inDrive - HackerOne Reports
Total Reports: 18
Critical: 3
High: 3
Medium: 7
Low: 3
#2 XSS on watchdocs.indriverapp.com
Reported by: maxdha | Disclosed:
Weakness: Cross-site Scripting (XSS) - Reflected
Host Header Injection - internal.qa.delivery.indrive.com
Reported by: sid_x95 | Disclosed:
Severity: Low
Full access to inDrive Jira panel via exposed API token
Reported by: bogdantcaciuc | Disclosed:
Severity: Critical
Weakness: Information Disclosure
Drivers can access the customer's phone number and current location without getting their offer accepted!
Reported by: bugsv2 | Disclosed:
Severity: Medium
Weakness: Information Disclosure
#1 XSS on watchdocs.indriverapp.com
Reported by: maxdha | Disclosed:
Severity: Low
Weakness: Cross-site Scripting (XSS) - Reflected
#3 XSS on watchdocs.indriverapp.com
Reported by: maxdha | Disclosed:
Severity: Low
Weakness: Cross-site Scripting (XSS) - Reflected
Bypassing Garbage Collection with Uppercase Endpoint
Reported by: h1xploit | Disclosed:
Change phone number OTP flaw leads to any phone number takeover
Reported by: polem4rch | Disclosed:
Severity: Critical
Weakness: Business Logic Errors
Bounty: $2000.00
inDriver Job - Admin Approval Bypass
Reported by: mikejohnson_1 | Disclosed:
Severity: Medium
Weakness: Incorrect Authorization
Bounty: $1000.00
SSRF in https://couriers.indrive.com/api/file-storage
Reported by: cypher-28 | Disclosed:
Severity: High
Weakness: Server-Side Request Forgery (SSRF)
Unlimited fake ratings of the passenger in city-to-city rides; affected endpoint `/api/v1/reviews/ride/<ID>/driver`
Reported by: bugsv2 | Disclosed:
Severity: Medium
Weakness: Business Logic Errors
Disclosure of users' IP address whenever they view my freight offer in image preview (without interaction)
Reported by: bugsv2 | Disclosed:
Severity: Medium
Weakness: Information Disclosure
Blind SQL injection on id.indrive.com
Reported by: kristoferent | Disclosed:
Severity: Critical
Weakness: Blind SQL Injection
Bounty: $4134.00
Stored XSS on promo.indrive.com
Reported by: kristoferent | Disclosed:
Severity: Medium
Weakness: Cross-site Scripting (XSS) - Stored
Bounty: $284.00
Rider can forcefully get passenger's order accepted, resulting in multiple impacts including PII reveal and more mentioned in the report.
Reported by: spongebhav | Disclosed:
Severity: High
Weakness: Improper Access Control - Generic
Reflected XSS on media.indrive.com
Reported by: zxwo | Disclosed:
Severity: Medium
Weakness: Cross-site Scripting (XSS) - Reflected
XSS on terra-6.indriverapp.com
Reported by: maxdha | Disclosed:
Severity: Medium
Weakness: Cross-site Scripting (XSS) - Reflected
Brute-forcing the mobile phone verification code to enter the management system at truck-admin.eu-east-1.indriverapp.com
Reported by: trustworthy | Disclosed:
Severity: High
Weakness: Business Logic Errors