Basecamp


23 total issues disclosed

$35,537 total paid publicly


Most disclosed (3 disclosures) — HTTP Request Smuggling




Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Privilege Escalation leads to trash other users comment without having admin rights. | Privilege Escalation | fuzzsqlb0f | Low | 2021-12-01 |
| Subdomain Takeover due to ████████ NS records at us-east4.37signals.com | Information Disclosure | nagli | Medium | 2021-09-17 |
| HTTP Request Smuggling via HTTP/2 | HTTP Request Smuggling | neex | Critical | 2021-08-27 |
| Domain Takeover [3737signals.com] | Phishing | mrmax4o4 | Low | 2021-08-13 |
| Insecure Bundler configuration fetching internal Gems (okra) from Rubygems.org | Command Injection - Generic | zofrex | High | 2021-08-10 |
| Password reset link not expiring after changing password in settings | Improper Authentication - Generic | blackbibin | Low | 2021-08-10 |
| Login session not expire | Insufficient Session Expiration | blackbibin | Low | 2021-08-10 |
| Information Disclosure .htaccess accessible for public | None supplied | alone_breecher | Low | 2021-07-18 |
| Error Page Content Spoofing or Text Injection | Violation of Secure Design Principles | princej_76 | Low | 2021-07-14 |
| User can upload files even after closing his account | Improper Authentication - Generic | h4x0r_dz | No rating | 2021-03-29 |
| DNS Setup allows sending mail on behalf of other customers | Violation of Secure Design Principles | aisforarray | Medium | 2021-02-21 |
| Remote code execution on Basecamp.com | Command Injection - Generic | gammarex | Critical | 2020-11-26 |
| Attachments may be hijacked via AppCache+CookieBombing trick (bc3_production_blobs bucket) | Business Logic Errors | hudmi | High | 2020-11-26 |
| Remote Code Execution in Basecamp Windows Electron App | Code Injection | co0sin | High | 2020-11-19 |
| a very long name in hey.com can prevent anyone from accessing their contacts and probably can cause denial of service | Denial of Service | tw4v3sx | Medium | 2020-11-10 |
| Information Disclosure of Garbage Collection Cycle | Information Disclosure | ahmd_halabi | Low | 2020-11-04 |
| stored XSS in hey.com message content | Cross-site Scripting (XSS) - Stored | carbon61 | Medium | 2020-10-31 |
| CSRF on launchpad.37signals.com OAuth2 authorization endpoint | Cross-Site Request Forgery (CSRF) | carbon61 | High | 2020-10-30 |
| Unauthenticated request smuggling on launchpad.37signals.com | HTTP Request Smuggling | hazimaslam | Critical | 2020-10-28 |
| HTTP request smuggling on Basecamp 2 allows web cache poisoning | HTTP Request Smuggling | hazimaslam | Critical | 2020-10-28 |
| HEY.com email stored XSS | Cross-site Scripting (XSS) - Stored | jouko | Critical | 2020-10-27 |
| Possible DOM XSS on app.hey.com | Cross-site Scripting (XSS) - DOM | enigmaticjohn | High | 2020-10-27 |