目標達成 すべての支援者に感謝 — 100%達成しました!

目標: 1000 CNY · 調達済み: 1000 CNY

100.0%
コーヒーを一杯おごる

漏洞赏金情报

数据来源:HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告,按严重程度、漏洞类型或目标项目筛选,关联 CVE 编号。

已披露报告
12,219
关联 CVE
1,854
参与项目数
342
近 7 天新增
14
严重度: All CriticalHighMediumLow
类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
项目筛选:rails
Rails::Html::SafeListSanitizer vulnerable to xss attack in an environment that allows the style tag
Ruby on Rails Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2022-32209
Medium
2022-06-14
Subdomain Takeover at https://new.rubyonrails.org/
Ruby on Rails Privilege Escalation (CAPEC-233)
High
2022-03-03
XSS by MathML at Active Storage
Ruby on Rails Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2018-16477
Medium
2021-06-15
HTTP Host injection in redirect_to function
Ruby on Rails Improper Neutralization of HTTP Headers for Scripting Syntax (CWE-644)
Unknown
2021-06-15
Regex Injection from request header (Rack::Sendfile, send_file)
Ruby on Rails Code Injection (CWE-94)
Unknown
2021-06-15
redirect_to(["string"]) remote code execution
Ruby on Rails Information Exposure Through an Error Message (CWE-209)CVE-2021-22885
Low
2021-05-07
Server-side template injection at ujs test server
Ruby on Rails Command Injection - Generic (CWE-77)
None
2021-02-16
HostAuthorization middleware does not suitably sanitize the Host / X-Forwarded-For header allowing redirection.
Ruby on Rails Open Redirect (CWE-601)CVE-2021-22881
Low
2021-02-11
Regular expression denial of service in ActiveRecord's PostgreSQL Money type
Ruby on Rails Uncontrolled Resource Consumption (CWE-400)CVE-2021-22880
Medium
2021-02-11
Open Redirect (6.0.0 < rails < 6.0.3.2)
Ruby on Rails Open Redirect (CWE-601)CVE-2020-8264CVE-2020-8185
High
2020-12-22
XSS by file (Active Storage `Proxying`)
Ruby on Rails Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2020-09-01
The authenticity_token can be reversed and used to forge valid per_form_csrf_tokens for arbitrary routes
Ruby on Rails Cross-Site Request Forgery (CSRF) (CWE-352)CVE-2020-8166
Medium
2020-08-27
Untrusted users able to run pending migrations in production
Ruby on Rails Uncontrolled Resource Consumption (CWE-400)CVE-2020-8185
Medium
2020-07-24
File writing by Directory traversal at actionpack-page_caching and RCE by it
Ruby on Rails Path Traversal (CWE-22)CVE-2020-8159
High
2020-07-13
Rack parses encoded cookie names allowing an attacker to send malicious `__Host-` and `__Secure-` prefixed cookies
Ruby on Rails Reliance on Cookies without Validation and Integrity Checking in a Security Decision (CWE-784)CVE-2020-8184
Low
2020-06-16
CSRF header is sent to external websites when using data-remote forms
Ruby on Rails Cross-Site Request Forgery (CSRF) (CWE-352)CVE-2020-8167CVE-2015-1840
Low
2020-05-26
Untrusted strings that are cache fetched with raw option are automatically marshal loaded
Ruby on Rails Deserialization of Untrusted Data (CWE-502)CVE-2020-8165
High
2020-05-26
ActiveStorage direct upload fails to sign content-length header for S3 service
Ruby on Rails Client-Side Enforcement of Server-Side Security (CWE-602)CVE-2020-8162
Medium
2020-05-18
ActionController::Parameters .each returns an unsafe hash
Ruby on Rails CVE-2020-8164
Medium
2020-05-18
XSS due to incomplete JS escaping
Ruby on Rails Cross-site Scripting (XSS) - Generic (CWE-79)
Low
2020-05-14
高频漏洞类型
最活跃项目
项目报告数最高赏金
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895