- Subdomain Takeover
- Open Redirect
- IDOR
- XXE
- SSTI
- SQL Injection
- XSS
- RCE
- Code Injection
- Command Injection
- SSRF
- CSRF
- CRLF
- LFI
- Race Condition
- HTTP Smuggling
- Local File Include
- Leaking Information
- Business Logic Errors
- More Bugs
- AWS subdomain Takeover at estore.razersynapse.com
- subdomain takeover at status0.stripo.email
- Bulgaria - Subdomain takeover of mail.starbucks.bg
- Subdomain takeover on mta1a1.spmail.uber.com
- Subdomain takeover of datacafe-cert.starbucks.com
- Subdomain takeover on usclsapipma.cv.ford.com
- Account takeover at https://try.discourse.org due to no CSRF protection in connecting Yahoo account
- subdomain Takeover at blog.exchangemarketplace.com
- Domain Takeover in [obviousengine.com], a Snapchat acquisition
- Subdomain takeover on svcgatewaydevus.starbucks.com and svcgatewayloadus.starbucks.com
- Subdomain takeover on wfmnarptpc.starbucks.com
- Subdomain Takeover at test.shipt.com
- svcardproxydevus.starbucks.com Subdomain takeover
- [engineering.udemy.com] - Subdomain Takeover (ghost.io)
- Subdomain takeover on svcgatewayus.starbucks.com
- Subdomain Takeover due to unclaimed domain pointing to AWS
- subdomain takeover at news-static.semrush.com
- Subdomain Takeover at creatorforum.roblox.com
- Account Takeover using Third party Auth CSRF
- [ux.shopify.com] Subdomain takeover
- Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com
- Subdomain takeover #4 at info.hacker.one
- Subdomain takeover #3 at info.hacker.one
- Subdomain takeover #2 at info.hacker.one
- Subdomain takeover at signup.uber.com
- Subdomain takeover on podcasts.slack-core.com
- Subdomain Takeover (moderator.ubnt.com)
- Subdomain takeover on rider.uber.com due to non-existent distribution on Cloudfront
- Subdomain takeover due to unclaimed Amazon S3 bucket on a2.bime.io
- Subdomain takeover in http://support.scan.me pointing to Zendesk (a Snapchat acquisition)
- URGENT - Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS
- Subdomain takeover of resources.hackerone.com
- Domain Takeover in [███████]
- Subdomain Takeover via Dangling NS records on Amazon Route 53 http://api.e2e-kops-aws-canary.test-cncf-aws.canary.k8s.io
- Open redirect
- Open Redirect on Greater Asia domains
- open redirect while login at https://apps.dev.jupiterone.io can leak access code.
- Open Redirect
- Open redirect open.rocket.chat/file-upload/ID/filename.svg
- Open Redirect after login at http://ecommerce.shopify.com
- [dev.twitter.com] XSS and Open Redirect
- Open redirect using theme install
- Open redirect
- open redirect in eb9f.pivcac.prod.login.gov
- [cs.money] Open Redirect Leads to Account Takeover
- Instant open redirect on Live preview WEB Ide opening
- IDOR allows access to payments data of any user
- IDOR in marketing calendar tool
- IDOR to view other user folder name
- Missing Access Control (IDOR) To Know LinkedAccounts
- IDOR allows extracting all registered emails
- IDOR on HackerOne Feedback Review
- [city-mobil.ru/taxiserv/] IDOR leads to driver account takeover
- Thailand - IDOR on www.starbuckscardth.in.th: A logged in user could view any Thailand Starbucks card balance if they knew that Starbucks card number
- IDOR on update user preferences
- IDOR on DELETE /comments/
- [https://city-mobil.ru/taxiserv] IDOR leads to information disclosure
- XXE through injection of a payload in the XMP metadata of a JPEG file
- XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx
- Partial bypass of #483774 with Blind XXE on https://duckduckgo.com
- XXE on ██████████ by bypassing WAF ████
- Blind XXE via Powerpoint files
- XXE on sms-be-vip.twitter.com in SXMP Processor
- Blind OOB XXE At "http://ubermovement.com/"
- H1514 Server Side Template Injection in Return Magic email templates?
- uber.com may RCE by Flask Jinja2 Template Injection
- Drupal 7 pre auth sql injection and remote code execution
- SQL Injection https://www.olx.co.id
- SQL injection in https://labs.data.gov/dashboard/datagov/csv_to_json via User-agent
- Blind SQL injection and making any profile comments from any users to disappear using "like" function (2 in 1 issues)
- SQL Injection on cookie parameter
- SQL Injection in Login Page: https://█████/█████████/login.php
- SQL injection at https://sea-web.gold.razer.com/ajax-get-status.php via txid parameter
- Open Redirection leads to redirect Users to malicious website
- Potential stored Cross-Site Scripting vulnerability in Support Backend
- Reflected XSS on www.hackerone.com and resources.hackerone.com
- HTML Injection and Possible XSS in main nordvpn.com domain
- Stored XSS | api.mapbox.com | IE 11 | Styles name
- Stored XSS in Shopify Chat
- Reflected XSS at https://pay.gold.razer.com escalated to account takeover
- Reflected Cross-site Scripting via Newsletter Form
- Reflected cross-site scripting on multiple Starbucks assets.
- IE only: stored Cross-Site Scripting (XSS) vulnerability through Program Asset identifier
- H1514 Stored XSS on Wholesale sales channel allows cross-organization data leakage
- XSS in "explore-keywords-dropdown" results.
- XSS was found by exploiting the URL markdown on http://store.steampowered.com
- Stored XSS in www.learnboost.com via ZIP codes.
- Stored XSS in *.myshopify.com
- Stored XSS templates -> 'call for action' feature
- [app.mixmax.com] Stored XSS on Adding new enhancement.
- Reflected XSS in Zomato Mobile - category parameter
- Dropbox Paper - Markdown XSS
- Stored XSS in comments on https://www.starbucks.co.uk/blog/*
- Stored XSS in e.mail.ru (payload affect multiple users)
- IE 11 Self-XSS on Jira Integration Preview Base Link
- Stored XSS via Discussion Title and Send as Email attribute in [marketplace.informatica.com]
- [nutty.ubnt.com] DOM Based XSS nuttyapp github-btn.html
- [XSS/pay.qiwi.com] Pay SubDomain Hard-Use XSS
- [IMP] - Blind XSS in the admin panel for reviewing comments
- XSS on username when registering a professional account
- Stored XSS in blog comments through Shopify API
- [careers.informatica.com] XSS on "isJTN"
- Stored XSS in Address Book (starbucks.com/account/profile)
- XSS in my.shopify.com in widget
- XSS in IE11 on portswigger.net via Flash
- Reflected XSS on blockchain.info
- Stored XSS in community.ubnt.com
- DOM based reflected XSS in rockstargames.com/newswire/tags through cross domain ajax request
- Stored XSS (Cross Site Scripting) In Slack App Name
- CSP bypass + XSS
- Stored XSS using SVG
- Reflected XSS on business-blog.zomato.com - Part I
- Stored self-XSS at m.uber.com
- Reflected Self-XSS in Slack
- Reflected XSS in cart at hardware.shopify.com
- Self-XSS in posts by formatting text as code
- Multiple DOMXSS on Amplify Web Player
- XSS in $shop$.myshopify.com/admin/ via "Button Objects" in malicious app
- [controlsyou.quora.com] 429 Too Many Requests Error-Page XSS
- [GitHub Extension] Unsanitised HTML leading to XSS on GitHub.com
- Web Cache Deception Attack (XSS)
- shopifyapps.com XSS on sales channels via currency formatting
- Reflected XSS on wholesale.shopify.com
- Stored XSS
- Stored XSS in Slack (weird, trial and error)
- XSS: Group search terms
- XSS Reflected on my_report
- Blind Stored XSS In "Report a Problem" on www.data.gov/issue/
- Reflected XSS on developers.zomato.com
- [wakatime.com] HTML Injection github-btn.html
- Query parameter reordering causes redirect page to render unsafe URL
- Reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/
- [dev.twitter.com] XSS and Open Redirect
- Reflected XSS on www.hackerone.com via Wistia embed code
- RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/
- RCE on Steam Client via buffer overflow in Server Info
- Remote code execution by hijacking an unclaimed S3 bucket in Rocket.Chat's installation script.
- Unsecured DB instance
- Complete Compromise & Source Code Disclosure via Exposed Jenkins Dashboard at https://jenkins101.udemy.com
- Code injection in macOS Desktop Client
- [Bypass] Code injection to open redirect in https://insights.newrelic.com/accounts/2521182/dashboards/1026927
- Code injection in https://www.semrush.com
- Remote Code Execution on www.semrush.com/my_reports on Logo upload
- RCE by command line argument injection to gm convert in /edit/process?a=crop
- Remote Code Execution - Unauthenticated Remote Command Injection (via Microsoft SharePoint CVE-2019-0604)
- Urgent: Server side template injection via Smarty template allows for RCE
- Mercurial can be tricked into granting authorized users access to the Python debugger
- Webshell via File Upload on ecjobs.starbucks.com.cn
- Command Injection (via CVE-2019-11510 and CVE-2019-11539)
- CSV Injection with the CSV export feature - Glossary
- [SSRF] PDF documentconverterws
- SSRF protection bypass
- SSRF on fleet.city-mobil.ru leads to local file read
- SSRF & LFR via on city-mobil.ru
- Unauthenticated blind SSRF in OAuth Jira authorization controller
- Blind SSRF/XSPA on dashboard.lob.com + blind code injection
- SSRF in notifications.server configuration
- Possible SSRF in email server settings(SMTP mode)
- SSRF in Exchange leads to ROOT access in all instances
- SSRF in https://cards-dev.twitter.com/validator
- SSRF vulnerability on ██████████ leaks internal IP and various sensitive information
- CSS Injection on /embed/ via bgcolor parameter leaks user's CSRF token and allows for XSS
- Possible CSRF during external programs
- H1514 CSRF in Domain transfer allows adding your domain to other user's account
- Persistent CSRF in /GiftCert-AddToBasket prevents purchases on eCommerce sites
- CSRF in all API endpoints when authenticated using HTTP Authentication
- CSRF To Like/Unlike Photos
- JSON CSRF on POST Heartbeats API
- CRLF Injection on https://vpn.mixmax.com
- CSRF vulnerability that allows an attacker to purge plugin metric data
- Cross-Site Request Forgery (CSRF)
- CSRF on https://apps.topcoder.com/wiki/users general and email preferences
- Login CSRF using Twitter OAuth
- CRLF injection
- CRLF Injection in legacy url API (url.parse().hostname)
- CRLF and XSS stored on ton.twitter.com
- Korea - LFI via path traversal at https://msr.istarbucks.co.kr:6443/appif/
- Arbitrary local system file read on open-xchange server
- Local files could be overwritten in GitLab, leading to remote command execution
- Race Condition allows redeeming gift cards multiple times, which leads to free "money"
- Race Condition leads to undeletable group member
- Race Condition in Flag Submission
- Race Condition : Exploiting the loyalty claim https://xxx.vendhq.com/loyalty/claim/email/xxxxx url and gain x amount of loyalty bonus/cash
- Race condition in activating email resulting in infinite amount of diamonds received
- HTTP Request Smuggling on my.stripo.email
- HTTP SMUGGLING EXPOSED HMAC/DOS
- Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies
- HTTP-Response-Splitting on v.shopify.com
- HTTP Request Smuggling on https://labs.data.gov
- Request smuggling on admin-official.line.me could lead to account takeover
- Multiple HTTP Smuggling reports
- Arbitrary file read via the UploadsRewriter when moving an issue
- Disclose Any Store products, Files, Purchase Orders Via Email through Shopify Stocky APP
- Password reset token leakage via referer
- [www.coursera.org] Leaking password reset link on referrer header
- Password reset token leak on third party website via Referer header
- password reset token leaking allowed for ATO of an Uber account
- Sensitive Information Leaking Through DARPA Website. [█████████]
- Sensitive Information Leaking Through DoD Owned Website. [██████████]
- Vine all registered user Private/sensitive information disclosure [IP address/phone no/email and many other informations]
- ability to retrieve a user's phone-number/email for a given inviteCode
- Disclosure of the name of a program that has a private part with an external link
- Private program policy page still accessible after user left the program
- Banner Grabbing - Apache Server Version Disclosure
- Email address of any user can be queried on Report Invitation GraphQL type when username is known
- Private information exposed through GraphQL filters
- Disabled account can still use GraphQL endpoint
- Confidential data of users and limited metadata of programs and reports accessible via GraphQL
- SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter
- GraphQL node interface for ActiveResource models lacks encoding for resource identifier, enabling parameter injection in Payments backend
- Private account causes displayed through API
- ActiveStorage throws exception when using whitespace as filename, may lead to denial of service of multiple pages
- "Bounties paid in the last 90 days" discloses the undisclosed bounty amount in program statistics
- Privilege escalation in workers container
- Viral Direct Message Clickjacking
- DOM based cookie bomb
- heap-buffer-overflow (READ of size 61) in Perl_re_intuit_start()
- HTML Injection on airlink.ubnt.com
- A HackerOne employee's GitHub personal access token exposed in Travis CI build logs
- Bypass rate limiting on /users/password (possibly site-wide rate limit bypass?)
- AWS S3 bucket writeable for authenticated AWS users
- Open S3 Bucket Accessible by any AWS User
- HTML injection in support.razer.com [IE only]
- Ethereum account balance manipulation
- ETH contract handling errors
- Team member with Program permission only can escalate to Admin permission
- Interstitial redirect bypass / open redirect in https://hackerone.com/zendesk_session
- Organization Takeover
- Organization Takeover via invitation API
- Bypassing one-time checkout router page (revealing payment information)
- Reading redacted data via hackbot's answers
- Null pointer dereference with send/method_missing
- Content (Text) Injection at https://nextcloud.com
- Reflected File Download in community.ubnt.com/restapi/
- Password Reset link hijacking via Host Header Poisoning
- SSLv3 POODLE Vulnerability
- 404-response contains debug-information with all headers
- S3 bucket unnecessarily discloses permissions
- Unauthenticated users can obtain information about Checklist objects with unclaimed ChecklistCheck objects
- SOP bypass using browser cache
- Account takeover via leaked session cookie
- JumpCloud API Key leaked via Open Github Repository.
- Misconfigured S3 Bucket exposure
- Http response is not ended although underlying socket is already destroyed
- Arbitrary File Write as SYSTEM from unprivileged user
- CORS misconfiguration allows stealing customers' data
- Two heap use-after-free errors in IMAP operations
- Arbitrary file read via ffmpeg HLS parser at https://www.flickr.com/photos/upload
- CORS Misconfiguration leading to Private Information Disclosure
- [www.zomato.com] CORS Misconfiguration, could lead to disclosure of sensitive information
- H1514 Ability to MiTM Shopify PoS Session to Takeover Communications
- Http request splitting
- Referer in /servlet/TestServlet
- Cross-origin resource sharing misconfig | steal user information
- IRC-Bot exposes information
- [Studio.twitter.com] See someone else pics
- Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical)
- Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO
- [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation
- Able to Take Over Merchants' Accounts Even If They Have Already Set Up SSO, After Bypassing the Email Confirmation
- Misconfigured CORS leads to HPP and SOP bypass
- CORS Misconfiguration Leads to Exposing User Data
- No redirect_uri in the db for web-internal clientKey leads to one-click DoS on gitter.im
- character limitation bypass can lead to DoS on Twitter App and 500 Internal Server Error
- Username restriction bypass with SSL client authentication
- Bypassing Digits bridge origin validation