Starbucks - HackerOne Reports
Total Reports: 128 | Critical: 20 | High: 39 | Medium: 41 | Low: 21
Reflected XSS on card.starbucks.com.sg/unsub.php via the 'ct' Parameter
Reported by: gnux | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Reflected

Thailand - a small number of SMB CCTV footage backup servers were accessible without authentication.
Reported by: radosec | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic

Unable to register in starbucks IN app
Reported by: ashishag29 | Disclosed: | Severity: Low | Weakness: Uncontrolled Resource Consumption

PHPinfo page
Reported by: linkks | Disclosed: | Severity: Low | Weakness: Information Disclosure

Time-based Blind SQLi on news.starbucks.com
Reported by: toctou | Disclosed: | Severity: High | Weakness: SQL Injection

csrf blogs.starbucks.com
Reported by: w2w | Disclosed: | Weakness: Cross-Site Request Forgery (CSRF)

Lack of Controls Allowing for Card and PIN Enumeration Leading to Fraud
Reported by: kylecolson | Disclosed: | Severity: High

Bug in GraphQL and API integration leads to limited user address disclosure
Reported by: loxiran | Disclosed: | Severity: High | Weakness: Improper Access Control - Generic

Singapore - IDOR in campaign.starbucks.com.sg
Reported by: bytebunny | Disclosed: | Severity: Medium | Weakness: Insecure Direct Object Reference (IDOR)

Cross-Site Scripting (XSS) on www.starbucks.com | .co.uk login pages
Reported by: cdl | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Generic

Default credentials for the temporary POC site alipoc.stg.starbucks.com.cn permitted WAF bypass and RCE
Reported by: b006e4ea768a5d1b5340969 | Disclosed: | Severity: Medium | Weakness: OS Command Injection

DOM XSS on teavana.com via "pr_zip_location" parameter
Reported by: fizhimchik | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Generic

svcardproxydevus.starbucks.com Subdomain take over
Reported by: txt3rob | Disclosed: | Severity: High | Weakness: Improper Access Control - Generic

Password Change not notified when changed from settings
Reported by: karthik87mit | Disclosed: | Severity: Medium | Weakness: Unverified Password Change

Singapore - Unrestricted File Upload Leads to XSS on campaign.starbucks.com.sg/api/upload
Reported by: ko2sec | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored

athome.starbucks.com - URL parameter tampering of review forms permitted possible content injection
Reported by: jackb898 | Disclosed: | Severity: Medium | Weakness: Improper Input Validation

Parameter Manipulation allowed for editing the shipping address for other user’s teavana.com subscriptions.
Reported by: meals | Disclosed: | Weakness: Improper Authentication - Generic

Parameter Manipulation allowed for viewing of other user’s teavana.com orders
Reported by: meals | Disclosed: | Weakness: Improper Authentication - Generic

Korea - LFI via path traversal at https://msr.istarbucks.co.kr:6443/appif/
Reported by: iampuky | Disclosed: | Severity: Critical | Weakness: Path Traversal

Open Redirect on Greater Asia domains
Reported by: l00ph0le | Disclosed: | Severity: Low | Weakness: Open Redirect
Page 1 of 7