Yelp Program Statistics

68 total issues disclosed

$26,900 total paid publicly

Most disclosed (9 disclosures) — Information Disclosure



Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| RXSS AT https://proze.yelp.com/tmsubscribe.net/vidsn.aspx | Cross-site Scripting (XSS) - Reflected | 0xold | Medium | 2025-06-30 |
| Unauthorized Reservation Cancellation Through IDOR Vulnerability | Insecure Direct Object Reference (IDOR) | no-need | High | 2025-01-29 |
| Privilege Escalation - A Non Owner User Who Does not Have access to the user management can invite other users to the restaurant page | Improper Access Control - Generic | vijaysimha-reddy | Low | 2025-01-29 |
| Privilege Escalation - A Low Privilege User who does not have access to the user management module can remove the owner of the business account | Improper Access Control - Generic | vijaysimha-reddy | Low | 2025-01-28 |
| Object Level access control leads to reading user's full requests, sessions, and error messages | Improper Access Control - Generic | mester_x | Medium | 2025-01-18 |
| yelp.com and biz.yelp.com ATO via XSS + Cookie Bridge | Cross-site Scripting (XSS) - Generic | lil_endian | Medium | 2023-09-08 |
| yelp.com XSS ATO (via login keylogger, link Google account) | Cross-site Scripting (XSS) - Generic | lil_endian | High | 2023-08-15 |
| Direct access to tox.ini file which is contain configuration details | Insecure Storage of Sensitive Information | xn--pple-43d | Low | 2023-03-02 |
| Fraudulent claim of business. | None supplied | ilpadrino | High | 2023-02-06 |
| PURGE is not authenticated | Improper Authentication - Generic | rac_fckscty | Low | 2023-01-19 |
| Robots.txt file with potentially sensitive content. | Privacy Violation | ethack1886 | Low | 2023-01-13 |
| If the website does not impose additional defense against CSRF attacks, failing to use the 'Lax' or 'Strict' values could increase the risk of exposur | None supplied | shubhangirathore836 | Low | 2022-11-30 |
| Subdomain Takeover on delivey.yelp.com | Phishing | racersaravanaa05 | Low | 2022-11-12 |
| Public Github Repo Leaking Internal Credentials | None supplied | xinfohuggerx | Critical | 2022-11-07 |
| installed.json sensitive file was publicly accessible on your web application which discloses information about authors and admins | Information Disclosure | whitehacker18 | Low | 2022-10-22 |
| Autofill/Autosave password on login | Insufficiently Protected Credentials | ishwar-kumar-777 | Medium | 2022-10-11 |
| CORS Misconfiguration on trust.yelp.com | None supplied | ajayjachak | Medium | 2022-10-10 |
| No rate limit on subscribe form | Business Logic Errors | happykira0x1 | Medium | 2022-10-05 |
| no rate limit in forgot password session | None supplied | irfadps | Medium | 2022-09-29 |
| Server-side request forgery (ssrf) | Server-Side Request Forgery (SSRF) | raja404 | Medium | 2022-09-28 |
| CORS Misconfiguration on Yelp | None supplied | qualw1n | Medium | 2022-09-28 |
| password field autocomplete enabled | Insecure Storage of Sensitive Information | er_salil | Medium | 2022-09-27 |
| xmlrpc file enabled | Information Disclosure | happykira0x1 | Low | 2022-06-16 |
| RCE on build server via misconfigured pip install | Download of Code Without Integrity Check | alexbirsan | Critical | 2021-02-09 |
| X-Forward-For Header allows to bypass access restrictions | Improper Access Control - Generic | parzel | Medium | 2020-10-26 |
| IDOR in locid parameter allowing to view others accounts Profile Locations | Business Logic Errors | cocoh__23 | Low | 2020-09-02 |
| Clickjacking lead to remove review | None supplied | alaayousef | Medium | 2020-09-01 |
| Unauthorized Use of Victim Credit Card | Privacy Violation | hk755a | Low | 2020-08-21 |
| CRITICAL-CLICKJACKING at Yelp Reservations Resulting in exposure of victim Private Data (Email info) + Victim Credit Card MissUse. | Improper Access Control - Generic | hk755a | Medium | 2020-08-21 |
| ClickJacking on IMPORTANT Functions of Yelp | UI Redressing (Clickjacking) | hk755a | Low | 2020-08-21 |
| I.D.O.R TO EDIT ALL USER'S CREDIT CARD INFORMATION+(Partial credit card info disclosure) | Insecure Direct Object Reference (IDOR) | hk755a | Medium | 2020-08-19 |
| I.D.O.R To Order,Book,Buy,reserve On YELP FOR FREE (UNAUTHORIZED USE OF OTHER USER'S CREDIT CARD) | Insecure Direct Object Reference (IDOR) | hk755a | Critical | 2020-08-19 |
| CRITICAL Insecure Direct Object Reference (I.D.O.R) - Link Other User's Credit Card | Privacy Violation | hk755a | High | 2020-08-19 |
| Nginx version disclosure via forbidden page | Information Disclosure | overlax | Low | 2017-11-21 |
| ClickJacking | UI Redressing (Clickjacking) | jessepinkman | None | 2017-11-09 |
| Clickjacking @ Main Domain[www.yelp.com] | UI Redressing (Clickjacking) | h4ck3r0ne | Low | 2017-11-09 |
| [Yelp Blog] Backslash in search string causes JS error | Violation of Secure Design Principles | denispugachev | None | 2017-11-09 |
| Research papers on yelp are getting indexed by google bots. | Information Disclosure | us111 | No rating | 2017-11-09 |
| One of yelp.com url is redirecting to domain which is not yet purchased | Open Redirect | us111 | No rating | 2017-11-09 |
| User can be fooled to Bookmark any restaurant by clickjacking | UI Redressing (Clickjacking) | na5ne3t | Low | 2017-11-09 |
| ClickJacking in editing business name | UI Redressing (Clickjacking) | mohammad_obaid | Low | 2017-11-09 |
| IDNs displayed in unicode in messages/about/talk sections (Homograph Attack) | Violation of Secure Design Principles | hk755a | No rating | 2017-11-09 |
| Password reset token not expiring | Improper Authentication - Generic | hk755a | No rating | 2017-11-09 |
| Leaking sensitive information lead to compromise employer API keys | Insecure Storage of Sensitive Information | xsam | High | 2017-11-09 |
| Yelp.com is vulnerable to SWEET32 attack | Cryptographic Issues - Generic | pkkothawade | No rating | 2017-11-09 |
| Content spoofing on yelp.onelogin | Open Redirect | japz | Low | 2017-11-09 |
| Missing X-Frame-Options header | UI Redressing (Clickjacking) | abdul_r3hman | No rating | 2017-11-09 |
| Click jacking in delete image of user in Yelp | UI Redressing (Clickjacking) | mohamedsherif | Medium | 2017-11-09 |
| Weak Password Policy | Violation of Secure Design Principles | k4yy1s | Low | 2017-11-09 |
| Ngnix Server version disclosure 404 Page! | Information Disclosure | babayaga_ | No rating | 2017-11-09 |
| IDOR(indirect object references) on add friend,complement and send message | Violation of Secure Design Principles | w3b7ricks73r | No rating | 2017-11-09 |
| [engineeringblog.yelp.com] CRLF Injection | None supplied | bobrov | No rating | 2017-11-09 |
| Error Page Text Injection | Violation of Secure Design Principles | r0h17 | None | 2017-11-09 |
| Possible content spoofing due to missing error page | Violation of Secure Design Principles | pisarenko | Low | 2017-11-09 |
| Nginx server version disclosure on engineeringblog | Information Disclosure | japz | None | 2017-11-09 |
| Clickjacking: X-Frame Header Missing | UI Redressing (Clickjacking) | vaxo | No rating | 2017-11-09 |
| Verification of email addresses possible through https://www.yelp.com/signup/facebook | Information Disclosure | coder13 | No rating | 2017-09-16 |
| Firefly's verify_access_token() function does a byte-by-byte comparison of HMAC values. | Cryptographic Issues - Generic | edoverflow | None | 2017-07-10 |
| Clickjacking Vulnerability found on Yelp | Cross-Site Request Forgery (CSRF) | hckyguy77 | Low | 2017-05-12 |
| Information disclosure - emails disclosed in response > staging.seatme.us | Cross-Site Request Forgery (CSRF) | quistertow | No rating | 2017-05-11 |
| CSRF on signup endpoint (auto-api.yelp.com) | Cross-Site Request Forgery (CSRF) | denispugachev | No rating | 2017-03-01 |
| Able to download arbitrary PHP files at yelpblog.com | Privilege Escalation | ret2got | None | 2017-02-06 |
| X.509 certificate validation fails on international vanity domains | Violation of Secure Design Principles | tk0 | None | 2017-02-06 |
| Self-XSS via location cookie city field when getting suggestions for a new location | Cross-site Scripting (XSS) - Generic | haquaman | No rating | 2016-11-30 |
| Requesting Show CheckIn Alert for Non Friend User | Information Disclosure | vinesh1989 | Low | 2016-10-27 |
| Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot | Information Disclosure | badagent | No rating | 2016-10-27 |
| Bybass The Closing of the account and logged again to your account | Improper Authentication - Generic | youssefmahmoud | No rating | 2016-10-21 |
| Access to internal CMS containing private Data | Improper Authentication - Generic | nahamsec | No rating | 2016-10-07 |