| Title | Weakness | Reporter | Severity | Date |
|---|---|---|---|---|
| SSRF leaking internal google cloud data through upload function [SSH Keys, etc..] | Server-Side Request Forgery (SSRF) | dphoeniixx | Critical | 2019-12-13 |
| Reflected File Download (RFD) in download video | None supplied | dphoeniixx | Medium | 2019-08-23 |
| Domain pointing to vimeo portfolio are prone to takeover using on-demand. | Business Logic Errors | bugdiscloseguys | High | 2018-08-27 |
| Improper Authentication in Vimeo's API 'versions' endpoint. | Improper Authentication - Generic | bugdiscloseguys | High | 2018-05-15 |
| Watch any Password Video without password | Information Disclosure | opnsec | No rating | 2017-10-18 |
| OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing | Cross-Site Request Forgery (CSRF) | opnsec | No rating | 2017-10-18 |
| Images and Subtitles Leakage from private videos | Information Disclosure | opnsec | No rating | 2017-10-18 |
| Disclosure of sensitive information through Google Cloud Storage bucket | Information Disclosure | koenrh | High | 2017-09-29 |
| Reflected XSS on vimeo.com/musicstore | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2017-08-31 |
| Stored XSS on player.vimeo.com | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2017-08-31 |
| XSS when using captions/subtitles on video player based on Flash (requires user interaction) | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2017-08-31 |
| XSS on vimeo.com \| "Search within these results" feature (requires user interaction) | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2017-08-31 |
| XSS on vimeo.com/home after other user follows you | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2017-08-31 |
| XSS on player.vimeo.com without user interaction and vimeo.com with user interaction | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2017-08-31 |
| XSS on mobile version of vimeo.com where the button "Follow" appears | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2017-08-31 |
| Securing "Reset password" pages from bots | Violation of Secure Design Principles | panchocosil | No rating | 2017-01-31 |
| [vimeopro.com] CRLF Injection | None supplied | bobrov | No rating | 2016-10-24 |
| XSS in Subtitles of Vimeo Flash Player and Hubnut | Cross-site Scripting (XSS) - Generic | opnsec | No rating | 2016-09-14 |
| Downloading password protected / restricted videos | None supplied | gazza | No rating | 2016-09-05 |
| Invite any user to your group without even following him | Privilege Escalation | vijay_kumar1110 | No rating | 2016-08-26 |
| Error page Text Injection. | Violation of Secure Design Principles | h4rsh4d | No rating | 2016-08-02 |
| CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public | Cross-Site Request Forgery (CSRF) | opnsec | No rating | 2016-07-29 |
| All Vimeo Private videos disclosure via Authorization Bypass | Information Disclosure | opnsec | No rating | 2016-07-29 |
| Private, embeddable videos leaks data through Facebook & Open Graph | Information Disclosure | tomash | No rating | 2016-05-21 |
| No Limitation on Following allows user to follow people automatically! | Cross-Site Request Forgery (CSRF) | optimus_prime | No rating | 2016-05-02 |
| Missing rate limit on private videos password | Privilege Escalation | saeedhashem | No rating | 2016-03-22 |
| Legacy API exposes private video titles | Information Disclosure | nathonsecurity | No rating | 2016-02-10 |
| Stored XSS on vimeo.com and player.vimeo.com | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2015-11-30 |
| A user can enhance their videos with paid tracks without buying the track | Privilege Escalation | satishb3 | No rating | 2015-10-14 |
| Share your channel to any user on vimeo without following him | Privilege Escalation | vijay_kumar1110 | No rating | 2015-09-28 |
| Open Redirection Security Filter bypassed | Open Redirect | securityidiots | No rating | 2015-06-28 |
| Application XSS filter function Bypass may allow Multiple stored XSS | Cross-site Scripting (XSS) - Generic | securityidiots | No rating | 2015-06-28 |
| API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass | Improper Authentication - Generic | dor1s | No rating | 2015-05-31 |
| May cause account take over (Via invitation page) | Violation of Secure Design Principles | dia2diab | No rating | 2015-05-20 |
| CRITICAL full source code/config disclosure for Cameo | Information Disclosure | avlidienbrunn | No rating | 2015-05-11 |
| Insecure Direct Object References that allows to read any comment (even if it should be private) | Improper Authentication - Generic | patrik | No rating | 2015-05-04 |
| Insecure Direct Object References in https://vimeo.com/forums | Improper Authentication - Generic | patrik | No rating | 2015-05-04 |
| [URGENT ISSUE] Add or Delete the videos in watch later list of any user . | Cross-Site Request Forgery (CSRF) | ckmk44 | No rating | 2015-05-01 |
| Post in private groups after getting removed | Privilege Escalation | niyaax | No rating | 2015-05-01 |
| A user can add videos to other user's private groups | Privilege Escalation | satishb3 | No rating | 2015-04-23 |
| Vimeo + & Vimeo PRO Unautorised Tax bypass | None supplied | michelgaschet | No rating | 2015-04-18 |
| URGENT - Subdomain Takeover on status.vimeo.com due to unclaimed domain pointing to statuspage.io | Cross-Site Request Forgery (CSRF) | avlidienbrunn | No rating | 2015-04-18 |
| Vimeo.com - Reflected XSS Vulnerability | Cross-site Scripting (XSS) - Generic | dekeeu | No rating | 2015-04-08 |
| abusing Thumbnails(https://vimeo.com/upload/select_thumb) to see a private video | Privilege Escalation | adrianbelen | No rating | 2015-04-03 |
| Can message users without the proper authorization | Improper Authentication - Generic | jkjkjk | No rating | 2015-04-01 |
| Bypassing Email verification | None supplied | localpwn | No rating | 2015-03-29 |
| CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`. | Privilege Escalation | coolboss | No rating | 2015-03-18 |
| subdomain takeover 1511493148.cloud.vimeo.com | Violation of Secure Design Principles | shahmeer-amir | No rating | 2015-03-13 |
| A user can post comments on other user's private videos | Privilege Escalation | satishb3 | No rating | 2015-03-11 |
| A user can edit comments even after video comments are disabled | Privilege Escalation | satishb3 | No rating | 2015-03-11 |
| player.vimeo.com - Reflected XSS Vulnerability | Cross-site Scripting (XSS) - Generic | dekeeu | No rating | 2015-03-09 |
| Vimeo.com - reflected xss vulnerability | Cross-site Scripting (XSS) - Generic | dekeeu | No rating | 2015-03-09 |
| Full account takeover via Add a New Email to account without email verified and without password confirmation. | Violation of Secure Design Principles | a7medel-ma7alawy | No rating | 2015-03-06 |
| Poodle bleed vulnerability in cloud sub domain | Cryptographic Issues - Generic | shahmeer-amir | No rating | 2015-03-05 |
| Ability to Download Music Tracks Without Paying (Missing permission check on `/musicstore/download`) | Improper Authentication - Generic | wkcaj | No rating | 2015-03-02 |
| Serious Vulnerability Found | Improper Authentication - Generic | dotspoted | No rating | 2015-02-27 |
| Adding profile picture to anyone on Vimeo | Violation of Secure Design Principles | avlidienbrunn | No rating | 2015-02-26 |
| Vimeo.com Insecure Direct Object References Reset Password | Improper Authentication - Generic | toufikairane | No rating | 2015-02-26 |
| XSS on any site that includes the moogaloop flash player \| deprecated embed code | Cross-site Scripting (XSS) - Generic | batram | No rating | 2015-02-22 |
| profile photo update bypass | Privilege Escalation | defmax | No rating | 2015-02-17 |
| Buying ondemand videos that 0.1 and sometimes for free | Privilege Escalation | defmax | No rating | 2015-02-13 |
| Misconfigured crossdomain.xml - vimeo.com | Cryptographic Issues - Generic | balag_py | No rating | 2015-02-09 |
| Brute force on "vimeo" cookie | Improper Authentication - Generic | ba4fe4ca95021d367f8a574 | No rating | 2015-02-02 |
| CSRF bypass | Cross-Site Request Forgery (CSRF) | shubham | No rating | 2015-01-30 |
| ftp upload of video allows naming that is not sanitized as the manual naming | Violation of Secure Design Principles | ba4fe4ca95021d367f8a574 | No rating | 2015-01-29 |
| XSS on Vimeo | Cross-site Scripting (XSS) - Generic | niyaax | No rating | 2015-01-29 |
| Vimeo Search - XSS Vulnerability [http://vimeo.com/search] | Cross-site Scripting (XSS) - Generic | shamrocksu88 | No rating | 2015-01-23 |
| Make API calls on behalf of another user (CSRF protection bypass) | Cross-Site Request Forgery (CSRF) | avlidienbrunn | No rating | 2015-01-22 |
| unvalid open authentication with facebook | Improper Authentication - Generic | ckmk44 | No rating | 2015-01-21 |
| USER PRIVACY VIOLATED (PRIVATE DATA GETTING TRANSFER OVER INSECURE CHANNEL) | Violation of Secure Design Principles | geekboy | No rating | 2015-01-21 |
| APIs for channels allow HTML entities that may cause XSS issue | Cross-site Scripting (XSS) - Generic | artem | No rating | 2015-01-08 |