| [allods.mail.ru] - WebCache Poisoning Host Header lead to Potential Stored XSS |
Cross-site Scripting (XSS) - Stored |
0xd0ff9 |
Medium |
2021-12-08 |
| Stored XSS on https://community.my.games/ (Add Post) |
Cross-site Scripting (XSS) - Stored |
c1kada |
Medium |
2021-12-01 |
| Cross-site Scripting (XSS) - Stored |
Cross-site Scripting (XSS) - Stored |
ghost_shell |
High |
2021-11-25 |
| REST API Endpoint leads to Unauthorized user disclosed private [ issue ] details |
Privilege Escalation |
updatelap |
High |
2021-11-06 |
| bit.games - sql-inj |
SQL Injection |
alexeysergeevich |
Medium |
2021-11-06 |
| [titans.3clans.ru] phpBB 3.0.8 - Захват аккаунта администратора + удалённое выполнение кода. |
OS Command Injection |
alexeysergeevich |
None |
2021-11-06 |
| tmgame.mail.ru - Blind sql injection |
SQL Injection |
alexeysergeevich |
Medium |
2021-11-06 |
| kds.ucs.ru - раскрытие информации. |
Business Logic Errors |
alexeysergeevich |
High |
2021-11-06 |
| [samokat.ru] PHP modules path disclosure due to lack of error handling |
Information Exposure Through Debug Information |
andridev_ |
None |
2021-11-03 |
| [play.skillbox.ru] CRLF Injection |
CRLF Injection |
s_kustm |
Medium |
2021-10-30 |
| Незащищённый экземпляр Zeppelin |
None supplied |
k3ypt0 |
Critical |
2021-10-20 |
| CVE-2020-11110: Grafana Unauthenticated Stored XSS -████.bizml.ru |
Cross-site Scripting (XSS) - Stored |
melbadry9 |
None |
2021-10-11 |
| [ii.worki.ru ] emarsys subdomain takeover |
Privilege Escalation |
uddeshaya001 |
Medium |
2021-09-28 |
| Stored XSS on top.mail.ru |
Cross-site Scripting (XSS) - Stored |
savproga |
Medium |
2021-09-10 |
| SQL injection on jd.mail.ru |
SQL Injection |
pisarenko |
High |
2021-09-08 |
| [185.30.178.57:8080] - Vulnerable to Jetleak |
Memory Corruption - Generic |
xaleraf4ra |
Critical |
2021-09-08 |
| subdomain takeover disney.samokat.ru |
Privilege Escalation |
nanwn |
Medium |
2021-09-07 |
| informations disclosure(Email,Numbers,Agreements, admin Sessions and more ...) through a PostgreSQL database belongs to (legium-back.corp.mail.ru) |
Information Disclosure |
yukusawa18 |
Medium |
2021-09-05 |
| [Biz] [Mailer] Кроп любых* изображений расположенных на сервере |
Resource Injection |
kriakiku |
Medium |
2021-08-30 |
| Blind XSS Stored and CORS misconfiguration в отчете "События" сервиса top.mail.ru |
Cross-site Scripting (XSS) - Stored |
savproga |
High |
2021-08-17 |
| Subdomain takeover on "info-edcrunch.skillfactory.ru" |
Privilege Escalation |
abosala7 |
Medium |
2021-08-15 |
| mailer.i.bizml.ru viber service preprod information disclosure |
Information Disclosure |
cutoffurmind |
Medium |
2021-08-13 |
| uchi.ru check_lessons Blind SQL Injection |
SQL Injection |
cutoffurmind |
High |
2021-08-13 |
| [http://kiwi.youdrive.today/] Information disclosure via Kiwi TCMS vulnerability |
Improper Access Control - Generic |
act1on3 |
Medium |
2021-08-13 |
| [app-01.youdrive.club] RCE in CI/CD via dependency confusion |
Command Injection - Generic |
act1on3 |
High |
2021-07-27 |
| [geekbrains.ru] Node modules path disclosure due to lack of error handling |
Information Disclosure |
nakabonne |
Low |
2021-07-27 |
| [tanks.mail.ru] SSRF + Кража cookie |
Cross-Site Request Forgery (CSRF) |
alexeysergeevich |
Medium |
2021-07-22 |
| Unauthorized Access To Admin panel |
Improper Access Control - Generic |
01alsanosi |
None |
2021-07-22 |
| Bypassing SOP with XSS on account.my.games leading to steal CSRF token and user information |
Cross-Site Request Forgery (CSRF) |
sec_zone64 |
Medium |
2021-07-22 |
| CSRF + XSS leads to ATO |
Cross-Site Request Forgery (CSRF) |
bombon |
Medium |
2021-06-22 |
| [com.icq.mobile.client] Любое стороннее приложение может угнать сессию, а также другие файлы приложения |
Information Disclosure |
igorpyan |
Medium |
2021-06-22 |
| internal path disclosure via error message |
Information Exposure Through an Error Message |
ali-h-hasan |
None |
2021-06-22 |
| [mcs.mail.ru] Пользователь с ролью наблюдателя может создавать ключи доступа для очереди сообщений (sqs.mcs.mail.ru) |
Improper Access Control - Generic |
mrd0x1 |
Medium |
2021-06-22 |
| XSS (reflected, and then, cookie persisted) on api documentation site theme selector (old version of dokuwiki) |
Cross-site Scripting (XSS) - Stored |
mvm |
Medium |
2021-06-06 |
| Stored XSS на странице "Измененить водителя" [city-mobil.ru/taxiserv] |
Cross-site Scripting (XSS) - Stored |
kwel |
Low |
2021-05-28 |
| Stored XSS на странице "Изменить клиента", вкладка "История" [city-mobil.ru/taxiserv] |
Cross-site Scripting (XSS) - Stored |
kwel |
Low |
2021-05-28 |
| Disk-o Cloud application (Windows) does not validate server certificate on a TLS connection |
Improper Certificate Validation |
aapo |
High |
2021-05-26 |
| Account takeover on [support2.ucs.ru] |
Brute Force |
tounsi_007 |
Low |
2021-05-26 |
| Blind SQL in id_locality GET param on [city-mobil.ru/taxiserv] |
SQL Injection |
organdonor |
High |
2021-05-25 |
| Blind SQL injection on [city-mobil.ru/taxiserv/] in filter{"id_locality"} |
SQL Injection |
organdonor |
High |
2021-05-25 |
| Debug Mode Leak Critical Information [ AWS Keys , SMTP , Database , Django Secret Key ( RCE ) , Dodoc , Telegram , Twilio .. ] |
Information Disclosure |
yukusawa18 |
Critical |
2021-05-24 |
| SSRF at jira.plazius.ru - CVE-2019-8451 |
Server-Side Request Forgery (SSRF) |
cutedoggo |
High |
2021-05-12 |
| Path traversal lead to LFR via [CVE-2019-3394] |
Path Traversal |
tounsi_007 |
Critical |
2021-05-12 |
| [web.icq.com] Stored XSS in Account Name |
Cross-site Scripting (XSS) - Stored |
0x7 |
Medium |
2021-04-30 |
| [Plazius] SSRF через некорректно сконфигурированный Fiddler 46.148.201.206:10121 |
Server-Side Request Forgery (SSRF) |
p1006 |
High |
2021-04-24 |
| relap.io/admin/api - административный API доступен без аутентификации |
Improper Authentication - Generic |
stanhates |
High |
2021-04-23 |
| Stored XSS on store.my.games |
Cross-site Scripting (XSS) - Stored |
3xternull |
Medium |
2021-04-17 |
| Blind SSRF on [relap.io] |
Server-Side Request Forgery (SSRF) |
kiriknik |
Medium |
2021-04-12 |
| read new emails from any inbox IOS APP in notification center |
Insecure Direct Object Reference (IDOR) |
dennisleo6 |
Critical |
2021-04-10 |
| DOM XSS on https://biz.mail.ru/domains/goto/mail/ via parameter pollution |
Cross-site Scripting (XSS) - DOM |
p4fg |
Medium |
2021-04-06 |
| Открытый Confluence и доступы к чату операторов в Skype |
Information Disclosure |
r0hack |
Medium |
2021-03-25 |
| XSS via POST request to https://account.mail.ru/signup/ |
Cross-site Scripting (XSS) - Reflected |
login-denied |
Medium |
2021-03-20 |
| file read on MCS servers via supplying a QCOW2 image with external backing file |
Information Disclosure |
neex |
High |
2021-03-19 |
| [city-mobil.ru/taxiserv/] SQLi at /taxiserv/tariffs/dictionary at filter{"id_locality"} param |
SQL Injection |
act1on3 |
Critical |
2021-03-19 |
| SQL injection delivery-club.ru (ClickHouse) |
SQL Injection |
k3ypt0 |
Medium |
2021-03-18 |
| MCS Graphite SSRF: internal network access |
Server-Side Request Forgery (SSRF) |
cutoffurmind |
Medium |
2021-03-13 |
| XXE на webdav.mail.ru - PROPFIND/PROPPATCH |
XML External Entities (XXE) |
0ang3el |
High |
2021-03-01 |
| Blind SSRF на calendar.mail.ru при импорте календаря |
Server-Side Request Forgery (SSRF) |
0ang3el |
Medium |
2021-03-01 |
| Access User Tickets via IDOR in [widget.support.my.games] |
None supplied |
sicksec |
High |
2020-11-25 |
| Source code and internal credentials disclosure |
Information Disclosure |
paul_axe |
High |
2020-11-25 |
| Redmin API Key Exposed In GIthub |
Information Disclosure |
elmahdi |
Medium |
2020-11-25 |
| the same as #948259 - XSS at jsgames.mail.ru |
Cross-site Scripting (XSS) - Reflected |
sodium_ |
Low |
2020-11-25 |
| Blind SSRF on http://info.ucs.ru/settings/check/ |
Server-Side Request Forgery (SSRF) |
elmahdi |
Medium |
2020-11-25 |
| lenta_proxy information disclosure |
Information Exposure Through an Error Message |
naategh |
Medium |
2020-11-25 |
| Information Disclosure |
Information Disclosure |
steal_wart |
None |
2020-11-25 |
| Disclosure of personal support email addresses on 'support-fleet.city-mobil.ru' |
Information Disclosure |
olidayw |
Low |
2020-11-11 |
| cross site scripting bypass session |
Cross-site Scripting (XSS) - Reflected |
dennisleo6 |
High |
2020-11-04 |
| Path traversal on bank.mail.ru ( CVE-2013-3827 ) |
Path Traversal |
st00rm |
Medium |
2020-11-04 |
| mrgs.my.games account takeover |
Improper Access Control - Generic |
maxarr |
High |
2020-11-03 |
| Account Takeover possibility via https://awards.donationalerts.com using login with twitch.tv |
Improper Authentication - Generic |
jayesh25 |
High |
2020-11-03 |
| SQL LIKE clauses wildcard injection |
SQL Injection |
bazzy |
No rating |
2020-10-31 |
| SQL LIKE clauses wildcard injection |
SQL Injection |
bazzy |
No rating |
2020-10-31 |
| [my.games, lootdog.io] XSS via MCS Bucket |
Cross-site Scripting (XSS) - Stored |
bobrov |
Medium |
2020-10-31 |
| [api.my.games/social/chat/multi/add] Privilege escalation on adding new members to group chat |
Privilege Escalation |
mainteemoforfun |
None |
2020-10-30 |
| SQL Injection [unauthenticated] with direct output at https://news.mail.ru/ |
SQL Injection |
derision |
High |
2020-10-30 |
| SQL Injection [unauthenticated] with direct output at https://news.mail.ru/ |
SQL Injection |
derision |
High |
2020-10-30 |
| Multiple SQL Injections and constrained LFI in esk-static.3igames.mail.ru |
SQL Injection |
haxonaut |
High |
2020-10-29 |
| Логи на http://login.aa.mail.ru/logs/ |
Information Disclosure |
devirok |
Low |
2020-10-28 |
| Reflected XSS on https://e.mail.ru/compose/ via Body parameter |
Cross-site Scripting (XSS) - Reflected |
panya |
Medium |
2020-10-27 |
| [combo.mail.ru] SMS code bruteforce |
Brute Force |
esetal |
High |
2020-10-27 |
| OTP bypass on user account deletion |
Modification of Assumed-Immutable Data (MAID) |
risinghunter |
Low |
2020-10-27 |
| Stored XSS through fileupload |
Cross-site Scripting (XSS) - Stored |
ther3d0ne |
Medium |
2020-10-27 |
| Cross-site Scripting (XSS) - DOM on https://account.mail.ru/user/garage?back_url=https://mail.ru |
Cross-site Scripting (XSS) - DOM |
magzhan |
High |
2020-10-27 |
| Insufficient limitation of web page title leads to DoS against ICQ for Android |
Denial of Service |
artebels |
Medium |
2020-10-24 |
| web.icq.com XSS in chat message via contact info |
Cross-site Scripting (XSS) - Stored |
superboyxxx |
High |
2020-10-15 |
| NPM_API_KEY Leak |
Information Disclosure |
rzx007x |
Low |
2020-10-14 |
| SMS Brute Force Possibility via https://youdrive.today/login/web/code can lead to Account Takeover |
Brute Force |
jayesh25 |
High |
2020-10-13 |
| Возможность создать канал в группе, в которой пользователь не является админом [my.games] |
Business Logic Errors |
kwel |
None |
2020-10-13 |
| This Github Repository Seems Leaking "nino.samokat.ru" Source Code |
Information Disclosure |
gevakun |
Medium |
2020-10-13 |
| Stored XSS in history on [corporate.city-mobil.ru] |
Cross-site Scripting (XSS) - Stored |
organdonor |
Low |
2020-10-12 |
| Stored XSS in address on [corporate.city-mobil.ru] |
Cross-site Scripting (XSS) - Stored |
organdonor |
Low |
2020-10-12 |
| Пользователь может изменить способ оплаты указав чужой corporation ID |
Business Logic Errors |
moonwalker |
Medium |
2020-10-12 |
| Stored Xss |
Cross-site Scripting (XSS) - Stored |
ja3far |
Medium |
2020-10-07 |
| Forgot Password Page SMS Brute Force could lead to Account Takeover using Android/IOS app "About the house" via api.prodom.smart.space |
Brute Force |
jayesh25 |
High |
2020-10-06 |
| Возможность просмотра коментариев к чужим обращениям [corporate.city-mobil.ru] |
Insecure Direct Object Reference (IDOR) |
kwel |
Medium |
2020-10-05 |
| Improper Restriction of Excessive Authentication Attempts at https://api.warrobots.com/auth (Pixonic Games) |
Brute Force |
jayesh25 |
Low |
2020-10-05 |
| HTTP request smuggling (?) canpol.deti.mail.ru |
None supplied |
maxarr |
High |
2020-10-05 |
| HTTP request smuggling (?) canpol.deti.mail.ru |
None supplied |
maxarr |
High |
2020-10-05 |
| [geekbrains.ru] CVE-2019-5418 Ruby on Rails File Content Disclosure |
Path Traversal |
bobrov |
Medium |
2020-10-05 |
| ICQ Android APP remote DoS |
Denial of Service |
zoczus |
Low |
2020-10-05 |
| IDOR of contracts on dictor.mail.ru |
Insecure Direct Object Reference (IDOR) |
tr3harder |
None |
2020-10-05 |
| Ability to edit the address of any company by its id on [corporate.city-mobil.ru] |
Insecure Direct Object Reference (IDOR) |
organdonor |
None |
2020-10-05 |
| Открытая админка Tarantool |
Information Disclosure |
0x01alka |
Medium |
2020-10-05 |
| SECRET_KEY Of Django Leaked In maps.me |
Information Disclosure |
sniper302 |
Medium |
2020-10-05 |
| В самокате можно просматривать и изменять данные любого заказа без авторизации |
Insecure Direct Object Reference (IDOR) |
kwel |
Medium |
2020-10-05 |
| В самокат имеется возможность просмотра суммы заказа и номера заказа по ID [smart.space] |
Insecure Direct Object Reference (IDOR) |
kwel |
Low |
2020-10-05 |
| [https://youdrive.today/] Nginx directory traversal |
Path Traversal |
act1on3 |
Medium |
2020-10-05 |
| XSS via "gp" cookie reflected in source code |
Cross-site Scripting (XSS) - Generic |
setuid |
Medium |
2020-10-05 |
| Improper Restriction of Excessive Authentication Attempts at o2-ac.my.com/token |
Brute Force |
jayesh25 |
Low |
2020-10-05 |
| Access to git & and configuration files on backtoschool.geekbrains.ru via gitfile |
Violation of Secure Design Principles |
damian89 |
Medium |
2020-10-05 |
| Clickjacking Vulnerability via https://webagent.mail.ru leading to protection bypass for https://web.icq.com/ end point |
UI Redressing (Clickjacking) |
jayesh25 |
Low |
2020-10-05 |
| [city-mobil.ru] SSRF & limited LFR on /taxiserv/photoeditor/save endpoint via base64 POST parameter |
Server-Side Request Forgery (SSRF) |
byq |
High |
2020-10-01 |
| Blind SSRF in horizon-heat |
Server-Side Request Forgery (SSRF) |
paul_axe |
No rating |
2020-10-01 |
| Blind SSRF in magnum upgrade_params |
Server-Side Request Forgery (SSRF) |
paul_axe |
No rating |
2020-10-01 |
| [panel.city-mobil.ru/admin/] Blind XSS via partner name (similar to #746505) |
Cross-site Scripting (XSS) - Stored |
act1on3 |
High |
2020-10-01 |
| Broken twitter link hijacking at https://games.mail.ru/pc/search/ |
None supplied |
nagli |
None |
2020-09-18 |
| Log files Leaked In mcsblog.ru |
Information Disclosure |
sniper302 |
Medium |
2020-09-18 |
| Broken twitter link hijacking at https://games.mail.ru/pc/search/ |
None supplied |
nagli |
None |
2020-09-18 |
| [icq.im] Reflected XSS via chat invite link |
Cross-site Scripting (XSS) - Reflected |
romesful |
Low |
2020-09-15 |
| IDOR in tracking driver logs at city-mobil.ru |
Insecure Direct Object Reference (IDOR) |
r0hack |
Low |
2020-09-15 |
| Database read through provider misconfiguration |
Insecure Storage of Sensitive Information |
kanytu |
Medium |
2020-09-15 |
| Private files exposed to other apps |
Insecure Storage of Sensitive Information |
kanytu |
High |
2020-09-15 |
| SQL injection at fleet.city-mobil.ru |
SQL Injection |
r0hack |
High |
2020-09-03 |
| REFLECTED XSS On http://jsgames.mail.ru/bad_browser.php via back_url paramter |
Cross-site Scripting (XSS) - Reflected |
yukusawa18 |
Medium |
2020-09-03 |
| SQL injection at fleet.city-mobil.ru |
SQL Injection |
r0hack |
High |
2020-09-03 |
| looch.tv CORS crossite user information and stream_key access |
Cross-Site Request Forgery (CSRF) |
iframe |
Medium |
2020-09-02 |
| [api.33slona.ru] Доступ к API из за неправильной конфигурации сервера 302 редирет. |
None supplied |
iframe |
None |
2020-09-02 |
| Subdomain Takeover at analyticstest.geekbrains.ru |
Privilege Escalation |
steal_wart |
Medium |
2020-09-02 |
| Public access to Sidekiq dashboard at shopper.sbermarket.ru |
None supplied |
avolume |
Medium |
2020-09-02 |
| warofdragons.my.games: configuration files with database account are accessible |
Information Disclosure |
iframe |
Medium |
2020-09-01 |
| warofdragons.my.games: configuration files with database account are accessible |
Information Disclosure |
iframe |
Medium |
2020-09-01 |
| IDOR позволяет изменить информацию о пользователе. |
Insecure Direct Object Reference (IDOR) |
iframe |
Medium |
2020-09-01 |
| [garnier-olia.lady.mail.ru] Reflected XSS /exp/ bypass "/" |
Cross-site Scripting (XSS) - Reflected |
iframe |
Low |
2020-09-01 |
| Access to information about any video and its owner via GraphQL endpoint [dictor.mail.ru] |
Insecure Direct Object Reference (IDOR) |
organdonor |
Medium |
2020-09-01 |
| An implementation flaw in Mail.ru can be exploited for DKIM signature spoofing and email spoofing |
Improper Authentication - Generic |
jianjun |
Medium |
2020-08-31 |
| [self?] XSS в адресе пользователя [sbermarket.ru] |
Cross-site Scripting (XSS) - Stored |
pisarenko |
None |
2020-08-31 |
| [performancemarketing.geekbrains.ru] Tilda Subdomain Takeover |
Improper Access Control - Generic |
xaleraf4ra |
Low |
2020-08-12 |
| [c-api.city-mobil.ru] IDOR chat messages between driver and customer |
Improper Authentication - Generic |
anyday |
No rating |
2020-08-12 |
| tracker.my.com information disclosure via csrf bypass |
Cross-Site Request Forgery (CSRF) |
shuraros |
Low |
2020-08-12 |
| information disclosure via IDOR on "https://target.my.com/api/v2/coverage/segment.json?id={id}" endpoint |
Insecure Direct Object Reference (IDOR) |
shuraros |
None |
2020-08-12 |
| Vertical Privilege Escalation on {target.my.com} |
Privilege Escalation |
dedsec69 |
Medium |
2020-08-12 |
| Subdomain takeover at msproject.geekbrains.ru |
Privilege Escalation |
steal_wart |
Medium |
2020-08-12 |
| Bypass OTP on contact back request at https://driver.city-mobil.ru/ |
None supplied |
nitin1205 |
None |
2020-08-12 |
| xss while uploading a file |
None supplied |
aslanemre |
None |
2020-08-03 |
| Account takeover through password reset in cups.mail.ru |
Insecure Direct Object Reference (IDOR) |
weev3kyaw |
High |
2020-08-03 |
| xss on [storehouse5.ucs.ru] |
Cross-site Scripting (XSS) - Reflected |
pisarenko |
Low |
2020-08-03 |
| Open Redirect at "city-mobil.ru" |
Open Redirect |
kursadalsan |
None |
2020-08-03 |
| relap.io IDOR |
Insecure Direct Object Reference (IDOR) |
shuraros |
Low |
2020-08-03 |
| Reflected XSS in "keywords" parameter at "https://sbermarket.ru/metro/search" |
Cross-site Scripting (XSS) - Reflected |
mehulpanchal007 |
Medium |
2020-08-03 |
| Account takeover through password reset in cups.mail.ru |
Insecure Direct Object Reference (IDOR) |
weev3kyaw |
High |
2020-08-03 |
| Stored self XSS at auto.mail.ru using add_review functionality |
Cross-site Scripting (XSS) - Stored |
avolume |
None |
2020-07-31 |
| Sidekiq Dashboard Publicly accessible at http://shopper.staging.instamart.ru/sidekiq/ |
None supplied |
sudi |
Medium |
2020-07-31 |
| SMTP Header Injection at http://abonement.ucs.ru |
CRLF Injection |
killinem_sec |
None |
2020-07-30 |
| HTML/iframe/XSS injection on https://www.ucs.ru/online/shelter/settings/check/ |
None supplied |
h2x0 |
Medium |
2020-07-28 |
| "😂" + Unauthenticated Stored XSS in API at https://api.my.games/comments/v1/comments/update/ |
Cross-site Scripting (XSS) - Stored |
samet |
High |
2020-07-28 |
| Blindy Replace User's Session with Attacker's Session |
Cross-Site Request Forgery (CSRF) |
sayaanalam |
Low |
2020-07-28 |
| Stored XSS In mlbootcamp.ru |
Cross-site Scripting (XSS) - Stored |
sniper302 |
High |
2020-07-28 |
| Content injection on shared event (calendar.mail.ru) |
Phishing |
urban_tramp |
Low |
2020-07-28 |
| capsula.mail.ru - Admin blind stored XSS |
Cross-site Scripting (XSS) - Stored |
alexeysergeevich |
Medium |
2020-07-20 |
| [geekbrains.ru] Reflected XSS via Angular Template Injection |
Cross-site Scripting (XSS) - Reflected |
esetal |
Low |
2020-07-20 |
| User session access due to Oauth whitelist host bypass and postMessage |
Cross-Site Request Forgery (CSRF) |
mariuszpoplawski |
High |
2020-07-20 |
| Stored XSS that allow an attacker to read victim mailboxes contacts in mail.ru and my.com application |
None supplied |
weev3kyaw |
High |
2020-07-13 |
| Reflected XSS on http://info.ucs.ru/settings/check/ |
Cross-site Scripting (XSS) - Reflected |
h2x0 |
Low |
2020-07-13 |
| Stored XSS that allow an attacker to read victim mailboxes contacts in mail.ru and my.com application |
None supplied |
weev3kyaw |
High |
2020-07-13 |
| Cross-organization data access in city-mobil.ru |
Improper Access Control - Generic |
r0hack |
High |
2020-07-13 |
| [icq.com/people/*uin*/edit] Отсутствует фильтр и проверка на дубли в поле "Никнейм" |
None supplied |
ch0c0 |
None |
2020-07-13 |
| Cross-organization data access in city-mobil.ru |
Improper Access Control - Generic |
r0hack |
High |
2020-07-13 |
| Sensitive information exposure via git commit |
Insecure Storage of Sensitive Information |
woj_ciech |
Medium |
2020-07-13 |
| Subdomain Takeover at blog.instamart.ru |
Externally Controlled Reference to a Resource in Another Sphere |
m7mdharoun |
Low |
2020-07-13 |
| Reflected XSS in city-mobil.ru/ |
Cross-site Scripting (XSS) - Generic |
mariuszpoplawski |
Medium |
2020-07-13 |
| Subdomain takeover on tilda.geekbrains.ru and fl-change.geekbrains.ru |
Externally Controlled Reference to a Resource in Another Sphere |
akash-labade |
Low |
2020-07-07 |
| [account.mail.ru] XSS-уязвимость в форме авторизации |
Cross-site Scripting (XSS) - DOM |
rainbow_json |
High |
2020-06-29 |
| SSRF in filtering on relap.io |
Server-Side Request Forgery (SSRF) |
rumiljonov |
High |
2020-06-29 |
| MySQL username and password leaked on [2017.russianaicup.ru] |
Password in Configuration File |
organdonor |
Medium |
2020-06-29 |
| Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
whitespots |
Medium |
2020-06-29 |
| Stored XSS on go.mail.ru |
Cross-site Scripting (XSS) - Stored |
myasnikovalexey |
Medium |
2020-06-18 |
| Time-Based SQL injection at city-mobil.ru |
SQL Injection |
r0hack |
Critical |
2020-06-17 |
| Time-Based SQL injection at city-mobil.ru |
SQL Injection |
r0hack |
Critical |
2020-06-17 |
| Time-Based SQL injection at city-mobil.ru |
SQL Injection |
r0hack |
Critical |
2020-06-17 |
| [pulse.mail.ru] Доступ к статистике чужих площадок |
Improper Access Control - Generic |
rainbow_json |
Medium |
2020-06-04 |
| [my.games] Stored XSS via untrusted bucket |
Cross-site Scripting (XSS) - Stored |
byq |
Medium |
2020-06-04 |
| Reflected XSS at city-mobil.ru |
Cross-site Scripting (XSS) - Reflected |
tr3harder |
Medium |
2020-05-28 |
| Account Takeover worki.ru |
Brute Force |
tr3harder |
Critical |
2020-05-28 |
| XSS in [community.my.games] |
Cross-site Scripting (XSS) - Stored |
anishacks |
Medium |
2020-05-28 |
| IDOR of users |
Insecure Direct Object Reference (IDOR) |
tr3harder |
Medium |
2020-05-28 |
| Account Takeover worki.ru |
Brute Force |
tr3harder |
Critical |
2020-05-28 |
| Mirror of https://city-mobil.ru admin interface |
Misconfiguration |
merron |
None |
2020-05-14 |
| Unsafe downloaded file execution |
User Interface (UI) Misrepresentation of Critical Information |
iframe |
Low |
2020-05-13 |
| Unrestricted file upload on [ambassador.mail.ru] |
Code Injection |
organdonor |
Critical |
2020-05-08 |
| XSS at go.mail.ru |
Cross-site Scripting (XSS) - DOM |
adiosmf |
Medium |
2020-05-08 |
| Unrestricted file upload on [ambassador.mail.ru] |
Code Injection |
organdonor |
Critical |
2020-05-08 |
| Stored xss on https://go.mail.ru/ |
Cross-site Scripting (XSS) - Reflected |
01alsanosi |
Medium |
2020-05-08 |
| [city-mobil.ru/taxiserv/] Disclosure information about drivers |
Insecure Direct Object Reference (IDOR) |
act1on3 |
Medium |
2020-05-07 |
| [https://city-mobil.ru/taxiserv] IDOR leads to information disclosure |
Information Disclosure |
act1on3 |
Low |
2020-05-07 |
| [city-mobil.ru/taxiserv/] IDOR leads to driver account takeover |
Insecure Direct Object Reference (IDOR) |
act1on3 |
Medium |
2020-05-07 |
| [c-api.city-mobil.ru] Client authentication bypass leads to information disclosure |
Missing Authentication for Critical Function |
act1on3 |
Critical |
2020-04-22 |
| HTML injection at face.city-mobil.ru |
Improper Input Validation |
r0hack |
Low |
2020-04-16 |
| [fleet.city-mobil.ru] Driver balance increasing |
Business Logic Errors |
act1on3 |
Low |
2020-04-15 |
| [panel.city-mobil.ru/admin/] Blind XSS into username |
Cross-site Scripting (XSS) - Stored |
act1on3 |
High |
2020-04-14 |
| SSRF & LFR via on city-mobil.ru |
Remote File Inclusion |
byq |
High |
2020-04-14 |
| SSRF on fleet.city-mobil.ru leads to local file read |
Server-Side Request Forgery (SSRF) |
byq |
Medium |
2020-04-14 |
| SSRF & LFR on city-mobil.ru |
Server-Side Request Forgery (SSRF) |
byq |
High |
2020-04-14 |
| Leak Sensetive Data at face.city-mobil.ru |
Information Disclosure |
r0hack |
Medium |
2020-04-14 |
| [https://city-mobil.ru/taxiserv] Blind XSS into username |
Cross-site Scripting (XSS) - Stored |
act1on3 |
Medium |
2020-04-14 |
| SSRF & LFR via on city-mobil.ru |
Remote File Inclusion |
byq |
High |
2020-04-14 |
| PHP code injection at tz.mail.ru |
Code Injection |
cutoffurmind |
High |
2020-04-06 |
| 3igames.mail.ru SQL Injection |
SQL Injection |
cutoffurmind |
High |
2020-04-06 |
| SSRF/XSPA [parapa.mail.ru] 2 |
None supplied |
haxta4ok00 |
No rating |
2020-04-06 |
| idor leads to leak order information |
Insecure Direct Object Reference (IDOR) |
risinghunter |
Low |
2020-04-06 |
| Reflected XSS on am.ru and subdomains |
Cross-site Scripting (XSS) - Reflected |
ms-13 |
No rating |
2020-04-06 |
| CSRF on https://market.my.games |
Cross-Site Request Forgery (CSRF) |
naategh |
Low |
2020-04-06 |
| Self XSS via help.mail.ru interface |
Cross-site Scripting (XSS) - Reflected |
chiraggupta8769- |
None |
2020-04-01 |
| [cfire.mail.ru] Time Based SQL Injection 2 |
SQL Injection |
haxta4ok00 |
No rating |
2020-04-01 |
| [parapa.mail.ru] SQL Injection reapet |
SQL Injection |
haxta4ok00 |
No rating |
2020-04-01 |
| SSRF/XSPA [parapa.mail.ru] |
None supplied |
haxta4ok00 |
No rating |
2020-04-01 |
| ssrf xspa [https://prt.mail.ru/] |
Server-Side Request Forgery (SSRF) |
haxta4ok00 |
No rating |
2020-04-01 |
| donationalerts.com limitations bypass |
Cross-Site Request Forgery (CSRF) |
iframe |
Medium |
2020-03-31 |
| Blind XSS in operator's interface for 33slona.ru |
Cross-site Scripting (XSS) - Stored |
iframe |
Medium |
2020-03-31 |
| Blind SQL injection [https://honor.hi-tech.mail.ru] |
SQL Injection |
haxta4ok00 |
No rating |
2020-03-31 |
| ssrf xspa [https://prt.mail.ru/] 2 |
Server-Side Request Forgery (SSRF) |
haxta4ok00 |
No rating |
2020-03-31 |
| [https://seosan.io] Account owner disclosure |
None supplied |
circuit |
Medium |
2020-03-16 |
| Account TakeOver through password recovery at am.ru |
Brute Force |
r0hack |
Critical |
2020-03-10 |
| Account takeover at geekbrains.ru |
Violation of Secure Design Principles |
godofdarkness_msf |
Medium |
2020-03-10 |
| [windows10.hi-tech.mail.ru] Blind SQL Injection |
SQL Injection |
api_0 |
High |
2020-03-10 |
| turboslim.lady.mail.ru - Blind sql-injection. |
SQL Injection |
alexeysergeevich |
High |
2020-03-10 |
| [windows10.hi-tech.mail.ru] Blind SQL Injection |
SQL Injection |
api_0 |
High |
2020-03-10 |
| Account TakeOver through password recovery at am.ru |
Brute Force |
r0hack |
Critical |
2020-03-10 |
| turboslim.lady.mail.ru - Blind sql-injection. |
SQL Injection |
alexeysergeevich |
High |
2020-03-10 |
| Blind SQL Injection on news.mail.ru |
SQL Injection |
asdqwedev |
High |
2020-03-10 |
| allods.mail.ru sql injection |
SQL Injection |
linkks |
Critical |
2020-03-10 |
| [pandao.ru] possibility to attach arbitrary phone number to account registered via social network |
Improper Input Validation |
n4sty |
Medium |
2020-03-06 |
| [api.pandao.ru] IDOR for order delivery address |
Insecure Direct Object Reference (IDOR) |
n4sty |
Medium |
2020-03-06 |
| Access to Tarantool |
Improper Access Control - Generic |
danila |
Medium |
2020-03-05 |
| JMX RMI command injection on 195.211.131.82(Mail.ru Gaming) |
Command Injection - Generic |
johndoe1492 |
Critical |
2020-02-18 |
| IP address can be leaked on Image preview in ICQ for Android chat |
Privacy Violation |
rainbow_json |
Low |
2020-02-14 |
| [API] ICQ user's avatar can be manipulated remotely |
Improper Input Validation |
rainbow_json |
High |
2020-02-14 |
| [Web ICQ Client] XSS уязвимость в имени пользователя |
Cross-site Scripting (XSS) - DOM |
rainbow_json |
Medium |
2020-02-14 |
| Account TakeOver at my.33slona.ru |
Brute Force |
r0hack |
High |
2020-02-04 |
| Blind XSS Stored On Admin Panel Through Name Parameter In [ https://technoatom.mail.ru/] |
Cross-site Scripting (XSS) - Stored |
elmahdi |
High |
2020-02-04 |
| Stored XSS in Review Section https://games.mail.ru/ |
Cross-site Scripting (XSS) - Stored |
sicksec |
High |
2020-02-04 |
| Account TakeOver at my.33slona.ru |
Brute Force |
r0hack |
High |
2020-02-04 |
| SSRF in clients.city-mobil.ru |
Server-Side Request Forgery (SSRF) |
johndoe1492 |
High |
2020-01-29 |
| Blind SQL Injection in city-mobil.ru domain |
SQL Injection |
kiriknik |
Medium |
2020-01-29 |
| Boolean-based SQL Injection on relap.io |
SQL Injection |
agametov |
Critical |
2020-01-22 |
| Information disclosure with sensitive data |
Information Disclosure |
mickey01 |
No rating |
2020-01-14 |
| API method at api.my.games allows to enumerate user emails |
Information Disclosure |
mobius07 |
Medium |
2020-01-14 |
| IDOR в списке пользователей по домену в relap.io |
Insecure Direct Object Reference (IDOR) |
agametov |
Medium |
2019-12-17 |
| Account Takeover at worki.ru |
Violation of Secure Design Principles |
r0hack |
Critical |
2019-12-17 |
| Account Takeover at worki.ru |
Violation of Secure Design Principles |
r0hack |
Critical |
2019-12-17 |
| RCE on shared.mail.ru due to "widget" plugin |
Code Injection |
ruvlol |
Critical |
2019-12-02 |
| Account Takeover at vseapteki.ru |
Brute Force |
r0hack |
High |
2019-12-02 |
| Account Takeover at vseapteki.ru |
Brute Force |
r0hack |
High |
2019-12-02 |
| XSS via message subject - mobile application |
Cross-site Scripting (XSS) - DOM |
almaco |
High |
2019-11-25 |
| worki.ru: SMS code bruteforce |
Business Logic Errors |
r0hack |
High |
2019-11-15 |
| touch.mail.ru / e.mail.ru memory content disclosure |
None supplied |
maxarr |
Critical |
2019-10-30 |
| touch.mail.ru / e.mail.ru memory content disclosure |
None supplied |
maxarr |
Critical |
2019-10-30 |
| [XSS] postMessage в jsapi/button |
Cross-site Scripting (XSS) - DOM |
secator |
Medium |
2019-10-28 |
| Reflected XSS in https://light.mail.ru/login via page |
Cross-site Scripting (XSS) - Reflected |
harisec |
Medium |
2019-10-25 |
| [ RCE ] Through stopping the redirect in /admin/* the attacker able to bypass Authentication And Upload Malicious File |
Improper Access Control - Generic |
elmahdi |
High |
2019-10-23 |
| XSS via Cookie in Mail.ru |
Cross-site Scripting (XSS) - Stored |
mase289 |
Medium |
2019-10-11 |
| [agent.33slona.ru] Recovery code bruteforce |
Brute Force |
iframe |
High |
2019-10-11 |
| Avatar upload allows arbitrary file overwriting |
Path Traversal |
taraszelyk |
Medium |
2019-09-28 |
| [special.mail.ru] Information Disclosure |
Information Disclosure |
bobrov |
Medium |
2019-09-25 |
| Stored XSS |
Cross-site Scripting (XSS) - Stored |
pikky |
High |
2019-09-01 |
| web.icq.com XSS in chat message via contact info |
Cross-site Scripting (XSS) - Stored |
superboyxxx |
High |
2019-08-24 |
| Дюп предметов lootdog и возможность их продавать. |
Business Logic Errors |
ilyailya |
High |
2019-08-02 |
| [https://pandao.ru] - PUT method available |
None supplied |
godex |
Medium |
2019-08-02 |
| [XSS] data-url в письмах |
Cross-site Scripting (XSS) - Stored |
secator |
High |
2019-08-02 |
| Open Selenoid instance at 188.93.63.186 leads to LFR/SSRF. |
Improper Access Control - Generic |
chaosbolt |
Medium |
2019-07-18 |
| LRF on shared.mail.ru due to "markdown" plugin |
Path Traversal |
chaosbolt |
High |
2019-07-18 |
| Path traversal, SSTI and RCE on a MailRu acquisition |
Code Injection |
0xc0ffee |
Critical |
2019-07-08 |
| Stored XSS in email |
None supplied |
pikky |
No rating |
2019-07-07 |
| Stealing Arbitrary Private Files of MyMail App |
Information Disclosure |
heeeeen |
Medium |
2019-06-12 |
| molotok.m.mail.ru delegated to external entity |
Externally Controlled Reference to a Resource in Another Sphere |
aieti |
Medium |
2019-06-06 |
| SSRF |
None supplied |
linkks |
None |
2019-06-03 |
| Source code disclosure |
Information Disclosure |
linkks |
Medium |
2019-06-03 |
| XXE on pulse.mail.ru |
XML External Entities (XXE) |
chaosbolt |
Low |
2019-04-02 |
| Cross application scripting via account.mail.ru |
Cross-site Scripting (XSS) - Stored |
tr3harder |
High |
2019-03-11 |
| Возможность зайти на любой аккаунт https://pandao.ru/ |
None supplied |
circuit |
Critical |
2019-02-06 |
| Shell upload in partner service |
Code Injection |
danila_xawdxawdx |
Medium |
2018-11-13 |
| Stored Blind XSS |
Cross-site Scripting (XSS) - Stored |
danila_xawdxawdx |
High |
2018-11-12 |
| XSS in e.mail.ru |
Cross-site Scripting (XSS) - Stored |
akop07 |
High |
2018-11-12 |
| [moba.my.com] phpinfo, logs |
Information Disclosure |
bobrov |
None |
2018-11-12 |
| [rm.mail.ru] Request-Path XSS |
Cross-site Scripting (XSS) - Reflected |
bobrov |
Medium |
2018-11-12 |
| Reflected XSS in delivery-club.ru |
Cross-site Scripting (XSS) - Reflected |
ph0b0s |
High |
2018-11-12 |
| Раскрытие серии/номера паспорта и снилс пользователя lootdog.io |
Information Disclosure |
lincoln9932 |
Low |
2018-11-12 |
| IDOR on mcs.mail.ru |
Information Exposure Through Sent Data |
danila_xawdxawdx |
None |
2018-11-12 |
| Reflected XSS on https://www.delivery-club.ru/ |
Cross-site Scripting (XSS) - Reflected |
danila_xawdxawdx |
Medium |
2018-11-12 |
| XSS on https://www.delivery-club.ru |
Cross-site Scripting (XSS) - Reflected |
danila_xawdxawdx |
Medium |
2018-11-12 |
| CSRF on lootdog.io |
Cross-Site Request Forgery (CSRF) |
danila_xawdxawdx |
Medium |
2018-11-12 |
| CSRF на покупку товара https://lootdog.io/ |
Cross-Site Request Forgery (CSRF) |
danila_xawdxawdx |
High |
2018-11-12 |
| XSS on https://www.delivery-club.ru/sd/test_330933/info/ |
Cross-site Scripting (XSS) - Stored |
danila_xawdxawdx |
High |
2018-11-12 |
| [target.my.com] CRLF Injection -> XSS |
Cross-site Scripting (XSS) - Reflected |
bobrov |
Medium |
2018-11-06 |
| [sj.my.com] Source Code Disclosure /.svn/wc.db |
Information Disclosure |
bobrov |
Medium |
2018-11-06 |
| [info.tmgame.mail.ru] Apache Server Status |
Information Disclosure |
bobrov |
Low |
2018-11-06 |
| [evo2.my.com] Internet Explorer XSS |
Cross-site Scripting (XSS) - Reflected |
bobrov |
Low |
2018-11-06 |
| [lk-cdn.3igames.mail.ru] apc.php |
Information Disclosure |
bobrov |
Low |
2018-11-06 |
| [new.wf.mail.ru] XSS Request-URI |
Cross-site Scripting (XSS) - Reflected |
bobrov |
Medium |
2018-11-06 |
| [beta.tracker.my.com] XSS Request-URI |
Cross-site Scripting (XSS) - Reflected |
bobrov |
Medium |
2018-11-06 |
| [gamesventures.mail.ru] Publicly accessible GIT directory |
Information Disclosure |
bobrov |
Low |
2018-11-06 |
| [sputnik.mail.ru] Publicly accessible GIT directory |
Information Disclosure |
bobrov |
Medium |
2018-11-06 |
| [hs.mail.ru] CRLF Injection / XSS |
Cross-site Scripting (XSS) - Generic |
bobrov |
Low |
2018-11-06 |
| [hs.mail.ru] XSS play_now.php |
Cross-site Scripting (XSS) - Reflected |
bobrov |
Low |
2018-11-06 |
| Чтение файлов на сервере и раскрытие директорий mediator.media |
Server-Side Request Forgery (SSRF) |
truwa |
Medium |
2018-10-19 |
| Blind XSS pets.mail.ru/admin/ |
Cross-site Scripting (XSS) - Stored |
w2w |
High |
2018-10-19 |
| Full account takeover am.ru |
Business Logic Errors |
w2w |
Medium |
2018-10-19 |
| Disclosure of user email address and Deanonymization [mail.ru] + Blind | Stored XSS pets.mail.ru |
Cross-site Scripting (XSS) - Stored |
w2w |
Low |
2018-10-19 |
| Блокированный ящик ( Обход ) |
Business Logic Errors |
hack2tools |
Low |
2018-10-19 |
| Double authentication bypass |
None supplied |
w2w |
None |
2018-10-11 |
| 3rd party shop admin panel blind XSS |
Information Disclosure |
w2w |
Medium |
2018-10-11 |
| ДОБАВЛЕНИЕ СВОИХ ДАТ В КАЛЕНДАРЬ ПОЛЬЗОВАТЕЛЮ ! |
Cross-Site Request Forgery (CSRF) |
pisarenko |
Low |
2018-10-03 |
| XSS in touch.mail.ru |
Cross-site Scripting (XSS) - DOM |
saiyajin |
High |
2018-10-02 |
| XSS in e.mail.ru |
Cross-site Scripting (XSS) - Stored |
sql |
Medium |
2018-09-24 |
| Хранимая XSS в пожертованиях на dobro.mail.ru |
Cross-site Scripting (XSS) - Stored |
pisarenko |
High |
2018-09-24 |
| XSS https://health.mail.ru/my/ через внешнее имя аккаунта |
None supplied |
lincoln9932 |
No rating |
2018-09-04 |
| Раскрытие IP, почты и другой полезной информации lootdog.io |
Information Disclosure |
lincoln9932 |
Low |
2018-09-04 |
| XSS in delivery club |
Cross-site Scripting (XSS) - Reflected |
truwa |
Medium |
2018-08-21 |
| DNS Misconfiguration |
None supplied |
rootbakar |
Medium |
2018-08-16 |
| XSS в теле письма, в новой версии почты. |
Cross-site Scripting (XSS) - Stored |
maxarr |
High |
2018-08-15 |
| XSS ( Работа с письмами ) |
Cross-site Scripting (XSS) - Stored |
hack2tools |
Low |
2018-08-15 |
| XSS via Cookie in e.mail.ru |
Cross-site Scripting (XSS) - DOM |
obmi |
Medium |
2018-08-15 |
| Stored self-xss and its escalation to a victim account in e.mail.ru |
Cross-site Scripting (XSS) - Reflected |
obmi |
High |
2018-08-15 |
| XSS touch.mail.ru compose Body |
Cross-site Scripting (XSS) - DOM |
shafigullin |
No rating |
2018-08-15 |
| XSS account.mail.ru in state JSON script |
Cross-site Scripting (XSS) - Reflected |
shafigullin |
No rating |
2018-08-15 |
| XSS e.mail.ru fixSpecialSymbols |
Cross-site Scripting (XSS) - DOM |
shafigullin |
No rating |
2018-08-15 |
| [account.mail.ru] XSS на странице удаления аккаунта через backUrl |
Cross-site Scripting (XSS) - DOM |
s_p_q_r |
No rating |
2018-07-31 |
| [account.mail.ru] XSS на странице восстановления пароля |
Cross-site Scripting (XSS) - Reflected |
s_p_q_r |
No rating |
2018-07-31 |
| Race condition на market.games.mail.ru |
Write-what-where Condition |
diabllo |
High |
2018-07-18 |
| Attacker can send requests from mail.ru server |
Server-Side Request Forgery (SSRF) |
aieti |
Medium |
2018-07-16 |
| CSRF на biz.mail.ru |
Cross-Site Request Forgery (CSRF) |
c37hun |
None |
2018-07-16 |
| Вывод значений переменных Nginx в теле страницы |
Information Disclosure |
webr0ck |
Low |
2018-07-16 |
| слепая XSS в админ панели torg.mail.ru через отзыв |
Cross-site Scripting (XSS) - DOM |
pisarenko |
High |
2018-07-02 |
| CRLF injection mcs.mail.ru (leads to XSS) |
CRLF Injection |
w2w |
Medium |
2018-06-19 |
| XSS в отправителе, БЕТА-версия почты |
Cross-site Scripting (XSS) - Stored |
maxarr |
High |
2018-06-10 |
| XSS в теле письма. |
Cross-site Scripting (XSS) - Stored |
maxarr |
High |
2018-06-10 |
| Modifying application settings via clickjacking on o2.mail.ru |
UI Redressing (Clickjacking) |
zishanadthandar |
Low |
2018-06-08 |
| Local paths disclosure through error message |
Information Exposure Through an Error Message |
inet_freedom |
None |
2018-06-04 |
| lootdog.io XSS |
Cross-site Scripting (XSS) - Reflected |
lincoln9932 |
Medium |
2018-06-04 |
| Blind Stored XSS |
Cross-site Scripting (XSS) - Stored |
danila_xawdxawdx |
High |
2018-06-04 |
| Partner Account Takeover on https://www.delivery-club.ru через пользовательский аккаунт. |
Improper Authentication - Generic |
danila_xawdxawdx |
High |
2018-06-04 |
| Возможность залить шелл на https://widget.operator.mail.ru |
Code Injection |
danila_xawdxawdx |
Critical |
2018-06-04 |
| CSRF на добавление товара на продажу |
Cross-Site Request Forgery (CSRF) |
danila_xawdxawdx |
High |
2018-06-04 |
| Account Takeover on https://www.delivery-club.ru через партнерский аккаунт. |
Improper Authentication - Generic |
danila_xawdxawdx |
Critical |
2018-06-04 |
| Clickjacking Vulnerability on https://support.my.com/games/ticket/xxxx/ |
UI Redressing (Clickjacking) |
nullsaint |
None |
2018-06-01 |
| Открытая информация phpinfo() на сайте https://agent.mail.ru |
Information Disclosure |
mobius07 |
Low |
2018-05-29 |
| LFI in beta.mail.ru |
None supplied |
catferq |
Critical |
2018-05-28 |
| Хранимая XSS ( API ) |
Cross-site Scripting (XSS) - Stored |
hack2tools |
High |
2018-05-23 |
| XSS уязвимость |
Cross-site Scripting (XSS) - Reflected |
hack2tools |
High |
2018-05-23 |
| [dl.beepcar.ru] CRLF Injection |
None supplied |
vik0nd |
Low |
2018-05-22 |
| invalid handling of redirect_uri at o2.mail.ru/jsapi/button |
Improper Access Control - Generic |
ruvlol |
No rating |
2018-05-22 |
| [mobs.mail.ru] nginx path traversal via misconfigured alias |
Information Disclosure |
bobrov |
High |
2018-05-22 |
| [e.mail.ru] XSS на странице отправки денежного перевода |
Cross-site Scripting (XSS) - Reflected |
s_p_q_r |
No rating |
2018-05-16 |
| CSRF на calendar.mail.ru |
Cross-Site Request Forgery (CSRF) |
danila_xawdxawdx |
Medium |
2018-05-11 |
| XSS on e.mail.ru via postMessage |
Cross-site Scripting (XSS) - DOM |
obmi |
High |
2018-05-11 |
| Shell upload in http://widget.support.my.com/ |
OS Command Injection |
danila_xawdxawdx |
Critical |
2018-05-11 |
| [maps.me] Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
bigbear_ |
No rating |
2018-04-26 |
| [aw.my.com] Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
bigbear_ |
No rating |
2018-04-26 |
| [games.my.com] Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
bigbear_ |
No rating |
2018-04-26 |
| [sf.my.com] Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
bigbear_ |
No rating |
2018-04-26 |
| [lucky-fields.my.com] Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
bigbear_ |
No rating |
2018-04-26 |
| [account.my.com] Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
bigbear_ |
No rating |
2018-04-26 |
| [wos.my.com] Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
bigbear_ |
No rating |
2018-04-26 |
| [support.my.com] Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
bigbear_ |
No rating |
2018-04-26 |
| [mg.my.com] Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
bigbear_ |
No rating |
2018-04-26 |
| [evo.my.com] Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
bigbear_ |
No rating |
2018-04-26 |
| [evo2.my.com] Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
bigbear_ |
No rating |
2018-04-26 |
| [furry.aw.my.com] Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
bigbear_ |
No rating |
2018-04-26 |
| [id.my.com] Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
bigbear_ |
No rating |
2018-04-26 |
| [allods.my.com] Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
bigbear_ |
No rating |
2018-04-26 |
| [legal.my.com] Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
bigbear_ |
No rating |
2018-04-26 |
| [babel.mail.ru] Admin Page Found |
Improper Access Control - Generic |
bigbear_ |
No rating |
2018-04-26 |
| [tanks.mail.ru] Content Spoofing |
Phishing |
bigbear_ |
No rating |
2018-04-26 |
| [s2.jugger.ru] Content Spoofing |
Phishing |
bigbear_ |
No rating |
2018-04-26 |
| [warofdragons.com] Content Spoofing |
Phishing |
bigbear_ |
No rating |
2018-04-26 |
| IDOR widget.support.my.com |
Insecure Direct Object Reference (IDOR) |
w2w |
Medium |
2018-04-26 |
| [tanks.mail.ru] Open Redirect |
Violation of Secure Design Principles |
101usb |
None |
2018-04-12 |
| blind XXE in autodiscover parser |
XML External Entities (XXE) |
obmi |
Medium |
2018-04-03 |
| Same origin policy bypass on e.mail.ru via Cross-Site Flashing |
None supplied |
opnsec |
No rating |
2018-04-02 |
| Stored XSS when you read eamils. <style> |
Cross-site Scripting (XSS) - Stored |
ras-it |
High |
2018-03-13 |
| Открытое перенапровление на OpenID |
Open Redirect |
pisarenko |
Low |
2018-03-13 |
| filin.mail.ru user's e-mail address disclosure |
None supplied |
isaeva |
No rating |
2018-02-21 |
| [afisha.mail.ru] HTML-инъекция через XSS на портале виджета |
None supplied |
s_p_q_r |
No rating |
2018-02-12 |
| blind XXE when uploading avatar in mymail phone app |
XML External Entities (XXE) |
ruvlol |
High |
2018-02-12 |
| Blind XXE on my.mail.ru |
XML External Entities (XXE) |
ruvlol |
High |
2018-02-06 |
| XSS bypass Script execute,Read any file,execute any javascript code--UXSS |
Cross-site Scripting (XSS) - Stored |
tea |
High |
2018-01-27 |
| XSS в письме, в поле отправителя. |
Cross-site Scripting (XSS) - Stored |
maxarr |
High |
2018-01-27 |
| Отраженная XSS на cloud.mail.ru в URL в функционале создания и редактировании презентации. |
Cross-site Scripting (XSS) - Reflected |
ro_ |
High |
2018-01-27 |
| reflected xss on cycloferon.health.mail.ru |
Cross-site Scripting (XSS) - Reflected |
whitesector |
Medium |
2018-01-26 |
| XSS в письме, в теле письма. |
Cross-site Scripting (XSS) - Stored |
maxarr |
High |
2018-01-26 |
| XSS в теле письма, в блочных стилях. |
Cross-site Scripting (XSS) - Stored |
maxarr |
High |
2018-01-26 |
| Self-xss via drag&drop in email form |
Cross-site Scripting (XSS) - Reflected |
obmi |
Low |
2018-01-26 |
| XSS on account.mail.ru/login |
Man-in-the-Middle |
obmi |
Medium |
2018-01-26 |
| Uninitilized server memory disclosure via ImageMagick |
Information Disclosure |
hudmi |
High |
2018-01-26 |
| Android MailRu Email: Thirdparty can access private data files with small user interaction |
Privilege Escalation |
dzmitry |
Medium |
2018-01-02 |
| CSRF. Удаление адресной книги, добавление контактов |
Cross-Site Request Forgery (CSRF) |
napalube |
Medium |
2017-12-29 |
| При передаче в ID сообщения нулевого байта, происходит вывод какого-то буфера. |
Buffer Over-read |
bytehope |
High |
2017-12-29 |
| Reflected XSS in https://e.mail.ru/ |
Cross-site Scripting (XSS) - Reflected |
ras-it |
High |
2017-12-28 |
| [et.mail.ru] ssrf 2 |
Server-Side Request Forgery (SSRF) |
haxta4ok00 |
High |
2017-12-28 |
| XSS when replying / forwarding to a malicious email on iOS |
Cross-site Scripting (XSS) - Stored |
pwnsdx |
Medium |
2017-12-28 |
| Download attachments with traversal path into any sdcard directory (incomplete fix 106097) |
Path Traversal |
dzmitry |
Low |
2017-12-28 |
| touch.mail.ru/messages - Stored XSS |
Cross-site Scripting (XSS) - Stored |
luigigubello |
High |
2017-12-27 |
| Unupdated ImageMagic leads to uninitialized server memory disclosure |
Information Disclosure |
ruvlol |
Medium |
2017-12-27 |
| Stored XSS and html injection in biz.mail.ru |
Cross-site Scripting (XSS) - DOM |
ruvlol |
None |
2017-12-27 |
| A manager of a determinate group of users still might have access to any user account from any group that he doesn't administrate anymore. |
Client-Side Enforcement of Server-Side Security |
ruvlol |
Low |
2017-12-27 |
| XSS on https://account.mail.ru/login via postMessage |
Cross-site Scripting (XSS) - DOM |
buglloc |
High |
2017-12-27 |
| Possibility to view subdepartments for arbitrary domain |
Insecure Direct Object Reference (IDOR) |
ruvlol |
Medium |
2017-12-20 |
| Monitor |
Information Disclosure |
linkks |
No rating |
2017-12-04 |
| Stored XSS using SVG on subdomain infra.mail.ru |
Cross-site Scripting (XSS) - Stored |
whitesector |
Low |
2017-12-01 |
| XSS через подгрузку ссылки. |
Cross-site Scripting (XSS) - Stored |
lincoln9932 |
Medium |
2017-11-21 |
| reflected XSS on healt.mail.ru |
Cross-site Scripting (XSS) - Reflected |
whitesector |
Medium |
2017-11-20 |
| CRLF инъекция на https://tz.mail.ru |
HTTP Response Splitting |
lalka |
Low |
2017-11-07 |
| SSRF на https://target.my.com/ |
Server-Side Request Forgery (SSRF) |
lalka |
Medium |
2017-11-07 |
| Stored self-XSS pubg.mail.ru в нескольких местах |
Cross-site Scripting (XSS) - Stored |
lincoln9932 |
None |
2017-10-31 |
| Clickjacking Full account takeover and editing the personal information at [account.my.com] |
UI Redressing (Clickjacking) |
t-pwn |
No rating |
2017-10-19 |
| XSS in biz.mail.ru/error |
Cross-site Scripting (XSS) - DOM |
ruvlol |
Medium |
2017-10-09 |
| uninitilized server memory disclosure via ImageMagick in my.mail.ru and cloud.mail.ru |
Information Disclosure |
neex |
No rating |
2017-09-11 |
| BruteForce Any [My.com] Account Credentials. |
Brute Force |
0xradi |
No rating |
2017-09-04 |
| Излишние права при авторизации через интерфейс mail.ru |
Improper Authentication - Generic |
f4lrik |
No rating |
2017-08-22 |
| Logical Vulnerability : REDIRECTING on pw.mail.ru by Parameter Spoofing |
Open Redirect |
othmanetamagart |
No rating |
2017-08-21 |
| Open Redirect on [My.com] |
Open Redirect |
0xradi |
Low |
2017-08-14 |
| Обход basic авторизации [qpt.mail.ru] |
None supplied |
haxta4ok00 |
No rating |
2017-07-17 |
| XSS в портальной навигации |
Cross-site Scripting (XSS) - Stored |
lincoln9932 |
Medium |
2017-07-11 |
| By pass admin panel [conference.mail.ru] |
Improper Authentication - Generic |
haxta4ok00 |
No rating |
2017-07-11 |
| By pass admin panel [seminars.mail.ru] |
Improper Authentication - Generic |
haxta4ok00 |
No rating |
2017-07-11 |
| Admin panel access restrictions bypass [poll.mail.ru/admin/] |
Improper Authentication - Generic |
haxta4ok00 |
No rating |
2017-07-11 |
| Reflected XSS на https://aw.mail.ru/news/ |
Cross-site Scripting (XSS) - Generic |
lalka |
No rating |
2017-07-03 |
| Reflected XSS. |
Cross-site Scripting (XSS) - Generic |
lalka |
No rating |
2017-07-03 |
| Reflected XSS. |
Cross-site Scripting (XSS) - Generic |
lalka |
No rating |
2017-07-03 |
| Reflected XSS on hi-tech.mail.ru |
Cross-site Scripting (XSS) - Generic |
lalka |
No rating |
2017-07-03 |
| XSS с помощью специально сформированного файла. |
Cross-site Scripting (XSS) - Generic |
lalka |
No rating |
2017-07-03 |
| Xss в https://e.mail.ru/ |
Cross-site Scripting (XSS) - Stored |
danila_xawdxawdx |
Medium |
2017-06-02 |
| Xss в https://e.mail.ru/ |
Cross-site Scripting (XSS) - Stored |
danila_xawdxawdx |
Medium |
2017-05-25 |
| IDOR in tender.mail.ru leading to Information Disclosure |
None supplied |
khalidamin |
No rating |
2017-05-25 |
| xss на нескольких форумах игр от mail.ru (Cross-Site Scripting) |
Cross-site Scripting (XSS) - Generic |
danila_xawdxawdx |
No rating |
2017-05-25 |
| Reflected XSS on frag.mail.ru |
Cross-site Scripting (XSS) - Reflected |
twicedi |
No rating |
2017-05-10 |
| Open Redirect |
Open Redirect |
t-pwn |
No rating |
2017-05-04 |
| Open Redirection at https://it.mail.ru/ |
Open Redirect |
t-pwn |
No rating |
2017-05-04 |
| Stored XSS in e.mail.ru (payload affect multiple users) |
Cross-site Scripting (XSS) - Stored |
afine-team |
Medium |
2017-04-17 |
| Stored XSS |
Cross-site Scripting (XSS) - Generic |
t-pwn |
Low |
2017-03-30 |
| [allods.mail.ru] Reflected XSS |
Cross-site Scripting (XSS) - Generic |
bigbear_ |
No rating |
2017-03-27 |
| [w1.dwar.ru] Core Dump |
Memory Corruption - Generic |
bigbear_ |
No rating |
2017-03-27 |
| [otus.p.mail.ru] Full Path Disclosure |
Information Disclosure |
bigbear_ |
No rating |
2017-03-27 |
| Potential SSRF in sales.mail.ru |
Server-Side Request Forgery (SSRF) |
paresh_parmar |
Medium |
2017-03-27 |
| [gitmm.corp.mail.ru] Auth Bypass, Information Disclosure |
Improper Authentication - Generic |
bigbear_ |
No rating |
2017-03-27 |
| Open Redirect |
Open Redirect |
sup3r-b0y |
No rating |
2017-03-17 |
| [allods.mail.ru] Cross-Site Request Forgery (Add-Item) |
Cross-Site Request Forgery (CSRF) |
ahsan |
Low |
2017-03-17 |
| CSRF Send a message at street-combats.mail.ru |
Cross-Site Request Forgery (CSRF) |
xhzeem |
Medium |
2017-03-17 |
| [otus.p.mail.ru] CRLF Injection |
Information Disclosure |
bigbear_ |
No rating |
2017-03-03 |
| [it.mail.ru] Open Redirect |
Open Redirect |
bigbear_ |
No rating |
2017-03-03 |
| [allods.my.com] Full SQL Disclosure |
Information Disclosure |
bigbear_ |
No rating |
2017-03-03 |
| [allods.my.com] Full Path Disclosure |
Information Disclosure |
bigbear_ |
No rating |
2017-03-03 |
| [opensource.mail.ru] Debug Mode |
Information Disclosure |
bigbear_ |
No rating |
2017-03-03 |
| [api.login.icq.net] Reflected XSS |
Cross-site Scripting (XSS) - Generic |
bigbear_ |
No rating |
2017-03-03 |
| [3k.mail.ru] Content Spoofing |
Violation of Secure Design Principles |
bigbear_ |
No rating |
2017-03-03 |
| [api.login.icq.net] Open Redirect |
Open Redirect |
bigbear_ |
No rating |
2017-03-03 |
| [pokerist.mail.ru] XSS Request-URI |
Cross-site Scripting (XSS) - Generic |
bobrov |
Low |
2017-03-02 |
| [qpt.mail.ru] CRLF Injection / Open Redirect |
HTTP Response Splitting |
bobrov |
Low |
2017-03-02 |
| [element.mail.ru] /.svn/entries |
Information Disclosure |
bobrov |
Low |
2017-03-02 |
| [cooking.lady.mail.ru] Open Redirect |
Open Redirect |
bobrov |
Low |
2017-03-02 |
| [ml.money.mail.ru] Open Redirect |
Open Redirect |
bobrov |
Low |
2017-03-02 |
| Disclosure of information on static.dl.mail.ru |
Information Disclosure |
rbcafe |
No rating |
2017-02-12 |
| Activities are not Protected and able to crash app using other app (Can Malware or third parry app). |
Information Disclosure |
bugwrangler |
No rating |
2017-02-12 |
| Stored XSS на street-combats.mail.ru |
Cross-site Scripting (XSS) - Generic |
cyberpunkych |
No rating |
2016-12-26 |
| [torg.mail.ru] CRLF Injection |
None supplied |
s_p_q_r |
No rating |
2016-12-12 |
| Time-based sql-injection на https://puzzle.mail.ru |
SQL Injection |
lalka |
No rating |
2016-11-15 |
| Mail.ru for Android Content Provider Vulnerability |
Information Disclosure |
murthy68 |
No rating |
2016-11-02 |
| Reflected XSS @ games.mail.ru |
Cross-site Scripting (XSS) - Generic |
ahsan |
No rating |
2016-10-18 |
| [realty.mail.ru] XSS, SSI Injection |
Command Injection - Generic |
bobrov |
No rating |
2016-10-06 |
| [touch.lady.mail.ru] CRLF Injection |
None supplied |
bobrov |
No rating |
2016-10-06 |
| [support.my.com] Internet Explorer XSS |
Cross-site Scripting (XSS) - Generic |
bobrov |
No rating |
2016-10-06 |
| [tanks.mail.ru] Internet Explorer XSS via Request-URI |
Cross-site Scripting (XSS) - Generic |
bobrov |
No rating |
2016-10-06 |
| [mrgs.mail.ru] Internet Explorer XSS via Request-URI |
Cross-site Scripting (XSS) - Generic |
bobrov |
No rating |
2016-10-06 |
| [corp.mail.ru] CRLF Injection / Insecure nginx configuration |
None supplied |
bobrov |
No rating |
2016-10-06 |
| [rabota.mail.ru] Open Redirect |
Open Redirect |
bobrov |
No rating |
2016-10-03 |
| [my.mail.ru] CRLF Injection |
None supplied |
bobrov |
No rating |
2016-10-03 |
| [s.mail.ru] CRLF Injection |
None supplied |
bobrov |
No rating |
2016-10-03 |
| [upload-X.my.mail.ru] /uploadphoto Insecure Direct Object References |
Improper Authentication - Generic |
bobrov |
No rating |
2016-10-03 |
| [my.mail.ru] HTML injection в письмах от [email protected] |
Cross-site Scripting (XSS) - Generic |
bobrov |
No rating |
2016-10-03 |
| Full Path Disclosure |
Information Disclosure |
c37hun |
No rating |
2016-09-29 |
| [odnoklassniki.ru] XSS via Host |
Cross-site Scripting (XSS) - Generic |
bobrov |
No rating |
2016-09-26 |
| [tidaltrek.mail.ru] SQL Injection |
SQL Injection |
konqi |
No rating |
2016-09-16 |
| [cfire.mail.ru] CSRF Bypassed - Changing anyone's 'User Info' |
Cross-Site Request Forgery (CSRF) |
ahsan |
No rating |
2016-09-09 |
| XSS at af.attachmail.ru |
Cross-site Scripting (XSS) - Generic |
paresh_parmar |
No rating |
2016-08-12 |
| [opensource.mail.ru] system accounts enumeration |
Information Disclosure |
konqi |
No rating |
2016-08-08 |
| HTML Injection на e.mail.ru |
Cross-site Scripting (XSS) - Generic |
c37hun |
No rating |
2016-07-20 |
| Cross Site Request Forgery (CSRF) |
Cross-Site Request Forgery (CSRF) |
malcolmx |
No rating |
2016-07-20 |
| Possibility to attach any mobile number to any email |
Improper Authentication - Generic |
hunter |
No rating |
2016-07-18 |
| [connect.mail.ru] Memory Disclosure / IE XSS |
None supplied |
bobrov |
No rating |
2016-07-11 |
| [townwars.mail.ru] Time-Based SQL Injection |
SQL Injection |
konqi |
No rating |
2016-07-06 |
| Back Refresh Attack after registration and successful logout |
Violation of Secure Design Principles |
sudoshekhar |
No rating |
2016-07-01 |
| BRUTE FORCE ATTACK |
None supplied |
md-firdous |
No rating |
2016-06-27 |
| Code source discloure & ability to get database information "SQL injection" in [townwars.mail.ru] |
SQL Injection |
xsam |
No rating |
2016-06-22 |
| Утечка информации через JSONP (XXSI) |
Information Disclosure |
cyberpunkych |
No rating |
2016-06-20 |
| bgplay.mail.ru |
Code Injection |
isox |
No rating |
2016-06-20 |
| AXFR на plexus.m.smailru.net работает |
Information Disclosure |
isox |
No rating |
2016-06-15 |
| [sales.mail.ru] CRLF Injection |
None supplied |
s_p_q_r |
No rating |
2016-06-15 |
| [tidaltrek.mail.ru] SQL Injection |
SQL Injection |
konqi |
No rating |
2016-05-26 |
| SQL Injection |
SQL Injection |
konqi |
No rating |
2016-05-26 |
| [tz.mail.ru] XSS в функционале авторизации |
Cross-site Scripting (XSS) - Generic |
s_p_q_r |
No rating |
2016-05-25 |
| Insecure cookies without httpOnly flag set |
None supplied |
thalaivarsubu |
No rating |
2016-05-25 |
| Reflected XSS на games.mail.ru |
Cross-site Scripting (XSS) - Generic |
cyberpunkych |
No rating |
2016-05-12 |
| VERY DANGEROUS XSS STORED inside emails |
Cross-site Scripting (XSS) - Generic |
seifelsallamy |
No rating |
2016-04-07 |
| Раскрытие номера мобильного телефона при двухфакторной аутентификации |
None supplied |
gorodnya |
No rating |
2016-03-25 |
| [orsotenslimselfie.lady.mail.ru] SQL Injection |
SQL Injection |
konqi |
No rating |
2016-03-15 |
| Time-Based Blind SQL Injection Attacks |
SQL Injection |
lukazorge |
No rating |
2016-03-10 |
| Cross Site Scripting |
Cross-site Scripting (XSS) - Generic |
architaa |
No rating |
2016-03-10 |
| SSRF на element.mail.ru |
Information Disclosure |
cyberpunkych |
No rating |
2016-02-24 |
| [3k.mail.ru] SQL Injection |
SQL Injection |
konqi |
No rating |
2016-02-24 |
| reflected in xss |
Cross-site Scripting (XSS) - Generic |
ilsen |
No rating |
2016-02-17 |
| [allods.my.com] SSRF / XSPA |
None supplied |
konqi |
No rating |
2016-02-11 |
| XSS at forum : |
Cross-site Scripting (XSS) - Generic |
paresh_parmar |
No rating |
2016-02-01 |
| [afisha.mail.ru] SQL Injection |
SQL Injection |
konqi |
No rating |
2016-02-01 |
| Multiple vulnerabilities in mail.ru subdomains |
Cross-site Scripting (XSS) - Generic |
harry_mg |
No rating |
2016-01-27 |
| [parapa.mail.ru] SQL Injection |
SQL Injection |
konqi |
No rating |
2016-01-18 |
| [cfire.mail.ru] Time Based SQL Injection |
SQL Injection |
konqi |
No rating |
2016-01-15 |
| Flash XSS на old.corp.mail.ru |
Cross-site Scripting (XSS) - Generic |
c37hun |
No rating |
2015-12-11 |
| Авторизуюсь от имени любого пользователя parapa.mail.ru |
Privilege Escalation |
c37hun |
No rating |
2015-12-11 |
| Выполнение кода PHP через FastCGI |
None supplied |
c37hun |
No rating |
2015-12-11 |
| Cross site scripting |
Cross-site Scripting (XSS) - Generic |
smit |
No rating |
2015-12-11 |
| Reflective Xss on news.mail.ru and admin.news.mail.ru |
Cross-site Scripting (XSS) - Generic |
mak |
No rating |
2015-12-11 |
| [api.allodsteam.com] Authentication Data |
Command Injection - Generic |
bigbear_ |
No rating |
2015-12-01 |
| XSS: https://light.mail.ru/compose, https://m.mail.ru/compose/[id]/reply при ответе на специальным образом сформированное письмо |
Cross-site Scripting (XSS) - Generic |
aesteral |
No rating |
2015-11-16 |
| [ling.go.mail.ru] Server-Status opened for all users |
Information Disclosure |
bigbear_ |
No rating |
2015-11-13 |
| Ошибка фильтрации |
UI Redressing (Clickjacking) |
cyberunit |
No rating |
2015-11-02 |
| Flash XSS on img.mail.ru |
Cross-site Scripting (XSS) - Generic |
tunnelshade |
No rating |
2015-10-30 |
| Vulnerability :- "XSS vulnerability" |
Cross-site Scripting (XSS) - Generic |
bhavi |
No rating |
2015-10-24 |
| [riot.mail.ru] Reflected XSS in debug-mode |
Cross-site Scripting (XSS) - Generic |
bigbear_ |
No rating |
2015-10-21 |
| [start.icq.com] Reflected XSS via Cookies |
Cross-site Scripting (XSS) - Generic |
bigbear_ |
No rating |
2015-10-21 |
| e.mail.ru: SMS spam with custom content |
None supplied |
isox |
No rating |
2015-09-13 |
| target.mail.ru: XSS |
Cross-site Scripting (XSS) - Generic |
isox |
No rating |
2015-09-13 |
| files.mail.ru: XSS |
Cross-site Scripting (XSS) - Generic |
isox |
No rating |
2015-09-13 |
| e.mail.ru: File upload "Chapito" circus |
Memory Corruption - Generic |
isox |
No rating |
2015-09-13 |
| target.mail.ru: XSS через Referer |
Cross-site Scripting (XSS) - Generic |
isox |
No rating |
2015-09-13 |
| connect.mail.ru: SSRF |
None supplied |
isox |
No rating |
2015-09-13 |
| my.mail.ru: HTTP Header Injection |
None supplied |
isox |
No rating |
2015-09-13 |
| touch.afisha.mail.ru: XSS |
Cross-site Scripting (XSS) - Generic |
isox |
No rating |
2015-09-13 |
| auth.mail.ru: XSS in login form |
Cross-site Scripting (XSS) - Generic |
isox |
No rating |
2015-09-13 |
| api.video.mail.ru: XSS |
Cross-site Scripting (XSS) - Generic |
isox |
No rating |
2015-09-13 |
| https://217.69.135.63/rb/: money.mail.ru sources disclosure |
Information Disclosure |
isox |
No rating |
2015-09-13 |
| http://fitter1.i.mail.ru/browser/ торчит Graphite в мир |
Code Injection |
isox |
No rating |
2015-09-13 |
| Possible xWork classLoader RCE: shared.mail.ru |
Code Injection |
isox |
No rating |
2015-09-13 |
| help2.m.smailru.net: XSS |
Cross-site Scripting (XSS) - Generic |
isox |
No rating |
2015-09-13 |
| http://tp-dev1.tp.smailru.net/ |
Improper Authentication - Generic |
isox |
No rating |
2015-09-13 |
| tt-mac.i.mail.ru: Quagga 0.99.23.1 (Router) : Default password and default enable password |
Code Injection |
isox |
No rating |
2015-09-13 |
| store-agent.mail.ru: stacked blind injection |
SQL Injection |
isox |
No rating |
2015-09-13 |
| https://voip.agent.mail.ru/phpinfo.php |
Information Disclosure |
isox |
No rating |
2015-09-13 |
| Hadoop Node available to public |
Information Disclosure |
isox |
No rating |
2015-09-13 |
| HDFS NameNode Public disclosure: http://185.5.139.33:50070/dfshealth.jsp |
None supplied |
isox |
No rating |
2015-09-13 |
| scfbp.tng.mail.ru: Heartbleed |
Information Disclosure |
isox |
No rating |
2015-09-13 |
| RCE через JDWP |
Command Injection - Generic |
isox |
No rating |
2015-09-13 |
| Heartbleed: my.com (185.30.178.33) port 1433 |
None supplied |
isox |
No rating |
2015-09-13 |
| cloud.mail.ru: File upload XSS using Content-Type header |
Cross-site Scripting (XSS) - Generic |
isox |
No rating |
2015-09-13 |
| GET /surveys/2auth: XSS |
Cross-site Scripting (XSS) - Generic |
isox |
No rating |
2015-09-13 |
| http://217.69.136.200/?p=2&c=Fetcher%20cluster&h=fetcher1.mail.ru |
None supplied |
isox |
No rating |
2015-09-13 |
| /surveys/2auth: DOM-based XSS |
Cross-site Scripting (XSS) - Generic |
isox |
No rating |
2015-09-13 |
| 3k.mail.ru: XSS |
Cross-site Scripting (XSS) - Generic |
isox |
No rating |
2015-09-13 |
| files.mail.ru: HTTP Header Injection |
None supplied |
isox |
No rating |
2015-09-13 |
| m.agent.mail.ru: Подделываем j2me app-descriptor |
None supplied |
isox |
No rating |
2015-09-13 |
| money.mail.ru: Странное поведение SMS |
Memory Corruption - Generic |
isox |
No rating |
2015-09-13 |
| tp-demo1.corp.mail.ru: SVN наружу торчит |
None supplied |
isox |
No rating |
2015-09-13 |
| Не уверен, что этому место на периметре: 94.100.180.95, 94.100.180.96, 94.100.180.97, 94.100.180.98 |
None supplied |
isox |
No rating |
2015-09-13 |
| Перечисление каталогов за счёт уязвимости в IIS |
Information Disclosure |
bigbear |
No rating |
2015-06-28 |
| No bruteforce protection leads to enumeration of emails in http://e.mail.ru/ |
Violation of Secure Design Principles |
niyaax |
No rating |
2015-06-28 |
| e.mail.ru stored XSS in agent via sticker (smile) |
Cross-site Scripting (XSS) - Generic |
reactors08 |
No rating |
2015-06-28 |
| XSS in touch.sports.mail.ru |
Cross-site Scripting (XSS) - Generic |
ddworken |
No rating |
2015-05-21 |
| XSS in ad.mail.ru |
Cross-site Scripting (XSS) - Generic |
ddworken |
No rating |
2015-05-02 |
| XSS in realty.mail.ru |
Cross-site Scripting (XSS) - Generic |
ddworken |
No rating |
2015-05-02 |
| Same Origin Policy bypass |
Cross-Site Request Forgery (CSRF) |
zoczus |
No rating |
2015-03-27 |
| XSS Vulnerability in cfire.mail.ru/screen/1/ |
Cross-site Scripting (XSS) - Generic |
ddworken |
No rating |
2015-03-22 |
| Stored XSS on http://top.mail.ru |
Cross-site Scripting (XSS) - Generic |
4lemon |
No rating |
2015-01-10 |
| localStorage не чистится после выхода |
Information Disclosure |
kamil_hism |
No rating |
2014-12-10 |
| XSS via .eml file |
Cross-site Scripting (XSS) - Generic |
reactors08 |
No rating |
2014-12-10 |
| Нежелательная информация |
Information Disclosure |
bigbear |
No rating |
2014-12-10 |
| Time based sql injection |
SQL Injection |
psych0tr1a |
No rating |
2014-12-10 |
| touch.mail.ru XSS via message id |
Cross-site Scripting (XSS) - Generic |
reactors08 |
No rating |
2014-12-10 |
| OpenSSL HeartBleed (CVE-2014-0160) |
None supplied |
c37hun |
No rating |
2014-12-10 |
| Reflected XSS connect.mail.ru (IE6-IE8) |
Cross-site Scripting (XSS) - Generic |
4lemon |
No rating |
2014-12-10 |
| Content Spoofing vulnerability in Mail.ru mobile |
Violation of Secure Design Principles |
mohank |
No rating |
2014-12-10 |
| XXE and SSRF on webmaster.mail.ru |
Command Injection - Generic |
4lemon |
No rating |
2014-12-10 |
| Stored XSS on http://cards.mail.ru |
Cross-site Scripting (XSS) - Generic |
4lemon |
No rating |
2014-12-10 |
| XSS in https://e.mail.ru/cgi-bin/lstatic (Limited use) |
Cross-site Scripting (XSS) - Generic |
4lemon |
No rating |
2014-12-10 |
| SQL injection [дырка в движке форума] |
SQL Injection |
psych0tr1a |
No rating |
2014-11-16 |
| Раскрытие полного серверного пути |
Information Disclosure |
bigbear |
No rating |
2014-10-16 |
| Flash XSS in http://lingvo.mail.ru |
Cross-site Scripting (XSS) - Generic |
quistertow |
No rating |
2014-10-02 |
| Раскрытие путей сервера за счёт неопределённого индекса в сценарии /home/berserk-online.com/public_html/forum/Themes/berserker/Profile.template.php |
Information Disclosure |
bigbear |
No rating |
2014-09-27 |
| (m.mail.ru) Password type input with auto-complete enabled |
Information Disclosure |
vineet |
No rating |
2014-09-19 |
| SQL Injection on 11x11.mail.ru |
SQL Injection |
bigbear |
No rating |
2014-09-16 |
| Reflected XSS in User-Agent |
Cross-site Scripting (XSS) - Generic |
bigbear |
No rating |
2014-09-16 |
| SQL inj |
SQL Injection |
vah13 |
No rating |
2014-09-12 |
| Reflected XSS |
Cross-site Scripting (XSS) - Generic |
chandrakant |
No rating |
2014-09-10 |
| Version Disclosure (NginX) |
Information Disclosure |
stalker |
No rating |
2014-09-10 |
| SQL |
SQL Injection |
vah13 |
No rating |
2014-08-16 |
| rs.mail.ru - Flash Based XSS |
Cross-site Scripting (XSS) - Generic |
quistertow |
No rating |
2014-08-07 |
| Flash XSS in http://go.mail.ru |
Cross-site Scripting (XSS) - Generic |
quistertow |
No rating |
2014-08-07 |
| Reflected XSS |
Cross-site Scripting (XSS) - Generic |
bigbear |
No rating |
2014-08-07 |
| Clicjacking on Login panel |
UI Redressing (Clickjacking) |
chandrakant |
No rating |
2014-07-14 |
| XSS in a file or folder name |
Cross-site Scripting (XSS) - Generic |
reactors08 |
No rating |
2014-07-09 |
| Xss On http://my.mail.ru/ |
Cross-site Scripting (XSS) - Generic |
chandrakant |
No rating |
2014-07-08 |
| XSS in "About Video" |
Cross-site Scripting (XSS) - Generic |
reactors08 |
No rating |
2014-07-06 |
| Flash XSS - http://hi-tech.mail.ru/ |
Cross-site Scripting (XSS) - Generic |
quistertow |
No rating |
2014-07-05 |
| No CSRF token used in Phone Verification POST |
Cross-Site Request Forgery (CSRF) |
siddiki |
No rating |
2014-06-11 |
| Home page reflected XSS |
Cross-site Scripting (XSS) - Generic |
bitquark |
No rating |
2014-06-06 |
| Clickjacking |
UI Redressing (Clickjacking) |
ma120320 |
No rating |
2014-06-06 |
| Admin panel of http://tp-test1.corp.mail.ru/ is acccessible publicly |
Violation of Secure Design Principles |
s3curient |
No rating |
2014-05-30 |
| SQL inj |
SQL Injection |
vah13 |
No rating |
2014-05-30 |
| SQL injection update.mail.ru |
SQL Injection |
vah13 |
No rating |
2014-05-30 |
| Persistent XSS in afisha.mail.ru |
Cross-site Scripting (XSS) - Generic |
4p00rv |
No rating |
2014-05-28 |
| Login without SSL-Protection |
Violation of Secure Design Principles |
redshark1802 |
No rating |
2014-05-27 |
| Unproper usage of Mobile Number that will lead to Information Disclosure |
Cryptographic Issues - Generic |
atom |
No rating |
2014-05-22 |
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles