Vimeo - HackerOne Reports
Total Reports: 24
Critical: 1
High: 4
Medium: 1
Low: 0
Can message users without the proper authorization
Reported by: jkjkjk | Disclosed:
Weakness: Improper Authentication - Generic

Possibility to overwrite any file in the vpe.cdn.vimeo.tv leads to the Stored XSS for the all customers on the embed.vhx.tv
Reported by: sp1d3rs | Disclosed:
Severity: High
Weakness: Improper Access Control - Generic

Watch any Password Video without password
Reported by: opnsec | Disclosed:
Weakness: Information Disclosure

Reflected File Download (RFD) in download video
Reported by: dphoeniixx | Disclosed:
Severity: Medium

Downloading password protected / restricted videos
Reported by: gazza | Disclosed:

XSS in Subtitles of Vimeo Flash Player and Hubnut
Reported by: opnsec | Disclosed:
Weakness: Cross-site Scripting (XSS) - Generic

XSS on player.vimeo.com without user interaction and vimeo.com with user interaction
Reported by: stefanovettorazzi | Disclosed:
Weakness: Cross-site Scripting (XSS) - Generic

Application XSS filter function Bypass may allow Multiple stored XSS
Reported by: securityidiots | Disclosed:
Weakness: Cross-site Scripting (XSS) - Generic

Disclosure of sensitive information through Google Cloud Storage bucket
Reported by: koenrh | Disclosed:
Severity: High
Weakness: Information Disclosure

Securing "Reset password" pages from bots
Reported by: panchocosil | Disclosed:
Weakness: Violation of Secure Design Principles

Domain pointing to vimeo portfolio are prone to takeover using on-demand.
Reported by: bugdiscloseguys | Disclosed:
Severity: High
Weakness: Business Logic Errors

[vimeopro.com] CRLF Injection
Reported by: bobrov | Disclosed:

Stored XSS on player.vimeo.com
Reported by: stefanovettorazzi | Disclosed:
Weakness: Cross-site Scripting (XSS) - Generic

Reflected XSS on vimeo.com/musicstore
Reported by: stefanovettorazzi | Disclosed:
Weakness: Cross-site Scripting (XSS) - Generic

Images and Subtitles Leakage from private videos
Reported by: opnsec | Disclosed:
Weakness: Information Disclosure

OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing
Reported by: opnsec | Disclosed:
Weakness: Cross-Site Request Forgery (CSRF)

XSS on mobile version of vimeo.com where the button "Follow" appears
Reported by: stefanovettorazzi | Disclosed:
Weakness: Cross-site Scripting (XSS) - Generic

XSS when using captions/subtitles on video player based on Flash (requires user interaction)
Reported by: stefanovettorazzi | Disclosed:
Weakness: Cross-site Scripting (XSS) - Generic

XSS on vimeo.com | "Search within these results" feature (requires user interaction)
Reported by: stefanovettorazzi | Disclosed:
Weakness: Cross-site Scripting (XSS) - Generic

Improper Authentication in Vimeo's API 'versions' endpoint.
Reported by: bugdiscloseguys | Disclosed:
Severity: High
Weakness: Improper Authentication - Generic