| Title | Weakness | Reporter | Severity | Date |
|---|---|---|---|---|
| Blind Stored XSS in HackerOne's Sal 4.1.4.2149 (sal.████.com) | Cross-site Scripting (XSS) - Stored | nahamsec | None | 2020-11-09 |
| Getting New Invitations without Leaving Programs | Business Logic Errors | mygf | Low | 2020-10-16 |
| 2020-10-09 Credential Stuffing Attack | None supplied | jobert | No rating | 2020-10-13 |
| Making program preference -> program visibilty feature usless and disclosing API Identifier in the progress and data that may cause potential IDORS. | Information Disclosure | spongebhav | Low | 2020-10-02 |
| Reflected XSS on www.hackerone.com via Wistia embed code | Cross-site Scripting (XSS) - Reflected | vakzz | Low | 2020-09-24 |
| Team object in GraphQL disclosed private_comment | Information Disclosure | haxta4ok00 | Medium | 2020-09-10 |
| Graphql: Sorting the reports by jira_status field resulted to different value | Improper Access Control - Generic | 0619 | Low | 2020-08-27 |
| Recently added 'Country' field doesn't send email notification when changed | Violation of Secure Design Principles | bugra | Low | 2020-08-25 |
| Pentester can obtain information about other pentesters who applied for the same test, but weren't accepted | Information Disclosure | haxta4ok00 | Low | 2020-08-24 |
| GraphQL field on Team node can be used to determine if External Program runs invite-only program | Information Disclosure | kunal94 | Medium | 2020-07-25 |
| SAML Response Reuse on hackerone.com/users/saml/auth | Improper Authentication - Generic | samtink | Low | 2020-07-24 |
| Near to Infinite loop when changing Group's name that has API token as Team Member | None supplied | lucenaxpl0it | Medium | 2020-07-23 |
| Uploading large payload on domain instructions causes server-side DoS | Denial of Service | one- | Medium | 2020-06-20 |
| Attacker may be able to bounce enough emails which suspend HackerOne's SES service and cause a DoS of HackerOne's email service | Denial of Service | iamr0000t | Medium | 2020-06-12 |
| Login CSRF vulnerability on hackerone.com | Cross-Site Request Forgery (CSRF) | what_web | Low | 2020-06-12 |
| Unauthorized access to metadata of undisclosed reports that were retested | Information Disclosure | msdian7 | Medium | 2020-06-05 |
| Attacker with an Old account might still be able to DoS ctf.hacker101.com by sending a Crafted request | Denial of Service | iamr0000t | Low | 2020-05-25 |
| Disclosure of the name of a program that has a private part with an external link | Information Disclosure | haxta4ok00 | Low | 2020-05-22 |
| 404-response contains debug-information with all headers | Information Exposure Through Debug Information | p4fg | Low | 2020-05-16 |
| Subdomain takeover of resources.hackerone.com | None supplied | amans | Low | 2020-05-15 |
| Rounding errors on rewarding a bounty leads to bypassing the 20% H1 commission fee | Business Logic Errors | haxta4ok00 | Low | 2020-05-15 |
| Changes to data in a CVE request after draft via GraphQL query | Modification of Assumed-Immutable Data (MAID) | haxta4ok00 | Low | 2020-05-15 |
| A team member of the program with Report rights can ban the Admin | Business Logic Errors | haxta4ok00 | Low | 2020-05-15 |
| Customer private program can disclose email any users through invited via username | Information Disclosure | haxta4ok00 | High | 2020-05-15 |
| GraphQL node interface for ActiveResource models lacks encoding for resource identifier, enabling parameter injection in Payments backend | Information Disclosure | jobert | Medium | 2020-05-11 |
| Reflected XSS on www.hackerone.com and resources.hackerone.com | Cross-site Scripting (XSS) - Reflected | todayisnew | Low | 2020-05-05 |
| Potential stored Cross-Site Scripting vulnerability in Support Backend | Cross-site Scripting (XSS) - Stored | jobert | Medium | 2020-05-04 |
| Read-only team members can read all properties of webhooks | Improper Access Control - Generic | bencode | Low | 2020-04-29 |
| An invite-only's program submission state is accessible to users no longer part of the program | Information Disclosure | d4rk_g1rl | Low | 2020-04-22 |
| program_analytics_benchmarks query shows information not visible in public | Information Disclosure | qw3ty | Low | 2020-03-27 |
| profile-picture name parameter with large value lead to DoS for other users and programs on the platform | Denial of Service | red_assassin | Medium | 2020-03-25 |
| Race Condition leads to undeletable group member | Time-of-check Time-of-use (TOCTOU) Race Condition | yashrs | Low | 2020-03-20 |
| Unauthenticated users can obtain information about Checklist objects with unclaimed ChecklistCheck objects | Improper Access Control - Generic | jobert | Medium | 2020-03-20 |
| Disabled account can still use GraphQL endpoint | Improper Access Control - Generic | tolo7010 | Low | 2020-03-12 |
| HackerOne Pentesters can access any structured scope object through GraphQL node interface | Improper Access Control - Generic | jobert | High | 2020-03-11 |
| Total Paid Bounty Paid can be disclose | Information Disclosure | zrachessanasz | Low | 2020-02-28 |
| "Bounties paid in the last 90 days" discloses the undisclosed bounty amount in program statistics | Information Disclosure | japz | Low | 2020-02-21 |
| Email address of any user can be queried on Report Invitation GraphQL type when username is known | Improper Authorization | msdian7 | High | 2020-02-20 |
| Unauthorized user can obtain `report_sources` attribute through Team GraphQL object | Information Disclosure | haxta4ok00 | Medium | 2020-02-10 |
| How the Bug stole hacking | Insecure Direct Object Reference (IDOR) | the_arch_angel | None | 2019-12-20 |
| ActiveStorage throws exception when using whitespace as filename, may lead to denial of service of multiple pages | Denial of Service | ninetynine | Medium | 2019-12-13 |
| Account takeover via leaked session cookie | Improper Authentication - Generic | haxta4ok00 | High | 2019-12-03 |
| Account takeover via leaked session cookie | Improper Authentication - Generic | haxta4ok00 | High | 2019-12-03 |
| Disclosure of `payment_transactions` for programs via GraphQL query | Information Disclosure | msdian7 | Medium | 2019-12-01 |
| Team object in GraphQL disclosed of private programs via the industry | None supplied | haxta4ok00 | Low | 2019-11-23 |
| latest_activity_id and latest_activity_at may disclose information about internal activities to unauthorized users | Information Disclosure | egrep | Low | 2019-11-10 |
| Searching from Hacktivity returns hits for words in limited disclosure reports that are not visible | Information Disclosure | nathand | Medium | 2019-11-08 |
| Reporter, external users, collaborators can mark sent swag awarded to reporter as unsent | Insecure Direct Object Reference (IDOR) | jobert | Medium | 2019-10-25 |
| Any user with access to program can resume and suspend HackerOne Gateway | Insecure Direct Object Reference (IDOR) | jobert | Medium | 2019-10-21 |
| Private program disclosure via `vpn_suspended` GraphQL query | Information Disclosure | unknown_person | None | 2019-10-21 |
| Disclosure of Email title report in quick award paypout email (no content mode) | Information Disclosure | kunal94 | Low | 2019-10-11 |
| Manipulate hacker profile and private program hacktivity to expose your name as researchers who is actively submitting reports with resolve status | Information Disclosure | japz | Low | 2019-09-29 |
| [Bypass #645264] Report title disclosure despite the program settings for email notification is set to "No Content" | None supplied | japz | Low | 2019-09-09 |
| Private information exposed through GraphQL filters | Information Disclosure | reigertje | Medium | 2019-07-23 |
| Race Condition in Flag Submission | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | dropper | Low | 2019-07-22 |
| Team member with Program permission only can escalate to Admin permission | Privilege Escalation | metnew | Medium | 2019-06-26 |
| Password not checked when disabling 2FA on HackerOne | Violation of Secure Design Principles | tester1231233 | Low | 2019-06-08 |
| Account recovery text message is sending a wrong domain to users. | Business Logic Errors | lowkey-tech | Low | 2019-05-31 |
| Account recovery text message is sending a wrong domain to users. | Business Logic Errors | lowkey-tech | Low | 2019-05-31 |
| Banned researcher gets email updates on a private program. | None supplied | fixit | No rating | 2019-05-18 |
| DOM Based XSS in www.hackerone.com via PostMessage (bypass of #398054) | Cross-site Scripting (XSS) - DOM | honoki | Low | 2019-05-04 |
| Discrepancy in hacker profile report count may reveal existence of a private program by publishing a report | Information Disclosure | haxta4ok00 | Medium | 2019-04-24 |
| Unreleased CTF Levels are Revealed on /group/user/ID1?user=USERID endpoint | Insecure Direct Object Reference (IDOR) | spaceraccoon | Low | 2019-04-23 |
| Emails of invited collaborators are disclosed in full in payload for report participants | Information Disclosure | flashdisk | Low | 2019-04-09 |
| Client-Side Race Condition using Marketo, allows sending user to data-protocol in Safari when form without onSuccess is submitted on www.hackerone.com | Business Logic Errors | fransrosen | Low | 2019-04-05 |
| DOM Based XSS in www.hackerone.com via PostMessage | Cross-site Scripting (XSS) - DOM | adac95 | Low | 2019-02-21 |
| Cross-site Scripting (XSS) on HackerOne careers page | Cross-site Scripting (XSS) - DOM | khoiasd | Low | 2019-02-18 |
| Confidential data of users and limited metadata of programs and reports accessible via GraphQL | Information Disclosure | yashrs | Critical | 2019-02-03 |
| Race condition in performing retest allows duplicated payments | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | cablej | Medium | 2018-12-27 |
| Denial of service via cache poisoning | Denial of Service | albinowax | Medium | 2018-12-22 |
| SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter | SQL Injection | jobert | Critical | 2018-11-30 |
| IE only: stored Cross-Site Scripting (XSS) vulnerability through Program Asset identifier | Cross-site Scripting (XSS) - Stored | dagruxxx | Medium | 2018-11-27 |
| Accidental Access to Programs Information via SAML Login | None supplied | npbhatter17 | Critical | 2018-11-14 |
| Self DOM-Based XSS in www.hackerone.com | Cross-site Scripting (XSS) - DOM | adac95 | Low | 2018-11-08 |
| Disclosure of top 10 vulnerability types for programs that haven't enabled the Insights feature | Information Disclosure | tolo7010 | Low | 2018-11-08 |
| Proper verification is not done before sending invitations to researchers for certain private programs with rules e.g. "Participants must be US-based" | Improper Access Control - Generic | ateek | Medium | 2018-11-07 |
| Hacker can bypass 2FA requirement and reporter blacklist through embedded submission form | Improper Authorization | japz | Medium | 2018-10-31 |
| Hacker can bypass 2FA requirement and reporter blacklist through embedded submission form | Improper Authorization | japz | Medium | 2018-10-31 |
| Improper UUID validation results in bypass of #419896 | Improper Input Validation | popeax | High | 2018-10-26 |
| User with privilege to maintain External Programs can update certain churned HackerOne programs | Improper Authorization | haxta4ok00 | Low | 2018-10-25 |
| Unauthenticated user can upload an attachment to the last updated report draft | Improper Null Termination | jobert | High | 2018-10-10 |
| Internal usage of AdBlockPlus may expose PoC URLs to unknown third-parties | Information Disclosure | dudez | Low | 2018-08-17 |
| Private program policy page still accessible after user left the program | Information Disclosure | japz | Medium | 2018-08-12 |
| TeamProfile exposes partially sensitive information through GraphQL | Information Disclosure | amjamjamj | Low | 2018-08-09 |
| Content spoofing and potential Cross-Site Scripting vulnerability on www.hackerone.com | Cross-site Scripting (XSS) - Generic | suresh1c | Medium | 2018-08-04 |
| HackerOne customer submitted sensitive link to VirusTotal, exposing confidential information | Information Disclosure | mohammed__fayez | None | 2018-07-26 |
| Information leakage - Private reports cached by Google | Information Disclosure | tisisire | No rating | 2018-07-23 |
| Team object exposes amount of participants in a private program to non-invited users | Information Disclosure | kapytein | Medium | 2018-07-20 |
| Add the same user who is already registered in the teams | None supplied | rbcafe | No rating | 2018-07-17 |
| CSRF at [Apply to this program] that lead to submit your request automatic with out any validations | Violation of Secure Design Principles | modam3r5 | Low | 2018-07-06 |
| Team object in GraphQL that have a published external program may expose existence of a private program | Information Disclosure | nismo | None | 2018-07-04 |
| Blind SSRF on errors.hackerone.net due to Sentry misconfiguration | Server-Side Request Forgery (SSRF) | ruvlol | Low | 2018-07-04 |
| Hacktivity of a private program visible to banned user if he gets invited to a program by hackbot | Improper Access Control - Generic | parth | Low | 2018-06-27 |
| Invalid Phabricator API token revealed through error message when escalating a report | Information Exposure Through an Error Message | bigbug | None | 2018-06-27 |
| User object in GraphQL exposes number of trial reports for External Programs that also have a Private Program | Information Disclosure | ashish_r_padelkar | None | 2018-06-27 |
| People who interviewed for HackerOne security analyst position can be enumerated and their personal email address may be exposed | Information Disclosure | r3naissance | Low | 2018-06-25 |
| Exposing hackerone users personally identifiable information by abusing sandbox with swag reward enabled | Information Disclosure | japz | None | 2018-06-07 |
| Lack of cross-origin request blocking allows leaking of sensitive information on several endpoints | Information Disclosure | herrera | No rating | 2018-06-07 |
| HackerOne support disclosing report state without checking user identity | None supplied | amans | Low | 2018-06-02 |
| Private program email forwarding response invitation not expire after first use. | Violation of Secure Design Principles | japz | High | 2018-05-30 |
| Team object in GraphQL disclosed total number of whitelisted hackers | Information Disclosure | haxta4ok00 | Medium | 2018-05-12 |
| Program metrics disclosed response_efficiency_percentage via /program_name json response despite the team decided not to show on their profile | Information Disclosure | japz | Medium | 2018-05-08 |
| Team object in GraphQL discloses team group names and permissions | Information Disclosure | haxta4ok00 | Medium | 2018-05-04 |
| Email Forwarding invitations for Drafts are not marked as accepted, allowing multiple users to join a program after disabling Email Forwarding | Business Logic Errors | d4rk_g1rl | Low | 2018-04-18 |
| Harvesting all private invites using leave program fast-tracked invitation and security@ email forwarding feature | Business Logic Errors | japz | Medium | 2018-04-18 |
| Unicorn worker pool exhaustion by continuously updating payout preferences | Denial of Service | blackni9ht | Medium | 2018-03-31 |
| Extra program metrics disclosed via /PROGRAM_NAME json response | Information Disclosure | yaworsk | Medium | 2018-03-28 |
| h1-202 leaderboard photo discloses local wifi password | Insufficiently Protected Credentials | 0x0g | Medium | 2018-03-25 |
| Leakage badges on disabled user | Information Disclosure | e333jsjs7se | Low | 2018-03-15 |
| HTTP Parameter Pollution using semicolons in iframe element at hackerone.com/careers allows loading external Greenhouse forms | None supplied | kapytein | None | 2018-03-13 |
| Can read features from any user | Information Disclosure | firs0v | Medium | 2018-03-12 |
| Program profile_metrics.json contains time to triage for deptofdefense even it's turned off | Information Disclosure | kunal94 | None | 2018-03-09 |
| Open Redirection in index.php page | Open Redirect | prashantkumar96 | None | 2018-03-07 |
| Information Disclosure which violate program privacy | Privacy Violation | eqbang | Low | 2018-02-20 |
| The request tells the number of private programs, the new system of authorization /invite/token | Information Disclosure | haxta4ok00 | Medium | 2018-02-14 |
| ImageMagick GIF coder vulnerability leading to memory disclosure | Information Disclosure | kunal94 | Low | 2018-02-07 |
| Reputation gain split by company can be used to track the existence of otherwise undisclosed reports | Information Disclosure | aidantwoods | Low | 2018-02-02 |
| Updating payout preference to CurrencyCloud doesn't notify user via email | Violation of Secure Design Principles | dr_dragon | None | 2018-01-31 |
| Domain spoofing in redirect page using RTLO | Open Redirect | ashish_r_padelkar | Low | 2018-01-30 |
| Markdown parsing issue enables insertion of malicious tags and event handlers | Cross-site Scripting (XSS) - Stored | dr_dragon | High | 2018-01-29 |
| While adding a payment method - Notification email not sent to newly added email ID as well as there is no verification for new email id (Paypal) | Violation of Secure Design Principles | us111 | Low | 2018-01-23 |
| Common response suggestion is sent to Google Analytics when user accepts duplicate comment Genius suggestion | Violation of Secure Design Principles | bigbug | Low | 2018-01-22 |
| Submitted reports state logs leakage | Information Disclosure | 666reda | Medium | 2018-01-19 |
| Invitation token leaks to https://bat.bing.com | Information Disclosure | zuriel | Low | 2018-01-11 |
| Partial disclosure of undisclosed programs through <meta> tags | Information Disclosure | bigbug | No rating | 2018-01-11 |
| Missing Password Confirmation at a Critical Function (Payout Method) | Violation of Secure Design Principles | hk755a | Medium | 2018-01-10 |
| Open redirect deceive in hackerone.com via another open redirect link. | Open Redirect | abidbaseer | Low | 2017-12-13 |
| Content Security Policy not applied to error pages at multiple HackerOne endpoints | Violation of Secure Design Principles | brad07 | Low | 2017-12-12 |
| Able To Check The Exact Bounty Balance of any Bug Bounty Program | Information Disclosure | cjlegacion | Medium | 2017-12-06 |
| Invalid Host detection at https://hackerone.com/redirect | Violation of Secure Design Principles | shailesh4594 | Low | 2017-12-03 |
| GraphQL sessions aren't immediately invalidated when user password is changed | Violation of Secure Design Principles | bigbug | No rating | 2017-11-30 |
| Query parameter reordering causes redirect page to render unsafe URL | Cross-site Scripting (XSS) - Reflected | kenziy | Medium | 2017-11-30 |
| Validation message in Bounty award endpoint can be used to determine program balances | Information Disclosure | cyriac | Medium | 2017-11-29 |
| IDOR on Program Visibilty (Revealed / Concealed) against other team members | Insecure Direct Object Reference (IDOR) | japz | Medium | 2017-11-23 |
| Introspection query leaks sensitive graphql system information. | Violation of Secure Design Principles | zuriel | No rating | 2017-11-22 |
| Reverse Tabnabbing Vulnerability in Outgoing Links | None supplied | what94 | Medium | 2017-11-21 |
| Pending member invitations are not revoked on program name change | Information Disclosure | ashish_r_padelkar | None | 2017-11-18 |
| Issue with password change in Disabled Account | Violation of Secure Design Principles | clarckowen_ | Low | 2017-11-17 |
| Private Program all members disclosed | Information Disclosure | khalifah | No rating | 2017-11-16 |
| Additional bypass allows SSRF for internal netblocks | Server-Side Request Forgery (SSRF) | edoverflow | No rating | 2017-11-16 |
| Program profile metrics endpoint contains mean time to triage, even when turned off | Information Disclosure | flashdisk | Medium | 2017-11-14 |
| Blind SSRF in "Integrations" by abusing a bug in Ruby's native resolver. | Server-Side Request Forgery (SSRF) | edoverflow | No rating | 2017-11-09 |
| Private partial disclosure of h1 infrastructure | Information Disclosure | exadmin | None | 2017-11-03 |
| View Any Program's Team Members through GET https://hackerone.com/invitations/ | Information Disclosure | nickcas | Medium | 2017-11-01 |
| Search query text, including from potentially undisclosed reports, sent to Google Analytics on Inbox query page | Information Disclosure | holvonix-advay | None | 2017-11-01 |
| Adding or removing a new non-preferred payout method does not trigger an e-mail or account notification | Business Logic Errors | mohammed__fayez | Medium | 2017-11-01 |
| Report Private Links Leaks to Google Analytics via Query String Param | Information Disclosure | axolotl | Medium | 2017-10-26 |
| Homograph fix Bypass | Violation of Secure Design Principles | hk755a | Medium | 2017-10-16 |
| resolved bugs in a program are public despite the program settings | Information Disclosure | flashdisk | Low | 2017-10-14 |
| Lack of input sanitization in Marketo form leads to execution of HTML in lead emails | Server-Side Request Forgery (SSRF) | encrypt | No rating | 2017-10-03 |
| IDOR on HackerOne Feedback Review | Insecure Direct Object Reference (IDOR) | japz | Low | 2017-09-02 |
| HackerOne reports escalation to JIRA is CSRF vulnerable | Cross-Site Request Forgery (CSRF) | whhackersbr | Medium | 2017-08-30 |
| Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP | Violation of Secure Design Principles | fransrosen | No rating | 2017-08-29 |
| Missing Certificate Authority Authorization rule | Cryptographic Issues - Generic | ericlaw | No rating | 2017-08-17 |
| Reading redacted data via hackbot's answers | Information Disclosure | inhibitor181 | Medium | 2017-07-27 |
| Invitation tokens leak to Google Analytics | Information Disclosure | h33t | Low | 2017-07-16 |
| Insecure SHA1withRSA in b5s.hackerone-ext-content.com and a4l.hackerone-ext-content.com | Use of a Broken or Risky Cryptographic Algorithm | evanricafort | No rating | 2017-06-22 |
| Subdomain takeover #3 at info.hacker.one | Privilege Escalation | ak1t4 | Low | 2017-06-21 |
| Subdomain takeover #4 at info.hacker.one | Privilege Escalation | ak1t4 | Low | 2017-06-21 |
| A HackerOne employee's GitHub personal access token exposed in Travis CI build logs | Information Exposure Through an Error Message | sainaen | Medium | 2017-05-23 |
| www.hackerone.com website CSP "script-src" includes "unsafe-inline" | Violation of Secure Design Principles | rootkid | None | 2017-05-23 |
| Report invitation links not restricted to any existing user | Information Disclosure | japz | Low | 2017-05-23 |
| Changing Victim's JIRA Integration Settings Through Multiple Bugs | Business Logic Errors | whhackersbr | Medium | 2017-05-23 |
| Information leakage via CSV when content is valid JavaScript | Cross-Site Request Forgery (CSRF) | mikkocarreon | Low | 2017-05-23 |
| Race condition leads to duplicate payouts | Improper Access Control - Generic | jigarthakkar39 | Low | 2017-05-23 |
| WannaCrypt “Killswitch” | None supplied | malwaretech | No rating | 2017-05-13 |
| CRLF injection in info.hacker.one | CRLF Injection | thalaivarsubu | No rating | 2017-05-03 |
| Subdomain takeover #2 at info.hacker.one | Privilege Escalation | ak1t4 | Low | 2017-04-28 |
| Able to create basic user account via Google login on HackerOne Drupal CMS | Improper Authentication - Generic | ishahriyar | No rating | 2017-04-25 |
| HackerOne is still prone to Internet Explorer UXSS | Cross-Site Request Forgery (CSRF) | zombiehelp54 | No rating | 2017-04-19 |
| javascript: and mailto: links are allowed in JIRA integration settings | Violation of Secure Design Principles | jamesclyde | Low | 2017-04-10 |
| Example HackerOne security@ forward domain is not registered | Violation of Secure Design Principles | intidc | No rating | 2017-04-10 |
| Transitioning a Private Program to Public Does Not Clear Previously Private Updates to Hackers | Information Disclosure | 0xffe4 | Medium | 2017-04-05 |
| IE 11 Self-XSS on Jira Integration Preview Base Link | Cross-site Scripting (XSS) - Generic | ziot | Low | 2017-03-29 |
| Subdomain takeover at info.hacker.one | Privilege Escalation | ak1t4 | Low | 2017-03-27 |
| Limited Open redirection using SSO-SAML | Open Redirect | shailesh4594 | Low | 2017-03-26 |
| Google Analytics could be used as CSP bypass for data exfiltration on hackerone.com | Violation of Secure Design Principles | aaron_costello | Low | 2017-03-26 |
| Websites opened from reports can change url of report page | Open Redirect | devil13 | Medium | 2017-02-25 |
| Report redaction doesn't apply to report title update activities | Violation of Secure Design Principles | 1lastbr3ath | Low | 2017-02-25 |
| Disclose any user's private email through API | Information Disclosure | zombiehelp54 | Medium | 2017-02-24 |
| Information Disclosure in /skills call | Information Disclosure | deepankerchawla | Medium | 2017-01-05 |
| Bypass rate limiting on /users/password (possibly site-wide rate limit bypass?) | Violation of Secure Design Principles | zseano | None | 2016-12-08 |
| Internal attachments can be exported via "Export as .zip" feature | Information Disclosure | japz | High | 2016-11-30 |
| Partial disclosure of report activity through new "Export as .zip" feature | Information Disclosure | faisalahmed | High | 2016-11-29 |
| Partial disclosure of report activity through new "Export as .zip" feature | Information Disclosure | faisalahmed | High | 2016-11-29 |
| Researcher gets email updates on a private program after he/she quits that program. | Information Disclosure | sasi2103 | Low | 2016-11-21 |
| Information disclosure via policy update notifications after removal from program | Information Disclosure | staytuned | Low | 2016-10-29 |
| (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation | Cross-site Scripting (XSS) - Generic | whhackersbr | Low | 2016-10-27 |
| Possible CSRF during external programs | Cross-Site Request Forgery (CSRF) | malcolmx | Low | 2016-10-18 |
| Obtain the username & the uid of the one doing the S3 sync on Hackerone | Information Disclosure | rbcafe | No rating | 2016-10-03 |
| Hacker.One Subdomain Takeover | Violation of Secure Design Principles | geekboy | Low | 2016-09-20 |
| Ability to enumerate private programs using SAML | Information Disclosure | ayoubfathi | No rating | 2016-09-15 |
| Users contents on AWS is cacheable | Information Disclosure | abdullah | No rating | 2016-09-06 |
| Know undisclosed Bounty Amount when Bounty Statistics are enabled. | Information Disclosure | vijay_kumar | No rating | 2016-09-02 |
| Disclosure of external users invited to a specific report | Information Disclosure | kirils | No rating | 2016-09-01 |
| Non-secure requests are not automatically upgraded to HTTPS | None supplied | koenrh | No rating | 2016-08-19 |
| Requesting Mediation possible on reports that are too old for mediation | Privilege Escalation | troubleshooter | No rating | 2016-08-18 |
| Information leakage of private program | Information Disclosure | faisalahmed | No rating | 2016-08-18 |
| Ability to monitor reports' submission in real time | Privilege Escalation | saeedhashem | No rating | 2016-08-17 |
| Reward Money Leakage | Information Disclosure | xsserboiii | No rating | 2016-08-09 |
| Race Conditions in Popular reports feature. | Memory Corruption - Generic | shmoo | No rating | 2016-08-03 |
| Report title and issue information prepopulated | None supplied | yaworsk | No rating | 2016-07-16 |
| Possible CSRF during joining report as participant | Cross-Site Request Forgery (CSRF) | ehsahil | No rating | 2016-07-12 |
| Able to remove the admin access of my program | Violation of Secure Design Principles | pardeepbattu02 | No rating | 2016-07-06 |
| Unauthorized Team members viewing | Improper Authentication - Generic | temmyscript | No rating | 2016-07-02 |
| Manipulate report timeline activity by using null byte. | Violation of Secure Design Principles | siddiki | No rating | 2016-07-01 |
| Web Authentication Endpoint Credentials Brute-Force Vulnerability | Improper Authentication - Generic | arneswinnen | No rating | 2016-06-24 |
| Old titles are not hidden in reports with limited disclosure | Information Disclosure | jthetechguy | No rating | 2016-06-22 |
| Hackerone Email Addresses Enumeration | Information Disclosure | eronx | No rating | 2016-06-18 |
| RCE in profile picture upload | Code Injection | c666a323be94d57 | No rating | 2016-06-08 |
| Denial of service in report view. | Denial of Service | apok | No rating | 2016-05-28 |
| Content Spoofing via reports | Violation of Secure Design Principles | testoid | No rating | 2016-05-25 |
| URL Crashing browser. {Tested on firefox, Chrome and Safari} | Denial of Service | avicoder_ | No rating | 2016-05-25 |
| Redirection Page throwing error instead of redirecting to site | Violation of Secure Design Principles | mafia | No rating | 2016-05-25 |
| DOS Report FILE html inside <code> in markdown | Denial of Service | pisarenko | No rating | 2016-05-21 |
| HackerOne Important Emails Notification are sent in clear-text | Improper Authentication - Generic | ala_arfaoui | No rating | 2016-05-19 |
| LinkedIN URL should be HTTPS | None supplied | teo | No rating | 2016-05-18 |
| Inadequate access controls in "Vote" functionality??? | Privilege Escalation | apok | No rating | 2016-05-12 |
| Spamming any user from Reset Password Function | Violation of Secure Design Principles | coolboss | No rating | 2016-05-03 |
| SECURITY: Referencing previous Reports attachment_IDs on new Reports via Draft_Sync DELETES Attachments | Violation of Secure Design Principles | nismo | No rating | 2016-04-30 |
| New hacktivity view discloses report IDs of non-public reports | None supplied | ayoubfathi | No rating | 2016-04-26 |
| Race Conditions Exist When Accepting Invitations | Violation of Secure Design Principles | yaworsk | No rating | 2016-04-26 |
| Reflected File Download | Violation of Secure Design Principles | 0xdeadpool | No rating | 2016-04-25 |
| Mediation link can be accepted by other users | Improper Authentication - Generic | kirkj | No rating | 2016-04-25 |
| CSV Injection via the CSV export feature | Command Injection - Generic | stewie | No rating | 2016-04-25 |
| Signals get affected once reports closed as self | Violation of Secure Design Principles | kpr | No rating | 2016-04-25 |
| Reflected Filename Download | Code Injection | dsopas | No rating | 2016-04-25 |
| Add text to the title of the page "Thanks" | Violation of Secure Design Principles | ragnar | No rating | 2016-04-25 |
| All Active user sessions should be deleted when user change his password! | Violation of Secure Design Principles | faisalahmed | No rating | 2016-04-25 |
| Distinguish EP+Private vs Private programs in HackerOne | Information Disclosure | nismo | No rating | 2016-04-25 |
| Increase number of bugs by sending duplicate of your own valid report | Violation of Secure Design Principles | ashish_r_padelkar | No rating | 2016-04-25 |
| Accepting Invalid characters on email address | Violation of Secure Design Principles | siddiki | No rating | 2016-04-25 |
| Internal bounty and swag details disclosed as part of JSON response | Information Disclosure | techguynoob | No rating | 2016-04-25 |
| Possible XSS | Cross-site Scripting (XSS) - Generic | paulos_ | No rating | 2016-04-22 |
| Abusing HOF rankings in limited circumstances | Violation of Secure Design Principles | ashish_r_padelkar | No rating | 2016-04-22 |
| Websites opened from reports can change url of report page | Cross-Site Request Forgery (CSRF) | cablej | No rating | 2016-04-21 |
| Multiple issues with Markdown and URL parsing | Violation of Secure Design Principles | pisarenko | No rating | 2016-04-21 |
| Deleted name still present via mouseover functionality for user accounts | Information Disclosure | meals | No rating | 2016-04-21 |
| User with Read-Only permissions can manually public disclosure the report | Violation of Secure Design Principles | techguynoob | No rating | 2016-04-21 |
| Reputation Manipulation (Theoretical) | Violation of Secure Design Principles | paulos_ | No rating | 2016-04-20 |
| New hacktivity view discloses report IDs of non-public reports | Violation of Secure Design Principles | paresh_parmar | No rating | 2016-04-05 |
| AWS S3 bucket writeable for authenticated aws users | Improper Authentication - Generic | yaworsk | No rating | 2016-04-05 |
| External links should use rel="noopener" or use the redirect service | Open Redirect | lukasreschke | No rating | 2016-04-05 |
| Putting link inside link in markdown | Denial of Service | pikachu | No rating | 2016-04-02 |
| External programs revealing info | Improper Authentication - Generic | 1337coder | No rating | 2016-04-01 |
| User with Read-Only permissions can edit the SwagAwarded Activities on Bug Reports | Privilege Escalation | techguynoob | No rating | 2016-04-01 |
| User with Read-Only permissions can edit the Internal comment Activities on Bug Reports After Revoke the team access permissions | Privilege Escalation | techguynoob | No rating | 2016-04-01 |
| Disclosure of private programs that have an "external" page on HackerOne | Information Disclosure | saeedhashem | No rating | 2016-04-01 |
| Email Address Leak | Information Disclosure | mikkz | No rating | 2016-03-31 |
| Sending emails (via HackerOne) impersonating other users | Violation of Secure Design Principles | anshuman_bh | No rating | 2016-03-18 |
| Private program activity timeline information disclosure | Improper Authentication - Generic | charfe | No rating | 2016-03-16 |
| Edit Auto Response Messages | Violation of Secure Design Principles | rohk | No rating | 2016-03-15 |
| Denial of Service any Report | Denial of Service | cyberunit | No rating | 2016-03-10 |
| Private Program Disclosure in /:handle/settings/allow_report_submission.json endpoint | Information Disclosure | charfee | No rating | 2016-02-25 |
| Interstitial redirect bypass / open redirect in https://hackerone.com/zendesk_session | Open Redirect | zombiehelp54 | No rating | 2016-02-24 |
| Unintended HTML inclusion as a result of https://hackerone.com/reports/110578 | | | | |
None supplied |
yaworsk |
No rating |
2016-02-24 |
Null byte injection |
None supplied |
zombiehelp54 |
No rating |
2016-02-23 |
Requesting unknown file type returns Ruby object w/ address |
Information Disclosure |
run |
No rating |
2016-02-19 |
User with Read-Only permissions can request/approve public disclosure |
Violation of Secure Design Principles |
aboukir |
No rating |
2016-02-19 |
CSV Injection via the CSV export feature |
Command Injection - Generic |
zombiehelp54 |
No rating |
2016-02-16 |
Private Program Disclosure in /:handle/reports/draft.json endpoint |
Improper Authentication - Generic |
charfe |
No rating |
2016-02-16 |
attack in not an authorized user |
Denial of Service |
pisarenko |
No rating |
2016-02-16 |
Team Member(s) associated with a Group have Read-only permission (Post internal comments) can post comment to all the participants |
Privilege Escalation |
dz_samir |
No rating |
2016-01-27 |
HTML injection can lead to data theft |
Violation of Secure Design Principles |
intidc |
No rating |
2016-01-26 |
Know whether private program for company exist or not |
Information Disclosure |
ashish_r_padelkar |
No rating |
2016-01-15 |
Improve signals in reputation |
Violation of Secure Design Principles |
ashish_r_padelkar |
No rating |
2016-01-07 |
CSRF possible when SOP Bypass/UXSS is available |
Cross-Site Request Forgery (CSRF) |
avlidienbrunn |
No rating |
2015-12-30 |
Team Member███ associated with a Custom Group Created with 'Program Managment' only permissions can Comments on Bug Reports |
Improper Authentication - Generic |
h13- |
No rating |
2015-12-29 |
Parameter pollution in social sharing buttons |
Violation of Secure Design Principles |
goro |
No rating |
2015-12-19 |
HackerOne Private Programs users disclosure and de-anonymous-ize |
Information Disclosure |
symbiansymoh |
No rating |
2015-12-08 |
profile cover can also load external URL's |
Violation of Secure Design Principles |
smiegles |
No rating |
2015-12-02 |
HTTP header injection in info.hackerone.com allows setting cookies for hackerone.com |
None supplied |
harisec |
No rating |
2015-12-02 |
Limited CSRF bypass. |
Cross-Site Request Forgery (CSRF) |
defmax |
No rating |
2015-12-02 |
Pre-generation of 2FA secret/backup codes seems like an unnecessary risk |
None supplied |
danlec |
No rating |
2015-12-02 |
Hackerone impersonation |
None supplied |
abhisheksingh |
No rating |
2015-12-02 |
Cross-domain AJAX request |
Open Redirect |
ragnar |
No rating |
2015-11-14 |
Send AJAX request to external domain |
Cross-site Scripting (XSS) - Generic |
r0x33d |
No rating |
2015-11-14 |
Content spoofing on invitations page |
None supplied |
rohan_x3 |
No rating |
2015-10-21 |
Minimum bounty of a private program is visible for users that were removed from the program |
Information Disclosure |
coolboss |
No rating |
2015-10-21 |
Minor Bug: Public un-compiled CSS with original sass, versioning, source map, comments, etc. |
Information Disclosure |
ericr |
No rating |
2015-09-25 |
CSV Injection with the CVS export feature |
Command Injection - Generic |
appsec3 |
No rating |
2015-09-22 |
Weak HSTS age in support hackerone site |
Violation of Secure Design Principles |
codequick |
No rating |
2015-09-18 |
Private Program and bounty details disclosed as part of JSON search response |
Improper Authentication - Generic |
techguynoob |
No rating |
2015-08-31 |
Gain reputation by creating a duplicate of an existing report |
Violation of Secure Design Principles |
huzaifa_jawaid |
No rating |
2015-08-14 |
Number of invited researchers disclosed as part of JSON search response |
Information Disclosure |
jessescitech |
No rating |
2015-08-05 |
Logical Issue (Boosting Reputation points) |
None supplied |
coolboss |
No rating |
2015-07-21 |
Accessing title of the report of which you are marked as duplicate |
Improper Authentication - Generic |
mafia |
No rating |
2015-07-17 |
Invitation is not properly cancelled while inviting to bug reports. |
Improper Authentication - Generic |
batman |
No rating |
2015-07-10 |
In markdown, parsing things like @danlec and #46072 after links is unsafe |
None supplied |
danlec |
No rating |
2015-07-04 |
Markdown code block sequence makes report unreadable |
None supplied |
danlec |
No rating |
2015-06-29 |
Email Notification should be get while changing Paypal Email |
Improper Authentication - Generic |
mvcdabra |
No rating |
2015-06-20 |
Open redirect in "Language change". |
Open Redirect |
seifelsallamy |
No rating |
2015-06-19 |
mailto: link injection on https://hackerone.com/directory |
Violation of Secure Design Principles |
ashesh |
No rating |
2015-06-10 |
Potential denial of service in hackerone.com/<program>/reward_settings |
Denial of Service |
ashesh |
No rating |
2015-06-10 |
Flawed account creation process allows registration of usernames corresponding to existing file names |
None supplied |
robots-txt |
No rating |
2015-06-08 |
Report title autocompletion |
Information Disclosure |
janpaul123 |
No rating |
2015-06-08 |
SPF whitelist of mandrill leads to email forgery |
Improper Authentication - Generic |
mikebrooks |
No rating |
2015-06-08 |
Reopen Disable Accounts/ Hidden Access After Disable |
Improper Authentication - Generic |
antrax |
No rating |
2015-06-08 |
Privilege escalation..., or not?! |
Violation of Secure Design Principles |
tomvg |
No rating |
2015-06-08 |
Logic error with notifications: user that has left team continues to receive notifications and can not 'clean' this area on account |
Violation of Secure Design Principles |
brdoors2 |
No rating |
2015-06-04 |
External URL page bypass |
None supplied |
danielchatfield |
No rating |
2015-05-28 |
Logical issues with account settings |
Violation of Secure Design Principles |
introvertmac |
No rating |
2015-05-28 |
Email spoofing |
Violation of Secure Design Principles |
introvertmac |
No rating |
2015-05-28 |
Autocomplete enabled in Paypal preferences |
Violation of Secure Design Principles |
xtross1 |
No rating |
2015-05-28 |
RTL override symbol not stripped from file names |
Violation of Secure Design Principles |
mathias |
No rating |
2015-05-28 |
Issue with remember_user_token |
Violation of Secure Design Principles |
dawidczagan |
No rating |
2015-05-28 |
PNG compression DoS |
Denial of Service |
dutchgraa |
No rating |
2015-05-28 |
Issue with password change |
Violation of Secure Design Principles |
dawidczagan |
No rating |
2015-05-28 |
javascript: and mailto: links are allowed on users' profiles |
Cross-site Scripting (XSS) - Generic |
tectonic |
No rating |
2015-05-13 |
Content Spoofing - External Link Warning Page |
Violation of Secure Design Principles |
vagg-a-bond |
No rating |
2015-05-11 |
Fake URL + Additional vectors for homograph attack |
Violation of Secure Design Principles |
r0x33d |
No rating |
2015-05-09 |
Making any Report Failed to load |
Denial of Service |
atom |
No rating |
2015-05-09 |
Homograph Attack |
Open Redirect |
atom |
No rating |
2015-05-09 |
Enumeration/Guess of Private (Invited) Programs |
Violation of Secure Design Principles |
prakharprasad |
No rating |
2015-05-09 |
Homograph attack |
Violation of Secure Design Principles |
filedescriptor |
No rating |
2015-05-09 |
(lack of) smtp transport layer security |
Cryptographic Issues - Generic |
leander |
No rating |
2015-05-05 |
Homograph attack |
Violation of Secure Design Principles |
r0x33d |
No rating |
2015-05-03 |
Marking notifications as read CSRF bug |
Cross-Site Request Forgery (CSRF) |
redkan |
No rating |
2015-04-28 |
Denial of Service |
Denial of Service |
coolboss |
No rating |
2015-04-28 |
Anti-MIME-Sniffing header X-Content-Type-Options header has not been set. |
Violation of Secure Design Principles |
uname |
No rating |
2015-04-28 |
Logic Issue with Reputation: Boost Reputation Points |
Violation of Secure Design Principles |
prakharprasad |
No rating |
2015-04-28 |
Open-redirect on hackerone.com |
Open Redirect |
r0x33d |
No rating |
2015-04-23 |
Missing spf flags for hackerone.com |
Cryptographic Issues - Generic |
d1pakda5 |
No rating |
2015-04-23 |
Reflected File Download attack allows attacker to 'upload' executables to hackerone.com domain |
Command Injection - Generic |
rickypaipie |
No rating |
2015-04-16 |
Markdown parsing issue enables insertion of malicious tags and event handlers |
Cross-site Scripting (XSS) - Generic |
danlec |
High |
2015-04-07 |
Team member invitations to sandboxed teams are not invalidated consistently |
Improper Authentication - Generic |
mazengamal |
No rating |
2015-03-28 |
Restrict any user from logging into his account. |
Improper Authentication - Generic |
siddiki |
No rating |
2015-03-24 |
"learn more here", reward email - domain expired. |
Open Redirect |
smiegles |
No rating |
2015-03-23 |
Improperly validated fields allows injection of arbitrary HTML via spoofed React objects |
Cross-site Scripting (XSS) - Generic |
danlec |
High |
2015-03-18 |
Substantially weakened authenticity verification when using 'Remember me for a week' |
Cryptographic Issues - Generic |
guido |
No rating |
2015-03-12 |
Auto Approval of Invitation to join Team as a Team member |
Violation of Secure Design Principles |
h122- |
No rating |
2015-03-11 |
HTTPS is not enforced for objects stored by HackerOne on Amazon S3 |
Violation of Secure Design Principles |
srkgupta |
No rating |
2015-03-08 |
Team member invitations to sandboxed teams are not invalidated consistently (v2) |
Privilege Escalation |
siddiki |
No rating |
2015-02-28 |
CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain |
Cross-Site Request Forgery (CSRF) |
danlec |
No rating |
2015-02-26 |
Insecure Direct Object Reference vulnerability |
Violation of Secure Design Principles |
anshuman_bh |
No rating |
2015-02-20 |
Improper way of validating a program |
Cryptographic Issues - Generic |
atom |
No rating |
2015-02-04 |
Vulnerability with the way \ escaped characters in <http://danlec.com> style links are rendered |
Cross-site Scripting (XSS) - Generic |
danlec |
High |
2015-02-03 |
"early preview" programs disclosure |
Information Disclosure |
d4d1a179c0f3 |
No rating |
2015-01-21 |
Breaking Bugs as team member |
Denial of Service |
melvin |
No rating |
2014-12-09 |
File Name Enumeration |
Information Disclosure |
nahamsec |
No rating |
2014-11-17 |
No email verification on username change |
Information Disclosure |
shahmeer-amir |
No rating |
2014-11-17 |
Window Opener Property Bug |
None supplied |
prakharprasad |
No rating |
2014-10-29 |
Redirect FILTER bypass in report/comment |
Open Redirect |
coolboss |
No rating |
2014-10-19 |
Ability to see common response titles of other teams (limited) |
Information Disclosure |
prakharprasad |
No rating |
2014-10-15 |
homograph attack. IDNs displayed in unicode in bug reports and on external link warning page |
Violation of Secure Design Principles |
mrrm |
No rating |
2014-10-09 |
Enumeration of users |
Violation of Secure Design Principles |
dawidczagan |
No rating |
2014-10-03 |
Password Reset Bug |
Violation of Secure Design Principles |
christypriory |
No rating |
2014-09-26 |
Change Any username and profile link in hackerone |
Privilege Escalation |
looping |
No rating |
2014-09-26 |
Redirect while opening links in new tabs |
Open Redirect |
thetime |
No rating |
2014-09-13 |
Notification of previous signed out user leakage. |
Information Disclosure |
siddiki |
No rating |
2014-09-01 |
Email changing |
None supplied |
djamel-ghorab |
No rating |
2014-08-28 |
Account Hijacking (Only rare case scenario) |
Improper Authentication - Generic |
xtross1 |
No rating |
2014-08-23 |
Category- Broken Authentication and Session Management (leads to account compromise if some conditions are met) |
Improper Authentication - Generic |
appsecure_in |
No rating |
2014-07-26 |
No option to logout concurrent sessions |
None supplied |
ashesh |
No rating |
2014-07-18 |
Account takeover |
Improper Authentication - Generic |
coolboss |
No rating |
2014-07-18 |
Cache leads to Privacy leaks |
Improper Authentication - Generic |
ashesh |
No rating |
2014-07-18 |
Session Hijacking attack (Different Scenario) |
Improper Authentication - Generic |
shahmeer-amir |
No rating |
2014-07-18 |
Improper filtering of classes used in codeblocks in Markdown |
Cross-site Scripting (XSS) - Generic |
markijbema |
No rating |
2014-07-08 |
Potential denial of service in hackerone.com/teams/new |
Denial of Service |
idps |
No rating |
2014-06-21 |
Adding an user email address to the list before confirming. |
Violation of Secure Design Principles |
siddiki |
No rating |
2014-06-11 |
Session not invalidated after password reset |
Violation of Secure Design Principles |
guido |
No rating |
2014-06-10 |
harvesting attack on user registration |
None supplied |
niks |
No rating |
2014-05-19 |
Flooding mailbox of user |
Violation of Secure Design Principles |
dawidczagan |
No rating |
2014-05-01 |
Arbitrary file uploads to Amazon WS. |
Violation of Secure Design Principles |
leander |
No rating |
2014-04-27 |
Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!) |
Cryptographic Issues - Generic |
simon90 |
No rating |
2014-04-22 |
Securing sensitive pages from SearchBots |
Violation of Secure Design Principles |
siddiki |
No rating |
2014-04-20 |
Weird Bug - Ability to see partial of other user's notification |
None supplied |
wcypierre |
No rating |
2014-04-19 |
A password reset page does not properly validate the authenticity token at the server side. |
Cross-Site Request Forgery (CSRF) |
niks |
No rating |
2014-04-19 |
Flawed account creation process allows registration of usernames corresponding to existing file names |
None supplied |
mortes |
No rating |
2014-04-19 |
Session Management |
None supplied |
javidhussain21 |
No rating |
2014-04-19 |
Session not expired on logout |
None supplied |
satishb3 |
No rating |
2014-04-19 |
creating titleless and non-closable bugs |
None supplied |
leander |
No rating |
2014-04-17 |
Control Characters Not Stripped From Username on Signup |
Violation of Secure Design Principles |
wkcaj |
No rating |
2014-03-11 |
CSS leaks SCSS debug info |
Information Disclosure |
guido |
No rating |
2014-02-28 |
Switching the user to the attacker's account |
Cross-Site Request Forgery (CSRF) |
dawidczagan |
No rating |
2014-02-20 |
Improper session management |
Improper Authentication - Generic |
dawidczagan |
No rating |
2014-02-20 |
Information disclosure (reset password token) and changing the user's password |
Cross-Site Request Forgery (CSRF) |
dawidczagan |
No rating |
2014-02-20 |
Upload profile photo from URL |
Server-Side Request Forgery (SSRF) |
yeahyeah |
No rating |
2014-02-15 |
DNS Misconfiguration |
None supplied |
szgru |
No rating |
2014-02-15 |
Login page password-guessing attack |
None supplied |
gazly |
No rating |
2014-01-16 |
CSRF login |
Cross-Site Request Forgery (CSRF) |
andrisatteka |
No rating |
2014-01-13 |
Missing SPF for hackerone.com |
Violation of Secure Design Principles |
szgru |
No rating |
2014-01-09 |
Broken Authentication and session management OWASP A2 |
Improper Authentication - Generic |
appsecure_in |
No rating |
2014-01-09 |
DNS Cache Poisoning |
None supplied |
michael1026 |
No rating |
2014-01-09 |
GIF flooding |
Denial of Service |
dutchgraa |
No rating |
2013-11-30 |
Pixel flood attack |
Denial of Service |
dutchgraa |
No rating |
2013-11-30 |
CSP not consistently applied |
Cross-site Scripting (XSS) - Generic |
janpaul123 |
No rating |
2013-11-30 |
Real impersonation |
None supplied |
janpaul123 |
No rating |
2013-11-30 |