Starbucks - HackerOne Reports
Total Reports: 128
Critical: 20 | High: 39 | Medium: 41 | Low: 21
CSRF exploit | Adding/editing comments on wishlist items (teavana.com - Wishlist-Comments)
Reported by: faisalahmed | Disclosed: | Severity: Medium | Weakness: Cross-Site Request Forgery (CSRF)
CSRF vulnerability in saving payment card on store.starbucks.com (COBilling - AddCreditCard)
Reported by: codequick | Disclosed: | Severity: Low | Weakness: Cross-Site Request Forgery (CSRF)
CSRF: add item to victim's cart automatically (starbucks.com - updatecart)
Reported by: bughuntermate | Disclosed: | Severity: Medium | Weakness: Cross-Site Request Forgery (CSRF)
Reflected XSS by exploiting CSRF vulnerability in the teavana.com wishlist comment module (wishlist-comments)
Reported by: faisalahmed | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Generic
Unused domain still in use on WeChat by Starbucks East China
Reported by: k3mlol | Disclosed: | Severity: Critical | Weakness: Improper Access Control - Generic
Reflected XSS on card.starbucks.com.sg/unsubRevert.php via the 'ct' parameter
Reported by: gnux | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Reflected
Subdomain takeover on svcgatewayus.starbucks.com
Reported by: 0xpatrik | Disclosed: | Severity: Critical | Weakness: Privilege Escalation
Account takeover of 'light' starbuckscardb2b users
Reported by: zude | Disclosed: | Severity: High | Weakness: Improper Authentication - Generic
Possible SOP bypass in www.starbucks.com due to insecure crossdomain.xml
Reported by: jackb898 | Disclosed: | Severity: High | Weakness: Cross-Site Request Forgery (CSRF)
Thailand - IDOR on www.starbuckscardth.in.th: a logged-in user could view the balance of any Thailand Starbucks card if they knew its card number
Reported by: nnez | Disclosed: | Severity: Low | Weakness: Insecure Direct Object Reference (IDOR)
CRLF injection on www.starbucks.com
Reported by: x3n0nn3p | Disclosed: | Severity: Medium | Weakness: CRLF Injection
SQL injection in partner id field on https://www.teavana.com (sign-up form)
Reported by: bigbug | Disclosed: | Severity: Medium | Weakness: SQL Injection
China - Open redirect at trackinghub.starbucks.com.cn
Reported by: m82a1 | Disclosed: | Severity: Low | Weakness: Open Redirect
Bulgaria - Subdomain takeover of mail.starbucks.bg
Reported by: nukedx | Disclosed: | Severity: High | Weakness: Privilege Escalation
JumpCloud API key leaked via open GitHub repository
Reported by: vinothkumar | Disclosed: | Severity: Critical | Weakness: Use of Hard-coded Credentials
WAF bypass via double-encoded non-standard ASCII characters permitted a reflected XSS on "page not found" response pages (629745 bypass)
Reported by: laszaro | Disclosed: | Severity: Low | Weakness: Cross-site Scripting (XSS) - Reflected
Thailand – a small number of alarm system portals accessible with the default credentials
Reported by: radosec | Disclosed: | Severity: High | Weakness: Improper Authentication - Generic
Subdomain takeover on wfmnarptpc.starbucks.com
Reported by: 0xpatrik | Disclosed: | Severity: High | Weakness: Privilege Escalation
Subdomain takeover on developer.openapi.starbucks.com
Reported by: dpgribkov | Disclosed: | Severity: High | Weakness: Improper Access Control - Generic
Japan - CSRF in webapp.starbucks.co.jp with user interaction could leak an access token if the user was not using Chrome
Reported by: elber | Disclosed: | Severity: High | Weakness: Cross-Site Request Forgery (CSRF)