Top Authorization Bypass reports from HackerOne:
- Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO to Shopify - 1840 upvotes, $16000
- [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Shopify - 877 upvotes, $15000
- Ability to reset password for account to Upserve - 605 upvotes, $0
- Request smuggling on admin-official.line.me could lead to account takeover to LY Corporation - 556 upvotes, $0
- Privilege Escalation From user to SYSTEM via unauthenticated command execution to Ubiquiti Inc. - 541 upvotes, $0
- Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation to Shopify - 537 upvotes, $0
- Able to Become Admin for Any LINE Official Account to LY Corporation - 487 upvotes, $4750
- H1514 Ability to MiTM Shopify PoS Session to Takeover Communications to Shopify - 365 upvotes, $0
- Attacker is able to access commit title and team member comments which are supposed to be private to GitLab - 338 upvotes, $0
- [Razer Pay Mobile App] Broken access control allowing other user's bank account to be deleted to Razer - 311 upvotes, $1000
- Shopify admin authentication bypass using partners.shopify.com to Shopify - 298 upvotes, $20000
- Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite) to LocalTapiola - 263 upvotes, $18000
- Team member with Program permission only can escalate to Admin permission to HackerOne - 258 upvotes, $2500
- Linux privilege escalation via trusted $PATH in keybase-redirector to Keybase - 245 upvotes, $5000
- Bypass Email Verification -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain to GitLab - 239 upvotes, $3000
- Ability to bypass partner email confirmation to take over any store given an employee email to Shopify - 234 upvotes, $15250
- Privilege escalation from any user (including external) to gitlab admin when admin impersonates you to GitLab - 233 upvotes, $0
- Ability to bypass email verification for OAuth grants results in accounts takeovers on 3rd parties to GitLab - 228 upvotes, $3000
- Ability to DOS any organization's SSO and open up the door to account takeovers to Grammarly - 225 upvotes, $10500
- Unauthenticated blind SSRF in OAuth Jira authorization controller to GitLab - 222 upvotes, $4000
- Ability To Delete User(s) Account Without User Interaction to GitLab - 215 upvotes, $0
- [www.zomato.com] Blind XSS on one of the Admin Dashboard to Zomato - 214 upvotes, $750
- Incorrect authorization to the intelbot service leading to ticket information to TikTok - 203 upvotes, $15000
- Privilege escalation in workers container to Semmle - 202 upvotes, $1500
- Admin Management - Login Using Default Password - Leads to Image Upload Backdoor/Shell to Razer - 199 upvotes, $200
- Ability to create own account UUID leads to stored XSS to Upserve - 198 upvotes, $1500
- Unauthorized access to █████████.com allows access to Uber Brazil tax documents and system. to Uber - 197 upvotes, $4500
- HackerOne SAML signup domain enforcement bypass results in unauthorized access to HackerOne PullRequest organization to HackerOne - 197 upvotes, $0
- HackerOne Jira integration plugin Leaked JWT to unauthorized jira users to HackerOne - 196 upvotes, $3000
- Stealing Users OAuth authorization code via redirect_uri to pixiv - 193 upvotes, $2000
- Unauthorized access to metadata of undisclosed reports that were retested to HackerOne - 181 upvotes, $0
- Ability To Takeover any account by Email. to Radancy - 168 upvotes, $0
- GraphQL AdminGenerateSessionPayload is leaked to staff with no permission to Shopify - 168 upvotes, $0
- Able to approve admin approval and change effective status without adding payment details . to Reddit - 162 upvotes, $5000
- RCE as Admin defeats WordPress hardening and file permissions to WordPress - 161 upvotes, $0
- Admin can create a hidden admin account which even the owner can not detect and remove and do administrative actions on the application. to Reddit - 160 upvotes, $0
- Open memory dump method leaking customer information ,secret keys , password , source code & admin accounts to Stripo Inc - 152 upvotes, $0
- Absence of Token expiry leads to Unauthorized login Access to Affirm - 145 upvotes, $0
- inDriver Job - Admin Approval Bypass to inDrive - 140 upvotes, $1000
- Unauthorized user can obtain `report_sources` attribute through Team GraphQL object to HackerOne - 137 upvotes, $2500
- [blog.makerdao.com] Multiple Vulnerabilities - Leads to leakage user admin sensitive exposure to BlockDev Sp. Z o.o - 136 upvotes, $0
- Admin Panel Accessed (OAuth Bypassed ) to Mapbox - 123 upvotes, $4000
- SQL injection in Razer Gold List Admin at /lists/index.php via the `list[]` parameter. to Razer - 122 upvotes, $2000
- Apache HTTP [2.4.17-2.4.38] Local Root Privilege Escalation to Internet Bug Bounty - 119 upvotes, $1500
- Privilege Escalation via Keybase Helper to Keybase - 115 upvotes, $0
- Leak of authorization urls leads to account takeover to Bumble - 105 upvotes, $0
- Unauthorized User can View Subscribers of Other Users Newsletters to LinkedIn - 102 upvotes, $0
- Ubuntu Linux privilege escalation (dirty_sock) to Internet Bug Bounty - 101 upvotes, $0
- Ability to perform actions (Tweet, Retweet, DM) and other actions, unauthenticated, on any account with SMS enabled. to X (Formerly Twitter) - 99 upvotes, $0
- Unauthorized access to resumes stored on LinkedIn to LinkedIn - 99 upvotes, $0
- [www.zomato.com] Blind XSS in one of the admin dashboard to Zomato - 97 upvotes, $500
- Ability to join an arbitrary workspace by utilizing a proxy to manipulate invite links to Slack - 96 upvotes, $0
- connect.8x8.com: admin user can send invites on behalf of another admin user via POST /api/v1/users/<User ID>/invites to 8x8 Bounty - 94 upvotes, $0
- Admin panel Exposure without credential at https://plus-website.shopifycloud.com/admin.php to Shopify - 91 upvotes, $2900
- Header modification results in disclosure of Slack infra metadata to unauthorized parties to Slack - 90 upvotes, $0
- Multiple Vulnerabilities in (*www.yoti.com) - Leads to Leakage user admin Sensitive Exposure to Yoti - 88 upvotes, $0
- Privilege Escalation via REST API to Administrator leads to RCE to WordPress - 88 upvotes, $0
- Github app Privilege Escalation to Administrator/Owner of the Organization to GitHub - 87 upvotes, $0
- capsula.mail.ru - Admin blind stored XSS to Mail.ru - 86 upvotes, $1500
- CORS misconfiguration allows to steal client's "password", Authorization token and the customer details e.g. names, SSN, bank account etc. to LocalTapiola - 86 upvotes, $0
- Unauthorized access to https://shipit.analogpond.com/ to DigitalOcean - 86 upvotes, $0
- Add new development stores without permission to Shopify - 84 upvotes, $1900
- Ability to link a Google account to another staff account/store owner that isn't linked yet to Shopify - 83 upvotes, $0
- Ability to publish a paid theme without purchasing it. to Shopify - 81 upvotes, $2000
- Privilege-0 to Root Privilege Escalation on EdgeSwitch to Ubiquiti Inc. - 81 upvotes, $0
- Insufficient access control on all BCRM instances leading to the ability to create admin accounts using the API to LY Corporation - 81 upvotes, $0
- Complete Admin account takeover due to PhpDebugBar turned on in Uber's production server to Uber - 80 upvotes, $2750
- Admin Authentication Bypass Lead to Admin Account Takeover to UPS VDP - 80 upvotes, $0
- [Hubs] - Broken access control in placing objects in hubs room to Mozilla - 80 upvotes, $0
- User automatically logged in as Sys Admin user on https://███/Administration/Administration.aspx to U.S. Dept Of Defense - 79 upvotes, $0
- latest_activity_id and latest_activity_at may disclose information about internal activities to unauthorized users to HackerOne - 76 upvotes, $0
- Improper authorization allows disclosing users' notification data in Notification channel server to LY Corporation - 75 upvotes, $2000
- [Mail.Ru Android] Typo in permission name allows to write contacts without user knowledge to Mail.ru - 75 upvotes, $0
- Incorrect details on OAuth permissions screen allows DMs to be read without permission to X (Formerly Twitter) - 73 upvotes, $2940
- Ability to verify any email address you don't own - accounts.shopify.com to Shopify - 73 upvotes, $0
- Unauthorized access to GovSlack to Slack - 71 upvotes, $1500
- The request tells the number of private programs, the new system of authorization /invite/token to HackerOne - 69 upvotes, $2000
- Authorization Token on PlayStation Network Leaks via postMessage function to PlayStation - 66 upvotes, $1000
- CSRF on Periscope Web OAuth authorization endpoint to X (Formerly Twitter) - 66 upvotes, $0
- Able to see Twitter Circle tweets due to improper access control on the "FavoriteTweet" endpoint to X (Formerly Twitter) - 65 upvotes, $0
- CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes to Kubernetes - 64 upvotes, $5000
- Able to access private picture/video/writing when requesting for their JSON response to FetLife - 64 upvotes, $0
- User able to access company details in yrityspalvelu without proper permissions to LocalTapiola - 63 upvotes, $2000
- Insecure Infrastructure Integrations YML Loading leads to Windows Privilege Escalation to New Relic - 63 upvotes, $0
- Missing Authorization on Private Message replies (BuddyPress) to WordPress - 63 upvotes, $0
- IDOR: the ability to view support tickets of any user on seller platform to TikTok - 61 upvotes, $2500
- A non-privileged user may create an admin account in Stocky to Shopify - 61 upvotes, $1600
- Privilege escalation of "external user" (with maintainer privilege) to internal access through project token to GitLab - 61 upvotes, $1020
- Authorization issue in Google G Suite allows DoS through HTTP redirect to Uber - 61 upvotes, $0
- Blind XSS in Mobpub Marketplace Admin Production | Sentry via demand.mopub.com (User-Agent) to X (Formerly Twitter) - 61 upvotes, $0
- Ability to get Twitter Blue verified badge without purchasing it to X (Formerly Twitter) - 61 upvotes, $0
- [www.zomato.com] Blind XSS in one of the Admin Dashboard to Zomato - 60 upvotes, $0
- Brute Force of fabric-ca server admin account to Hyperledger - 60 upvotes, $0
- Improper Access Control + Financial fraud allows attacker to disclose + add arbitrary products to another user's order to Shipt - 59 upvotes, $3900
- [idor] Unauthorized Read access to all the private posts(Including Photos,Videos,Gifs) to Pornhub - 58 upvotes, $1500
- Authorization bypass using login by phone option+horizontal escalation possible on Grab Android App to Grab - 58 upvotes, $1000
- Ability to Disable the Login Attempt of any Shopify Owner for 24 hrs (Zero_Click) to Shopify - 58 upvotes, $900
- Ability to access all user authentication tokens, leads to RCE to GitLab - 57 upvotes, $0
- Privilege Escalation by abusing non-existent path. (Windows) to PortSwigger Web Security - 57 upvotes, $0
- [affiliates.udemy.com] Wordpress user admin information disclosure to Udemy - 57 upvotes, $0
- Access to some Slack workspace metadata and settings available to unauthorized parties to Slack - 55 upvotes, $7000
- Ability to see hidden likes to X (Formerly Twitter) - 54 upvotes, $0
- Sensitive Clickjacking on admin login page. to Shipt - 53 upvotes, $0
- Staff are able to extend Shopify trial period without admin permission to Shopify - 53 upvotes, $0
- [manage.jumpbikes.com] Blind XSS on Jump admin panel via user name to Uber - 53 upvotes, $0
- Ability to log in as any user without authentication if █████████ is empty to Ubiquiti Inc. - 52 upvotes, $0
- Ability to add arbitrary images/descriptions/titles to other people's issues via IDOR on getrevue.co to X (Formerly Twitter) - 52 upvotes, $0
- Staff who only have apps and channels permission can do a takeover account at the wholesale store (Bypass get invitation link) to Shopify - 51 upvotes, $1600
- Ability to bruteforce mopub account’s password due to lack of rate limitation protection using {ip rotation techniques} to X (Formerly Twitter) - 51 upvotes, $420
- Privilege Escalation in kOps using GCE/GCP Provider to Kubernetes - 50 upvotes, $2500
- Unauthenticated read and write access to ALL endpoints of a store is possible for removed staff members who had "Apps" permission to Shopify - 50 upvotes, $0
- Inject page in admin panel via Shopify.API.pushState to Shopify - 49 upvotes, $500
- Privilege Escalation: Read-Only to Admin to Inflection - 49 upvotes, $0
- SQL Injection in IBM access control panel & Broken access in admin panel to IBM - 49 upvotes, $0
- Privilege Escalation on TikTok for Business to TikTok - 49 upvotes, $0
- CVE-2023-42663: Apache Airflow: Bypass permission verification to view task instances of other dags to Internet Bug Bounty - 48 upvotes, $540
- Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks to Discourse - 48 upvotes, $512
- XSS within Shopify Email App - Admin to Shopify - 48 upvotes, $0
- ability to install paid themes for free to Shopify - 46 upvotes, $0
- Information disclosure (Email, Numbers, Agreements, admin Sessions and more ...) through a PostgreSQL database belonging to (legium-back.corp.mail.ru) to Mail.ru - 46 upvotes, $0
- Bypassing Collaborator Restrictions: Retaining Admin Access Post-Repository Transfer to GitHub - 45 upvotes, $4000
- Unauthorized access to jiratest.starbucks.com to Starbucks - 45 upvotes, $0
- [h1-2102] [Yaworski's Broskis] Low privilege user can read POS PINs via graphql and elevate his privilege to Shopify - 45 upvotes, $0
- macOS privilege escalation to Keybase - 44 upvotes, $0
- A malicious admin is able to permanently prevent an Owner (Admin) from accessing his account to Linktree - 43 upvotes, $600
- Admin Command Injection via username in user_archive ExportCsvFile to Discourse - 43 upvotes, $512
- Privilege Escalation: deleting all created links from okl.lt to ok.ru - 43 upvotes, $0
- blog/wp-json/wp/v2/users endpoint is enabled; it can be used to brute-force the admin panel at blog/wp-login.php to Mail.ru - 43 upvotes, $0
- 2M Reports on HackerOne Celebration! - Ability to bulk-submit many reports. to HackerOne - 43 upvotes, $0
- Privilege escalation - Support-Contributor to Support and Product Admin via `/api/v2/██████`. No ADMIN PRIVILEGE required. to Zendesk - 43 upvotes, $0
- Privilege Escalation via Keybase Helper (incomplete security fix) to Keybase - 42 upvotes, $0
- Non privileged user is able to approve his own app himself leading to mass privilege escalations. to Lark Technologies - 42 upvotes, $0
- Unauthenticated Access to Admin Panel Functions at https://██████████/████████ to U.S. Dept Of Defense - 42 upvotes, $0
- Exposure Of Admin Username & Password to MTN Group - 42 upvotes, $0
- Unauthorized Access to Offline Publication Cover Pages via SOURCE_DOCUMENT_ID to Publitas - 42 upvotes, $0
- RC Between GitHub's Repo Transfer REST API and updateTeamsRepository GraphQL Mutation Results in Covert and Persistent Admin Access Retention to GitHub - 41 upvotes, $4000
- Improper access control on easytopup.in.th transaction page leads to user's information disclosure and may lead to account hijacking to Razer - 41 upvotes, $1000
- admin password disclosure via log file to Acronis - 41 upvotes, $100
- Blind XSS Stored On Admin Panel Through Name Parameter In [ https://technoatom.mail.ru/] to Mail.ru - 41 upvotes, $0
- Unauthorized Access To Admin panel to Mail.ru - 41 upvotes, $0
- Privilege Escalation leading to post in channel without having privilege to Mattermost - 41 upvotes, $0
- Ability to change permissions across seller platform to TikTok - 41 upvotes, $0
- Improper access control for users with expired password, giving the user full access through API and Git to GitLab - 40 upvotes, $950
- User with privilege to maintain External Programs can update certain churned HackerOne programs to HackerOne - 40 upvotes, $500
- Improper Authorization at https://api-my.pay.razer.com/v1/trxDetail?trxId=[Id] allowing unauthorised access to other user's transaction details to Razer - 40 upvotes, $500
- Ability to bypass social OAuth and take over any account [d2c-api] to Genasys Technologies - 40 upvotes, $0
- Endpoint without access control leads to order information and status changes to Azbuka Vkusa - 40 upvotes, $0
- Attacker can Add itself as admin user and can also change privileges of Existing Users [█████████] to U.S. Dept Of Defense - 40 upvotes, $0
- Persistent Unauthorized Administrative Access on All Organization Repositories via RC in User Conversion to Organization to GitHub - 39 upvotes, $4000
- Permission model improperly protects against path traversal in Node.js 20 to Internet Bug Bounty - 39 upvotes, $2330
- Blind XSS - Report review - Admin panel to Zomato - 39 upvotes, $350
- unauthorized Access To Elastic DB to Mail.ru - 39 upvotes, $150
- Vulnerabilities chain leading to privilege escalation to Nord Security - 39 upvotes, $0
- admin.8x8.vc: Member users with no permission can integrate email to connect calendar via GET /meet-external/spot-roomkeeper/v1/calendar/auth/init?.. to 8x8 Bounty - 39 upvotes, $0
- CSP Bypass and escalation of https://hackerone.com/reports/2279346 to PortSwigger Web Security - 39 upvotes, $0
- Inject page in admin panel via Shopify.API.pushState with protocol invalid to Shopify - 38 upvotes, $500
- H1514 Removed Staff members who had "Apps" permission can still modify flow app connections to Shopify - 38 upvotes, $0
- View Only to Root Privilege Escalation on UniFi Protect to Ubiquiti Inc. - 38 upvotes, $0
- Bypass of my three other reports #267636 + #255894 + #271861 - (IDOR) Ability to see full name associated with other New Relic accounts to New Relic - 37 upvotes, $1500
- Removed staff members who had "Manage shops" permission can still create development stores to Shopify - 37 upvotes, $0
- Exposed Slinky Instance Admin Panel to Shopify - 37 upvotes, $0
- Ability to invite a new member on Sandbox Program to HackerOne - 37 upvotes, $0
- Accessing unauthorized administration pages and seeing admin password - speakerkit.state.gov to U.S. Department of State - 37 upvotes, $0
- Unauthorized Access to Deleted Interviews on Glassdoor Platform to Glassdoor - 37 upvotes, $0
- NordVPN Linux Client - Unsafe service file permissions leads to Local Privilege Escalation to Nord Security - 36 upvotes, $0
- Privilege Escalation Leads to Control The Owner Access Token Which leads to control the stream [streamlabs.com] to Logitech - 35 upvotes, $0
- Privilege Escalation - "Analyst" Role Can View Email Domains of a Company - [GET /voyager/api/voyagerOrganizationDashEmailDomainMappings] to LinkedIn - 35 upvotes, $0
- Stored XSS on developer.uber.com via admin account compromise to Uber - 34 upvotes, $5000
- HackerOne reports escalation to JIRA is CSRF vulnerable to HackerOne - 34 upvotes, $500
- User has Sender permission can Get Team information to Dropbox - 34 upvotes, $216
- Authorization Bypass in Delivery Chat Logs to Instacart - 34 upvotes, $100
- [api-site.city-mobil.ru] Improper access control leads to information disclosure to Mail.ru - 34 upvotes, $0
- Bypass the reverse proxy. Request admin to Mail.ru - 34 upvotes, $0
- Stored XSS Deleting Menu Links in the Shopify Admin to Shopify - 33 upvotes, $0
- CSRF on launchpad.37signals.com OAuth2 authorization endpoint to Basecamp - 33 upvotes, $0
- Low privileged user can create high privileged user's KITCRM authorization token and can read and write message to KIT to Shopify - 33 upvotes, $0
- [HTA2] Authorization Bypass on https://██████ leaks confidential aircraft/missile information to U.S. Dept Of Defense - 33 upvotes, $0
- Unauthorised access to admin endpoint on plus-website-staging5.shopifycloud.com to Shopify - 32 upvotes, $2900
- All Vimeo Private videos disclosure via Authorization Bypass to Vimeo - 32 upvotes, $0
- Improper Access Control in LINE Timeline API that returns a list of hidden friends to LY Corporation - 31 upvotes, $1346
- Privilege escalation allows to use iframe functionality w/o upgrade to Infogram - 31 upvotes, $0
- [api-site.city-mobil.ru] Improper access control leads to information disclosure (bypass of #977597 fix) to Mail.ru - 31 upvotes, $0
- Group admins can remove arbitrary data from "data" directory (including admin data) to Nextcloud - 30 upvotes, $0
- Authentication CSRF resulting in unauthorized account access on Krisp app to Krisp - 30 upvotes, $0
- [PATs] Ability to leak comments from issues without ANY "Issues" repo permissions by utilizing "Pull Request" permissions to GitHub - 30 upvotes, $0
- IBM Maximo Asset Management could allow a remote attacker to bypass authentication due to improper access controls to IBM - 30 upvotes, $0
- [Privilege Escalation] Shopify Admin -- Permission from Settings to Customer to Shopify - 29 upvotes, $500
- Admin Access to a domain used for development and admin access to internal dashboards on that domain to Zomato - 29 upvotes, $0
- Privilege escalation due to insecure use of logrotate to GitLab - 29 upvotes, $0
- Broken access control to UPS VDP - 29 upvotes, $0
- Member role which doesn't have permission to send message can send by executing channel commands to Mattermost - 29 upvotes, $0
- Changing the administrator password via admin console does not invalidate other sessions to PortSwigger Web Security - 29 upvotes, $0
- Add new managed stores without permission to Shopify - 28 upvotes, $1900
- Ability to see password protected content by bypassing the password page of shopify preview URL for new development stores (as of August 17, 2020) to Shopify - 28 upvotes, $1500
- OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing to Vimeo - 28 upvotes, $0
- Any staff member who has the ability to comment in [discounts] can disable the comment section for other staff, even the admin of the store to Shopify - 28 upvotes, $0
- Thailand - Insecure Direct Object Reference permits an unauthorized user to transfer funds from a victim using only the victims Starbucks card to Starbucks - 28 upvotes, $0
- connect.8x8.com: Users with no permission can track/access restricted details/data via GET /api/v2/support/requests/<ticket number >HTTP/2 to 8x8 Bounty - 28 upvotes, $0
- Ability to read any emails through IDOR on Nextcloud Mail to Nextcloud - 28 upvotes, $0
- Improper Access Control allows OTP bypass to Lark Technologies - 28 upvotes, $0
- CVE-2023-40611: Apache Airflow Dag Runs Broken Access Control Vulnerability to Internet Bug Bounty - 28 upvotes, $0
- Improper Access Control on Onelogin in multi-layered architecture to Uber - 27 upvotes, $500
- Bypassing authorization of linked Instagram account to TikTok - 27 upvotes, $170
- Cross-Tenant IDOR on Business allowing privilege escalation, invitation takeover, and editing of any other Businesses' employees to Uber - 27 upvotes, $0
- [hta3] Remote Code Execution on https://███ via improper access control to SCORM Zip upload/import to U.S. Dept Of Defense - 27 upvotes, $0
- WooCommerce Blacklist in 'map_meta_cap' leads to Privilege Escalation of Shopmanagers to Automattic - 26 upvotes, $0
- Access control issue on invoice documents downloading feature. to Moneybird - 26 upvotes, $0
- Local Privilege Escalation during execution of VeraCryptExpander.exe (UAC bypass) to Internet Bug Bounty - 25 upvotes, $1250
- Proxy-Authorization header is not cleared in cross-domain redirect in undici to Internet Bug Bounty - 25 upvotes, $405
- [www.zomato.com] Privilege Escalation - /php/restaurant_menus_handler.php to Zomato - 25 upvotes, $200
- [EdgeSwitch] Web GUI command injection as root with Privilege-1 and Privilege-15 users to Ubiquiti Inc. - 25 upvotes, $0
- A team member of the program with Report rights can ban the Admin to HackerOne - 25 upvotes, $0
- Improper Access Control on Lark Footer Feature to Lark Technologies - 25 upvotes, $0
- [Bypass] Ability to invite a new member in sandbox Organization to HackerOne - 25 upvotes, $0
- [h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserTfaEnforcement to Shopify - 25 upvotes, $0
- Ability to escape database transaction through SQL injection, leading to arbitrary code execution to HackerOne - 25 upvotes, $0
- Incorrect Authorization leads to see other users Documents Uploaded to Tennessee Valley Authority - 25 upvotes, $0
- Shop App - Attacker is able to intercept authorization code during authentication (OAuth) and is able to get access to Microsoft Outlook email account to Shopify - 24 upvotes, $900
- Apache Airflow: Bypass permission verification to read code of other dags to Internet Bug Bounty - 24 upvotes, $540
- Read Access to all comments on unauthorized forums' discussions! IDOR! to Valve - 24 upvotes, $500
- None permission staff member can identify installed application and products attached to it to Shopify - 24 upvotes, $500
- Bypass report #416983 - Removed Staff members who had "Apps" permission can still modify flow app connections to Shopify - 24 upvotes, $0
- Unauthorized User Can Delete Any User Account to Nord Security - 24 upvotes, $0
- Readonly to Root Privilege Escalation on EdgeSwitch to Ubiquiti Inc. - 24 upvotes, $0
- Default credentials lead to Spring Boot Admin dashboard access to 8x8 - 24 upvotes, $0
- Deny Admin from Editing LinkedIn Company Page using Gen Form Visibility via POST /voyager/api/voyagerOrganizationDashCompanies/{id} to LinkedIn - 24 upvotes, $0
- REST API Endpoint leads to Unauthorized user disclosed private [ issue ] details to Mail.ru - 23 upvotes, $1000
- Fully TaxJar account control and ability to disclose and modify business account settings Due to Broken Access Control in /current_user_data to Stripe - 23 upvotes, $1000
- File access controls incorrectly enforced for files shared via QuickLink - Unshared files can be accessed to Files.com - 23 upvotes, $600
- user with no draft order permission can still perform action on draft order's in stocky app (idor) to Shopify - 23 upvotes, $500
- CVE-2019-5443: Windows Privilege Escalation: Malicious OpenSSL Engine to curl - 23 upvotes, $200
- Ability to enumerate private programs using SAML to HackerOne - 23 upvotes, $0
- Privilege Escalation to Admin-level Account to Legal Robot - 23 upvotes, $0
- A user can comment in private discussions without having permission to access the discussion to Vanilla - 23 upvotes, $0
- Local privilege escalation bug using Keybase redirector on macOS to Keybase - 23 upvotes, $0
- Last build status and coverage leaked to unauthorized users to GitLab - 23 upvotes, $0
- Unauthorized access to private project security dashboard to GitLab - 23 upvotes, $0
- Default Admin Username and Password on █████ Server at █████████mil to U.S. Dept Of Defense - 23 upvotes, $0
- Ability to connect an external login service for unverified emails/accounts at accounts.shopify.com to Shopify - 22 upvotes, $1600
- Unauthorized packages modification or secrets exfiltration via GitHub actions to Hyperledger - 22 upvotes, $1500
- Local privilege escalation via insecure MSI file to Acronis - 22 upvotes, $250
- Mirror of https://city-mobil.ru admin interface to Mail.ru - 22 upvotes, $150
- Bypass password confirmation via Context-dependent access control (CDCA) to Nextcloud - 22 upvotes, $100
- Admin bar: Incomplete message origin validation results in XSS to Shopify - 22 upvotes, $0
- Unauthorized users may be able to view almost all information related to Private projects. to GitLab - 22 upvotes, $0
- CPP: Out of order Linux permission dropping without checking return codes to GitHub Security Lab - 22 upvotes, $0
- Django Debug=True Leaks admin email addresses and several pieces of system information to Mail.ru - 22 upvotes, $0
- Anonymous access control - Payments Status to Omise - 21 upvotes, $100
- Unauthorized Access to Protected Tweets via niche.co API to X (Formerly Twitter) - 21 upvotes, $0
- Privilege Escalation using API->Feature to Ubiquiti Inc. - 21 upvotes, $0
- Unauthorized command execution in Web protection component of Anti-Virus products family [IE] to Kaspersky - 21 upvotes, $0
- Multiple Vulnerabilities in (*.blog.yelp.com) - Leakage user admin Sensitive Exposure to Yelp - 21 upvotes, $0
- unpermitted user can change the device name of admin account to Helium - 21 upvotes, $0
- Ability to generate shipping labels in another store orders to Shopify - 21 upvotes, $0
- [h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserRole to Shopify - 21 upvotes, $0
- [PATs] Token with Read-Only permissions on Issues able to modify issue comments using content write permission to GitHub - 21 upvotes, $0
- [h1-2102] [Plus] User with Store Management Permission can Make changeDomainEnforcementState - that should be limited to User Management Only to Shopify - 20 upvotes, $1900
- Open TURN relay abuse is possible due to lack of peer access control (Critical) to 8x8 Bounty - 20 upvotes, $700
- Unauthorized access to a system used for CI/CD processes to Starbucks - 20 upvotes, $0
- LFI on Accounting server and RCE on FliteThermostat admin server to 50m-ctf - 20 upvotes, $0
- Ability to manipulate price with a max threshold of `<1 Rupee` in support rider parameter to Zomato - 20 upvotes, $0
- Unauthorized updates to extended_info properties in /store/ajaxpackagesave to Valve - 20 upvotes, $0
- Ability to potentially hit internal NGINX locations on *.myshopify.com by making use of the `X-Accel-Redirect` header via a configured App Proxy to Shopify - 20 upvotes, $0
- Privilege Escalation vulnerability in steam's Remote Play feature leads to arbitrary kernel-mode driver installation to Valve - 20 upvotes, $0
- Access control vulnerability (read-only) to EXNESS - 20 upvotes, $0
- Non-admin users can reset app allowlist to the default to Nextcloud - 20 upvotes, $0
- Code injection and privilege escalation through Linux capabilities to Node.js - 20 upvotes, $0
- Privilege Escalation at Apache Airflow 2.5.1 to Internet Bug Bounty - 19 upvotes, $2400
- IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop to Shopify - 19 upvotes, $500
- User to Admin privilege escalation in Infrastructure Conditions - /v2/accounts/1835740/alerts/conditions to New Relic - 19 upvotes, $500
- Inject page in admin panel via Shopify.API.pushState [New Payload] to Shopify - 19 upvotes, $500
- Cleartext password exposure allows access to the desafio5estrelas.com admin panel to Uber - 19 upvotes, $500
- Direct Access To admin Dashboard to Shopify - 19 upvotes, $500
- staffOrderNotificationSubscriptionDelete Could Be Used By Staff Member With Settings Permission to Shopify - 19 upvotes, $500
- Missing Access Control(IDOR) To Know LinkedAccounts to Dashlane - 19 upvotes, $0
- Missing Certificate Authority Authorization rule to HackerOne - 19 upvotes, $0
- Admin Macro Description Stored XSS to Zendesk - 19 upvotes, $0
- Order Creation Webhooks can be edited/deleted by STAFF with `Settings` only permission to Shopify - 19 upvotes, $0
- Admin Reseller Account Disclosure to 8x8 - 19 upvotes, $0
- Users Without Permission Can Download Restricted Files to Lark Technologies - 19 upvotes, $0
- CVE-2023-47037: Airflow Broken Access Control Vulnerability to Internet Bug Bounty - 19 upvotes, $0
- Stored XSS on newsroom.uber.com admin panel / Stream WordPress plugin to Uber - 18 upvotes, $5000
- Java: CWE-939 - Address improper URL authorization to GitHub Security Lab - 18 upvotes, $1500
- Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181 to Shopify - 18 upvotes, $1000
- staffOrderNotificationSubscriptionCreate Is Not Blocked Entirely From Staff Member With Settings Permission to Shopify - 18 upvotes, $900
- Ability to add address without being an admin or staff in the store via wholesale store to Shopify - 18 upvotes, $500
- [www.zomato.com] Privilege Escalation - Control reviews - /████dashboard_handler.php to Zomato - 18 upvotes, $300
- [Broken Access Control ] Unauthorized Linking accounts & Linked Accounts info DIsclosure to Stripe - 18 upvotes, $250
- IDOR - Ability to view unlisted products to Reverb.com - 18 upvotes, $0
- Clickjacking in the admin page to Rocket.Chat - 18 upvotes, $0
- [H1-2006 2020] Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or using a custom API attack tool to h1-ctf - 18 upvotes, $0
- [Bypass #870709] Unauthorised access to pagespeed global admin at https://webtools.paloalto.com/ to Palo Alto Software - 18 upvotes, $0
- Privilege Escalation to All-staff group to Lark Technologies - 18 upvotes, $0
- [user_oidc] Stored XSS via Authorization Endpoint - Safari-Only to Nextcloud - 18 upvotes, $0
- Privilege Escalation through Keybase Installer via Helper to Keybase - 17 upvotes, $2500
- Staff can create workflows in Shopify Admin without apps permission to Shopify - 17 upvotes, $1600
- [IMP] - Blind XSS in the admin panel for reviewing comments to Rockstar Games - 17 upvotes, $650
- Proxy-Authorization header not cleared on cross-origin redirect in undici.request to Internet Bug Bounty - 17 upvotes, $420
- Corrupted Authorization header can cause logs not to be ingested properly in ████████ to HackerOne - 17 upvotes, $0
- Improper Authorization to Stripo Inc - 17 upvotes, $0
- User with single department permission can view applicant list of all department's to Lark Technologies - 17 upvotes, $0
- Unauthorized access to GitLab - 17 upvotes, $0
- Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, ... to GitLab - 16 upvotes, $5000
- CVE-2023-42780: Apache Airflow: Improper access control vulnerability in the "List dag warnings" feature to Internet Bug Bounty - 16 upvotes, $540
- Renderers can obtain access to random bluetooth device without permission to Internet Bug Bounty - 16 upvotes, $480
- Unauthorized team members can leak information and see all API calls through /1/admin/* endpoints, even after they have been removed. to Algolia - 16 upvotes, $400
- Access control missing while viewing the attachments in the "All boards" to Nextcloud - 16 upvotes, $150
- Access control issue -- [Allow file system access not validated when using session auth] to Nextcloud - 16 upvotes, $100
- Privilege escalation to access all private groups and repositories to GitLab - 16 upvotes, $0
- Ability to monitor reports' submission in real time to HackerOne - 16 upvotes, $0
- Missing access control exposing detailed information on all users to WP API - 16 upvotes, $0
- Privilege Escalation. to Inflection - 16 upvotes, $0
- Privilege Escalation: From operator to ubnt (and root) with non-interactive Session Hijacking to Ubiquiti Inc. - 16 upvotes, $0
- brute force attack allowed on admin page https://www.stellar.org/wp-admin/ to Stellar.org - 16 upvotes, $0
- Access control vulnerability (read/write) to EXNESS - 16 upvotes, $0
- Response Manipulation leads to Admin Panel Login Bypass at https://██████/ to Sony - 16 upvotes, $0
- Default Admin Username and Password on ███ to U.S. Dept Of Defense - 16 upvotes, $0
- Ability to publish a paid theme without purchasing it. to Shopify - 15 upvotes, $2000
- [NR Synthetics] (IDOR) Ability to see full name associated with other New Relic accounts through workaround of #255894 to New Relic - 15 upvotes, $1500
- Unauthorized Canceling/Unsubscribe TaxJar account & Payment information DIsclosure to Stripe - 15 upvotes, $500
- Double Stored Cross-Site scripting in the admin panel to GSA Bounty - 15 upvotes, $300
- CSRF to add admin [wordpress] to WordPress - 15 upvotes, $0
- Race condition (TOCTOU) in NordVPN can result in local privilege escalation to Nord Security - 15 upvotes, $0
- Unsafe cors sharing of admin users to MTN Group - 15 upvotes, $0
- Non-admin users can trigger writes to memcached by entering a malicious server as a share URL to Nextcloud - 15 upvotes, $0
- Multiple permission model bypasses due to improper path traversal sequence sanitization to Node.js - 15 upvotes, $0
- Leftover back-end system on www.zest.co.th allows an unauthorized attacker to generate Razer Gold Pin for free to Razer - 14 upvotes, $375
- User with only Viewing Privilege can send message to Room to Phabricator - 14 upvotes, $300
- Able to remove the admin access of my program to HackerOne - 14 upvotes, $0
- Missing authorization checks leading to the exposure of ubernihao.com administrator accounts to Uber - 14 upvotes, $0
- Code Injection in Slack's Windows Desktop Client leads to Privilege Escalation to Slack - 14 upvotes, $0
- Organization Admin Privilege Escalation To Owner to Bitwarden - 14 upvotes, $0
- Ability to login to the Nexus Repo Manager from https://nexus.imgur.com/ to Imgur - 14 upvotes, $0
- █████████ on CRM server without authorization to Unikrn - 14 upvotes, $0
- Missing Certificate Authority Authorization rule to HackerOne - 14 upvotes, $0
- Nextcloud 10.0 privilege escalation issue - Normal user can mask external storage shared by admin to Nextcloud - 14 upvotes, $0
- CPP: Out of order Linux permission dropping without checking return codes to GitHub Security Lab - 14 upvotes, $0
- Improper authorization on /api/as/v1/credentials/ for Dev Role User with Limited Engine Access to Elastic - 14 upvotes, $0
- Remove Every User, Admin, And Owner Out Of Their Teams on developers.mtn.com via IDOR + Information Disclosure to MTN Group - 14 upvotes, $0
- Low authorization level at server side API operation e2e.updateGroupKey, let an attacker break the E2E architecture. to Rocket.Chat - 14 upvotes, $0
- Proxy-Authorization header is not cleared in cross-domain redirect in undici to Node.js - 14 upvotes, $0
- Add signature to transactions without any permission to Shopify - 13 upvotes, $500
- Acronis True Image Local Privilege Escalation via insecure folder permissions to Acronis - 13 upvotes, $300
- Unauthorized read access to Invoices by PM (Access control Issues) to Harvest - 13 upvotes, $150
- PM can delete payment of any invoice in company (Access control Issue) to Harvest - 13 upvotes, $100
- Inadequate access controls in "Vote" functionality??? to HackerOne - 13 upvotes, $0
- Privilege escalation-User who does not have access is able to add notes to the contact to Mixmax - 13 upvotes, $0
- Unauthenticated Reflected XSS in admin dashboard to Deconf - 13 upvotes, $0
- Any user can completely delete their own account without authorization and/or going through any kind of membership cancellation protocol. to Shipt - 13 upvotes, $0
- 3rd party shop admin panel blind XSS to Mail.ru - 13 upvotes, $0
- Delete permission can be added on reshare to Nextcloud - 13 upvotes, $0
- [Critical] Full local fylesystem access (LFI/LFD) as admin via Path Traversal in the misconfigured Java servlet on the https://███/ to U.S. Dept Of Defense - 13 upvotes, $0
- Unauthorized command execution in Web protection component of Anti-Virus products family to Kaspersky - 13 upvotes, $0
- WordPress admin is accessible without HTTP authentication to Showmax - 13 upvotes, $0
- Access Control: Inject tasks into other users decks to Nextcloud - 13 upvotes, $0
- [dubmash] Lack of authorization checks - Update Sound Titles to Reddit - 13 upvotes, $0
- All user password hash can be seen from admin panel to UPchieve - 13 upvotes, $0
- Reference caching can leak data to unauthorized users to Nextcloud - 13 upvotes, $0
- [h1-2102] [PLUS] User with Store Management Permission can Make enforceSamlOrganizationDomains call - that should be limited to User Management Only to Shopify - 12 upvotes, $1900
- macOS privilege escalation via keybase install to Keybase - 12 upvotes, $1250
- Ability to perform various POST requests on quantopian.com as a different user - insecure by design. to Quantopian - 12 upvotes, $1050
- PM can delete the company logo image (Vertical Privilege Escalation ) to Harvest - 12 upvotes, $100
- Code source discloure & ability to get database information "SQL injection" in [townwars.mail.ru] to Mail.ru - 12 upvotes, $0
- Privilege escalation in the client impersonation functionality to Ubiquiti Inc. - 12 upvotes, $0
- Redirect on authorization allows account compromise to GSA Bounty - 12 upvotes, $0
- [h1-2102] Partner's team member with no permission can retrieve services financial data to Shopify - 12 upvotes, $0
- Improper access control in place for "member only" groups via root.YUI_config.flickr.api.site_key to Flickr - 12 upvotes, $0
- Improper Sanitization leads to XSS Fire on admin panel to Informatica - 12 upvotes, $0
- Unauthorized access to employee panel with default credentials. to U.S. General Services Administration - 12 upvotes, $0
- [Transportation Management Services Solution 2.0] Improper authorization at tmss.gsa.gov leads to data exposure of all registered users to U.S. General Services Administration - 12 upvotes, $0
- Ability to View Non-Permitted Admin Log to Lark Technologies - 12 upvotes, $0
- [Java] CWE-939 - Address improper URL authorization to GitHub Security Lab - 11 upvotes, $1800
- Ability to bypass locked Cloudflare WARP on wifi networks. to Cloudflare Public Bug Bounty - 11 upvotes, $1000
- H1514 Lack of access control on edit packing slip template to Shopify - 11 upvotes, $500
- Unsecured Dropwizard Admin Panel on display.uber-adsystem.com exposes sensitive server information to Uber - 11 upvotes, $500
- Missing authorization allows sales only user to record payment. to Visma Public - 11 upvotes, $250
- Privilege escalation..., or not?! to HackerOne - 11 upvotes, $0
- Unauthorized Team members viewing to HackerOne - 11 upvotes, $0
- Unauthorized update of merchants' information via /php/merchant_details.php to Zomato - 11 upvotes, $0
- Paragonie Airship Admin CSRF on Extensions Pages to Paragon Initiative Enterprises - 11 upvotes, $0
- Information Disclosure and Privilege Escalation in app.goodhire.com/member/developers/api-settings to Inflection - 11 upvotes, $0
- Privilege escalation allows any user to add an administrator to Node.js third-party modules - 11 upvotes, $0
- Private API key leakage due to lack of access control to Cloudflare Vulnerability Disclosure - 11 upvotes, $0
- Password protected rooms total number of viewers disclosure to unauthorized members to Chaturbate - 11 upvotes, $0
- Vulnerability Report - Missing Certificate Authority Authorization rule to MariaDB - 11 upvotes, $0
- "Test target" of the "HTTP target" extension can unintentionally send username and password in the Authorization header to Zendesk - 11 upvotes, $0
- Staff member with no permission can delete POS staff from account settings to Shopify - 11 upvotes, $0
- Broken Access Controls to Acronis - 11 upvotes, $0
- Blind Stored XSS on ███████ leads to takeover admin account to U.S. Dept Of Defense - 11 upvotes, $0
- Unauthorized Kubernetes to RCE (root) and found TEAMTNT Crypto Miner on it to IBM - 11 upvotes, $0
- User with no Develop apps permission can Uninstall Custom App to Shopify - 11 upvotes, $0
- Reflected XSS on Admin Login Page to TD Bank - 11 upvotes, $0
- PM with can Set up email for invoices and estimates (Access control Issue) to Harvest - 10 upvotes, $250
- Store Admin Page Accessible Without Authentication at http://www.grouplogic.com/ADMIN/store/index.cfm to Acronis - 10 upvotes, $250
- Record payment for any invoice by PM (Access control Issue) to Harvest - 10 upvotes, $100
- leaking Digits OAuth authorization to third party websites to X (Formerly Twitter) - 10 upvotes, $0
- Group admin can remove user from all his groups via API to Nextcloud - 10 upvotes, $0
- Password reset access control to Legal Robot - 10 upvotes, $0
- Improper access control on adding a Register to an Outlet to Vend VDP - 10 upvotes, $0
- Homebrew privilege escalation vulnerability to Homebrew - 10 upvotes, $0
- In Dockerized Environments, Failing to Read config.php Grants Any Anonymous User Full Admin Access to Nextcloud - 10 upvotes, $0
- India - An Insecure Direct Object Reference (IDOR) allowed unauthorized access to view card index number and monetary balance to Starbucks - 10 upvotes, $0
- Head pipeline leaked to unauthorized users via blocking merge request feature to GitLab - 10 upvotes, $0
- unauthorized access to add admin endpoint to Mail.ru - 10 upvotes, $0
- [h1-415 2020] Chain of vulnerabilities leading to account takeover and unauthorized access of sensitive internal resources to h1-ctf - 10 upvotes, $0
- Improper Access Control - Generic on https://████ to U.S. Dept Of Defense - 10 upvotes, $0
- Unauthorized access to admin panel of the Questionmark Perception system at https://██████████ to U.S. Dept Of Defense - 10 upvotes, $0
- Admin audit is not properly logging unsetting of expiration date to Nextcloud - 10 upvotes, $0
- Ability to subscribe to inactive Post+ creators to Automattic - 10 upvotes, $0
- Unauthenticated Access to Admin Panel Functions at https://███████/███ to U.S. Dept Of Defense - 10 upvotes, $0
- [AWC-Pune] - User can download files deleted by Admin using shortcuts to Lark Technologies - 10 upvotes, $0
- Golang : Add Query To Detect PAM Authorization Bugs to GitHub Security Lab - 10 upvotes, $0
- OAuth authorization page vulnerable to clickjacking to Coinbase - 9 upvotes, $5000
- Authenticated but unauthorized users may enumerate Application names via the API to Internet Bug Bounty - 9 upvotes, $2400
- [h1-2102] [Plus] User with Store Management Permission can Make convertUsersFromSaml/convertUsersToSaml - that should be limited to User Management to Shopify - 9 upvotes, $1900
- Relative Path Vulnerability Results in Arbitrary Command Execution/Privilege Escalation to Slack - 9 upvotes, $750
- Unauthorised read Access to Expense Receipt of any user in the company(Vertical Privilege escalation) to Harvest - 9 upvotes, $300
- Ability to add pishing links in discusion ," Bypassing uneductional Links add " to Udemy - 9 upvotes, $0
- Uploading files to a folder where invited user don't have any EDIT privilege to Nextcloud - 9 upvotes, $0
- http://217.20.144.201 privilege escalation in apache tomcat SessionEample-script to ok.ru - 9 upvotes, $0
- Privilege Escalation on a DoD Website to U.S. Dept Of Defense - 9 upvotes, $0
- Privilege escalation - Normal user can somehow make admin to delete shared folders to Nextcloud - 9 upvotes, $0
- Wordpress Vulnerable to Potential Unauthorized Password Reset to Nextcloud - 9 upvotes, $0
- Restricted User is able to edit Alert Conditions of Synthetics Monitors even if Synthetics Permissions is enabled by an admin to New Relic - 9 upvotes, $0
- UniFi Video Server - Broken access control on system configuration to Ubiquiti Inc. - 9 upvotes, $0
- Unauthorized access of Monero wallet by an unprivileged process to Monero - 9 upvotes, $0
- Stored XSS (Hexo-admin plugin) to Node.js third-party modules - 9 upvotes, $0
- UniFi Video Server web interface admin user Firmware Update path traversal leading to local system compromise to Ubiquiti Inc. - 9 upvotes, $0
- Unauthorised access to pagespeed global admin at https://webtools.paloalto.com/ to Palo Alto Software - 9 upvotes, $0
- Unauthorized user is able to access schedule pipeline variables and values to GitLab - 9 upvotes, $0
- Server Side Request Forgery in 'Jabber settings' in Admin Control Panel to phpBB - 9 upvotes, $0
- Reflected XSS on cz.acronis.com/dekujeme-za-odber-novinek-produktu-disk-director with ability to creating an admin user in WordPress to Acronis - 9 upvotes, $0
- Node Installer Local Privilege Escalation to Node.js - 9 upvotes, $0
- Ability to use premium templates as free user via https://stripo.email/templates/?utm_source=viewstripo&utm_medium=referral to Stripo Inc - 9 upvotes, $0
- Unauthorized access to Argo dashboard on █████ to U.S. Dept Of Defense - 9 upvotes, $0
- Airflow Daemon Mode Insecure Umask Privilege Escalation to Internet Bug Bounty - 8 upvotes, $2400
- Ability to view monitor names of other NR accounts through internal API (v3) via "monitor_id" parameter to New Relic - 8 upvotes, $2000
- Unauthorized access to all the actions of invoices by PM (Access control Issues) to Harvest - 8 upvotes, $150
- Project Manager can approve pending reports(Access control Issue) to Harvest - 8 upvotes, $150
- Possibility to force an admin to install recommended applications to Nextcloud - 8 upvotes, $100
- Moderator can enable cam/mic remotely if cam/mic-permission was disabled while user has activated cam/mic to Nextcloud - 8 upvotes, $100
- Ability to see common response titles of other teams (limited) to HackerOne - 8 upvotes, $0
- Users with member privilege are able to see emails and membership information of other users to WakaTime - 8 upvotes, $0
- Improper access control lead To delete anyone comment to Paragon Initiative Enterprises - 8 upvotes, $0
- Bypass of my two other reports #267636 + #255894 - (IDOR) Ability to see full name associated with other New Relic accounts to New Relic - 8 upvotes, $0
- Drupal admin takeover via install.php not being performed prior to install. to New Relic - 8 upvotes, $0
- Stored self-xss and its escalation to a victim account in e.mail.ru to Mail.ru - 8 upvotes, $0
- H1514 Wholesale customer without checkout permission can complete purchases to Shopify - 8 upvotes, $0
- Broken access control on apps to Rocket.Chat - 8 upvotes, $0
- Access control bypass leads to domain information disclosure to Vercel - 8 upvotes, $0
- Container scanning and Dependency scanning report leaked to unauthorized users to GitLab - 8 upvotes, $0
- UniFi Video v3.10.1 (Windows) Local Privileges Escalation to SYSTEM from arbitrary filedelete and DLL hijack vulnerabilities. to Ubiquiti Inc. - 8 upvotes, $0
- UniFi Video web interface Configuration Restore user privilege escalation to Ubiquiti Inc. - 8 upvotes, $0
- Stocky App Administrator can create a backdoor admin account by using an existing POS User to Shopify - 8 upvotes, $0
- [api.my.games/social/chat/multi/add] Privilege escalation on adding new members to group chat to Mail.ru - 8 upvotes, $0
- Privilege Escalation in Point Of Sale Application from POS Manage Staff Role to potentially Store Owner to Shopify - 8 upvotes, $0
- [Fixed] KIS for macOS is vulnerable to AV bypass due to improper client authorization on XPC service to Kaspersky - 8 upvotes, $0
- Unauthorized Access to Internal Server Panel without Authentication to U.S. Dept Of Defense - 8 upvotes, $0
- Unauthenticated phpinfo()files could lead to ability file read at █████████ [HtUS] to U.S. Dept Of Defense - 8 upvotes, $0
- Stored XSS in drive.uber.com WordPress admin panel to Uber - 7 upvotes, $2000
- [idor] Profile Admin can pin any other user's post on his stream wall to Pornhub - 7 upvotes, $750
- H1514 Ability to Edit Packaging Slip Templates and View Product & Shipping Information by a low privileged staff in a Sandbox Store to Shopify - 7 upvotes, $500
- Improper access control allows sales only user to view bank balance of company accounts. to Visma Public - 7 upvotes, $100
- XSS in Acronis Cloud Manager Admin Portal to Acronis - 7 upvotes, $100
- Weird Bug - Ability to see partial of other user's notification to HackerOne - 7 upvotes, $0
- XSS in Draft Orders in Timeline i SHOPIFY Admin Site! to Shopify - 7 upvotes, $0
- Exposed Access Control Data Backup Files on DoD Website to U.S. Dept Of Defense - 7 upvotes, $0
- Bypass file access control vulnerability on a DoD website to U.S. Dept Of Defense - 7 upvotes, $0
- Extract Billing admin email address using random team id to Dashlane - 7 upvotes, $0
- Bypassing Access control, changing owner's name in a private leaderboard to WakaTime - 7 upvotes, $0
- Stored XSS on Admin Access Page - Email field to Revive Adserver - 7 upvotes, $0
- Authorization issue on 'valtakirjat' (/e2/verkkopalvelu/) to LocalTapiola - 7 upvotes, $0
- Authorization Token is Not expiring After Logout to Passit - 7 upvotes, $0
- Weak credentials, Blind SQLi, Timing attack, that leads to web admin access to 50m-ctf - 7 upvotes, $0
- Unauthorized command execution in Web protection component of Anti-Virus products family [FF, Chrome] to Kaspersky - 7 upvotes, $0
- Privilege escalation from member user ( editor ) to admin user to Qulture.Rocks - 7 upvotes, $0
- [H1-2006 2020] From multiple vulnerabilities to complete ATO on any customer account and staff admin to h1-ctf - 7 upvotes, $0
- Local Privilege Escalation on Dropbox Desktop for Windows to Dropbox - 7 upvotes, $0
- Improper authorization on /api/as/v1/credentials/ allows any App Search user to access all API keys and escalate privileges to Elastic - 7 upvotes, $0
- Unauthorized access to choice.av.ru control panel to Azbuka Vkusa - 7 upvotes, $0
- Improper Access Control in Ali Express Importer to Judge.me - 7 upvotes, $0
- Upload and delete files in debug page without access control. to U.S. Dept Of Defense - 7 upvotes, $0
- Python : Add query to detect PAM authorization bypass to GitHub Security Lab - 7 upvotes, $0
- The use of proto in process.mainModule.proto.require() bypasses the permission system in Node v19.6.1 to Node.js - 7 upvotes, $0
- Privilege Escalation - A MEMBER with no ACCESS to ORDERS can still access the orders by using Order Printer APP to Shopify - 6 upvotes, $1000
- ability to retrieve a user's phone-number/email for a given inviteCode to Uber - 6 upvotes, $1000
- Privilege escalation possible in dovecot when similar passdbs are used to Open-Xchange - 6 upvotes, $900
- An administrator without any permission is able to get order notifications using his APNS Token. to Shopify - 6 upvotes, $500
- Staff members with no permission can access to the files, uploaded by the administrator to Shopify - 6 upvotes, $500
- Ability to post comments to a crew even after getting kicked out to Rockstar Games - 6 upvotes, $500
- [Razer Pay] Broken Access Control at /v1/verifyPhone/ allows enumeration of usernames and ID information to Razer - 6 upvotes, $500
- User is able to access and create private synthetics locations without upgrading (regression of #276157) to New Relic - 6 upvotes, $500
- Privilege escalation to root in Pages build image v2 to Cloudflare Public Bug Bounty - 6 upvotes, $350
- Fabric.io: Ex-admin of an organization can delete team members to X (Formerly Twitter) - 6 upvotes, $280
- By pass admin panel [seminars.mail.ru] to Mail.ru - 6 upvotes, $150
- Ability to edit the address of any company by its id on [corporate.city-mobil.ru] to Mail.ru - 6 upvotes, $150
- Access admin interface via bad credentials to Mail.ru - 6 upvotes, $150
- API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass to Vimeo - 6 upvotes, $0
- Ability to collect users' ids that have visited a specific web page with malicious code to Bumble - 6 upvotes, $0
- Missing access control at password change to Legal Robot - 6 upvotes, $0
- Business Logic Flaw allowing Privilege Escalation to Inflection - 6 upvotes, $0
- Privilege Escalation with Session Hijacking Having a Non-privileged Valid User to Ubiquiti Inc. - 6 upvotes, $0
- File access control rules not enforced on image files to Nextcloud - 6 upvotes, $0
- [express-cart] Customer and admin email enumeration through MongoDB injection to Node.js third-party modules - 6 upvotes, $0
- Default page exposes admin functions and all metods and classes available. on https://██████/█████/dwr/index.html to U.S. Dept Of Defense - 6 upvotes, $0
- Admin Salt Leakage on DoD site. to U.S. Dept Of Defense - 6 upvotes, $0
- Authorization for wp-admin directory are vulnerable to brute force. to Stripo Inc - 6 upvotes, $0
- [Critical] Insufficient Access Control On Registration Page of Webapps Website Allows Privilege Escalation to Administrator to U.S. Dept Of Defense - 6 upvotes, $0
- Ability to run monitors' jobs of other accounts and to read these jobs content (including the secure credentials values) to New Relic - 6 upvotes, $0
- access permission is not revoked even if the email has been deleted or changed on the partner account -partners.shopify- to Shopify - 6 upvotes, $0
- Unauthorized Use of Victim Credit Card to Yelp - 6 upvotes, $0
- Admin web sessions remain active after logout of Shopify ID to Shopify - 6 upvotes, $0
- The Host Authorization middleware in Action Pack is vulnerable to crafted X-Forwarded-Host values to Internet Bug Bounty - 6 upvotes, $0
- Acronis True Image Local Privilege Escalation Due To Race Condition In Application Verification to Acronis - 6 upvotes, $0
- CPP: Pam Authorization Bypass to GitHub Security Lab - 6 upvotes, $0
- Adobe ColdFusion Access Control Bypass - CVE-2023-38205 to U.S. Dept Of Defense - 6 upvotes, $0
- Proxy-Authorization header not cleared on cross-origin redirect in undici.request to Node.js - 6 upvotes, $0
- Unauthorized access to all collections, products, pages from other stores to Shopify - 5 upvotes, $2500
- CPP: Add query for CWE-266 Incorrect Privilege Assignment to GitHub Security Lab - 5 upvotes, $1800
- Admin panel access restrictions bypass [poll.mail.ru/admin/] to Mail.ru - 5 upvotes, $500
- Ability to delete projects from Archived companies (Read only version) to Visma Public - 5 upvotes, $100
- Stored XSS from ticket messages in admin table in SupportFlow to Ian Dunn - 5 upvotes, $50
- Team Member(s) associated with a Group have Read-only permission (Post internal comments) can post comment to all the participants to HackerOne - 5 upvotes, $0
- Can message users without the proper authorization to Vimeo - 5 upvotes, $0
- Privilege Escalation in Default Notification Preferences to New Relic - 5 upvotes, $0
- Incorrect Permission Assignment for Critical Resource to MariaDB - 5 upvotes, $0
- [██████████] Unauthorized access to admin panel to U.S. Dept Of Defense - 5 upvotes, $0
- Improper Access Control in Buddypress core allows reply,delete any user's activity to WordPress - 5 upvotes, $0
- Default Creds Spring Boot Admin to 8x8 - 5 upvotes, $0
- Improper Access Controls Allow PII Leak via ████ to U.S. Dept Of Defense - 5 upvotes, $0
- Misconfigured AWS S3 bucket leaks senstive data such of admin, Prdouction,beta, localhost and many more directories.... to U.S. Dept Of Defense - 5 upvotes, $0
- Local Privilege Escalation in anti_ransomware_service.exe via quarantine to Acronis - 5 upvotes, $0
- Privilege Escalation leads to trash other users comment without having admin rights. to Basecamp - 5 upvotes, $0
- Improper Access Control on Media Wiki allows an attackers to restart installation on DoD asset to U.S. Dept Of Defense - 5 upvotes, $0
- Ability to control the filename when uploading a logo or favicon on theming to Nextcloud - 5 upvotes, $0
- Mute User can disclose private channel members to unauthorized users to Rocket.Chat - 5 upvotes, $0
- UnAuthorized Editorial Publishing to Blogs to Phabricator - 4 upvotes, $300
- Restricted user is able to delete filter sets of admin users in https://infrastructure.newrelic.com/accounts/{{ACC#}}/settings/filterSets to New Relic - 4 upvotes, $250
- Unauthorized access to attachments details of Private Calendar appointments (Access control issue) to Open-Xchange - 4 upvotes, $200
- Conversation API Leaks Details Of UnAuthorized Conversations to Vanilla - 4 upvotes, $150
- Admin panel of http://tp-test1.corp.mail.ru/ is acccessible publicly to Mail.ru - 4 upvotes, $0
- No authorization required in iOS device web-application to Coinbase - 4 upvotes, $0
- Privilege Escalation In Moniter to New Relic - 4 upvotes, $0
- Admin panel take over | User info leakage | Mass Comprimise to U.S. Dept Of Defense - 4 upvotes, $0
- Privilege Escalation in BuddyPress core allows Moderate to Administrator to WordPress - 4 upvotes, $0
- app.lemlist.com : Admin Panel Access to lemlist - 4 upvotes, $0
- Ability to buy PRO subscriptions by arbitrary reduced prices to New Relic - 4 upvotes, $0
- Grafana Improper authorization to Kubernetes - 4 upvotes, $0
- [mattermost.com] CORS Misconfiguration leakage of admin users to Mattermost - 4 upvotes, $0
- DoS due to improper input validation can break the admin access into the user data will disallow him from editing that user's data. to Nextcloud - 4 upvotes, $0
- Man in the middle leading to root privilege escalation using hostNetwork=true (CAP_NET_RAW considered harmful) to Kubernetes - 4 upvotes, $0
- A member-member privilege could access the https://console.rockset.com/billing?tab=payment page even though the billing page is hidden from the menu. to Rockset - 4 upvotes, $0
- Broken access control, can lead to legitimate user data loss to U.S. Dept Of Defense - 4 upvotes, $0
- Unauthorized Access - downgraded admin roles to none can still edit projects through brupsuite to Omise - 4 upvotes, $0
- fabric.io - app member can make himself an admin to X (Formerly Twitter) - 3 upvotes, $1400
- Shop admin can change external login services to Shopify - 3 upvotes, $1000
- Get analytics token using only apps permission to Shopify - 3 upvotes, $1000
- User Access Control Bypass Via Razer elevated service ( RzKLService.exe ) which loads exe in misconfigured way. to Razer - 3 upvotes, $750
- Twitter Ads Campaign information disclosure through admin without any authentication. to X (Formerly Twitter) - 3 upvotes, $560
- Unauthorized access to any Store Admin's First & Last name to Shopify - 3 upvotes, $500
- First & Last Name Disclosure of any Shopify Store Admin to Shopify - 3 upvotes, $500
- Missing authorization check on dashboard overviews to Shopify - 3 upvotes, $500
- An administrator without the 'Settings' permission is able to see payment gateways to Shopify - 3 upvotes, $500
- Critical : View/Edit access to private appointments of calendar folder by read only user (Vertical privilege escalation) to Open-Xchange - 3 upvotes, $200
- By pass admin panel [conference.mail.ru] to Mail.ru - 3 upvotes, $150
- Access control on https://eaccounting.stage.vismaonline.com/ to Visma Public - 3 upvotes, $100
- privilege escalation to Automattic - 3 upvotes, $0
- Metadata in hosted files is disclosing Usernames, Printers, paths, admin guides. emails to QIWI - 3 upvotes, $0
- CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to Videos of Channel whose privacy is set to Private. to Vimeo - 3 upvotes, $0
- The POS Firmware is leaking the root Password which can be used for unauthorized access to the device. to Shopify - 3 upvotes, $0
- Staff members with no permission to access domains can access them. to Shopify - 3 upvotes, $0
- Privilege escalation and circumvention of permission to limited access user to Shopify - 3 upvotes, $0
- Missing Function Level Access Control in /cindex.php/widget/customize/ to Bookfresh - 3 upvotes, $0
- Business/Functional logic bypass: Remove admins from admin group. to Nextcloud - 3 upvotes, $0
- No authorization required in Windows phone web-application to Coinbase - 3 upvotes, $0
- Basic Authorization over HTTP to New Relic - 3 upvotes, $0
- xss for admin of https://newsletter.nextcloud.com to Nextcloud - 3 upvotes, $0
- API Does Not Apply Access Controls to Translations to Weblate - 3 upvotes, $0
- UniFi Video v3.2.2 (Windows) Local Privileges Escalation due to weak default install directory ACLs to Ubiquiti Inc. - 3 upvotes, $0
- Privilage escalation with malicious .npmrc to Node.js third-party modules - 3 upvotes, $0
- Unauthorized admission to any team in zeit.co to Vercel - 3 upvotes, $0
- Admin panel of https://www.stellar.org/wp-admin/ to Stellar.org - 3 upvotes, $0
- China - Leaked credentials permitted a limited ability to create Starbucks coupons and cards to Starbucks - 3 upvotes, $0
- Ability to find out the name of the database table and its columns to Mail.ru - 3 upvotes, $0
- Vertical Privilege Escalation on {target.my.com} to Mail.ru - 3 upvotes, $0
- Stored admin-to-owner XSS at infrastructure alerts runbook URL leading to account takeover by malicious admin to New Relic - 3 upvotes, $0
- User Access Control in Community Plan to Doppler - 3 upvotes, $0
- Clickjacking on profile page leading to unauthorized changes to UPchieve - 3 upvotes, $0
- No admin audit entry for enabling/disabling 2FA to Nextcloud - 3 upvotes, $0
- No admin audit log for auth tokens to Nextcloud - 3 upvotes, $0
- Unauthorized access to PII leads to MASS account Takeover to U.S. Dept Of Defense - 3 upvotes, $0
- Incorrect Authorization Checks in /include/findusers.php to ImpressCMS - 3 upvotes, $0
- Default Admin Username and Password on remedysso.mtncameroon.net to MTN Group - 3 upvotes, $0
- Improper Access Control - Generic to Rocket.Chat - 3 upvotes, $0
- OpenSSL engines can be used to bypass and/or disable the permission model to Node.js - 3 upvotes, $0
- fs.openAsBlob() bypasses permission system to Node.js - 3 upvotes, $0
- unauthorized access to all customers first and last name to Shopify - 2 upvotes, $2500
- unauthorized access to all collections name to Shopify - 2 upvotes, $2000
- Fabric.io - an app admin can delete team members from other user apps to X (Formerly Twitter) - 2 upvotes, $1120
- Unauthorized Tweeting on behalf of Account Owners to X (Formerly Twitter) - 2 upvotes, $420
- Possibly big authorization problem in Lähitapiola's varainhoito to LocalTapiola - 2 upvotes, $400
- Phabricator Diffusion application allows unauthorized users to delete mirrors to Phabricator - 2 upvotes, $300
- Team admin can add billing contacts to Slack - 2 upvotes, $200
- Team admin can change unauthorized team setting (require_at_for_mention) to Slack - 2 upvotes, $200
- Team admin can change unauthorized team setting (allow_message_deletion) to Slack - 2 upvotes, $100
- Abusing daemon logs for Privilege escalation under certain scenarios to Phabricator - 2 upvotes, $0
- privilege escalation to Mavenlink - 2 upvotes, $0
- Creating Unauthorized Audience Lists to X (Formerly Twitter) - 2 upvotes, $0
- Ability to Download Music Tracks Without Paying (Missing permission check on /musicstore/download) to Vimeo - 2 upvotes, $0
- iOS App can establish Facetime calls without user's permission to X (Formerly Twitter) - 2 upvotes, $0
- XSS in myshopify.com Admin site in TAX Overrides to Shopify - 2 upvotes, $0
- Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS to Shopify - 2 upvotes, $0
- XSS in Myshopify Admin Site in DISCOUNTS to Shopify - 2 upvotes, $0
- Prevent Shop Admin From Seeing his Installed Apps / Install Persistent Unremovable App to Shopify - 2 upvotes, $0
- Privilege escalation vulnerability to Shopify - 2 upvotes, $0
- Login Hints on Admin Panel to Nextcloud - 2 upvotes, $0
- Missing function level access controls allowing attacker to abuse file access controls. Multiple vulnerabilities to Zendesk - 2 upvotes, $0
- Unauthorized Access to New Relic - 2 upvotes, $0
- Improper access control when an added email address is deleted from authentication to Weblate - 2 upvotes, $0
- Session Duplication due to Broken Access Control to WakaTime - 2 upvotes, $0
- Brave: Admin Panel Access to Brave Software - 2 upvotes, $0
- Missing Certificate Authority Authorization rule to Gratipay - 2 upvotes, $0
- Privilege Escalation in Share Report to New Relic - 2 upvotes, $0
- [babel.mail.ru] Admin Page Found to Mail.ru - 2 upvotes, $0
- Roundcube virtualmin privilege escalation (CVE-2017-8114) to Internet Bug Bounty - 2 upvotes, $0
- Bruteforce in admin panel to Nextcloud - 2 upvotes, $0
- Admin Login Credential Leak for DoD Gitlab EE instance to U.S. Dept Of Defense - 2 upvotes, $0
- Improper access control leading to deletion of Greeting videos on {https://smtp.8mar.mail.ru/} to Mail.ru - 2 upvotes, $0
- Secure credentials values disclosure to regular users due to access control issue in monitor creating function to New Relic - 2 upvotes, $0
- Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation to Shopify - 2 upvotes, $0
- Improper access control to messages of Social app to Nextcloud - 2 upvotes, $0
- Authorization bypass -> IDOR -> PII Leakage to U.S. Dept Of Defense - 2 upvotes, $0
- Privilege Escalation at invite feature @hackpad.com to Dropbox Acquisitions - 1 upvotes, $729
- Unauthorized Access via Join Email Link to WePay - 1 upvotes, $100
- Deleting groups in any project without permission to Localize - 1 upvotes, $0
- Making groups in any project without permission to Localize - 1 upvotes, $0
- Authorization issue on creative.yahoo.com to Yahoo! - 1 upvotes, $0
- Infrastructure and Application Admin Interfaces (OWASP‐CM‐007) to Yahoo! - 1 upvotes, $0
- Injection via CSV Export feature in Admin Orders to Shopify - 1 upvotes, $0
- Privilege escalation to allow non activated users to login and use uber partner ios app to Uber - 1 upvotes, $0
- Unauthorized file (invoice) download to Uber - 1 upvotes, $0
- No permission set on Activities [Android App] to Nextcloud - 1 upvotes, $0
- User enumeration in wp-admin to Ian Dunn - 1 upvotes, $0
- CSRF - Regenerate all admin api keys to New Relic - 1 upvotes, $0
- BruteForce in to Admin Account to Nextcloud - 1 upvotes, $0
- Unauthorized access to the slack channel via inside.gratipay.com/appendices/chat to Gratipay - 1 upvotes, $0
- Missing Certificate Authority Authorization rule to Gratipay - 1 upvotes, $0
- Reflected XSS in admin settings to Deconf - 1 upvotes, $0
- No Access Control to Lob - 1 upvotes, $0
- [expressjs-ip-control] Whitelist IP bypass leads to authorization bypass and sensitive info disclosure to Node.js third-party modules - 1 upvotes, $0
- Proxy-Authorization header carried to a new host on a redirect to curl - 1 upvotes, $0
- Horizontal Privilege Escalation to WePay - 0 upvotes, $350
- [https://test1.owncloud.com/owncloud6/] Guessable password used for admin user to ownCloud - 0 upvotes, $0
- Ubuntu 12.04 Privilege Escalation to Nextcloud - 0 upvotes, $0
- Limited access to billing dashboard by Admin and Collaborator in conflict with user role permissions. to Doppler - 0 upvotes, $0
- Misconfiguration Certificate Authority Authorization Rule to Sifchain - 0 upvotes, $0