HackerOne Disclosed Reports - 2025-11-20
Dark C0d3rs (https://darkcoders.wiki) - Forum: Research Papers/Vulnerability reports
HackerOne disclosed reports - 2025-11-20 - hashXploiter - 11-21-2025
Low
resolved - Lack of minimum value bid wheel verification on customer_bid in Rental Trips
Bug reported by Sameer Ali was disclosed at November 20, 2025, 5:46 am | Business Logic Errors
A missing validation on the customer_bid field when creating rental trips allowed passengers to submit arbitrary bid amounts, including very low fares. Proper validation was added to prevent unrealistic values.
Medium
resolved - Customer can cancel a individual booking in a batch, causing locking of partner.
Bug reported by Sameer Ali was disclosed at November 20, 2025, 5:32 am | Business Logic Errors
The vulnerability allowed users to update the status of individual trips inside a batch, even though only batch-level status changes were intended. By cancelling the single trip inside a one-parcel batch, the batch was placed into an inconsistent state, causing the assigned partner to become stuck in a booking they could not complete or cancel.