OtherMedium
2FA requirement bypass when inviting team members
HackerOne disclosed report --> https://hackerone.com/reports/3356149
hackerone-reports0
Mar 3, 2026
CVSS6.4
€0Knowledge base
Writeups
Real vulnerability disclosures from top bug bounty hunters. Filter by type and severity.
Filter:
12 writeups
hackerone-reportsXSSMedium PRO
Stored XSS via SVG Upload Horizontal Tab Character Filter Evasion
Stored Cross-Site Scripting via SVG File Upload Filter Bypass
tonysec1
Mar 2, 2026
CVSS6.1
€850Web Cache DeceptionMedium
[EN] Massive Data Leak via Web Cache Deception
This writeup details a critical Web Cache Deception (CWE-524) vulnerability discovered across the core API endpoints of an IoT/Smart Home device management platform.
pyus3r0
Mar 1, 2026
CVSS4.2
€47Web Cache DeceptionMedium
[ES] Massive Data Leak via Web Cache Deception
Este writeup detalla una vulnerabilidad crítica de Web Cache Deception (CWE-524) descubierta en los endpoints principales de una plataforma de gestión de dispositivos IoT/Smart Home.
pyus3r1
Mar 1, 2026
CVSS4.2
€47Business LogicMedium PRO
[EN] Exploiting Business Logic: Inventory Depletion via Parameter Tampering
This writeup documents a critical Business Logic Error (CWE-840) discovered in the payment flow of an event-driven e-commerce platform.
pyus3r0
Mar 1, 2026
CVSS6.5
€400Business LogicMedium PRO
[ES] Stock Depletion via Ticket Quantity Bypass and Payment-Mode Manipulation (IDOR)
Este writeup documenta un fallo crítico de lógica de negocio (Business Logic Error - CWE-840) descubierto en el flujo de pagos de una plataforma de comercio electrónico orientada a eventos.
pyus3r1
Mar 1, 2026
CVSS6.5
€400Information DisclosureMedium
[EN] Public Exposure of Internal API Models (.smd)
This writeup details an Information Disclosure (CWE-200) vulnerability that allowed viewing the source code and complete domain model mapping of a corporate backend.
pyus3r0
Mar 1, 2026
CVSS5.3
€50Information DisclosureMedium
[ES] Public Exposure of Internal API Models (.smd)
Este writeup detalla una vulnerabilidad de **Exposición de Información (Information Disclosure - CWE-200)** que permitía visualizar el código fuente y el mapeado completo de los modelos de dominio de un backend corporativo.
pyus3r0
Mar 1, 2026
CVSS5.3
€50Information DisclosureHigh
[EN] Sensitive Data Exposure via JSON-RPC (Whistleblowing Channel)
An unprotected endpoint allowed the exfiltration, via a simple unauthenticated POST request, of gigabytes of configurations, structural metadata, and private personal/corporate information belonging to the organizations using the software.
pyus3r0
Mar 1, 2026
CVSS7.5
€200Information DisclosureHigh
[ES] Sensitive Data Exposure via JSON-RPC (Whistleblowing Channel)
Un endpoint desprotegido permitía exfiltrar, a través de una simple petición POST no autenticada, gigabytes de configuraciones, metadatos estructurales e información personal y corporativa privada de las organizaciones que utilizaban el software.
pyus3r0
Mar 1, 2026
CVSS7.5
€200CSRFCritical
[EN] One-Click Account Takeover via OTP Bypass and CSRF
This writeup details a critical business logic vulnerability in the email change flow of a platform. By combining an OTP Bypass and a CSRF, it was possible to arbitrarily replace any user's email address with a single click, resulting in a complete Account Takeover (ATO).
pyus3r0
Mar 1, 2026
CVSS9.6
€56CSRFCritical
[ES] One-Click Account Takeover vía OTP Bypass y CSRF
Este writeup detalla una vulnerabilidad crítica de lógica de negocio en el flujo de cambio de correo electrónico de una plataforma. Mediante la combinación de un OTP Bypass y un CSRF, fue posible reemplazar el correo de cualquier usuario de forma arbitraria con un solo clic, logrando así un Account Takeover (ATO) completo.
pyus3r0
Mar 1, 2026
CVSS9.6
€56