漏洞赏金情报

数据来源：HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告，按严重程度、漏洞类型或目标项目筛选，关联 CVE 编号。

已披露报告

12,262

关联 CVE

1,866

参与项目数

343

近 7 天新增

0

严重度: All Critical High Medium Low

类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 654 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Stored XSS in intensedebate.com via the Comments RSS

Medium

2022-11-02

Cross-Site Request Forgery (CSRF) to xss

MTN Group Cross-Site Request Forgery (CSRF) (CWE-352)

Medium

2022-10-30

Cross-site Scripting (XSS) - Reflected

MTN Group Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2022-10-30

Privilege Escalation to All-staff group

Lark Technologies Improper Access Control - Generic (CWE-284)

Medium

2022-10-28

Jolokia Reflected XSS

Mars Cross-site Scripting (XSS) - Reflected (CWE-79)CVE-2018-1000129

Medium

2022-10-27

CVE-2022-42916: HSTS bypass via IDN

curl Cleartext Transmission of Sensitive Information (CWE-319)CVE-2022-42916

Medium

2022-10-27

Node 18 reads openssl.cnf from /home/iojs/build/... upon startup on MacOS

Node.js Cryptographic Issues - Generic (CWE-310)CVE-2022-32222

Medium

2022-10-26

CVE-2022-32213 bypass via obs-fold mechanic

Node.js HTTP Request Smuggling (CWE-444)CVE-2022-32213

Medium

2022-10-26

HTTP Request Smuggling Due to Incorrect Parsing of Header Fields

Node.js HTTP Request Smuggling (CWE-444)CVE-2022-35256

Medium

2022-10-26

HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (improper fix for CVE-2022-32215)

Node.js HTTP Request Smuggling (CWE-444)CVE-2022-32215

Medium

2022-10-26

Business Logic, currency arbitrage - Possibility to pay less than the price in USD

PortSwigger Web Security Business Logic Errors (CWE-840)

Medium

2022-10-26

Reflected Cross site scripting via Swagger UI

Adobe Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2022-10-25

A malicious admin can be able to permanently disable a Owner(Admin) to access his account

Linktree Insecure Direct Object Reference (IDOR) (CWE-639)

Medium

2022-10-25

IDOR Allows Viewer to Delete Bin's Files

Lark Technologies Improper Access Control - Generic (CWE-284)

Medium

2022-10-24

Viewer is able to leak the previous versions of the file

Lark Technologies Improper Access Control - Generic (CWE-284)

Medium

2022-10-24

Removed user can still view comments on the file/documents.

Lark Technologies Improper Access Control - Generic (CWE-284)

Medium

2022-10-20

Ability to View Non-Permitted Admin Log

Lark Technologies Improper Access Control - Generic (CWE-284)

Medium

2022-10-20

[CSRF] No Csrf protection against sending invitation to join the team.

Lark Technologies Cross-Site Request Forgery (CSRF) (CWE-352)

Medium

2022-10-20

Tomcat Servlet Examples accessible at https://44.240.33.83:38443 and https://52.36.56.155:38443

Stripe Improper Authorization (CWE-285)

Medium

2022-10-19

Fully TaxJar account control and ability to disclose and modify business account settings Due to Broken Access Control in /current_user_data

Stripe Improper Access Control - Generic (CWE-284)

Medium

2022-10-19

高频漏洞类型

最活跃项目

项目	报告数	最高赏金
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	$2,257
HackerOne	609	—
Nextcloud	584	—
Shopify	465	—
curl	464	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$7,000
Uber	239	—