8x8 Bounty - HackerOne Reports
18 total reports: 1 Critical, 8 High, 4 Medium, 5 Low
admin.8x8.vc: Member users with no permission can integrate email to connect calendar via GET /meet-external/spot-roomkeeper/v1/calendar/auth/init?..
Reported by: emperor | Disclosed | Severity: High | Weakness: Improper Access Control - Generic

Jitsi: Attacker is able to cast a vote using the Victim's name on the Polls
Reported by: xsky | Disclosed | Severity: Low

connect.8x8.com: Users with no permission can track/access restricted details/data via GET /api/v2/support/requests/<ticket number> HTTP/2
Reported by: emperor | Disclosed | Severity: High | Weakness: Information Disclosure

Stored XSS at https://█.8x8.com/api/█/ID
Reported by: pentestor | Disclosed | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $1337.00

connect.8x8.com: deactivated users retain access to /api/v1/users/UUID/roles
Reported by: emperor | Disclosed | Severity: High | Weakness: Improper Access Control - Generic

jaas.8x8.vc: Removed users can still have READ/WRITE access to the workspace via different API endpoints
Reported by: emperor | Disclosed | Severity: High | Weakness: Improper Access Control - Generic

Any meeting chat history can be read and modified by an arbitrary user
Reported by: pmnh | Disclosed | Severity: Critical | Weakness: Incorrect Authorization | Bounty: $1337.00

Open Redirect via Non-Latin Subdomain in vcc-*.8x8.com/AGUI/█.php
Reported by: pentestor | Disclosed | Severity: Low | Weakness: Open Redirect | Bounty: $100.00

█.8x8.vc/index.js: Exposed Google Maps API Key Allowing Potential Abuse of Paid Services
Reported by: abdallasamir12 | Disclosed | Severity: Medium | Weakness: Information Disclosure | Bounty: $500.00

Open TURN relay abuse is possible due to lack of peer access control (Critical)
Reported by: sandrogauci | Disclosed | Severity: High | Weakness: Server-Side Request Forgery (SSRF) | Bounty: $700.00

Jitsi Desktop Client RCE By Interacting with Malicious URL Schemes on Windows
Reported by: ex0dus-0x | Disclosed | Severity: High | Weakness: OS Command Injection | Bounty: $777.00

connect.8x8.com: Too much resource consumption of the server due to incorrect date range control via /api/v1/reports?dateFrom=
Reported by: exhandler | Disclosed | Severity: Low | Weakness: Violation of Secure Design Principles

Jitsi: Bridge Message Spoofing due to Improper JSON Handling leads to Prototype Pollution
Reported by: afewgoats | Disclosed | Severity: Medium | Weakness: Command Injection - Generic

connect.8x8.com: Blind SSRF via /api/v2/chats/image-check allows for Internal Ports scan
Reported by: yassinek3ch | Disclosed | Severity: Medium | Weakness: Server-Side Request Forgery (SSRF)

Dangling DNS Record docs.jitsi.net (unsuccessful GSuite takeover)
Reported by: bababounty99 | Disclosed | Severity: Low | Weakness: Violation of Secure Design Principles

Information Disclosure of metrics fax.wavecell.com/metrics
Reported by: kauenavarro | Disclosed | Severity: Low | Weakness: Information Disclosure

connect.8x8.com: admin user can send invites on behalf of another admin user via POST /api/v1/users/<User ID>/invites
Reported by: emperor | Disclosed | Severity: High | Weakness: Improper Access Control - Generic

Reflected XSS on 8x8.vc
Reported by: n0x496n | Disclosed | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Reflected