MTN Group Program Statistics



125 total issues disclosed

$0 total paid publicly

Most disclosed (22 disclosures) — Cross-site Scripting (XSS) - Reflected



Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| SQLi \| in URL paths | SQL Injection | almuntadhar0x01 | Critical | 2025-03-06 |
| Ability to Add and Verify Uncontrolled Mobile Numbers Leading to Account Takeover (ATO) | Authentication Bypass Using an Alternate Path or Channel | trev0ck | Critical | 2025-03-04 |
| Broken Access Control leads to disclosure of transaction history via /v2/rechargeTransactionHistory endpoint | None supplied | hafiz-ng | High | 2025-03-02 |
| Admin Dashboard Access Leads to Updating Merchant Info | Improper Access Control - Generic | tinopreter | Critical | 2025-03-02 |
| Information disclosure due to debug mode enabled at Laravel instance https://mpos.mtn.co.sz/ | Information Disclosure | odaysec | Medium | 2025-02-23 |
| CVE-2023-41763 Business Elevation of Privilege vulnerability on [.mtn.com] | Command Injection - Generic | h0w | High | 2025-02-22 |
| Unauthorized access to PII leads to Administrator account Takeover | Privilege Escalation | h0w | Critical | 2025-02-22 |
| Unauthenticated phpinfo()files could lead to ability file read at h2f54.n1.ips.mtn.co.ug [/dashboard/] | Violation of Secure Design Principles | odaysec | Medium | 2025-02-20 |
| Cisco IOS XE instance at ████ vulnerable to CVE-██████ | Command Injection - Generic | odaysec | Critical | 2025-02-19 |
| Improper Access Controls(Admin Path) | Improper Access Control - Generic | aliyueka | High | 2025-01-31 |
| Broken Access Control(Horizontal Privilege Escalation). | Improper Access Control - Generic | aliyueka | Medium | 2025-01-31 |
| Insecure direct Object Reference(Horizontal Escalation) | Insecure Direct Object Reference (IDOR) | aliyueka | Medium | 2025-01-31 |
| Yet Another OTP code Leaked in the API Response | Improper Authentication - Generic | tinopreter | Critical | 2025-01-08 |
| SQL injection in URL path leads to Database Access | SQL Injection | tinopreter | Critical | 2025-01-08 |
| OTP code Leaked in API Response | Improper Access Control - Generic | tinopreter | Critical | 2025-01-08 |
| DOM Based Reflected Cross Site Scripting | Cross-site Scripting (XSS) - DOM | nhx1 | High | 2024-12-25 |
| Information disclosure via enabled Django Debug Mode | Information Disclosure | nhx1 | Medium | 2024-12-25 |
| CVE-2017-9822 DotNetNuke Cookie Deserialization Remote Code Execution (RCE) on lonidoor.mtn.ci | Code Injection | odaysec | Critical | 2024-11-16 |
| Unauthenticated phpinfo()files could lead to ability file read at █████████ | Improper Access Control - Generic | odaysec | Medium | 2024-11-15 |
| Social media account takeover | Externally Controlled Reference to a Resource in Another Sphere | haythem02 | Low | 2024-11-03 |
| Reflected - XSS | Cross-site Scripting (XSS) - Reflected | vidaamuyarchi | High | 2024-10-21 |
| No rate limit in OTP code sending | None supplied | vidaamuyarchi | Medium | 2024-10-21 |
| Remote code execution [CVE-2023-36845] | None supplied | m4lc0lmx | Critical | 2024-10-09 |
| IDOR at mtnmobad.mtnbusiness.com.ng leads to PII leakage. | Insecure Direct Object Reference (IDOR) | hazemhussien99 | Critical | 2024-10-05 |
| Reflected XSS in https://nin.mtn.ng/nin/success?message=lol&nin=<VULNERABLE> | Cross-site Scripting (XSS) - Reflected | hazemhussien99 | Critical | 2024-10-05 |
| SSRF Keycloak before 13.0.0 - CVE-2020-10770 on https://sponsoredata.mtn.ci | Server-Side Request Forgery (SSRF) | renzi | Medium | 2024-09-26 |
| IDOR Leads To User Profile Modification https://mtnmobad.mtnbusiness.com.ng/app/updateUser | Incorrect Authorization | reachaxis | Critical | 2024-09-18 |
| Authentication Bypass Leads To Complete Account TakeveOver on ██████████ | Authentication Bypass Using an Alternate Path or Channel | reachaxis | Critical | 2024-09-14 |
| cross site scripting reflected | Cross-site Scripting (XSS) - Reflected | alitoni224 | Medium | 2024-09-09 |
| Reflected cross site scripting (XSS) attacks Reflected XSS attacks, | Cross-site Scripting (XSS) - Reflected | 0xmr_b4rayz | Medium | 2024-08-30 |
| PHP info page disclosure in ██████████ | None supplied | 0xmr_b4rayz | Medium | 2024-08-30 |
| CVE-2018-0296 Cisco ASA Denial of Service & Path Traversal vulnerable on [mtn.co.ug] | Path Traversal: '.../...//' | deb0con | Critical | 2024-08-30 |
| CVE-2010-1429 JBoss Insecure Storage of Sensitive Information on ips.mtn.co.ug | Insecure Storage of Sensitive Information | deb0con | High | 2024-08-30 |
| Remote code injection in Log4j on https://mymtn.mtncongo.net - CVE-2021-44228 | OS Command Injection | renzi | Critical | 2024-08-24 |
| Remote code injection in Log4j on http://mtn1app.mtncameroon.net - CVE-2021-44228 | OS Command Injection | renzi | Critical | 2024-08-24 |
| Cross-site Scripting (XSS) - Reflected on https://api.mtn.sd/carbon/admin/login.jsp via `msgId` parameter - CVE-2020-17453 | Cross-site Scripting (XSS) - Reflected | renzi | Medium | 2024-08-24 |
| Cross-site Scripting (XSS) - Reflected on http://callertunez.mtn.com.gh/wap/noauth/sharedetail.ftl via `callback` parameter | Cross-site Scripting (XSS) - Reflected | renzi | Medium | 2024-08-24 |
| Cross-site Scripting (XSS) - Reflected on http://h1b4e.n2.ips.mtn.co.ug:8080 via Nginx-module | Cross-site Scripting (XSS) - Reflected | renzi | Medium | 2024-08-24 |
| Reflected Cross Site Scripting Cisco ASA on myvpn.mtncameroon.net CVE-2020-3580 | Cross-site Scripting (XSS) - Reflected | renzi | Medium | 2024-08-23 |
| FULL ACCOUNT TAKEOVER | None supplied | impozzible | Critical | 2024-08-17 |
| Leaking usernames through endpoints Wordpress | Information Disclosure | alitoni224 | High | 2024-08-10 |
| Remote code execution via crafted pentaho report uploaded using default credentials for pentaho business server | Code Injection | zer0code | Critical | 2023-12-31 |
| Wordpress users Disclosure [ /wp-json/wp/v2/users/ ] Not Resolved () | Information Disclosure | thewikiii | Critical | 2022-12-28 |
| Developer Mistake | None supplied | coyemerald | None | 2022-12-25 |
| Exposure Of Admin Username & Password | Insecure Storage of Sensitive Information | coyemerald | Critical | 2022-12-25 |
| Information Disclosure Leads To User Data Leak | Information Disclosure | netboy | No rating | 2022-12-24 |
| Firebase credentials leak | None supplied | jimmisimon | No rating | 2022-12-15 |
| Authentication bypass in ████████ | Authentication Bypass Using an Alternate Path or Channel | roland_hack | Critical | 2022-12-02 |
| Remove Every User, Admin, And Owner Out Of Their Teams on developers.mtn.com via IDOR + Information Disclosure | Insecure Direct Object Reference (IDOR) | wallotry | Critical | 2022-12-01 |
| Unprotected Direct Object Reference | Insecure Direct Object Reference (IDOR) | coyemerald | Critical | 2022-12-01 |
| Firebase Database Takeover in https://pulseradio.mtn.co.ug/ | Insecure Storage of Sensitive Information | shuvam321 | Critical | 2022-12-01 |
| Wordpress users Disclosure [ /wp-json/wp/v2/users/ ] | Information Disclosure | shubham_srt | Critical | 2022-11-27 |
| Reflected XSS in chatbot | Cross-site Scripting (XSS) - Reflected | roland_hack | Medium | 2022-11-19 |
| Cross-Site Request Forgery (CSRF) to xss | Cross-Site Request Forgery (CSRF) | lu3ky-13 | Medium | 2022-10-30 |
| Cross-site Scripting (XSS) - Reflected | Cross-site Scripting (XSS) - Reflected | lu3ky-13 | Medium | 2022-10-30 |
| Otp bypass in verifying nin | Improper Authentication - Generic | mr_sparrow | High | 2022-10-17 |
| IDOR [mtnmobad.mtnbusiness.com.ng] | None supplied | insomnia_hax | Critical | 2022-10-13 |
| Reflected xss on videostore.mtnonline.com | Cross-site Scripting (XSS) - Reflected | possowski | High | 2022-09-25 |
| There is no rate limit for SME REGISTRATION PORTAL | Improper Authentication - Generic | sachinrajput | No rating | 2022-09-19 |
| String length restriction byepass at https://callerfeel.mtnonline.com/profile/feedback.html | Violation of Secure Design Principles | aliyugombe | High | 2022-09-07 |
| No password length restriction in reset password endpoint at http://suppliers.mtn.cm | None supplied | aliyugombe | Critical | 2022-09-05 |
| firebase credentials leaks @ ███████ | Information Disclosure | aliyugombe | Medium | 2022-09-05 |
| firebase credentials leaks @ https://mpulse.mtnonline.com | Information Disclosure | aliyugombe | Medium | 2022-09-05 |
| CVE-2021-38314 @ https://www.mtn.ci | None supplied | aliyugombe | Medium | 2022-09-05 |
| CVE-2021-38314 @ https://www.mtn.co.rw | None supplied | aliyugombe | No rating | 2022-09-05 |
| Exposed gitlab repo at https://adammanco.mtn.com/api/v4/projects | Information Disclosure | aliyugombe | Low | 2022-09-05 |
| Information disclosure through django debug mode | Information Exposure Through Debug Information | aliyugombe | Medium | 2022-09-05 |
| IDOR Leads To Account Takeover Without User Interaction | Insecure Direct Object Reference (IDOR) | theranger | Critical | 2022-09-04 |
| path traversal vulnerability in Grafana 8.x allows " local file read " | None supplied | malagham | Critical | 2022-09-03 |
| Weak/Auto Fill Password | Insufficiently Protected Credentials | harris0ft | Critical | 2022-09-03 |
| Wordpress users disclosure from json and xml file | Information Disclosure | drak3hft7 | Low | 2022-09-02 |
| Sensitive Information Disclosure Through Config File | Cleartext Storage of Sensitive Information | dh0pe | High | 2022-09-01 |
| Default Admin Username and Password on remedysso.mtncameroon.net | None supplied | dh0pe | High | 2022-09-01 |
| Password reset token leak on third party website via Referer header [██████████] | None supplied | ibrahimatix0x01 | Medium | 2022-09-01 |
| Remote code execution due to unvalidated file upload | Improper Input Validation | aliyugombe | Critical | 2022-09-01 |
| Default Login Credentials on https://broadbandmaps.mtn.com.gh/ | Improper Access Control - Generic | theranger | Critical | 2022-08-25 |
| Blind SSRF External Interaction on ████████ | Server-Side Request Forgery (SSRF) | error201 | High | 2022-08-21 |
| cross site scripting in : mtn.bj | Cross-site Scripting (XSS) - Reflected | alimanshester | High | 2022-08-06 |
| Open redirection at https://smartreports.mtncameroon.net | Open Redirect | vulnera | Low | 2022-07-30 |
| POST BASED REFLECTED XSS IN dailydeals.mtn.co.za | Cross-site Scripting (XSS) - Reflected | shuvam321 | High | 2022-07-15 |
| Download full backup [Mtn.co.rw] | None supplied | ibrahimatix0x01 | Critical | 2022-05-14 |
| XSS at http://nextapps.mtnonline.com/search/suggest/q/{xss payload} | Cross-site Scripting (XSS) - Reflected | homosec | Medium | 2022-05-01 |
| XSS at videostore.mtnonline.com/GL/*.aspx via all parameters | Cross-site Scripting (XSS) - Reflected | homosec | Medium | 2022-05-01 |
| xss on [developers.mtn.com] | Cross-site Scripting (XSS) - Reflected | pisarenko | Medium | 2022-04-19 |
| Insecure Storage of Sensitive Information on lonestarcell.com server | Insecure Storage of Sensitive Information | q9m | Critical | 2022-04-09 |
| Insecure crossdomain.xml on https://vdc.mtnonline.com/ | Information Disclosure | xlife | High | 2022-03-20 |
| Exposed .bash_history at http://21days2017.mtncameroon.net/.bash_history | Information Disclosure | xlife | Medium | 2022-03-20 |
| PHP Info Exposing Secrets at https://radio.mtn.bj/info | Information Disclosure | pudsec | High | 2022-03-08 |
| Reflected XSS on dailydeals.mtn.co.za | Cross-site Scripting (XSS) - Reflected | musab_alharany | Medium | 2021-12-24 |
| Reflected XSS at dailydeals.mtn.co.za | Cross-site Scripting (XSS) - Reflected | musab_alharany | Medium | 2021-12-24 |
| HTML injection in email content during registration via FirstName/LastName parameter | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | ibrahimatix0x01 | Medium | 2021-12-18 |
| RXSS - http://macademy.mtnonline.com | Cross-site Scripting (XSS) - Reflected | 0xelkomy | Medium | 2021-12-11 |
| Missing captcha and rate limit protection in help form | Improper Input Validation | aliyugombe | Medium | 2021-12-11 |
| [mtn.com.af] Multiple vulnerabilities allow to Application level DoS | Business Logic Errors | andridev_ | High | 2021-09-28 |
| Reflected Cross-Site scripting in : mtn.bj | Cross-site Scripting (XSS) - Reflected | alimanshester | High | 2021-09-26 |
| [play.mtn.co.za] Application level DoS via xmlrpc.php | Business Logic Errors | lmhu | Medium | 2021-09-10 |
| SQL injection [futexpert.mtngbissau.com] | SQL Injection | pisarenko | High | 2021-09-09 |
| blind sql on [selfcare.mtn.com.af] | SQL Injection | pisarenko | Medium | 2021-09-09 |
| RCE Apache Struts2 remote command execution (S2-045) on [wifi-partner.mtn.com.gh] | Code Injection | pisarenko | High | 2021-09-09 |
| Unauthenticated Arbitrary File Deletion (CVE-2020-3187) | Path Traversal | 3mm3 | High | 2021-08-29 |
| information discloure via logs files at ==> https://ihelp.mtnbusiness.com/logfiles/Log_21-06-2021.txt | Information Disclosure | zero_or_1 | High | 2021-08-20 |
| Email verification bypassed during sing up (https://developers.mtn.com/profile) | Violation of Secure Design Principles | ibrahimauwal__ | Medium | 2021-08-19 |
| 2x Remote file inclusion within your VMware Instances | Remote File Inclusion | 0x0luke | Critical | 2021-08-19 |
| CVE-2018-6389 exploitation - using scripts loader | Business Logic Errors | devhug | High | 2021-08-18 |
| No rate limit lead to otp brute forcing | Brute Force | aliyugombe | High | 2021-08-16 |
| No rate limit in otp code sending | Violation of Secure Design Principles | aliyugombe | Medium | 2021-08-16 |
| Blind SQL Injection | SQL Injection | lu3ky-13 | Critical | 2021-08-14 |
| Reflected XSS on play.mtn.co.za | Cross-site Scripting (XSS) - Reflected | lu3ky-13 | Medium | 2021-08-14 |
| Disclosure of internal information using hidden NTLM authentication leading to an exploit server | External Control of Critical State Data | z3lox | High | 2021-08-04 |
| SQL Injection on the administrator panel | SQL Injection | z3lox | Critical | 2021-07-29 |
| XMLRPC, Enabling XPSA and Bruteforce and DOS + A file disclosing installer-logs. | Denial of Service | tandav | High | 2021-06-14 |
| Cross-Site Scripting through search form on mtnplay.co.zm | Cross-site Scripting (XSS) - Generic | droop3r | Low | 2021-06-08 |
| Reflected XSS on gamesclub.mtn.com.g | Cross-site Scripting (XSS) - Generic | lu3ky-13 | Medium | 2021-05-24 |
| Reflected XSS on mtnhottseat.mtn.com.gh | Cross-site Scripting (XSS) - Reflected | lu3ky-13 | Medium | 2021-05-24 |
| Remote OS Command Execution on Oracle Weblogic server via [CVE-2017-10271] | OS Command Injection | tounsi_007 | Critical | 2021-04-25 |
| Remote OS Command Execution on Oracle Weblogic server via [CVE-2017-3506] | OS Command Injection | tounsi_007 | Critical | 2021-04-25 |
| Java Debug Console Provides Command Injection Without Privellage Esclation | Code Injection | rpbeast33 | Critical | 2020-07-23 |
| Accessible Restricted directory on [bcm-bcaw.mtn.cm] | Information Exposure Through Directory Listing | tounsi_007 | Medium | 2020-07-15 |
| SharePoint exposed web services in a subdomain | Improper Access Control - Generic | miguel_santareno | Medium | 2020-05-16 |
| Week Passwords generated by password reset function | Weak Password Recovery Mechanism for Forgotten Password | tp9222 | Low | 2020-05-09 |
| SQL Injection on cookie parameter | SQL Injection | w31rd0 | High | 2020-05-03 |
| Unsafe cors sharing of admin users | None supplied | newbipath12 | Medium | 2020-05-01 |
| OTP bypass - Unintended disclosure of OTP to client allows attacker to manage users' subscriptions | Incorrect Authorization | kcz | Medium | 2020-04-11 |
| Information Disclosure Microsoft IIS Server service.cnf in a mtn website | Information Disclosure | miguel_santareno | Medium | 2020-04-03 |
| Information Disclosure FrontPage Configuration Information /_vti_inf.html in https://www.mtn.co.za/ | Improper Access Control - Generic | miguel_santareno | Medium | 2020-04-03 |