TOPVIMEO.md

77 lines (73 loc) · 8.93 KB

Top reports from Vimeo program at HackerOne:

  1. SSRF leaking internal google cloud data through upload function [SSH Keys, etc..] to Vimeo - 225 upvotes, $5000
  2. Domain pointing to vimeo portfolio are prone to takeover using on-demand. to Vimeo - 69 upvotes, $1500
  3. Improper Authentication in Vimeo's API 'versions' endpoint. to Vimeo - 52 upvotes, $2000
  4. Reflected File Download (RFD) in download video to Vimeo - 52 upvotes, $700
  5. Watch any Password Video without password to Vimeo - 41 upvotes, $500
  6. Downloading password protected / restricted videos to Vimeo - 40 upvotes, $600
  7. OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing to Vimeo - 28 upvotes, $1000
  8. All Vimeo Private videos disclosure via Authorization Bypass to Vimeo - 28 upvotes, $600
  9. Make API calls on behalf of another user (CSRF protection bypass) to Vimeo - 21 upvotes, $1000
  10. Disclosure of sensitive information through Google Cloud Storage bucket to Vimeo - 21 upvotes, $500
  11. XSS on vimeo.com/home after other user follows you to Vimeo - 16 upvotes, $1500
  12. Images and Subtitles Leakage from private videos to Vimeo - 16 upvotes, $125
  13. CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public to Vimeo - 14 upvotes, $750
  14. URGENT - Subdomain Takeover on status.vimeo.com due to unclaimed domain pointing to statuspage.io to Vimeo - 12 upvotes, $100
  15. Vimeo.com Insecure Direct Object References Reset Password to Vimeo - 7 upvotes, $5000
  16. [vimeopro.com] CRLF Injection to Vimeo - 6 upvotes, $500
  17. Stored XSS on player.vimeo.com to Vimeo - 6 upvotes, $500
  18. XSS when using captions/subtitles on video player based on Flash (requires user interaction) to Vimeo - 6 upvotes, $200
  19. Application XSS filter function Bypass may allow Multiple stored XSS to Vimeo - 6 upvotes, $100
  20. Securing "Reset password" pages from bots to Vimeo - 6 upvotes, $0
  21. Adding profile picture to anyone on Vimeo to Vimeo - 5 upvotes, $1000
  22. XSS on vimeo.com | "Search within these results" feature (requires user interaction) to Vimeo - 5 upvotes, $100
  23. Error page Text Injection. to Vimeo - 5 upvotes, $0
  24. XSS on mobile version of vimeo.com where the button "Follow" appears to Vimeo - 5 upvotes, $0
  25. XSS on player.vimeo.com without user interaction and vimeo.com with user interaction to Vimeo - 4 upvotes, $250
  26. API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass to Vimeo - 3 upvotes, $500
  27. Invite any user to your group without even following him to Vimeo - 3 upvotes, $250
  28. Can message users without the proper authorization to Vimeo - 3 upvotes, $100
  29. Reflected XSS on vimeo.com/musicstore to Vimeo - 3 upvotes, $100
  30. Poodle bleed vulnerability in cloud sub domain to Vimeo - 3 upvotes, $0
  31. Insecure Direct Object References in https://vimeo.com/forums to Vimeo - 2 upvotes, $500
  32. subdomain takeover 1511493148.cloud.vimeo.com to Vimeo - 2 upvotes, $250
  33. A user can add videos to other user's private groups to Vimeo - 2 upvotes, $250
  34. Insecure Direct Object References that allows to read any comment (even if it should be private) to Vimeo - 2 upvotes, $150
  35. CRITICAL full source code/config disclosure for Cameo to Vimeo - 2 upvotes, $100
  36. Missing rate limit on private videos password to Vimeo - 2 upvotes, $0
  37. XSS in Subtitles of Vimeo Flash Player and Hubnut to Vimeo - 2 upvotes, $0
  38. XSS on any site that includes the moogaloop flash player | deprecated embed code to Vimeo - 1 upvotes, $1000
  39. abusing Thumbnails(https://vimeo.com/upload/select_thumb) to see a private video to Vimeo - 1 upvotes, $1000
  40. A user can post comments on other user's private videos to Vimeo - 1 upvotes, $500
  41. Buying ondemand videos that 0.1 and sometimes for free to Vimeo - 1 upvotes, $260
  42. Ability to Download Music Tracks Without Paying (Missing permission check on/musicstore/download) to Vimeo - 1 upvotes, $250
  43. A user can edit comments even after video comments are disabled to Vimeo - 1 upvotes, $250
  44. CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to Videos of Channel whose privacy is set to Private. to Vimeo - 1 upvotes, $250
  45. Vimeo + & Vimeo PRO Unautorised Tax bypass to Vimeo - 1 upvotes, $250
  46. Post in private groups after getting removed to Vimeo - 1 upvotes, $250
  47. A user can enhance their videos with paid tracks without buying the track to Vimeo - 1 upvotes, $250
  48. Stored XSS on vimeo.com and player.vimeo.com to Vimeo - 1 upvotes, $200
  49. Vimeo Search - XSS Vulnerability [http://vimeo.com/search] to Vimeo - 1 upvotes, $100
  50. XSS on Vimeo to Vimeo - 1 upvotes, $100
  51. Private, embeddable videos leaks data through Facebook & Open Graph to Vimeo - 1 upvotes, $100
  52. USER PRIVACY VIOLATED (PRIVATE DATA GETTING TRANSFER OVER INSECURE CHANNEL ) to Vimeo - 1 upvotes, $0
  53. Full account takeover via Add a New Email to account without email verified and without password confirmation. to Vimeo - 1 upvotes, $0
  54. No Limitation on Following allows user to follow people automatically! to Vimeo - 1 upvotes, $0
  55. [URGENT ISSUE] Add or Delete the videos in watch later list of any user . to Vimeo - 0 upvotes, $250
  56. Share your channel to any user on vimeo without following him to Vimeo - 0 upvotes, $250
  57. APIs for channels allow HTML entities that may cause XSS issue to Vimeo - 0 upvotes, $100
  58. ftp upload of video allows naming that is not sanitized as the manual naming to Vimeo - 0 upvotes, $100
  59. Vimeo.com - reflected xss vulnerability to Vimeo - 0 upvotes, $100
  60. player.vimeo.com - Reflected XSS Vulnerability to Vimeo - 0 upvotes, $100
  61. Vimeo.com - Reflected XSS Vulnerability to Vimeo - 0 upvotes, $100
  62. Legacy API exposes private video titles to Vimeo - 0 upvotes, $100
  63. unvalid open authentication with facebook to Vimeo - 0 upvotes, $0
  64. CSRF bypass to Vimeo - 0 upvotes, $0
  65. Brute force on "vimeo" cookie to Vimeo - 0 upvotes, $0
  66. Misconfigured crossdomain.xml - vimeo.com to Vimeo - 0 upvotes, $0
  67. profile photo update bypass to Vimeo - 0 upvotes, $0
  68. Bypassing Email verification to Vimeo - 0 upvotes, $0
  69. May cause account take over (Via invitation page) to Vimeo - 0 upvotes, $0
  70. Open Redirection Security Filter bypassed to Vimeo - 0 upvotes, $0