Elastic - HackerOne Reports
Total Reports: 20 (Critical: 6, High: 8, Medium: 5, Low: 1)
blind Server-Side Request Forgery (SSRF) allows scanning internal ports
Reported by: lu3ky-13 | Disclosed: | Severity: Medium | Weakness: Server-Side Request Forgery (SSRF)

[Swiftype] - Stored XSS via document field `url` triggers on `https://app.swiftype.com/engines/<engine>/document_types/<type>/documents/<id>`
Reported by: superman85 | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored

Synthetics Recorder: Code injection when recording website with malicious content
Reported by: dee-see | Disclosed: | Severity: High | Weakness: Code Injection

CVE-2021-40870 on [52.204.160.31]
Reported by: fdeleite | Disclosed: | Severity: Critical | Weakness: Code Injection | CVEs: CVE-2021-40870

Critical || Unrestricted access to private Github repos and properties of Elastic through leaked token of Elastic employee
Reported by: prateek_0490 | Disclosed: | Severity: Critical | Weakness: Cleartext Storage of Sensitive Information

Stored XSS in Elastic App Search
Reported by: iamnoooob | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $2000.00
Remote Code Execution on Cloud via latest Kibana 7.6.2
Reported by: alexbrasetvik | Disclosed: | Severity: Critical | Weakness: Privilege Escalation | Bounty: $10000.00

Over-Privileged API Credentials for Elastic Agent
Reported by: captaingeech | Disclosed: | Severity: Medium | Weakness: Violation of Secure Design Principles | Bounty: $1300.00

Async search stores authorization headers in clear text
Reported by: alexbrasetvik | Disclosed: | Severity: Medium | Weakness: Cleartext Storage of Sensitive Information | Bounty: $1000.00

Stored XSS in TSVB Visualizations Markdown Panel
Reported by: jeremybuis | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored

Fix for CVE-2021-22151 (Kibana path traversal issue) can be bypassed on Windows
Reported by: dee-see | Disclosed: | Severity: Low | Weakness: Path Traversal | CVEs: CVE-2021-22151

Remote Code Execution in coming Kibana 7.7.0
Reported by: alexbrasetvik | Disclosed: | Severity: Critical | Weakness: Privilege Escalation | Bounty: $5000.00
Improper authorization on `/api/as/v1/credentials/` allows any App Search user to access all API keys and escalate privileges
Reported by: dee-see | Disclosed: | Severity: High | Weakness: Improper Access Control - Generic

RCE hazard in reporting (via Chromium)
Reported by: alexbrasetvik | Disclosed: | Severity: Critical | Weakness: Privilege Escalation | Bounty: $10000.00

Default password on 34.120.209.175
Reported by: newspaper | Disclosed: | Severity: Medium | Weakness: Weak Cryptography for Passwords

Prototype Pollution leads to XSS on https://blog.swiftype.com/#__proto__[asd]=alert(document.domain)
Reported by: s1r1u5 | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - DOM

Improper authorization on `/api/as/v1/credentials/` for Dev Role User with Limited Engine Access
Reported by: superman85 | Disclosed: | Severity: High | Weakness: Improper Access Control - Generic

CSRF in AppSearch allows creation of "curations"
Reported by: dee-see | Disclosed: | Severity: Medium | Weakness: Cross-Site Request Forgery (CSRF)

XXE in Enterprise Search's App Search web crawler
Reported by: dee-see | Disclosed: | Severity: Critical | Weakness: XML External Entities (XXE)

Create an account on auth-sandbox.elastic.co with email @elastic.co or any other @domain.com
Reported by: superman85 | Disclosed: | Severity: High | Weakness: Improper Access Control - Generic