Mapbox


23 total issues disclosed

$28,800 total paid publicly


Most disclosed (8 disclosures) — Cross-site Scripting (XSS) - Generic



Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Test-scripts for postgis in mason-repository using unsafe unzip of content from unclaimed bucket creates potential RCE-issues | Command Injection - Generic | fransrosen | Critical | 2020-07-28 |
| Reflected XSS via XML Namespace URI on https://go.mapbox.com/index.php/soap/ | Cross-site Scripting (XSS) - Reflected | h4ck3d | Medium | 2020-04-15 |
| Stored XSS \| api.mapbox.com \| IE 11 \| Styles name | Cross-site Scripting (XSS) - Stored | renekroka | Medium | 2020-01-21 |
| Admin Panel Accessed (OAuth Bypassed ) | Command Injection - Generic | aneeskhan | Critical | 2017-12-21 |
| Logging a user into attacker's account using password reset link | Violation of Secure Design Principles | shahmeer-amir | No rating | 2017-10-20 |
| Stored xss in editor | Cross-site Scripting (XSS) - Generic | ehsahil | No rating | 2017-08-18 |
| Blind XSS in mapbox.com/contact | Cross-site Scripting (XSS) - Generic | ehsahil | No rating | 2017-08-15 |
| XSS on www.mapbox.com/authorize | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2017-08-14 |
| XSS on www.mapbox.com/authorize/ because of open redirect at /core/oauth/auth | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2017-08-14 |
| Public access to objects in AWS S3 bucket | Information Disclosure | ehsahil | Medium | 2017-07-12 |
| null pointer dereference and segfault in tile-count-merge | NULL Pointer Dereference | geeknik | High | 2017-07-11 |
| Node modules path disclosure due to lack of error handling | Information Disclosure | apapedulimu | Low | 2017-07-11 |
| Open Aws Amazon S3 Buckets | Improper Authentication - Generic | saadahmedx | Medium | 2017-04-25 |
| Mapbox Android SDK uses Broadcast Receiver instead of Local Broadcast Manager | Information Disclosure | mishre | Low | 2017-03-21 |
| target="_blank" Vulnerability Resulting in Critical Phishing Vector | Open Redirect | cha5m | No rating | 2016-09-07 |
| Reflected cross-site scripting (XSS) on api.tiles.mapbox.com | Cross-site Scripting (XSS) - Generic | dawgyg | No rating | 2016-06-02 |
| Mapbox API Access Token with No Scope Can Read Styles | Improper Authentication - Generic | bugs3ra | No rating | 2016-06-01 |
| Denial of service in account statistics endpoint | Denial of Service | apok | No rating | 2016-05-31 |
| XSS in L.mapbox.shareControl in mapbox.js | Cross-site Scripting (XSS) - Generic | enderun07 | No rating | 2016-05-04 |
| Content Spoofing and Local Redirect in Mapbox Studio | Open Redirect | hussain_0x3c | No rating | 2016-04-20 |
| Disclosure of map information | Improper Authentication - Generic | hussain_0x3c | No rating | 2016-04-19 |
| Stored Cross-Site Scripting in Map Share Page | Cross-site Scripting (XSS) - Generic | hussain_0x3c | No rating | 2016-04-19 |
| Persistent cross-site scripting (XSS) in map attribution | Cross-site Scripting (XSS) - Generic | ph3t | No rating | 2016-03-30 |