Inflection: HTTP Host Header Injection on app.goodhire.com

Researcher reported an issue that was previously reported by a different researcher and subsequently removed from program scope and then requested that we publicly disclose the report after closing it as a duplicate...

Inflection: Open redirect at app.goodhire.com via ReturnUrl parameter

At login, the ReturnURL parameter could be manipulated to send a user to any arbitrary URL, rather than just a local redirect, if the user was already logged into their GoodHire account and visited the login page again...