漏洞赏金情报

数据来源：HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告，按严重程度、漏洞类型或目标项目筛选，关联 CVE 编号。

已披露报告

12,262

关联 CVE

1,866

参与项目数

343

近 7 天新增

0

严重度: All Critical High Medium Low

类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 654 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

项目筛选：rocket_chat✕

Post-Auth Blind NoSQL Injection in the users.list API leads to Remote Code Execution

Rocket.Chat CVE-2021-22910

High

2021-07-31

Post-Auth Stored XSS with User Interaction leads to Remote Code Execution

Rocket.Chat Cross-site Scripting (XSS) - Stored (CWE-79)

High

2021-06-30

Pre-Auth Blind NoSQL Injection leading to Remote Code Execution

Rocket.Chat CVE-2021-22911

Critical

2021-05-18

Hi! Security Team Rocket.Chat, It's possible to get information about the users emails without authentication

Rocket.Chat Information Disclosure (CWE-200)CVE-2021-22892

Low

2021-04-29

Account takeover via XSS

Rocket.Chat Cross-site Scripting (XSS) - Stored (CWE-79)

Critical

2021-03-31

Stored XSS in any message (leads to priv esc for all users and file leak + rce via electron app)

Rocket.Chat Cross-site Scripting (XSS) - DOM (CWE-79)CVE-2021-22886

High

2021-03-25

Android App Crashes while sending message to users/ on channel

Rocket.Chat Classic Buffer Overflow (CWE-120)

High

2021-03-18

XSS in message attachment fileds.

Rocket.Chat Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2020-8288

Critical

2021-01-17

Session Hijack via Self-XSS

Rocket.Chat Cross-site Scripting (XSS) - DOM (CWE-79)CVE-2020-8292

Medium

2021-01-17

SAML authentication bypass through unauthenticated `addSamlProvider` Meteor Call

Rocket.Chat Improper Access Control - Generic (CWE-284)CVE-2020-29594

Critical

2021-01-08

XSS leads to RCE on the RocketChat desktop client.

Rocket.Chat OS Command Injection (CWE-78)

Critical

2021-01-01

Remote Code Execution in Rocket.Chat-Desktop

Critical

2020-11-07

Desktop app RCE (#276031 bypass)

Rocket.Chat Code Injection (CWE-94)

High

2020-11-05

[Security Vulnerability Rocket.chat] HTML Injection into Email via Signup

Rocket.Chat Code Injection (CWE-94)

Medium

2020-06-24

SAML authentication bypass

Rocket.Chat Improper Authentication - Generic (CWE-287)

High

2020-06-18

account takeover on 3.0.1 version

Rocket.Chat Insecure Direct Object Reference (IDOR) (CWE-639)

Critical

2020-06-14

API Keys Hardcoded in Github repository

Rocket.Chat Use of Hard-coded Credentials (CWE-798)

Medium

2020-04-01

XSS (leads to arbitrary file read in Rocket.Chat-Desktop)

Rocket.Chat Cross-site Scripting (XSS) - Stored (CWE-79)

Low

2020-01-02

Clickjacking in the admin page

Rocket.Chat UI Redressing (Clickjacking) (CAPEC-103)

Low

2020-01-02

Open redirect open.rocket.chat/file-upload/ID/filename.svg

Rocket.Chat Open Redirect (CWE-601)

Medium

2019-10-31

高频漏洞类型

最活跃项目

项目	报告数	最高赏金
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	$2,257
HackerOne	609	—
Nextcloud	584	—
Shopify	465	—
curl	464	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$7,000
Uber	239	—