Slack


117 total issues disclosed

$87,700 total paid publicly


Most disclosed (28 disclosures) — Cross-site Scripting (XSS) - Generic

Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Stored XSS in files.slack.com | Cross-site Scripting (XSS) - Stored | oskarsv | Medium | 2021-12-02 |
| Cross-site leak allows attacker to de-anonymize members of his team from another origin | Privilege Escalation | jub0bs | Low | 2021-11-11 |
| Misuse of groups feature allows workspace members to join private channels without being invited | Improper Access Control - Generic | kmap | High | 2021-10-21 |
| Denial of Service via Hyperlinks in Posts | Denial of Service | joaovitormaia | Medium | 2021-10-03 |
| Private application files can be uploaded to Slack via malicious uploader | Information Disclosure | shell_c0de | Medium | 2021-08-04 |
| Header modification results in disclosure of Slack infra metadata to unauthorized parties | Server-Side Request Forgery (SSRF) | showuon | Medium | 2021-06-09 |
| Team members can trigger arbitrary code execution in Slack Desktop Apps via HTML Notifications | Code Injection | oskarsv | High | 2021-05-09 |
| DoS on the Direct Messages | Denial of Service | cyanpiny | Medium | 2020-11-11 |
| Access to some Slack workspace metadata and settings available to unauthorized parties | Improper Authentication - Generic | secalert | No rating | 2020-11-10 |
| Uninstalling Slack for Windows (64-bit), then reinstalling keeps you logged in without authentication | Insufficiently Protected Credentials | pclinger | Low | 2020-11-10 |
| Possibility to freeze/crash the host system of all Slack Desktop users easily | Violation of Secure Design Principles | bubbounty | Low | 2020-11-10 |
| Remote Code Execution in Slack desktop apps + bonus | Code Injection | oskarsv | Critical | 2020-08-28 |
| Tricking the "Create snippet" feature into displaying the wrong filetype can lead to RCE on Slack users | Unrestricted Upload of File with Dangerous Type | mcsheehan | High | 2020-07-01 |
| URL link spoofing | Phishing | akaki | Low | 2020-04-26 |
| Relative Path Vulnerability Results in Arbitrary Command Execution/Privilege Escalation | Command Injection - Generic | jhancock | Medium | 2020-04-02 |
| Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies | HTTP Request Smuggling | defparam | Critical | 2020-03-12 |
| TURN server allows TCP and UDP proxying to internal network, localhost and meta-data services | Server-Side Request Forgery (SSRF) | sandrogauci | Critical | 2020-03-12 |
| Slack DTLS uses a private key that is in the public domain, which may lead to SRTP stream hijack | Use of Hard-coded Cryptographic Key | sandrogauci | High | 2020-03-12 |
| URL filter bypass in Enterprise Grid | Phishing | akaki | Low | 2020-02-14 |
| Linux Desktop application slack executable does not use pie / no ASLR | Violation of Secure Design Principles | hanno | Low | 2019-11-17 |
| XSS vulnerable parameter in a location hash | Cross-site Scripting (XSS) - Generic | virtualhunter | No rating | 2019-10-16 |
| User-assisted RCE in Slack for macOS (from official site) due to improper quarantine meta-attribute handling for downloaded files | None supplied | metnew | High | 2019-09-15 |
| XSS in gist integration | Cross-site Scripting (XSS) - Generic | zemnmez | No rating | 2019-04-28 |
| Real Time Error Logs Through Debug Information | Information Exposure Through Debug Information | rubaljain | High | 2019-04-11 |
| AWS bucket leading to iOS test build code and configuration exposure | Information Disclosure | kiyell | Critical | 2019-02-23 |
| HTML Injection inside Slack promotional emails | None supplied | 0x0luke | Low | 2018-07-30 |
| HTTP parameter pollution from outdated Greenhouse.io JS dependency | Resource Injection | irvinlim | Medium | 2018-07-19 |
| Internal SSRF bypass using slash commands at api.slack.com | Server-Side Request Forgery (SSRF) | albatraoz | Medium | 2018-07-12 |
| Shared-channel BETA persists integration after unshare | Business Logic Errors | oneiroi | Medium | 2018-04-26 |
| Unauthenticated LFI revealing log information | Information Disclosure | juji | High | 2018-01-26 |
| Bypass two-factor authentication | Improper Authentication - Generic | kamikaze | No rating | 2017-11-18 |
| Race Condition in account survey | Violation of Secure Design Principles | cablej | No rating | 2017-11-12 |
| Many Slack teams can be joined by abusing an improperly configured [email protected] inbox | Improper Authentication - Generic | securinti | No rating | 2017-10-21 |
| The Custom Emoji Page has a Reflected XSS | Cross-site Scripting (XSS) - Reflected | co3k | High | 2017-09-24 |
| Access of Android protected components via embedded intent | Privilege Escalation | bagipro | Critical | 2017-07-18 |
| Code Injection in Slack's Windows Desktop Client leads to Privilege Escalation | Command Injection - Generic | fbogner | No rating | 2017-07-14 |
| "a stored xss issue in share post menu" | Cross-site Scripting (XSS) - Generic | boniao_norwin | No rating | 2017-06-25 |
| a stored xss issue in https://files.slack.com | Cross-site Scripting (XSS) - Generic | boniao_norwin | No rating | 2017-06-25 |
| Bypass to postMessage origin validation via FTP | Cross-site Scripting (XSS) - Generic | a1kmm- | High | 2017-04-21 |
| dom xss in https://www.slackatwork.com | Cross-site Scripting (XSS) - Generic | ba4fe4ca95021d367f8a574 | No rating | 2017-03-02 |
| Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain | Violation of Secure Design Principles | fransrosen | No rating | 2017-03-01 |
| Eavesdropping on private Slack calls | Improper Authentication - Generic | michiel | High | 2017-02-08 |
| [Screenhero] Subdomain takeover | Violation of Secure Design Principles | yassineaboukir | No rating | 2017-01-21 |
| Subdomain takeover on podcasts.slack-core.com | Cross-site Scripting (XSS) - Generic | michiel | Low | 2017-01-04 |
| Store XSS | Cross-site Scripting (XSS) - Generic | imran_hadid | High | 2017-01-01 |
| Information Disclosure on stun.screenhero.com | Information Disclosure | kazan71p | Medium | 2016-11-30 |
| Rate-limit bypass | Improper Authentication - Generic | imnarendrabhati | No rating | 2016-11-28 |
| Stored XSS(Cross Site Scripting) In Slack App Name | Cross-site Scripting (XSS) - Generic | imnarendrabhati | No rating | 2016-11-22 |
| RC4 cipher suites detected on status.slack.com | Violation of Secure Design Principles | linkks | No rating | 2016-11-18 |
| CSRF in github integration | Cross-Site Request Forgery (CSRF) | asanso | Medium | 2016-11-18 |
| Email information leakage for certain addresses | Information Disclosure | procode701 | No rating | 2016-10-31 |
| Authentication bypass leads to sensitive data exposure (token+secret) | Improper Authentication - Generic | secalert | No rating | 2016-10-20 |
| Open Redirect on slack.com | Cross-site Scripting (XSS) - Generic | sudotop | No rating | 2016-10-02 |
| Creating Post on a restricted channel | Privilege Escalation | thisishrsh | No rating | 2016-09-29 |
| Generate new Test token | Improper Authentication - Generic | onidnalbj | No rating | 2016-09-15 |
| User can start call in a channel of an unpaid account | Privilege Escalation | jobert | No rating | 2016-09-15 |
| Bypass of the SSRF protection (Slack commands, Phabricator integration) | None supplied | agarri_fr | No rating | 2016-09-14 |
| Snooping into messages via email service | Improper Authentication - Generic | rijalrojan | No rating | 2016-09-14 |
| Stored XSS on team.slack.com using new Markdown editor of posts inside the Editing mode and using javascript-URIs | Cross-site Scripting (XSS) - Generic | fransrosen | No rating | 2016-09-01 |
| CSRF - Add optional two factor mobile number | Cross-Site Request Forgery (CSRF) | nhavis | No rating | 2016-08-17 |
| Source code leakage through GIT web access at host '52.91.137.42' | Improper Authentication - Generic | d0znpp | No rating | 2016-08-15 |
| File upload over private IM channel | Privilege Escalation | thisishrsh | No rating | 2016-07-14 |
| OSX slack:// protocol handler javascript injection | Command Injection - Generic | computerality | No rating | 2016-06-24 |
| Unauthenticated Access to some old file thumbnails | Improper Authentication - Generic | mkbb | No rating | 2016-06-22 |
| a stored xss in slack integration https://onerror.slack.com/services/import | Cross-site Scripting (XSS) - Generic | boniao_norwin | No rating | 2016-05-22 |
| Trick make all fixed open redirect links vulnerable again | Open Redirect | s1ck-sec | No rating | 2016-05-22 |
| an xss issue in https://hunter22.slack.com/help/requests/793043 | Cross-site Scripting (XSS) - Generic | boniao_norwin | No rating | 2016-05-01 |
| Executing scripts on slack-files.com using SVG | Cross-site Scripting (XSS) - Generic | kamil_hism | No rating | 2016-02-18 |
| File upload XSS (Java applet) on http://slackatwork.com/ | Command Injection - Generic | hassham | No rating | 2015-11-11 |
| Self-XSS in posts by formatting text as code | Cross-site Scripting (XSS) - Generic | harry_mg | No rating | 2015-11-10 |
| Stored XSS in Slack (weird, trial and error) | Cross-site Scripting (XSS) - Generic | harry_mg | No rating | 2015-11-10 |
| Reflected Self-XSS in Slack | Cross-site Scripting (XSS) - Generic | harry_mg | No rating | 2015-11-10 |
| Link vulnerability leads to phishing attacks | None supplied | scorppy | No rating | 2015-07-14 |
| Team admin can change unauthorized team setting (allow_message_deletion) | Privilege Escalation | satishb3 | No rating | 2015-05-30 |
| Logout any user of same team | Cross-Site Request Forgery (CSRF) | oldusername | No rating | 2015-05-05 |
| Team admin can change unauthorized team setting (require_at_for_mention) | Privilege Escalation | satishb3 | No rating | 2015-04-30 |
| Team admin can add billing contacts | Privilege Escalation | satishb3 | No rating | 2015-04-03 |
| Reflective XSS can be triggered in IE | Cross-site Scripting (XSS) - Generic | shahmeer-amir | No rating | 2015-03-15 |
| Stored XSS in Slack.com | Cross-site Scripting (XSS) - Generic | atom | No rating | 2015-03-09 |
| Facebook Takeover using Slack using 302 from files.slack.com with access_token | Open Redirect | fransrosen | No rating | 2015-01-11 |
| SSRF on https://whitehataudit.slack.com/account/photo | Command Injection - Generic | 4lemon | No rating | 2014-12-21 |
| Data exports stored on S3 can be scraped easily | Improper Authentication - Generic | jobert | No rating | 2014-12-09 |
| HTTP Strict Transport Policy not enabled on newly made accounts | Violation of Secure Design Principles | shahmeer-amir | No rating | 2014-10-04 |
| Password Policy issue (Weak Protect) | Violation of Secure Design Principles | simon90 | No rating | 2014-09-04 |
| Content Spoofing all Integrations in https://team.slack.com/services/new/ | Violation of Secure Design Principles | jaysonzabate | No rating | 2014-09-03 |
| Broken Authentication (including Slack OAuth bugs) | Violation of Secure Design Principles | appsecure_in | No rating | 2014-08-30 |
| URL redirection flaw | Open Redirect | appsecure_in | No rating | 2014-08-30 |
| Stored XSS on this link https://sehacure.slack.com/help/requests/ | Cross-site Scripting (XSS) - Generic | appsecure_in | No rating | 2014-08-30 |
| Open Redirect login account | Open Redirect | jaysonzabate | No rating | 2014-08-25 |
| Content spoofing at Stripe Integrations | Violation of Secure Design Principles | jaysonzabate | No rating | 2014-08-25 |
| Deleting Teams implementation | Improper Authentication - Generic | eronx | No rating | 2014-08-21 |
| TLS1/SSLv3 Renegotiation Vulnerability | None supplied | ashesh | No rating | 2014-08-14 |
| Content Spoofing | Violation of Secure Design Principles | eronx | No rating | 2014-08-11 |
| Stored XSS in username.slack.com | Cross-site Scripting (XSS) - Generic | prakharprasad | No rating | 2014-08-07 |
| CSRF vulnerability on https://sehacure.slack.com/account/settings | Cross-Site Request Forgery (CSRF) | appsecure_in | No rating | 2014-07-26 |
| Remote file Inclusion - RFI in upload | Code Injection | coolboss | No rating | 2014-07-08 |
| Stored XSS Found | Cross-site Scripting (XSS) - Generic | karshxz7593 | No rating | 2014-06-01 |
| open redirect in https://slack.com | Open Redirect | kadaba | No rating | 2014-05-31 |
| Slack OAuth2 "redirect_uri" Bypass | Improper Authentication - Generic | prakharprasad | No rating | 2014-05-30 |
| Stored XSS in slack.com (integrations) | Cross-site Scripting (XSS) - Generic | derknet | No rating | 2014-05-29 |
| Stored XSS in www.slack-files.com | Cross-site Scripting (XSS) - Generic | prakharprasad | No rating | 2014-05-24 |
| Duplicate of #4550 | None supplied | prakharprasad | No rating | 2014-05-21 |
| Open Redirect in Slack | Open Redirect | prakharprasad | No rating | 2014-05-21 |
| Stored XSS in Channel Chat | Cross-site Scripting (XSS) - Generic | prakharprasad | No rating | 2014-05-21 |
| Reflected Xss | Cross-site Scripting (XSS) - Generic | niks | No rating | 2014-05-19 |
| Stored XSS in Slackbot Direct Messages | Cross-site Scripting (XSS) - Generic | prakharprasad | No rating | 2014-05-04 |
| CSRF on add comment section | Cross-Site Request Forgery (CSRF) | appsecure_in | No rating | 2014-04-12 |
| User impersonation is possible with incoming webhooks | Violation of Secure Design Principles | pwndizzle | No rating | 2014-04-10 |
| flash content type sniff vulnerability in api.slack.com | Cross-Site Request Forgery (CSRF) | netfuzzer | No rating | 2014-04-09 |
| csrf | Cross-Site Request Forgery (CSRF) | appsecure_in | No rating | 2014-04-06 |
| Stored XSS | Cross-site Scripting (XSS) - Generic | appsecure_in | No rating | 2014-04-06 |
| State parameter missing on google OAuth | Cross-Site Request Forgery (CSRF) | appsecure_in | No rating | 2014-04-06 |
| Open redirect vulnerability | Open Redirect | appsecure_in | No rating | 2014-04-06 |
| Email enumeration | Information Disclosure | anshuman_bh | No rating | 2014-04-02 |
| Session Fixation disclosing email address | Information Disclosure | xtross1 | No rating | 2014-03-31 |