackerone.com/reports/792295, On Singing up with a Phone number , The 4 digit OTP does not expires for a long time leading to an easy attack and make a verified account easilty, resolved
792725, https://hackerone.com/reports/792725, Multiple Links Vulnerable to Reflected xss, resolved
792737, https://hackerone.com/reports/792737, Password Reset Link not expiring after changing the email Leads To Account Takeover, resolved
792847, https://hackerone.com/reports/792847, [geekbrains.ru] Reflected XSS via Angular Template Injection, resolved
792850, https://hackerone.com/reports/792850, Hard-coded API keys at NordVpn Android App, informative
792895, https://hackerone.com/reports/792895, bypass old password with array in /admin/account-user-email.php, resolved
792953, https://hackerone.com/reports/792953, SSRF - Guard - Unchecked HKP servers, resolved
792960, https://hackerone.com/reports/792960, SSRF - Guard - Unchecked WKS servers, resolved
792998, https://hackerone.com/reports/792998, 404-response contains debug-information with all headers, resolved
793532, https://hackerone.com/reports/793532, Email Spoofing, duplicate
793704, https://hackerone.com/reports/793704, Server-Side Request Forgery (SSRF) in Ghost CMS , resolved
794099, https://hackerone.com/reports/794099, SSRF and LFI in site-audit tool, resolved
794144, https://hackerone.com/reports/794144, Open redirection bypass in /www/admin/campaign-modify.php, resolved
794382, https://hackerone.com/reports/794382, Route53 Subdomain Takeover on test-cncf-aws.canary.k8s.io, duplicate
794395, https://hackerone.com/reports/794395, No Rate Limit On forgot Password Leading To Massive Email Flooding, resolved
795291, https://hackerone.com/reports/795291, turboslim.lady.mail.ru - Blind sql-injection., resolved
796013, https://hackerone.com/reports/796013, CRLF Injection in email address, not-applicable
796139, https://hackerone.com/reports/796139, Github test clientID and clientSecret leaked, informative
796295, https://hackerone.com/reports/796295, csrf in https://www.rockstargames.com/reddeadonline/feedback/submit.json, resolved
796379, https://hackerone.com/reports/796379, [Critical] Insufficient Access Control On Registration Page of Webapps Website Allows Privilege Escalation to Administrator , resolved
796414, https://hackerone.com/reports/796414, Readonly to Root Privilege Escalation on EdgeSwitch, resolved
796438, https://hackerone.com/reports/796438, Self XSS via help.mail.ru interface, resolved
796487, https://hackerone.com/reports/796487, [dy-server2] - stored Cross-Site Scripting, resolved
796555, https://hackerone.com/reports/796555, access to stack memory beyond array boundaries, resolved
796557, https://hackerone.com/reports/796557, Cross Origin Resource Sharing Misconfiguration | Lead to sensitive information, informative
796897, https://hackerone.com/reports/796897, [icq.im] Reflected XSS via chat invite link, resolved
796956, https://hackerone.com/reports/796956, Able to Takeover Merchants Accounts Even They Have Already Setup SSO, After Bypassing the Email Confirmation, resolved
797159, https://hackerone.com/reports/797159, PHP builded for Windows with TS support does not resolve relalative paths with drive letter correctly, resolved
797636, https://hackerone.com/reports/797636, Google API Key is not restricted for specific application package name and signature [Mail.ru Cloud for Android], resolved
797685, https://hackerone.com/reports/797685, IDOR in marketing calendar tool, resolved
797717, https://hackerone.com/reports/797717, Reflected XSS at city-mobil.ru, resolved
797754, https://hackerone.com/reports/797754, Stored XSS in Application menu via Home Page Url, resolved
797988, https://hackerone.com/reports/797988, SNMP Community String Disclosure to ReadOnly Users on EdgeSwitch, resolved
798121, https://hackerone.com/reports/798121, Open redirect in https://www.rockstargames.com/GTAOnline/restricted-content/agegate/form may lead to Facebook OAuth token theft, resolved
798135, https://hackerone.com/reports/798135, PHP code injection at tz.mail.ru, resolved
798301, https://hackerone.com/reports/798301, FileZilla 3.46.3 - 'Scale factor' Buffer Overflow, resolved
798599, https://hackerone.com/reports/798599, xss stored, resolved
798686, https://hackerone.com/reports/798686, x-request-id header reflected in server response without sanitization, resolved
798742, https://hackerone.com/reports/798742, open redirect in eb9f.pivcac.prod.login.gov, resolved
798744, https://hackerone.com/reports/798744, Null Pointer Dereference in PHP Session Upload Progress, resolved
798767, https://hackerone.com/reports/798767, Accessing repository and other files  by directory listing, not-applicable
798812, https://hackerone.com/reports/798812, Broken Authentication and session management OWASP A2, not-applicable
798913, https://hackerone.com/reports/798913, Email address is not validated, No Rate Limit and RCE On Forgot Password Page Of affiliates.nordvpn.com, informative
799056, https://hackerone.com/reports/799056, Reflected XSS on am.ru and subdomains, resolved
799072, https://hackerone.com/reports/799072, Slowloris, body parsing, resolved
799739, https://hackerone.com/reports/799739, Dom based XSS on www.rockstargames.com/GTAOnline/features/freemode, resolved
799867, https://hackerone.com/reports/799867, XSRF Token is Not being validated when sending emails test request which lead to CSRF attack using the flash file + 307 redirect technique, resolved
799881, https://hackerone.com/reports/799881, Reflect XSS and CSP Bypass on https://www.paypal.com/businesswallet/currencyConverter/ , resolved
799898, https://hackerone.com/reports/799898, Admin Login Credential Leak for DoD Gitlab EE instance, resolved
800109, https://hackerone.com/reports/800109, An invite-only's program submission state is accessible to users no longer part of the program, resolved
800140, https://hackerone.com/reports/800140, Malformed HTTP/2 SETTINGS frame leads to reachable assert, resolved
800231, https://hackerone.com/reports/800231, GraphQL node interface for ActiveResource models lacks encoding for resource identifier, enabling parameter injection in Payments backend, resolved
800324, https://hackerone.com/reports/800324, Several protocol parsers in before 4.9.2 could cause a buffer overflow in util-print.c:bittok2str_internal(), resolved
800356, https://hackerone.com/reports/800356, [express-cart] Wide CSRF in application, resolved
800414, https://hackerone.com/reports/800414, [xss] setTheme в ajax_attach_action, resolved
800909, https://hackerone.com/reports/800909, Blind SSRF while Creating Templates, resolved
801197, https://hackerone.com/reports/801197, Sensitive Information Disclosure on https://nordvpn.com/, informative
801372, https://hackerone.com/reports/801372, Insufficient limitation of web page title  leads to DoS against ICQ for Android, resolved
801522, https://hackerone.com/reports/801522, [utils-extend] Prototype pollution , resolved
801531, https://hackerone.com/reports/801531, Access to Glassdoor's Infra (AWS) and BitBucket account through leaked repo, resolved
801743, https://hackerone.com/reports/801743, Race condition leads to Inflation of coins when bought via Google Play Store at endpoint https://oauth.reddit.com/api/v2/gold/android/verify_purchase , resolved
801973, https://hackerone.com/reports/801973, Email notification about login email changed is not received when using verified linked email address, not-applicable
802011, https://hackerone.com/reports/802011, Grafana Improper authorization , resolved
802079, https://hackerone.com/reports/802079, Unauthenticated request allows changing hostname, resolved
802286, https://hackerone.com/reports/802286, user with no draft order permission can still perform action on draft order's in stocky app (idor), resolved
802498, https://hackerone.com/reports/802498, XW 6.2.0 firmware: 5 Reflected XSS issues in link.cgi, resolved
802846, https://hackerone.com/reports/802846,  The VTP parser in tcpdump before 4.9.2 has a buffer over-read in print-vtp.c:vtp_print(), resolved
802863, https://hackerone.com/reports/802863, CVE-2017-13050: The RPKI-Router parser in tcpdump before 4.9.2 has a buffer over-read in print-rpki-rtr.c:rpki_rtr_pdu_print(), resolved
802896, https://hackerone.com/reports/802896, CVE-2017-13019:  The PGM parser in tcpdump before 4.9.2 has a buffer over-read in print-pgm.c:pgm_print(), resolved
803028, https://hackerone.com/reports/803028, Monero wallet password change is confirmed when not matching, resolved
803114, https://hackerone.com/reports/803114, [aw.mail.ru] XSS on /quiztank page, resolved
803141, https://hackerone.com/reports/803141, Unauthorized User Can Delete Any User Account, informative
803734, https://hackerone.com/reports/803734, Mail does not verify IMAP/SMTP host connected via TLS, resolved
803816, https://hackerone.com/reports/803816, OTP bypass on user account deletion, resolved
803876, https://hackerone.com/reports/803876, Reduced Payment amount while paying on Crypto Currencies, duplicate
803922, https://hackerone.com/reports/803922, Missing resource identifier encoding may lead to security vulnerabilities, resolved
803934, https://hackerone.com/reports/803934, DOM XSS on https://www.rockstargames.com/GTAOnline/feedback, resolved
803941, https://hackerone.com/reports/803941, NordVPN Android Application privacy violation due to Google Advertising Identifier misuse, informative
804080, https://hackerone.com/reports/804080, Domian Takeover in [███████], resolved
804364, https://hackerone.com/reports/804364, Reflected XSS on https://███████/, resolved
804548, https://hackerone.com/reports/804548, [█████████] Administrative access to Oracle WebLogic Server using default credentials, resolved
804772, https://hackerone.com/reports/804772, Prototype pollution in multipart parsing, resolved
804809, https://hackerone.com/reports/804809, phpinfo() disclosure info, resolved
804891, https://hackerone.com/reports/804891, [www.go3.engelvoelkers.com] - Reflected XSS in /dGPS3/default.jsp, resolved
804980, https://hackerone.com/reports/804980, Username&password is Disclosure in readme file in [https://█████████], resolved
805010, https://hackerone.com/reports/805010, PHP link() silently truncates after a null byte on Windows, resolved
805013, https://hackerone.com/reports/805013, DirectoryIterator class silently truncates after a null byte, resolved
805023, https://hackerone.com/reports/805023, Sensitive information of helpdesk is being leaked., resolved
805027, https://hackerone.com/reports/805027, Sensitive Information Leaking Through DARPA Website. [█████████], resolved
805073, https://hackerone.com/reports/805073, Periscope iOS app CSRF in follow action due to deeplink, resolved
805642, https://hackerone.com/reports/805642, Information Exposure at https://printshop.engelvoelkers.com/, resolved
805675, https://hackerone.com/reports/805675, [go3-intern.engelvoelkers.com] - Reflected XSS in /dGPS3/default.jsp, resolved
805676, https://hackerone.com/reports/805676, [go3-stage.engelvoelkers.com] - Reflected XSS in /dGPS3/default.jsp, resolved
805699, https://hackerone.com/reports/805699, Minimal information disclosure of internal asset names and links which were not publicly accessible., resolved
806055, https://hackerone.com/reports/806055, Reset password without knowing current password, resolved
806151, https://hackerone.com/reports/806151, Enumeration of username on password reset page, resolved
806213, https://hackerone.com/reports/806213, Sensitive Information Leaking Through DoD Owned Website. [██████████], resolved
806571, https://hackerone.com/reports/806571, Stored XSS in blob viewer, resolved
806577, https://hackerone.com/reports/806577, Arbitrary Set-Cookie via "?coupon=" due to semi-colon not encoded, resolved
807448, https://hackerone.com/reports/807448, Customer private program can disclose email any users through invited via username, resolved
807772, https://hackerone.com/reports/807772, OOB reads in network message handlers leads to RCE, resolved
807915, https://hackerone.com/reports/807915,  SharePoint Web Services Exposed to Anonymous Access Users, resolved
807924, https://hackerone.com/reports/807924, CSRF on connecting Paypal as Payment Provider, resolved
807961, https://hackerone.com/reports/807961, Blind Command Injection #1, resolved
807989, https://hackerone.com/reports/807989, Since no defined tries for incorrect answer, an attacker can brute the answers and post a submission, resolved
808167, https://hackerone.com/reports/808167, Stored XSS on Company Logo, resolved
808169, https://hackerone.com/reports/808169, Blind SSRF on velodrome.canary.k8s.io, resolved
808287, https://hackerone.com/reports/808287, Unrestricted file upload on the image of contacts, resolved
808338, https://hackerone.com/reports/808338, PII Leak via https://████████, resolved
808730, https://hackerone.com/reports/808730, [v7lk.relap.io] Sending arbitrary emails to any user, resolved
808755, https://hackerone.com/reports/808755, Mismatch between frontend and backend validation via `ban_researcher` leads to H1 support and hackers email spam, resolved
808762, https://hackerone.com/reports/808762, Exposed Slinky Instance Admin Panel, resolved
808832, https://hackerone.com/reports/808832, Information Disclosure in https://www.rockstargames.com/search, resolved
808975, https://hackerone.com/reports/808975, Rounding errors on rewarding a bounty leads to bypassing the 20% H1 commission fee, resolved
809012, https://hackerone.com/reports/809012, [notevil] - Sandbox Escape Lead to RCE on Node.js and XSS in the Browser, resolved
809212, https://hackerone.com/reports/809212, No ACL on S3 Bucket in [https://www.██████████/], resolved
809248, https://hackerone.com/reports/809248, SSRF into Shared Runner, by replacing dockerd with malicious server in Executor, resolved
809645, https://hackerone.com/reports/809645, full path disclosure on world.engelvoelkers.com via error messages, resolved
809691, https://hackerone.com/reports/809691, Referer Leakge in language changer may lead to FB token theft., resolved
809816, https://hackerone.com/reports/809816, Organization Takeover, resolved
810320, https://hackerone.com/reports/810320, Read-only user can delete higher privileged members using open DELETE /api/memberships/<membershipID> endpoint, resolved
810401, https://hackerone.com/reports/810401, SSRF with information disclosure, resolved
810872, https://hackerone.com/reports/810872, web.icq.com XSS in chat message via contact info, resolved
810880, https://hackerone.com/reports/810880, Account takeover w/o interaction for a user that doesn't have 2fa enabled via 2fa linking and improper auth at /api/2fa/verify, resolved
811136, https://hackerone.com/reports/811136, SSRF on image renderer, resolved
811366, https://hackerone.com/reports/811366, CRLF Injection in 301 Redirect allow to Set-Cookies for mail.ru , resolved
811502, https://hackerone.com/reports/811502, Node.js: TLS session reuse can lead to hostname verification bypass, resolved
812028, https://hackerone.com/reports/812028, xss on setup config page , resolved
812064, https://hackerone.com/reports/812064, SAML authentication bypass, resolved
812351, https://hackerone.com/reports/812351, Username Information Disclosure via Json response - Using parameter number Intruder, informative
812585, https://hackerone.com/reports/812585, Sensitive Information Leaking Through Navy Website. [█████], resolved
812754, https://hackerone.com/reports/812754, Denial of Service by requesting to reset a password, resolved
812907, https://hackerone.com/reports/812907, Bypass voting restriction due to HTTP Header Injection, resolved
812969, https://hackerone.com/reports/812969, curl still vulnerable to SMB access smuggling via FILE URL on Windows, informative
813159, https://hackerone.com/reports/813159, Cleartext Transmission of Sensitive Information Leads to administrator access, resolved
813279, https://hackerone.com/reports/813279, Lets Encrypt Certificates affected by CAA Rechecking Incident, resolved
813300, https://hackerone.com/reports/813300, Changes to data in a CVE request after draft via GraphQL query, resolved
813377, https://hackerone.com/reports/813377, [staging.tarantool.org] Github Pages Subdomain-take-over , resolved
813395, https://hackerone.com/reports/813395, Unrestricted File Upload to ███████SubmitRequest/Index.cfm?fwa=wizardform, resolved
813421, https://hackerone.com/reports/813421, Account deletion requests not entirely honoured. Misinformation even after seeking clarification from customer support., resolved
815084, https://hackerone.com/reports/815084, [Limited bypass of #793704] Blind SSRF in Ghost CMS, resolved
815547, https://hackerone.com/reports/815547, Unauthorized updates to extended_info properties in /store/ajaxpackagesave, resolved
816086, https://hackerone.com/reports/816086, Remote Code Execution on contactws.contact-sys.com via SQL injection in TCertObject operation "Delete", resolved
816143, https://hackerone.com/reports/816143, A team member of the program with Report rights can ban the Admin, resolved
816156, https://hackerone.com/reports/816156, Team members can trigger arbitrary code execution in Slack Desktop Apps via HTML Notifications, resolved
816254, https://hackerone.com/reports/816254, SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution, resolved
816560, https://hackerone.com/reports/816560, SQL injection on contactws.contact-sys.com in TRateObject.AddForOffice in USER_ID parameter leads to remote code execution, resolved
816637, https://hackerone.com/reports/816637, CVE-2020-10938-buffer overflow/out-of-bounds write in compress.c:HuffmanDecodeImage(), resolved
816888, https://hackerone.com/reports/816888, web.xml configuration file disclosure, resolved
817244, https://hackerone.com/reports/817244, The Linux binaries (nordvpn and nordvpnd) don't use PIE/ASLR, informative
817245, https://hackerone.com/reports/817245, Hardware Wallets Do Not Check Unlock TIme, resolved
818109, https://hackerone.com/reports/818109, MCS Graphite SSRF: internal network access, resolved
818848, https://hackerone.com/reports/818848, Read-only team members can read all properties of webhooks, resolved
818972, https://hackerone.com/reports/818972, SQL Injection [unauthenticated] with direct output at https://news.mail.ru/, resolved
819088, https://hackerone.com/reports/819088, character limitation bypass can lead to DoS on Twitter App and 500 Internal Server Error, resolved
819278, https://hackerone.com/reports/819278, Open S3 Bucket Accessible by any Aws User, resolved
819309, https://hackerone.com/reports/819309, mailgun subdomain takeover on "email.mail.geekbrains.ru", resolved
819362, https://hackerone.com/reports/819362, Cross Site Scripting and Open Redirect in affiliate-preview.php file , resolved
819428, https://hackerone.com/reports/819428, xss in ub.icq.net, resolved
819591, https://hackerone.com/reports/819591, Improper Access Controls Allow PII Leak via ████, resolved
819714, https://hackerone.com/reports/819714, [api.33slona.ru] Доступ к API из за неправильной конфигурации сервера 302 редирет., resolved
819807, https://hackerone.com/reports/819807, Missing ownership check on remote wipe endpoint, resolved
819821, https://hackerone.com/reports/819821, Initial mirror user can be assigned by other user even if the mirror was removed, resolved
819899, https://hackerone.com/reports/819899, Second Order XSS via █████, resolved
819911, https://hackerone.com/reports/819911, Knowledge Base Articles are Globally Modifiable via ██████, resolved
819930, https://hackerone.com/reports/819930, Ability to bruteforce mopub account’s password due to lack of rate limitation protection using {ip rotation techniques}, resolved
820146, https://hackerone.com/reports/820146, PHPUnit is included in groupfolders release package potentially causing RCE, resolved
820217, https://hackerone.com/reports/820217, Stored XSS In mlbootcamp.ru, resolved
820224, https://hackerone.com/reports/820224, [sapper] Path Traversal, resolved
820277, https://hackerone.com/reports/820277, relap.io CSRF bypass on adding domain to use relap widgets , resolved
821896, https://hackerone.com/reports/821896, Access token stealing., resolved
822002, https://hackerone.com/reports/822002, Apache solr RCE via velocity template, resolved
822547, https://hackerone.com/reports/822547, Unauthorized access to https://shipit.analogpond.com/, resolved
823588, https://hackerone.com/reports/823588, Unrestricted File Upload on https://my.stripo.email and https://stripo.email, resolved
823915, https://hackerone.com/reports/823915, Attacker may be able to bounce enough emails which suspend HackerOne's SES service and cause a DoS of HackerOne's email service, resolved
824163, https://hackerone.com/reports/824163, Squid leaks previous content from reusable buffer, resolved
824203, https://hackerone.com/reports/824203, Cache Manager ACL Bypass, resolved
824433, https://hackerone.com/reports/824433, Reflected XSS in https://blocked.myndr.net, resolved
824666, https://hackerone.com/reports/824666, o2.mail.ru XSS, resolved
824689, https://hackerone.com/reports/824689, Send arbitrary PUT requests when user clicks on a link, resolved
824753, https://hackerone.com/reports/824753, Cache Poisoning, resolved
824771, https://hackerone.com/reports/824771, UrnState Heap Overflow, resolved
824802, https://hackerone.com/reports/824802, URN Request bypass ACL Checks, resolved
824909, https://hackerone.com/reports/824909, Subdomain Takeover uptime, resolved
824931, https://hackerone.com/reports/824931, Grammarly Keyboard for Android "Authorization Code with PKCE" flow implementation vulnerability that allows account takeover, resolved
824973, https://hackerone.com/reports/824973, [icq.com/people/*uin*/edit] Отсутствует фильтр и проверка на дубли в поле "Никнейм", resolved
825091, https://hackerone.com/reports/825091, Array Index Underflow--http rpc, resolved
825643, https://hackerone.com/reports/825643, Flaw in Change Email https://youtu.be/MMvlcHIGs2A, resolved
825646, https://hackerone.com/reports/825646, Improper email address verifiation while saving Account Details, resolved
825729, https://hackerone.com/reports/825729, [logkitty] RCE via insecure command formatting, resolved
825764, https://hackerone.com/reports/825764, View Only to Root Privilege Escalation on UniFi Protect, resolved
825815, https://hackerone.com/reports/825815, Server Name disclosure, informative
826005, https://hackerone.com/reports/826005, Private account causes displayed through API, resolved
826026, https://hackerone.com/reports/826026, Use-After-Free In IPV6_2292PKTOPTIONS leading To Arbitrary Kernel R/W Primitives, resolved
826097, https://hackerone.com/reports/826097, SSRF chained to hit internal host leading to another SSRF which allows to read internal images., resolved
826176, https://hackerone.com/reports/826176, program_analytics_benchmarks query shows information not visible in public, resolved
826238, https://hackerone.com/reports/826238, load scripts DOS vulnerability, duplicate
826288, https://hackerone.com/reports/826288, Unrestricted File Upload in Chat Window, resolved
826361, https://hackerone.com/reports/826361, SSRF on project import via the remote_attachment_url on a Note, resolved
826394, https://hackerone.com/reports/826394, Authorization Token on PlayStation Network Leaks via postMessage function, resolved
827051, https://hackerone.com/reports/827051, Use after free in smtp_server_connection_handle_command, resolved
827052, https://hackerone.com/reports/827052, Arbitrary file read via the UploadsRewriter when moving and issue, resolved
827158, https://hackerone.com/reports/827158, IDOR Vulnerability in Job Preferences, resolved
827484, https://hackerone.com/reports/827484, Missing rate limit for current password field (Password Change) Account Takeover, resolved
827595, https://hackerone.com/reports/827595, Privilege escalation from member user ( editor ) to admin user, resolved
827606, https://hackerone.com/reports/827606, Stored XSS in files.slack.com, resolved
827729, https://hackerone.com/reports/827729, Null pointer dereference in SMTP server function smtp_string_parse, resolved
827816, https://hackerone.com/reports/827816, Missing server side controls when editing the board’s sharing permissions per user, resolved
831290, https://hackerone.com/reports/831290,  Null pointer dereference in SMTP server function smtp_command_parse_data_with_size, resolved
831353, https://hackerone.com/reports/831353, tcpdump before 4.9.3 has a heap-based buffer over-read related to aoe_print in print-aoe.c and lookup_emem in addrtoname.c, resolved
831654, https://hackerone.com/reports/831654, "Self" DOS with large deployment and scaling, not-applicable
831663, https://hackerone.com/reports/831663, [pulse.mail.ru] Доступ к статистике чужих площадок, resolved
831703, https://hackerone.com/reports/831703, XSS from arbitrary attachment upload., resolved
831803, https://hackerone.com/reports/831803, RXSS in http://procurement-businesscatalog.informatica.com, resolved
831962, https://hackerone.com/reports/831962, XSS on Issue reference numbers, resolved
832217, https://hackerone.com/reports/832217, Android App Crashes while sending message to users/ on channel , informative
832256, https://hackerone.com/reports/832256, Stored xss on https://go.mail.ru/, resolved
832593, https://hackerone.com/reports/832593, Clickjacking, informative
832750, https://hackerone.com/reports/832750, Buffer overflow In hl.exe's launch -game argument allows an attacker to execute arbitrary code locally or from browser, resolved
832858, https://hackerone.com/reports/832858, SSRF via 3d.cs.money/pasteLinkToImage, resolved
833080, https://hackerone.com/reports/833080, Tricking the "Create snippet" feature into displaying the wrong filetype can lead to RCE on Slack users, resolved
833470, https://hackerone.com/reports/833470, [Security Vulnerability Rocket.chat] HTML Injection into Email via Signup, resolved
833735, https://hackerone.com/reports/833735, Broken Access Controls, resolved
833782, https://hackerone.com/reports/833782, Allow authenticated users can edit, trash,and add new in BuddyPress Emails function, resolved
833836, https://hackerone.com/reports/833836, Information disclosure of Internal php files on [mackeeper.com/blog/api/send-event], resolved
833856, https://hackerone.com/reports/833856, DoS for GCSArtifact.RealAll, resolved
834065, https://hackerone.com/reports/834065, Improper access control leading to deletion of Greeting videos on {https://smtp.8mar.mail.ru/}, resolved
834366, https://hackerone.com/reports/834366, Login CSRF vulnerability on hackerone.com, resolved
835005, https://hackerone.com/reports/835005, Organization Takeover via invitation API, resolved
835087, https://hackerone.com/reports/835087, ajaxgetachievementsforgame is not guarded for unreleased apps, resolved
835138, https://hackerone.com/reports/835138, [www.drive2.ru] Insufficient Security Configurability - Email notification is not being sent while changing passwords, resolved
835142, https://hackerone.com/reports/835142, [www.drive2.ru] CSRF through FCTX token bypass, resolved
835200, https://hackerone.com/reports/835200, [www.drive2.ru] There is no rate limit for comments endpoints., resolved
835302, https://hackerone.com/reports/835302, [www.drive2.ru] Insufficient Security Configurability - The user's can set an existing password as a new password., resolved
835437, https://hackerone.com/reports/835437, Access Token Smuggling from my.playstation.com via Referer Header, resolved
835647, https://hackerone.com/reports/835647, [www.drive2.ru] Insufficient Security Configurability - Notification email is not sent when email is changed., resolved
836036, https://hackerone.com/reports/836036, Multiple buffer over reads in mbox_from_parse, resolved
836045, https://hackerone.com/reports/836045, Buffer overread in parse_angle_addr called from message_address_parse_path , resolved
836079, https://hackerone.com/reports/836079, [www.zomato.com] Blind SQL Injection in /php/widgets_handler.php, resolved
836081, https://hackerone.com/reports/836081, Insufficient access control on all BCRM instances leading to the ability to create admin accounts using the API, resolved
836149, https://hackerone.com/reports/836149, mailer.i.bizml.ru viber service preprod information disclosure, resolved
836187, https://hackerone.com/reports/836187, CSRF in Profile Fields allows deleting any field in BuddyPress, resolved
836649, https://hackerone.com/reports/836649, Stored XSS in markdown when redacting references, resolved
837018, https://hackerone.com/reports/837018, Privilege Escalation in BuddyPress core allows Moderate to Administrator , resolved
837215, https://hackerone.com/reports/837215, Stored XSS on {https://calendar.mail.ru/}, resolved
837256, https://hackerone.com/reports/837256, Improper Access Control in Buddypress core allows reply,delete any user's activity, resolved
837400, https://hackerone.com/reports/837400, IDOR in the https://market.semrush.com/, resolved
837510, https://hackerone.com/reports/837510, Create an account on auth-sandbox.elastic.co with email @elastic.co or any other @domain.com, resolved
837729, https://hackerone.com/reports/837729, Session works after logout from Shopify account and password of online store is displayed, resolved
837733, https://hackerone.com/reports/837733, Leaking Of Sensitive Information on Github, informative
838127, https://hackerone.com/reports/838127, mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full (CVE-2020-7065), resolved
838178, https://hackerone.com/reports/838178, Reflected XSS in "*.mendix.com/openid/*", resolved
838196, https://hackerone.com/reports/838196, Remote Code Execution via Insecure Deserialization in Telerik UI , resolved
838231, https://hackerone.com/reports/838231, *.shopify.com - Authentication bypass, resolved
838572, https://hackerone.com/reports/838572, No Rate Limit On Reset Password, resolved
838587, https://hackerone.com/reports/838587, Private files exposed to other apps, resolved
838635, https://hackerone.com/reports/838635, Spring Actuator endpoints publicly available and broken authentication, resolved
838647, https://hackerone.com/reports/838647, Improper Input Validation on User's Location on PUT /WhoService/putLocation Could Affect Availability/Falsify Users, resolved
838682, https://hackerone.com/reports/838682, Http Response Splitting on  thumb.cloud.mail.ru, resolved
838685, https://hackerone.com/reports/838685, Use of uninitialized value in ftp_getrc_msg method of mod_proxy_ftp.c, resolved
838855, https://hackerone.com/reports/838855, [www.zomato.com] Blind SQL Injection in /php/geto2banner, resolved
838910, https://hackerone.com/reports/838910, [XSS] Reflected XSS via POST request in (editJobAlert.htm) file, resolved
840285, https://hackerone.com/reports/840285, CSRF Account Deletion on ███ Website, resolved
840515, https://hackerone.com/reports/840515, rxss at https://mackeeper.com page not found via rid parameter, resolved
840598, https://hackerone.com/reports/840598, Possible denial of service when entering a loooong password, resolved
840688, https://hackerone.com/reports/840688, Send Phishing/Spam email from support@sameroom.io to any email address., resolved
840736, https://hackerone.com/reports/840736, Open Redirect filter bypass through '\' character via URL parameter, resolved
840759, https://hackerone.com/reports/840759, Reflected XSS on www.hackerone.com and resources.hackerone.com, resolved
841380, https://hackerone.com/reports/841380, Prototype pollution attack (lodash), resolved
841630, https://hackerone.com/reports/841630, Content Spoofing, resolved
841947, https://hackerone.com/reports/841947, Remote Code Execution through Extension Bypass on Log Functionality, resolved
842035, https://hackerone.com/reports/842035, Open Redirect in  www.shopify.dev Environment , resolved
842050, https://hackerone.com/reports/842050, HTML Injection in Glassdoor job sharing emails, duplicate
842462, https://hackerone.com/reports/842462, Pixel flood attack cause the javascript heap out of memory, resolved
842625, https://hackerone.com/reports/842625, account takeover on 3.0.1 version, resolved
843160, https://hackerone.com/reports/843160, Account takeover through password reset in cups.mail.ru, resolved
843171, https://hackerone.com/reports/843171, Desktop app RCE (#276031 bypass), resolved
843263, https://hackerone.com/reports/843263, Outdated Coturn is vulnerable to known vulnerabilities (High), resolved
843421, https://hackerone.com/reports/843421, Hyperlink Injection on Email Invitation, resolved
844067, https://hackerone.com/reports/844067, Korea - LFI Server directory traversal at starbucks.co.kr, resolved
844428, https://hackerone.com/reports/844428, [www.zomato.com] Abusing LocalParams (city) to Inject SOLR query, resolved
845677, https://hackerone.com/reports/845677, Sourcemaps and Unminified Source Code Exposed on Pages, resolved
845832, https://hackerone.com/reports/845832, SVG file upload leads to XML injection, resolved
846184, https://hackerone.com/reports/846184, Blind SSRF at https://chat.makerdao.com/account/profile, informative
846338, https://hackerone.com/reports/846338, Reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/, resolved
846397, https://hackerone.com/reports/846397, XSS on remote.bittorrent.com, informative
846400, https://hackerone.com/reports/846400, .git file accessible on remote.bittorrent.com, informative
846430, https://hackerone.com/reports/846430, frame injection on bittorrent.com, informative
846432, https://hackerone.com/reports/846432, xss on bittorrent.com, informative
846905, https://hackerone.com/reports/846905, Stored XSS in Elastic App Search, resolved
846931, https://hackerone.com/reports/846931, XSS at go.mail.ru, resolved
847101, https://hackerone.com/reports/847101, SSRF via Export Service in  ActiveCampaign, resolved
847176, https://hackerone.com/reports/847176, Stored XSS via 64(?) vulnerable fields in ███ leads to credential theft/account takeover, resolved
847185, https://hackerone.com/reports/847185, Members Personal Information Leak Due to IDOR, resolved
847276, https://hackerone.com/reports/847276, Information Disclosure on {http://pro.tracker.my.com}, resolved
847452, https://hackerone.com/reports/847452, Full Account Take-Over of ████████ Members via IDOR, resolved
847473, https://hackerone.com/reports/847473, Content injection on shared event (calendar.mail.ru), resolved
847493, https://hackerone.com/reports/847493, Cookie Bombing cause DOS -  businesses.uber.com, resolved
847876, https://hackerone.com/reports/847876, IDOR in tracking driver logs at city-mobil.ru, resolved
848732, https://hackerone.com/reports/848732, XSS in [community.my.games], resolved
848742, https://hackerone.com/reports/848742, Reflected XSS in city-mobil.ru/, resolved
848905, https://hackerone.com/reports/848905, Exposed█████████in apk file - devbuilds.uber.com, resolved
850022, https://hackerone.com/reports/850022, CSRF on launchpad.37signals.com OAuth2 authorization endpoint, resolved
850114, https://hackerone.com/reports/850114, SSRF in notifications.server configuration, resolved
850447, https://hackerone.com/reports/850447, gitlab-workhorse bypass in Gitlab::Middleware::Multipart allowing files in `allowed_paths` to be read, resolved
850637, https://hackerone.com/reports/850637, [c-api.city-mobil.ru] IDOR chat messages between driver and customer, resolved
850775, https://hackerone.com/reports/850775, Windows only: arbitrary file read vulnerability in openssl s_server, resolved
850938, https://hackerone.com/reports/850938, [www.drive2.ru] Insufficient Security Configurability - The user can using the same password as your current ID., resolved
852091, https://hackerone.com/reports/852091, Privilege Escalation vulnerability in steam's Remote Play feature leads to arbitrary kernel-mode driver installation, resolved
852103, https://hackerone.com/reports/852103, Out-of-Bound Read in urldecode() [CVE-2020-7067], resolved
852306, https://hackerone.com/reports/852306, SQL LIKE clauses wildcard injection, resolved
852413, https://hackerone.com/reports/852413, SSRF in my.stripo.email, resolved
852613, https://hackerone.com/reports/852613, Remote Code Execution on Cloud via latest Kibana 7.6.2, resolved
852713, https://hackerone.com/reports/852713, Previously Compromised PulseSSL VPN Hosts, resolved
852841, https://hackerone.com/reports/852841, Reduced purmations on encryption, resolved
853068, https://hackerone.com/reports/853068, [city-mobil.ru] SSRF & limited LFR on /taxiserv/photoeditor/save endpoint via base64 POST parameter, resolved
853130, https://hackerone.com/reports/853130, IDOR on stocky application-Low Stock-Varient-Settings-Columns, resolved
853145, https://hackerone.com/reports/853145, Broken validation of user Id for JWT Token, resolved
853284, https://hackerone.com/reports/853284, Disclosure of internal information using hidden NTLM authentication leading to an exploit server, resolved
853355, https://hackerone.com/reports/853355, Unauthorized access to private project security dashboard, resolved
853410, https://hackerone.com/reports/853410, Directory listing of https://get8x8.com/, resolved
853637, https://hackerone.com/reports/853637, "😂" + Unauthenticated Stored XSS in API at https://api.my.games/comments/v1/comments/update/, resolved
853894, https://hackerone.com/reports/853894, Improper Access Control in LINE Timeline API that returns a list of hidden friends, resolved
854032, https://hackerone.com/reports/854032, Unrestricted file upload on [ambassador.mail.ru] , resolved
854049, https://hackerone.com/reports/854049, PulseSSL VPN Site with Compromised Creds @ ████, resolved
854290, https://hackerone.com/reports/854290, IDOR on update user preferences, resolved
854299, https://hackerone.com/reports/854299, Self XSS in Timeline , resolved
854424, https://hackerone.com/reports/854424, 暴力破解用户密码没有速率控制, resolved
854445, https://hackerone.com/reports/854445, Unrestricted file upload leads to stored xss on https://████████/, resolved
854726, https://hackerone.com/reports/854726, Unix time unlock_time values have dangerous validation rules enabling a number of exploits, resolved
854793, https://hackerone.com/reports/854793, No rate limiting for confirmation email lead to email flooding and leads to enumeration of emails in publishers.basicattentiontoken.org, resolved
854973, https://hackerone.com/reports/854973, Vertical Privilege Escalation on {target.my.com}, resolved
855013, https://hackerone.com/reports/855013, [www.stripo.email] You can override the speed limit by adding the X-Forwarded-For header., resolved
855269, https://hackerone.com/reports/855269, Cross-Site Request Forgery (CSRF) in my.games API, resolved
855276, https://hackerone.com/reports/855276, Injection of `http.<url>.*` git config settings leading to SSRF, resolved
855304, https://hackerone.com/reports/855304, No set limit to try to login in "https://auth.nextcloud.com/auth/realms/master/protocol/openid-connect/auth" page., informative
855322, https://hackerone.com/reports/855322, Cross-Site Request Forgery (CSRF) in comment update - api.my.games, resolved
855618, https://hackerone.com/reports/855618, Account takeover intercepting magic link for Arrive app, resolved
856137, https://hackerone.com/reports/856137, China - Open redirect at trackinghub.starbucks.com.cn, resolved
856193, https://hackerone.com/reports/856193, XSS on https://deti.mail.ru/, resolved
856305, https://hackerone.com/reports/856305, [www.stripo.email] There is no rate limit for contact-us endpoints, resolved
856310, https://hackerone.com/reports/856310, [www.stripo.email] There is no rate limit for /it/contact-us/ endpoints, duplicate
856518, https://hackerone.com/reports/856518, CSRF - Close Account, resolved
856554, https://hackerone.com/reports/856554, Stored XSS on the job page, resolved
856588, https://hackerone.com/reports/856588, [flsaba] Stored XSS in the file and directory name when directories listing, resolved
856836, https://hackerone.com/reports/856836, Stored XSS on PyPi simple API endpoint, resolved
856981, https://hackerone.com/reports/856981, CSRF - Modify Company Info, resolved
857770, https://hackerone.com/reports/857770, Time-limit Bypassing, Rate-limit Bypassing and Spamming at https://ops.cuvva.co, informative
858255, https://hackerone.com/reports/858255, Cross site scripting - XSRF Token, resolved
858598, https://hackerone.com/reports/858598, Local Privilege Escalation in anti_ransomware_service.exe via quarantine, resolved
858603, https://hackerone.com/reports/858603, Denial of Service in anti_ransomware_service.exe via logs files, resolved
858608, https://hackerone.com/reports/858608, anti_ransomware_service.exe REST API does not require authentication, resolved
858662, https://hackerone.com/reports/858662, Thailand - IDOR on www.starbuckscardth.in.th: A logged in user could view any Thailand Starbucks card balance if they knew that Starbucks card number, resolved
858671, https://hackerone.com/reports/858671, Insufficient Type Check on GraphQL leading to Maintainer delete repository, resolved
858674, https://hackerone.com/reports/858674, [wireguard-wrapper] Command Injection via insecure command concatenation, resolved
858854, https://hackerone.com/reports/858854, Recursor accepts unsigned, empty NXDOMAINs in secure zones, resolved
858874, https://hackerone.com/reports/858874, Stored XSS in TSVB Visualizations Markdown Panel, resolved
858894, https://hackerone.com/reports/858894, Potential stored Cross-Site Scripting vulnerability in Support Backend, resolved
858915, https://hackerone.com/reports/858915, CircleCI token in github repo allows for access to sensitive build information, resolved
859136, https://hackerone.com/reports/859136, Malicious apps can crash Nextcloud Android client by sending malformed intents , resolved
859333, https://hackerone.com/reports/859333, Stored XSS in group issue list, resolved
859342, https://hackerone.com/reports/859342, Reflected XSS and HTML Injectionon a DoD website, resolved
859357, https://hackerone.com/reports/859357, [capsula.mail.ru] overriding order info, resolved
859469, https://hackerone.com/reports/859469, Path traversal in ZIP extract routine on LINE Android, resolved
859688, https://hackerone.com/reports/859688, CORS on my.stripo.email, informative
860197, https://hackerone.com/reports/860197, A staff without export customers permissions can still export customers CSV file, resolved
860348, https://hackerone.com/reports/860348, Staff member with no permission can delete POS staff from account settings, resolved
861170, https://hackerone.com/reports/861170, Attacker with an Old account might still be able to DoS ctf.hacker101.com by sending a Crafted request , resolved
861521, https://hackerone.com/reports/861521, Cookie injection leads to complete DoS over whole domain *.mackeeper.com. Injection point accountstage.mackeeper.com/, resolved
861744, https://hackerone.com/reports/861744, Remote Code Execution in coming Kibana 7.7.0, resolved
861940, https://hackerone.com/reports/861940, OAuth `redirect_uri` bypass using IDN homograph attack resulting in user's access token leakage, resolved
862589, https://hackerone.com/reports/862589, Spring Actuator endpoints publicly available, leading to account takeover, resolved
862835, https://hackerone.com/reports/862835, GraphQL introspection query works through unauthenticated WebSocket, resolved
863221, https://hackerone.com/reports/863221, SSRF bypass, resolved
863544, https://hackerone.com/reports/863544, [devcert] Command Injection via insecure command formatting, resolved
863551, https://hackerone.com/reports/863551, Subdomain takeover of resources.hackerone.com, resolved
863553, https://hackerone.com/reports/863553, SSRF protection bypass in /appsuite/api/oxodocumentfilter addfile action, resolved
863944, https://hackerone.com/reports/863944, [extra-ffmpeg] Command Injection via insecure command formatting, resolved
863956, https://hackerone.com/reports/863956, [extra-asciinema] Command Injection via insecure command formatting, resolved
863979, https://hackerone.com/reports/863979, Compromise of node can lead to compromise of pods on other nodes, resolved
863983, https://hackerone.com/reports/863983, Cross-organization data access in city-mobil.ru, resolved
864091, https://hackerone.com/reports/864091, RXSS - https://███/, resolved
864354, https://hackerone.com/reports/864354, [diskstats] Command Injection via insecure command concatenation, resolved
864598, https://hackerone.com/reports/864598, [panel.city-mobil.ru/admin/] Blind XSS via partner name (similar to #746505), resolved
864701, https://hackerone.com/reports/864701, Prototype Pollution lodash 4.17.15, resolved
864751, https://hackerone.com/reports/864751, Hyper Link Injection while signup , resolved
864777, https://hackerone.com/reports/864777, [vboxmanage.js] Command Injection via insecure command concatenation, resolved
865115, https://hackerone.com/reports/865115, unpermitted user can change the device name of admin account, resolved
865168, https://hackerone.com/reports/865168, [xps] Command Injection via insecure command concatenation, resolved
865195, https://hackerone.com/reports/865195, reading the stack data of the imap process, resolved
865354, https://hackerone.com/reports/865354, Arbitrary file upload and stored XSS via ███ support request, resolved
865436, https://hackerone.com/reports/865436, SQL Injection on the administrator panel, resolved
865652, https://hackerone.com/reports/865652, Blind SSRF in /appsuite/api/oxodocumentfilter&action=addfile, resolved
865777, https://hackerone.com/reports/865777, Bypass hide download Nextcloud Share, informative
865828, https://hackerone.com/reports/865828, Incorrect control of the trial period, resolved
865875, https://hackerone.com/reports/865875, XMLRPC, Enabling XPSA and Bruteforce and DOS + A file disclosing installer-logs., resolved
866271, https://hackerone.com/reports/866271, Lack of Input sanitization leads to database Character encoding configuration Disclosure, resolved
866382, https://hackerone.com/reports/866382, HTTP Request Smuggling, informative
866426, https://hackerone.com/reports/866426, Reflected XSS on https://apps.topcoder.com/wiki/, resolved
866433, https://hackerone.com/reports/866433, Reflected XSS on https://apps.topcoder.com/wiki/page/, resolved
866576, https://hackerone.com/reports/866576, Reflected XSS on https://apps.topcoder.com/wiki/pages/createpage.action, resolved
866597, https://hackerone.com/reports/866597, Pre-auth buffer over-read in Dovecot NTLM implementation, resolved
866605, https://hackerone.com/reports/866605, Pre-auth Denial-of-Service in Dovecot RPA implementation, resolved
866815, https://hackerone.com/reports/866815, Stored XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action, resolved
866829, https://hackerone.com/reports/866829, Reflected XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action, resolved
866837, https://hackerone.com/reports/866837, Post Based Reflected XSS on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action, resolved
866844, https://hackerone.com/reports/866844, CSRF on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action, resolved
866861, https://hackerone.com/reports/866861, Reflected XSS on error page on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action, resolved
867052, https://hackerone.com/reports/867052, Access Control: Inject tasks into other users decks, resolved
867133, https://hackerone.com/reports/867133, Stored XSS on https://apps.topcoder.com/wiki/pages/editpage.action, resolved
867164, https://hackerone.com/reports/867164, External storage app saves password for all users in the database, resolved
867249, https://hackerone.com/reports/867249, The hacker has access to the administrative part of the management reports in publish report, resolved
867436, https://hackerone.com/reports/867436, misconfigured CORS let to HPP and SOP bypass, not-applicable
867473, https://hackerone.com/reports/867473, CSRF on https://apps.topcoder.com/wiki/pages/doattachfile.action, resolved
867521, https://hackerone.com/reports/867521, CreatorID leaked from public content posted to SnapMaps, resolved
867577, https://hackerone.com/reports/867577, Unauthenticated request smuggling on launchpad.37signals.com, resolved
867616, https://hackerone.com/reports/867616, XSS via referrer parameter, resolved
867699, https://hackerone.com/reports/867699, Node disk DOS by writing to container /etc/hosts, resolved
867952, https://hackerone.com/reports/867952, HTTP request Smuggling, resolved
868146, https://hackerone.com/reports/868146, Unauthorised Account Detail Modification , resolved
868436, https://hackerone.com/reports/868436, Time-Based SQL injection at city-mobil.ru, resolved
868561, https://hackerone.com/reports/868561, CSRF on https://apps.topcoder.com/wiki/users/editmyprofile.action, resolved
868570, https://hackerone.com/reports/868570, XSS on https://o2.mail.ru/jsapi/button via PostMessage, resolved
868572, https://hackerone.com/reports/868572, CSRF on https://apps.topcoder.com/wiki/users/editmyprofilepicture.action, resolved
868583, https://hackerone.com/reports/868583, CSRF on https://apps.topcoder.com/wiki/users general and email preferences, resolved
868590, https://hackerone.com/reports/868590, IDOR on deleting drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action via discardDraftId parameter, resolved
868615, https://hackerone.com/reports/868615, Inject page in admin panel via Shopify.API.pushState with protocol invalid, resolved
868834, https://hackerone.com/reports/868834, Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests, resolved
868934, https://hackerone.com/reports/868934, DOM XSS on duckduckgo.com search, resolved
869450, https://hackerone.com/reports/869450, Support incident can be opened for any user via /███████ and PII leak via █████████ field, resolved
869574, https://hackerone.com/reports/869574, SQL Injection or Denial of Service due to a Prototype Pollution, resolved
869605, https://hackerone.com/reports/869605, Subdomain takeover in help.tictail.com pointing to Zendesk (a Shopify acquisition), resolved
869831, https://hackerone.com/reports/869831, XSS within Shopify Email App - Admin, resolved
869888, https://hackerone.com/reports/869888, Path Traversal in App Proxy, resolved
870001, https://hackerone.com/reports/870001, access permission is not revoked even if the email has been deleted or changed on the partner account -partners.shopify-, resolved
870062, https://hackerone.com/reports/870062, Referer Referer Header Leakage in language changer may lead to FB token theft, resolved
870615, https://hackerone.com/reports/870615, [Fixed] A vulnerability in KAVKIS 2020 products family allows full disabling of protection, resolved
870703, https://hackerone.com/reports/870703, Stored XSS in assets.txmblr.com, informative
870709, https://hackerone.com/reports/870709, Unauthorised access to pagespeed global admin at https://webtools.paloalto.com/, resolved
871071, https://hackerone.com/reports/871071, [gfc] Command Injection via insecure command formatting, resolved
871142, https://hackerone.com/reports/871142, Disclosure of the name of a program that has a private part with an external link, resolved
871156, https://hackerone.com/reports/871156, [plain-object-merge] Prototype pollution, resolved
871749, https://hackerone.com/reports/871749, Unauthorized access to metadata of undisclosed reports that were retested, resolved
872089, https://hackerone.com/reports/872089, Curl_auth_create_plain_message integer overflow leads to heap buffer overflow, informative
872190, https://hackerone.com/reports/872190, Plaintext storage of a password on kubernetes release bucket, informative
872304, https://hackerone.com/reports/872304, RXSS - https://████████/, resolved
873474, https://hackerone.com/reports/873474, Stored XSS on express entries, resolved
873584, https://hackerone.com/reports/873584, Stored XSS in the file search filter, resolved
873614, https://hackerone.com/reports/873614, Websites Can Run Arbitrary Code on Machines Running the 'PlayStation Now' Application, resolved
873818, https://hackerone.com/reports/873818, capsula.mail.ru - reflected xss, resolved
874017, https://hackerone.com/reports/874017, SSN is exposed on slides, previous critical report was not fixed in an appropriate way, resolved
874093, https://hackerone.com/reports/874093, Reflected XSS, resolved
874198, https://hackerone.com/reports/874198, [m.vk.com] XSS на страницах /artist/ , resolved
874228, https://hackerone.com/reports/874228, HTML Injection leads to XSS on███, resolved
874387, https://hackerone.com/reports/874387, capsula.mail.ru - Admin blind stored XSS, resolved
874401, https://hackerone.com/reports/874401, Use of Ruby Forwardable module and runtime meta-programming may introduce vulnerabilities, informative
874427, https://hackerone.com/reports/874427, Tomcat examples available for public, Disclosure Apache Tomcat version, Critical/High/Medium CVE, resolved
874482, https://hackerone.com/reports/874482, Subdomain Takeover due to unclaimed domain pointing to Acquia Cloud, resolved
874574, https://hackerone.com/reports/874574, Partner's non-verified business email change reflected into Shopify Collaborator Request, resolved
874778, https://hackerone.com/reports/874778, Partial password leak over DNS on HTTP redirect, resolved
874924, https://hackerone.com/reports/874924, RCE (Remote code execution) in one of DoD's websites , resolved
875049, https://hackerone.com/reports/875049, Register with non accepted email types on https://███████, resolved
875775, https://hackerone.com/reports/875775, Invalid write (or double free) triggers curl command line tool crash, informative
875938, https://hackerone.com/reports/875938, User session access due to Oauth whitelist host bypass and postMessage, resolved
876022, https://hackerone.com/reports/876022, RPC Implementation allows unauthenticated remote calls, resolved
876148, https://hackerone.com/reports/876148, DOM XSS on duckduckgo.com search, resolved
876257, https://hackerone.com/reports/876257, Integer Overflow (CVE_2017_7529), resolved
876295, https://hackerone.com/reports/876295, Misuse of an authentication cookie combined with a path traversal on app.starbucks.com permitted access to restricted data, resolved
876300, https://hackerone.com/reports/876300, Singapore - Account Takeover via IDOR, resolved
876708, https://hackerone.com/reports/876708, Remote Code Execution through DNN Cookie Deserialization , resolved
876719, https://hackerone.com/reports/876719, Signedness issue in ClassInfo message handler leads to RCE on CS:GO client, resolved
876751, https://hackerone.com/reports/876751, Private RSA key and Server key exposed on the GitHub repository, not-applicable
876800, https://hackerone.com/reports/876800, Time-base SQL Injection in Search Users, resolved
877300, https://hackerone.com/reports/877300, User with single department permission can view applicant list of all department's, resolved
877303, https://hackerone.com/reports/877303, Internal IP addresses range and AWS cluster region leaked in a Github repository , informative
877402, https://hackerone.com/reports/877402, Hard coded Username and password in GiHub commit, informative
877515, https://hackerone.com/reports/877515, [keyd] Prototype pollution, resolved
877598, https://hackerone.com/reports/877598, PII/PHI data available on web https://████████Portals/22/Documents/Meetings, resolved
877642, https://hackerone.com/reports/877642, GraphQL field on Team node can be used to determine if External Program runs invite-only program, resolved
878145, https://hackerone.com/reports/878145, Blind stored XSS due to insecure contact form at https://www.topcoder.com leads to leakage of session token and other PII, resolved
878181, https://hackerone.com/reports/878181, Child process environment injection via prototype pollution, informative
878332, https://hackerone.com/reports/878332, [object-path-set] Prototype pollution, resolved
878339, https://hackerone.com/reports/878339, [extend-merge] Prototype pollution, resolved
878394, https://hackerone.com/reports/878394, [objtools] Prototype pollution, resolved
878420, https://hackerone.com/reports/878420, [windows-edge] RCE via insecure command formatting, resolved
878434, https://hackerone.com/reports/878434, vidyard api auth_token exposed, resolved
878779, https://hackerone.com/reports/878779, Full Read SSRF on Gitlab's Internal Grafana, resolved
879389, https://hackerone.com/reports/879389, MySQL username and password leaked on [2017.russianaicup.ru], resolved
879562, https://hackerone.com/reports/879562, Admin Reseller Account Disclosure, resolved
879582, https://hackerone.com/reports/879582, CORS Misconfiguration, could lead to disclosure of users information, resolved
879740, https://hackerone.com/reports/879740, Repositories of datanucleus are fetched over insecure protocol (http insted of https), resolved
879803, https://hackerone.com/reports/879803, Bypass of SSRF Vulnerability, duplicate
879960, https://hackerone.com/reports/879960, IDOR: Adding Contacts to Other User Groups, resolved
879984, https://hackerone.com/reports/879984, DOM-based XSS in d.miwifi.com on IE 11, resolved
880089, https://hackerone.com/reports/880089, Smartsheet employees email disclosure through enpoint after login., resolved
880099, https://hackerone.com/reports/880099, Unrestricted file upload leads to Stored XSS, resolved
880187, https://hackerone.com/reports/880187, Near to Infinite loop when changing Group's name that has API token as Team Member, resolved
880591, https://hackerone.com/reports/880591, Blind XSS via  Digital Ocean Partner account creation form., informative
880730, https://hackerone.com/reports/880730, SSO Provider Credential Cache (logged out of Google/GitHub, could still log into Courier), informative
880863, https://hackerone.com/reports/880863, Todos are not redacted when membership changes - Access to (confidential) issues and merge requests, resolved
881004, https://hackerone.com/reports/881004, AWS S3 bucket writeable for authenticated AWS users, resolved
881186, https://hackerone.com/reports/881186, [www.stripo.email] You can bypass the speed limit by changing the IP., resolved
881548, https://hackerone.com/reports/881548, Default credentials for the temporary POC site alipoc.stg.starbucks.com.cn permitted WAF bypass and RCE, resolved
881713, https://hackerone.com/reports/881713, [last-commit-log] Command Injection, resolved
881733, https://hackerone.com/reports/881733, Collected Telegraf Matrics Accessible , resolved
881855, https://hackerone.com/reports/881855, Arbitrary change of blog's background image via CSRF, resolved
881891, https://hackerone.com/reports/881891, File System Monitoring Queue Overflow, informative
881901, https://hackerone.com/reports/881901, SQL injection at fleet.city-mobil.ru, resolved
882220, https://hackerone.com/reports/882220, XSS via X-Forwarded-Host header, resolved
882258, https://hackerone.com/reports/882258, New users can read all Nextcloud Deck data from previous user with same username, resolved
882412, https://hackerone.com/reports/882412, OrderListInitial leaks order details, resolved
882475, https://hackerone.com/reports/882475, Database read through provider misconfiguration, resolved
882546, https://hackerone.com/reports/882546, DOM-Based XSS in tumblr.com, resolved
882733, https://hackerone.com/reports/882733, Insecure file upload in xiaoai.mi.com Lead to Stored  XSS, resolved
882848, https://hackerone.com/reports/882848, Possibilty to purchase Ultimate - 1 Year (EDU or OSS), resolved
882923, https://hackerone.com/reports/882923, DoS for client-go jsonpath func, resolved
882942, https://hackerone.com/reports/882942, [www.werkenbijderet.nl] There is no rate limit for vacature-alert endpoints, resolved
883104, https://hackerone.com/reports/883104, Directory traversal allows execution of arbitrary binaries usign doveadm exec, informative
883151, https://hackerone.com/reports/883151, Singapore - Unrestricted File Upload Leads to XSS on campaign.starbucks.com.sg/api/upload, resolved
883606, https://hackerone.com/reports/883606, Missing (or redundant) null check in `dcrypt_openssl_sign`, informative
883731, https://hackerone.com/reports/883731, Minor Account Privacy can Set to Everyone., resolved
883867, https://hackerone.com/reports/883867, Inject page in admin panel via Shopify.API.pushState [New Payload], resolved
884159, https://hackerone.com/reports/884159, Ability to generate shipping labels in another store orders, resolved
884756, https://hackerone.com/reports/884756, xmlrpc.php FILE IS enable which enables attacker to XSPA Brute-force and even Denial of Service(DOS), in https://████/xmlrpc.php, resolved
884931, https://hackerone.com/reports/884931, Stored xss in larksuite internal helpdesk and other user's helpdesk., resolved
885031, https://hackerone.com/reports/885031, [commit-msg] RCE via insecure command formatting, resolved
885041, https://hackerone.com/reports/885041, The password of a mail share is not hashed if the password is given when the share is created, resolved
885975, https://hackerone.com/reports/885975, My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft, resolved
887167, https://hackerone.com/reports/887167, multiple email usage -my.stripo.email-, resolved
887302, https://hackerone.com/reports/887302, XSS reflected in https://tableau.engelvoelkers.com/, resolved
887321, https://hackerone.com/reports/887321, Uploading large payload on domain instructions causes server-side DoS, resolved
887462, https://hackerone.com/reports/887462, curl overwrite local file with -J, resolved
887589, https://hackerone.com/reports/887589, [MY.GAMES] XSS в мессенджере, resolved
887611, https://hackerone.com/reports/887611, [H1-2006 2020] H1-2006 CTF Writeup, resolved
887744, https://hackerone.com/reports/887744, [H1-2006 2020]  Got the flag, resolved
887766, https://hackerone.com/reports/887766, [H1-2006 2020]   CTF Writeup, resolved
887816, https://hackerone.com/reports/887816, [H1-2006 2020] I made the CEO's bounty payment!, resolved
887879, https://hackerone.com/reports/887879, xss stored in https://your store.myshopify.com/admin/, resolved
887889, https://hackerone.com/reports/887889, [H1-2006 2020]  H1-CTF writeup, resolved
887968, https://hackerone.com/reports/887968, Local SQL Injection in Content Provider (ru.mail.data.contact.ContactsProvider) of Mail.ru for Android, version 12.2.0.29734, resolved
887993, https://hackerone.com/reports/887993, [H1-2006 2020] CTF, resolved
888021, https://hackerone.com/reports/888021, [wappalyzer] ReDoS allows an attacker to completely break Wappalyzer, resolved
888030, https://hackerone.com/reports/888030, [wappalyzer] ReDoS allows an attacker to completely break Wappalyzer, resolved
888141, https://hackerone.com/reports/888141, [H1-2006 2020] Flag for H1-CTF, resolved
888176, https://hackerone.com/reports/888176, HTTP Host injection in redirect_to function, informative
888254, https://hackerone.com/reports/888254, stored xss путём загрузки вредоносного файла + обход загрузки файлов., resolved
888261, https://hackerone.com/reports/888261, The password of a mail share is not set if the password is given when the share is created (Nextcloud < 18), resolved
888331, https://hackerone.com/reports/888331, [H1-2006 2020]  ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$, resolved
888694, https://hackerone.com/reports/888694, mail.ru/touch xss(r) debug parameter, resolved
888729, https://hackerone.com/reports/888729, Read-Only user can delete users, resolved
888929, https://hackerone.com/reports/888929, Private file read through file attachment, resolved
888930, https://hackerone.com/reports/888930, SAML Response Reuse on hackerone.com/users/saml/auth, resolved
888939, https://hackerone.com/reports/888939, [H1-2006 2020] CTF Writeup, resolved
888986, https://hackerone.com/reports/888986, [CVE-2020-10543] Buffer overflow caused by a crafted regular expression, resolved
889041, https://hackerone.com/reports/889041, DOM XSS through ads, resolved
889160, https://hackerone.com/reports/889160, Poll loop/hang on incomplete HTTP header, informative
889243, https://hackerone.com/reports/889243, Re-Sharing allows increase of privileges, resolved
889246, https://hackerone.com/reports/889246, Bypassing Rate limit for forgot password by using different ip addresses, resolved
889293, https://hackerone.com/reports/889293, [H1-2006 2020] CTF Writeup!, resolved
889333, https://hackerone.com/reports/889333, [H1-2006 2020]  The Story of Making Bounty Hunters Happy, resolved
889793, https://hackerone.com/reports/889793, [H1-2006 2020]  36 hours of brain cycles utilized on solving a neat puzzle, resolved
889795, https://hackerone.com/reports/889795, Allows any user to share their "Root" level folder by sharing ".", resolved
889874, https://hackerone.com/reports/889874, [account.mail.ru] XSS-уязвимость в форме авторизации, resolved
890196, https://hackerone.com/reports/890196, [H1-2006 2020]  Multiple vulnerabilities lead to CEO account takeover and paid bounties, resolved
890228, https://hackerone.com/reports/890228, lenta_proxy information disclosure, resolved
890272, https://hackerone.com/reports/890272, [H1-2006 2020]  "Swiss Cheese" design style leads to helping Mårten Mickos pay poor hackers, resolved
890285, https://hackerone.com/reports/890285, Information disclosure at https://printshop.engelvoelkers.com/packages/.bash_history, resolved
890513, https://hackerone.com/reports/890513, Sidekiq Dashboard Publicly accessible at http://shopper.staging.instamart.ru/sidekiq/, resolved
890555, https://hackerone.com/reports/890555, [H1-2006 2020] CTF write-up, resolved
890747, https://hackerone.com/reports/890747, PIN OK attack, resolved
890793, https://hackerone.com/reports/890793, Panic: Input stream data unexpectedly has references, resolved
890798, https://hackerone.com/reports/890798, Panic in file smtp-address.c: line 684 (smtp_address_write): assertion failed: (smtp_char_is_qpair(*p)), resolved
891069, https://hackerone.com/reports/891069, null dereference in `sieve_address_do_validate` (or redundant null check), resolved
891080, https://hackerone.com/reports/891080, Null pointer deference in call to `mail_get_flags`, resolved
891093, https://hackerone.com/reports/891093, [H1-2006 2020] Solution for the h1-2006 CTF challenge, resolved
891270, https://hackerone.com/reports/891270, [Uppy] Internal Server side request forgery (bypass of #786956), resolved
891846, https://hackerone.com/reports/891846, CVE-2020-9383 Floppy OOB read, resolved
892049, https://hackerone.com/reports/892049, Stored XSS & SSRF in Lark Docs, resolved
892289, https://hackerone.com/reports/892289, self-xss with ClickJacking can leads to account takeover in Firefox, resolved
892337, https://hackerone.com/reports/892337, [H1-2006 2020] [CTF Writeup] A story about Bounty Payments, Collaboration & Community, resolved
892510, https://hackerone.com/reports/892510, ICQ Android APP remote DoS, resolved
892610, https://hackerone.com/reports/892610, [www.werkenbijbakertilly.nl] Information Disclosure, resolved
892632, https://hackerone.com/reports/892632, [H1-2006 2020] CTF writeup, resolved
892667, https://hackerone.com/reports/892667, Subdomain takeover of ███, resolved
892717, https://hackerone.com/reports/892717, Reflected XSS via IE, resolved
892904, https://hackerone.com/reports/892904, Ability to link a Google account to another staff account/store owner that isn't linked yet, resolved
892986, https://hackerone.com/reports/892986, Blindy Replace User's Session with Attacker's Session, resolved
893085, https://hackerone.com/reports/893085, 2FA Disable With Wrong Password - Response Tampering., resolved
893240, https://hackerone.com/reports/893240, Cross-Site Scripting thorough XSSJacking/PasteJacking Technique , informative
893305, https://hackerone.com/reports/893305, [H1-2006 2020] CTF Writeup, resolved
893353, https://hackerone.com/reports/893353, Web cache information leakage at sbermarket.ru, resolved
893395, https://hackerone.com/reports/893395, [H1-2006 2020] CTF Writeup, resolved
893745, https://hackerone.com/reports/893745, Users information leak at sbermarket.ru, resolved
893856, https://hackerone.com/reports/893856, Blind SSRF in horizon-heat, resolved
893922, https://hackerone.com/reports/893922, IP-in-IP protocol routes arbitrary traffic by default - CVE-2020-10136, resolved
893970, https://hackerone.com/reports/893970, Sensitive information about a ██████, resolved
894110, https://hackerone.com/reports/894110, h1-ctf writeup , finally paid the payments by chaining multiple bugs, resolved
894165, https://hackerone.com/reports/894165, [h1-2006 CTF] Payments for May have been processed!, resolved
894170, https://hackerone.com/reports/894170, [H1-2006 2020] Writeup, resolved
894174, https://hackerone.com/reports/894174, [H1-2006 2020] In-depth resolution of the h1-2006 CTF, resolved
894198, https://hackerone.com/reports/894198, [H1-2006 2020]  Includes 1 free content discovery, resolved
894308, https://hackerone.com/reports/894308, Arbitrary code execution via untrusted schemas in is-my-json-valid, resolved
894431, https://hackerone.com/reports/894431, Subdomain Takeover at blog.instamart.ru, resolved
894446, https://hackerone.com/reports/894446, Null dereference in mcht_relational_validate ext-relational-common.c:136, resolved
894518, https://hackerone.com/reports/894518, xss on polaris.shopify.com/demo using postMessage, resolved
894569, https://hackerone.com/reports/894569, An attacker can run pipeline jobs as arbitrary user, resolved
894604, https://hackerone.com/reports/894604, [H1-2006 2020] CTF write-up, resolved
894623, https://hackerone.com/reports/894623, @shakedko H1-2006 CTF writeup, resolved
894657, https://hackerone.com/reports/894657, Subdomain takeover on tilda.geekbrains.ru and fl-change.geekbrains.ru, resolved
894863, https://hackerone.com/reports/894863, [H1-2006 2020] From multiple vulnerabilities to complete ATO on any customer account and staff admin, resolved
894876, https://hackerone.com/reports/894876, XSS through image upload of contacts using svg file, resolved
894880, https://hackerone.com/reports/894880, Email HTML injection , not-applicable
894915, https://hackerone.com/reports/894915, XSS on opening a malicious OpenOffice text document, resolved
894918, https://hackerone.com/reports/894918, XSS on opening malicious OpenOffice presentation document, resolved
894919, https://hackerone.com/reports/894919, XSS on opening malicious OpenOffice presentation document, resolved
894922, https://hackerone.com/reports/894922, [3DS][SSL] Improper certificate validation allows an attacker to perform MitM attacks, resolved
894949, https://hackerone.com/reports/894949, [H1-2006 2020] Exploiting multiple vulnerabilities to get hacker's payment ensured, resolved
895172, https://hackerone.com/reports/895172, [H1-2006 2020] Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or using a custom API attack tool, resolved
895202, https://hackerone.com/reports/895202, [H1-2006 2020] Multiple vulnerabilities allow to leak sensitive information , resolved
895551, https://hackerone.com/reports/895551, Grafana SSRF in grafana.instamart.ru, resolved
895587, https://hackerone.com/reports/895587, [H1-2006 2020] How I solved my first H1 CTF, resolved
895650, https://hackerone.com/reports/895650, [h1-2006 2020]  Chained vulnerabilities lead to account takeover, resolved
895696, https://hackerone.com/reports/895696, Blind SSRF on https://labs.data.gov/dashboard/Campaign/json_status/ Endpoint, resolved
895722, https://hackerone.com/reports/895722, [h1-2006 CTF] Multiple vulnerabilities leading to account takeover and two-factor authentication bypass allows to send pending bounty payments, resolved
895727, https://hackerone.com/reports/895727, Rack parses encoded cookie names allowing an attacker to send malicious `__Host-` and `__Secure-` prefixed cookies, resolved
895730, https://hackerone.com/reports/895730, Contacts menu (not app) fails to restrict (to local groups) for contacts from federated servers, resolved
895769, https://hackerone.com/reports/895769, [3DS][SSL] Use of uninitialized class member leads to RCE in eShop movie player, resolved
895772, https://hackerone.com/reports/895772, [h1-2006 2020] Write up for H1-2006 CTF, resolved
895778, https://hackerone.com/reports/895778, [H1-2006] CTF Writeup, resolved
895780, https://hackerone.com/reports/895780, [h1-2006 2020] CTF Walkthrough, resolved
895798, https://hackerone.com/reports/895798, [H1-2006 2020] Bounty Pay CTF challenge, resolved
895824, https://hackerone.com/reports/895824, [h1-2006 2020] Bounty payments are done !, resolved
895917, https://hackerone.com/reports/895917, DOM Based XSS at docs.8x8.com, resolved
895972, https://hackerone.com/reports/895972, Limited LFI, resolved
896018, https://hackerone.com/reports/896018, [service.engelvoelkers.com] XSS in /video/id, resolved
896093, https://hackerone.com/reports/896093, (CORS) Cross-origin resource sharing misconfiguration, resolved
896511, https://hackerone.com/reports/896511, XSS in image metadata field, resolved
896522, https://hackerone.com/reports/896522, Reflected XSS when renaming a file with a vulnerable name which results in an error, resolved
896648, https://hackerone.com/reports/896648, Получение гарантированного дохода и бонусов без фактического исполнения заказов, при этом используя аккаунты не существующих людей., resolved
896649, https://hackerone.com/reports/896649, [smena.samokat.ru] Predictable JWT secret, resolved
897385, https://hackerone.com/reports/897385, 2FA bypass by sending blank code, resolved
897556, https://hackerone.com/reports/897556, SSH port on store.greenhouse.io is vulnerable to brute force attacks, informative
897606, https://hackerone.com/reports/897606, [3DS][SSL][SDK] Unchecked number of audio channels in Mobiclip SDK leads to RCE in eShop movie player, resolved
897974, https://hackerone.com/reports/897974, Arbitrary code execution via untrusted schemas in ajv, resolved
898269, https://hackerone.com/reports/898269, Открытая админка 1C эмулятора, resolved
898344, https://hackerone.com/reports/898344, Reflected XSS in "keywords" parameter at "https://sbermarket.ru/metro/search", resolved
898522, https://hackerone.com/reports/898522, Source code and internal credentials disclosure, resolved
898528, https://hackerone.com/reports/898528, GraphQL AdminGenerateSessionPayload is leaked to staff with no permission, resolved
898614, https://hackerone.com/reports/898614, DRb denial of service vulnerability, informative
898693, https://hackerone.com/reports/898693, Out of memory with combination of `test_config_set` and `test_config_reload`, resolved
898841, https://hackerone.com/reports/898841, Password reset link not expired at Stocky App, resolved
899069, https://hackerone.com/reports/899069, Untrusted users able to run pending migrations in production, resolved
899954, https://hackerone.com/reports/899954, XSS in message attachment fileds., resolved
899964, https://hackerone.com/reports/899964, XSS leads to RCE on the RocketChat desktop client., resolved
900062, https://hackerone.com/reports/900062, Subdomain takeover of ████, resolved
900137, https://hackerone.com/reports/900137, PII Leak (such as CAC User ID) at https://████████/pages/login.aspx, resolved
900179, https://hackerone.com/reports/900179, Unrestricted File Upload Leads to XSS & Potential RCE, resolved
900543, https://hackerone.com/reports/900543, Stored XSS that allow an attacker to read victim mailboxes contacts in mail.ru and my.com application, resolved
900548, https://hackerone.com/reports/900548, Buffer over read from `smtp_command_parse_parameters`, resolved
900573, https://hackerone.com/reports/900573, xss on [storehouse5.ucs.ru], resolved
900618, https://hackerone.com/reports/900618, SSRF at jira.plazius.ru - CVE-2019-8451, resolved
900619, https://hackerone.com/reports/900619, Reflected XSS on transact.playstation.com using postMessage from the opening window, resolved
900662, https://hackerone.com/reports/900662, SQL Injection at https://lite.r-keeper.ru/site_api/localize/translate/rklscommon/ru, resolved
900685, https://hackerone.com/reports/900685, SQL Injection at https://lite.r-keeper.ru/site_api/clients/derision/?lang=ru, resolved
900930, https://hackerone.com/reports/900930, Логи/sql запросы на http://mx36.ucs.ru/ и reflected XSS., resolved
900973, https://hackerone.com/reports/900973,  [self?] XSS в адресе пользователя [sbermarket.ru], resolved
901050, https://hackerone.com/reports/901050, Blind SSRF on http://info.ucs.ru/settings/check/, resolved
901064, https://hackerone.com/reports/901064, Reflected XSS on http://info.ucs.ru/settings/check/, resolved
901210, https://hackerone.com/reports/901210, Redmin API Key Exposed In GIthub , resolved
901377, https://hackerone.com/reports/901377, Stored XSS at ██████userprofile.aspx, resolved
901542, https://hackerone.com/reports/901542, Брутфорс sms кода подтверждения для смены номера телефона в аккаунте LootDog., resolved
901720, https://hackerone.com/reports/901720, Пользователь может изменить номер телефона в профиле без СМС подтверждения, resolved
901728, https://hackerone.com/reports/901728, SocialClub Account Take Over Through Import Friends feature, resolved
901775, https://hackerone.com/reports/901775, Get analytics token using only apps permission, resolved
901799, https://hackerone.com/reports/901799, Stored XSS on ████████helpdesk, resolved
901956, https://hackerone.com/reports/901956, SMTP Header Injection at http://abonement.ucs.ru, resolved
902064, https://hackerone.com/reports/902064, Sensitive information exposure via git commit, resolved
902322, https://hackerone.com/reports/902322, Source code disclosure at ███, resolved
902336, https://hackerone.com/reports/902336, Data URI Stored XSS on Donations Page, resolved
902733, https://hackerone.com/reports/902733, Sensitive Info Leak - An Attacker Can Retrieve All the Users Mobile Numbers at https://website-api.production.curve.app/api/waitlist/us, resolved
902739, https://hackerone.com/reports/902739, bunyan - RCE via insecure command formatting, resolved
903363, https://hackerone.com/reports/903363, No Rate Limiting On Phone Number Login Leads to Login Bypass, resolved
903424, https://hackerone.com/reports/903424, SSL certificate not validated when registering with a provider, resolved
903521, https://hackerone.com/reports/903521, Fastify uses allErrors: true ajv configuration by default which is susceptible to DoS, resolved
903740, https://hackerone.com/reports/903740, Denial of Service | twitter.com & mobile.twitter.com, resolved
903869, https://hackerone.com/reports/903869, [bugs.fuzzing-project.org] HTML Injection via 'custom_field_7[]' parameter in '/view_all_set.php', resolved
903872, https://hackerone.com/reports/903872, Remote Code Execution through "Files_antivirus" plugin, resolved
904059, https://hackerone.com/reports/904059, Open Redirect (6.0.0 < rails < 6.0.3.2), resolved
904064, https://hackerone.com/reports/904064, Dashboard sharing enables code injection into ████ emails, resolved
904659, https://hackerone.com/reports/904659, PII Leak via /███████, resolved
904671, https://hackerone.com/reports/904671, Access to requests and approvals via /█████ allows sensitive information gathering, resolved
904672, https://hackerone.com/reports/904672, Server-side Template Injection in lodash.js , informative
905015, https://hackerone.com/reports/905015, Long filenames cause OOM and temp files are not cleaned, resolved
905194, https://hackerone.com/reports/905194, Improper Restriction of Excessive Authentication Attempts at https://ucs.ru/login, resolved
905543, https://hackerone.com/reports/905543, Low Privileged user can add or remove cash to/from sales register, resolved
905607, https://hackerone.com/reports/905607, [cs.money] Open Redirect Leads to Account Takeover, resolved
905641, https://hackerone.com/reports/905641, [OPEN S3 BUCKET] All uploaded files are public. , resolved
905679, https://hackerone.com/reports/905679, PII Leak via /████████, resolved
905688, https://hackerone.com/reports/905688, PII Leak via /██████, resolved
905692, https://hackerone.com/reports/905692, Missing rate limit in signup Form , resolved
905756, https://hackerone.com/reports/905756, Access admin interface via bad credentials, resolved
905816, https://hackerone.com/reports/905816, No Rate Limit when accessing "Password protection" enabled surveys leads to bypassing passwords via "pd-pass_surveyid" cookie, resolved
905831, https://hackerone.com/reports/905831, Logout page does not prevent CSRF, informative
906201, https://hackerone.com/reports/906201, XSS / SELF XSS, resolved
906226, https://hackerone.com/reports/906226, disable test send feature if user's email address isn't verified, resolved
906322, https://hackerone.com/reports/906322, Github wikis are editable by anyone https://github.com/nextcloud/bookmarks/wiki, resolved
906790, https://hackerone.com/reports/906790,  Account Takeover on unverified emails in File Sync & Share , resolved
906890, https://hackerone.com/reports/906890, SSRF in www.ucs.ru, resolved
906907, https://hackerone.com/reports/906907, IDOR with Geolocation data not stripped from images, resolved
906959, https://hackerone.com/reports/906959, [cloudron-surfer] Denial of Service via LDAP Injection, resolved
907311, https://hackerone.com/reports/907311, [meemo-app] Denial of Service via LDAP Injection, resolved
907701, https://hackerone.com/reports/907701, PHPinfo page on  http://█████.callstats.io, resolved
907819, https://hackerone.com/reports/907819, Blind SSRF in magnum upgrade_params, resolved
907867, https://hackerone.com/reports/907867, HTML/iframe/XSS injection on https://www.ucs.ru/online/shelter/settings/check/, resolved
908162, https://hackerone.com/reports/908162, Acronis True Image Local Privilege Escalation via insecure folder permissions, resolved
908818, https://hackerone.com/reports/908818, [ICQ] nwwwstg-d01.ops.icq.com check mk agent exposed to public, resolved
908880, https://hackerone.com/reports/908880, Private IP addresses Disclosure, informative
908894, https://hackerone.com/reports/908894, Null dereference or redundant null check in `mail_crypt_load_global_private_key` for plugin mail-crypt, resolved
909166, https://hackerone.com/reports/909166, Log files Leaked In mcsblog.ru, resolved
909576, https://hackerone.com/reports/909576, reflected xss in ██████, duplicate
909757, https://hackerone.com/reports/909757, [is-my-json-valid] ReDoS via 'style' format, resolved
909863, https://hackerone.com/reports/909863, Low privileged user can create high privileged user's KITCRM authorization token and can read and write message to KIT, resolved
910206, https://hackerone.com/reports/910206, property-expr - Prototype pollution, resolved
910398, https://hackerone.com/reports/910398, Mail.ru for Android - Theft of sensitive data, resolved
910427, https://hackerone.com/reports/910427, XSS on Videos IA, resolved
910711, https://hackerone.com/reports/910711, [stories.showmax.com] Cross Origin Misconfiguration - Sensitive Information Exposure, informative
911606, https://hackerone.com/reports/911606, Leaked JFrog Artifactory  username and password exposed on GitHub - https://snapchat.jfrog.io, resolved
911857, https://hackerone.com/reports/911857, increased privileges on staff account, resolved
911880, https://hackerone.com/reports/911880, No rate Limit on Licenses Activation , resolved
912161, https://hackerone.com/reports/912161, Messages disclosure via search feature of other users group(Cross-Tenant)., resolved
912865, https://hackerone.com/reports/912865, Stored XSS at https://app.smtp2go.com/settings/users/  , resolved
913276, https://hackerone.com/reports/913276, Server-Side Request Forgery in "icons.bitwarden.net", resolved
913695, https://hackerone.com/reports/913695, Remote Code Execution via CVE-2019-18935, resolved
914194, https://hackerone.com/reports/914194, Publicly accessible .SVN repository allows downloading entire source code, resolved
914232, https://hackerone.com/reports/914232, CSRF on comment post, not-applicable
914286, https://hackerone.com/reports/914286, Stored self XSS at auto.mail.ru using add_review functionality, resolved
914331, https://hackerone.com/reports/914331, IDOR on notes to HTML injection, resolved
914392, https://hackerone.com/reports/914392, Remote Code Execution (RCE) at "juid" parameter in /get_zip.php (printshop.engelvoelkers.com), resolved
914427, https://hackerone.com/reports/914427, SQL Injection at /displayPDF.php (printshop.engelvoelkers.com), resolved
914472, https://hackerone.com/reports/914472, Открытая админка Tarantool, resolved
914719, https://hackerone.com/reports/914719, Information disclosure via Spring Boot Actuators on gonext-stage.engelvoelkers.com, resolved
914801, https://hackerone.com/reports/914801, XXE on www.publish.engelvoelkers.com, resolved
914877, https://hackerone.com/reports/914877, Improper Restriction of Excessive Authentication Attempts at https://mirror.w1.dwar.ru/login.php, resolved
915073, https://hackerone.com/reports/915073, Stored XSS via Comment Form at ████████, resolved
915110, https://hackerone.com/reports/915110, No Email Checking at Invitation Confirmation Link leads to Account Takeover without User Interaction at CrowdSignal, resolved
915114, https://hackerone.com/reports/915114, IDOR when editing users leads to Account Takeover without User Interaction at CrowdSignal, resolved
915127, https://hackerone.com/reports/915127, IDOR when moving contents at CrowdSignal, resolved
915133, https://hackerone.com/reports/915133, IDOR at 'media_code' when addings media to questions, resolved
915140, https://hackerone.com/reports/915140, Users can bypass page restrictions via Export feature at "Share" feature in CrowdSignal, resolved
915331, https://hackerone.com/reports/915331, Account Takeover via Forgot Password Page at https://3k.mail.ru/send_password.php?, resolved
915346, https://hackerone.com/reports/915346, xss while uploading a file, resolved
915541, https://hackerone.com/reports/915541, Cross-Site WebSocket Hijacking Lead to Steal XSRF-TOKEN, resolved
915573, https://hackerone.com/reports/915573, Reflected XSS on ███████ page, resolved
915585, https://hackerone.com/reports/915585, Social App does not validate server certificates for outgoing connections, resolved
915649, https://hackerone.com/reports/915649, Subdomain Takeover of multiple *.ttcdn.co domains, resolved
915756, https://hackerone.com/reports/915756, [tumblr.com] 69< Firefox Only  XSS Reflected, resolved
915813, https://hackerone.com/reports/915813, Improper authentication on phpmyadmin portal which is hosted in https://eventapp.engelvoelkers.com, resolved
915940, https://hackerone.com/reports/915940, Script Editor preview token still working with uninstalled application, even for unpublished script, resolved
916170, https://hackerone.com/reports/916170, SPF Misconfiguration, informative
916430, https://hackerone.com/reports/916430, [json-bigint] DoS via `__proto__` assignment, resolved
916704, https://hackerone.com/reports/916704, Access control missing while viewing the attachments in the "All boards", resolved
917213, https://hackerone.com/reports/917213, Session not invalidated after password reset, resolved
917688, https://hackerone.com/reports/917688, [combo.mail.ru] SMS code bruteforce, resolved
917791, https://hackerone.com/reports/917791, Improper Restriction of Excessive Authentication Attempts at o2-ac.my.com/token, resolved
917843, https://hackerone.com/reports/917843, Unsafe deserialization in Nexus Repository helm plugin, resolved
917875, https://hackerone.com/reports/917875, STAFF "No-Permissions" on the Store can retrieve the details Order via exchangeReceiptSend, resolved
918923, https://hackerone.com/reports/918923, Clickjacking Vulnerability via https://webagent.mail.ru leading to protection bypass for https://web.icq.com/ end point, resolved
918946, https://hackerone.com/reports/918946, Subdomain takeover due to an unclaimed Amazon S3 bucket on ███, resolved
919112, https://hackerone.com/reports/919112, Authenticity token doesnt expire after single use leading to CSRF, informative
919175, https://hackerone.com/reports/919175, HTTP request smuggling on Basecamp 2 allows web cache poisoning, resolved
919241, https://hackerone.com/reports/919241, Open Redirect at "city-mobil.ru", resolved
919429, https://hackerone.com/reports/919429, Full path disclosure vulnerability  via Upload .htaccess file, informative
919859, https://hackerone.com/reports/919859, stored xss in app.lemlist.com, resolved
920357, https://hackerone.com/reports/920357, Captcha checker "pd-captcha_form_SURVEYID" cookie is accepting any value, resolved
920548, https://hackerone.com/reports/920548, Improper Restriction of Excessive Authentication Attempts at https://api.warrobots.com/auth (Pixonic Games), resolved
920926, https://hackerone.com/reports/920926, [mijn.werkenbijdefensie.nl] Denial of service occurs due to lack of email length confirmation, resolved
921286, https://hackerone.com/reports/921286, Denial of Service  [Chrome], resolved
921288, https://hackerone.com/reports/921288, Arbitrary File delete via PHAR deserialization, resolved
921635, https://hackerone.com/reports/921635, DOM XSS on duckduckgo.com search, resolved
921675, https://hackerone.com/reports/921675, Uncontrolled Search Path Element allows DLL hijacking for priv esc to SYSTEM, resolved
921704, https://hackerone.com/reports/921704, Denial-of- service By Cache Poisoning The Cross-Origin Resource Sharing Misconfiguration Allow Origin Header, resolved
921709, https://hackerone.com/reports/921709, Clickjacking on donation page, resolved
921717, https://hackerone.com/reports/921717, Improper access control to messages of Social app, resolved
922418, https://hackerone.com/reports/922418, SMS Brute Force Possibility via https://youdrive.today/login/web/code can lead to Account Takeover, resolved
922446, https://hackerone.com/reports/922446, [https://youdrive.today/] Nginx directory traversal, resolved
922456, https://hackerone.com/reports/922456, Ability to bypass email verification for OAuth grants results in accounts takeovers on 3rd parties, resolved
922470, https://hackerone.com/reports/922470, No rate limiting on sinup page, resolved
922496, https://hackerone.com/reports/922496, DOM XSS on https://www.███████, resolved
922506, https://hackerone.com/reports/922506, Subdomain takeover at msproject.geekbrains.ru, resolved
922559, https://hackerone.com/reports/922559, Account takeover in cups.mail.ru using punycode characters, resolved
922567, https://hackerone.com/reports/922567, SQL injection (stacked queries) in the export to Excel functionality on Vidyo Server, resolved
922597, https://hackerone.com/reports/922597, HTTP Request Smuggling due to CR-to-Hyphen conversion, resolved
923022, https://hackerone.com/reports/923022, Administrative access to development deployment of web service due to auto-filled credentials, resolved
923132, https://hackerone.com/reports/923132, Server Side Request Forgery (SSRF) at app.hellosign.com leads to AWS private keys disclosure, resolved
923240, https://hackerone.com/reports/923240, [3DS][StreetPass] Heap Overflow in Swapnote parser leads to userland StreetPass RCE, resolved
923679, https://hackerone.com/reports/923679, stored xss via Campaign Name., resolved
923759, https://hackerone.com/reports/923759, Edit Policy restriction does not prevent comments., informative
923851, https://hackerone.com/reports/923851, IDOR of contracts on dictor.mail.ru, resolved
923864, https://hackerone.com/reports/923864, RXSS - ████, resolved
924393, https://hackerone.com/reports/924393, PIN for passwordless WebAuthn is asked for but not verified, resolved
924407, https://hackerone.com/reports/924407, Local File Disclosure /Delete On [us-az-vpn.acronis.com], resolved
924485, https://hackerone.com/reports/924485, Path traversal on bank.mail.ru ( CVE-2013-3827 ), resolved
924487, https://hackerone.com/reports/924487, Exposed Docker Registry at https://████, resolved
924650, https://hackerone.com/reports/924650, Reflected XSS in https://www.██████/, resolved
924914, https://hackerone.com/reports/924914, Access to information about any video and its owner via GraphQL endpoint [dictor.mail.ru], resolved
924951, https://hackerone.com/reports/924951, CORS misconfiguration leads to users information disclosure at https://studyroom.line.me, resolved
925007, https://hackerone.com/reports/925007, blind sql on [selfcare.mtn.com.af], resolved
925425, https://hackerone.com/reports/925425, CVE-2018-6389 exploitation - using scripts loader, resolved
925513, https://hackerone.com/reports/925513, Unrestricted File Upload in Chat Window, resolved
925519, https://hackerone.com/reports/925519, [play.mtn.co.za] Application level DoS via xmlrpc.php, resolved
925527, https://hackerone.com/reports/925527, Blind HTTP GET SSRF via website icon fetch (bypass of pull#812), resolved
925585, https://hackerone.com/reports/925585, RCE via npm misconfig -- installing internal libraries from the public registry, resolved
925757, https://hackerone.com/reports/925757, Getting SmartDNS for free from -  join.nordvpn.com, resolved
926093, https://hackerone.com/reports/926093, Secret_key in GitHub, informative
926222, https://hackerone.com/reports/926222, Vulnerability in Private Data Endorsement Policy Management in Hyperledger Fabric 2.0, informative
926228, https://hackerone.com/reports/926228, Bypass OTP on contact back request at https://driver.city-mobil.ru/, resolved
926638, https://hackerone.com/reports/926638, curl overwrites local file with -J option if file non-readable, but file writable., informative
927338, https://hackerone.com/reports/927338, LINE Profile ID leaks in OpenChat, resolved
927384, https://hackerone.com/reports/927384, Race Condition when following a user, resolved
927413, https://hackerone.com/reports/927413,  The vulnerabilities found were XSS, Public disclosure, Network enumeration via CSRF, DLL hijacking., not-applicable
927567, https://hackerone.com/reports/927567, Ability to publish a paid theme without purchasing it., resolved
927661, https://hackerone.com/reports/927661, Ability to manipulate price with a max threshold of `<1 Rupee` in support rider parameter, resolved
928280, https://hackerone.com/reports/928280, Formula Injection vulnerability in CSV export feature, resolved
928602, https://hackerone.com/reports/928602, [performancemarketing.geekbrains.ru] Tilda Subdomain Takeover, resolved
928816, https://hackerone.com/reports/928816, Stored XSS in app.lemlist.com, resolved
929361, https://hackerone.com/reports/929361, Making program preference -> program visibilty feature usless and disclosing API Identifier in the progress and data that may cause potential IDORS., resolved
929633, https://hackerone.com/reports/929633, Open Redirect on [blog.wavecell.com], resolved
929717, https://hackerone.com/reports/929717, XSS via "gp" cookie reflected in source code, resolved
932557, https://hackerone.com/reports/932557, Stored XSS at [ https://app.lemlist.com/campaigns/cam_QRS5caF2ca7MJtiLS/leads ] in " LINKEDIN URL" Field., resolved
933620, https://hackerone.com/reports/933620, Un Authencitated Quartz Pannel with Scheduling tasks , resolved
935503, https://hackerone.com/reports/935503, Reflected XSS on cz.acronis.com/dekujeme-za-odber-novinek-produktu-disk-director with ability to creating an admin user in WordPress, resolved
935573, https://hackerone.com/reports/935573, JDBC credentials leaked via github, informative
936399, https://hackerone.com/reports/936399, Path traversal on https://███ allows arbitrary file read (CVE-2020-3452), resolved
937592, https://hackerone.com/reports/937592, Improper Restriction of Excessive Authentication Attempts at http://terrafoot.ru/login.php (Rate Limit bypass via IP Rotation), resolved
937921, https://hackerone.com/reports/937921, app.lemlist.com : Admin Panel Access, informative
938021, https://hackerone.com/reports/938021, Availing Zomato gold by using a random third-party `wallet_id`, resolved
938349, https://hackerone.com/reports/938349, Information Disclosure on qa-delivery-srv.plazius.ru, resolved
938530, https://hackerone.com/reports/938530, Information Disclosure on www7.promo.plazius.ru, resolved
938683, https://hackerone.com/reports/938683, CVE-2019-19935 - DOM based XSS in the froala editor, resolved
939158, https://hackerone.com/reports/939158, cross site scripting bypass session , resolved
940384, https://hackerone.com/reports/940384, https://█████ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability, resolved
941178, https://hackerone.com/reports/941178, SSRF for kube-apiserver cloudprovider scene, resolved
941335, https://hackerone.com/reports/941335, Information Disclosure , resolved
941421, https://hackerone.com/reports/941421, One Click Remote Code Injection - *.blog.newrelic.com, resolved
942103, https://hackerone.com/reports/942103, Server-side template injection at ujs test server, resolved
942146, https://hackerone.com/reports/942146, Open Github Repo Leaking WEBLATE SECRET KEY, resolved
942179, https://hackerone.com/reports/942179, Subdomain Takeover at  analyticstest.geekbrains.ru, resolved
942481, https://hackerone.com/reports/942481, Wordpress Users Disclosure (/wp-json/wp/v2/users/) on data.gov, informative
942629, https://hackerone.com/reports/942629, Denial of service via cache poisoning on https://www.data.gov/, duplicate
942859, https://hackerone.com/reports/942859, Stored XSS in Post title (PoC), resolved
943231, https://hackerone.com/reports/943231, SOCK_RAW sockets reachable from Webkit process allows triggering double free in IP6_EXTHDR_CHECK, resolved
943255, https://hackerone.com/reports/943255, CSV Injection Via Student Password/Name Leads To Client Side RCE And Reading Client Files, resolved
943487, https://hackerone.com/reports/943487, tmgame.mail.ru - Blind sql injection, resolved
943725, https://hackerone.com/reports/943725, Remote Code Execution in Rocket.Chat-Desktop, resolved
944025, https://hackerone.com/reports/944025, Uncovering file quarantine and UX security issues in macOS apps ( .terminal, .fileloc and .url) , resolved
944392, https://hackerone.com/reports/944392, Forgot Password Page SMS Brute Force could lead to Account Takeover using Android/IOS app "About the house" via api.prodom.smart.space, resolved
944518, https://hackerone.com/reports/944518, XSS via JavaScript evaluation of an attacker controlled resource at www.pornhub.com, resolved
944665, https://hackerone.com/reports/944665, CVE-2020-3187 - unauthenticated arbitrary file deletion in Cisco, resolved
944732, https://hackerone.com/reports/944732, NPM_API_KEY Leak, resolved
944735, https://hackerone.com/reports/944735, Arbitrary DLL injection in mmsminisrv (Acronis Managed Machine Service Mini), resolved
945122, https://hackerone.com/reports/945122, Arbitrary file creation via symlink attack on syncagentsrv (Acronis Sync Agent Service), resolved
945990, https://hackerone.com/reports/945990, Safe Redirect Bypass , resolved
946160, https://hackerone.com/reports/946160, Cross Site Scripting using Email parameter in Ads endpoint 2, resolved
946323, https://hackerone.com/reports/946323, [IDOR] Modify other team's reminders via reminderId parameter, resolved
946384, https://hackerone.com/reports/946384, A member-member privilege could access the https://console.rockset.com/billing?tab=payment page even though the billing page is hidden from the menu. , resolved
946578, https://hackerone.com/reports/946578, [mtn.com.af] Multiple vulnerabilities allow to Application level DoS, resolved
946728, https://hackerone.com/reports/946728, SafeParamsHelper::safe_params is not so safe, resolved
947349, https://hackerone.com/reports/947349, Bypass Too Many Requests Sign Up , informative
947637, https://hackerone.com/reports/947637, Ngnix Server version disclosure., resolved
947690, https://hackerone.com/reports/947690, ClickJacking, not-applicable
947725, https://hackerone.com/reports/947725, S3 bucket data at http://rockset-support.s3-us-west-2.amazonaws.com/ reveals user addresses based on latitudes and longitudes., resolved
947728, https://hackerone.com/reports/947728, staff can able to extend shopify trial period without admin permission, resolved
947790, https://hackerone.com/reports/947790, Reflected XSS on a Atavist theme, resolved
947946, https://hackerone.com/reports/947946, Open SonarQube instance leaking internal source code, resolved
947982, https://hackerone.com/reports/947982, User can Subscribe a plan that is hidden by manipulating the value of "subscription" parameter at [ https://app.dropcontact.io/app/checkout/], resolved
948146, https://hackerone.com/reports/948146, Rate limiting on report video, resolved
948150, https://hackerone.com/reports/948150, Open Redirect Vulnerability on TikTok Ads Portal , resolved
948259, https://hackerone.com/reports/948259, REFLECTED XSS On http://jsgames.mail.ru/bad_browser.php via back_url paramter, resolved
948481, https://hackerone.com/reports/948481, В самокате можно просматривать и изменять данные любого заказа без авторизации, resolved
948876, https://hackerone.com/reports/948876, Connect-only connections can use the wrong connection, resolved
948929, https://hackerone.com/reports/948929, Blind Stored XSS Via Staff Name, resolved
949285, https://hackerone.com/reports/949285, Information Disclosure , resolved
949295, https://hackerone.com/reports/949295, Unrestricted File Upload on https://app.dropcontact.io/app/upload/, resolved
949382, https://hackerone.com/reports/949382, DOM-Based XSS in tumblr.com, resolved
949513, https://hackerone.com/reports/949513, XSS by file (Active Storage `Proxying`), resolved
949560, https://hackerone.com/reports/949560, [webvpn.city-srv.ru] Path traversal via CVE-2020-3452, resolved
949643, https://hackerone.com/reports/949643, relap.io/admin/api - административный API доступен без аутентификации, resolved
949686, https://hackerone.com/reports/949686, SECRET_KEY Of Django Leaked In maps.me, resolved
949712, https://hackerone.com/reports/949712, DoS attack against the client when entering a long password, resolved
949823, https://hackerone.com/reports/949823, XSS DI BIODATA, resolved
950180, https://hackerone.com/reports/950180, HTML injection at Alert email, resolved
950190, https://hackerone.com/reports/950190, Store-XSS in error message of build-dependencies , resolved
950192, https://hackerone.com/reports/950192, [@knutkirkhorn/free-space] - Command Injection through Lack of Sanitization, resolved
950201, https://hackerone.com/reports/950201, HTML Injection at "city-mobil.ru", resolved
950299, https://hackerone.com/reports/950299, Use after free vulnerability  in phar_parse_zipfile, resolved
950471, https://hackerone.com/reports/950471, Lack of Password Confirmation  for Account Deletion, not-applicable
950485, https://hackerone.com/reports/950485, Disclosure of personal support email addresses on 'support-fleet.city-mobil.ru', resolved
950507, https://hackerone.com/reports/950507, Possible access to the car's photo and registration by its ID on [fleet.city-mobil.ru], resolved
950700, https://hackerone.com/reports/950700, Reflected XSS in https://www.█████/, resolved
950845, https://hackerone.com/reports/950845, Reflected XSS at /category/ on a Atavis theme , resolved
950853, https://hackerone.com/reports/950853, [z.tochka.com] Unlimited file uploads lead to malware executed, resolved
950881, https://hackerone.com/reports/950881, IDOR when editing email leads to Account Takeover on Atavist, resolved
951190, https://hackerone.com/reports/951190, Public access to Sidekiq dashboard at shopper.sbermarket.ru, resolved
951230, https://hackerone.com/reports/951230, Can buy Atavist Magazine subscription for free, resolved
951249, https://hackerone.com/reports/951249, [freespace] Command Injection due to Lack of Sanitization, resolved
951292, https://hackerone.com/reports/951292, Site-wide CSRF at Atavist , resolved
951468, https://hackerone.com/reports/951468, [m-server] XSS reflected because path does not escapeHtml, resolved
951508, https://hackerone.com/reports/951508, CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower., resolved
951530, https://hackerone.com/reports/951530, [CVE-2020-3452] Unauthenticated file read in Cisco ASA, resolved
951623, https://hackerone.com/reports/951623, Vulnerabilities in Endorsement Mechanism of Private Data Related Transactions in Hyperledger Fabric 2.0, informative
951691, https://hackerone.com/reports/951691, Android: Explanation of Access to app protected components vulnerability, resolved
952035, https://hackerone.com/reports/952035, Admin web sessions remain active after logout of Shopify ID, resolved
952166, https://hackerone.com/reports/952166, Subdomain Takeover – jet.acronis.com pointing to unclaimed Webflow services, resolved
952174, https://hackerone.com/reports/952174, Ability to edit the address of any company by its id on [corporate.city-mobil.ru], resolved
952349, https://hackerone.com/reports/952349, Possible denial of service when entering a loooong password, resolved
952501, https://hackerone.com/reports/952501, Solr Injection in `user_id` parameter at :/v2/leaderboard_v2.json, resolved
952771, https://hackerone.com/reports/952771, CVE-2019-11250 remains in effect., resolved
952983, https://hackerone.com/reports/952983, Stored XSS in history on [corporate.city-mobil.ru], resolved
953041, https://hackerone.com/reports/953041, Cross Site Scripting using Email parameter in Ads endpoint 1, resolved
953053, https://hackerone.com/reports/953053, Multiple Cross-Site Scripting vulnerability via the language parameter, resolved
953083, https://hackerone.com/reports/953083, Ability to publish a paid theme without purchasing it., resolved
953203, https://hackerone.com/reports/953203, [api.zomato.com] Abusing LocalParams (city_id) to Inject SOLR query, resolved
953579, https://hackerone.com/reports/953579, [api.tumblr.com] Exploiting clickjacking vulnerability to trigger self DOM-based XSS, resolved
953649, https://hackerone.com/reports/953649, Critical Information disclosure of rtapi token for any user via https://video-support-staging.uber.com/video/api/getPopulousUser, resolved
953719, https://hackerone.com/reports/953719, Subdomain Takeover – www.jet.acronis.com pointing to unclaimed Webflow services, resolved
953791, https://hackerone.com/reports/953791, Stored XSS in Satisfaction Surveys via "Ask Reason for Dissatisfaction" option, resolved
953866, https://hackerone.com/reports/953866, Unauthorized Access and updation of EMAIL settings of other user  at https://app.dropcontact.io/app/sponsorship/ by changing the " email " parameter., resolved
954398, https://hackerone.com/reports/954398, Сode injection host  █████████, resolved
954402, https://hackerone.com/reports/954402, Host Header Injection., resolved
954512, https://hackerone.com/reports/954512, Cross-origin resource sharing misconfiguration (CORS), informative
954667, https://hackerone.com/reports/954667, SQLi on █████████, resolved
954818, https://hackerone.com/reports/954818, Default Creds Spring Boot Admin, resolved
955016, https://hackerone.com/reports/955016, GitLab-Runner on Windows `DOCKER_AUTH_CONFIG` container host Command Injection, resolved
955170, https://hackerone.com/reports/955170, HTTP Request Smuggling on api.flocktory.com Leads to XSS on Customer Sites, resolved
955286, https://hackerone.com/reports/955286, Graphql: Sorting the reports by jira_status field resulted to different value, resolved
955606, https://hackerone.com/reports/955606, Reflected xss and open redirect on larksuite.com using /?back_uri= parameter., resolved
956194, https://hackerone.com/reports/956194, Stored XSS in address on [corporate.city-mobil.ru], resolved
956449, https://hackerone.com/reports/956449, link.avito.ru - Bypass of restrictions on external links., resolved
956791, https://hackerone.com/reports/956791, Возможность изменить поле "E-Mail для доступа в личный кабинет" у другого пользователя [corporate.city-mobil.ru], resolved
956799, https://hackerone.com/reports/956799, IDOR zakazaka (состояние заказа и перезаказ), resolved
957035, https://hackerone.com/reports/957035, Открытый Confluence и доступы к чату операторов в Skype, resolved
957229, https://hackerone.com/reports/957229, Self XSS on Acronis Cyber Cloud, resolved
957557, https://hackerone.com/reports/957557, Failure to Invalid Session after Password Change, duplicate
957829, https://hackerone.com/reports/957829, Sending thousands of notifications with single request, resolved
957874, https://hackerone.com/reports/957874, Adding your account to victim's app via deeplink, resolved
957881, https://hackerone.com/reports/957881, HTTP request smuggling (?) canpol.deti.mail.ru, resolved
958374, https://hackerone.com/reports/958374, Pentester can obtain information about other pentesters who applied for the same test, but weren't accepted, resolved
958432, https://hackerone.com/reports/958432, Corporate Jira credentials disclosed in public gist, resolved
958769, https://hackerone.com/reports/958769, Возможность просмотра коментариев к чужим обращениям [corporate.city-mobil.ru], resolved
958864, https://hackerone.com/reports/958864, Open redirect (DOM-based) on av.ru via "return_url" parameter (Login form), resolved
959187, https://hackerone.com/reports/959187, ███ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability, resolved
959329, https://hackerone.com/reports/959329, В самокат имеется возможность просмотра суммы заказа и номера заказа по ID [smart.space], resolved
959679, https://hackerone.com/reports/959679, Read-only path traversal (CVE-2020-3452)  at https://████████, resolved
959697, https://hackerone.com/reports/959697, Idor for firstpromoter service, resolved
959987, https://hackerone.com/reports/959987, [supermixer] Prototype pollution, resolved
960082, https://hackerone.com/reports/960082, Read-only path traversal (CVE-2020-3452)  at https://█████, resolved
960244, https://hackerone.com/reports/960244, Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, ..., resolved
960330, https://hackerone.com/reports/960330, CVE-2020-3187 - Unauthenticated Arbitrary File Deletion, resolved
960851, https://hackerone.com/reports/960851, User has Sender permission can Get Team  information , resolved
961046, https://hackerone.com/reports/961046, Stored XSS in backup scanning plan name, resolved
961226, https://hackerone.com/reports/961226, XSS in (Support Requests) : User Cases, resolved
961428, https://hackerone.com/reports/961428, Bitbucket public repo leaking credentials from the 1C Enterprise system used by Samokat, resolved
961757, https://hackerone.com/reports/961757, Twitter Media Studio Source Information Disclosure With Analyst Role, resolved
961841, https://hackerone.com/reports/961841, Recently added 'Country' field doesn't send email notification when changed, resolved
961929, https://hackerone.com/reports/961929, Ability to see password protected content by bypassing the password page of shopify preview URL for new development stores (as of August 17, 2020), resolved
961997, https://hackerone.com/reports/961997, Denial of Service when entring an Array in email at seetings, informative
962013, https://hackerone.com/reports/962013, Remote Code Execution on █████████, resolved
962033, https://hackerone.com/reports/962033, API key is not validated for C.R.M integration [Pipedrive] of LOGGED IN USER, A user can use another USER'S API key for this operation., resolved
962462, https://hackerone.com/reports/962462, Unauthorized user is able to access schedule pipeline variables and values, resolved
962604, https://hackerone.com/reports/962604, Revoked User can still view  the Merge Request  created by him via API, resolved
962705, https://hackerone.com/reports/962705, The “payload” Field of Transactions in a Block Reveals the Private Data to All Peers , informative
962753, https://hackerone.com/reports/962753, Elmah.axd is publicly accessible and leaking  Error Log for ROOT on █████_PRD_WEB1 █████████elmah.axd, resolved
962872, https://hackerone.com/reports/962872, CVE-2016-6415 on api-staging.plazius.ru [46.148.201.218], resolved
962889, https://hackerone.com/reports/962889, SQL Injection in agent-manager, resolved
962895, https://hackerone.com/reports/962895, Stocky App Administrator can create a backdoor admin account by using an existing POS User, resolved
962902, https://hackerone.com/reports/962902, Session Hijack via Self-XSS, resolved
962908, https://hackerone.com/reports/962908, Read-only path traversal (CVE-2020-3452)  at https://██████.mil, resolved
962909, https://hackerone.com/reports/962909, No Valid SPF Records, duplicate
963161, https://hackerone.com/reports/963161, Unauthorized access to choice.av.ru control panel, resolved
963164, https://hackerone.com/reports/963164, Django debug enabled showing information about system, database, configuration files., resolved
963327, https://hackerone.com/reports/963327, Dropcontact's disclosed report is exposing Private/Confidential information, resolved
963352, https://hackerone.com/reports/963352, Sensitive Information Disclosure, resolved
963368, https://hackerone.com/reports/963368, Email flooding using user invitation feature in biz.yelp.com due to lack of rate limiting , not-applicable
963542, https://hackerone.com/reports/963542, Django DEBUG mode enabled and leaked system information., resolved
963546, https://hackerone.com/reports/963546, User registration using public domain email like gmail in place of professional email., resolved
963584, https://hackerone.com/reports/963584, Registering with email [ +70 Chars ] Lead to Disclose some informations [Django Debug Mode ], resolved
963774, https://hackerone.com/reports/963774, Premium Email Address Check Bypass - Hey, resolved
963798, https://hackerone.com/reports/963798, XSS on https://fax.pbx.itsendless.org/ (CVE-2017-18024), resolved
963809, https://hackerone.com/reports/963809, Django should not have debug mode enabled, resolved
963921, https://hackerone.com/reports/963921, Information Disclosure through DEBUG at Subscription [https://app.dropcontact.io/app/subscription?connector=salesforce](CRITICAL), resolved
964010, https://hackerone.com/reports/964010, IDOR - Other user's delivery address disclosed, resolved
964167, https://hackerone.com/reports/964167, Stored Xss , resolved
964315, https://hackerone.com/reports/964315, Admin/Info lekage, resolved
964467, https://hackerone.com/reports/964467, Bypass SMS verification to delete TikTok account, resolved
964550, https://hackerone.com/reports/964550, XSS Stored via Upload avatar PNG [HTML] File in accounts.shopify.com, resolved
964582, https://hackerone.com/reports/964582, CVE-2017-13040 The MPTCP parser in tcpdump before 4.9.2 has a buffer over-read in print-mptcp.c, several functions., resolved
964583, https://hackerone.com/reports/964583, CVE-2017-13041 The ICMPv6 parser in tcpdump before 4.9.2 has a buffer over-read in print-icmp6.c:icmp6_nodeinfo_print()., resolved
964603, https://hackerone.com/reports/964603, Access to git & and  configuration files on backtoschool.geekbrains.ru via gitfile, resolved
965141, https://hackerone.com/reports/965141, Clickjacking lead to remove review, resolved
965267, https://hackerone.com/reports/965267, Potential HTTP Request Smuggling in ruby webrick, resolved
965314, https://hackerone.com/reports/965314, Leak of Google Sheets API credentials, resolved
965510, https://hackerone.com/reports/965510, Password protection can be removed for newly created development store , resolved
965663, https://hackerone.com/reports/965663, Reflected XSS on av.ru via `q` parameter at https://av.ru/collections/*, resolved
965774, https://hackerone.com/reports/965774, A specifically designed sieve script can cause a DoS in lib-sieve during sieve script compilation via NULL pointer dereference, resolved
965782, https://hackerone.com/reports/965782, Failed assert in `mail_index_transaction_lookup`, resolved
965790, https://hackerone.com/reports/965790, Assert failed in `edit_mail_istream_read`, resolved
965881, https://hackerone.com/reports/965881, Null dereference in `cmd_denotify_operation_execute`, resolved
965914, https://hackerone.com/reports/965914, `fs.realpath.native` on darwin may cause buffer overflow, resolved
966347, https://hackerone.com/reports/966347, [bl] Uninitialized memory exposure via negative .consume(), resolved
966383, https://hackerone.com/reports/966383, secret leaks in vsphere cloud controller manager log, resolved
966494, https://hackerone.com/reports/966494, True Image 2021 - LPE via XPC service communication, resolved
966527, https://hackerone.com/reports/966527, Reflected XSS at  https://www.glassdoor.co.in/Interview/BlackRock-Interview-Questions-E9331.htm via filter.jobTitleExact parameter, resolved
966531, https://hackerone.com/reports/966531, "Basic user" which can only access a limited subset of the platform can access certain pages which are restricted to the user by the account owner., informative
966814, https://hackerone.com/reports/966814, Slack-Corp Heroku application disclosing limited info about company members, resolved
966834, https://hackerone.com/reports/966834, Incomplete fix for CVE-2020-12673 : Specially crafted NTML message leads to buffer over read, resolved
967284, https://hackerone.com/reports/967284, Open Redirect on https://go.bitwala.com/, resolved
967457, https://hackerone.com/reports/967457, Buffer overread off by one in `rpa_read_buffer`, incomplete fix for CVE-2020-12674, resolved
968082, https://hackerone.com/reports/968082, Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration, resolved
968232, https://hackerone.com/reports/968232, Stored XSS in collabora via user name, resolved
968355, https://hackerone.com/reports/968355, [i18next] Prototype pollution attack, resolved
968402, https://hackerone.com/reports/968402, [http://kiwi.youdrive.today/] Information disclosure via Kiwi TCMS vulnerability, resolved
968690, https://hackerone.com/reports/968690, DOM based XSS in store.acronis.com/<id>/purl-corporate-standard-IT [cfg parameter], resolved
968699, https://hackerone.com/reports/968699, bypass  the [OKTA] login redirect can  lead to disclosing limited-information about the sub-domain at [ shiptsec.com ], resolved
968742, https://hackerone.com/reports/968742, Password reset by malicious input on air.line.me, resolved
969456, https://hackerone.com/reports/969456, Getting API access key Through  Introspection query Graphql, informative
969605, https://hackerone.com/reports/969605, Developer uploaded files missing authentication on LINE GAME Developers site(gdc.game.line.me), resolved
969619, https://hackerone.com/reports/969619, Пользователь может изменить способ оплаты указав чужой corporation ID, resolved
969988, https://hackerone.com/reports/969988, Private leaderboard owner email disclosure when sending invites, resolved
970157, https://hackerone.com/reports/970157, Bypass Password Authentication to Update the Password, resolved
970520, https://hackerone.com/reports/970520, exposed Git Repo at http://api.e2e-kops-aws-canary.test-cncf-aws.canary.k8s.io/.git/, duplicate
970760, https://hackerone.com/reports/970760, Pixel Flood Attack leads to Application level DoS, resolved
970878, https://hackerone.com/reports/970878, Reflected XSS via "Error" parameter on https://admin.acronis.com/admin/su/, resolved
970902, https://hackerone.com/reports/970902, CSRF Delete chat invitation link., resolved
971234, https://hackerone.com/reports/971234, Clickjacking on cas.acronis.com login page, resolved
971304, https://hackerone.com/reports/971304, Reflected XSS at https://www.glassdoor.co.in/Job/pratt-whitney-jobs-SRCH_KE0,13.htm?initiatedFromCountryPicker=true&countryRedirect=true, resolved
971360, https://hackerone.com/reports/971360, Reflected XSS on ███████, resolved
971386, https://hackerone.com/reports/971386, CVE-2020-8913 - Persistent arbitrary code execution in Android's Google Play Core Library: details, explanation and the PoC, resolved
971422, https://hackerone.com/reports/971422, IDOR смена email пользователя через Ситимобил Бизнес, resolved
971599, https://hackerone.com/reports/971599, damage to the timeline so that comment fields cannot be displayed or not available to all members in the store, resolved
971857, https://hackerone.com/reports/971857, Stored xss on helpdesk using user's city, resolved
972045, https://hackerone.com/reports/972045, No brute force protection on web-api-cloud.acronis.com, resolved
972220, https://hackerone.com/reports/972220, [arpping] Remote Code Execution, resolved
972243, https://hackerone.com/reports/972243, Add apps to packages 0, 61, 62 with /store/ajaxpackagemerge, resolved
972355, https://hackerone.com/reports/972355, Able to leak private email of any user given his/her username via graphql, resolved
972374, https://hackerone.com/reports/972374, Возможность создать канал в группе, в которой пользователь не является админом [my.games], resolved
972561, https://hackerone.com/reports/972561, kubeadm logs tokens before deleting them, resolved
972601, https://hackerone.com/reports/972601, Open Redirect at https://oauth.secure.pixiv.net, resolved
972936, https://hackerone.com/reports/972936, A specially crafted value for the 'Cache-Digest' header causing crash in  chat.makerdao.com, not-applicable
973245, https://hackerone.com/reports/973245, [imagickal] Remote Code Execution, resolved
973386, https://hackerone.com/reports/973386, [curling] Remote Code Execution, resolved
973658, https://hackerone.com/reports/973658, This Github Repository Seems Leaking "nino.samokat.ru" Source Code, resolved
974072, https://hackerone.com/reports/974072, the same as #948259 - XSS at jsgames.mail.ru, resolved
974078, https://hackerone.com/reports/974078, Multiple SQL Injections and constrained LFI in esk-static.3igames.mail.ru, resolved
974090, https://hackerone.com/reports/974090, Clickjacking Vulnerability via https://profile.my.games/gamecenter/profile/ can lead to sensitive cross site actions (Bypass X-Frame-Options), resolved
974176, https://hackerone.com/reports/974176, Dependency on private SSH keys in public github, resolved
974473, https://hackerone.com/reports/974473, [my.games, lootdog.io] XSS via MCS Bucket, resolved
974704, https://hackerone.com/reports/974704, Account Takeover possibility via https://awards.donationalerts.com using login with twitch.tv, resolved
974878, https://hackerone.com/reports/974878, [api.my.games/social/chat/multi/add] Privilege escalation on adding new members  to group chat , resolved
975024, https://hackerone.com/reports/975024, Reflected XSS in https://███████ via search parameter, resolved
975047, https://hackerone.com/reports/975047, User sensitive information disclosure, resolved
975212, https://hackerone.com/reports/975212, Access to microtransaction sales data for lots of apps from 2014 to present at /valvefinance/sanity/, resolved
975653, https://hackerone.com/reports/975653, Broken twitter link hijacking at https://games.mail.ru/pc/search/, resolved
975749, https://hackerone.com/reports/975749, IDOR - User is able to download charts/dashboards from cross accounts, not-applicable
975827, https://hackerone.com/reports/975827, Permanent DoS with one click., resolved
975983, https://hackerone.com/reports/975983, Site-wide CSRF on Safari due to CORS misconfiguration (not localhost), resolved
976137, https://hackerone.com/reports/976137, Reflected XSS at https://████████/███/..., resolved
976441, https://hackerone.com/reports/976441, removed user can still join the organization, resolved
976657, https://hackerone.com/reports/976657, Reflected XSS on a Atavist theme at external_import.php, resolved
977092, https://hackerone.com/reports/977092, Пользователь может просматривать, удалять и изменять данные любой компании перебирая domain_id [biz.mail.ru], resolved
977212, https://hackerone.com/reports/977212, read new emails from any inbox IOS APP in notification center, resolved
977597, https://hackerone.com/reports/977597, [api-site.city-mobil.ru] Improper access control leads to information disclosure, resolved
977697, https://hackerone.com/reports/977697, Stored-XSS in merge requests, resolved
977851, https://hackerone.com/reports/977851, Cache poisoning via X-Forwarded-Host in www.shopify.com/partners/blog, resolved
978143, https://hackerone.com/reports/978143, Team object in GraphQL disclosed private_comment, resolved
978335, https://hackerone.com/reports/978335, Unauthenticated Arbitrary File Deletion ("CVE-2020-3187") in ████████, resolved
978515, https://hackerone.com/reports/978515, A specially crafted message sent to the local delivery agent (LMTP) causes the LMTP child process to issue a panic (call i_panic), resolved
978680, https://hackerone.com/reports/978680, GET based Open redirect on [streamlabs.com/content-hub/streamlabs-obs/search?query=], resolved
978768, https://hackerone.com/reports/978768, Adding everyone to the repo due to the lack of rate limit, not-applicable
978823, https://hackerone.com/reports/978823, SSRF to AWS file read, resolved
979110, https://hackerone.com/reports/979110, Internal Path Disclosure, resolved
979204, https://hackerone.com/reports/979204, XSS on https://partners.acronis.com/, resolved
979333, https://hackerone.com/reports/979333, Api Token Leaked in [shoppers.shipt.com], resolved
979375, https://hackerone.com/reports/979375, Stored open redirect in about page, resolved
979820, https://hackerone.com/reports/979820, Rate limits too low for email 2FA, resolved
980249, https://hackerone.com/reports/980249, Net::SMTP with tls allows forged certificates as long as the hostname matches, informative
980412, https://hackerone.com/reports/980412, Stored XSS in agoric-sdk - malicious iframes, malicious svg, resolved
980511, https://hackerone.com/reports/980511, A staff member with no permissions can edit Store Customer Email, resolved
980599, https://hackerone.com/reports/980599,  [ts-dot-prop] Prototype Pollution, resolved
980649, https://hackerone.com/reports/980649, [json8-merge-patch] Prototype Pollution, resolved
980856, https://hackerone.com/reports/980856, https://publishers.basicattentiontoken.org/favicon.ico is Vulnerable to CVE-2017-7529, resolved
980876, https://hackerone.com/reports/980876, [Fixed] KIS for macOS is vulnerable to AV bypass due to improper client authorization on XPC service, resolved
980881, https://hackerone.com/reports/980881, Path traversal lead to LFR via [CVE-2019-3394], resolved
981036, https://hackerone.com/reports/981036, Hacker can bypass minimum bounty amount restrictions in "invitation preferences" setting via UpdateInvitationPreferencesMutation GraphQL operation, informative
981357, https://hackerone.com/reports/981357, Improper Input Validation allows an attacker to "double spend" or "respend", violating the integrity of the message command history or causing DoS, resolved
981472, https://hackerone.com/reports/981472, Undocumented `fileCopy` GraphQL API, resolved
981796, https://hackerone.com/reports/981796, Information Disclosure of Garbage Collection Cycle, resolved
981824, https://hackerone.com/reports/981824, DNS Setup allows sending mail on behalf of other customers, resolved
982130, https://hackerone.com/reports/982130, Fetching the update json scheme from concrete5 over HTTP leads to remote code execution, resolved
982202, https://hackerone.com/reports/982202, SQLi in login form of █████, resolved
982291, https://hackerone.com/reports/982291, HEY.com email stored XSS, resolved
982293, https://hackerone.com/reports/982293, Bypass Password Authentication to Update the Password, resolved
982510, https://hackerone.com/reports/982510, Self XSS, resolved
982753, https://hackerone.com/reports/982753, Наблюдатель может оставновить базу данных [mcs.mail.ru], resolved
983070, https://hackerone.com/reports/983070, IDOR when creating App on [platform.streamlabs.com/api/v1/store/whitelist] with user_id field, resolved
983077, https://hackerone.com/reports/983077, Stored Cross-Site Scripting vulnerability in example Custom Digital Agreement, resolved
983331, https://hackerone.com/reports/983331, Public and secret api key leaked  in JavaScript source, resolved
983548, https://hackerone.com/reports/983548, MobileIron Unauthenticated RCE on mdm.qiwi.com with WAF bypass, resolved
983710, https://hackerone.com/reports/983710, SQL injection when configuring a database , resolved
984654, https://hackerone.com/reports/984654, RXSS Via URI Path - https://██████████/, resolved
984947, https://hackerone.com/reports/984947, Tab nabbing via window.opener.location (target "_blank"), resolved
984965, https://hackerone.com/reports/984965, Cross-Tenant IDOR ( graphql `AddRulesToPixelEvents` query ) allowing to add, update, and delete rules of any Pixel events on the platform, resolved
985124, https://hackerone.com/reports/985124, GraphQL Query leads to sensitive information disclosure, duplicate
985133, https://hackerone.com/reports/985133, Password Cracking - Weak Password Used to Secure ████ Containing a Plaintext Password, resolved
985272, https://hackerone.com/reports/985272, Логи на http://login.aa.mail.ru/logs/, resolved
985367, https://hackerone.com/reports/985367, weak password poilicy in signup password leak to account takeover, resolved
986365, https://hackerone.com/reports/986365, Reflected XSS on /www/delivery/afr.php (bypass of report #775693), resolved
986386, https://hackerone.com/reports/986386, Reflected XSS on www.hackerone.com via Wistia embed code, resolved
986459, https://hackerone.com/reports/986459, Recently change email but still login with old email, informative
986532, https://hackerone.com/reports/986532, one delegate can add another delegate and delete other delegates, exposing all confidential inbox messages, resolved
987090, https://hackerone.com/reports/987090, https://██████ vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD, resolved
987132, https://hackerone.com/reports/987132, Отправка произвольных запросов к API с правами любого установленного у пользователя iframe/miniapp, resolved
987650, https://hackerone.com/reports/987650, Bypass MFA requirement to send messages, informative
987751, https://hackerone.com/reports/987751, CSRF to account takeover in https://███████.mil/, resolved
988103, https://hackerone.com/reports/988103, Node.js: use-after-free in TLSWrap, resolved
988271, https://hackerone.com/reports/988271, Reflected XSS in photogallery component on [https://market.av.ru], resolved
988272, https://hackerone.com/reports/988272, stored XSS in hey.com message content, resolved
988332, https://hackerone.com/reports/988332, Webview in LINE client for iOS will render application/octet-stream files as HTML, resolved
988550, https://hackerone.com/reports/988550, Sensitive data exposure via https://████████.mil/secure/QueryComponent!Default.jspa - CVE-2020-14179, resolved
989415, https://hackerone.com/reports/989415, Bypass restrict of member subscription to use custom background in https://3d.cs.money without prime subscription, resolved
989668, https://hackerone.com/reports/989668, A malicious user can upload a malicious script through managesieve  and trigger its execution in order to consume almost 100% of CPU (LMTP)., resolved
990048, https://hackerone.com/reports/990048, Improper Validation at Partners Login, resolved
990112, https://hackerone.com/reports/990112, Пользователь с правами Менеджер может получить Список сотрудников всех кост центров и Удалять пользователей всех кост центров, resolved
990838, https://hackerone.com/reports/990838, Bypass Filter on link of build, resolved
990878, https://hackerone.com/reports/990878, IDOR in https://3d.cs.money/, resolved
991718, https://hackerone.com/reports/991718, hardcoded password stored in javascript of https://████.mil, resolved
991751, https://hackerone.com/reports/991751, xml-rpc file open for public in the domain:https://stories.showmax.com/xmlrpc.php, resolved
992114, https://hackerone.com/reports/992114, Brute Force due to Weak security credentials lead access to LICENSE SYSTEM Web Server on [l.ucs.ru], resolved
992450, https://hackerone.com/reports/992450, Two-factor authentication can be disabled when logged in without 2fa or password confirmation , informative
992564, https://hackerone.com/reports/992564, Незащищённый экземпляр Zeppelin , resolved
992607, https://hackerone.com/reports/992607, Stored XSS through fileupload, resolved
993005, https://hackerone.com/reports/993005, Server-side denial of service via large payload sent to wiki.cs.money/graphql, resolved
993222, https://hackerone.com/reports/993222, XSS - Search - Unescaped contact job, resolved
993582, https://hackerone.com/reports/993582, Application DOS via specially crafted payload on 3d.cs.money, resolved
993711, https://hackerone.com/reports/993711, Отправка писем с произвольным текстом/кликабельными ссылками любому зарегистрированному пользователю с указанной почтой, зная только steamid, resolved
993722, https://hackerone.com/reports/993722, Unrestricted access to quiesce functionality in dss.api.playstation.com REST API leads to unavailability of application, resolved
993767, https://hackerone.com/reports/993767, Improper authentication in the load sell inventory page, informative
993975, https://hackerone.com/reports/993975, [zenn-cli] Path traversal on Windows allows the attacker to read arbitrary .md files, resolved
994051, https://hackerone.com/reports/994051, Race condition on my.stripo.email at /cabinet/stripeapi/v1/projects/298427/emails/folders uri, resolved
994504, https://hackerone.com/reports/994504, authenticity token not verfied leads to change business name, resolved
995055, https://hackerone.com/reports/995055, [delivery.city-mobil.ru] Stored XSS into support request comment, resolved
995122, https://hackerone.com/reports/995122, [SQLI ]Time  Bassed Injection at ██████████ via referer header, resolved
995273, https://hackerone.com/reports/995273, XSS - Notes - Attribute injection through overlapping tags, resolved
995347, https://hackerone.com/reports/995347, param allows  any external resource to be downloadable | https://████████, resolved
995699, https://hackerone.com/reports/995699, csi-snapshot-controller crashes when processing VolumeSnapshot with non-existing PVC, duplicate
995936, https://hackerone.com/reports/995936, Reflected XSS at https://www.glassdoor.com/Interview/Accenturme-Interview-Questions-E9931.htm  via  filter.jobTitleFTS  parameter, resolved
995969, https://hackerone.com/reports/995969, Manipulate Uneditable Messages in Support, informative
995995, https://hackerone.com/reports/995995, Blind Stored XSS in HackerOne's Sal 4.1.4.2149 (sal.████.com), resolved
996041, https://hackerone.com/reports/996041, Image queue default key of 'None' and GraphQL unhandled type exception, resolved
996122, https://hackerone.com/reports/996122, Insufficient Session Expiration on Adobe Connect | https://█████████, resolved
996141, https://hackerone.com/reports/996141, Race condition while removing the love react in community files., resolved
996237, https://hackerone.com/reports/996237, Stored XSS on add project, resolved
996262, https://hackerone.com/reports/996262, Reflected XSS & Open Redirect at mcs main domain, resolved
996273, https://hackerone.com/reports/996273, SSRF in login page using fetch API exposes victims IP address to attacker controled server, resolved
996303, https://hackerone.com/reports/996303, Cross-site Scripting (XSS) - DOM on https://account.mail.ru/user/garage?back_url=https://mail.ru, resolved
996371, https://hackerone.com/reports/996371, Stored XSS at "Conditions "  through "My Custom Rule" Field at [https://my.stripo.email/cabinet/#/template-editor/] in Template Editor., resolved
996535, https://hackerone.com/reports/996535, POST based RXSS on https://█████ via frm_email parameter, resolved
996540, https://hackerone.com/reports/996540, Apple Pay cryptogram replay and amount tampering, resolved
996956, https://hackerone.com/reports/996956, Subdomain takeover http://promo.instamart.ru/, resolved
996981, https://hackerone.com/reports/996981, Disclosure of the account email by phone number on [corporate.city-mobil.ru], resolved
997070, https://hackerone.com/reports/997070, No rate limiting for confirmation email lead to huge Mass mailings, resolved
997127, https://hackerone.com/reports/997127, Lack of session expiration after password reset on TikTok Careers Portal, resolved
997198, https://hackerone.com/reports/997198, Content Spoofing/Text Injection in https://support.cs.money and JS file not minified and uglyfied which makes it clearly readable , resolved
997350, https://hackerone.com/reports/997350, your-store.myshopify.com  preview link  is leak on third party website lead to preview all action from store owner Without store Password., resolved
997376, https://hackerone.com/reports/997376, External Service Interaction (HTTP/DNS) on https://www.███  (██████████ parameter), resolved
997381, https://hackerone.com/reports/997381, XML Injection on https://www.█████████ (███ parameter), resolved
997514, https://hackerone.com/reports/997514, Bypass "Industry Documents" Validation, resolved
997615, https://hackerone.com/reports/997615, CSRF To Add New App In Developer Account And Bypassing Json Format, resolved
997926, https://hackerone.com/reports/997926, SSRF - Unchecked Snippet IDs for distributed files, resolved
997988, https://hackerone.com/reports/997988, External Service Interaction | https://█████████.mil, resolved
998138, https://hackerone.com/reports/998138, In orginization stored xss using location (Larksuite survey app), resolved
998398, https://hackerone.com/reports/998398, Prototype Pollution leads to XSS on https://blog.swiftype.com/#__proto__[asd]=alert(document.domain), resolved
998422, https://hackerone.com/reports/998422, XSS through image upload of contacts using svg file with png extension , resolved
998925, https://hackerone.com/reports/998925, https://████ is vulnerable to cve-2020-3452, resolved
998935, https://hackerone.com/reports/998935, POST based RXSS on https://███████/ via ███ parameter, resolved
998979, https://hackerone.com/reports/998979, CSRF for deleting videos, resolved
998981, https://hackerone.com/reports/998981, {███} It is posible download all information and files via S3 Bucket  Misconfiguration, resolved
998993, https://hackerone.com/reports/998993, User Able to Reopen a Ticket by Modify the Request, resolved
999314, https://hackerone.com/reports/999314, mrgs.my.games account takeover, resolved
999765, https://hackerone.com/reports/999765, Ticket Trick at https://account.acronis.com, resolved
1000363, https://hackerone.com/reports/1000363, Reflected XSS on https://e.mail.ru/compose/ via Body parameter, resolved
1000567, https://hackerone.com/reports/1000567, ReDoS at wiki.cs.money graphQL endpoint (AND probably a kind of command injection), resolved
1000922, https://hackerone.com/reports/1000922, Unsecured Grafana instance on https://monitoring.prow-canary.k8s.io/dashboards, duplicate
1001218, https://hackerone.com/reports/1001218, [@firebase/util] Prototype pollution, resolved
1001951, https://hackerone.com/reports/1001951, CORS bypass on TikTok Ads Endpoint, resolved
1002188, https://hackerone.com/reports/1002188, Potential HTTP Request Smuggling in nodejs, resolved
1002641, https://hackerone.com/reports/1002641, SQL Injection leads to retrieve the contents of an entire database. , duplicate
1003433, https://hackerone.com/reports/1003433, XSS Reflect to POST █████, resolved
1003455, https://hackerone.com/reports/1003455, Access to Unclassified / FOUO Advanced Motion Platform of █████████.mil, resolved
1003468, https://hackerone.com/reports/1003468, Send Empty CSRF leads to log out user on [https://hosted.weblate.org/accounts/profile], resolved
1004136, https://hackerone.com/reports/1004136, subdomain Takeover, resolved
1004360, https://hackerone.com/reports/1004360, Account TakeOver at kvartira.city-mobil.ru, resolved
1004412, https://hackerone.com/reports/1004412, Possible LDAP username and password disclosed on Github, resolved
1004536, https://hackerone.com/reports/1004536, Reset password cookie leads to account takeover, resolved
1004604, https://hackerone.com/reports/1004604, Subdomain Takeover, resolved
1004745, https://hackerone.com/reports/1004745, View another user information with IDOR vulnerability , resolved
1004750, https://hackerone.com/reports/1004750, IDOR + Account Takeover  [UNAUTHENTICATED], resolved
1004847, https://hackerone.com/reports/1004847, SSRF Possible through /wordpress/xmlrpc.php, not-applicable
1004964, https://hackerone.com/reports/1004964, All private support requests to ███████ are being disclosed at https://███████, resolved
1005020, https://hackerone.com/reports/1005020, Identify unique user ID of all the profiles , resolved
1005315, https://hackerone.com/reports/1005315, Access User Tickets via IDOR in [widget.support.my.games], resolved
1005355, https://hackerone.com/reports/1005355, Unrestricted File Upload Results in Cross-Site Scripting Attacks, resolved
1005374, https://hackerone.com/reports/1005374, CORS misconfiguration which leads to the disclosure , resolved
1005421, https://hackerone.com/reports/1005421, [api.tumblr.com] Denial of Service by cookies manipulation, resolved
1005502, https://hackerone.com/reports/1005502, XSS - Calendar - Unescaped common name of appointment participant, resolved
1006306, https://hackerone.com/reports/1006306, User In The Same Center Can Create CSRF To Change The Information About Business, resolved
1006524, https://hackerone.com/reports/1006524, CORS misconfiguration in TikTok ads portal , resolved
1006599, https://hackerone.com/reports/1006599, Blind SSRF in ads.tiktok.com, resolved
1006677, https://hackerone.com/reports/1006677, [www.drive2.ru] Insufficient Session Expiration - Previously issued email change tokens do not expire upon issuing a new email change token, resolved
1006691, https://hackerone.com/reports/1006691, [www.drive2.ru]  Insufficient Security Configurability - Notification message not sent when account is deleted, resolved
1007014, https://hackerone.com/reports/1007014, RCE via npm misconfig -- installing internal libraries from the public registry, resolved
1007689, https://hackerone.com/reports/1007689, 2020-10-09 Credential Stuffing Attack, resolved
1007702, https://hackerone.com/reports/1007702, PII Leak of USCG Designated Examiner List at https://www.███, resolved
1007799, https://hackerone.com/reports/1007799, Local File Inclusion In Registration Page, resolved
1007988, https://hackerone.com/reports/1007988, Able to comment/view in others support ticket at https://en.instagram-brand.com/requests/dashboard, resolved
1008579, https://hackerone.com/reports/1008579, Camera adoption DoS - UniFi Protect, resolved
1008947, https://hackerone.com/reports/1008947, Debug information at the /sapi endpoint, informative
1009046, https://hackerone.com/reports/1009046, Able to use 'PREMIUM TEMPLATES' in 'FREE PLAN' at [https://my.stripo.email/cabinet/#/my-templates/], resolved
1010132, https://hackerone.com/reports/1010132, Possible DOM XSS on app.hey.com, resolved
1010316, https://hackerone.com/reports/1010316, Reflected XSS on https://████/ (Bypass of #1002977), resolved
1010340, https://hackerone.com/reports/1010340, [CVE-2020-27194] Linux kernel: eBPF verifier bug in `or` binary operation tracking function leads to LPE, resolved
1010522, https://hackerone.com/reports/1010522, [CSRF] TikTok Careers Portal Account Takeover, resolved
1010787, https://hackerone.com/reports/1010787, Request Access for Uber Device Returns Management Platform (https://www.eats-devicereturns.com/request-access/) Bypass Allows Access to PII, resolved
1010806, https://hackerone.com/reports/1010806, [tumblr.com] CSRF in /svc/user/filtered_content, resolved
1010858, https://hackerone.com/reports/1010858, Web cache poisoning at www.acronis.com, resolved
1011035, https://hackerone.com/reports/1011035, XSS in message e.mail.ru , resolved
1011093, https://hackerone.com/reports/1011093, XSS Stored in Cacheable  response, resolved
1011243, https://hackerone.com/reports/1011243, HTTP Parameter Pollution with semicolons in iframe allows loading external Greenhouse forms, resolved
1011463, https://hackerone.com/reports/1011463, XSS Reflected in m.vk.com, resolved
1011767, https://hackerone.com/reports/1011767, X-Forward-For Header allows to bypass access restrictions, resolved
1011888, https://hackerone.com/reports/1011888, Improper Sanitization leads to XSS Fire on admin panel, resolved
1012249, https://hackerone.com/reports/1012249, Reflected XSS  www.█████ search form, resolved
1012644, https://hackerone.com/reports/1012644, Получение локального пути до файла [geekbrains.ru], resolved
1014459, https://hackerone.com/reports/1014459, Stored XSS in any message (leads to priv esc for all users and file leak + rce via electron app), resolved
1014593, https://hackerone.com/reports/1014593, CSRF to Stored HTML injection at https://www.█████, resolved
1015406, https://hackerone.com/reports/1015406, SQL Injection in www.██████████, resolved
1016148, https://hackerone.com/reports/1016148, This Github Repository Seems Leaking Incoming Samokat Project, resolved
1016253, https://hackerone.com/reports/1016253, Reflected XSS at https://www.glassdoor.co.in/FAQ/Microsoft-Question-FAQ200086-E1651.htm?countryRedirect=true via PATH, resolved
1016691, https://hackerone.com/reports/1016691, Guard WKS lookup: Evil WKS server forces connections to last forever, resolved
1016860, https://hackerone.com/reports/1016860, This Github Repository Seems Leaking Samokat Django Project, resolved
1016966, https://hackerone.com/reports/1016966, Remote Code Execution in Basecamp Windows Electron App, resolved
1017189, https://hackerone.com/reports/1017189, Blind Stored XSS on https://█████████ after filling a request at https://█████, resolved
1017576, https://hackerone.com/reports/1017576, Order lookup features of Shopify Chat Application leads to customer orders enumeration due to lack of user input validation, resolved
1018037, https://hackerone.com/reports/1018037, a very long name in hey.com can prevent anyone from accessing their contacts and probably can cause denial of service, resolved
1018094, https://hackerone.com/reports/1018094, Staff Member can Get POS Access Without User Interaction, resolved
1018146, https://hackerone.com/reports/1018146, Potential DDoS when posting long data into workflow validation rules, resolved
1018270, https://hackerone.com/reports/1018270, CSRF to account takeover in https://█████/, resolved
1018336, https://hackerone.com/reports/1018336, Customer's full name disclosure via Shopify Chat (by email lookup), resolved
1018413, https://hackerone.com/reports/1018413, Development Application Credentials + Information Exposed, duplicate
1018568, https://hackerone.com/reports/1018568, Server Side Request Forgery in 'Jabber settings' in Admin Control Panel, resolved
1018608, https://hackerone.com/reports/1018608, Information Disclosure of Advertiser Account on TikTok Ads Portal, resolved
1018621, https://hackerone.com/reports/1018621, [████] SQL Injections on Referer Header exploitable via Time-Based method, resolved
1019367, https://hackerone.com/reports/1019367, Memory Dump and Env Disclosure via Spring Boot Actuator, resolved
1019372, https://hackerone.com/reports/1019372, Parallel upload hangs curl if upload file not found, informative
1019389, https://hackerone.com/reports/1019389, Lack of quarantine macOS attribute(com.apple.quarantine) leads multiple issues including RCE, resolved
1019425, https://hackerone.com/reports/1019425, Bypass extension check leads to stored XSS at https://s2.booth.pm, resolved
1019457, https://hackerone.com/reports/1019457, Data race conditions reported by helgrind when performing parallel DNS queries in libcurl, informative
1019891, https://hackerone.com/reports/1019891, Named pipe connection inteception, resolved
1020371, https://hackerone.com/reports/1020371, User can upload files even after closing his account, resolved
1020472, https://hackerone.com/reports/1020472, System Error Reveals Sensitive SQL Call Data, resolved
1020943, https://hackerone.com/reports/1020943, Improper Restriction of Excessive Authentication Attempts at https://top.mail.ru/edit? for site counter (Rate Limit bypass via IP Rotation), resolved
1021010, https://hackerone.com/reports/1021010, "blog.skillfactory.ru" Vulnerable to Directory Traversal , resolved
1021232, https://hackerone.com/reports/1021232, Account takeover by using  abandoned email id of victim which has already been changed to new  by victim himself on one.newrelic.com, resolved
1021776, https://hackerone.com/reports/1021776, Attacker can generate cancelled transctions in a user's transaction history using only Steam ID, resolved
1021885, https://hackerone.com/reports/1021885, Bypass of image rewriting / tracking blocker via srcset, resolved
1021906, https://hackerone.com/reports/1021906, [Information Disclosure] Amazon S3 Bucket of Shopify Ping (iOS) have public access of other users image, resolved
1022211, https://hackerone.com/reports/1022211, Leaked of Profile Image from URL changing, informative
1022267, https://hackerone.com/reports/1022267, WordPress admin is accessible without HTTP authentication, informative
1022655, https://hackerone.com/reports/1022655, HTML Injection on Company Name on Email, resolved
1023448, https://hackerone.com/reports/1023448, Exposed Credentials May Leads to Tarantool Infrastructure Leak, resolved
1023572, https://hackerone.com/reports/1023572, [acronis.secure.force.com] - Insecure Salesforce default/custom object permissions leads to information disclosure, resolved
1023635, https://hackerone.com/reports/1023635, Improper Restriction of Excessive Authentication Attempts via https://certification.mail.ru/auth-form/?form=auth_certy (Rate limit Bypass), resolved
1023669, https://hackerone.com/reports/1023669, Staff with no permissions can listen to Shopify Ping conversations by registering to its different WebSocket Events, resolved
1023787, https://hackerone.com/reports/1023787, Stored XSS in markdown file with Nextcloud Talk using Internet Explorer, resolved
1023792, https://hackerone.com/reports/1023792, CVE-2020-3187 на ip адресе 91.231.115.30, resolved
1023899, https://hackerone.com/reports/1023899, Regular expression denial of service in ActiveRecord's PostgreSQL Money type, resolved
1023920, https://hackerone.com/reports/1023920, SSRF external interaction, resolved
1023986, https://hackerone.com/reports/1023986, Account Takeover on [ls5-dev.ucs.ru], resolved
1024029, https://hackerone.com/reports/1024029, SDC bypass on calendar.mail.ru, resolved
1024356, https://hackerone.com/reports/1024356, [api-site.city-mobil.ru] Improper access control leads to information disclosure (bypass of #977597 fix), resolved
1024393, https://hackerone.com/reports/1024393, [files.ucs.ru] ProFTPd mod_copy Arbitrary Read/Write, resolved
1024575, https://hackerone.com/reports/1024575, RCE on TikTok Ads Portal, resolved
1024668, https://hackerone.com/reports/1024668, Brave Browser potentially logs the last time a Tor window was used, resolved
1024734, https://hackerone.com/reports/1024734, DOMPurify bypass, resolved
1024773, https://hackerone.com/reports/1024773, SQL injection  delivery-club.ru (ClickHouse), resolved
1024880, https://hackerone.com/reports/1024880, SSL expired subdomain leads to API swap with main and flagged cookies. Unable to log device ids and certain session tokens. , resolved
1024899, https://hackerone.com/reports/1024899, file read on MCS servers via supplying a QCOW2 image with external backing file, resolved
1024984, https://hackerone.com/reports/1024984, [SQLI ]Time Bassed Injection at ██████████ via /██████/library.php?c=G14 parameter, resolved
1025125, https://hackerone.com/reports/1025125, XSS in vk.link, resolved
1025217, https://hackerone.com/reports/1025217, Apparent ██████████ website is publicly exposed, suggests default account details on page and has expired SSL/TLS cert, resolved
1025365, https://hackerone.com/reports/1025365, Stored XSS at Template Editor in "Section Name"  Field of Block element 'Accordion'., resolved
1025575, https://hackerone.com/reports/1025575, Default behavior of Fastifys versioned routes can be used for cache poisoning when Fastify is used in combination with a http cache / CDN, resolved
1026146, https://hackerone.com/reports/1026146, Unauthorized access to admin panel of the Questionmark Perception system at https://██████████, resolved
1026196, https://hackerone.com/reports/1026196, Information Disclosure of Garbage Collection Cycle 'Again' , resolved
1026265, https://hackerone.com/reports/1026265, Unauthenticated Arbitrary File Deletion "CVE-2020-3187" in █████, resolved
1026893, https://hackerone.com/reports/1026893,  Disk-o Cloud application (Windows) does not validate server certificate on a TLS connection, resolved
1027192, https://hackerone.com/reports/1027192, Clickjacking Vulnerability via https://www.donationalerts.com/help/support leads to bypass for widget.support.my.games X-Frame Options, resolved
1027822, https://hackerone.com/reports/1027822, Unrestricted File Upload Leads to RCE on mobile.starbucks.com.sg, resolved
1027949, https://hackerone.com/reports/1027949, Exposed Configuration Files at https://www.exodus.io/keybase.txt , informative
1027962, https://hackerone.com/reports/1027962, reflected xss on learn.city-mobil.ru via redirect_url parameter, resolved
1028332, https://hackerone.com/reports/1028332, Stored XSS on https://events.hackerone.com, resolved
1028345, https://hackerone.com/reports/1028345, Open Redirect on http://events.hackerone.com/redirect?url=https://naglinagli.github.io, resolved
1028396, https://hackerone.com/reports/1028396, Reflected XSS and possible SSRF/XXE on https://events.hackerone.com/conferences/get_recording_slides_xml.xml?url=myserver/xss.xml, resolved
1028820, https://hackerone.com/reports/1028820, Blind Stored XSS in https://partners.acronis.com/admin which lead to sensitive information/PII leakage, resolved
1029027, https://hackerone.com/reports/1029027, Bypass subscription, resolved
1029238, https://hackerone.com/reports/1029238, Reflected XSS in https://███████ via hidden parameter "████████", resolved
1029243, https://hackerone.com/reports/1029243, Reflected XSS on https://███/████via hidden parameter "█████████", resolved
1029457, https://hackerone.com/reports/1029457, [com.icq.mobile.client] Любое стороннее приложение может угнать сессию, а также другие файлы приложения, resolved
1029466, https://hackerone.com/reports/1029466, Нет флуд-контроля на функции "Запрос денег" в VK Pay. Флуд уведомлениями и сообщениями пользователю, находящемуся в друзьях., resolved
1029594, https://hackerone.com/reports/1029594, RDR2 game service method allows adding any player to a new Posse without consent, resolved
1029723, https://hackerone.com/reports/1029723, No rate limiting for subscribe email + lead to Cross origin misconfiguration, resolved
1029877, https://hackerone.com/reports/1029877, Account takeover on [support2.ucs.ru], resolved
1030397, https://hackerone.com/reports/1030397, XSS reflected, informative
1031240, https://hackerone.com/reports/1031240, `account_info.read` scope OAuth app access token can change token owner's account name., resolved
1031321, https://hackerone.com/reports/1031321,  Github Account hijack through broken link in developer.twitter.com, resolved
1031437, https://hackerone.com/reports/1031437, https://██████ vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD, resolved
1031644, https://hackerone.com/reports/1031644, DOM XSS on http://talks.lystit.com, resolved
1032001, https://hackerone.com/reports/1032001, CSS-Reflected, informative
1032086, https://hackerone.com/reports/1032086, csi-snapshot-controller crashes when processing VolumeSnapshot with non-existing PVC, resolved
1033107, https://hackerone.com/reports/1033107, DNS Max Responses for DOS, resolved
1033423, https://hackerone.com/reports/1033423, Django Debug=True Leaks admin email addresss and serval system information , resolved
1033832, https://hackerone.com/reports/1033832, XSS In https://docs.gocd.org/current/, resolved
1033882, https://hackerone.com/reports/1033882, XSS stored in the Shopify Email app, resolved
1033895, https://hackerone.com/reports/1033895, SDC bypass cloud.mail.ru for every /api/v3/* endpoint., resolved
1034023, https://hackerone.com/reports/1034023, Possible (we need to wait for some time) takeover of subdomain badootech.badoo.com which is pointing to Medium servers, resolved
1034042, https://hackerone.com/reports/1034042, Database read through file attachment [content://], resolved
1034257, https://hackerone.com/reports/1034257, Indexing of urls on the "External link warning" pages discloses many vulnerable endpoints from the past and unlisted videos/photos, resolved
1034317, https://hackerone.com/reports/1034317, HTML injection in an email [delivery.city-mobil.ru], resolved
1034346, https://hackerone.com/reports/1034346, Security@ email forwarding and Embedded Submission drafts can be used to obtain copy of deleted attachments from other HackerOne users, resolved
1035320, https://hackerone.com/reports/1035320, Получение стикеров, resolved
1035742, https://hackerone.com/reports/1035742, Able to authenticate as administrator by navigating to https://█████/admin/, resolved
1035976, https://hackerone.com/reports/1035976, Slack server disclose h1 private issue report, resolved
1036877, https://hackerone.com/reports/1036877, Blind stored XSS due to insecure contact form at https://█████.mil leads to leakage of session token and , resolved
1036886, https://hackerone.com/reports/1036886, Kubelet follows symlinks as root in /var/log from the /logs server endpoint , informative
1037157, https://hackerone.com/reports/1037157, Exposed Git Repo at  https://mini-app.delivery-club.ru, resolved
1037430, https://hackerone.com/reports/1037430, Race Condition on "Get free Badoo Premium" which allows to get more days of free premium for Free. , resolved
1037714, https://hackerone.com/reports/1037714, XSS in Email Input [intensedebate.com], resolved
1038129, https://hackerone.com/reports/1038129, assets/vendor.js file exposing sentry.io token and DNS and application id ., resolved
1038594, https://hackerone.com/reports/1038594, CRLF INJECTION , resolved
1038906, https://hackerone.com/reports/1038906, XSS account.mail.ru, resolved
1039325, https://hackerone.com/reports/1039325, Other misconfiguration on Slack Server, resolved
1039504, https://hackerone.com/reports/1039504, Some build dependencies are downloaded over an insecure channel (without subsequent integrity checks), resolved
1039643, https://hackerone.com/reports/1039643, DOM XSS on https://biz.mail.ru/domains/goto/mail/ via parameter pollution, resolved
1039750, https://hackerone.com/reports/1039750, Stored XSS in Intense Debate comment system, resolved
1039805, https://hackerone.com/reports/1039805, Clickjacking URLS, resolved
1039821, https://hackerone.com/reports/1039821, Second-order SOQL injection through email and campaign name parameter in Salesforce lead submission, resolved
1040047, https://hackerone.com/reports/1040047, Email Verification bypass on signup, resolved
1040166, https://hackerone.com/reports/1040166, CVE-2020-8284: trusting FTP PASV responses, resolved
1040373, https://hackerone.com/reports/1040373, Password authentication when changing information bypass. Bypass of report #721341, resolved
1040471, https://hackerone.com/reports/1040471, Login page vulnerable to bruteforce attacks via rate limiting bypass, resolved
1040533, https://hackerone.com/reports/1040533, [intensedebate.com] XSS Reflected POST-Based , resolved
1040639, https://hackerone.com/reports/1040639, [intensedebate.com] XSS Reflected POST-Based on update/tumblr2/{$id}, resolved
1041173, https://hackerone.com/reports/1041173, Permanent DoS at https://happy.tools/ when inviting a user, resolved
1042141, https://hackerone.com/reports/1042141, Some build dependencies are downloaded over an insecure channel (without subsequent integrity checks), informative
1042486, https://hackerone.com/reports/1042486, Reflected XSS at https://www.glassdoor.com/ via the 'numSuggestions' parameter, resolved
1042716, https://hackerone.com/reports/1042716, Async search stores authorization headers in clear text, resolved
1042746, https://hackerone.com/reports/1042746, [intensedebate.com] SQL Injection Time Based on /changeReplaceOpt.php, resolved
1043360, https://hackerone.com/reports/1043360, HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion, resolved
1043385, https://hackerone.com/reports/1043385, Arbitrary Code Execution via npm misconfiguration – installing internal libraries from the public registry, resolved
1043480, https://hackerone.com/reports/1043480, Remote hacker can download all the files of master branch in public projects where everything is members only., resolved
1043801, https://hackerone.com/reports/1043801, BLIND SSRF ON http://jsgames.mail.ru via avaOp parameter , resolved
1043804, https://hackerone.com/reports/1043804, Reflected XSS in https://www.intensedebate.com/js/getCommentLink.php, resolved
1044698, https://hackerone.com/reports/1044698, [intensedebate.com] SQL Injection Time Based On /js/commentAction/, resolved
1044716, https://hackerone.com/reports/1044716, SQL Injection in www.hyperpure.com, resolved
1044869, https://hackerone.com/reports/1044869, Staff with no permissions could possibly list and accept billing promotions, resolved
1044933, https://hackerone.com/reports/1044933, CSRF on api.my.games due to improper validation of token allows an attacker to delete other users notifications, resolved
1045844, https://hackerone.com/reports/1045844, CVE-2020-8285: FTP wildcard stack overflow, resolved
1046084, https://hackerone.com/reports/1046084, SQL Injection Union Based, resolved
1046466, https://hackerone.com/reports/1046466, CSRF in updating username https://pw.mail.ru/, resolved
1046630, https://hackerone.com/reports/1046630, One Click Account takeover using Ouath CSRF bypass by adding Null byte %00 in state parameter on  www.streamlabs.com, resolved
1046697, https://hackerone.com/reports/1046697, ████., resolved
1047086, https://hackerone.com/reports/1047086, Heap buffer overflow vulnerability while processing a malformed TIFF file., resolved
1047100, https://hackerone.com/reports/1047100, No rate limiting - Create data, resolved
1047119, https://hackerone.com/reports/1047119, No rate limiting - Create Plug-ins, resolved
1047124, https://hackerone.com/reports/1047124, No rate limit in email subscription, resolved
1047447, https://hackerone.com/reports/1047447, HostAuthorization middleware does not suitably sanitize the Host / X-Forwarded-For header allowing redirection., resolved
1048322, https://hackerone.com/reports/1048322, SMAP bypass, resolved
1048457, https://hackerone.com/reports/1048457, CVE-2020-8286: Inferior OCSP verification, resolved
1048540, https://hackerone.com/reports/1048540, IDOR on https://██████ via POST UID enables database scraping, resolved
1048571, https://hackerone.com/reports/1048571, ███ on https://████ enable ███ scraping, injection, stored XSS, resolved
1049012, https://hackerone.com/reports/1049012, Stored XSS in [https://streamlabs.com/dashboard#/*goal] pages, resolved
1049040, https://hackerone.com/reports/1049040, Download full backup and Cross site scripting , resolved
1049360, https://hackerone.com/reports/1049360, CSRF in changing users donation_settings [https://streamlabs.com/api/v6/viewer-portal/viewer-settings/donation_settings], resolved
1049375, https://hackerone.com/reports/1049375, SAML authentication bypass through unauthenticated `addSamlProvider` Meteor Call, resolved
1049624, https://hackerone.com/reports/1049624, Abusing URL Parsers by long schema name, informative
1049733, https://hackerone.com/reports/1049733, Acessed internal api documentation and information, resolved
1050017, https://hackerone.com/reports/1050017, Stored XSS в профиле водителя [city-mobil.ru/taxiserv], resolved
1050022, https://hackerone.com/reports/1050022, Stored XSS на странице "Изменить клиента" [city-mobil.ru/taxiserv], resolved
1050030, https://hackerone.com/reports/1050030, Stored XSS на странице "Измененить водителя" [city-mobil.ru/taxiserv], resolved
1050047, https://hackerone.com/reports/1050047, Stored XSS на странице "Изменить клиента", вкладка "История" [city-mobil.ru/taxiserv], resolved
1050054, https://hackerone.com/reports/1050054, Stored XSS на странице "Почты" [city-mobil.ru/taxiserv], resolved
1050193, https://hackerone.com/reports/1050193, [intensedebate.com] Open Redirect, resolved
1050196, https://hackerone.com/reports/1050196, PII Leak of ████████ Personal at  https://www.█████████, resolved
1050231, https://hackerone.com/reports/1050231, Path Traversal в iOS приложении, resolved
1050244, https://hackerone.com/reports/1050244, Two-factor authentication enforcement bypass, resolved
1050454, https://hackerone.com/reports/1050454, Sensitive data exposure via https://███/secure/QueryComponent!Default.jspa - CVE-2020-14179, resolved
1050656, https://hackerone.com/reports/1050656, Bypass Tracking Blocker Protection Using Slashes Without Protocol On The Image Source., resolved
1050733, https://hackerone.com/reports/1050733, [sub.wordpress.com] - XSS when adjust block Poll - Confirmation Message -  On submission:Redirect to another webpage - Redirect address:[xss_payload], resolved
1050753, https://hackerone.com/reports/1050753, Endpoint without access control leads to order informations and status changes, resolved
1050912, https://hackerone.com/reports/1050912, PHP info page disclosure, resolved
1051029, https://hackerone.com/reports/1051029, Public and secret api key leaked in JavaScript source, resolved
1051192, https://hackerone.com/reports/1051192, Code Injection via Insecure Yaml.load, resolved
1051369, https://hackerone.com/reports/1051369, Blind Stored XSS Payload fired at the backend on https://█████████/, resolved
1051431, https://hackerone.com/reports/1051431, Blind SSRF on infodesk.engelvoelkers.com via proxy.php, informative
1051734, https://hackerone.com/reports/1051734, [intensedebate.com] No Rate Limit On The report Functionality Lead To Delete Any Comment When it is enabled, resolved
1051885, https://hackerone.com/reports/1051885, Insecure ███████ credentials on staging app at ████ leads to application takeover, resolved
1052174, https://hackerone.com/reports/1052174, [com.icq.mobile.client] Любое стороннее приложение может отправить произвольное сообщение от имени пользователя, resolved
1052819, https://hackerone.com/reports/1052819, subdomain takeover disney.samokat.ru, resolved
1052856, https://hackerone.com/reports/1052856, Reflected XSS в /video, resolved
1054282, https://hackerone.com/reports/1054282, Protocol Smuggling over LDAP password field, resolved
1054526, https://hackerone.com/reports/1054526, Stored XSS in wordpress.com, resolved
1054765, https://hackerone.com/reports/1054765, [supportlocal.delivery-club.ru] Subdomain Takeover, resolved
1055503, https://hackerone.com/reports/1055503, No rate limiting for confirmation email lead to huge Mass mailings, informative
1055823, https://hackerone.com/reports/1055823, SSRF By adding a custom integration on console.helium.com, resolved
1056144, https://hackerone.com/reports/1056144, Acronis True Image  (Windows) does not validate server certificate on a TLS connection, resolved
1056611, https://hackerone.com/reports/1056611, Unauthenticated Arbitrary File Deletion (CVE-2020-3187), resolved
1056676, https://hackerone.com/reports/1056676, Bypass the reverse proxy. Request admin, resolved
1056686, https://hackerone.com/reports/1056686, Обход приватности у фотографий/документов, resolved
1056953, https://hackerone.com/reports/1056953, XSS в названии звонка, resolved
1057216, https://hackerone.com/reports/1057216, Regex Injection from request header (Rack::Sendfile, send_file), informative
1057269, https://hackerone.com/reports/1057269, PII Information Leak at https://████████.mil/, resolved
1057419, https://hackerone.com/reports/1057419, Reflected XSS on ███, resolved
1057531, https://hackerone.com/reports/1057531, GET /api/v2/url_info endpoint is vulnerable to Blind SSRF, informative
1057971, https://hackerone.com/reports/1057971, XSS на странице "Создать водителя" [city-mobil.ru/taxiserv], resolved
1058015, https://hackerone.com/reports/1058015, Full account takeover on https://████████.mil, resolved
1058383, https://hackerone.com/reports/1058383, DoS of LINE client for Android via message containing multiple unicode characters (0x0e & 0x0f), resolved
1058427, https://hackerone.com/reports/1058427, xss reflected on imgur.com, resolved
1058879, https://hackerone.com/reports/1058879, Using gossip to drain miner wallets, resolved
1059395, https://hackerone.com/reports/1059395, Reflected XSS on █████████, resolved
1060496, https://hackerone.com/reports/1060496, XSS in Search field, triaged
1060518, https://hackerone.com/reports/1060518, No rate limit in otp code sending, resolved
1060541, https://hackerone.com/reports/1060541, No rate limit lead to otp brute forcing, resolved
1061199, https://hackerone.com/reports/1061199, Reflected XSS on play.mtn.co.za, resolved
1061204, https://hackerone.com/reports/1061204, CVE 2020 14179 on jira instance , resolved
1061292, https://hackerone.com/reports/1061292, TAMS registration details API for admins open at https://tamsapi.gsa.gov/user/tams/api/usermgmnt/pendingUserDetails/, resolved
1061439, https://hackerone.com/reports/1061439, XSS при Изменения машины на странице "Контроль" [city-mobil.ru/taxiserv], resolved
1061446, https://hackerone.com/reports/1061446, XSS на странице "Платежи водителей" [city-mobil.ru/taxiserv], resolved
1061591, https://hackerone.com/reports/1061591, Acting under any different user via DB-stored credentials, resolved
1061623, https://hackerone.com/reports/1061623, Partner's manager can aсccess statistics of all drivers [city-mobil.ru/taxiserv], resolved
1061664, https://hackerone.com/reports/1061664, Access to alerta.khanacademy.org leak sensitive data , resolved
1062380, https://hackerone.com/reports/1062380, Reflected XSS on ███████, resolved
1062803, https://hackerone.com/reports/1062803, Misconfigured AWS S3 bucket leaks senstive data  such of  admin, Prdouction,beta, localhost and many more directories...., resolved
1062888, https://hackerone.com/reports/1062888, External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing, resolved
1063022, https://hackerone.com/reports/1063022, Corss-Tenant IDOR on Business allowing escalation privilege, invitation takeover, and edition of any other Businesses' employees, resolved
1063039, https://hackerone.com/reports/1063039, Phar Deserialization Vulnerability via Logging Settings, resolved
1063256, https://hackerone.com/reports/1063256, [CVE-2018-7600] Remote Code Execution due to outdated Drupal server on www.█████████, resolved
1063298, https://hackerone.com/reports/1063298, Unauthorized access to employee panel with default credentials., resolved
1063371, https://hackerone.com/reports/1063371, Sensitive Information Leaking Through DoD Owned Website https://www.█████.mil, resolved
1064087, https://hackerone.com/reports/1064087, DMARC and SPF records, resolved
1064095, https://hackerone.com/reports/1064095, Stored XSS in Acronis Cyber Protect Console, resolved
1064587, https://hackerone.com/reports/1064587, XSS on ub.icq.net, resolved
1065041, https://hackerone.com/reports/1065041, Google API key leaked to Public, resolved
1065128, https://hackerone.com/reports/1065128, No Rate Limit On dashboard.myndr.net/auth, resolved
1065134, https://hackerone.com/reports/1065134, Firebase Database Takeover in Zego Sense Android app, resolved
1065167, https://hackerone.com/reports/1065167, Reflected XSS on https://█████████/, resolved
1065186, https://hackerone.com/reports/1065186, Weak rate limit could lead to ATO due to weak password protection mechanisms, resolved
1065468, https://hackerone.com/reports/1065468, ctf walkthrough, resolved
1065500, https://hackerone.com/reports/1065500, Multiple bugs leads to RCE on TikTok for Android, resolved
1065517, https://hackerone.com/reports/1065517, h1 hacky holidays CTF solution, resolved
1065583, https://hackerone.com/reports/1065583, Hackyholidays CTF writeup, resolved
1065731, https://hackerone.com/reports/1065731, Writeup Hackyholiday CTF, resolved
1065776, https://hackerone.com/reports/1065776, DOM based XSS via postMessage at store.my.games, resolved
1065829, https://hackerone.com/reports/1065829, Invading Grinch Network and Saving Christmas, resolved
1065885, https://hackerone.com/reports/1065885, Complete destruction of the Grinch server, resolved
1065964, https://hackerone.com/reports/1065964, Stored XSS in the banner block description, resolved
1066007, https://hackerone.com/reports/1066007, Hacky Holidays CTF Writeup, resolved
1066083, https://hackerone.com/reports/1066083, ███████mill is vulnerable to cross site request forgery that leads to full account take over., resolved
1066135, https://hackerone.com/reports/1066135, Wholesome Hacky Holidays: A Writeup, resolved
1066189, https://hackerone.com/reports/1066189, Account takeover just through csrf in https://booking.qiwi.kz/profile, resolved
1066206, https://hackerone.com/reports/1066206, [hacky-holidays] Grinch network is down, resolved
1066410, https://hackerone.com/reports/1066410, Google API key leaks and security misconfiguration leads Open Redirect Vulnerability, resolved
1066502, https://hackerone.com/reports/1066502, XSS (reflected, and then, cookie persisted)  on api documentation site theme selector (old version of dokuwiki), resolved
1066504, https://hackerone.com/reports/1066504, Grinch Networks compromised!, resolved
1066607, https://hackerone.com/reports/1066607, HTML Injection through Account Name field on TikTok ads portal being rendered on emails, resolved
1066790, https://hackerone.com/reports/1066790, Internal API endpoint is accesible for everyone, resolved
1066801, https://hackerone.com/reports/1066801, Hacky Holidays CTF Writeup, resolved
1066851, https://hackerone.com/reports/1066851, 12 Days of Hacky Holidays write-up, but as a text-based RPG?, resolved
1066914, https://hackerone.com/reports/1066914, [ Hacky Holidays CTF ] Completely taken down the Grinch Networks, resolved
1067004, https://hackerone.com/reports/1067004, Sensitive data exposure via https://███████/secure/QueryComponent!Default.jspa - CVE-2020-14179, resolved
1067037, https://hackerone.com/reports/1067037, Taking Grinch Down To Save Holidays, resolved
1067087, https://hackerone.com/reports/1067087, [h1-ctf] 12 Days of Adventure to stop Grinch from ruining Christmas, resolved
1067090, https://hackerone.com/reports/1067090, Mission completed. Grinch Networks is down and Christmas saved., resolved
1067276, https://hackerone.com/reports/1067276, Sending trusted ████ and ██████████ emails through public API endpoint in ███████ site, resolved
1067291, https://hackerone.com/reports/1067291, RCE in ██████ subdomain via CVE-2017-1000486, resolved
1067443, https://hackerone.com/reports/1067443, Screenshot Service leaks X-ABS-App-Token, resolved
1067530, https://hackerone.com/reports/1067530, Successfully took down the Grinch and saved the holidays from being ruined, resolved
1067533, https://hackerone.com/reports/1067533, Rate limit function bypass can leads to occur huge critical problem into website. , resolved
1067547, https://hackerone.com/reports/1067547, Unauthenticated access to webmail at maildev.happytools.dev leading to compromised wordpress site api.happytools.dev [RCE], resolved
1067809, https://hackerone.com/reports/1067809, Cookie poisoning leads to DOS and Privacy Violation, resolved
1067824, https://hackerone.com/reports/1067824, Database error shown to the user when using a long guest name in richdocuments, resolved
1067835, https://hackerone.com/reports/1067835, Hacky Holidays Writeup, resolved
1067870, https://hackerone.com/reports/1067870, Gitlab search exposing personal data of employees on gitlab-edu.geekbrains.ru, resolved
1067912, https://hackerone.com/reports/1067912, A Visit from The Grinch ~ 'Twas the night before Hackmas..., resolved
1067967, https://hackerone.com/reports/1067967, Blocked user can see live video, resolved
1068153, https://hackerone.com/reports/1068153, Cross-site leak allows attacker to de-anonymize members of his team from another origin, resolved
1068412, https://hackerone.com/reports/1068412, Dom XSS  Rootkit on [https://www.glassdoor.com/], informative
1068433, https://hackerone.com/reports/1068433, 12 Days of CTF Walkthroughs, resolved
1068434, https://hackerone.com/reports/1068434, HackyHolidays 2020 Full Write-up: Information Disclosure of 12 Flags, resolved
1068880, https://hackerone.com/reports/1068880, Writeup Submission, resolved
1068881, https://hackerone.com/reports/1068881, HackyHolidays H1 CTF Writeup, resolved
1069034, https://hackerone.com/reports/1069034, Grinchs website takendown with various other exploits, resolved
1069039, https://hackerone.com/reports/1069039, GPS metadata preserved when converting HEIF to PNG, resolved
1069045, https://hackerone.com/reports/1069045, [web.icq.com] Stored XSS in Account Name, resolved
1069080, https://hackerone.com/reports/1069080, hackyholidays CTF Writeup, resolved
1069105, https://hackerone.com/reports/1069105, 2x Remote file inclusion within your VMware Instances, resolved
1069141, https://hackerone.com/reports/1069141, Infiltrating into Grinch-Networks and saving Christmas!, resolved
1069171, https://hackerone.com/reports/1069171, [H1 hackyholidays] CTF Writeup, resolved
1069175, https://hackerone.com/reports/1069175, h1-ctf : 12 days of hack holiday writeup, resolved
1069189, https://hackerone.com/reports/1069189, Grinch-Networks taken down - hacky holidays CTF , resolved
1069263, https://hackerone.com/reports/1069263, First CTF ever!, resolved
1069335, https://hackerone.com/reports/1069335, How The Hackers Saved Christmas, resolved
1069376, https://hackerone.com/reports/1069376, [hackyholidays] CTF write-up, resolved
1069388, https://hackerone.com/reports/1069388, It's just a man on a mission, resolved
1069392, https://hackerone.com/reports/1069392, Old Session Does Not Expires After Password Change, resolved
1069396, https://hackerone.com/reports/1069396, Hackyholidays [ h1-ctf] writeup [mission:- stop the grinch ], resolved
1069467, https://hackerone.com/reports/1069467, H1 Hackyholidays CTF - The Grinch was defeated, resolved
1069487, https://hackerone.com/reports/1069487, DNS rebinding in --inspect (insufficient fix of CVE-2018-7160), resolved
1069527, https://hackerone.com/reports/1069527, Reflected XSS on mtnhottseat.mtn.com.gh, resolved
1069528, https://hackerone.com/reports/1069528, Reflected XSS on gamesclub.mtn.com.g, resolved
1069561, https://hackerone.com/reports/1069561, SQL Injection  intensedebate.com, resolved
1070081, https://hackerone.com/reports/1070081, information disclosure lead to disclose users private notes, resolved
1070247, https://hackerone.com/reports/1070247, Git flag injection leads to arbitrary file write, resolved
1070259, https://hackerone.com/reports/1070259, Stored XSS в выборе метки на странице списка заказов., resolved
1070344, https://hackerone.com/reports/1070344, ArcGIS Rest Service linked to unsecured survey data, resolved
1070510, https://hackerone.com/reports/1070510, Manipulating response leads to free access to Streamlabs Prime , resolved
1070533, https://hackerone.com/reports/1070533, Acronis True Image 2021 (windows) does not validate server hostname on a login TLS connection, resolved
1070835, https://hackerone.com/reports/1070835, CS:GO Server -> Client RCE through OOB access in CSVCMsg_SplitScreen + Info leak in HTTP download, resolved
1070859, https://hackerone.com/reports/1070859, Stored XSS on oslo.io in notifications via project name change, resolved
1070889, https://hackerone.com/reports/1070889, [Bypass #870709] Unauthorised access to pagespeed global admin at https://webtools.paloalto.com/, resolved
1071294, https://hackerone.com/reports/1071294, Eval-based XSS in Game JS API (mailru.core.js) via cross-origin postMessage(), resolved
1071524, https://hackerone.com/reports/1071524, Reflected XSS on https://█████████html?url, resolved
1071660, https://hackerone.com/reports/1071660, No rate limit into email change leads to email notification boombing to its victim., resolved
1071832, https://hackerone.com/reports/1071832, Local privilege escalation via insecure MSI file, resolved
1071918, https://hackerone.com/reports/1071918, Moderator shared access allows access to support.streamlabs.com, resolved
1072210, https://hackerone.com/reports/1072210, Access page must be reloaded to perform multiple requests, informative
1072277, https://hackerone.com/reports/1072277, Host Header injection in oslo.io (using X-Forwarded-For header) leading to email spoofing, resolved
1072616, https://hackerone.com/reports/1072616, Stored XSS through name / last name on https://██████████/, resolved
1072635, https://hackerone.com/reports/1072635, Owner can change themself for another Role Mode but application doesnot have this function., resolved
1072857, https://hackerone.com/reports/1072857, [titans.3clans.ru] phpBB 3.0.8 - Захват аккаунта администратора + удалённое выполнение кода., resolved
1072893, https://hackerone.com/reports/1072893, Sensitive information disclosure to shared access user via streamlabs platform api, resolved
1073114, https://hackerone.com/reports/1073114, 2 Subdomains Takeover at readfu.com, resolved
1073202, https://hackerone.com/reports/1073202, Canonical Snapcraft vulnerable to remote code execution under certain conditions, resolved
1073363, https://hackerone.com/reports/1073363, Index Out Of Bounds in protobuf unmarshalling, resolved
1073420, https://hackerone.com/reports/1073420, IDOR at https://fast.trychameleon.com/observe/v2/profiles/ via uid parameter discloses users' PII data, resolved
1073485, https://hackerone.com/reports/1073485, [Biz] [Mailer] Кроп любых* изображений расположенных на сервере, resolved
1073514, https://hackerone.com/reports/1073514, XSS on kubernetes-csi.github.io (mdBook), informative
1073551, https://hackerone.com/reports/1073551, kds.ucs.ru - раскрытие информации., resolved
1073565, https://hackerone.com/reports/1073565, Open Redirect on https://www.twitterflightschool.com/widgets/experience?destination_url=https://evil.com, resolved
1073571, https://hackerone.com/reports/1073571, XSS в обработчике ссылок, resolved
1073726, https://hackerone.com/reports/1073726, Stored XSS in [https://dashboard.doppler.com/workplace/*/logs] pages, resolved
1073734, https://hackerone.com/reports/1073734, User Access Control in Community Plan, resolved
1073925, https://hackerone.com/reports/1073925, Stored XSS on store.my.games, resolved
1074047, https://hackerone.com/reports/1074047, Misconfigured oauth leads to Pre account takeover , resolved
1074136, https://hackerone.com/reports/1074136, Bypassed a fix to gain access to PII of more than 100 Officers, resolved
1074196, https://hackerone.com/reports/1074196, Bypass Email Verification., resolved
1074613, https://hackerone.com/reports/1074613, com.duckduckgo.mobile.android - Cache corruption, resolved
1074869, https://hackerone.com/reports/1074869, Social Oauth Disconnect CSRF at znakcup.ru, resolved
1074930, https://hackerone.com/reports/1074930, Keybase /AppData/Local/Keybase/uploadtemps folder stores pasted photos, resolved
1074996, https://hackerone.com/reports/1074996,  unauthorized Access To Elastic DB , resolved
1075540, https://hackerone.com/reports/1075540, Limited access to billing dashboard by Admin and Collaborator in conflict with user role permissions., informative
1075827, https://hackerone.com/reports/1075827, Lack of rate limitation on careers site allows the attacker to brute force the verification code, resolved
1077022, https://hackerone.com/reports/1077022, Brave Browser Tor Window leaks user's real IP to the external DNS server, resolved
1077136, https://hackerone.com/reports/1077136, Denial of Service via Hyperlinks in Posts, resolved
1077520, https://hackerone.com/reports/1077520, Parental Pin Bypass, resolved
1078002, https://hackerone.com/reports/1078002, Nextcloud Desktop Client RCE via malicious URI schemes, resolved
1078081, https://hackerone.com/reports/1078081, https://secure.showmax.com/profile/payments, informative
1078432, https://hackerone.com/reports/1078432, todo.mail.ru open .git, resolved
1078479, https://hackerone.com/reports/1078479, Full Account Takeover In ****.ru, resolved
1079275, https://hackerone.com/reports/1079275, Full Account Takeover Student Account In https://********.ru/signin/main/student/email, resolved
1079447, https://hackerone.com/reports/1079447, [city-mobil.ru/taxiserv/] SQLi at /taxiserv/tariffs/dictionary at filter{"id_locality"} param, resolved
1079480, https://hackerone.com/reports/1079480, [city-mobil.ru/taxiserv/] SQLi at /taxiserv/requests path at driver_company param, resolved
1079561, https://hackerone.com/reports/1079561, Big Picture web browser leaks login cookies and discloses sensitive information (may lead to account takeover), resolved
1079630, https://hackerone.com/reports/1079630, licenses key disclosure, resolved
1079766, https://hackerone.com/reports/1079766, Theft of Arbitrary file , resolved
1080508, https://hackerone.com/reports/1080508, [int.ucs.ru] Атаки на внутреннюю сеть UCS через СУБД Clickhouse, resolved
1080839, https://hackerone.com/reports/1080839, Able to upload backgrounds before entering 2FA, informative
1080901, https://hackerone.com/reports/1080901, Misconfiguration of Merchant id in jwt header + Weird Debug mode enabling behavior leads to exposed OTP of mobile number., resolved
1081148, https://hackerone.com/reports/1081148, CSRF + XSS leads to ATO, resolved
1081211, https://hackerone.com/reports/1081211, [nextcloud.com] Control character allowed in Submit Question, resolved
1081367, https://hackerone.com/reports/1081367, crlf injection на https://bug.qiwi.com, resolved
1081406, https://hackerone.com/reports/1081406, Open redirect in ck.php and lg.php, resolved
1081766, https://hackerone.com/reports/1081766, Unrestricted Upload of File with Dangerous Type, resolved
1081817, https://hackerone.com/reports/1081817, mysql.initial.sql file is accessable for everyone, resolved
1081994, https://hackerone.com/reports/1081994, Stored XSS at https://www.█████████.mil, resolved
1082025, https://hackerone.com/reports/1082025, SPF Records, not-applicable
1082288, https://hackerone.com/reports/1082288, Disclosure of Merchant_id into the source code without entered OTP code leads to Victims MID takeover., resolved
1082521, https://hackerone.com/reports/1082521, Full Path Disclosure of Server through 500 Server Error, resolved
1082774, https://hackerone.com/reports/1082774, phpinfo() on graph.rockstargames.com exposes sensitive information, resolved
1082847, https://hackerone.com/reports/1082847, Config override using non-validated query parameter allows at least reflected XSS by injecting configuration into state, resolved
1082891, https://hackerone.com/reports/1082891, Duplicate Entry of email leads to 500 Server Error which disclosing the SQL Database table information, resolved
1082900, https://hackerone.com/reports/1082900, Over-Privileged API Credentials for Elastic Agent, resolved
1082991, https://hackerone.com/reports/1082991, Webview address bar spoofing in LINE client for iOS, resolved
1083231, https://hackerone.com/reports/1083231, Reflected XSS on /admin/userlog-index.php, resolved
1083376, https://hackerone.com/reports/1083376, Reflected XSS on /admin/stats.php, resolved
1083421, https://hackerone.com/reports/1083421, Blocked user can send notification by liking the message due to Logical Bug, resolved
1083531, https://hackerone.com/reports/1083531, Reset password policy isn't consistent with registration / change password policy., resolved
1083543, https://hackerone.com/reports/1083543, Debug Mode Leak Critical Information [ AWS Keys , SMTP , Database , Django Secret Key ( RCE )  , Dodoc , Telegram , Twilio .. ], resolved
1083923, https://hackerone.com/reports/1083923,  Sharing products with Mail allows phishing attacks due to misconfiguration., resolved
1084156, https://hackerone.com/reports/1084156, Cross Site Scripting (Reflected) on https://www.acronis.cz/, resolved
1084183, https://hackerone.com/reports/1084183, Stored XSS in profile page, resolved
1084342, https://hackerone.com/reports/1084342, Buffer overflow in PyCArg_repr in _ctypes/callproc.c for Python 3.x to 3.9.1, resolved
1085079, https://hackerone.com/reports/1085079, No Limit on Email Subscription, resolved
1085724, https://hackerone.com/reports/1085724, prometheus server monitoring System publicly accessible, resolved
1085743, https://hackerone.com/reports/1085743, No error thrown when IDOR attempted while editing address, resolved
1085782, https://hackerone.com/reports/1085782, █████████ IDOR leads to disclosure of PHI/PII, resolved
1085914, https://hackerone.com/reports/1085914, Stored XSS via `Create a Fetish` section., resolved
1086134, https://hackerone.com/reports/1086134, [https://geekbrains.ru/profile] - authenticity_token not tied to user session leads to CSRF attacks, resolved
1086259, https://hackerone.com/reports/1086259, Proxy-Authorization header carried to a new host on a redirect, not-applicable
1086453, https://hackerone.com/reports/1086453, restaurant.delivery-club.ru - возможность получить информацию об чужих акциях., resolved
1086752, https://hackerone.com/reports/1086752, CSRF in changing password after using reset password link, resolved
1086781, https://hackerone.com/reports/1086781, Change project visibility to a restricted option, resolved
1086850, https://hackerone.com/reports/1086850, xmlrpc.php FILE IS enabled it will used for Bruteforce attack and Denial of Service(DoS), resolved
1087061, https://hackerone.com/reports/1087061, Stored-XSS on wiki pages, resolved
1087188, https://hackerone.com/reports/1087188, Race Condition allows to get more free trials and get more than 100 languages and strings for free, resolved
1087189, https://hackerone.com/reports/1087189, Open Redirect on Login Page of Stocky App, resolved
1087382, https://hackerone.com/reports/1087382, Store Deletion or Sell without authentication, resolved
1087436, https://hackerone.com/reports/1087436, CSRF on TikTok Ads Portal, resolved
1087525, https://hackerone.com/reports/1087525, PI leakage By Brute Forcing and Phone number deleting without using password, duplicate
1088966, https://hackerone.com/reports/1088966, Ability to invite a new member on Sandbox Program, resolved
1088975, https://hackerone.com/reports/1088975, [int.ucs.ru] Доступ ко внутренней сети UCS через забытый прокси Fiddler на 217.25.235.214:7459, resolved
1089116, https://hackerone.com/reports/1089116, Hi! Security Team Rocket.Chat, It's possible to get information about the users emails without authentication, resolved
1089205, https://hackerone.com/reports/1089205, email verification bypass, resolved
1089467, https://hackerone.com/reports/1089467, Account Takeover via Email ID Change and Forgot Password Functionality, resolved
1089502, https://hackerone.com/reports/1089502, DNS Misconfiguration (Subdomain Takeover) ███.wavecell.com, resolved
1089914, https://hackerone.com/reports/1089914, Responsible Disclosure of Privacy Leakage Issue, informative
1089978, https://hackerone.com/reports/1089978, [h1-2102] [Yaworski's Broskis] Suspected overcharge and chargebacks in PoS, resolved
1090678, https://hackerone.com/reports/1090678, Command injection in OptionParser.load, not-applicable
1090838, https://hackerone.com/reports/1090838, CSRF in  https://███, resolved
1090982, https://hackerone.com/reports/1090982, Non-changing "_idnonce" value leads to CSRF on accounts at https://intensedebate.com for account takeover, informative
1091118, https://hackerone.com/reports/1091118, Blind XSS, resolved
1091165, https://hackerone.com/reports/1091165, RXSS - http://macademy.mtnonline.com, resolved
1091209, https://hackerone.com/reports/1091209, [h1-2102] Wholesale - CSRF to Generate Invitation Token for a Customer and Move Customer to Invited Status, resolved
1091296, https://hackerone.com/reports/1091296, CSRF в виджетах , resolved
1091380, https://hackerone.com/reports/1091380, [h1-2102] Partner's team member with no permission can retrieve services financial data, resolved
1091957, https://hackerone.com/reports/1091957, Very long names on demo.openmage.org could redirect victim users to malicious url redirects via email contacts., resolved
1092230, https://hackerone.com/reports/1092230, FogBugz import attachment full SSRF requiring vulnerability in *.fogbugz.com, resolved
1092574, https://hackerone.com/reports/1092574, PHP Code Injection through "previewBlock()" method, resolved
1092678, https://hackerone.com/reports/1092678, Self stored Xss + Login Csrf, resolved
1092849, https://hackerone.com/reports/1092849, CSRF in Demographic Settings with valid gdtoken of other account , not-applicable
1092859, https://hackerone.com/reports/1092859, KOPS documentation references domains which were not registered, resolved
1093667, https://hackerone.com/reports/1093667, Google  Maps API key stored as plain text leading to DOS and financial damage, resolved
1093908, https://hackerone.com/reports/1093908, IDOR leads to Leakage an ██████████ Login Information, resolved
1094063, https://hackerone.com/reports/1094063, Take over a mail account due missing validation of account id, resolved
1094151, https://hackerone.com/reports/1094151, Leaking Rockset API key on Github, resolved
1094276, https://hackerone.com/reports/1094276, Reflected XSS In https://███████, resolved
1094702, https://hackerone.com/reports/1094702, Theft of arbitrary files in LINE Lite client for Android, resolved
1095612, https://hackerone.com/reports/1095612, Node Validation Admission does not observe all oldObject fields, resolved
1095633, https://hackerone.com/reports/1095633, [VK Android] Access to app protected components leads to arbitrary code execution, resolved
1095765, https://hackerone.com/reports/1095765, Reflected XSS in https://██████████ via "████████" parameter, resolved
1095797, https://hackerone.com/reports/1095797, Cross site scripting  , resolved
1095830, https://hackerone.com/reports/1095830, CRXDE Lite/CRX is on ██████ exposed that leads to PII disclosure, resolved
1095934, https://hackerone.com/reports/1095934, Stored XSS via Angular Expression injection via Subject while starting conversation with other users., resolved
1096560, https://hackerone.com/reports/1096560, Ability to add arbitrary images/descriptions/titles to ohter people's issues via IDOR on getrevue.co, resolved
1096609, https://hackerone.com/reports/1096609, https://themes.shopify.com::: Host header web cache poisoning lead to DoS, resolved
1096907, https://hackerone.com/reports/1096907, API Server DoS (crash?) if many large resources (~1MB each) are concurrently/repeatedly sent to an external Validating WebHook endpoint, informative
1097217, https://hackerone.com/reports/1097217, Reflected XSS on /admin/stats.php, resolved
1097979, https://hackerone.com/reports/1097979, Reflected XSS on /admin/campaign-zone-zones.php, resolved
1098793, https://hackerone.com/reports/1098793, Kroki Arbitrary File Read/Write , resolved
1098948, https://hackerone.com/reports/1098948, Host Header Injection, resolved
1099489, https://hackerone.com/reports/1099489, REST API Endpoint leads to Unauthorized user disclosed private [ issue ] details, resolved
1100096, https://hackerone.com/reports/1100096, SSRF & Blind XSS in Gravatar email , resolved
1101500, https://hackerone.com/reports/1101500, Stored XSS при удалении группы из беседы (m.vk.com), resolved
1101771, https://hackerone.com/reports/1101771, Open redirect on https://signin.rockstargames.com/connect/authorize/rsg, resolved
1101877, https://hackerone.com/reports/1101877, DNS Misconfiguration (Subdomain Takeover) ███████.8x8.com, resolved
1101882, https://hackerone.com/reports/1101882, CVE-2021-22876: Automatic referer leaks credentials, resolved
1101949, https://hackerone.com/reports/1101949, Reflected XSS https://tracker.my.com, resolved
1102018, https://hackerone.com/reports/1102018, Stored unauth XSS in calendar event via CSRF, resolved
1102064, https://hackerone.com/reports/1102064, kubectl creating secrets from stringData leaves secret in plain text, informative
1102067, https://hackerone.com/reports/1102067, Authenticated path traversal to RCE, resolved
1102283, https://hackerone.com/reports/1102283, CVE-2019-11248 on alertmanager.ev-cloud-platform.engelvoelkers.com, resolved
1102297, https://hackerone.com/reports/1102297, Grafana default username password authentication into the Grafana platform of the grafana.ev-cloud-platform.engelvoelkers.com, resolved
1102365, https://hackerone.com/reports/1102365, [dubmash] Lack of authorization checks - Update Sound Titles, resolved
1102591, https://hackerone.com/reports/1102591, Blind SQL iNJECTION , resolved
1102764, https://hackerone.com/reports/1102764, Lack of URL normalization renders Blocked-Previews feature ineffectual, resolved
1102780, https://hackerone.com/reports/1102780, bypassing dashboard without account + Information disclosure trough websockets , informative
1103033, https://hackerone.com/reports/1103033, Reflected XSS on https://█████, resolved
1103258, https://hackerone.com/reports/1103258, Stored DOM XSS via Mermaid chart, resolved
1103448, https://hackerone.com/reports/1103448, Organization Members in Snap Kit may Deactivate Apps, resolved
1103582, https://hackerone.com/reports/1103582, HackerOne Jira integration plugin Leaked JWT to unauthorized jira users, resolved
1104077, https://hackerone.com/reports/1104077, Round-trip instability in REXML, resolved
1104111, https://hackerone.com/reports/1104111, Remote Code Execution on contactws.contact-sys.com via SQL injection in TPrabhuObject.BeginOrder in parameter DOC_ID, resolved
1104120, https://hackerone.com/reports/1104120, Remote Code Execution on contactws.contact-sys.com via SQL injection in TAktifBankObject.GetOrder in parameter DOC_ID, resolved
1104693, https://hackerone.com/reports/1104693, [app-01.youdrive.club] RCE in CI/CD via dependency confusion, resolved
1105673, https://hackerone.com/reports/1105673, Origin IP found, Cloudflare bypassed, not-applicable
1106009, https://hackerone.com/reports/1106009, critical information disclosure, resolved
1106238, https://hackerone.com/reports/1106238, Stored XSS via Mermaid Prototype Pollution vulnerability, resolved
1106505, https://hackerone.com/reports/1106505, critical information disclosure, resolved
1107126, https://hackerone.com/reports/1107126, IDOR to delete test/poll/quiz on relap.io, resolved
1107282, https://hackerone.com/reports/1107282, Privilege Escalation via REST API to Administrator leads to RCE, resolved
1107536, https://hackerone.com/reports/1107536, Blind Based SQL Injection in 3d.sc.money, informative
1107726, https://hackerone.com/reports/1107726, Stored XSS on apps.shopify.com, resolved
1108125, https://hackerone.com/reports/1108125, DNS Misconfiguration (Subdomain Takeover) █.staging.█.8x8.com, resolved
1108418, https://hackerone.com/reports/1108418, SSRF allows reading AWS EC2 metadata using "readapi" variable in Streamlabs Cloudbot, resolved
1108420, https://hackerone.com/reports/1108420, HTML Injection on "polls" app - comments section (possibly XSS), resolved
1108662, https://hackerone.com/reports/1108662, The POS app doesn't revoke the Xauth token , resolved
1108874, https://hackerone.com/reports/1108874, Password Reset link hijacking via Host Header Poisoning leads to account takeover, resolved
1109311, https://hackerone.com/reports/1109311, SQL injection in  https://www.acronis.cz/ via the log parameter, resolved
1109544, https://hackerone.com/reports/1109544, Self XSS + CSRF Leads to Reflected XSS in https://████/ , resolved
1109620, https://hackerone.com/reports/1109620, Untrusted deserialization issue when loading newrelic.yml file in Java agent leads to code execution on host, resolved
1110243, https://hackerone.com/reports/1110243, Blind Stored XSS on ███████  leads to takeover admin account, resolved
1110927, https://hackerone.com/reports/1110927, Reflected XSS on https://deti.mail.ru, resolved
1112297, https://hackerone.com/reports/1112297, Reporters can upload design to issues using the "Move to" feature, resolved
1112342, https://hackerone.com/reports/1112342, Open Redirect и подмена ссылки в сниппете приложения VKMA, resolved
1112679, https://hackerone.com/reports/1112679, Dangling cloud instance at vpn.inverselink.com, resolved
1113025, https://hackerone.com/reports/1113025, Integer overflow in CipherUpdate, resolved
1113212, https://hackerone.com/reports/1113212, gifts.flocktory.com/phpmyadmin is vulnerable csrf, resolved
1113289, https://hackerone.com/reports/1113289, Guest users can create new test cases, resolved
1113559, https://hackerone.com/reports/1113559, Japan - CSRF in webapp.starbucks.co.jp with user interaction could leak an access token if the user was not using Chrome, resolved
1113663, https://hackerone.com/reports/1113663, Inadequate Cryptographic Key Size and Insecure Cryptographic Mode.  File Name :- curl_ntlm_core.c, not-applicable
1114347, https://hackerone.com/reports/1114347, Account takeover due to misconfiguration, resolved
1114617, https://hackerone.com/reports/1114617, Privilege Escalation leading to post in channel without having privilege, resolved
1115759, https://hackerone.com/reports/1115759, Отправляем смс на любой номер от имени vk.com.  (Сообщение в смс всегда одно и то же, его менять нельзя.), resolved
1115763, https://hackerone.com/reports/1115763, XSS в сюжетах., resolved
1115864, https://hackerone.com/reports/1115864, Persistant Arbitrary code execution in mattermost android, resolved
1116387, https://hackerone.com/reports/1116387, IDOR leads to leak analytics of any restaurant, resolved
1116545, https://hackerone.com/reports/1116545, 4 Subdomains Takeover on 2 domains ( muberscolombia.com &  ubereats.pl ), resolved
1117079, https://hackerone.com/reports/1117079, Broken Link Hijacking on Twitter link, resolved
1117768, https://hackerone.com/reports/1117768, Guest Users can create issues for Sentry errors and track their status, resolved
1118402, https://hackerone.com/reports/1118402, Failure to Invalid Session after Password Change, resolved
1118501, https://hackerone.com/reports/1118501, CSRF to Cross-site Scripting (XSS), resolved
1118521, https://hackerone.com/reports/1118521, CSRF to Cross-site Scripting (XSS), resolved
1118638, https://hackerone.com/reports/1118638, IDOR at training.smartpay.gsa.gov/reports/quizzes-taken-by-user, resolved
1118898, https://hackerone.com/reports/1118898, PHP info page disclosure, resolved
1119224, https://hackerone.com/reports/1119224, SSRF due to CVE-2021-26855 on ████████, resolved
1119228, https://hackerone.com/reports/1119228, CVE-2021-26855 on ████████ resulting in SSRF, resolved
1120982, https://hackerone.com/reports/1120982, HTTP Request Smuggling , resolved
1121132, https://hackerone.com/reports/1121132, Account Confirmation bypass leads to acess some fucntionality , informative
1121169, https://hackerone.com/reports/1121169, bypass parental pin succesfully, resolved
1121317, https://hackerone.com/reports/1121317, Unrestricted file upload vulnerability in IMCE, not-applicable
1121900, https://hackerone.com/reports/1121900, xss is triggered on your web, resolved
1121972, https://hackerone.com/reports/1121972, admin password disclosure via log file , resolved
1121980, https://hackerone.com/reports/1121980, Stored xss in calendar via call link, resolved
1121990, https://hackerone.com/reports/1121990, CSRF leads to account deactivation of users, resolved
1122177, https://hackerone.com/reports/1122177, Third party app could steal access token as well as protected files using inAppBrowser, resolved
1122408, https://hackerone.com/reports/1122408, CSRF on /api/graphql allows executing mutations through GET requests, resolved
1122419, https://hackerone.com/reports/1122419, Information Disclosure of Garbage Collection Cycle 'Again', resolved
1124540, https://hackerone.com/reports/1124540, Login CSRF : Login Authentication Flaw on  https://liberapay.com/, resolved
1125143, https://hackerone.com/reports/1125143, No DMARC record at cordacon.com, resolved
1125329, https://hackerone.com/reports/1125329, Unauth RCE on Jenkins Instance at https://█████████/, resolved
1125389, https://hackerone.com/reports/1125389, [Plazius] SSRF через некорректно сконфигурированный Fiddler 46.148.201.206:10121, resolved
1125425, https://hackerone.com/reports/1125425, RCE via unsafe inline Kramdown options when rendering certain Wiki pages, resolved
1126401, https://hackerone.com/reports/1126401, HTTPS not enforced at dex.sifchain.finance, not-applicable
1126433, https://hackerone.com/reports/1126433, Stored XSS at Module Name, resolved
1127455, https://hackerone.com/reports/1127455, Hackers can reveal the names of private programs that have an external link, informative
1128358, https://hackerone.com/reports/1128358, Used email confirmation link reveals the email address which is tied to it, resolved
1128701, https://hackerone.com/reports/1128701, Lack warning label when receiving a letter, resolved
1129529, https://hackerone.com/reports/1129529, CVE-2021-22890: TLS 1.3 session ticket proxy host mixup, resolved
1129649, https://hackerone.com/reports/1129649, Hackers can find out the ID of private programs, resolved
1129761, https://hackerone.com/reports/1129761, Open Redirect through POST Request in OAuth, resolved
1129816, https://hackerone.com/reports/1129816, Member still able close another user poll on communities topic, resolved
1129996, https://hackerone.com/reports/1129996, Create alias does not validate account id, resolved
1130235, https://hackerone.com/reports/1130235, Hackers can reveal the names of private programs that have an external link and Enterprise Product Edition, resolved
1130416, https://hackerone.com/reports/1130416, SHA512 incorrect on most/many releases, resolved
1130528, https://hackerone.com/reports/1130528, Подмена фотографий автомобиля [city-mobil.ru/taxiserv/], resolved
1130721, https://hackerone.com/reports/1130721, Pre-Auth Blind NoSQL Injection leading to Remote Code Execution, resolved
1130792, https://hackerone.com/reports/1130792, Null pointer dereference in lib-sieve after calling sieve_binary_block_index, informative
1130874, https://hackerone.com/reports/1130874, Post-Auth Blind NoSQL Injection in the users.list API leads to Remote Code Execution, resolved
1131306, https://hackerone.com/reports/1131306, User's who are banned from program can still be invited to the new reports as collaborators, resolved
1131473, https://hackerone.com/reports/1131473, CSRF allows to test email forwarding, resolved
1131753, https://hackerone.com/reports/1131753, Open Redirect at https://www.nutanix.com/tw/login via icid parameter, resolved
1131887, https://hackerone.com/reports/1131887, CSV injection in the credentials export, resolved
1132160, https://hackerone.com/reports/1132160, Path Traversal in dict-fs and no-check Escape Character in oauth2-jwt, resolved
1132171, https://hackerone.com/reports/1132171, Race condition allows to send multiple times feedback for the hacker, resolved
1132202, https://hackerone.com/reports/1132202, Post-Auth Stored XSS with User Interaction leads to Remote Code Execution, resolved
1132209, https://hackerone.com/reports/1132209, Open Redirect and CRLF Injection Leads to XSS on [app.doma.uchi.ru], resolved
1132378, https://hackerone.com/reports/1132378, Arbitrary file read during project import, resolved
1132457, https://hackerone.com/reports/1132457, Exposed PHP dependencies at ██.8x8.com, resolved
1132606, https://hackerone.com/reports/1132606, Attachment object in GraphQL continues to grant access to files, even if they are removed from rendering, resolved
1132690, https://hackerone.com/reports/1132690, Exposed Openapi Token, informative
1132803, https://hackerone.com/reports/1132803, Graphql introspection is enabled and leaks details about the schema, resolved
1133083, https://hackerone.com/reports/1133083, Blind SQL injection on [city-mobil.ru/taxiserv/] in filter{"id_locality"}, resolved
1133118, https://hackerone.com/reports/1133118, Hackerone is not properly deleting user id, resolved
1133536, https://hackerone.com/reports/1133536, Temporary banned user (from platform) is able to make submissions via embedded submission forms, resolved
1133661, https://hackerone.com/reports/1133661, TikTok Session Donation CSRF via QR code login, resolved
1133670, https://hackerone.com/reports/1133670,  ETHEREUM_PRIVATE_KEY leaked via Open Github Repository, informative
1133672, https://hackerone.com/reports/1133672, Development configurations file  with a sensitive data exposure could be leads to take down the social media accounts and the DB, resolved
1134060, https://hackerone.com/reports/1134060, credentials found in config file on github, resolved
1134687, https://hackerone.com/reports/1134687, Blind SQL in id_locality GET param on [city-mobil.ru/taxiserv], resolved
1137218, https://hackerone.com/reports/1137218, Access control issue on invoice documents downloading feature., resolved
1137321, https://hackerone.com/reports/1137321, Path Traversal - [ CVE-2020-3452 ], resolved
1137819, https://hackerone.com/reports/1137819, IDOR leads to See analytics of Loyalty Program in any restaurant., resolved
1138668, https://hackerone.com/reports/1138668, The possibility of disrupting the normal operation of frontend using markdown, resolved
1139340, https://hackerone.com/reports/1139340, Elmah.axd is publicly accessible leaking Error Log, resolved
1139520, https://hackerone.com/reports/1139520, Bypassing the External Link Warning, resolved
1139528, https://hackerone.com/reports/1139528, Editing Pentest Summary Report Answers After Submitting Them, resolved
1139535, https://hackerone.com/reports/1139535, Changing the 2FA secret key and backup codes without knowing the 2FA OTP, resolved
1139541, https://hackerone.com/reports/1139541, Enumerating HackerOne Pentests, informative
1141318, https://hackerone.com/reports/1141318, Cross-site Scripting (XSS) - Reflected, not-applicable
1141623, https://hackerone.com/reports/1141623, Unexpected input validation of octal literals in nodejs v15.12.0 and below returns defined values for all undefined octal literals., not-applicable
1142918, https://hackerone.com/reports/1142918, Leak arbitrary file under nextcloud android client privacy directory, resolved
1143776, https://hackerone.com/reports/1143776, XSS Reflected on https://███ (███ parameter), resolved
1143780, https://hackerone.com/reports/1143780, xss on https://███████(█████████ parameter), resolved
1143783, https://hackerone.com/reports/1143783, xss reflected on https://███████- (███ parameters), resolved
1145044, https://hackerone.com/reports/1145044, Holes in EndpointSlice Validation Enable Host Network Hijack, resolved
1145162, https://hackerone.com/reports/1145162, XSS  at https://exchangemarketplace.com/blogsearch, resolved
1145293, https://hackerone.com/reports/1145293, No rate Limit, resolved
1145428, https://hackerone.com/reports/1145428, Chain of vulnerabilities in Uber for Business Vouchers program allows for attacker to perform arbitrary charges to victim's U4B payment account, resolved
1145454, https://hackerone.com/reports/1145454, lib/net/ftp.rb: trusting PASV responses allow client abuse, resolved
1145563, https://hackerone.com/reports/1145563, Tab nabbing in Hackerone inbox., resolved
1145581, https://hackerone.com/reports/1145581, Private KEY of crypto wallet, duplicate
1146600, https://hackerone.com/reports/1146600, Administration Authentication Bypass on https://█████, resolved
1147060, https://hackerone.com/reports/1147060, Reflected XSS, resolved
1147449, https://hackerone.com/reports/1147449, xmlrpc.php And /wp-json/wp/v2/users FILE IS enable it will used for bruteforce attack and denial of service, informative
1147611, https://hackerone.com/reports/1147611, DoS due to improper input validation can break the admin access into the user data will disallow him from editing that user's data., resolved
1147949, https://hackerone.com/reports/1147949, CSRF Based XSS @ https://██████████, resolved
1147951, https://hackerone.com/reports/1147951, CVE-2019-3403 on https://████/rest/api/2/user/picker?query=, resolved
1148548, https://hackerone.com/reports/1148548, Bypass t.co link shortener in Twitter direct messages, resolved
1149144, https://hackerone.com/reports/1149144, Reflected XSS through clickjacking at https://████, resolved
1150573, https://hackerone.com/reports/1150573, ████████ portal is open to enumeration once authenticated.  Session ID's appear static.  All PII available once a valid session ID is found., resolved
1150799, https://hackerone.com/reports/1150799, XML Injection / External Service Interaction (HTTP/DNS) On https://█████████.mil, resolved
1152588, https://hackerone.com/reports/1152588, Social media link hijack of team member [Linkedin] at https://mackeeper.com/team/, resolved
1153817, https://hackerone.com/reports/1153817, Sensitive data exposure via https://███████/jira//secure/QueryComponent!Default.jspa - CVE-2020-14179, resolved
1153862, https://hackerone.com/reports/1153862, SSRF на https://qiwi.com с помощью "Prerender HAR Capturer", resolved
1154003, https://hackerone.com/reports/1154003, Ratelimiting can be bypassed using IPv6 subnets, resolved
1154378, https://hackerone.com/reports/1154378, Reflected XSS on https://██████, resolved
1154542, https://hackerone.com/reports/1154542, RCE when removing metadata with ExifTool, resolved
1156748, https://hackerone.com/reports/1156748, XXE in Enterprise Search's App Search web crawler, resolved
1157893, https://hackerone.com/reports/1157893, PHP-FPM status page disclosure, resolved
1158824, https://hackerone.com/reports/1158824, OS Command Injection in '/lib/un.rb -- Utilities to replace common UNIX commands in Makefiles etc', informative
1159255, https://hackerone.com/reports/1159255, DOM Based XSS on https://████ via backURL param, resolved
1159398, https://hackerone.com/reports/1159398, New link opening method makes hackerone vulnerable to tabnabbing, resolved
1160381, https://hackerone.com/reports/1160381, Захват домена ozoncorporate.ru, resolved
1161141, https://hackerone.com/reports/1161141, Improper data update process on UpdatePhabricatorIntegration mutation leads to leak of Phabricator Conduit API token., informative
1161691, https://hackerone.com/reports/1161691, OS Command Injection in 'rdoc' documentation generator, resolved
1165015, https://hackerone.com/reports/1165015, Disavowing an account doesn't disable it, informative
1165223, https://hackerone.com/reports/1165223, Missing captcha and rate limit protection in help form , resolved
1165225, https://hackerone.com/reports/1165225, [dubsmash] Username and password bruteforce, resolved
1165285, https://hackerone.com/reports/1165285, No Rate limit on change password leads to account takeover, duplicate
1165540, https://hackerone.com/reports/1165540, Moodle XSS on  evolve.glovoapp.com, resolved
1165748, https://hackerone.com/reports/1165748, 'net/ftp': Uncontrolled Resource Consumption (Memory/CPU), informative
1165900, https://hackerone.com/reports/1165900, Kryptor/SECURITY.md missing HACKERONE program update., resolved
1165919, https://hackerone.com/reports/1165919, Content Spoofing, not-applicable
1166054, https://hackerone.com/reports/1166054, User enumeration through forget password, resolved
1166066, https://hackerone.com/reports/1166066, No Rate Limit On Reset Password, resolved
1166069, https://hackerone.com/reports/1166069, No Rate Limit On  Contact Us , resolved
1166076, https://hackerone.com/reports/1166076, old session  dose not   expire  after  password change , resolved
1166500, https://hackerone.com/reports/1166500, Zero click account Takeover due to Api misconfiguration 🏂🎩, resolved
1166535, https://hackerone.com/reports/1166535, Brew bootstrap process is insecure, informative
1166770, https://hackerone.com/reports/1166770, Content Spoofing/Text Injection at https://gateway-production.dubsmash.com, not-applicable
1166977, https://hackerone.com/reports/1166977, [la.mail.ru] - SSRF + кража cookie, resolved
1166996, https://hackerone.com/reports/1166996, Subdomain takeover on "info-edcrunch.skillfactory.ru" , resolved
1167029, https://hackerone.com/reports/1167029, Broken Authendication And Session Management, not-applicable
1167230, https://hackerone.com/reports/1167230, DOM XSS в learning.ozon.ru, resolved
1167453, https://hackerone.com/reports/1167453, Add new development stores without permission, resolved
1167530, https://hackerone.com/reports/1167530, RCE in 'Copy as Node Request' BApp via code injection, resolved
1167753, https://hackerone.com/reports/1167753, Add new managed stores without permission, resolved
1167767, https://hackerone.com/reports/1167767, Unexpected federated shares added via public link, informative
1167773, https://hackerone.com/reports/1167773, Loading YAML in Java client can lead to command execution, resolved
1167817, https://hackerone.com/reports/1167817, Federated shares are not password protected, informative
1167853, https://hackerone.com/reports/1167853, Trusted servers exchange can be triggered by attacker, resolved
1167916, https://hackerone.com/reports/1167916, Default Nextcloud Server and Android Client leak sharee searches to Nextcloud, resolved
1167919, https://hackerone.com/reports/1167919, Default Nextcloud server config and iOS Nextcloud client leak sharee searches to Nextcloud, resolved
1167929, https://hackerone.com/reports/1167929, File drop public link can also be converted to federated share, resolved
1167958, https://hackerone.com/reports/1167958, Nextcloud deck sharee search leaks searches to lookupserver by default, resolved
1168104, https://hackerone.com/reports/1168104, Weak password policy leading to exposure of administrator account access, resolved
1168475, https://hackerone.com/reports/1168475, Non privileged user is able to approve his own app himself leading to mass privilege  escalations., resolved
1168528, https://hackerone.com/reports/1168528, Improper authorization on `/api/as/v1/credentials/` allows any App Search user to access all API keys and escalate privileges, resolved
1168765, https://hackerone.com/reports/1168765, RCE hazard in reporting (via Chromium), resolved
1168962, https://hackerone.com/reports/1168962, Reflected XSS on my.acronis.com, resolved
1169335, https://hackerone.com/reports/1169335, Password policy changes not enforced for existing passwords, informative
1169340, https://hackerone.com/reports/1169340, Improper Access Control on Lark Footer Feature, resolved
1170024, https://hackerone.com/reports/1170024, Attacker can obtain write access to any federated share/public link, resolved
1170522, https://hackerone.com/reports/1170522, Missing rate limit in current password change settings leads to Account takeover, duplicate
1171403, https://hackerone.com/reports/1171403, Reflected XSS through ClickJacking, resolved
1172205, https://hackerone.com/reports/1172205, Insufficient session expiration in the **com.shopify.ping** android app, resolved
1172857, https://hackerone.com/reports/1172857, CVE-2021-22897: schannel cipher selection surprise, resolved
1173219, https://hackerone.com/reports/1173219, HTML Injection In Email In one.newrelic.com, informative
1173411, https://hackerone.com/reports/1173411, Nextcloud update checks leaks information, informative
1173436, https://hackerone.com/reports/1173436, Default settings leak federated cloud id to lookup server of all users, resolved
1173593, https://hackerone.com/reports/1173593, Reflected XSS at www.███████ at /██████████ via the ████████ parameter, resolved
1173598, https://hackerone.com/reports/1173598, S3 bucket listing/download, resolved
1173670, https://hackerone.com/reports/1173670, Trusted server shared secret stored unencrypted in the database, informative
1173684, https://hackerone.com/reports/1173684, index.php/apps/files_sharing/shareinfo endpoint is not properly protected, resolved
1174185, https://hackerone.com/reports/1174185, Remote Code Execution via Insecure Deserialization in Telerik UI (CVE-2019-18935), resolved
1174527, https://hackerone.com/reports/1174527, Privilege Escalation Leads to Control The Owner Access Token Which leads to control the stream [streamlabs.com], resolved
1175081, https://hackerone.com/reports/1175081, Full account takeover of any user through reset password, duplicate
1175980, https://hackerone.com/reports/1175980, [Transportation Management Services Solution 2.0] Improper authorization at  tmss.gsa.gov leads to data exposure of all registered users, resolved
1176090, https://hackerone.com/reports/1176090, Email Spoofing bug, duplicate
1176104, https://hackerone.com/reports/1176104, Clickjacking misconfiguration bug, duplicate
1176174, https://hackerone.com/reports/1176174, Git Config, resolved
1176461, https://hackerone.com/reports/1176461, CVE-2021-22898: TELNET stack contents disclosure, resolved
1177287, https://hackerone.com/reports/1177287, Password reset token leak on third party website via Referer header, resolved
1177356, https://hackerone.com/reports/1177356, pam_ussh does not properly validate the SSH certificate authority, resolved
1177451, https://hackerone.com/reports/1177451, [mcs.mail.ru] Пользователь с ролью наблюдателя может создавать ключи доступа для очереди сообщений (sqs.mcs.mail.ru), resolved
1177588, https://hackerone.com/reports/1177588, [geekbrains.ru] Node modules path disclosure due to lack of error handling, resolved
1178239, https://hackerone.com/reports/1178239, session takeover via open protocol redirection on streamlabs.com, resolved
1178337, https://hackerone.com/reports/1178337, Improper handling of untypical characters in domain names, resolved
1178562, https://hackerone.com/reports/1178562, imap: StartTLS stripping attack (CVE-2016-0772)., resolved
1179193, https://hackerone.com/reports/1179193, Subdomain takeover of www2.growasyouplan.com, resolved
1179241, https://hackerone.com/reports/1179241, Private program disclosure of `██████████` through notifications, resolved
1180252, https://hackerone.com/reports/1180252, Buffer overrun in Steam SILK voice decoder, resolved
1180380, https://hackerone.com/reports/1180380, CVE-2021-22901: TLS session caching disaster, resolved
1180668, https://hackerone.com/reports/1180668, Vulnerability : Email Spoofing, duplicate
1180697, https://hackerone.com/reports/1180697, Subdomain takeover of v.zego.com, resolved
1181213, https://hackerone.com/reports/1181213, Private eth key found, duplicate
1181253, https://hackerone.com/reports/1181253, e-mail verification bypass through interception & modification of response status, resolved
1181762, https://hackerone.com/reports/1181762, Subdomain takeover of ███.wavecell.com, resolved
1181962, https://hackerone.com/reports/1181962, Session fixation on public talk links, resolved
1182016, https://hackerone.com/reports/1182016, Email verification bypassed during sing up (https://developers.mtn.com/profile), resolved
1182465, https://hackerone.com/reports/1182465, IDOR on www.acronis.com API lead to steal private business user information, resolved
1182824, https://hackerone.com/reports/1182824, Vulnerability Name: URL Redirection / Unvalidate Open Redirect, not-applicable
1182864, https://hackerone.com/reports/1182864, Subdomain takeover of fr1.vpn.zomans.com, resolved
1183263, https://hackerone.com/reports/1183263, Web Cache Poisoning on  █████ , resolved
1183269, https://hackerone.com/reports/1183269, ETHEREUM_PRIVATE_KEY leaked , not-applicable
1183296, https://hackerone.com/reports/1183296, Subdomain Takeover At the Main Domain Of Your Site , resolved
1183302, https://hackerone.com/reports/1183302, Default Nextcloud allows http federated shares, informative
1183502, https://hackerone.com/reports/1183502, Private RSA key for Vagrant exposed in GitHub repository, informative
1183520, https://hackerone.com/reports/1183520, RSA PRIVATE KEY discloser, duplicate
1183601, https://hackerone.com/reports/1183601, Cross-origin resource sharing misconfig | steal user information , resolved
1183809, https://hackerone.com/reports/1183809, mongodb credentials leaked in github, not-applicable
1184644, https://hackerone.com/reports/1184644, [www.███] Reflected Cross-Site Scripting, resolved
1185028, https://hackerone.com/reports/1185028, Several domains on kaspersky.com are vulnerable to Web Cache Deception attack, resolved
1185479, https://hackerone.com/reports/1185479, Previously created sessions continue being valid after MFA activation, informative
1185903, https://hackerone.com/reports/1185903, No Rate Limit in email leads to huge Mass mailings, not-applicable
1185949, https://hackerone.com/reports/1185949, Clickjacking Vulnerability in sifchain.finance, duplicate
1186701, https://hackerone.com/reports/1186701, DMARC and DNS Records not found on  mcuboot.com, resolved
1186740, https://hackerone.com/reports/1186740, Misconfiguration Certificate Authority Authorization Rule, informative
1186897, https://hackerone.com/reports/1186897, Open S3 Bucket | information leakage, not-applicable
1186926, https://hackerone.com/reports/1186926, Flaws In Social media Icon on error page which can lead to financial loss to a company., informative
1186985, https://hackerone.com/reports/1186985, Possibility of DoS attack at https://sifchain.finance// via CVE-2018-6389 exploitation, informative
1187001, https://hackerone.com/reports/1187001, No valid SPF record found, not-applicable
1187003, https://hackerone.com/reports/1187003, critical file found etc/passwd on www.reddit.com, not-applicable
1187018, https://hackerone.com/reports/1187018, wrong url in hackerone > goes to wix.com > unconnected, resolved
1187511, https://hackerone.com/reports/1187511, Email spoofing, duplicate
1187543, https://hackerone.com/reports/1187543, CORS misconfiguration, informative
1187816, https://hackerone.com/reports/1187816, Dependency Confusion Vulnerability in Sifnode Due to Unclaimed npm Packages., informative
1187820, https://hackerone.com/reports/1187820, Reflected XSS on /admin/stats.php, resolved
1188128, https://hackerone.com/reports/1188128, "urllib" will result to deny of service, resolved
1188188, https://hackerone.com/reports/1188188, A password in plain text in conf file, not-applicable
1188471, https://hackerone.com/reports/1188471, CORS (Cross-Origin Resource Sharing) origin validation failure -Any website can issue requests made with user credentials and read the responses to th, duplicate
1188629, https://hackerone.com/reports/1188629, Wrong Url in Main Page, resolved
1188633, https://hackerone.com/reports/1188633, Linux Desktop application "sifnoded" executable does not use Pie / no ASLR, informative
1188639, https://hackerone.com/reports/1188639, Vulnerable for clickjacking attack, duplicate
1188643, https://hackerone.com/reports/1188643, Vulnerable javascript dependency at Main domain, not-applicable
1188652, https://hackerone.com/reports/1188652, Design Issues at Main Domain, duplicate
1188662, https://hackerone.com/reports/1188662, Username disclosure at Main Domain, duplicate
1188684, https://hackerone.com/reports/1188684, CORS Misconfiguration Leads to Sensitive Exposure on  Sifchain main domain, duplicate
1188725, https://hackerone.com/reports/1188725, No Valid SPF Records at sifchain.finance, informative
1188938, https://hackerone.com/reports/1188938, Sifchain token leak , not-applicable
1188982, https://hackerone.com/reports/1188982, Found key_adress and key_password in GitHub history, informative
1188998, https://hackerone.com/reports/1188998,  Information disclosure on Sifchain, duplicate
1189162, https://hackerone.com/reports/1189162, End to end encryption public key is not properly verified on Desktop and Android, resolved
1189168, https://hackerone.com/reports/1189168, Android app does not clear end to end encryption keys, resolved
1189174, https://hackerone.com/reports/1189174, End to end encryption folder locking is not properly protected, resolved
1189282, https://hackerone.com/reports/1189282, Social media links not working, duplicate
1189363, https://hackerone.com/reports/1189363, Cross Origin Resource Sharing Misconfiguration | Lead to sensitive information., duplicate
1189367, https://hackerone.com/reports/1189367, Full read SSRF in www.evernote.com that can leak aws metadata and local file inclusion, resolved
1190705, https://hackerone.com/reports/1190705, CSRF in newsletter form, not-applicable
1191209, https://hackerone.com/reports/1191209, Email Spoofing on sifchain.finance, duplicate
1191534, https://hackerone.com/reports/1191534, internal path disclosure via error message, resolved
1192144, https://hackerone.com/reports/1192144, Add to your nextcloud endpoint is not properly protected, resolved
1192147, https://hackerone.com/reports/1192147, CORS (Cross-Origin Resource Sharing) origin validation failure, duplicate
1192159, https://hackerone.com/reports/1192159, public webdav endpoint not bruteforce protected, resolved
1192460, https://hackerone.com/reports/1192460, A deactivated user can access data through GraphQL, resolved
1192470, https://hackerone.com/reports/1192470, Clients do not verify server public key, resolved
1193062, https://hackerone.com/reports/1193062, Privilege escalation of "external user" (with maintainer privilege) to internal access  through project token, resolved
1193321, https://hackerone.com/reports/1193321, Scoped apptokens can be changed by that very apptoken, resolved
1194280, https://hackerone.com/reports/1194280, CORS Misconfiguration, duplicate
1194293, https://hackerone.com/reports/1194293, Wrong implementation of Telegram link on the main page for PC users, informative
1194301, https://hackerone.com/reports/1194301, Reflected XSS in https://www.topcoder.com/blog/category/community-stories/, resolved
1194598, https://hackerone.com/reports/1194598, No Valid SPF Records/don't have DMARC record, duplicate
1194606, https://hackerone.com/reports/1194606, Virtual Data Room / Hide download on collabora is easy to bypass, resolved
1195194, https://hackerone.com/reports/1195194, Wordpress Users Disclosure (/wp-json/wp/v2/users/) on sifchain.finance, duplicate
1195209, https://hackerone.com/reports/1195209, Clickjacking /framing on sensitive Subdomain , not-applicable
1195325, https://hackerone.com/reports/1195325, Default Admin Username and Password on █████ Server at █████████mil, resolved
1195340, https://hackerone.com/reports/1195340, User Account has been taken out, duplicate
1195423, https://hackerone.com/reports/1195423, Information Disclosure at one of your subdomain, not-applicable
1195429, https://hackerone.com/reports/1195429, No Rate Limit protection in user subscription form, duplicate
1195432, https://hackerone.com/reports/1195432, Found a url on source code which was disclosing different juicy informations like ip addresses and available endponts, not-applicable
1195512, https://hackerone.com/reports/1195512, Wrong Url in Main page of sifchain.finance, duplicate
1195568, https://hackerone.com/reports/1195568, Ransomware protection is missing extentions, resolved
1195593, https://hackerone.com/reports/1195593, Talk discloses turn server to anybody, informative
1195618, https://hackerone.com/reports/1195618, No Rate Limit On Forgot Password Page, resolved
1196049, https://hackerone.com/reports/1196049, Sifchain Privacy Policy Webpage Uses Wordpress Default Template. Does Not Display Correct Privacy Policy., not-applicable
1196253, https://hackerone.com/reports/1196253, Error Page Content Spoofing or Text Injection, not-applicable
1196917, https://hackerone.com/reports/1196917, Path Transversal inside saveContracts.js, not-applicable
1196945, https://hackerone.com/reports/1196945, Reflected XSS at [████████], resolved
1196958, https://hackerone.com/reports/1196958, Clipboard DOM-based XSS, resolved
1196976, https://hackerone.com/reports/1196976, IDOR while uploading ████ attachments at [█████████], resolved
1196989, https://hackerone.com/reports/1196989, [█████████] Reflected Cross-Site Scripting Vulnerability, resolved
1197013, https://hackerone.com/reports/1197013, Subdomain takeover of ████.jitsi.net, resolved
1197035, https://hackerone.com/reports/1197035, Information Disclosure on https://rpc.sifchain.finance/, duplicate
1197078, https://hackerone.com/reports/1197078, Session Token in URL, not-applicable
1197160, https://hackerone.com/reports/1197160, GitHub Integration doesn't sanitize repository URLs which might be attacker-controlled, resolved
1198203, https://hackerone.com/reports/1198203, Bootstrap library is vulnerable, not-applicable
1198434, https://hackerone.com/reports/1198434, Cache Posioning leading do Denial of Service on `www.█████████`, resolved
1198439, https://hackerone.com/reports/1198439, No Valid SPF Records/don't have DMARC record, resolved
1198517, https://hackerone.com/reports/1198517, Stored XSS in custom emoji, resolved
1198877, https://hackerone.com/reports/1198877, Wrong Implementation of Url in https://docs.sifchain.finance/, not-applicable
1199527, https://hackerone.com/reports/1199527, CORS Misconfiguration, could lead to disclosure of sensitive information, resolved
1199803, https://hackerone.com/reports/1199803, Possible Database Details stored in values.yaml, duplicate
1199904, https://hackerone.com/reports/1199904, clickjacking vulnerability, spam
1200700, https://hackerone.com/reports/1200700, User deletion is not handled properly everywhere, resolved
1200785, https://hackerone.com/reports/1200785, Ransomware protection is missing extentions take 2, resolved
1200810, https://hackerone.com/reports/1200810, Admin audit is not properly logging unsetting of expiration date, resolved
1200989, https://hackerone.com/reports/1200989, No admin audit entry for enabling/disabling 2FA, informative
1200992, https://hackerone.com/reports/1200992, No admin audit log for auth tokens, informative
1201134, https://hackerone.com/reports/1201134, [https://app.recordedfuture.com] - Reflected XSS via username parameter , resolved
1201396, https://hackerone.com/reports/1201396, Session Hijacking leads to full control of account by attacker, resolved
1202408, https://hackerone.com/reports/1202408, No Rate Limit on redditgifts gift  when Adding Comment, resolved
1202590, https://hackerone.com/reports/1202590, Webauthn tokens are not removed on user deletion, resolved
1203842, https://hackerone.com/reports/1203842, DNS Leaks when using any VPN Browser extension with Brave Shield enabled, resolved
1205604, https://hackerone.com/reports/1205604, account impersonate through broken link, resolved
1206020, https://hackerone.com/reports/1206020, rXSS on https://mackeeperapp.mackeeper.com/landings/download-blue/, resolved
1206117, https://hackerone.com/reports/1206117, Open redirect в карусели сообщения бота, resolved
1206138, https://hackerone.com/reports/1206138, Clickjacking, spam
1206777, https://hackerone.com/reports/1206777, 2 Bypass of  #1067533 rate limit via X-Forwarded-For<space>: Source IP on ( www.trycourier.app ), resolved
1206799, https://hackerone.com/reports/1206799, When uploading attachments, unencrypted file names are made available to the server, resolved
1207040, https://hackerone.com/reports/1207040, Blind XSS on Twitter's internal Big Data panel at █████████████, resolved
1208453, https://hackerone.com/reports/1208453, Account takeover through multistage CSRF at https://autochoice.fas.gsa.gov/AutoChoice/changeQAOktaAnswer and ../AutoChoice/changePwOktaAnswer, resolved
1209098, https://hackerone.com/reports/1209098,  XSS, not-applicable
1209681, https://hackerone.com/reports/1209681, OOB read in libuv, resolved
1210450, https://hackerone.com/reports/1210450, 1-byte heap buffer overflow in DNS resolver, resolved
1210458, https://hackerone.com/reports/1210458, Serverinfo endpoints are not bruteforce protected nor are tokens properly generated, resolved
1210502, https://hackerone.com/reports/1210502, [jitsi-meet] Authentication Bypass when using JWT w/ public keys, resolved
1210921, https://hackerone.com/reports/1210921, Reflected XSS at dailydeals.mtn.co.za, resolved
1211094, https://hackerone.com/reports/1211094, F5 BIG-IP Cookie  potentially reveal BigIP pool name, backend's IP address and port, routed domain., resolved
1211160, https://hackerone.com/reports/1211160, Node Installer Local Privilege Escalation , resolved
1211724, https://hackerone.com/reports/1211724, HTTP Request Smuggling via HTTP/2, resolved
1212067, https://hackerone.com/reports/1212067, Stored XSS in markdown via the DesignReferenceFilter , resolved
1212235, https://hackerone.com/reports/1212235, Reflected XSS on dailydeals.mtn.co.za, resolved
1212337, https://hackerone.com/reports/1212337, Bypass the fix of report #1078283 due to poor validation, resolved
1212374, https://hackerone.com/reports/1212374, Oauth Misconfiguration Lead To Account Takeover, duplicate
1212595, https://hackerone.com/reports/1212595, 	 Clickjacking at sifchain.finance, spam
1212746, https://hackerone.com/reports/1212746, Path traversal on [███], resolved
1212853, https://hackerone.com/reports/1212853, Broken link hijacing in https://kubernetes-csi.github.io/docs/drivers.html, resolved
1213175, https://hackerone.com/reports/1213175, CVE-2021-22922: Wrong content via metalink not discarded, resolved
1213181, https://hackerone.com/reports/1213181, CVE-2021-22923: Metalink download sends credentials, resolved
1213237, https://hackerone.com/reports/1213237, Deleting all DMs on RedditGifts.com, resolved
1213580, https://hackerone.com/reports/1213580, Open Redirect, resolved
1213765, https://hackerone.com/reports/1213765, IDOR to pay less for coin purchases on oauth.reddit.com via /api/v2/gold/paypal/create_coin_purchase_order in `order_id` parameter , resolved
1214158, https://hackerone.com/reports/1214158, Ratelimits do not apply to OCS DataResponse, resolved
1214814, https://hackerone.com/reports/1214814, uchi.ru check_lessons Blind SQL Injection, resolved
1215053, https://hackerone.com/reports/1215053, Bypassing SOP with XSS on account.my.games leading to steal CSRF token and user information, resolved
1215179, https://hackerone.com/reports/1215179,  add class vulnerable Stored XSS, resolved
1215251, https://hackerone.com/reports/1215251, Bypass of privacy filter / tracking pixel blocker, resolved
1215263, https://hackerone.com/reports/1215263, Download of file with arbitrary extension via injection into attachment header, resolved
1215919, https://hackerone.com/reports/1215919, ccc.h1ctf.com CTF, resolved
1216408, https://hackerone.com/reports/1216408, H1-CTF 100k Solution - Congratz on the 100k Rep todayisnew, resolved
1216591, https://hackerone.com/reports/1216591, 100K CTF's Writeup, resolved
1217114, https://hackerone.com/reports/1217114, CCC H1 June 2021 CTF Writeup, resolved
1217702, https://hackerone.com/reports/1217702, Adam and the  Deadly  Injections, resolved
1218173, https://hackerone.com/reports/1218173, Cross-site Scripting (XSS) possible  at https://sifchain.finance// via CVE-2019-8331 exploitation, duplicate
1218680, https://hackerone.com/reports/1218680, Improper authorization on `/api/as/v1/credentials/` for  Dev Role User with Limited Engine Access, resolved
1218708, https://hackerone.com/reports/1218708, HackerOne’s 100K CTF Writeup, resolved
1218784, https://hackerone.com/reports/1218784, information disclosure, not-applicable
1219011, https://hackerone.com/reports/1219011, Report Bulk endpoint "agree-on-going-public" action may reveal Report disclosure state for invite-only programs, resolved
1219038, https://hackerone.com/reports/1219038, Cache Poisoning DoS on updates.rockstargames.com, resolved
1219681, https://hackerone.com/reports/1219681, Unauthorized Access  To Admin panel, resolved
1220747, https://hackerone.com/reports/1220747, HackerOne making payments in USDC (Coinbase stable coin), resolved
1223565, https://hackerone.com/reports/1223565, CVE-2021-22924: Bad connection reuse due to flawed path name checks, resolved
1223577, https://hackerone.com/reports/1223577, XSS Reflected - ██████████, resolved
1223882, https://hackerone.com/reports/1223882, CVE-2021-22925: TELNET stack contents disclosure again, resolved
1224008, https://hackerone.com/reports/1224008, Account Takeover through registration to the same email address, resolved
1225158, https://hackerone.com/reports/1225158, ADB Backup is enabled within AndroidManifest, resolved
1225299, https://hackerone.com/reports/1225299, Broken Link on  Ping Identity's Vulnerability Submission Form on Hackerone, resolved
1226891, https://hackerone.com/reports/1226891, Domain Takeover of Reddit.ru via DNS Hijacking, resolved
1234406, https://hackerone.com/reports/1234406, Exfiltrating a victim's exact location (to within 5m), resolved
1234531, https://hackerone.com/reports/1234531, private keys exposed on the GitHub repository, informative
1234746, https://hackerone.com/reports/1234746, Private program disclosure through notifications, resolved
1234760, https://hackerone.com/reports/1234760, CVE-2021-22926: CURLOPT_SSLCERT mixup with Secure Transport, resolved
1235008, https://hackerone.com/reports/1235008, Social Club Account Takeover Via RGL And Steam/Epic Linked Account, resolved
1237428, https://hackerone.com/reports/1237428, [dubsmash] Long String in 'shoutout' Parameter Leading Internal server Error on Popular hastags , Community and User Profile, resolved
1237700, https://hackerone.com/reports/1237700, Improper input validation in projects leads to fully deny access to project resources, resolved
1238099, https://hackerone.com/reports/1238099, HTTP Request Smuggling due to ignoring chunk extensions, resolved
1238470, https://hackerone.com/reports/1238470, Fragmentation and Aggregation Flaws in Wi-Fi, resolved
1238684, https://hackerone.com/reports/1238684, Open URL Redirection, resolved
1238709, https://hackerone.com/reports/1238709, HTTP Request Smuggling due to accepting space before colon, resolved
1238749, https://hackerone.com/reports/1238749, No rate Limit on Add new Translation Project , resolved
1239334, https://hackerone.com/reports/1239334, Broken Link on Urban Company's Vulnerability Submission Form, resolved
1239633, https://hackerone.com/reports/1239633, information discloure via logs files at ==> https://ihelp.mtnbusiness.com/logfiles/Log_21-06-2021.txt, resolved
1241107, https://hackerone.com/reports/1241107, Stored XSS on top.mail.ru, resolved
1241116, https://hackerone.com/reports/1241116, hardcoded api secret & api key in com.reddit.frontpage, informative
1241460, https://hackerone.com/reports/1241460, ApiService#fetch serves content as text/html and inline Content-Disposition, resolved
1241483, https://hackerone.com/reports/1241483, Insufficient Session Expiration, not-applicable
1241637, https://hackerone.com/reports/1241637, informations disclosure(Email,Numbers,Agreements, admin Sessions and more ...) through a PostgreSQL  database belongs to (legium-back.corp.mail.ru), resolved
1241849, https://hackerone.com/reports/1241849, Information Disclosure .htaccess accesible for public, resolved
1242680, https://hackerone.com/reports/1242680, Report Duplicate Detector can match deleted and draft reports, may disclose title and vulnerability information, resolved
1243009, https://hackerone.com/reports/1243009, No Password Length Restriction leads to Denial of Service, duplicate
1243650, https://hackerone.com/reports/1243650, ███████ - XSS - CVE-2020-3580, resolved
1243782, https://hackerone.com/reports/1243782, CUI labled and ████ Restricted pdf on █████, resolved
1244053, https://hackerone.com/reports/1244053, Reflected XSS on https://help.glassdoor.com/GD_HC_EmbeddedChatVF, resolved
1244403, https://hackerone.com/reports/1244403, CUI labled and ████ and ██████  Restricted ██████ intelligence , resolved
1245048, https://hackerone.com/reports/1245048, XSS DUE TO CVE-2020-3580, resolved
1245051, https://hackerone.com/reports/1245051, Error Page Content Spoofing or Text Injection , resolved
1245055, https://hackerone.com/reports/1245055, XSS DUE TO CVE-2020-3580, resolved
1245094, https://hackerone.com/reports/1245094, Exposed data of credit card details to hacker or attacker., not-applicable
1245529, https://hackerone.com/reports/1245529, No Rate Limit On Forgot Password Page, not-applicable
1245787, https://hackerone.com/reports/1245787, [Swiftype] - Stored XSS via document field `url` triggers on `https://app.swiftype.com/engines/<engine>/document_types/<type>/documents/<id>`, resolved
1245972, https://hackerone.com/reports/1245972, clickjacking at  brew.sh, not-applicable
1246721, https://hackerone.com/reports/1246721, Text app leaks file path of shared files, resolved
1247910, https://hackerone.com/reports/1247910, Exposed Golang debugger on tier3.riot.mail.ru:9090, 9080, resolved
1248040, https://hackerone.com/reports/1248040,  Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464), resolved
1248585, https://hackerone.com/reports/1248585, HTML Injection in Email, resolved
1248852, https://hackerone.com/reports/1248852, Misuse of groups feature allows workspace members to join private channels without being invited, resolved
1249050, https://hackerone.com/reports/1249050, Information Disclosure on TikTok Unplugged Site, resolved
1249056, https://hackerone.com/reports/1249056, Brave Browser permanently timestamps & logs connection times for all v2 domains ~/.config/BraveSoftware/Brave-Browser/tor/data/tor.log, resolved
1249456, https://hackerone.com/reports/1249456, Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464), resolved
1249583, https://hackerone.com/reports/1249583, Authenticated kubernetes principal with restricted permissions can retrieve ingress-nginx serviceaccount token and secrets across all namespaces, resolved
1250037, https://hackerone.com/reports/1250037, Email change or personal data change on the account., resolved
1250199, https://hackerone.com/reports/1250199, Cross site scripting , resolved
1250474, https://hackerone.com/reports/1250474, Missing ownership check in 2FA for secondary client login, resolved
1250631, https://hackerone.com/reports/1250631, Verification Link not expiring leading to Account Takeover., not-applicable
1250730, https://hackerone.com/reports/1250730, CSS injection via link tag whitelisted-domain bypass - https://www.glassdoor.com, resolved
1252282, https://hackerone.com/reports/1252282, XSS on ███, resolved
1253124, https://hackerone.com/reports/1253124, XSS в выборе товара., resolved
1253926, https://hackerone.com/reports/1253926, Domain Takeover [3737signals.com], resolved
1255676, https://hackerone.com/reports/1255676, Blind XSS Stored and CORS misconfiguration в отчете "События" сервиса top.mail.ru, resolved
1255869, https://hackerone.com/reports/1255869, private keys exposed on the GitHub repository, duplicate
1256371, https://hackerone.com/reports/1256371, PII data Leakage through hackerone reports , resolved
1256389, https://hackerone.com/reports/1256389, Subdomain takeover of main domain of https://www.cyberlynx.lu/, resolved
1256496, https://hackerone.com/reports/1256496, HTML injection in email content during registration via FirstName/LastName parameter, resolved
1256777, https://hackerone.com/reports/1256777, Stored XSS in main page of a project caused by arbitrary script payload in group "Default initial branch name", resolved
1257091, https://hackerone.com/reports/1257091, Угон домена photo-test.gb.ru (возможно), resolved
1257100, https://hackerone.com/reports/1257100, CVE-2020-3452 - unauthenticated file read on anyconnect.routematch.com, resolved
1257428, https://hackerone.com/reports/1257428, Create free Shopify application credits., resolved
1260823, https://hackerone.com/reports/1260823, Reflected XSS - https://███, resolved
1261148, https://hackerone.com/reports/1261148, Stored-XSS in merge requests, informative
1262408, https://hackerone.com/reports/1262408, [allods.mail.ru] - WebCache Poisoning Host Header lead to Potential Stored XSS, resolved
1262757, https://hackerone.com/reports/1262757, SQL injection located in `███` in POST param `████████` , resolved
1262907, https://hackerone.com/reports/1262907, Apache Flink Dashboard exposure at https://streaming-sales-model-production.flink.shopifykloud.com, resolved
1264725, https://hackerone.com/reports/1264725, Information disclosure - Feedback is accessible on Public profile even after 'disallowed' at https://hackerone.com/settings/feedback, resolved
1264805, https://hackerone.com/reports/1264805, Reflected XSS on delivery.glovoapp.com, resolved
1265225, https://hackerone.com/reports/1265225, Multiple server ssh usernames leaked in your github repository, not-applicable
1265390, https://hackerone.com/reports/1265390, Reflected XSS on https://www.glassdoor.com/job-listing/spotlight, resolved
1266188, https://hackerone.com/reports/1266188, Critical || Unrestricted access to private Github repos and properties of Elastic through leaked token of Elastic employee, resolved
1266659, https://hackerone.com/reports/1266659, Subdomain Takeover on 1c-start.tochka.com pointing to unbouncepages, resolved
1266828, https://hackerone.com/reports/1266828, Staff who only have apps and channels permission can do a takeover account at the wholesale store (Bypass get invitation link), resolved
1267677, https://hackerone.com/reports/1267677, Improper Input Validation on https://oberlo-image-proxy.shopifycloud.com/, resolved
1268115, https://hackerone.com/reports/1268115, Просмотр аватарки замороженной страницы/частной группы., resolved
1269242, https://hackerone.com/reports/1269242, CVE-2021-22945: UAF and double-free in MQTT sending, resolved
1271276, https://hackerone.com/reports/1271276, [play.skillbox.ru] CRLF Injection, resolved
1271701, https://hackerone.com/reports/1271701, Vulnerability Report - sweet32 UPchieve, informative
1271710, https://hackerone.com/reports/1271710, Broken Authentication and Session Management lead to take over account, not-applicable
1271742, https://hackerone.com/reports/1271742, hackers.upchieve.org and argocd.upchieve.org is not preloaded., not-applicable
1271944, https://hackerone.com/reports/1271944, Shopify.com Web Cache Deception vulnerability leads to personal information and CSRF tokens leakage, resolved
1272095, https://hackerone.com/reports/1272095, System Error Reveals  SQL Information, resolved
1273292, https://hackerone.com/reports/1273292, Internal Gitlab Ticket Disclosure via External Slack Channels, resolved
1276373, https://hackerone.com/reports/1276373, Information disclosure -> 2fa bypass -> POST exploitation , resolved
1276384, https://hackerone.com/reports/1276384, Signature Verification /// golang.org/x/crypto/ssh, not-applicable
1276733, https://hackerone.com/reports/1276733, S3 bucket Upload on studio.redditinc.com (s3-r-w.ap-east-1.amazonaws.com), informative
1276992, https://hackerone.com/reports/1276992, Disclosure handle private program with external link, resolved
1277383, https://hackerone.com/reports/1277383, XSS due to CVE-2020-3580 [███.mil], resolved
1277389, https://hackerone.com/reports/1277389, XSS due to CVE-2020-3580 [███], resolved
1277392, https://hackerone.com/reports/1277392, XSS due to CVE-2020-3580 [██████], resolved
1277753, https://hackerone.com/reports/1277753, Read-only user can edit user segments., resolved
1278050, https://hackerone.com/reports/1278050, [CVE-2021-29156 on ForgeRock OpenAm] LDAP Injection in Webfinger Protocol!, resolved
1278072, https://hackerone.com/reports/1278072, Brute Force against VMware Horizon, resolved
1278254, https://hackerone.com/reports/1278254, Built-in TLS module unexpectedly treats "rejectUnauthorized: undefined" as "rejectUnauthorized: false", disabling all certificate validation, resolved
1278477, https://hackerone.com/reports/1278477, Reflected XSS at https://dev.payments.zynga.com/get_payments_params.php via snId and snUid parameters, resolved
1278481, https://hackerone.com/reports/1278481, Reflected XSS at https://dev.payments.zynga.com/get_zugid.php  via snId and snUid parameters, resolved
1278881, https://hackerone.com/reports/1278881, See drafts and post articles if the account owner hasn't set password (livedoor CMS plugin), resolved
1278891, https://hackerone.com/reports/1278891, [CVE-2021-29156] LDAP Injection at https://██████, resolved
1278928, https://hackerone.com/reports/1278928, blind sql on  [ https://argocd.upchieve.org/login?return_url=id= ], not-applicable
1279322, https://hackerone.com/reports/1279322, Ability to add address without being an admin or staff in the store via wholesale store, resolved
1280002, https://hackerone.com/reports/1280002, Stored XSS via Mermaid Prototype Pollution vulnerability, resolved
1280167, https://hackerone.com/reports/1280167, DNS Misconfiguration (Subdomain Takeover)  - █████████.8x8.com, resolved
1280188, https://hackerone.com/reports/1280188, https://██████/ Vulnerable to CVE-2013-3827 (Directory-traversal vulnerability), resolved
1283200, https://hackerone.com/reports/1283200, url redirection, not-applicable
1283484, https://hackerone.com/reports/1283484, ReDoS in syntax highlighting due to Rouge, resolved
1283605, https://hackerone.com/reports/1283605, ETHEREUM_PRIVATE_KEY leaked via github, not-applicable
1283871, https://hackerone.com/reports/1283871, Bypass of the installation sandbox by injecting keystrokes with TIOCSTI, resolved
1283938, https://hackerone.com/reports/1283938, Missing authentication in buddy group API of LINE TIMELINE, resolved
1285115, https://hackerone.com/reports/1285115, Leaked H1's Employees Email addresses,meeting info on private bug bounty program ████████, resolved
1285598, https://hackerone.com/reports/1285598, s3 bucket takeover presented in https://github.com/reddit/rpan-studio/blob/e1782332c75ecb2f774343258ff509788feab7ce/CI/full-build-macos.sh, resolved
1287686, https://hackerone.com/reports/1287686, [ii.worki.ru ] emarsys  subdomain takeover, resolved
1288898, https://hackerone.com/reports/1288898, Password reset link not expiring after changing password in settings, resolved
1289029, https://hackerone.com/reports/1289029, [185.30.178.57:8080] - Vulnerable to Jetleak, resolved
1290170, https://hackerone.com/reports/1290170, Access to images and videos in drafts on LINE BLOG, resolved
1290872, https://hackerone.com/reports/1290872, Economic Harm through Twitter's Cropping Algorithm, resolved
1294043, https://hackerone.com/reports/1294043, SSH server due to Improper Signature Verification, not-applicable
1294062, https://hackerone.com/reports/1294062, Underrepresentation Bias through Twitter's Cropping Algorithm, resolved
1294231, https://hackerone.com/reports/1294231, Login session not expire, resolved
1294242, https://hackerone.com/reports/1294242, Underrepresentation Bias through Twitter's Cropping Algorithm #2: Favoring Animals over Black People, resolved
1294492, https://hackerone.com/reports/1294492, DNS Miconfiguration Leads to Subdomain Takeover  - max1.liveplan.com, resolved
1294767, https://hackerone.com/reports/1294767, clickjacking on deleting user's clips [https://crossclip.com/clips], resolved
1295187, https://hackerone.com/reports/1295187, Failed to validate Session after Password Change, duplicate
1312365, https://hackerone.com/reports/1312365, Subdomain takeover due to non registered TLD [ ██████████.█████.██████.com ], resolved
1312641, https://hackerone.com/reports/1312641, Deserialization of untrusted data at https://www.redtube.com/media/hls?s=data, resolved
1313040, https://hackerone.com/reports/1313040, Path Traversal on meetcqpub1.gsa.gov allows attackers to see arbitrary file listings., resolved
1314162, https://hackerone.com/reports/1314162, Improper authorization allows disclosing users' notification data in Notification channel server, resolved
1316412, https://hackerone.com/reports/1316412, Information Exposure Through Directory Listing, not-applicable
1316650, https://hackerone.com/reports/1316650, unclaimed s3 bucket takeover in the 3 js file located on the github page of  brave software, informative
1317236, https://hackerone.com/reports/1317236, Unauthorized Kubernetes to RCE (root) and found TEAMTNT Crypto Miner on it, resolved
1318395, https://hackerone.com/reports/1318395, Cross-site Scripting (XSS) - Stored, resolved
1319892, https://hackerone.com/reports/1319892, Possible to invite any team member without being logged in. [ Session Management Issue ], resolved
1320976, https://hackerone.com/reports/1320976, [3] Bypassing IP Based Rate Limit Blocking leads to rate limit bypass in Courier Login Panel, resolved
1321070, https://hackerone.com/reports/1321070, AEM forms XXE Vulnerability, resolved
1321407, https://hackerone.com/reports/1321407, Stored XSS in Document Title, resolved
1321830, https://hackerone.com/reports/1321830, Google Maps API Key Leakage, informative
1322104, https://hackerone.com/reports/1322104, XSS on tiktok.com, resolved
1322334, https://hackerone.com/reports/1322334, Ability to subscribe to inactive Post+ creators, resolved
1322732, https://hackerone.com/reports/1322732, Cache Posioning leading to denial of service at `█████████` - Bypass fix from report #1198434	, resolved
1323406, https://hackerone.com/reports/1323406, IDOR to view order information of users and personal information, resolved
1325649, https://hackerone.com/reports/1325649, com.reddit.frontpage vulernable to Task Hijacking (aka StrandHogg Attack), duplicate
1326264, https://hackerone.com/reports/1326264, Universal Cross-Site Scripting vulnerability, resolved
1327443, https://hackerone.com/reports/1327443, Origin IP Disclosure Vulnerability, informative
1327742, https://hackerone.com/reports/1327742, Steal any users `access_token` via open redirect in https://streamlabs.com/global/identity?popup=1&r=, resolved
1328278, https://hackerone.com/reports/1328278, User can pay using archived price by manipulating the request sent to `POST /v1/payment_pages/for_plink`, resolved
1329433, https://hackerone.com/reports/1329433, CVE-2020-11110: Grafana Unauthenticated Stored XSS -████.bizml.ru, resolved
1329434, https://hackerone.com/reports/1329434, Session Fixiation allow attacker to create new evil workspace without being logged in [ Insecure Session management  ], resolved
1329625, https://hackerone.com/reports/1329625, An reflected xss in search query, duplicate
1329792, https://hackerone.com/reports/1329792, AWS subdomain takeover of www.███████, resolved
1330455, https://hackerone.com/reports/1330455, DoD internal documents are leaked to the public, resolved
1331268, https://hackerone.com/reports/1331268, No Rate Limiting on /reset-password-request/ endpoint, not-applicable
1331281, https://hackerone.com/reports/1331281, Stored XSS on 1.4.0, resolved
1331361, https://hackerone.com/reports/1331361, Broken Link Hijacking on kubernetes.io Documentation, resolved
1332433, https://hackerone.com/reports/1332433, RCE on 17 different Docker containers on your network, resolved
1334111, https://hackerone.com/reports/1334111, CVE-2021-22946: Protocol downgrade required TLS bypassed, resolved
1334763, https://hackerone.com/reports/1334763, CVE-2021-22947: STARTTLS protocol injection via MITM, resolved
1336397, https://hackerone.com/reports/1336397, Information disclosure at '████████' --- CVE-2020-14179, resolved
1337351, https://hackerone.com/reports/1337351, BYPASSING COMMENTING ON RESTRICTED  AUDIENCE VIDEOS, resolved
1337425, https://hackerone.com/reports/1337425, No Rate Limit On Regenerate Password on Portswigger, informative
1338256, https://hackerone.com/reports/1338256, No server side check on terms of service page which leads to bypass, duplicate
1338457, https://hackerone.com/reports/1338457, Broken Link on TikTokUS.Info, resolved
1339356, https://hackerone.com/reports/1339356, Xss At Shopify Email App, resolved
1341133, https://hackerone.com/reports/1341133, Subdomain takeover [​████████], resolved
1341142, https://hackerone.com/reports/1341142, Domain does not Match SSL Certificate, resolved
1341957, https://hackerone.com/reports/1341957, Hash-Collision Denial-of-Service Vulnerability in Markdown Parser, resolved
1342422, https://hackerone.com/reports/1342422, Subdomain Takeover due to ████████ NS records at us-east4.37signals.com, resolved
1343086, https://hackerone.com/reports/1343086, [https://www.glassdoor.com] -  Web Cache Deception Leads to gdtoken Disclosure , resolved
1343280, https://hackerone.com/reports/1343280, Получаем название и аватарку (50x50) частной группы., resolved
1343492, https://hackerone.com/reports/1343492, HTML Injection on tiktoktutorials via firstName parameter, resolved
1343733, https://hackerone.com/reports/1343733, Broken link profile in the website leads to identity theft., resolved
1344951, https://hackerone.com/reports/1344951, Expired SSL Certificate allows credentials steal, resolved
1344982, https://hackerone.com/reports/1344982, Domain Takeover at 3hopify.media, resolved
1346618, https://hackerone.com/reports/1346618, Web Cache Poisoning leading to DoS, resolved
1347249, https://hackerone.com/reports/1347249, Information disclosure, not-applicable
1348504, https://hackerone.com/reports/1348504, Subdomain Takeover, resolved
1350095, https://hackerone.com/reports/1350095, Staff  can use BULK_OPERATIONS_FINISH webhook topic using Graphql without permissions all, resolved
1350401, https://hackerone.com/reports/1350401, Email Verification Bypass And Get access to user's private invitation., not-applicable
1350444, https://hackerone.com/reports/1350444, A bypass of adding remote files in concrete5 FIlemanager leads to remote code execution, resolved
1350755, https://hackerone.com/reports/1350755, Tokenless GUI Authentication, resolved
1350887, https://hackerone.com/reports/1350887, Reflected XSS in TikTok endpoints, resolved
1352461, https://hackerone.com/reports/1352461, Vulnerable Jira Instance, resolved
1353103, https://hackerone.com/reports/1353103, Drive-by arbitrary file deletion in the GDK via letter_opener_web gem, resolved
1353244, https://hackerone.com/reports/1353244, [samokat.ru] PHP modules path disclosure due to lack of error handling, resolved
1353603, https://hackerone.com/reports/1353603, Fix for CVE-2021-22151 (Kibana path traversal issue) can be bypassed on Windows, resolved
1354255, https://hackerone.com/reports/1354255, Open redirect in fastify-static via mishandled user's input when attempt to redirect, resolved
1354452, https://hackerone.com/reports/1354452, Выполнение API-методов при открытии сообщества/приложения, resolved
1355537, https://hackerone.com/reports/1355537, Script breaking tag (Forces website to render blank) (Informative), resolved
1355817, https://hackerone.com/reports/1355817, SQL Injection in IBM access control panel & Broken access in admin panel, resolved
1356845, https://hackerone.com/reports/1356845, CVE-2021-40870 on [52.204.160.31], resolved
1357013, https://hackerone.com/reports/1357013, ABLE TO TRICK THE VICTIM INTO USING A CRAFTED EMAIL ADDRESS FOR A PARTICULAR  SESSION AND THEN LATER TAKE BACK THE ACCOUNT , resolved
1358249, https://hackerone.com/reports/1358249, php info file and sql backup at vendor's subdomain, resolved
1358888, https://hackerone.com/reports/1358888, Full Path Disclosure in Wordpress Rest API Response, resolved
1360593, https://hackerone.com/reports/1360593, CVE-2021-40870 in [███], resolved
1361804, https://hackerone.com/reports/1361804, 1-click DOS in fastify-static via directly passing user's input to new URL() of NodeJS without try/catch, resolved
1363185, https://hackerone.com/reports/1363185, Attacker is able to join any tenant on larksuite and view personal files/chats., resolved
1363672, https://hackerone.com/reports/1363672, Bypass a fix for report #708013, resolved
1364022, https://hackerone.com/reports/1364022, Authentication Bypass & ApacheTomcat Misconfiguration in [██], resolved
1364851, https://hackerone.com/reports/1364851, WordPress Plugin Update Confusion at trafficfactory.com, resolved
1365738, https://hackerone.com/reports/1365738, critical server misconfiguration lead to access to any user sensitive data which include user email and password, resolved
1369288, https://hackerone.com/reports/1369288, Path Traversal CVE-2021-26086 CVE-2021-26085, duplicate
1369806, https://hackerone.com/reports/1369806, OPEN REDIRECT , resolved
1370240, https://hackerone.com/reports/1370240, Reflected xss в m.vk.com/chatjoin, resolved
1372797, https://hackerone.com/reports/1372797, two parameters are vulnerable to xss, duplicate
1372930, https://hackerone.com/reports/1372930, get_payments_params.php endpoint is vulnerable to xss attacks, duplicate
1373784, https://hackerone.com/reports/1373784, Able to steal private files by manipulating response using Compose Email function of Lark, resolved
1374512, https://hackerone.com/reports/1374512, The Host Authorization middleware in Action Pack is vulnerable to crafted X-Forwarded-Host values, resolved
1376672, https://hackerone.com/reports/1376672, Stored XSS in Email Templates via link, resolved
1376961, https://hackerone.com/reports/1376961, Cross-site Scripting (XSS) - Stored on ads.tiktok.com in Text  field, resolved
1379130, https://hackerone.com/reports/1379130, Remote Code Execution at https://169.38.86.185/ (edst.ibm.com), resolved
1379842, https://hackerone.com/reports/1379842, account takeover through password reset in url https://reklama.tochka.com/, resolved
1379910, https://hackerone.com/reports/1379910, Broken subdomain takeover of runpanther which was pointing towards herokuapp, resolved
1382448, https://hackerone.com/reports/1382448, %0A (New line) and limitness URL leads to DoS at all system [Main adress (https://www.acronis.com/)], resolved
1385844, https://hackerone.com/reports/1385844, Information disclosure on error message, informative
1386438, https://hackerone.com/reports/1386438, Reflected XSS in VPN Appliance, resolved
1386547, https://hackerone.com/reports/1386547, Disclosure of github access token in config file via nignx off-by-slash, resolved
1387320, https://hackerone.com/reports/1387320, Able to steal private files by manipulating response using Auto Reply function of Lark, resolved
1391549, https://hackerone.com/reports/1391549, Request line injection via HTTP/2 in Apache mod_proxy, resolved
1392511, https://hackerone.com/reports/1392511, HackerOne Staging uses Production data for testing, resolved
1392630, https://hackerone.com/reports/1392630, IDOR the ability to view support tickets of any user on seller platform, resolved
1394440, https://hackerone.com/reports/1394440, reflected xss on the path m.tiktok.com, resolved
1394910, https://hackerone.com/reports/1394910, Unauthenticated Access to Admin Panel Functions at https://██████████/████████, resolved
1394982, https://hackerone.com/reports/1394982, Unathorised access to admin endpoint on plus-website-staging5.shopifycloud.com, resolved
1395068, https://hackerone.com/reports/1395068, The response shows the nginx version, informative
1397564, https://hackerone.com/reports/1397564, Unauthenticated Access to Admin Panel Functions at https://███████/███, resolved
1397564, https://hackerone.com/reports/1397564, Unauthenticated Access to Admin Panel Functions at https://███████/███, resolved
1398270, https://hackerone.com/reports/1398270, [34.96.80.155] Server Logs Disclosure lead to Information Leakage, resolved
1398572, https://hackerone.com/reports/1398572, Broken Link Takeover from kubernetes.io docs, resolved
1398617, https://hackerone.com/reports/1398617, Broken Github Link Used in deployment docs of "github.com/kubernetes/kompose", resolved
1398662, https://hackerone.com/reports/1398662, Мисконфигурация Cisco Smart Install, resolved
1398706, https://hackerone.com/reports/1398706, Google storage bucket takeover which is used to load JS file in dashboard.html in "github.com/kubernetes/release" which can lead to XSS, resolved
1398905, https://hackerone.com/reports/1398905, chainning bugs to get full disclosure of Users addresses , resolved
1400405, https://hackerone.com/reports/1400405, Clickjacking ar https://hackers.upchieve.org/login, not-applicable
1401884, https://hackerone.com/reports/1401884,  Cross site scripting (XSS) in ASP.NET via ResolveUrl , resolved
1403176, https://hackerone.com/reports/1403176, IDOR vulnerability (Price manipulation), resolved
1403302, https://hackerone.com/reports/1403302, blog/wp-json/wp/v2/users FILE is enable it will used for bruteforce attack the admin panel at   blog/wp-login.php, resolved
1404986, https://hackerone.com/reports/1404986, CORS origin validation failure, resolved
1405673, https://hackerone.com/reports/1405673, Sidekiq dashboard exposed at notary.shopifycloud.com, resolved
1406335, https://hackerone.com/reports/1406335, Subdomain takeover of images.crossinstall.com, resolved
1406471, https://hackerone.com/reports/1406471, Authentication Bypass - Email Verification code bypass in account registration process., duplicate
1406598, https://hackerone.com/reports/1406598, Rxss on █████████ via logout?service=javascript:alert(1), resolved
1406712, https://hackerone.com/reports/1406712, Domain digital.nmla.metoffice.gov.uk is vulnerable  Reflected Cross-Site Scriptinng, duplicate
1409727, https://hackerone.com/reports/1409727, Full read SSRF via Lark Docs `import as docs` feature , resolved
1410459, https://hackerone.com/reports/1410459, Reflected XSS online-store-git.shopifycloud.com, resolved
1411363, https://hackerone.com/reports/1411363, No length on password, resolved
1415436, https://hackerone.com/reports/1415436, Deserialization of potentially malicious data to RCE, informative
1415820, https://hackerone.com/reports/1415820, Zero day path traversal vulnerability in Grafana 8.x allows unauthenticated arbitrary local file read, resolved
1416099, https://hackerone.com/reports/1416099, domain cgi.apnic.net is vulnerable to reflected xss vulnerability, duplicate
1416665, https://hackerone.com/reports/1416665, Recaptcha Secret key Leaked, informative
1417635, https://hackerone.com/reports/1417635, Default credentials lead to Spring Boot Admin dashboard access, resolved
1418101, https://hackerone.com/reports/1418101, Exposed kubernetes dashboard, resolved
1419150, https://hackerone.com/reports/1419150, Publicly accessible FTP files @ http://ftp.apnic.net, informative
1419205, https://hackerone.com/reports/1419205, disclosing clients' secret keys https://stage-uapi.tochka.com:2000/, resolved
1419213, https://hackerone.com/reports/1419213, Grafana LFI on https://grafana.mariadb.org, resolved
1421413, https://hackerone.com/reports/1421413, Error Page Content Spoofing or Text Injection, not-applicable
1421804, https://hackerone.com/reports/1421804, Direct Access To admin Dashboard, resolved
1422500, https://hackerone.com/reports/1422500, domain reference.metoffice.gov.uk is vulnerable to xss, triaged
1422641, https://hackerone.com/reports/1422641, Wrong settings in ADF Faces leads to information disclosure, resolved
1422896, https://hackerone.com/reports/1422896, parameter return in domain reference.metoffice.gov.uk is vulnerable to xss, triaged
1423496, https://hackerone.com/reports/1423496, ██████████ running a vulnerable log4j, resolved
1424291, https://hackerone.com/reports/1424291, Able to access private picture/video/writing when requesting for their JSON response, resolved
1425884, https://hackerone.com/reports/1425884, No rate limit on password reset leads to email enumeration at  gateway-production.dubsmash.com , duplicate
1427589, https://hackerone.com/reports/1427589, Log4j RCE on https://judge.me/reviews, resolved
1428690, https://hackerone.com/reports/1428690, Race Condition Vulnerability when creating profiles, informative
1429014, https://hackerone.com/reports/1429014, Log4Shell: RCE 0-day exploit on █████████, resolved
1429515, https://hackerone.com/reports/1429515, CORS enabled at https://api-verify.bankaletihad.com/actuator, informative
1430147, https://hackerone.com/reports/1430147, no rate limit at reset password function, informative
1430199, https://hackerone.com/reports/1430199, HTML injection in email content, triaged
1430405, https://hackerone.com/reports/1430405, Dependency repository hijacking aka Repo Jacking from GitHub repo rubygems/bundler-site & rubygems/bundler.github.io + bundler.io docs, informative
1431042, https://hackerone.com/reports/1431042, Prototype pollution via console.table properties, resolved
1431624, https://hackerone.com/reports/1431624, Log4j CVE-2021–44228, informative
1433125, https://hackerone.com/reports/1433125, Cross site scripting via file upload in subdomain ads.tiktok.com, resolved
1437942, https://hackerone.com/reports/1437942, DLL hijacking in Monero GUI for Windows 0.17.3.0 would allow an attacker to perform remote command execution, informative
1438393, https://hackerone.com/reports/1438393, ███ ████████ running a vulnerable log4j, resolved
1440161, https://hackerone.com/reports/1440161, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS), resolved
1441988, https://hackerone.com/reports/1441988, Stored XSS at https://linkpop.com, resolved
1448616, https://hackerone.com/reports/1448616, Dom Xss vulnerability, informative
1454552, https://hackerone.com/reports/1454552, hosted.weblate.org display of unfiltered results, informative
1457512, https://hackerone.com/reports/1457512, Path traversal via misconfigured NGINX alias at http://www.tms.pl, resolved