Loading HuntDB...

Vulnerability Intelligence by wss.sh

Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News

More Sources

HackerOne Reports

Bug bounty disclosures

WordPress Vulnerabilities

WordPress plugins & themes

Tools & Data

Trending Insights

Popular vulnerabilities

Advanced Search

Filter & search CVEs

Product Inventory

Software & vendors

Sign In Sign Up

Basecamp - HackerOne Reports

View on HackerOne

41

Total Reports

6

Critical

11

High

13

Medium

10

Low

RCE via exposed JMX server on jabber.37signals.com/jabber.basecamp.com

Reported by: ian | Disclosed:

Low

Weakness: Deserialization of Untrusted Data

Bounty: $100.00

HTTP request smuggling on Basecamp 2 allows web cache poisoning

Reported by: hazimaslam | Disclosed:

Critical

Weakness: HTTP Request Smuggling

Remote code execution on Basecamp.com

Reported by: gammarex | Disclosed:

Critical

Weakness: Command Injection - Generic

Bounty: $5000.00

CVEs: CVE-2017-8291

Error Page Content Spoofing or Text Injection

Reported by: princej_76 | Disclosed:

Low

Weakness: Violation of Secure Design Principles

Bounty: $100.00

com.basecamp.bc3 Webview Javascript Injection and JS bridge takeover

Reported by: fr4via | Disclosed:

High

Weakness: Cross-site Scripting (XSS) - DOM

Improper Cache Handling Allows Access to Post-Logout Pages

Reported by: victim_of_life | Disclosed:

Low

Weakness: Improper Access Control - Generic

a very long name in hey.com can prevent anyone from accessing their contacts and probably can cause denial of service

Reported by: tw4v3sx | Disclosed:

High

Weakness: Uncontrolled Resource Consumption

Bounty: $1000.00

SSL expired subdomain leads to API swap with main and flagged cookies. Unable to log device ids and certain session tokens.

Reported by: babykeem | Disclosed:

Medium

Weakness: Improper Restriction of Authentication Attempts

Bypass of image rewriting / tracking blocker via srcset

Reported by: foobar7 | Disclosed:

Medium

Weakness: Information Disclosure

Bounty: $1000.00

Path traversal in deeplink query parameter can expose any user's private info to a public directory (one click)

Reported by: fr4via | Disclosed:

Medium

Weakness: Path Traversal

Insecure Bundler configuration fetching internal Gems (okra) from Rubygems.org

Reported by: zofrex | Disclosed:

High

Weakness: Command Injection - Generic

Bounty: $5000.00

Information Disclosure .htaccess accesible for public

Reported by: aloneh1 | Disclosed:

Low

Privilege Escalation leads to trash other users comment without having admin rights.

Reported by: fuzzsqlb0f | Disclosed:

Low

Weakness: Privilege Escalation

Lack of quarantine macOS attribute(com.apple.quarantine) leads multiple issues including RCE

Reported by: hensis | Disclosed:

Medium

Bounty: $250.00

Mutation Based Stored XSS on Trix Editor version latest (2.1.8)

Reported by: sudi | Disclosed:

Critical

HTTP Request Smuggling via HTTP/2

Reported by: neex | Disclosed:

Critical

Weakness: HTTP Request Smuggling

Bounty: $7500.00

Information Disclosure of Garbage Collection Cycle

Reported by: ahmd_halabi | Disclosed:

Low

Weakness: Information Disclosure

DNS Setup allows sending mail on behalf of other customers

Reported by: aisforarray | Disclosed:

Medium

Weakness: Violation of Secure Design Principles

Stored XSS on trix editor version 2.1.1

Reported by: thwin_htet | Disclosed:

High

Weakness: Cross-site Scripting (XSS) - Stored

Bounty: $1000.00

CVEs: CVE-2024-34341

User can upload files even after closing his account

Reported by: h4x0r_dz | Disclosed:

Weakness: Improper Authentication - Generic

Page 1 of 3 Next