漏洞赏金情报

数据来源：HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告，按严重程度、漏洞类型或目标项目筛选，关联 CVE 编号。

已披露报告

12,245

关联 CVE

1,864

参与项目数

343

近 7 天新增

23

严重度: All Critical High Medium Low

类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Stored XSS in https://app.mopub.com

X / xAI Cross-site Scripting (XSS) - Stored (CWE-79)

Medium

2019-12-17

Lack of input validation and sanitization in react-autolinker-wrapper library causes XSS

Node.js third-party modules Cross-site Scripting (XSS) - Generic (CWE-79)

Medium

2019-12-15

De-anonymization Attack: Cross Site Information Leakage

Imgur Information Disclosure (CWE-200)

Medium

2019-12-14

Blocked user Git access through CI/CD token

GitLab Improper Access Control - Generic (CWE-284)CVE-2019-15589

Medium

2019-12-13

ActiveStorage throws exception when using whitespace as filename, may lead to denial of service of multiple pages

HackerOne Uncontrolled Resource Consumption (CWE-400)

Medium

2019-12-13

`rgb2hex` is vulnerable to ReDoS when parsing crafted invalid colors

Node.js third-party modules Uncontrolled Resource Consumption (CWE-400)

Medium

2019-12-13

Container scanning and Dependency scanning report leaked to unauthorized users

GitLab Improper Access Control - Generic (CWE-284)CVE-2019-15591 CVE-2017-18269 CVE-2017-16997 CVE-2018-1000001 CVE-2016-10228 CVE-2018-18520 CVE-2010-4052 CVE-2018-16869 CVE-2018-18311 CVE-2014-3488 CVE-2017-12794 CVE-2018-1000201

Medium

2019-12-13

Reflected XSS on card.starbucks.com.sg/unsubRevert.php via the 'ct' Parameter

Starbucks Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2019-12-12

Reflected XSS on card.starbucks.com.sg/unsub.php via the 'ct' Parameter

Starbucks Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2019-12-12

India - An Insecure Direct Object Reference (IDOR) allowed unauthorized access to view card index number and monetary balance

Starbucks Insecure Direct Object Reference (IDOR) (CWE-639)

Medium

2019-12-12

Persistent XSS on favorite via filename

Nextcloud Cross-site Scripting (XSS) - Stored (CWE-79)

Medium

2019-12-12

Server-Side request forgery in New-Subscription feature of the calendar app

Nextcloud Server-Side Request Forgery (SSRF) (CWE-918)CVE-2020-8118

Medium

2019-12-12

CSS injection in avito.ru via IE11

Avito Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2019-12-12

Shopify Stocky App OAuth Misconfiguration

Shopify Privilege Escalation (CAPEC-233)

Medium

2019-12-11

Failure to Invalid Session after Password Change

Omise Insufficient Session Expiration (CWE-613)

Medium

2019-12-08

Information Disclosure when /invitations/<token>.json is not yet accepted

HackerOne Information Disclosure (CWE-200)

Medium

2019-12-06

Unauthenticated reflected XSS in preview_as_user function

Concrete CMS Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2019-12-06

Path traversal in https://www.npmjs.com/package/http_server via symlink

Node.js third-party modules Path Traversal (CWE-22)CVE-2019-15600

Medium

2019-12-04

Password Reset Link not expiring after changing the email Leads To Account Takeover

Imgur Improper Authentication - Generic (CWE-287)

Medium

2019-12-03

GraphQL query "namespace" leaks data

GitLab Improper Access Control - Generic (CWE-284)

Medium

2019-12-03

高频漏洞类型

最活跃项目

项目	报告数	最高赏金
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	$2,257
HackerOne	609	—
Nextcloud	584	—
Shopify	464	—
curl	457	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	—