Yelp - HackerOne Reports
Total Reports: 73 | Critical: 3 | High: 5 | Medium: 18 | Low: 21
Password reset token not expiring
Reported by: hk755a | Disclosed: | Weakness: Improper Authentication - Generic
No rate limit in forgot password session
Reported by: irfadps | Disclosed: | Severity: Medium
Weak Password Policy
Reported by: k4yy1s | Disclosed: | Severity: Low | Weakness: Violation of Secure Design Principles
ClickJacking on IMPORTANT Functions of Yelp
Reported by: hk755a | Disclosed: | Severity: Low | Weakness: UI Redressing (Clickjacking)
Leaking sensitive information leads to compromise of employer API keys
Reported by: xsam | Disclosed: | Severity: High | Weakness: Insecure Storage of Sensitive Information
IDOR (indirect object references) on add friend, compliment and send message
Reported by: w3b7ricks73r | Disclosed: | Weakness: Violation of Secure Design Principles
Self-XSS via location cookie city field when getting suggestions for a new location
Reported by: haquaman | Disclosed: | Weakness: Cross-site Scripting (XSS) - Generic
Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot
Reported by: badagent | Disclosed: | Weakness: Information Disclosure
No rate limiting for confirmation email leads to email flooding
Reported by: muhammaddaffa | Disclosed: | Severity: Medium | Weakness: Violation of Secure Design Principles
DoS of https://blog.yelp.com/ and other WP instances via CVE-2018-6389
Reported by: muhammaddaffa | Disclosed: | Severity: Medium | CVEs: CVE-2018-6389
Server-side request forgery (SSRF)
Reported by: raja404 | Disclosed: | Severity: Medium | Weakness: Server-Side Request Forgery (SSRF)
[engineeringblog.yelp.com] CRLF Injection
Reported by: bobrov | Disclosed:
CORS Misconfiguration on trust.yelp.com
Reported by: ajayjachak | Disclosed: | Severity: Medium
IDNs displayed in unicode in messages/about/talk sections (Homograph Attack)
Reported by: hk755a | Disclosed: | Weakness: Violation of Secure Design Principles
Error Page Text Injection
Reported by: r0h17 | Disclosed: | Weakness: Violation of Secure Design Principles
installed.json sensitive file was publicly accessible on your web application which discloses information about authors and admins
Reported by: whitehacker18 | Disclosed: | Severity: Low | Weakness: Information Disclosure
Clickjacking in delete image of user in Yelp
Reported by: mohamedsherif | Disclosed: | Severity: Medium | Weakness: UI Redressing (Clickjacking)
Firefly's verify_access_token() function does a byte-by-byte comparison of HMAC values.
Reported by: edoverflow | Disclosed: | Weakness: Cryptographic Issues - Generic
Privilege Escalation - A Low Privilege User who does not have access to the user management module can remove the owner of the business account
Reported by: vijaysimha-reddy | Disclosed: | Severity: Low | Weakness: Improper Access Control - Generic
RXSS at https://proze.yelp.com/tmsubscribe.net/vidsn.aspx
Reported by: 0xold | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Reflected
Page 1 of 4