Vimeo


72 total issues disclosed

$36,585 total paid publicly


Most disclosed (17 disclosures) — Cross-site Scripting (XSS) - Generic




Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| SSRF leaking internal google cloud data through upload function [SSH Keys, etc..] | Server-Side Request Forgery (SSRF) | dphoeniixx | Critical | 2019-12-13 |
| Reflected File Download (RFD) in download video | None supplied | dphoeniixx | Medium | 2019-08-23 |
| Domain pointing to vimeo portfolio are prone to takeover using on-demand. | Business Logic Errors | bugdiscloseguys | High | 2018-08-27 |
| Improper Authentication in Vimeo's API 'versions' endpoint. | Improper Authentication - Generic | bugdiscloseguys | High | 2018-05-15 |
| Watch any Password Video without password | Information Disclosure | opnsec | No rating | 2017-10-18 |
| OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing | Cross-Site Request Forgery (CSRF) | opnsec | No rating | 2017-10-18 |
| Images and Subtitles Leakage from private videos | Information Disclosure | opnsec | No rating | 2017-10-18 |
| Disclosure of sensitive information through Google Cloud Storage bucket | Information Disclosure | koenrh | High | 2017-09-29 |
| Reflected XSS on vimeo.com/musicstore | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2017-08-31 |
| Stored XSS on player.vimeo.com | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2017-08-31 |
| XSS when using captions/subtitles on video player based on Flash (requires user interaction) | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2017-08-31 |
| XSS on vimeo.com \| "Search within these results" feature (requires user interaction) | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2017-08-31 |
| XSS on vimeo.com/home after other user follows you | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2017-08-31 |
| XSS on player.vimeo.com without user interaction and vimeo.com with user interaction | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2017-08-31 |
| XSS on mobile version of vimeo.com where the button "Follow" appears | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2017-08-31 |
| Securing "Reset password" pages from bots | Violation of Secure Design Principles | panchocosil | No rating | 2017-01-31 |
| [vimeopro.com] CRLF Injection | None supplied | bobrov | No rating | 2016-10-24 |
| XSS in Subtitles of Vimeo Flash Player and Hubnut | Cross-site Scripting (XSS) - Generic | opnsec | No rating | 2016-09-14 |
| Downloading password protected / restricted videos | None supplied | gazza | No rating | 2016-09-05 |
| Invite any user to your group without even following him | Privilege Escalation | vijay_kumar1110 | No rating | 2016-08-26 |
| Error page Text Injection. | Violation of Secure Design Principles | h4rsh4d | No rating | 2016-08-02 |
| CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public | Cross-Site Request Forgery (CSRF) | opnsec | No rating | 2016-07-29 |
| All Vimeo Private videos disclosure via Authorization Bypass | Information Disclosure | opnsec | No rating | 2016-07-29 |
| Private, embeddable videos leaks data through Facebook & Open Graph | Information Disclosure | tomash | No rating | 2016-05-21 |
| No Limitation on Following allows user to follow people automatically! | Cross-Site Request Forgery (CSRF) | optimus_prime | No rating | 2016-05-02 |
| Missing rate limit on private videos password | Privilege Escalation | saeedhashem | No rating | 2016-03-22 |
| Legacy API exposes private video titles | Information Disclosure | nathonsecurity | No rating | 2016-02-10 |
| Stored XSS on vimeo.com and player.vimeo.com | Cross-site Scripting (XSS) - Generic | stefanofinding | No rating | 2015-11-30 |
| A user can enhance their videos with paid tracks without buying the track | Privilege Escalation | satishb3 | No rating | 2015-10-14 |
| Share your channel to any user on vimeo without following him | Privilege Escalation | vijay_kumar1110 | No rating | 2015-09-28 |
| Open Redirection Security Filter bypassed | Open Redirect | securityidiots | No rating | 2015-06-28 |
| Application XSS filter function Bypass may allow Multiple stored XSS | Cross-site Scripting (XSS) - Generic | securityidiots | No rating | 2015-06-28 |
| API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass | Improper Authentication - Generic | dor1s | No rating | 2015-05-31 |
| May cause account take over (Via invitation page) | Violation of Secure Design Principles | dia2diab | No rating | 2015-05-20 |
| CRITICAL full source code/config disclosure for Cameo | Information Disclosure | avlidienbrunn | No rating | 2015-05-11 |
| Insecure Direct Object References that allows to read any comment (even if it should be private) | Improper Authentication - Generic | patrik | No rating | 2015-05-04 |
| Insecure Direct Object References in https://vimeo.com/forums | Improper Authentication - Generic | patrik | No rating | 2015-05-04 |
| [URGENT ISSUE] Add or Delete the videos in watch later list of any user . | Cross-Site Request Forgery (CSRF) | ckmk44 | No rating | 2015-05-01 |
| Post in private groups after getting removed | Privilege Escalation | niyaax | No rating | 2015-05-01 |
| A user can add videos to other user's private groups | Privilege Escalation | satishb3 | No rating | 2015-04-23 |
| Vimeo + & Vimeo PRO Unautorised Tax bypass | None supplied | michelgaschet | No rating | 2015-04-18 |
| URGENT - Subdomain Takeover on status.vimeo.com due to unclaimed domain pointing to statuspage.io | Cross-Site Request Forgery (CSRF) | avlidienbrunn | No rating | 2015-04-18 |
| Vimeo.com - Reflected XSS Vulnerability | Cross-site Scripting (XSS) - Generic | dekeeu | No rating | 2015-04-08 |
| abusing Thumbnails(https://vimeo.com/upload/select_thumb) to see a private video | Privilege Escalation | adrianbelen | No rating | 2015-04-03 |
| Can message users without the proper authorization | Improper Authentication - Generic | jkjkjk | No rating | 2015-04-01 |
| Bypassing Email verification | None supplied | localpwn | No rating | 2015-03-29 |
| CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`. | Privilege Escalation | coolboss | No rating | 2015-03-18 |
| subdomain takeover 1511493148.cloud.vimeo.com | Violation of Secure Design Principles | shahmeer-amir | No rating | 2015-03-13 |
| A user can post comments on other user's private videos | Privilege Escalation | satishb3 | No rating | 2015-03-11 |
| A user can edit comments even after video comments are disabled | Privilege Escalation | satishb3 | No rating | 2015-03-11 |
| player.vimeo.com - Reflected XSS Vulnerability | Cross-site Scripting (XSS) - Generic | dekeeu | No rating | 2015-03-09 |
| Vimeo.com - reflected xss vulnerability | Cross-site Scripting (XSS) - Generic | dekeeu | No rating | 2015-03-09 |
| Full account takeover via Add a New Email to account without email verified and without password confirmation. | Violation of Secure Design Principles | a7medel-ma7alawy | No rating | 2015-03-06 |
| Poodle bleed vulnerability in cloud sub domain | Cryptographic Issues - Generic | shahmeer-amir | No rating | 2015-03-05 |
| Ability to Download Music Tracks Without Paying (Missing permission check on`/musicstore/download`) | Improper Authentication - Generic | wkcaj | No rating | 2015-03-02 |
| Serious Vulnerability Found | Improper Authentication - Generic | dotspoted | No rating | 2015-02-27 |
| Adding profile picture to anyone on Vimeo | Violation of Secure Design Principles | avlidienbrunn | No rating | 2015-02-26 |
| Vimeo.com Insecure Direct Object References Reset Password | Improper Authentication - Generic | toufikairane | No rating | 2015-02-26 |
| XSS on any site that includes the moogaloop flash player \| deprecated embed code | Cross-site Scripting (XSS) - Generic | batram | No rating | 2015-02-22 |
| profile photo update bypass | Privilege Escalation | defmax | No rating | 2015-02-17 |
| Buying ondemand videos that 0.1 and sometimes for free | Privilege Escalation | defmax | No rating | 2015-02-13 |
| Misconfigured crossdomain.xml - vimeo.com | Cryptographic Issues - Generic | balag_py | No rating | 2015-02-09 |
| Brute force on "vimeo" cookie | Improper Authentication - Generic | ba4fe4ca95021d367f8a574 | No rating | 2015-02-02 |
| CSRF bypass | Cross-Site Request Forgery (CSRF) | shubham | No rating | 2015-01-30 |
| ftp upload of video allows naming that is not sanitized as the manual naming | Violation of Secure Design Principles | ba4fe4ca95021d367f8a574 | No rating | 2015-01-29 |
| XSS on Vimeo | Cross-site Scripting (XSS) - Generic | niyaax | No rating | 2015-01-29 |
| Vimeo Search - XSS Vulnerability [http://vimeo.com/search] | Cross-site Scripting (XSS) - Generic | shamrocksu88 | No rating | 2015-01-23 |
| Make API calls on behalf of another user (CSRF protection bypass) | Cross-Site Request Forgery (CSRF) | avlidienbrunn | No rating | 2015-01-22 |
| unvalid open authentication with facebook | Improper Authentication - Generic | ckmk44 | No rating | 2015-01-21 |
| USER PRIVACY VIOLATED (PRIVATE DATA GETTING TRANSFER OVER INSECURE CHANNEL ) | Violation of Secure Design Principles | geekboy | No rating | 2015-01-21 |
| APIs for channels allow HTML entities that may cause XSS issue | Cross-site Scripting (XSS) - Generic | artem | No rating | 2015-01-08 |