Mozilla - HackerOne Reports
Total reports: 70
Critical: 7
High: 5
Medium: 35
Low: 18
HTML Injection / Reflected Cross-Site Scripting with CSP on https://accounts.firefox.com/settings
Reported by: celesian | Disclosed: | Severity: Medium
Weakness: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Bounty: $1000.00
HTML Injection at https://stage.firefoxmonitor.nonprod.cloudops.mozgcp.net/user/unsubscribe
Reported by: avram | Disclosed: | Severity: Low
Weakness: Cross-Site Scripting (XSS)
Bounty: $500.00
Race condition allows adding more than 5 emails at the data breaches monitor system at https://stage.firefoxmonitor.nonprod.cloudops.mozgcp.net
Reported by: sushantd19 | Disclosed: | Severity: Low
Weakness: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Subdomain takeover on one of the subdomains under mozaws.net
Reported by: holybugx | Disclosed: | Severity: Medium
Weakness: Misconfiguration
SQL Injection on prod.oidc-proxy.prod.webservices.mozgcp.net via invite_code parameter - Mozilla social registration
Reported by: supr4s | Disclosed: | Severity: Critical
Weakness: SQL Injection
Exposure of account recovery hint by querying by user email
Reported by: francisconeves97 | Disclosed: | Severity: Low
Weakness: Exposure of Sensitive Information Due to Incompatible Policies
Subdomain takeover on one of the subdomains under mozgcp.net
Reported by: d0xing | Disclosed: | Severity: Medium
Weakness: Misconfiguration
Possibility of defacement through translation tool - www.mozilla.com
Reported by: astrounder | Disclosed: | Severity: Low
Weakness: Information Disclosure
MozillaVPN: Elevation of Privilege via a Race Condition Vulnerability
Reported by: northsea | Disclosed: | Severity: Medium
Weakness: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
User account email in waybackurl indexing
Reported by: kauenavarro | Disclosed: | Severity: Medium
Weakness: Brute Force
Bounty: $1000.00
Bypass "No Links" Restriction in Biography via Protocol-Relative URL (//)
Reported by: yoyomiski | Disclosed: | Severity: Low
Weakness: Improper Input Validation
Information disclosure on password cancel endpoint
Reported by: hackeriron1 | Disclosed: | Severity: Low
Weakness: Information Disclosure
Subdomain takeover on one of the subdomains under mozaws.net
Reported by: d0xing | Disclosed: | Severity: Medium
Weakness: Misconfiguration
Remote code execution and exfiltration of secret tokens by poisoning the mozilla/fxa CI build cache
Reported by: 0x90security | Disclosed: | Severity: Critical
Weakness: Code Injection
Bounty: $8000.00
Netlify Authentication Token Exposed in Public Mozilla CI Logs
Reported by: samirsec0x01 | Disclosed: | Severity: Critical
Weakness: Information Disclosure
Bounty: $1500.00
Exposing Django Debug Panel and Sensitive Infrastructure Information at https://dev.fxprivaterelay.nonprod.cloudops.mozgcp.net
Reported by: aliend89 | Disclosed: | Severity: Low
Weakness: Improper Access Control - Generic
Subdomain takeover on one of the subdomains under mozaws.net
Reported by: mikey96 | Disclosed: | Severity: Medium
Weakness: Improper Resource Shutdown or Release
csrftoken not unique to session or specific user and csrfmiddlewaretoken can be altered
Reported by: bashbdeer | Disclosed: | Severity: Low
Weakness: Cross-Site Request Forgery (CSRF)
Bounty: $500.00
Subdomain takeover on one of the subdomains under mozaws.net
Reported by: holybugx | Disclosed: | Severity: Medium
Weakness: Misconfiguration
Stored XSS on bugzilla.mozilla.org via comment edit feature from non-admin to admin
Reported by: r3dpars3c | Disclosed: | Severity: Low
Weakness: Cross-site Scripting (XSS) - Stored