| █.8x8.vc/index.js: Exposed Google Maps API Key Allowing Potential Abuse of Paid Services |
Information Disclosure |
abdallasamir12 |
Medium |
2025-08-14 |
| Information Disclosure of metrics fax.wavecell.com/metrics |
Information Disclosure |
kauenavarro |
Low |
2025-05-30 |
| Jitsi: Bridge Message Spoofing due to Improper JSON Handling leads to Prototype Pollution |
Command Injection - Generic |
afewgoats |
Medium |
2024-08-26 |
| Unprotected Atlantis Server at https://152.70.█.█ |
Improper Authentication - Generic |
ahmadzuriqi3 |
Medium |
2024-04-11 |
| Open Redirect via Non-Latin Subdomain in vcc-*.8x8.com/AGUI/█.php |
Open Redirect |
pentestor |
Low |
2024-03-20 |
| Stored xss at https://█.8x8.com/api/█/ID |
Cross-site Scripting (XSS) - Stored |
pentestor |
High |
2023-10-30 |
| Open Redirect - Polycom Company Directory |
Open Redirect |
mr-k0anti |
Low |
2023-10-17 |
| Unprotected Atlantis Server at https://132.226.█.█ |
Improper Authentication - Generic |
imranhudaa |
Medium |
2023-09-15 |
| xss(r) vcc-na11.8x8.com |
Cross-site Scripting (XSS) - Reflected |
ssharmaz |
Medium |
2023-07-10 |
| connect.8x8.com: Too much resource consumption of the server due to incorrect date range control via /api/v1/reports?dateFrom= |
Violation of Secure Design Principles |
exhandler |
Low |
2023-06-26 |
| connect.8x8.com: Blind SSRF via /api/v2/chats/image-check allows for Internal Ports scan |
Server-Side Request Forgery (SSRF) |
yassinek3ch |
Medium |
2023-05-15 |
| Credential leak on GitHub: https://github.com/█/█/ (Peoplesoft CRM) |
Use of Hard-coded Credentials |
pentestor |
Low |
2023-04-27 |
| Dangling DNS Record docs.jitsi.net (unsuccessful GSuite takeover) |
Violation of Secure Design Principles |
bababounty99 |
Low |
2023-04-03 |
| speedtest.8x8.com: Enabled Directory Listing |
Information Exposure Through Directory Listing |
shriyanss |
Low |
2023-03-28 |
| connect.8x8.com: Users with no permission can track/access restricted details/data via GET /api/v2/support/requests/<ticket number >HTTP/2 |
Information Disclosure |
emperor |
High |
2023-02-15 |
| connect.8x8.com: admin user can send invites on behalf of another admin user via POST /api/v1/users/<User ID>/invites |
Improper Access Control - Generic |
emperor |
High |
2023-02-15 |
| connect.8x8.com: deactivated users remain access to /api/v1/users/UUID/roles |
Improper Access Control - Generic |
emperor |
High |
2023-02-15 |
| jaas.8x8.vc: Removed users can still have READ/WRITE access to the workspace via different API endpoints |
Improper Access Control - Generic |
emperor |
High |
2023-02-15 |
| admin.8x8.vc: Member users with no permission can integrate email to connect calendar via GET /meet-external/spot-roomkeeper/v1/calendar/auth/init?.. |
Improper Access Control - Generic |
emperor |
High |
2023-02-15 |
| Jitsi Desktop Client RCE By Interacting with Malicious URL Schemes on Windows |
OS Command Injection |
ex0dus-0x |
High |
2023-02-10 |
| wavecell.com: Broken Link Hijacking / Instagram Takeover @██ |
Externally Controlled Reference to a Resource in Another Sphere |
xxxdopa |
Low |
2023-01-27 |
| Unprotected Atlantis Server at https://152.70.█.█ |
Improper Authentication - Generic |
shuvam321 |
Medium |
2022-12-06 |
| Jitsi: Attacker is able to cast a vote using the Victim's name on the Polls |
None supplied |
xsky |
Low |
2022-11-18 |
| Directory Listing at https://█.█.█.█ |
File and Directory Information Exposure |
shuvam321 |
Low |
2022-11-18 |
| Subdomain Takeover at http://██.get8x8.com/ |
Leftover Debug Code (Backdoor) |
testingforbugs |
Medium |
2022-10-14 |
| Directory Listing vulnerability on █.packet8.net/php/include/ |
Information Exposure Through Directory Listing |
rajauzairabdullah |
Low |
2022-09-28 |
| DLL Search-Order Hijacking Vulnerability in work-64-exe-v7.16.3-1.exe |
Privilege Escalation |
is- |
Low |
2022-09-22 |
| LFI via Jolokia at https://█.█.█.█:1293 |
Information Disclosure |
shuvam321 |
Medium |
2022-07-20 |
| CVE-2019-11248 on http://█.█.█.█:9100/debug/pprof/goroutine |
Information Disclosure |
mr-k0anti |
Low |
2022-07-18 |
| Public Apache Tomcat /examples example directory |
Information Exposure Through Directory Listing |
mr-k0anti |
Medium |
2022-07-18 |
| Open Redirect ███.8x8.com |
Open Redirect |
mr-k0anti |
Low |
2022-07-17 |
| 8x8pilot.com: Reflected XSS in Apache Tomcat /jsp-examples example directory |
Cross-site Scripting (XSS) - Reflected |
huntinex |
Medium |
2022-05-19 |
| Hardcoded AWS credentials in ███████.msi |
Use of Hard-coded Credentials |
chip_sec |
Critical |
2022-04-29 |
| subdomain takeover (abandoned Zendesk █.easycontactnow.com) |
None supplied |
bx_1 |
Medium |
2022-04-28 |
| F5 BIG-IP TMUI RCE - CVE-2020-5902 (██.packet8.net) |
Code Injection |
remonsec |
Critical |
2022-03-25 |
| Open Redirect on https://██.8x8.com/login?nextPage=%2F |
Open Redirect |
0x7v |
Low |
2022-03-10 |
| ████ api key exposed in github.com/███/███ |
Cleartext Storage of Sensitive Information |
adnanmalikinfo |
High |
2022-02-22 |
| Remote Code Execution on ██.8x8.com via .NET VSTATE Deserialization |
Code Injection |
0daystolive |
Critical |
2022-02-03 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
n1had |
Low |
2022-01-05 |
| Default credentials lead to Spring Boot Admin dashboard access |
Information Disclosure |
sparroww |
Medium |
2022-01-02 |
| Subdomain takeover of ████.jitsi.net |
Privilege Escalation |
ian |
High |
2021-05-14 |
| Any meeting chat history can be read and modified by an arbitrary user |
Incorrect Authorization |
pmnh |
Critical |
2021-04-29 |
| DNS Misconfiguration (Subdomain Takeover) █.staging.█.8x8.com |
Privilege Escalation |
melbadry9 |
High |
2021-02-28 |
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles