A nice little logic error abusing an edge case between two different command-line flags. Curl may remove the wrong file when the `--no-clobber` and `--remove-on-error` flags are used together...
Seems like a case of a generic endpoint implemented to update any field provided, without consideration of other restrictions on said field. In this case we have a `PATCH /api/v2.0/accounts/` endpoint which ultimately takes in a dictionary of field/value pairs to be updated for the account id...
By hiding a cross-site-scripting attack in the profile update functionality, specifically the profile image. Judging from the payload, it looks like straightforward unescaped input that gets reflected on profile pages, though they did need to contend with Cloudflare's WAF...
Simple bypass of the (optional) password lock screen by force-killing the application a few times. The exact cause of this is unclear; I have seen something similar previously where it was a "feature" because the developers thought the application was crashing at that point, so they disabled it to let the user continue using the application...
Another case of different normalization routines resulting in smuggling a request to an endpoint blocked by a reverse proxy.
Somewhat traditional CL.TE request smuggling attack on a few of Apple's domains. The main trick with this one was to place a `\n ` in the `Transfer-Encoding` header name...
The title says it all: CSRF protection was disabled for a period of time on Stripe's Dashboard. As the most sensitive actions required re-entering the user's password or solving a captcha, the damage was limited, but you could still change various account settings...
The bulk import API, when importing a group that had any uploads, would download `uploads.tar.gz` and extract it, including any symlinks. When the extracted files are later listed, viewing any of the symlinked files follows the symlink, allowing arbitrary files to be read from outside the upload directory.
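A defensive version of that extraction step, as an added example (not code from the original post or from the affected project): it builds a constructed `uploads.tar.gz` in memory containing a real upload, a symlink to a file outside the upload directory and a path-traversal member name, then shows an importer refusing links and out-of-root paths before extracting. The root path `/srv/uploads` is an assumption for the check, not the project's real layout.

```python
import io
import os
import tarfile


def build_sample_archive() -> bytes:
    """Constructed uploads.tar.gz: a real upload, a symlink pointing outside
    the upload directory (the pattern above) and a path-traversal name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"hello"
        for name in ("uploads/avatar.png", "../escape.txt"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("uploads/notes.txt")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"  # a later read of notes.txt would follow this
        tar.addfile(link)
    return buf.getvalue()


def inside_root(name: str, root: str) -> bool:
    """True if the member path still lies under root after normalisation."""
    target = os.path.normpath(os.path.join(root, name))
    return target == root or target.startswith(root + os.sep)


def unsafe_members(archive: bytes, root: str) -> list[str]:
    """Names an importer must reject: any symlink/hardlink, or a path escaping root."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers()
                if m.issym() or m.islnk() or not inside_root(m.name, root)]


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Extract only regular files/dirs that stay inside dest; return what was kept."""
    dest = os.path.realpath(dest)
    bad = set(unsafe_members(archive, dest))
    kept = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in tar.getmembers():
            if (m.isfile() or m.isdir()) and m.name not in bad:
                tar.extract(m, dest)
                kept.append(m.name)
    return kept
```

Rejecting link members outright is the simplest rule; if an importer must preserve relative symlinks, it should additionally resolve each `linkname` against the member's directory and apply the same inside-root check.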
Trivial instance of client-side validation: to enforce a timeout they were using the device's time, so by changing the time on the device you can make more attempts at the PIN.
Great bounty for a fairly simple bug: `showSaveFilePicker` would allow JavaScript to provide options including a default filename, which could include `%environment%` variables on Windows. The JavaScript could then access the name of the saved file in the resulting promise.