Lark Technologies - HackerOne Reports
Total Reports: 38 | Critical: 4 | High: 6 | Medium: 26 | Low: 2
In organization stored XSS using location (Larksuite survey app)
Reported by: imran_nisar | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored
Stored XSS on helpdesk using user's city
Reported by: imran_nisar | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored
[IDOR] Modify other team's reminders via reminderId parameter
Reported by: imran_nisar | Disclosed: | Severity: Medium | Weakness: Insecure Direct Object Reference (IDOR)
Able to steal private files by manipulating response using Auto Reply function of Lark
Reported by: imran_nisar | Disclosed: | Severity: High | Weakness: Insecure Direct Object Reference (IDOR)
Reflected XSS on Lark Suite
Reported by: jin0ne | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - DOM
Access to private files of helpdesk.
Reported by: imran_nisar | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic
Ability to View Non-Permitted Admin Log
Reported by: imran_nisar | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic
Viewer is able to leak the previous versions of the file
Reported by: imran0x01 | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic
IDOR Allows Viewer to Delete Bin's Files
Reported by: imran0x01 | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic
Privilege Escalation to All-staff group
Reported by: imran0x01 | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic
Improper generation of access link at go.larksuite.com leads to access to other organizations'/users' private data
Reported by: w2w | Disclosed: | Severity: Medium
Accessing/Editing Folders of Other Users in the Organisation.
Reported by: imran0x01 | Disclosed: | Severity: High | Weakness: Improper Access Control - Generic
Stored XSS in Larksuite internal helpdesk and other users' helpdesk.
Reported by: imran_nisar | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored
RPC Implementation allows unauthenticated remote calls
Reported by: mike12 | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - DOM | Bounty: $1250.00
User with single department permission can view applicant list of all departments
Reported by: imran_nisar | Disclosed: | Severity: Medium | Weakness: Privilege Escalation
Full read SSRF via Lark Docs `import as docs` feature
Reported by: sirleeroyjenkins | Disclosed: | Severity: Critical | Weakness: Server-Side Request Forgery (SSRF) | Bounty: $5000.00
Non-privileged user is able to approve his own app himself, leading to mass privilege escalations.
Reported by: imran_nisar | Disclosed: | Severity: High | Weakness: Privilege Escalation
Attacker is able to join any tenant on larksuite and view personal files/chats.
Reported by: imran_nisar | Disclosed: | Severity: Critical | Weakness: Privilege Escalation