TOPAUTHORIZATION.md

File metadata and controls

658 lines (657 loc) · 96.8 KB

Top Authorization Bypass reports from HackerOne:

  1. Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO to Shopify - 1840 upvotes, $16000
  2. [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Shopify - 877 upvotes, $15000
  3. Ability to reset password for account to Upserve - 605 upvotes, $0
  4. Request smuggling on admin-official.line.me could lead to account takeover to LY Corporation - 556 upvotes, $0
  5. Privilege Escalation From user to SYSTEM via unauthenticated command execution to Ubiquiti Inc. - 541 upvotes, $0
  6. Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation to Shopify - 537 upvotes, $0
  7. Able to Become Admin for Any LINE Official Account to LY Corporation - 487 upvotes, $4750
  8. H1514 Ability to MiTM Shopify PoS Session to Takeover Communications to Shopify - 365 upvotes, $0
  9. Attacker is able to access commit title and team member comments which are supposed to be private to GitLab - 338 upvotes, $0
  10. [Razer Pay Mobile App] Broken access control allowing other user's bank account to be deleted to Razer - 311 upvotes, $1000
  11. Shopify admin authentication bypass using partners.shopify.com to Shopify - 298 upvotes, $20000
  12. Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite) to LocalTapiola - 263 upvotes, $18000
  13. Team member with Program permission only can escalate to Admin permission to HackerOne - 258 upvotes, $2500
  14. Linux privilege escalation via trusted $PATH in keybase-redirector to Keybase - 245 upvotes, $5000
  15. Bypass Email Verification -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain to GitLab - 239 upvotes, $3000
  16. Ability to bypass partner email confirmation to take over any store given an employee email to Shopify - 234 upvotes, $15250
  17. Privilege escalation from any user (including external) to gitlab admin when admin impersonates you to GitLab - 233 upvotes, $0
  18. Ability to bypass email verification for OAuth grants results in accounts takeovers on 3rd parties to GitLab - 228 upvotes, $3000
  19. Ability to DOS any organization's SSO and open up the door to account takeovers to Grammarly - 225 upvotes, $10500
  20. Unauthenticated blind SSRF in OAuth Jira authorization controller to GitLab - 222 upvotes, $4000
  21. Ability To Delete User(s) Account Without User Interaction to GitLab - 215 upvotes, $0
  22. [www.zomato.com] Blind XSS on one of the Admin Dashboard to Zomato - 214 upvotes, $750
  23. Incorrect authorization to the intelbot service leading to ticket information to TikTok - 203 upvotes, $15000
  24. Privilege escalation in workers container to Semmle - 202 upvotes, $1500
  25. Admin Management - Login Using Default Password - Leads to Image Upload Backdoor/Shell to Razer - 199 upvotes, $200
  26. Ability to create own account UUID leads to stored XSS to Upserve - 198 upvotes, $1500
  27. Unauthorized access to █████████.com allows access to Uber Brazil tax documents and system. to Uber - 197 upvotes, $4500
  28. HackerOne SAML signup domain enforcement bypass results in unauthorized access to HackerOne PullRequest organization to HackerOne - 197 upvotes, $0
  29. HackerOne Jira integration plugin Leaked JWT to unauthorized jira users to HackerOne - 196 upvotes, $3000
  30. Stealing Users OAuth authorization code via redirect_uri to pixiv - 193 upvotes, $2000
  31. Unauthorized access to metadata of undisclosed reports that were retested to HackerOne - 181 upvotes, $0
  32. Ability To Take Over any account by Email to Radancy - 168 upvotes, $0
  33. GraphQL AdminGenerateSessionPayload is leaked to staff with no permission to Shopify - 168 upvotes, $0
  34. Able to approve admin approval and change effective status without adding payment details to Reddit - 162 upvotes, $5000
  35. RCE as Admin defeats WordPress hardening and file permissions to WordPress - 161 upvotes, $0
  36. Admin can create a hidden admin account which even the owner can not detect and remove and do administrative actions on the application. to Reddit - 160 upvotes, $0
  37. Open memory dump method leaking customer information, secret keys, passwords, source code & admin accounts to Stripo Inc - 152 upvotes, $0
  38. Absence of Token expiry leads to Unauthorized login Access to Affirm - 145 upvotes, $0
  39. inDriver Job - Admin Approval Bypass to inDrive - 140 upvotes, $1000
  40. Unauthorized user can obtain report_sources attribute through Team GraphQL object to HackerOne - 137 upvotes, $2500
  41. [blog.makerdao.com] Multiple Vulnerabilities - Leads to leakage user admin sensitive exposure to BlockDev Sp. Z o.o - 136 upvotes, $0
  42. Admin Panel Accessed (OAuth Bypassed ) to Mapbox - 123 upvotes, $4000
  43. SQL injection in Razer Gold List Admin at /lists/index.php via the list[] parameter. to Razer - 122 upvotes, $2000
  44. Apache HTTP [2.4.17-2.4.38] Local Root Privilege Escalation to Internet Bug Bounty - 119 upvotes, $1500
  45. Privilege Escalation via Keybase Helper to Keybase - 115 upvotes, $0
  46. Leak of authorization urls leads to account takeover to Bumble - 105 upvotes, $0
  47. Unauthorized User can View Subscribers of Other Users Newsletters to LinkedIn - 102 upvotes, $0
  48. Ubuntu Linux privilege escalation (dirty_sock) to Internet Bug Bounty - 101 upvotes, $0
  49. Ability to perform actions (Tweet, Retweet, DM) and other actions, unauthenticated, on any account with SMS enabled. to X (Formerly Twitter) - 99 upvotes, $0
  50. Unauthorized access to resumes stored on LinkedIn to LinkedIn - 99 upvotes, $0
  51. [www.zomato.com] Blind XSS in one of the admin dashboard to Zomato - 97 upvotes, $500
  52. Ability to join an arbitrary workspace by utilizing a proxy to manipulate invite links to Slack - 96 upvotes, $0
  53. connect.8x8.com: admin user can send invites on behalf of another admin user via POST /api/v1/users/<User ID>/invites to 8x8 Bounty - 94 upvotes, $0
  54. Admin panel Exposure without credential at https://plus-website.shopifycloud.com/admin.php to Shopify - 91 upvotes, $2900
  55. Header modification results in disclosure of Slack infra metadata to unauthorized parties to Slack - 90 upvotes, $0
  56. Multiple Vulnerabilities in (*www.yoti.com) - Leads to Leakage user admin Sensitive Exposure to Yoti - 88 upvotes, $0
  57. Privilege Escalation via REST API to Administrator leads to RCE to WordPress - 88 upvotes, $0
  58. Github app Privilege Escalation to Administrator/Owner of the Organization to GitHub - 87 upvotes, $0
  59. capsula.mail.ru - Admin blind stored XSS to Mail.ru - 86 upvotes, $1500
  60. CORS misconfiguration allows to steal client's "password", Authorization token and the customer details e.g. names, SSN, bank account etc. to LocalTapiola - 86 upvotes, $0
  61. Unauthorized access to https://shipit.analogpond.com/ to DigitalOcean - 86 upvotes, $0
  62. Add new development stores without permission to Shopify - 84 upvotes, $1900
  63. Ability to link a Google account to another staff account/store owner that isn't linked yet to Shopify - 83 upvotes, $0
  64. Ability to publish a paid theme without purchasing it. to Shopify - 81 upvotes, $2000
  65. Privilege-0 to Root Privilege Escalation on EdgeSwitch to Ubiquiti Inc. - 81 upvotes, $0
  66. Insufficient access control on all BCRM instances leading to the ability to create admin accounts using the API to LY Corporation - 81 upvotes, $0
  67. Complete Admin account takeover due to PhpDebugBar turned on in Uber's production server to Uber - 80 upvotes, $2750
  68. Admin Authentication Bypass Lead to Admin Account Takeover to UPS VDP - 80 upvotes, $0
  69. [Hubs] - Broken access control in placing objects in hubs room to Mozilla - 80 upvotes, $0
  70. User automatically logged in as Sys Admin user on https://███/Administration/Administration.aspx to U.S. Dept Of Defense - 79 upvotes, $0
  71. latest_activity_id and latest_activity_at may disclose information about internal activities to unauthorized users to HackerOne - 76 upvotes, $0
  72. Improper authorization allows disclosing users' notification data in Notification channel server to LY Corporation - 75 upvotes, $2000
  73. [Mail.Ru Android] Typo in permission name allows to write contacts without user knowledge to Mail.ru - 75 upvotes, $0
  74. Incorrect details on OAuth permissions screen allows DMs to be read without permission to X (Formerly Twitter) - 73 upvotes, $2940
  75. Ability to verify any email address you don't own - accounts.shopify.com to Shopify - 73 upvotes, $0
  76. Unauthorized access to GovSlack to Slack - 71 upvotes, $1500
  77. The request tells the number of private programs, the new system of authorization /invite/token to HackerOne - 69 upvotes, $2000
  78. Authorization Token on PlayStation Network Leaks via postMessage function to PlayStation - 66 upvotes, $1000
  79. CSRF on Periscope Web OAuth authorization endpoint to X (Formerly Twitter) - 66 upvotes, $0
  80. Able to see Twitter Circle tweets due to improper access control on the "FavoriteTweet" endpoint to X (Formerly Twitter) - 65 upvotes, $0
  81. CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes to Kubernetes - 64 upvotes, $5000
  82. Able to access private picture/video/writing when requesting for their JSON response to FetLife - 64 upvotes, $0
  83. User able to access company details in yrityspalvelu without proper permissions to LocalTapiola - 63 upvotes, $2000
  84. Insecure Infrastructure Integrations YML Loading leads to Windows Privilege Escalation to New Relic - 63 upvotes, $0
  85. Missing Authorization on Private Message replies (BuddyPress) to WordPress - 63 upvotes, $0
  86. IDOR the ability to view support tickets of any user on seller platform to TikTok - 61 upvotes, $2500
  87. A non-privileged user may create an admin account in Stocky to Shopify - 61 upvotes, $1600
  88. Privilege escalation of "external user" (with maintainer privilege) to internal access through project token to GitLab - 61 upvotes, $1020
  89. Authorization issue in Google G Suite allows DoS through HTTP redirect to Uber - 61 upvotes, $0
  90. Blind XSS in Mobpub Marketplace Admin Production | Sentry via demand.mopub.com (User-Agent) to X (Formerly Twitter) - 61 upvotes, $0
  91. Ability to get Twitter Blue verified badge without purchasing it to X (Formerly Twitter) - 61 upvotes, $0
  92. [www.zomato.com] Blind XSS in one of the Admin Dashboard to Zomato - 60 upvotes, $0
  93. Brute Force of fabric-ca server admin account to Hyperledger - 60 upvotes, $0
  94. Improper Access Control + Financial fraud allows attacker to disclose + add arbitrary products to another's user's order to Shipt - 59 upvotes, $3900
  95. [idor] Unauthorized Read access to all the private posts(Including Photos,Videos,Gifs) to Pornhub - 58 upvotes, $1500
  96. Authorization bypass using login by phone option+horizontal escalation possible on Grab Android App to Grab - 58 upvotes, $1000
  97. Ability to Disable the Login Attempt of any Shopify Owner for 24 hrs (Zero_Click) to Shopify - 58 upvotes, $900
  98. Ability to access all user authentication tokens, leads to RCE to GitLab - 57 upvotes, $0
  99. Privilege Escalation by abusing non-existent path. (Windows) to PortSwigger Web Security - 57 upvotes, $0
  100. [affiliates.udemy.com] WordPress user admin information disclosure to Udemy - 57 upvotes, $0
  101. Access to some Slack workspace metadata and settings available to unauthorized parties to Slack - 55 upvotes, $7000
  102. Ability to see hidden likes to X (Formerly Twitter) - 54 upvotes, $0
  103. Sensitive Clickjacking on admin login page. to Shipt - 53 upvotes, $0
  104. Staff are able to extend Shopify trial period without admin permission to Shopify - 53 upvotes, $0
  105. [manage.jumpbikes.com] Blind XSS on Jump admin panel via user name to Uber - 53 upvotes, $0
  106. Ability to log in as any user without authentication if █████████ is empty to Ubiquiti Inc. - 52 upvotes, $0
  107. Ability to add arbitrary images/descriptions/titles to other people's issues via IDOR on getrevue.co to X (Formerly Twitter) - 52 upvotes, $0
  108. Staff who only have apps and channels permission can take over an account at the wholesale store (Bypass get invitation link) to Shopify - 51 upvotes, $1600
  109. Ability to bruteforce mopub account’s password due to lack of rate limitation protection using {ip rotation techniques} to X (Formerly Twitter) - 51 upvotes, $420
  110. Privilege Escalation in kOps using GCE/GCP Provider to Kubernetes - 50 upvotes, $2500
  111. Unauthenticated read and write access to ALL endpoints of a store is possible for removed staff members who had "Apps" permission to Shopify - 50 upvotes, $0
  112. Inject page in admin panel via Shopify.API.pushState to Shopify - 49 upvotes, $500
  113. Privilege Escalation: Read-Only to Admin to Inflection - 49 upvotes, $0
  114. SQL Injection in IBM access control panel & Broken access in admin panel to IBM - 49 upvotes, $0
  115. Privilege Escalation on TikTok for Business to TikTok - 49 upvotes, $0
  116. CVE-2023-42663: Apache Airflow: Bypass permission verification to view task instances of other dags to Internet Bug Bounty - 48 upvotes, $540
  117. Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks to Discourse - 48 upvotes, $512
  118. XSS within Shopify Email App - Admin to Shopify - 48 upvotes, $0
  119. ability to install paid themes for free to Shopify - 46 upvotes, $0
  120. Information disclosure (Email, Numbers, Agreements, admin Sessions and more ...) through a PostgreSQL database belonging to (legium-back.corp.mail.ru) to Mail.ru - 46 upvotes, $0
  121. Bypassing Collaborator Restrictions: Retaining Admin Access Post-Repository Transfer to GitHub - 45 upvotes, $4000
  122. Unauthorized access to jiratest.starbucks.com to Starbucks - 45 upvotes, $0
  123. [h1-2102] [Yaworski's Broskis] Low privilege user can read POS PINs via graphql and elevate his privilege to Shopify - 45 upvotes, $0
  124. macOS privilege escalation to Keybase - 44 upvotes, $0
  125. A malicious admin is able to permanently prevent an Owner (Admin) from accessing his account to Linktree - 43 upvotes, $600
  126. Admin Command Injection via username in user_archive ExportCsvFile to Discourse - 43 upvotes, $512
  127. Privilege Escalation: deleting all created links from okl.lt to ok.ru - 43 upvotes, $0
  128. blog/wp-json/wp/v2/users FILE is enable it will used for bruteforce attack the admin panel at blog/wp-login.php to Mail.ru - 43 upvotes, $0
  129. 2M Reports on HackerOne Celebration! - Ability to bulk-submit many reports. to HackerOne - 43 upvotes, $0
  130. Privilege escalation - Support-Contributor to Support and Product Admin via /api/v2/██████ . No ADMIN PRIVILEGE required. to Zendesk - 43 upvotes, $0
  131. Privilege Escalation via Keybase Helper (incomplete security fix) to Keybase - 42 upvotes, $0
  132. Non privileged user is able to approve his own app himself leading to mass privilege escalations. to Lark Technologies - 42 upvotes, $0
  133. Unauthenticated Access to Admin Panel Functions at https://██████████/████████ to U.S. Dept Of Defense - 42 upvotes, $0
  134. Exposure Of Admin Username & Password to MTN Group - 42 upvotes, $0
  135. Unauthorized Access to Offline Publication Cover Pages via SOURCE_DOCUMENT_ID to Publitas - 42 upvotes, $0
  136. RC Between GitHub's Repo Transfer REST API and updateTeamsRepository GraphQL Mutation Results in Covert and Persistent Admin Access Retention to GitHub - 41 upvotes, $4000
  137. Improper access control on easytopup.in.th transaction page leads to user's information disclosure and may lead to account hijacking to Razer - 41 upvotes, $1000
  138. admin password disclosure via log file to Acronis - 41 upvotes, $100
  139. Blind XSS Stored On Admin Panel Through Name Parameter In [ https://technoatom.mail.ru/] to Mail.ru - 41 upvotes, $0
  140. Unauthorized Access To Admin panel to Mail.ru - 41 upvotes, $0
  141. Privilege Escalation leading to post in channel without having privilege to Mattermost - 41 upvotes, $0
  142. Ability to change permissions across seller platform to TikTok - 41 upvotes, $0
  143. Improper access control for users with expired password, giving the user full access through API and Git to GitLab - 40 upvotes, $950
  144. User with privilege to maintain External Programs can update certain churned HackerOne programs to HackerOne - 40 upvotes, $500
  145. Improper Authorization at https://api-my.pay.razer.com/v1/trxDetail?trxId=[Id] allowing unauthorised access to other user's transaction details to Razer - 40 upvotes, $500
  146. Ability to bypass social OAuth and take over any account [d2c-api] to Genasys Technologies - 40 upvotes, $0
  147. Endpoint without access control leads to order information and status changes to Azbuka Vkusa - 40 upvotes, $0
  148. Attacker can Add itself as admin user and can also change privileges of Existing Users [█████████] to U.S. Dept Of Defense - 40 upvotes, $0
  149. Persistent Unauthorized Administrative Access on All Organization Repositories via RC in User Conversion to Organization to GitHub - 39 upvotes, $4000
  150. Permission model improperly protects against path traversal in Node.js 20 to Internet Bug Bounty - 39 upvotes, $2330
  151. Blind XSS - Report review - Admin panel to Zomato - 39 upvotes, $350
  152. unauthorized Access To Elastic DB to Mail.ru - 39 upvotes, $150
  153. Vulnerabilities chain leading to privilege escalation to Nord Security - 39 upvotes, $0
  154. admin.8x8.vc: Member users with no permission can integrate email to connect calendar via GET /meet-external/spot-roomkeeper/v1/calendar/auth/init?.. to 8x8 Bounty - 39 upvotes, $0
  155. CSP Bypass and escalation of https://hackerone.com/reports/2279346 to PortSwigger Web Security - 39 upvotes, $0
  156. Inject page in admin panel via Shopify.API.pushState with protocol invalid to Shopify - 38 upvotes, $500
  157. H1514 Removed Staff members who had "Apps" permission can still modify flow app connections to Shopify - 38 upvotes, $0
  158. View Only to Root Privilege Escalation on UniFi Protect to Ubiquiti Inc. - 38 upvotes, $0
  159. Bypass of my three other reports #267636 + #255894 + #271861 - (IDOR) Ability to see full name associated with other New Relic accounts to New Relic - 37 upvotes, $1500
  160. Removed staff members who had "Manage shops" permission can still create development stores to Shopify - 37 upvotes, $0
  161. Exposed Slinky Instance Admin Panel to Shopify - 37 upvotes, $0
  162. Ability to invite a new member on Sandbox Program to HackerOne - 37 upvotes, $0
  163. Accessing unauthorized administration pages and seeing admin password - speakerkit.state.gov to U.S. Department of State - 37 upvotes, $0
  164. Unauthorized Access to Deleted Interviews on Glassdoor Platform to Glassdoor - 37 upvotes, $0
  165. NordVPN Linux Client - Unsafe service file permissions leads to Local Privilege Escalation to Nord Security - 36 upvotes, $0
  166. Privilege Escalation Leads to Control The Owner Access Token Which leads to control the stream [streamlabs.com] to Logitech - 35 upvotes, $0
  167. Privilege Escalation - "Analyst" Role Can View Email Domains of a Company - [GET /voyager/api/voyagerOrganizationDashEmailDomainMappings] to LinkedIn - 35 upvotes, $0
  168. Stored XSS on developer.uber.com via admin account compromise to Uber - 34 upvotes, $5000
  169. HackerOne reports escalation to JIRA is CSRF vulnerable to HackerOne - 34 upvotes, $500
  170. User with Sender permission can get Team information to Dropbox - 34 upvotes, $216
  171. Authorization Bypass in Delivery Chat Logs to Instacart - 34 upvotes, $100
  172. [api-site.city-mobil.ru] Improper access control leads to information disclosure to Mail.ru - 34 upvotes, $0
  173. Bypass the reverse proxy. Request admin to Mail.ru - 34 upvotes, $0
  174. Stored XSS Deleting Menu Links in the Shopify Admin to Shopify - 33 upvotes, $0
  175. CSRF on launchpad.37signals.com OAuth2 authorization endpoint to Basecamp - 33 upvotes, $0
  176. Low privileged user can create high privileged user's KITCRM authorization token and can read and write message to KIT to Shopify - 33 upvotes, $0
  177. [HTA2] Authorization Bypass on https://██████ leaks confidential aircraft/missile information to U.S. Dept Of Defense - 33 upvotes, $0
  178. Unauthorised access to admin endpoint on plus-website-staging5.shopifycloud.com to Shopify - 32 upvotes, $2900
  179. All Vimeo Private videos disclosure via Authorization Bypass to Vimeo - 32 upvotes, $0
  180. Improper Access Control in LINE Timeline API that returns a list of hidden friends to LY Corporation - 31 upvotes, $1346
  181. Privilege escalation allows to use iframe functionality w/o upgrade to Infogram - 31 upvotes, $0
  182. [api-site.city-mobil.ru] Improper access control leads to information disclosure (bypass of #977597 fix) to Mail.ru - 31 upvotes, $0
  183. Group admins can remove arbitrary data from "data" directory (including admin data) to Nextcloud - 30 upvotes, $0
  184. Authentication CSRF resulting in unauthorized account access on Krisp app to Krisp - 30 upvotes, $0
  185. [PATs] Ability to leak comments from issues without ANY "Issues" repo permissions by utilizing "Pull Request" permissions to GitHub - 30 upvotes, $0
  186. IBM Maximo Asset Management could allow a remote attacker to bypass authentication due to improper access controls to IBM - 30 upvotes, $0
  187. [Privilege Escalation] Shopify Admin -- Permission from Settings to Customer to Shopify - 29 upvotes, $500
  188. Admin Access to a domain used for development and admin access to internal dashboards on that domain to Zomato - 29 upvotes, $0
  189. Privilege escalation due to insecure use of logrotate to GitLab - 29 upvotes, $0
  190. Broken access control to UPS VDP - 29 upvotes, $0
  191. Member role which doesn't have permission to send message can send by executing channel commands to Mattermost - 29 upvotes, $0
  192. Changing the administrator password via admin console does not invalidate other sessions to PortSwigger Web Security - 29 upvotes, $0
  193. Add new managed stores without permission to Shopify - 28 upvotes, $1900
  194. Ability to see password protected content by bypassing the password page of shopify preview URL for new development stores (as of August 17, 2020) to Shopify - 28 upvotes, $1500
  195. OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing to Vimeo - 28 upvotes, $0
  196. any staff members have the ability to comment in [discounts] he/she can disable comment section it to other staff even the admin of the store to Shopify - 28 upvotes, $0
  197. Thailand - Insecure Direct Object Reference permits an unauthorized user to transfer funds from a victim using only the victim's Starbucks card to Starbucks - 28 upvotes, $0
  198. connect.8x8.com: Users with no permission can track/access restricted details/data via GET /api/v2/support/requests/<ticket number> HTTP/2 to 8x8 Bounty - 28 upvotes, $0
  199. Ability to read any emails through IDOR on Nextcloud Mail to Nextcloud - 28 upvotes, $0
  200. Improper Access Control allows OTP bypass to Lark Technologies - 28 upvotes, $0
  201. CVE-2023-40611: Apache Airflow Dag Runs Broken Access Control Vulnerability to Internet Bug Bounty - 28 upvotes, $0
  202. Improper Access Control on Onelogin in multi-layered architecture to Uber - 27 upvotes, $500
  203. Bypassing authorization of linked Instagram account to TikTok - 27 upvotes, $170
  204. Cross-Tenant IDOR on Business allowing privilege escalation, invitation takeover, and editing of any other Businesses' employees to Uber - 27 upvotes, $0
  205. [hta3] Remote Code Execution on https://███ via improper access control to SCORM Zip upload/import to U.S. Dept Of Defense - 27 upvotes, $0
  206. WooCommerce Blacklist in 'map_meta_cap' leads to Privilege Escalation of Shopmanagers to Automattic - 26 upvotes, $0
  207. Access control issue on invoice documents downloading feature. to Moneybird - 26 upvotes, $0
  208. Local Privilege Escalation during execution of VeraCryptExpander.exe (UAC bypass) to Internet Bug Bounty - 25 upvotes, $1250
  209. Proxy-Authorization header is not cleared in cross-domain redirect in undici to Internet Bug Bounty - 25 upvotes, $405
  210. [www.zomato.com] Privilege Escalation - /php/restaurant_menus_handler.php to Zomato - 25 upvotes, $200
  211. [EdgeSwitch] Web GUI command injection as root with Privilege-1 and Privilege-15 users to Ubiquiti Inc. - 25 upvotes, $0
  212. A team member of the program with Report rights can ban the Admin to HackerOne - 25 upvotes, $0
  213. Improper Access Control on Lark Footer Feature to Lark Technologies - 25 upvotes, $0
  214. [Bypass] Ability to invite a new member in sandbox Organization to HackerOne - 25 upvotes, $0
  215. [h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserTfaEnforcement to Shopify - 25 upvotes, $0
  216. Ability to escape database transaction through SQL injection, leading to arbitrary code execution to HackerOne - 25 upvotes, $0
  217. Incorrect Authorization leads to see other users Documents Uploaded to Tennessee Valley Authority - 25 upvotes, $0
  218. Shop App - Attacker is able to intercept authorization code during authentication (OAuth) and is able to get access to Microsoft Outlook email account to Shopify - 24 upvotes, $900
  219. Apache Airflow: Bypass permission verification to read code of other dags to Internet Bug Bounty - 24 upvotes, $540
  220. Read Access to all comments on unauthorized forums' discussions! IDOR! to Valve - 24 upvotes, $500
  221. None permission staff member can identify installed application and products attached to it to Shopify - 24 upvotes, $500
  222. Bypass report #416983 - Removed Staff members who had "Apps" permission can still modify flow app connections to Shopify - 24 upvotes, $0
  223. Unauthorized User Can Delete Any User Account to Nord Security - 24 upvotes, $0
  224. Readonly to Root Privilege Escalation on EdgeSwitch to Ubiquiti Inc. - 24 upvotes, $0
  225. Default credentials lead to Spring Boot Admin dashboard access to 8x8 - 24 upvotes, $0
  226. Deny Admin from Editing LinkedIn Company Page using Gen Form Visibility via POST /voyager/api/voyagerOrganizationDashCompanies/{id} to LinkedIn - 24 upvotes, $0
  227. REST API Endpoint leads to Unauthorized user disclosed private [ issue ] details to Mail.ru - 23 upvotes, $1000
  228. Full TaxJar account control and ability to disclose and modify business account settings due to Broken Access Control in /current_user_data to Stripe - 23 upvotes, $1000
  229. File access controls incorrectly enforced for files shared via QuickLink - Unshared files can be accessed to Files.com - 23 upvotes, $600
  230. User with no draft order permission can still perform actions on draft orders in Stocky app (IDOR) to Shopify - 23 upvotes, $500
  231. CVE-2019-5443: Windows Privilege Escalation: Malicious OpenSSL Engine to curl - 23 upvotes, $200
  232. Ability to enumerate private programs using SAML to HackerOne - 23 upvotes, $0
  233. Privilege Escalation to Admin-level Account to Legal Robot - 23 upvotes, $0
  234. A user can comment in private discussions without having permission to access the discussion to Vanilla - 23 upvotes, $0
  235. Local privilege escalation bug using Keybase redirector on macOS to Keybase - 23 upvotes, $0
  236. Last build status and coverage leaked to unauthorized users to GitLab - 23 upvotes, $0
  237. Unauthorized access to private project security dashboard to GitLab - 23 upvotes, $0
  238. Default Admin Username and Password on █████ Server at █████████mil to U.S. Dept Of Defense - 23 upvotes, $0
  239. Ability to connect an external login service for unverified emails/accounts at accounts.shopify.com to Shopify - 22 upvotes, $1600
  240. Unauthorized packages modification or secrets exfiltration via GitHub actions to Hyperledger - 22 upvotes, $1500
  241. Local privilege escalation via insecure MSI file to Acronis - 22 upvotes, $250
  242. Mirror of https://city-mobil.ru admin interface to Mail.ru - 22 upvotes, $150
  243. Bypass password confirmation via Context-dependent access control (CDCA) to Nextcloud - 22 upvotes, $100
  244. Admin bar: Incomplete message origin validation results in XSS to Shopify - 22 upvotes, $0
  245. Unauthorized users may be able to view almost all information related to Private projects to GitLab - 22 upvotes, $0
  246. CPP: Out of order Linux permission dropping without checking return codes to GitHub Security Lab - 22 upvotes, $0
  247. Django Debug=True leaks admin email addresses and several system details to Mail.ru - 22 upvotes, $0
  248. Anonymous access control - Payments Status to Omise - 21 upvotes, $100
  249. Unauthorized Access to Protected Tweets via niche.co API to X (Formerly Twitter) - 21 upvotes, $0
  250. Privilege Escalation using API->Feature to Ubiquiti Inc. - 21 upvotes, $0
  251. Unauthorized command execution in Web protection component of Anti-Virus products family [IE] to Kaspersky - 21 upvotes, $0
  252. Multiple Vulnerabilities in (*.blog.yelp.com) - Leakage user admin Sensitive Exposure to Yelp - 21 upvotes, $0
  253. unpermitted user can change the device name of admin account to Helium - 21 upvotes, $0
  254. Ability to generate shipping labels in another store orders to Shopify - 21 upvotes, $0
  255. [h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserRole to Shopify - 21 upvotes, $0
  256. [PATs] Token with Read-Only permissions on Issues able to modify issue comments using content write permission to GitHub - 21 upvotes, $0
  257. [h1-2102] [Plus] User with Store Management Permission can Make changeDomainEnforcementState - that should be limited to User Management Only to Shopify - 20 upvotes, $1900
  258. Open TURN relay abuse is possible due to lack of peer access control (Critical) to 8x8 Bounty - 20 upvotes, $700
  259. Unauthorized access to a system used for CI/CD processes to Starbucks - 20 upvotes, $0
  260. LFI on Accounting server and RCE on FliteThermostat admin server to 50m-ctf - 20 upvotes, $0
  261. Ability to manipulate price with a max threshold of <1 Rupee in support rider parameter to Zomato - 20 upvotes, $0
  262. Unauthorized updates to extended_info properties in /store/ajaxpackagesave to Valve - 20 upvotes, $0
  263. Ability to potentially hit internal NGINX locations on *.myshopify.com by making use of the X-Accel-Redirect header via a configured App Proxy to Shopify - 20 upvotes, $0
  264. Privilege Escalation vulnerability in steam's Remote Play feature leads to arbitrary kernel-mode driver installation to Valve - 20 upvotes, $0
  265. Access control vulnerability (read-only) to EXNESS - 20 upvotes, $0
  266. Non-admin users can reset app allowlist to the default to Nextcloud - 20 upvotes, $0
  267. Code injection and privilege escalation through Linux capabilities to Node.js - 20 upvotes, $0
  268. Privilege Escalation at Apache Airflow 2.5.1 to Internet Bug Bounty - 19 upvotes, $2400
  269. IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop to Shopify - 19 upvotes, $500
  270. User to Admin privilege escalation in Infrastructure Conditions - /v2/accounts/1835740/alerts/conditions to New Relic - 19 upvotes, $500
  271. Inject page in admin panel via Shopify.API.pushState [New Payload] to Shopify - 19 upvotes, $500
  272. Cleartext password exposure allows access to the desafio5estrelas.com admin panel to Uber - 19 upvotes, $500
  273. Direct Access To admin Dashboard to Shopify - 19 upvotes, $500
  274. staffOrderNotificationSubscriptionDelete Could Be Used By Staff Member With Settings Permission to Shopify - 19 upvotes, $500
  275. Missing Access Control (IDOR) To Know LinkedAccounts to Dashlane - 19 upvotes, $0
  276. Missing Certificate Authority Authorization rule to HackerOne - 19 upvotes, $0
  277. Admin Macro Description Stored XSS to Zendesk - 19 upvotes, $0
  278. Order Creation Webhooks can be edited/deleted by STAFF with Settings only permission to Shopify - 19 upvotes, $0
  279. Admin Reseller Account Disclosure to 8x8 - 19 upvotes, $0
  280. Users Without Permission Can Download Restricted Files to Lark Technologies - 19 upvotes, $0
  281. CVE-2023-47037: Airflow Broken Access Control Vulnerability to Internet Bug Bounty - 19 upvotes, $0
  282. Stored XSS on newsroom.uber.com admin panel / Stream WordPress plugin to Uber - 18 upvotes, $5000
  283. Java: CWE-939 - Address improper URL authorization to GitHub Security Lab - 18 upvotes, $1500
  284. Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181 to Shopify - 18 upvotes, $1000
  285. staffOrderNotificationSubscriptionCreate Is Not Blocked Entirely From Staff Member With Settings Permission to Shopify - 18 upvotes, $900
  286. Ability to add address without being an admin or staff in the store via wholesale store to Shopify - 18 upvotes, $500
  287. [www.zomato.com] Privilege Escalation - Control reviews - /████dashboard_handler.php to Zomato - 18 upvotes, $300
  288. [Broken Access Control] Unauthorized Linking accounts & Linked Accounts info Disclosure to Stripe - 18 upvotes, $250
  289. IDOR - Ability to view unlisted products to Reverb.com - 18 upvotes, $0
  290. Clickjacking in the admin page to Rocket.Chat - 18 upvotes, $0
  291. [H1-2006 2020] Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or using a custom API attack tool to h1-ctf - 18 upvotes, $0
  292. [Bypass #870709] Unauthorised access to pagespeed global admin at https://webtools.paloalto.com/ to Palo Alto Software - 18 upvotes, $0
  293. Privilege Escalation to All-staff group to Lark Technologies - 18 upvotes, $0
  294. [user_oidc] Stored XSS via Authorization Endpoint - Safari-Only to Nextcloud - 18 upvotes, $0
  295. Privilege Escalation through Keybase Installer via Helper to Keybase - 17 upvotes, $2500
  296. Staff can create workflows in Shopify Admin without apps permission to Shopify - 17 upvotes, $1600
  297. [IMP] - Blind XSS in the admin panel for reviewing comments to Rockstar Games - 17 upvotes, $650
  298. Proxy-Authorization header not cleared on cross-origin redirect in undici.request to Internet Bug Bounty - 17 upvotes, $420
  299. Corrupted Authorization header can cause logs not to be ingested properly in ████████ to HackerOne - 17 upvotes, $0
  300. Improper Authorization to Stripo Inc - 17 upvotes, $0
  301. User with single department permission can view applicant list of all departments to Lark Technologies - 17 upvotes, $0
  302. Unauthorized access to GitLab - 17 upvotes, $0
  303. Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, ... to GitLab - 16 upvotes, $5000
  304. CVE-2023-42780: Apache Airflow: Improper access control vulnerability in the "List dag warnings" feature to Internet Bug Bounty - 16 upvotes, $540
  305. Renderers can obtain access to random bluetooth device without permission to Internet Bug Bounty - 16 upvotes, $480
  306. Unauthorized team members can leak information and see all API calls through /1/admin/* endpoints, even after they have been removed. to Algolia - 16 upvotes, $400
  307. Access control missing while viewing the attachments in the "All boards" to Nextcloud - 16 upvotes, $150
  308. Access control issue -- [Allow file system access not validated when using session auth] to Nextcloud - 16 upvotes, $100
  309. Privilege escalation to access all private groups and repositories to GitLab - 16 upvotes, $0
  310. Ability to monitor reports' submission in real time to HackerOne - 16 upvotes, $0
  311. Missing access control exposing detailed information on all users to WP API - 16 upvotes, $0
  312. Privilege Escalation. to Inflection - 16 upvotes, $0
  313. Privilege Escalation: From operator to ubnt (and root) with non-interactive Session Hijacking to Ubiquiti Inc. - 16 upvotes, $0
  314. brute force attack allowed on admin page https://www.stellar.org/wp-admin/ to Stellar.org - 16 upvotes, $0
  315. Access control vulnerability (read/write) to EXNESS - 16 upvotes, $0
  316. Response Manipulation leads to Admin Panel Login Bypass at https://██████/ to Sony - 16 upvotes, $0
  317. Default Admin Username and Password on ███ to U.S. Dept Of Defense - 16 upvotes, $0
  318. Ability to publish a paid theme without purchasing it. to Shopify - 15 upvotes, $2000
  319. [NR Synthetics] (IDOR) Ability to see full name associated with other New Relic accounts through workaround of #255894 to New Relic - 15 upvotes, $1500
  320. Unauthorized Canceling/Unsubscribe TaxJar account & Payment information Disclosure to Stripe - 15 upvotes, $500
  321. Double Stored Cross-Site scripting in the admin panel to GSA Bounty - 15 upvotes, $300
  322. CSRF to add admin [wordpress] to WordPress - 15 upvotes, $0
  323. Race condition (TOCTOU) in NordVPN can result in local privilege escalation to Nord Security - 15 upvotes, $0
  324. Unsafe cors sharing of admin users to MTN Group - 15 upvotes, $0
  325. Non-admin users can trigger writes to memcached by entering a malicious server as a share URL to Nextcloud - 15 upvotes, $0
  326. Multiple permission model bypasses due to improper path traversal sequence sanitization to Node.js - 15 upvotes, $0
  327. Leftover back-end system on www.zest.co.th allows an unauthorized attacker to generate Razer Gold Pin for free to Razer - 14 upvotes, $375
  328. User with only Viewing Privilege can send message to Room to Phabricator - 14 upvotes, $300
  329. Able to remove the admin access of my program to HackerOne - 14 upvotes, $0
  330. Missing authorization checks leading to the exposure of ubernihao.com administrator accounts to Uber - 14 upvotes, $0
  331. Code Injection in Slack's Windows Desktop Client leads to Privilege Escalation to Slack - 14 upvotes, $0
  332. Organization Admin Privilege Escalation To Owner to Bitwarden - 14 upvotes, $0
  333. Ability to login to the Nexus Repo Manager from https://nexus.imgur.com/ to Imgur - 14 upvotes, $0
  334. █████████ on CRM server without authorization to Unikrn - 14 upvotes, $0
  335. Missing Certificate Authority Authorization rule to HackerOne - 14 upvotes, $0
  336. Nextcloud 10.0 privilege escalation issue - Normal user can mask external storage shared by admin to Nextcloud - 14 upvotes, $0
  337. CPP: Out of order Linux permission dropping without checking return codes to GitHub Security Lab - 14 upvotes, $0
  338. Improper authorization on /api/as/v1/credentials/ for Dev Role User with Limited Engine Access to Elastic - 14 upvotes, $0
  339. Remove Every User, Admin, And Owner Out Of Their Teams on developers.mtn.com via IDOR + Information Disclosure to MTN Group - 14 upvotes, $0
  340. Low authorization level at server side API operation e2e.updateGroupKey, let an attacker break the E2E architecture. to Rocket.Chat - 14 upvotes, $0
  341. Proxy-Authorization header is not cleared in cross-domain redirect in undici to Node.js - 14 upvotes, $0
  342. Add signature to transactions without any permission to Shopify - 13 upvotes, $500
  343. Acronis True Image Local Privilege Escalation via insecure folder permissions to Acronis - 13 upvotes, $300
  344. Unauthorized read access to Invoices by PM (Access control Issues) to Harvest - 13 upvotes, $150
  345. PM can delete payment of any invoice in company (Access control Issue) to Harvest - 13 upvotes, $100
  346. Inadequate access controls in "Vote" functionality??? to HackerOne - 13 upvotes, $0
  347. Privilege escalation-User who does not have access is able to add notes to the contact to Mixmax - 13 upvotes, $0
  348. Unauthenticated Reflected XSS in admin dashboard to Deconf - 13 upvotes, $0
  349. Any user can completely delete their own account without authorization and/or going through any kind of membership cancellation protocol. to Shipt - 13 upvotes, $0
  350. 3rd party shop admin panel blind XSS to Mail.ru - 13 upvotes, $0
  351. Delete permission can be added on reshare to Nextcloud - 13 upvotes, $0
  352. [Critical] Full local filesystem access (LFI/LFD) as admin via Path Traversal in the misconfigured Java servlet on the https://███/ to U.S. Dept Of Defense - 13 upvotes, $0
  353. Unauthorized command execution in Web protection component of Anti-Virus products family to Kaspersky - 13 upvotes, $0
  354. WordPress admin is accessible without HTTP authentication to Showmax - 13 upvotes, $0
  355. Access Control: Inject tasks into other users decks to Nextcloud - 13 upvotes, $0
  356. [dubmash] Lack of authorization checks - Update Sound Titles to Reddit - 13 upvotes, $0
  357. All user password hash can be seen from admin panel to UPchieve - 13 upvotes, $0
  358. Reference caching can leak data to unauthorized users to Nextcloud - 13 upvotes, $0
  359. [h1-2102] [PLUS] User with Store Management Permission can Make enforceSamlOrganizationDomains call - that should be limited to User Management Only to Shopify - 12 upvotes, $1900
  360. macOS privilege escalation via keybase install to Keybase - 12 upvotes, $1250
  361. Ability to perform various POST requests on quantopian.com as a different user - insecure by design. to Quantopian - 12 upvotes, $1050
  362. PM can delete the company logo image (Vertical Privilege Escalation ) to Harvest - 12 upvotes, $100
  363. Code source disclosure & ability to get database information "SQL injection" in [townwars.mail.ru] to Mail.ru - 12 upvotes, $0
  364. Privilege escalation in the client impersonation functionality to Ubiquiti Inc. - 12 upvotes, $0
  365. Redirect on authorization allows account compromise to GSA Bounty - 12 upvotes, $0
  366. [h1-2102] Partner's team member with no permission can retrieve services financial data to Shopify - 12 upvotes, $0
  367. Improper access control in place for "member only" groups via root.YUI_config.flickr.api.site_key to Flickr - 12 upvotes, $0
  368. Improper Sanitization leads to XSS Fire on admin panel to Informatica - 12 upvotes, $0
  369. Unauthorized access to employee panel with default credentials. to U.S. General Services Administration - 12 upvotes, $0
  370. [Transportation Management Services Solution 2.0] Improper authorization at tmss.gsa.gov leads to data exposure of all registered users to U.S. General Services Administration - 12 upvotes, $0
  371. Ability to View Non-Permitted Admin Log to Lark Technologies - 12 upvotes, $0
  372. [Java] CWE-939 - Address improper URL authorization to GitHub Security Lab - 11 upvotes, $1800
  373. Ability to bypass locked Cloudflare WARP on wifi networks. to Cloudflare Public Bug Bounty - 11 upvotes, $1000
  374. H1514 Lack of access control on edit packing slip template to Shopify - 11 upvotes, $500
  375. Unsecured Dropwizard Admin Panel on display.uber-adsystem.com exposes sensitive server information to Uber - 11 upvotes, $500
  376. Missing authorization allows sales only user to record payment. to Visma Public - 11 upvotes, $250
  377. Privilege escalation..., or not?! to HackerOne - 11 upvotes, $0
  378. Unauthorized Team members viewing to HackerOne - 11 upvotes, $0
  379. Unauthorized update of merchants' information via /php/merchant_details.php to Zomato - 11 upvotes, $0
  380. Paragonie Airship Admin CSRF on Extensions Pages to Paragon Initiative Enterprises - 11 upvotes, $0
  381. Information Disclosure and Privilege Escalation in app.goodhire.com/member/developers/api-settings to Inflection - 11 upvotes, $0
  382. Privilege escalation allows any user to add an administrator to Node.js third-party modules - 11 upvotes, $0
  383. Private API key leakage due to lack of access control to Cloudflare Vulnerability Disclosure - 11 upvotes, $0
  384. Password protected rooms total number of viewers disclosure to unauthorized members to Chaturbate - 11 upvotes, $0
  385. Vulnerability Report - Missing Certificate Authority Authorization rule to MariaDB - 11 upvotes, $0
  386. "Test target" of the "HTTP target" extension can unintentionally send username and password in the Authorization header to Zendesk - 11 upvotes, $0
  387. Staff member with no permission can delete POS staff from account settings to Shopify - 11 upvotes, $0
  388. Broken Access Controls to Acronis - 11 upvotes, $0
  389. Blind Stored XSS on ███████ leads to takeover admin account to U.S. Dept Of Defense - 11 upvotes, $0
  390. Unauthorized Kubernetes to RCE (root) and found TEAMTNT Crypto Miner on it to IBM - 11 upvotes, $0
  391. User with no Develop apps permission can Uninstall Custom App to Shopify - 11 upvotes, $0
  392. Reflected XSS on Admin Login Page to TD Bank - 11 upvotes, $0
  393. PM can Set up email for invoices and estimates (Access control Issue) to Harvest - 10 upvotes, $250
  394. Store Admin Page Accessible Without Authentication at http://www.grouplogic.com/ADMIN/store/index.cfm to Acronis - 10 upvotes, $250
  395. Record payment for any invoice by PM (Access control Issue) to Harvest - 10 upvotes, $100
  396. leaking Digits OAuth authorization to third party websites to X (Formerly Twitter) - 10 upvotes, $0
  397. Group admin can remove user from all his groups via API to Nextcloud - 10 upvotes, $0
  398. Password reset access control to Legal Robot - 10 upvotes, $0
  399. Improper access control on adding a Register to an Outlet to Vend VDP - 10 upvotes, $0
  400. Homebrew privilege escalation vulnerability to Homebrew - 10 upvotes, $0
  401. In Dockerized Environments, Failing to Read config.php Grants Any Anonymous User Full Admin Access to Nextcloud - 10 upvotes, $0
  402. India - An Insecure Direct Object Reference (IDOR) allowed unauthorized access to view card index number and monetary balance to Starbucks - 10 upvotes, $0
  403. Head pipeline leaked to unauthorized users via blocking merge request feature to GitLab - 10 upvotes, $0
  404. unauthorized access to add admin endpoint to Mail.ru - 10 upvotes, $0
  405. [h1-415 2020] Chain of vulnerabilities leading to account takeover and unauthorized access of sensitive internal resources to h1-ctf - 10 upvotes, $0
  406. Improper Access Control - Generic on https://████ to U.S. Dept Of Defense - 10 upvotes, $0
  407. Unauthorized access to admin panel of the Questionmark Perception system at https://██████████ to U.S. Dept Of Defense - 10 upvotes, $0
  408. Admin audit is not properly logging unsetting of expiration date to Nextcloud - 10 upvotes, $0
  409. Ability to subscribe to inactive Post+ creators to Automattic - 10 upvotes, $0
  410. Unauthenticated Access to Admin Panel Functions at https://███████/███ to U.S. Dept Of Defense - 10 upvotes, $0
  411. [AWC-Pune] - User can download files deleted by Admin using shortcuts to Lark Technologies - 10 upvotes, $0
  412. Golang : Add Query To Detect PAM Authorization Bugs to GitHub Security Lab - 10 upvotes, $0
  413. OAuth authorization page vulnerable to clickjacking to Coinbase - 9 upvotes, $5000
  414. Authenticated but unauthorized users may enumerate Application names via the API to Internet Bug Bounty - 9 upvotes, $2400
  415. [h1-2102] [Plus] User with Store Management Permission can Make convertUsersFromSaml/convertUsersToSaml - that should be limited to User Management to Shopify - 9 upvotes, $1900
  416. Relative Path Vulnerability Results in Arbitrary Command Execution/Privilege Escalation to Slack - 9 upvotes, $750
  417. Unauthorised read Access to Expense Receipt of any user in the company(Vertical Privilege escalation) to Harvest - 9 upvotes, $300
  418. Ability to add phishing links in discussion, "Bypassing uneducational Links add" to Udemy - 9 upvotes, $0
  419. Uploading files to a folder where the invited user doesn't have any EDIT privilege to Nextcloud - 9 upvotes, $0
  420. http://217.20.144.201 privilege escalation in apache tomcat SessionExample script to ok.ru - 9 upvotes, $0
  421. Privilege Escalation on a DoD Website to U.S. Dept Of Defense - 9 upvotes, $0
  422. Privilege escalation - Normal user can somehow make admin to delete shared folders to Nextcloud - 9 upvotes, $0
  423. Wordpress Vulnerable to Potential Unauthorized Password Reset to Nextcloud - 9 upvotes, $0
  424. Restricted User is able to edit Alert Conditions of Synthetics Monitors even if Synthetics Permissions is enabled by an admin to New Relic - 9 upvotes, $0
  425. UniFi Video Server - Broken access control on system configuration to Ubiquiti Inc. - 9 upvotes, $0
  426. Unauthorized access of Monero wallet by an unprivileged process to Monero - 9 upvotes, $0
  427. Stored XSS (Hexo-admin plugin) to Node.js third-party modules - 9 upvotes, $0
  428. UniFi Video Server web interface admin user Firmware Update path traversal leading to local system compromise to Ubiquiti Inc. - 9 upvotes, $0
  429. Unauthorised access to pagespeed global admin at https://webtools.paloalto.com/ to Palo Alto Software - 9 upvotes, $0
  430. Unauthorized user is able to access schedule pipeline variables and values to GitLab - 9 upvotes, $0
  431. Server Side Request Forgery in 'Jabber settings' in Admin Control Panel to phpBB - 9 upvotes, $0
  432. Reflected XSS on cz.acronis.com/dekujeme-za-odber-novinek-produktu-disk-director with ability to creating an admin user in WordPress to Acronis - 9 upvotes, $0
  433. Node Installer Local Privilege Escalation to Node.js - 9 upvotes, $0
  434. Ability to use premium templates as free user via https://stripo.email/templates/?utm_source=viewstripo&utm_medium=referral to Stripo Inc - 9 upvotes, $0
  435. Unauthorized access to Argo dashboard on █████ to U.S. Dept Of Defense - 9 upvotes, $0
  436. Airflow Daemon Mode Insecure Umask Privilege Escalation to Internet Bug Bounty - 8 upvotes, $2400
  437. Ability to view monitor names of other NR accounts through internal API (v3) via "monitor_id" parameter to New Relic - 8 upvotes, $2000
  438. Unauthorized access to all the actions of invoices by PM (Access control Issues) to Harvest - 8 upvotes, $150
  439. Project Manager can approve pending reports(Access control Issue) to Harvest - 8 upvotes, $150
  440. Possibility to force an admin to install recommended applications to Nextcloud - 8 upvotes, $100
  441. Moderator can enable cam/mic remotely if cam/mic-permission was disabled while user has activated cam/mic to Nextcloud - 8 upvotes, $100
  442. Ability to see common response titles of other teams (limited) to HackerOne - 8 upvotes, $0
  443. Users with member privilege are able to see emails and membership information of other users to WakaTime - 8 upvotes, $0
  444. Improper access control lead To delete anyone comment to Paragon Initiative Enterprises - 8 upvotes, $0
  445. Bypass of my two other reports #267636 + #255894 - (IDOR) Ability to see full name associated with other New Relic accounts to New Relic - 8 upvotes, $0
  446. Drupal admin takeover via install.php not being performed prior to install. to New Relic - 8 upvotes, $0
  447. Stored self-xss and its escalation to a victim account in e.mail.ru to Mail.ru - 8 upvotes, $0
  448. H1514 Wholesale customer without checkout permission can complete purchases to Shopify - 8 upvotes, $0
  449. Broken access control on apps to Rocket.Chat - 8 upvotes, $0
  450. Access control bypass leads to domain information disclosure to Vercel - 8 upvotes, $0
  451. Container scanning and Dependency scanning report leaked to unauthorized users to GitLab - 8 upvotes, $0
  452. UniFi Video v3.10.1 (Windows) Local Privileges Escalation to SYSTEM from arbitrary filedelete and DLL hijack vulnerabilities. to Ubiquiti Inc. - 8 upvotes, $0
  453. UniFi Video web interface Configuration Restore user privilege escalation to Ubiquiti Inc. - 8 upvotes, $0
  454. Stocky App Administrator can create a backdoor admin account by using an existing POS User to Shopify - 8 upvotes, $0
  455. [api.my.games/social/chat/multi/add] Privilege escalation on adding new members to group chat to Mail.ru - 8 upvotes, $0
  456. Privilege Escalation in Point Of Sale Application from POS Manage Staff Role to potentially Store Owner to Shopify - 8 upvotes, $0
  457. [Fixed] KIS for macOS is vulnerable to AV bypass due to improper client authorization on XPC service to Kaspersky - 8 upvotes, $0
  458. Unauthorized Access to Internal Server Panel without Authentication to U.S. Dept Of Defense - 8 upvotes, $0
  459. Unauthenticated phpinfo() files could lead to file read at █████████ [HtUS] to U.S. Dept Of Defense - 8 upvotes, $0
  460. Stored XSS in drive.uber.com WordPress admin panel to Uber - 7 upvotes, $2000
  461. [idor] Profile Admin can pin any other user's post on his stream wall to Pornhub - 7 upvotes, $750
  462. H1514 Ability to Edit Packaging Slip Templates and View Product & Shipping Information by a low privileged staff in a Sandbox Store to Shopify - 7 upvotes, $500
  463. Improper access control allows sales only user to view bank balance of company accounts. to Visma Public - 7 upvotes, $100
  464. XSS in Acronis Cloud Manager Admin Portal to Acronis - 7 upvotes, $100
  465. Weird Bug - Ability to see partial of other user's notification to HackerOne - 7 upvotes, $0
  466. XSS in Draft Orders in Timeline in SHOPIFY Admin Site! to Shopify - 7 upvotes, $0
  467. Exposed Access Control Data Backup Files on DoD Website to U.S. Dept Of Defense - 7 upvotes, $0
  468. Bypass file access control vulnerability on a DoD website to U.S. Dept Of Defense - 7 upvotes, $0
  469. Extract Billing admin email address using random team id to Dashlane - 7 upvotes, $0
  470. Bypassing Access control, changing owner's name in a private leaderboard to WakaTime - 7 upvotes, $0
  471. Stored XSS on Admin Access Page - Email field to Revive Adserver - 7 upvotes, $0
  472. Authorization issue on 'valtakirjat' (/e2/verkkopalvelu/) to LocalTapiola - 7 upvotes, $0
  473. Authorization Token is Not expiring After Logout to Passit - 7 upvotes, $0
  474. Weak credentials, Blind SQLi, Timing attack, that leads to web admin access to 50m-ctf - 7 upvotes, $0
  475. Unauthorized command execution in Web protection component of Anti-Virus products family [FF, Chrome] to Kaspersky - 7 upvotes, $0
  476. Privilege escalation from member user ( editor ) to admin user to Qulture.Rocks - 7 upvotes, $0
  477. [H1-2006 2020] From multiple vulnerabilities to complete ATO on any customer account and staff admin to h1-ctf - 7 upvotes, $0
  478. Local Privilege Escalation on Dropbox Desktop for Windows to Dropbox - 7 upvotes, $0
  479. Improper authorization on /api/as/v1/credentials/ allows any App Search user to access all API keys and escalate privileges to Elastic - 7 upvotes, $0
  480. Unauthorized access to choice.av.ru control panel to Azbuka Vkusa - 7 upvotes, $0
  481. Improper Access Control in Ali Express Importer to Judge.me - 7 upvotes, $0
  482. Upload and delete files in debug page without access control. to U.S. Dept Of Defense - 7 upvotes, $0
  483. Python : Add query to detect PAM authorization bypass to GitHub Security Lab - 7 upvotes, $0
  484. The use of `__proto__` in `process.mainModule.__proto__.require()` bypasses the permission system in Node v19.6.1 to Node.js - 7 upvotes, $0
  485. Privilege Escalation - A MEMBER with no ACCESS to ORDERS can still access the orders by using Order Printer APP to Shopify - 6 upvotes, $1000
  486. ability to retrieve a user's phone-number/email for a given inviteCode to Uber - 6 upvotes, $1000
  487. Privilege escalation possible in dovecot when similar passdbs are used to Open-Xchange - 6 upvotes, $900
  488. An administrator without any permission is able to get order notifications using his APNS Token. to Shopify - 6 upvotes, $500
  489. Staff members with no permission can access to the files, uploaded by the administrator to Shopify - 6 upvotes, $500
  490. Ability to post comments to a crew even after getting kicked out to Rockstar Games - 6 upvotes, $500
  491. [Razer Pay] Broken Access Control at /v1/verifyPhone/ allows enumeration of usernames and ID information to Razer - 6 upvotes, $500
  492. User is able to access and create private synthetics locations without upgrading (regression of #276157) to New Relic - 6 upvotes, $500
  493. Privilege escalation to root in Pages build image v2 to Cloudflare Public Bug Bounty - 6 upvotes, $350
  494. Fabric.io: Ex-admin of an organization can delete team members to X (Formerly Twitter) - 6 upvotes, $280
  495. Bypass admin panel [seminars.mail.ru] to Mail.ru - 6 upvotes, $150
  496. Ability to edit the address of any company by its id on [corporate.city-mobil.ru] to Mail.ru - 6 upvotes, $150
  497. Access admin interface via bad credentials to Mail.ru - 6 upvotes, $150
  498. API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass to Vimeo - 6 upvotes, $0
  499. Ability to collect users' ids that have visited a specific web page with malicious code to Bumble - 6 upvotes, $0
  500. Missing access control at password change to Legal Robot - 6 upvotes, $0
  501. Business Logic Flaw allowing Privilege Escalation to Inflection - 6 upvotes, $0
  502. Privilege Escalation with Session Hijacking Having a Non-privileged Valid User to Ubiquiti Inc. - 6 upvotes, $0
  503. File access control rules not enforced on image files to Nextcloud - 6 upvotes, $0
  504. [express-cart] Customer and admin email enumeration through MongoDB injection to Node.js third-party modules - 6 upvotes, $0
  505. Default page exposes admin functions and all methods and classes available on https://██████/█████/dwr/index.html to U.S. Dept Of Defense - 6 upvotes, $0
  506. Admin Salt Leakage on DoD site. to U.S. Dept Of Defense - 6 upvotes, $0
  507. Authorization for wp-admin directory are vulnerable to brute force. to Stripo Inc - 6 upvotes, $0
  508. [Critical] Insufficient Access Control On Registration Page of Webapps Website Allows Privilege Escalation to Administrator to U.S. Dept Of Defense - 6 upvotes, $0
  509. Ability to run monitors' jobs of other accounts and to read these jobs content (including the secure credentials values) to New Relic - 6 upvotes, $0
  510. access permission is not revoked even if the email has been deleted or changed on the partner account -partners.shopify- to Shopify - 6 upvotes, $0
  511. Unauthorized Use of Victim Credit Card to Yelp - 6 upvotes, $0
  512. Admin web sessions remain active after logout of Shopify ID to Shopify - 6 upvotes, $0
  513. The Host Authorization middleware in Action Pack is vulnerable to crafted X-Forwarded-Host values to Internet Bug Bounty - 6 upvotes, $0
  514. Acronis True Image Local Privilege Escalation Due To Race Condition In Application Verification to Acronis - 6 upvotes, $0
  515. CPP: Pam Authorization Bypass to GitHub Security Lab - 6 upvotes, $0
  516. Adobe ColdFusion Access Control Bypass - CVE-2023-38205 to U.S. Dept Of Defense - 6 upvotes, $0
  517. Proxy-Authorization header not cleared on cross-origin redirect in undici.request to Node.js - 6 upvotes, $0
  518. Unauthorized access to all collections, products, pages from other stores to Shopify - 5 upvotes, $2500
  519. CPP: Add query for CWE-266 Incorrect Privilege Assignment to GitHub Security Lab - 5 upvotes, $1800
  520. Admin panel access restrictions bypass [poll.mail.ru/admin/] to Mail.ru - 5 upvotes, $500
  521. Ability to delete projects from Archived companies (Read only version) to Visma Public - 5 upvotes, $100
  522. Stored XSS from ticket messages in admin table in SupportFlow to Ian Dunn - 5 upvotes, $50
  523. Team Member(s) associated with a Group have Read-only permission (Post internal comments) can post comment to all the participants to HackerOne - 5 upvotes, $0
  524. Can message users without the proper authorization to Vimeo - 5 upvotes, $0
  525. Privilege Escalation in Default Notification Preferences to New Relic - 5 upvotes, $0
  526. Incorrect Permission Assignment for Critical Resource to MariaDB - 5 upvotes, $0
  527. [██████████] Unauthorized access to admin panel to U.S. Dept Of Defense - 5 upvotes, $0
  528. Improper Access Control in Buddypress core allows reply, delete any user's activity to WordPress - 5 upvotes, $0
  529. Default Creds Spring Boot Admin to 8x8 - 5 upvotes, $0
  530. Improper Access Controls Allow PII Leak via ████ to U.S. Dept Of Defense - 5 upvotes, $0
  531. Misconfigured AWS S3 bucket leaks sensitive data such as admin, Production, beta, localhost and many more directories to U.S. Dept Of Defense - 5 upvotes, $0
  532. Local Privilege Escalation in anti_ransomware_service.exe via quarantine to Acronis - 5 upvotes, $0
  533. Privilege Escalation leads to trash other users comment without having admin rights. to Basecamp - 5 upvotes, $0
  534. Improper Access Control on Media Wiki allows attackers to restart installation on DoD asset to U.S. Dept Of Defense - 5 upvotes, $0
  535. Ability to control the filename when uploading a logo or favicon on theming to Nextcloud - 5 upvotes, $0
  536. Mute User can disclose private channel members to unauthorized users to Rocket.Chat - 5 upvotes, $0
  537. UnAuthorized Editorial Publishing to Blogs to Phabricator - 4 upvotes, $300
  538. Restricted user is able to delete filter sets of admin users in https://infrastructure.newrelic.com/accounts/{{ACC#}}/settings/filterSets to New Relic - 4 upvotes, $250
  539. Unauthorized access to attachments details of Private Calendar appointments (Access control issue) to Open-Xchange - 4 upvotes, $200
  540. Conversation API Leaks Details Of UnAuthorized Conversations to Vanilla - 4 upvotes, $150
  541. Admin panel of http://tp-test1.corp.mail.ru/ is accessible publicly to Mail.ru - 4 upvotes, $0
  542. No authorization required in iOS device web-application to Coinbase - 4 upvotes, $0
  543. Privilege Escalation In Monitor to New Relic - 4 upvotes, $0
  544. Admin panel take over | User info leakage | Mass Compromise to U.S. Dept Of Defense - 4 upvotes, $0
  545. Privilege Escalation in BuddyPress core allows Moderate to Administrator to WordPress - 4 upvotes, $0
  546. app.lemlist.com : Admin Panel Access to lemlist - 4 upvotes, $0
  547. Ability to buy PRO subscriptions by arbitrary reduced prices to New Relic - 4 upvotes, $0
  548. Grafana Improper authorization to Kubernetes - 4 upvotes, $0
  549. [mattermost.com] CORS Misconfiguration leakage of admin users to Mattermost - 4 upvotes, $0
  550. DoS due to improper input validation can break the admin's access to the user data and disallow him from editing that user's data to Nextcloud - 4 upvotes, $0
  551. Man in the middle leading to root privilege escalation using hostNetwork=true (CAP_NET_RAW considered harmful) to Kubernetes - 4 upvotes, $0
  552. A member-member privilege could access the https://console.rockset.com/billing?tab=payment page even though the billing page is hidden from the menu. to Rockset - 4 upvotes, $0
  553. Broken access control, can lead to legitimate user data loss to U.S. Dept Of Defense - 4 upvotes, $0
  554. Unauthorized Access - downgraded admin roles to none can still edit projects through Burp Suite to Omise - 4 upvotes, $0
  555. fabric.io - app member can make himself an admin to X (Formerly Twitter) - 3 upvotes, $1400
  556. Shop admin can change external login services to Shopify - 3 upvotes, $1000
  557. Get analytics token using only apps permission to Shopify - 3 upvotes, $1000
  558. User Access Control Bypass Via Razer elevated service ( RzKLService.exe ) which loads exe in misconfigured way. to Razer - 3 upvotes, $750
  559. Twitter Ads Campaign information disclosure through admin without any authentication. to X (Formerly Twitter) - 3 upvotes, $560
  560. Unauthorized access to any Store Admin's First & Last name to Shopify - 3 upvotes, $500
  561. First & Last Name Disclosure of any Shopify Store Admin to Shopify - 3 upvotes, $500
  562. Missing authorization check on dashboard overviews to Shopify - 3 upvotes, $500
  563. An administrator without the 'Settings' permission is able to see payment gateways to Shopify - 3 upvotes, $500
  564. Critical : View/Edit access to private appointments of calendar folder by read only user (Vertical privilege escalation) to Open-Xchange - 3 upvotes, $200
  565. Bypass admin panel [conference.mail.ru] to Mail.ru - 3 upvotes, $150
  566. Access control on https://eaccounting.stage.vismaonline.com/ to Visma Public - 3 upvotes, $100
  567. privilege escalation to Automattic - 3 upvotes, $0
  568. Metadata in hosted files is disclosing Usernames, Printers, paths, admin guides. emails to QIWI - 3 upvotes, $0
  569. CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to Videos of Channel whose privacy is set to Private. to Vimeo - 3 upvotes, $0
  570. The POS Firmware is leaking the root Password which can be used for unauthorized access to the device. to Shopify - 3 upvotes, $0
  571. Staff members with no permission to access domains can access them. to Shopify - 3 upvotes, $0
  572. Privilege escalation and circumvention of permission to limited access user to Shopify - 3 upvotes, $0
  573. Missing Function Level Access Control in /cindex.php/widget/customize/ to Bookfresh - 3 upvotes, $0
  574. Business/Functional logic bypass: Remove admins from admin group. to Nextcloud - 3 upvotes, $0
  575. No authorization required in Windows phone web-application to Coinbase - 3 upvotes, $0
  576. Basic Authorization over HTTP to New Relic - 3 upvotes, $0
  577. xss for admin of https://newsletter.nextcloud.com to Nextcloud - 3 upvotes, $0
  578. API Does Not Apply Access Controls to Translations to Weblate - 3 upvotes, $0
  579. UniFi Video v3.2.2 (Windows) Local Privileges Escalation due to weak default install directory ACLs to Ubiquiti Inc. - 3 upvotes, $0
  580. Privilege escalation with malicious .npmrc to Node.js third-party modules - 3 upvotes, $0
  581. Unauthorized admission to any team in zeit.co to Vercel - 3 upvotes, $0
  582. Admin panel of https://www.stellar.org/wp-admin/ to Stellar.org - 3 upvotes, $0
  583. China - Leaked credentials permitted a limited ability to create Starbucks coupons and cards to Starbucks - 3 upvotes, $0
  584. Ability to find out the name of the database table and its columns to Mail.ru - 3 upvotes, $0
  585. Vertical Privilege Escalation on {target.my.com} to Mail.ru - 3 upvotes, $0
  586. Stored admin-to-owner XSS at infrastructure alerts runbook URL leading to account takeover by malicious admin to New Relic - 3 upvotes, $0
  587. User Access Control in Community Plan to Doppler - 3 upvotes, $0
  588. Clickjacking on profile page leading to unauthorized changes to UPchieve - 3 upvotes, $0
  589. No admin audit entry for enabling/disabling 2FA to Nextcloud - 3 upvotes, $0
  590. No admin audit log for auth tokens to Nextcloud - 3 upvotes, $0
  591. Unauthorized access to PII leads to MASS account Takeover to U.S. Dept Of Defense - 3 upvotes, $0
  592. Incorrect Authorization Checks in /include/findusers.php to ImpressCMS - 3 upvotes, $0
  593. Default Admin Username and Password on remedysso.mtncameroon.net to MTN Group - 3 upvotes, $0
  594. Improper Access Control - Generic to Rocket.Chat - 3 upvotes, $0
  595. OpenSSL engines can be used to bypass and/or disable the permission model to Node.js - 3 upvotes, $0
  596. fs.openAsBlob() bypasses permission system to Node.js - 3 upvotes, $0
  597. unauthorized access to all customers first and last name to Shopify - 2 upvotes, $2500
  598. unauthorized access to all collections name to Shopify - 2 upvotes, $2000
  599. Fabric.io - an app admin can delete team members from other user apps to X (Formerly Twitter) - 2 upvotes, $1120
  600. Unauthorized Tweeting on behalf of Account Owners to X (Formerly Twitter) - 2 upvotes, $420
  601. Possibly big authorization problem in Lähitapiola's varainhoito to LocalTapiola - 2 upvotes, $400
  602. Phabricator Diffusion application allows unauthorized users to delete mirrors to Phabricator - 2 upvotes, $300
  603. Team admin can add billing contacts to Slack - 2 upvotes, $200
  604. Team admin can change unauthorized team setting (require_at_for_mention) to Slack - 2 upvotes, $200
  605. Team admin can change unauthorized team setting (allow_message_deletion) to Slack - 2 upvotes, $100
  606. Abusing daemon logs for Privilege escalation under certain scenarios to Phabricator - 2 upvotes, $0
  607. privilege escalation to Mavenlink - 2 upvotes, $0
  608. Creating Unauthorized Audience Lists to X (Formerly Twitter) - 2 upvotes, $0
  609. Ability to Download Music Tracks Without Paying (Missing permission check on /musicstore/download) to Vimeo - 2 upvotes, $0
  610. iOS App can establish Facetime calls without user's permission to X (Formerly Twitter) - 2 upvotes, $0
  611. XSS in myshopify.com Admin site in TAX Overrides to Shopify - 2 upvotes, $0
  612. Expire User Sessions in Admin Site does not expire user session in Shopify Application on iOS to Shopify - 2 upvotes, $0
  613. XSS in Myshopify Admin Site in DISCOUNTS to Shopify - 2 upvotes, $0
  614. Prevent Shop Admin From Seeing his Installed Apps / Install Persistent Unremovable App to Shopify - 2 upvotes, $0
  615. Privilege escalation vulnerability to Shopify - 2 upvotes, $0
  616. Login Hints on Admin Panel to Nextcloud - 2 upvotes, $0
  617. Missing function level access controls allowing attacker to abuse file access controls. Multiple vulnerabilities to Zendesk - 2 upvotes, $0
  618. Unauthorized Access to New Relic - 2 upvotes, $0
  619. Improper access control when an added email address is deleted from authentication to Weblate - 2 upvotes, $0
  620. Session Duplication due to Broken Access Control to WakaTime - 2 upvotes, $0
  621. Brave: Admin Panel Access to Brave Software - 2 upvotes, $0
  622. Missing Certificate Authority Authorization rule to Gratipay - 2 upvotes, $0
  623. Privilege Escalation in Share Report to New Relic - 2 upvotes, $0
  624. [babel.mail.ru] Admin Page Found to Mail.ru - 2 upvotes, $0
  625. Roundcube virtualmin privilege escalation (CVE-2017-8114) to Internet Bug Bounty - 2 upvotes, $0
  626. Bruteforce in admin panel to Nextcloud - 2 upvotes, $0
  627. Admin Login Credential Leak for DoD Gitlab EE instance to U.S. Dept Of Defense - 2 upvotes, $0
  628. Improper access control leading to deletion of Greeting videos on {https://smtp.8mar.mail.ru/} to Mail.ru - 2 upvotes, $0
  629. Secure credentials values disclosure to regular users due to access control issue in monitor creating function to New Relic - 2 upvotes, $0
  630. Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation to Shopify - 2 upvotes, $0
  631. Improper access control to messages of Social app to Nextcloud - 2 upvotes, $0
  632. Authorization bypass -> IDOR -> PII Leakage to U.S. Dept Of Defense - 2 upvotes, $0
  633. Privilege Escalation at invite feature @hackpad.com to Dropbox Acquisitions - 1 upvotes, $729
  634. Unauthorized Access via Join Email Link to WePay - 1 upvotes, $100
  635. Deleting groups in any project without permission to Localize - 1 upvotes, $0
  636. Making groups in any project without permission to Localize - 1 upvotes, $0
  637. Authorization issue on creative.yahoo.com to Yahoo! - 1 upvotes, $0
  638. Infrastructure and Application Admin Interfaces (OWASP‐CM‐007) to Yahoo! - 1 upvotes, $0
  639. Injection via CSV Export feature in Admin Orders to Shopify - 1 upvotes, $0
  640. Privilege escalation to allow non activated users to login and use uber partner ios app to Uber - 1 upvotes, $0
  641. Unauthorized file (invoice) download to Uber - 1 upvotes, $0
  642. No permission set on Activities [Android App] to Nextcloud - 1 upvotes, $0
  643. User enumeration in wp-admin to Ian Dunn - 1 upvotes, $0
  644. CSRF - Regenerate all admin api keys to New Relic - 1 upvotes, $0
  645. Brute Force into Admin Account to Nextcloud - 1 upvotes, $0
  646. Unauthorized access to the slack channel via inside.gratipay.com/appendices/chat to Gratipay - 1 upvotes, $0
  647. Missing Certificate Authority Authorization rule to Gratipay - 1 upvotes, $0
  648. Reflected XSS in admin settings to Deconf - 1 upvotes, $0
  649. No Access Control to Lob - 1 upvotes, $0
  650. [expressjs-ip-control] Whitelist IP bypass leads to authorization bypass and sensitive info disclosure to Node.js third-party modules - 1 upvotes, $0
  651. Proxy-Authorization header carried to a new host on a redirect to curl - 1 upvotes, $0
  652. Horizontal Privilege Escalation to WePay - 0 upvotes, $350
  653. [https://test1.owncloud.com/owncloud6/] Guessable password used for admin user to ownCloud - 0 upvotes, $0
  654. Ubuntu 12.04 Privilege Escalation to Nextcloud - 0 upvotes, $0
  655. Limited access to billing dashboard by Admin and Collaborator in conflict with user role permissions. to Doppler - 0 upvotes, $0
  656. Misconfiguration Certificate Authority Authorization Rule to Sifchain - 0 upvotes, $0