GitHub - HackerOne Reports
View on HackerOne
36 Total Reports: 1 Critical, 12 High, 20 Medium, 1 Low
[PATs] Ability to leak comments from issues without ANY "Issues" repo permissions by utilizing "Pull Request" permissions
Reported by: archangel | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic
Bypassing Collaborator Restrictions: Retaining Admin Access Post-Repository Transfer
Reported by: inspector-ambitious | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic
DoS via markdown API from unauthenticated user
Reported by: legit-security | Disclosed: | Severity: Medium | Weakness: Uncontrolled Resource Consumption | Bounty: $4000.00
Delimiter injection in GitHub Actions core.exportVariable
Reported by: jupenur | Disclosed: | Severity: Medium | Weakness: Misconfiguration | Bounty: $4617.00
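The vulnerability class named in the title above, shown as an added example that is not taken from the report or from GitHub's or the actions/toolkit code: a small parser for the GITHUB_ENV file-command format (an assumption modelled on the documented `NAME=value` and `NAME<<DELIM` heredoc syntax, not the runner's own parser), a writer that frames values with a fixed delimiter beside one that uses a fresh random delimiter per call, and a constructed attacker-controlled value that breaks out of the fixed framing. The delimiter string, the parser and all function names are assumptions made for illustration.

```python
import secrets

# Stand-in for a fixed, predictable heredoc delimiter (constructed for this
# example; the delimiter the real library used is not shown on this page).
FIXED_DELIMITER = "_FixedDelimiter_"


def parse_env_file(text: str) -> dict:
    """Parse a GITHUB_ENV-style file: 'NAME=value' lines and 'NAME<<DELIM'
    heredocs terminated by a line equal to DELIM. This parser is an
    assumption modelled on the documented format, not the runner's code."""
    env = {}
    lines = text.split("\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip():
            continue
        # A heredoc header has '<<' before any '='; 'X=a<<b' is a plain pair.
        is_heredoc = "<<" in line and ("=" not in line or line.index("<<") < line.index("="))
        if is_heredoc:
            name, delim = line.split("<<", 1)
            body = []
            while i < len(lines) and lines[i] != delim:
                body.append(lines[i])
                i += 1
            i += 1  # consume the closing delimiter line
            env[name] = "\n".join(body)
        else:
            name, _, value = line.partition("=")
            env[name] = value
    return env


def export_variable_fixed(name: str, value: str) -> str:
    """Weak writer: the delimiter is a constant, so a value that contains it
    on its own line terminates the heredoc early and everything after that
    line is parsed as fresh file commands chosen by whoever supplied the value."""
    return f"{name}<<{FIXED_DELIMITER}\n{value}\n{FIXED_DELIMITER}\n"


def export_variable_hardened(name: str, value: str) -> str:
    """Hardened writer: a fresh random delimiter per call, and refusal to
    write anything that could break the heredoc framing."""
    if "\n" in name or "<<" in name or "=" in name:
        raise ValueError("invalid variable name")
    delim = f"ghadelimiter_{secrets.token_hex(16)}"
    if delim in value:  # practically impossible, but never write it
        raise ValueError("value contains the delimiter")
    return f"{name}<<{delim}\n{value}\n{delim}\n"


# Constructed attacker-controlled input (think: a PR title that a workflow
# passes to exportVariable). It closes the heredoc with the known delimiter,
# injects its own assignments, then opens a throwaway heredoc so the writer's
# trailing delimiter line is swallowed without a parse error.
ATTACKER_VALUE = (
    "harmless looking title\n"
    f"{FIXED_DELIMITER}\n"
    "INJECTED=1\n"
    "PATH=/tmp/attacker-bin\n"
    f"SINK<<{FIXED_DELIMITER}"
)


def resulting_env(writer, name="PR_TITLE", value=ATTACKER_VALUE) -> dict:
    """Write one variable with the given writer and return the environment
    that a consumer of the file would end up with."""
    return parse_env_file(writer(name, value))


if __name__ == "__main__":
    weak = resulting_env(export_variable_fixed)
    strong = resulting_env(export_variable_hardened)
    print("fixed delimiter  :", sorted(weak))    # PR_TITLE plus INJECTED, PATH, SINK
    print("random delimiter :", sorted(strong))  # PR_TITLE only
```

With the fixed delimiter the consumer sees `INJECTED` and an attacker-chosen `PATH` alongside the intended variable; with a per-call random delimiter the whole payload, delimiter lookalike included, stays inside the single `PR_TITLE` value. The general fix for this class is exactly that pairing: an unpredictable delimiter plus an explicit refusal to write a value that contains it.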
Information Leakage via Clicked Link in GitHub Repository (Fingerprinting)
Reported by: pinguluk | Disclosed: | Severity: Medium | Weakness: Information Disclosure | Bounty: $4000.00
Git Reference Ambiguity in GitHub - Commit Smuggling, Account Takeover, and Remote Code Execution
Reported by: inspector-ambitious | Disclosed: | Severity: Medium | Weakness: Resource Injection
[Git Gud] GitHub.com Svnbridge memcached deserialization vulnerability chain leading to Remote Code Execution
Reported by: ajxchapman | Disclosed: | Severity: Medium | Weakness: Deserialization of Untrusted Data
Self XSS in Tag name pattern field /<username>/<reponame>/settings/tag_protection/new
Reported by: sudi | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Generic
Persistent Unauthorized Administrative Access on All Organization Repositories via RC in User Conversion to Organization
Reported by: inspector-ambitious | Disclosed: | Severity: Medium | Weakness: Improper Authentication - Generic
CSRF protection bypass in GitHub Enterprise management console
Reported by: bitquark | Disclosed: | Severity: High | Weakness: Cross-Site Request Forgery (CSRF) | Bounty: $10000.00
Github Apps can use Scoped-User-To-Server Tokens to Obtain Full Access to User's Projects in Project V2 GraphQL api
Reported by: ahacker1 | Disclosed: | Severity: High | Weakness: Improper Access Control - Generic | Bounty: $20000.00
GitHub Apps can access suspended installations via scoped user-to-server tokens
Reported by: ahacker1 | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic | Bounty: $4000.00
RC Between GitHub's Repo Transfer REST API and updateTeamsRepository GraphQL Mutation Results in Covert and Persistent Admin Access Retention
Reported by: inspector-ambitious | Disclosed: | Severity: Medium | Weakness: Misconfiguration
Command injection in GitHub Actions ContainerStepHost
Reported by: jupenur | Disclosed: | Weakness: Resource Injection | Bounty: $4000.00
Rogue collaborators and ambiguous branch names in GitHub
Reported by: inspector-ambitious | Disclosed: | Weakness: Business Logic Errors
Authentication bypass on gist.github.com through SSH Certificates
Reported by: ammar2 | Disclosed: | Severity: High | Weakness: Improper Access Control - Generic | Bounty: $10000.00
Improper handling of null bytes in GitHub Actions Runner allows an attacker to set arbitrary environment variables
Reported by: ryotak | Disclosed: | Severity: Medium | Weakness: Resource Injection
Smuggling content in PR with refs/replace in GitHub
Reported by: inspector-ambitious | Disclosed: | Severity: Medium | Weakness: Resource Injection
Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in syslog-ng
Reported by: inspector-ambitious | Disclosed: | Severity: High | Weakness: Command Injection - Generic
Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in collectd
Reported by: inspector-ambitious | Disclosed: | Severity: High | Weakness: Command Injection - Generic
Page 1 of 2