Khan Academy

46 total issues disclosed
$0 total paid publicly
Most disclosed (13 disclosures) — Cross-site Scripting (XSS) - Generic
Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Access to alerta.khanacademy.org leak sensitive data | Improper Access Control - Generic | kolayma_sec | Critical | 2021-09-08 |
| Enumerate all the class codes via google dorking | Improper Access Control - Generic | renganathan | High | 2021-07-22 |
| Bypass the fix of report #1078283 due to poor validation | Open Redirect | lucenaxpl0it | High | 2021-07-08 |
| CSV Injection Via Student Password/Name Leads To Client Side RCE And Reading Client Files | Code Injection | demonia | Medium | 2020-08-27 |
| Unauthorised Account Detail Modification | Improper Access Control - Generic | 5kyw41k3r | High | 2020-06-19 |
| Information can be changed without a password | Unverified Password Change | jamesconnor | High | 2020-03-14 |
| Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers | Cross-Site Request Forgery (CSRF) | rlaneth | High | 2019-06-22 |
| Take over of accounts created using Google or Facebook | Cross-Site Request Forgery (CSRF) | tomoh | Critical | 2019-05-17 |
| Possible Take Over Subdomain For Inbound Emails | None supplied | rootbakar | Medium | 2018-11-08 |
| POST XSS in https://www.khanacademy.org.tr/ via page_search_query parameter | Cross-site Scripting (XSS) - Generic | miguel_santareno | Medium | 2018-09-19 |
| SignUp With Fake Email | Business Logic Errors | rootbakar | Medium | 2018-09-06 |
| Stored 'undefined' Cross-site Scripting | Cross-site Scripting (XSS) - Stored | rootbakar | Medium | 2018-09-05 |
| Possible Subdomain Takeover | None supplied | cyberdolt | Medium | 2018-08-31 |
| CSRF token fixation and potential account takeover | Violation of Secure Design Principles | co0nan | Medium | 2018-04-20 |
| Rate Limitation Vulnerability (DDos) | Denial of Service | hamzar97 | High | 2018-04-17 |
| XSS through document projects | Cross-site Scripting (XSS) - Stored | ethanluismcdonough | High | 2018-03-31 |
| [critical] sql injection by GET method | SQL Injection | securitygab | High | 2018-03-06 |
| Frameset(Frame) html tag is allowed in html editor.(can lead to clickjacking) | UI Redressing (Clickjacking) | na5ne3t | Low | 2018-02-14 |
| Possible to join any class without coache's knowledge & Little Information Disclosure | Business Logic Errors | tanim__ | Medium | 2017-10-12 |
| Weak Bithdate Validation Implemented on Sign Up | Violation of Secure Design Principles | paranoidglitch | Low | 2017-08-14 |
| Password Functionality not working correctly | None supplied | utkarsh123 | Low | 2017-08-03 |
| The web app's forgot password page is vulnerable to text injection/content spoofing | Command Injection - Generic | dermeister | No rating | 2017-03-01 |
| SSL/TLS Vulnerability at khanacademy.org | Cryptographic Issues - Generic | hack40077 | High | 2017-02-22 |
| No Security check at changing password and at adding mobile number which leads to account takeover and spam | Violation of Secure Design Principles | mohith_kalyan | Medium | 2017-02-21 |
| OPEN URL REDIRECT through PNG files | Cross-site Scripting (XSS) - Generic | dineshvicky | Medium | 2017-02-17 |
| XSS vulnerability in "/coach/roster/" ( create your first class) | Cross-site Scripting (XSS) - Generic | hacker00000000 | No rating | 2016-02-12 |
| Escaping the iframe via exceptions | Cross-site Scripting (XSS) - Generic | benburrill | No rating | 2015-12-29 |
| Html injection on khanacademy | Command Injection - Generic | manish_prajapat | No rating | 2015-12-14 |
| Sql injection And XSS | Cross-site Scripting (XSS) - Generic | jayden | No rating | 2015-12-08 |
| Suffix of url-path is vulnerable to XSS-attack | Cross-site Scripting (XSS) - Generic | bigbear | No rating | 2014-09-16 |
| Unchecking hidden parameter is vulnerable to XSS-attack | Cross-site Scripting (XSS) - Generic | bigbear | No rating | 2014-08-07 |
| CRLF Injection | Cross-Site Request Forgery (CSRF) | bigbear | No rating | 2014-08-07 |
| Possible clickjacking at shop.khanacademy.org | UI Redressing (Clickjacking) | internetwache | No rating | 2014-05-08 |
| CSRF - Adding/Removing items to cart - shop.khanacademy.org | Cross-Site Request Forgery (CSRF) | internetwache | No rating | 2014-05-08 |
| User guessing/enumeration at sw.khanacademy.org | Information Disclosure | internetwache | No rating | 2014-04-15 |
| Lighttpd version disclosure / directory listing | Information Disclosure | internetwache | No rating | 2014-04-13 |
| Full Path Disclosure on [smarthistory.khanacademy.org] | Information Disclosure | gsalazar | No rating | 2014-04-11 |
| https://www.khanacademy.org/login open-redirect | Open Redirect | smiegles | No rating | 2014-04-09 |
| https://www.khanacademy.org/coach/reports/activity XSS | Cross-site Scripting (XSS) - Generic | smiegles | No rating | 2014-04-09 |
| Persistent class XSS [the fuck] | Cross-site Scripting (XSS) - Generic | smiegles | No rating | 2014-04-09 |
| Stored XSS {dangerous?} https://www.khanacademy.org/coach/roster/?listId=allStudents | Cross-site Scripting (XSS) - Generic | smiegles | No rating | 2014-04-09 |
| http://smarthistory.khanacademy.org/search-results.html XSS | Cross-site Scripting (XSS) - Generic | smiegles | No rating | 2014-04-09 |
| Dom based XSS https://www.khanacademy.org/ | Cross-site Scripting (XSS) - Generic | smiegles | No rating | 2014-04-09 |
| Open Redirection in SmartHistory KhanAcademy | Open Redirect | atom | No rating | 2014-04-09 |
| Weak Ciphers Enabled | Information Disclosure | chmosama | No rating | 2014-04-09 |
| XSS at http://smarthistory.khanacademy.org | Cross-site Scripting (XSS) - Generic | prakharprasad | No rating | 2014-04-09 |