237 lines (236 loc) · 33.5 KB

TOPAPI.md

Top REST API reports from HackerOne:

  1. Exposed Kubernetes API - RCE/Exposed Creds to Snapchat - 1102 upvotes, $25000
  2. JumpCloud API Key leaked via Open Github Repository. to Starbucks - 711 upvotes, $0
  3. Flickr Account Takeover using AWS Cognito API to Flickr - 394 upvotes, $7550
  4. Denial of service to WP-JSON API by cache poisoning the CORS allow origin header to Automattic - 387 upvotes, $0
  5. [Pre-Submission][H1-4420-2019] API access to Phabricator on code.uberinternal.com from leaked certificate in git repo to Uber - 281 upvotes, $39999
  6. Blind SSRF to internal services in matrix preview_link API to Reddit - 279 upvotes, $6000
  7. Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice to Starbucks - 218 upvotes, $0
  8. Google API key leaked to Public to FetLife - 206 upvotes, $0
  9. Github Apps can use Scoped-User-To-Server Tokens to Obtain Full Access to User's Projects in Project V2 GraphQL api to GitHub - 178 upvotes, $20000
  10. [IDOR] API endpoint leaking sensitive user information to Razer - 172 upvotes, $375
  11. Undocumented fileCopy GraphQL API to Shopify - 140 upvotes, $2000
  12. Bug in GraphQL and API integration leads to limited user address disclosure to Starbucks - 136 upvotes, $0
  13. Public and secret api key leaked in JavaScript source to Stripo Inc - 134 upvotes, $0
  14. Disclose any user's private email through API to HackerOne - 130 upvotes, $0
  15. Git flag injection - Search API with scope 'blobs' to GitLab - 125 upvotes, $7000
  16. Client secret, server tokens for developer applications returned by internal API to Uber - 117 upvotes, $0
  17. "😂" + Unauthenticated Stored XSS in API at https://api.my.games/comments/v1/comments/update/ to Mail.ru - 117 upvotes, $0
  18. Apache Flink RCE via GET jar/plan API Endpoint to Aiven Ltd - 116 upvotes, $6000
  19. China – Limited Partner PII Regarding Work Scheduling via Unauthenticated API Endpoint to Starbucks - 112 upvotes, $0
  20. Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers to Khan Academy - 102 upvotes, $0
  21. Leak ██████████ information in real time through API request to Grab - 96 upvotes, $3000
  22. Full access to InDrive jira panel via exposed API token to inDrive - 93 upvotes, $0
  23. Support Portal Takeover via Leaked API KEY to AMBER AI - 90 upvotes, $1500
  24. Multiple IDORs in family pairing api to TikTok - 87 upvotes, $0
  25. Exposed Cortex API at https://cortex-ingest.shopifycloud.com/ to Shopify - 86 upvotes, $6300
  26. Privilege Escalation via REST API to Administrator leads to RCE to WordPress - 86 upvotes, $0
  27. Disclosure of all uploads to Cloudinary via hardcoded api secret in Android app to Reverb.com - 84 upvotes, $0
  28. Insufficient access control on all BCRM instances leading to the ability to create admin accounts using the API to LINE - 80 upvotes, $0
  29. Docker Registry HTTP API v2 exposed in HTTP without authentication leads to docker images dumping and poisoning to Semmle - 75 upvotes, $0
  30. Near to Infinite loop when changing Group's name that has API token as Team Member to HackerOne - 72 upvotes, $2500
  31. Bumble API exposes read status of chat messages to Bumble - 69 upvotes, $600
  32. Making program preference -> program visibility feature useless and disclosing API Identifier in the progress and data that may cause potential IDORS. to HackerOne - 68 upvotes, $0
  33. Internal API endpoint discloses full account name of email address associated with unconfirmed user to New Relic - 61 upvotes, $1500
  34. Improper Authentication in Vimeo's API 'versions' endpoint. to Vimeo - 57 upvotes, $0
  35. Email addresses exposed in getPersonBySlug API to Semmle - 57 upvotes, $0
  36. Google API key leaks and security misconfiguration leads Open Redirect Vulnerability to Clario - 53 upvotes, $300
  37. DoS via markdown API from unauthenticated user to GitHub - 49 upvotes, $4000
  38. SSRF vulnerability can be exploited when a hijacked aggregated api server such as metrics-server returns 30X to Kubernetes - 44 upvotes, $1000
  39. Insecure Storage and Overly Permissive API Keys in Android App to Zenly - 44 upvotes, $750
  40. XSPA on API service endpoint to Polymail, Inc. - 43 upvotes, $0
  41. TAMS registration details API for admins open at https://tamsapi.gsa.gov/user/tams/api/usermgmnt/pendingUserDetails/ to U.S. General Services Administration - 43 upvotes, $0
  42. API Last Request Date/Time Not Updating to HackerOne - 42 upvotes, $0
  43. Execution of API methods when opening a community/application to VK.com - 41 upvotes, $2000
  44. Google Maps API key stored as plain text leading to DOS and financial damage to Zenly - 41 upvotes, $750
  45. Stored XSS in blog comments through Shopify API to Shopify - 41 upvotes, $0
  46. Unauthenticated Private Messages Disclosure via wordpress Rest API to Automattic - 41 upvotes, $0
  47. Missing authentication in buddy group API of LINE TIMELINE to LINE - 40 upvotes, $3000
  48. Unrestricted access to quiesce functionality in dss.api.playstation.com REST API leads to unavailability of application to PlayStation - 40 upvotes, $1000
  49. Milestones leaked via search API to GitLab - 40 upvotes, $0
  50. Improper access control for users with expired password, giving the user full access through API and Git to GitLab - 39 upvotes, $950
  51. API method at api.my.games allows enumeration of user emails to Mail.ru - 39 upvotes, $400
  52. Outsider can affect Upvote Percentage of private subreddit post by calling /api/vote API to Reddit - 39 upvotes, $0
  53. API key (api.semrush.com) leak in JS-file to Semrush - 38 upvotes, $0
  54. Race Conditions in OAuth 2 API implementations to Internet Bug Bounty - 37 upvotes, $2500
  55. CSRF on cards API to Twitter - 37 upvotes, $280
  56. IDOR in Stats API Endpoint Allows Viewing Equity or Net Profit of Any MT Account to EXNESS - 36 upvotes, $0
  57. Internal API endpoint is accessible for everyone to WHO COVID-19 Mobile App - 35 upvotes, $0
  58. StoreFront API allows for a brute force attack on customer login by not timing out ALL attempts to Shopify - 34 upvotes, $500
  59. Users can enable API access for free via mass assignment to New Relic - 34 upvotes, $0
  60. Cross-Site Request Forgery on the Federalist API (all endpoints), using Flash file on the attacker's host to GSA Bounty - 32 upvotes, $0
  61. Bypass Rate Limits on app.snapchat.com API Endpoint via X-Forwarded-For Header to Snapchat - 32 upvotes, $0
  62. API request signature can be reused with other parameters/data than the original in certain cases to Gatecoin - 31 upvotes, $0
  63. Improper Access Control in LINE Timeline API that returns a list of hidden friends to LINE - 31 upvotes, $0
  64. IDOR in family pairing API to TikTok - 30 upvotes, $0
  65. API on campus-vtc.com allows access to ~100 Uber users' full names, email addresses and telephone numbers. to Uber - 29 upvotes, $750
  66. Public and secret api key leaked via Solana BBP github repo to Solana BBP - 29 upvotes, $0
  67. Zero click account Takeover due to Api misconfiguration 🏂🎩 to UPchieve - 29 upvotes, $0
  68. Delete any LinkedIn comment on learning API of other users to LinkedIn - 29 upvotes, $0
  69. Organization Takeover via invitation API to Helium - 27 upvotes, $100
  70. Make API calls on behalf of another user (CSRF protection bypass) to Vimeo - 27 upvotes, $0
  71. JSON CSRF on POST Heartbeats API to WakaTime - 27 upvotes, $0
  72. Secret API Key is logged in cleartext to Omise - 27 upvotes, $0
  73. IDOR in TalentMAP API can be abused to enumerate personal information of all the users to U.S. Department of State - 27 upvotes, $0
  74. [data-07.uberinternal.com] SSRF in Portainer app leads to access to Internal Docker API without Auth to Uber - 26 upvotes, $500
  75. IDOR on www.acronis.com API leads to stealing private business user information to Acronis - 26 upvotes, $100
  76. CSRF in all API endpoints when authenticated using HTTP Authentication to Shopify - 26 upvotes, $0
  77. API - Amazon S3 bucket misconfiguration to BCM Messenger - 26 upvotes, $0
  78. API docs expose an active token for the sample domain theburritobot.com to Cloudflare Public Bug Bounty - 25 upvotes, $500
  79. Full Api Access and Run All Functions via Starbucks App to Starbucks - 25 upvotes, $0
  80. GitHub API Key for BrewTestBot is publicly exposed to Homebrew - 25 upvotes, $0
  81. Api Token Leaked in [shoppers.shipt.com] to Shipt - 24 upvotes, $200
  82. Infinite Upvoting/Downvoting: Lockout Bypass, Plus: Exposed API Documentation to Urban Dictionary - 24 upvotes, $0
  83. Open API For Username enumeration to WordPress - 24 upvotes, $0
  84. IDOR in API applications (able to see any API token, leads to account takeover) to Automattic - 24 upvotes, $0
  85. Stored XSS on PyPi simple API endpoint to GitLab - 23 upvotes, $3000
  86. Internal Employee information Disclosure via TikTok Athena api to TikTok - 23 upvotes, $1000
  87. IDOR in "external status check" API leaks data about any status check on the instance to GitLab - 23 upvotes, $610
  88. Sensitive information disclosure to shared access user via streamlabs platform api to Logitech - 23 upvotes, $200
  89. relap.io/admin/api - administrative API accessible without authentication to Mail.ru - 22 upvotes, $3000
  90. REST API Endpoint leads to Unauthorized user disclosed private [ issue ] details to Mail.ru - 22 upvotes, $1000
  91. ████ api key exposed in github.com/███/███ to 8x8 - 22 upvotes, $0
  92. Unauthorized Access to Protected Tweets via niche.co API to Twitter - 21 upvotes, $0
  93. Privilege Escalation using API->Feature to Ubiquiti Inc. - 21 upvotes, $0
  94. Redmin API Key Exposed In GitHub to Mail.ru - 20 upvotes, $0
  95. Leak of Google Sheets API credentials to Azbuka Vkusa - 20 upvotes, $0
  96. Exposed API-key allows controlling nightly builds of firmwares (█████████ & ████████) to Ubiquiti Inc. - 19 upvotes, $0
  97. Add a video to favourite list of any user [via YouPorn API / FrontEnd] to Pornhub - 19 upvotes, $0
  98. weak protection against brute-forcing on login api leads to account takeover to Palo Alto Software - 19 upvotes, $0
  99. Internal machine learning API endpoint for CWE classification is vulnerable to path traversal to HackerOne - 19 upvotes, $0
  100. AppLovin API Key hardcoded in a Github repo to Twitter - 18 upvotes, $280
  101. Google Maps API key leaked during device pairing to Ping Identity - 18 upvotes, $150
  102. User Information Disclosure via the REST API - /?_method=GET to LocalTapiola - 18 upvotes, $50
  103. [H1-2006 2020] Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or using a custom API attack tool to h1-ctf - 18 upvotes, $0
  104. XSS (reflected, and then, cookie persisted) on api documentation site theme selector (old version of dokuwiki) to Mail.ru - 18 upvotes, $0
  105. CSRF in attach phone API endpoint on delivery-club.ru to Mail.ru - 17 upvotes, $0
  106. CVE-2016-6415 on api-staging.plazius.ru [46.148.201.218] to Mail.ru - 17 upvotes, $0
  107. Leaking Rockset API key on Github to Rockset - 17 upvotes, $0
  108. Invalid Phabricator API token revealed through error message when escalating a report to HackerOne - 16 upvotes, $500
  109. Unauthorized team members can leak information and see all API calls through /1/admin/* endpoints, even after they have been removed. to Algolia - 16 upvotes, $400
  110. Race condition on the Federalist API endpoints can lead to the Denial of Service attack to GSA Bounty - 16 upvotes, $0
  111. jaas.8x8.vc: Removed users can still have READ/WRITE access to the workspace via different API endpoints to 8x8 Bounty - 16 upvotes, $0
  112. Users querying dim_hacker_reports table through Analytics API can determine data from dim_reports table using WHERE or HAVING query to HackerOne - 16 upvotes, $0
  113. anti_ransomware_service.exe REST API does not require authentication to Acronis - 15 upvotes, $200
  114. Full Path Disclosure in Wordpress Rest API Response to Showmax - 15 upvotes, $50
  115. https://zest.co.th/zestlinepay/checkproduct API endpoint suffers from Boolean-based SQL injection to Razer - 15 upvotes, $0
  116. Non-revoked API Key Disclosure in a Disclosed API Key Disclosure Report on Stripo to Stripo Inc - 15 upvotes, $0
  117. Public and secret api key leaked in JavaScript source to Top Echelon Software - 15 upvotes, $0
  118. Public Postman Api Collection Leaks Internal access to https://assets-paris-dev.codefi.network/ to Consensys - 14 upvotes, $500
  119. MemeCTF serial exploitation to local file read to Papertrail access via API-token leakage and more to h1-5411-CTF - 14 upvotes, $0
  120. IDOR - setAttribute action of user object in API to Open-Xchange - 13 upvotes, $400
  121. Open API - AWS S3 GET Bucket (List Objects) Version 1 to ecobee - 13 upvotes, $0
  122. Improper data update process on UpdatePhabricatorIntegration mutation leads to leak of Phabricator Conduit API token. to HackerOne - 13 upvotes, $0
  123. Akismet API keys are exposed by authentication method to Automattic - 13 upvotes, $0
  124. Low authorization level at server side API operation e2e.updateGroupKey, let an attacker break the E2E architecture. to Rocket.Chat - 13 upvotes, $0
  125. Chat room member disclosure via autocomplete API to Nextcloud - 13 upvotes, $0
  126. SSL expired subdomain leads to API swap with main and flagged cookies. Unable to log device ids and certain session tokens. to Basecamp - 12 upvotes, $350
  127. Eval-based XSS in Game JS API (mailru.core.js) via cross-origin postMessage() to Mail.ru - 12 upvotes, $200
  128. Remote attacker can impersonate Social users via ActivityPub API to Nextcloud - 12 upvotes, $50
  129. API Keys Hardcoded in Github repository to Rocket.Chat - 12 upvotes, $0
  130. Transferring a public group to a private group doesn't remove code from the Elasticsearch API search result to GitLab - 12 upvotes, $0
  131. User personal data disclosure via API to Vercel - 12 upvotes, $0
  132. vidyard api auth_token exposed to 8x8 - 12 upvotes, $0
  133. DOM XSS at https://adobedocs.github.io/indesign-api-docs/?configUrl={site} due to outdated Swagger UI to Adobe - 12 upvotes, $0
  134. Full name of other accounts exposed through NR API Explorer (another workaround of #476958) to New Relic - 11 upvotes, $750
  135. IDOR- Activate Mopub on different organizations- steal api token- Fabric.io to Twitter - 11 upvotes, $0
  136. Secret API Key Leakage via Query String to Zendesk - 11 upvotes, $0
  137. Private API key leakage due to lack of access control to Cloudflare Vulnerability Disclosure - 11 upvotes, $0
  138. No rate limit in stats api token endpoint to Chaturbate - 11 upvotes, $0
  139. H1514 Shopify API ruby SDK session setup lacks input validation, resulting in SSRF and leakage of client secret to Shopify - 11 upvotes, $0
  140. Non-revoked API Key Information disclosure via Stripo_report() to Stripo Inc - 11 upvotes, $0
  141. Bypassing creation of API tokens without email verification to Cloudflare Public Bug Bounty - 11 upvotes, $0
  142. Facebook App API credentials leaked in the APK to GlassWire - 11 upvotes, $0
  143. Stored XSS (API) to Mail.ru - 10 upvotes, $500
  144. Sending arbitrary requests to the API with the permissions of any iframe/miniapp installed by the user to VK.com - 10 upvotes, $500
  145. DOS: out of memory from gif through upload api to Mattermost - 10 upvotes, $150
  146. Employees with Any Permissions Can Create App with Full Permissions and Perform any API Action to Moneybird - 10 upvotes, $0
  147. Group admin can remove user from all his groups via API to Nextcloud - 10 upvotes, $0
  148. Publicly accessible IDRAC instance at api-m.inapp.pushwoosh.com to Pushwoosh - 10 upvotes, $0
  149. Reflected XSS in openapi.starbucks.com /searchasyoutype/v1/search?x-api-key= to Starbucks - 10 upvotes, $0
  150. Leaking sensitive information lead to compromise employer API keys to Yelp - 10 upvotes, $0
  151. Insecure Storage and Overly Permissive Google Maps API Key in Android App to Mail.ru - 10 upvotes, $0
  152. Hard-coded API keys at NordVpn Android App to Nord Security - 10 upvotes, $0
  153. Git repo on https://██████.mil/ discloses API password to U.S. Dept Of Defense - 10 upvotes, $0
  154. api keys leaked to Reddit - 10 upvotes, $0
  155. No brute force protection on web-api-cloud.acronis.com to Acronis - 9 upvotes, $100
  156. Post-Auth Blind NoSQL Injection in the users.list API leads to Remote Code Execution to Rocket.Chat - 9 upvotes, $0
  157. Campaign Account Balance and History Disclosed in API Response to LinkedIn - 9 upvotes, $0
  158. Authenticated but unauthorized users may enumerate Application names via the API to Internet Bug Bounty - 8 upvotes, $2400
  159. Ability to view monitor names of other NR accounts through internal API (v3) via "monitor_id" parameter to New Relic - 8 upvotes, $2000
  160. Conduit feed.publish API allows you to spoof other users or make it look like you have access to a restricted object to Phabricator - 8 upvotes, $300
  161. User Information Disclosure via REST API to Nextcloud - 8 upvotes, $0
  162. API Webhooks Fire And Are Unlisted After Permissions Removed to Shopify - 8 upvotes, $0
  163. Revoked User can still view the Merge Request created by him via API to GitLab - 7 upvotes, $1500
  164. User Information Disclosure via REST API to ownCloud - 7 upvotes, $0
  165. Stored XSS in content when Graph is created via API to Infogram - 7 upvotes, $0
  166. Disclosure of Users Information On Wordpress Api [https://jitsi.org/] to 8x8 - 7 upvotes, $0
  167. I found some api keys in js files, huge leak of token addresses and huge amount of js files are not forbidden to AMBER AI - 7 upvotes, $0
  168. Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content to Shopify - 6 upvotes, $2000
  169. API: Bug in method auth.signup that allows making phone calls endlessly to VK.com - 6 upvotes, $500
  170. CSRF : Reset API to Weblate - 6 upvotes, $0
  171. Insecure Cache-Control Leading to API key Retrieval to ThisData - 6 upvotes, $0
  172. Api token exposed in Reverb.com's public github repository to Reverb.com - 6 upvotes, $0
  173. Public and secret api key leaked via omise github repo(owned by omise) to Omise - 6 upvotes, $0
  174. Sending trusted ████ and ██████████ emails through public API endpoint in ███████ site to U.S. Dept Of Defense - 6 upvotes, $0
  175. Improper authorization on /api/as/v1/credentials/ allows any App Search user to access all API keys and escalate privileges to Elastic - 6 upvotes, $0
  176. Google Maps API Key Leakage to Uber - 6 upvotes, $0
  177. Insecure Storage and Overly Permissive API Keys to Stripo Inc - 6 upvotes, $0
  178. API Key added for one Indices works for all other indices too. to Algolia - 5 upvotes, $1000
  179. [NR Infrastructure] Restricted user can update integration provider account name via integrations API to New Relic - 5 upvotes, $750
  180. [NR Alerts] Internal API exposes Synthetics monitor details to a restricted user without view monitor permissions to New Relic - 5 upvotes, $750
  181. Deprecated owners.query API bypasses object view policy to Phabricator - 5 upvotes, $300
  182. API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass to Vimeo - 5 upvotes, $0
  183. No Rate Limitation on Regenerate Api Key to Weblate - 5 upvotes, $0
  184. Wordpress.com REST API oauth bypass via Cross Site Flashing to Automattic - 5 upvotes, $0
  185. Private account causes displayed through API to Staging.every.org - 5 upvotes, $0
  186. Accessed internal api documentation and information to Mail.ru - 5 upvotes, $0
  187. HTML injection in API response including request url to Reddit - 5 upvotes, $0
  188. Substitution of the SSL certificate for any group in the Group Management->Working with API section by an unauthorized user. to VK.com - 4 upvotes, $200
  189. Conversation API Leaks Details Of UnAuthorized Conversations to Vanilla - 4 upvotes, $150
  190. Disclosure of Users Information via Wordpress API (?rest_route) to LocalTapiola - 4 upvotes, $50
  191. Private snippets in public / internal projects leaked through GitLab API to GitLab - 4 upvotes, $0
  192. API OAuth Public Key disclosure in mobile app to Instacart - 4 upvotes, $0
  193. Abuse of Api that causes spamming users and possible DOS due to missing rate limit on contact form to Weblate - 4 upvotes, $0
  194. [api.data.gov] Leak Valid API With out Verification - to GSA Bounty - 4 upvotes, $0
  195. API key is not validated for C.R.M integration [Pipedrive] of LOGGED IN USER, A user can use another USER'S API key for this operation. to Dropcontact - 4 upvotes, $0
  196. Getting API access key Through Introspection query Graphql to New Relic - 4 upvotes, $0
  197. API Key reported in #1465145 not rotated and thus is still valid and can be used by anyone to Adobe - 4 upvotes, $0
  198. Logging of VK API request responses in the Клевер app to VK.com - 3 upvotes, $300
  199. Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass) to Twitter - 3 upvotes, $280
  200. Stored XSS in api key of operator wallet to Enter - 3 upvotes, $0
  201. The mailbox verification API interface is unlimited and can be used as a mailbox bomb to Phabricator - 3 upvotes, $0
  202. API Does Not Apply Access Controls to Translations to Weblate - 3 upvotes, $0
  203. Insecure Direct Object Reference on API without API key to Semrush - 3 upvotes, $0
  204. twitter api access token leaked on github to Liberapay - 3 upvotes, $0
  205. Unprotected Api EndPoints to Semmle - 3 upvotes, $0
  206. Cross-Site Request Forgery (CSRF) in my.games API to Mail.ru - 3 upvotes, $0
  207. hardcoded api secret & api key in com.reddit.frontpage to Reddit - 3 upvotes, $0
  208. Mapbox API Access Token with No Scope Can Read Styles to Mapbox - 2 upvotes, $200
  209. Unauthenticated Stored XSS in API Panel to WePay - 2 upvotes, $100
  210. API keys being cached to Kadira - 2 upvotes, $0
  211. Timing Attack Side-Channel on API Token Verification to joola.io - 2 upvotes, $0
  212. Header Misconfiguration - PHP API to Shopify - 2 upvotes, $0
  213. Cross site scripting On api Calculator API requests to ok.ru - 2 upvotes, $0
  214. Abuse of Api that causes spamming users and possible DOS due to missing rate limit to Weblate - 2 upvotes, $0
  215. CRLF Injection in legacy url API (url.parse().hostname) to Node.js - 2 upvotes, $0
  216. [api.33slona.ru] Access to the API due to an incorrect server configuration (302 redirect). to Mail.ru - 2 upvotes, $0
  217. Google API Key is not restricted for specific application package name and signature [Mail.ru Cloud for Android] to Mail.ru - 2 upvotes, $0
  218. API Server DoS (crash?) if many large resources (~1MB each) are concurrently/repeatedly sent to an external Validating WebHook endpoint to Kubernetes - 2 upvotes, $0
  219. API route chat.getThreadsList leaks private message content to Rocket.Chat - 2 upvotes, $0
  220. User information disclosed via API to U.S. General Services Administration - 2 upvotes, $0
  221. Bypass access restrictions from API to Shopify - 1 upvote, $1000
  222. API: Bug in method auth.validatePhone to VK.com - 1 upvote, $500
  223. Apps can access 'channels' beta api to Shopify - 1 upvote, $500
  224. User Enumeration, Information Disclosure and Lack of Rate Limitation on API to Coinbase - 1 upvote, $0
  225. Reflected XSS on Zomato API to Zomato - 1 upvote, $0
  226. CSRF - Regenerate all admin api keys to New Relic - 1 upvote, $0
  227. The email API to reset password is unlimited and can be used as an email bomb to Nextcloud - 1 upvote, $0
  228. The email API to test email-server settings is unlimited and can be used as an email bomb to Nextcloud - 1 upvote, $0
  229. Account owner/admin can't actually delete personal users' API keys to New Relic - 1 upvote, $0
  230. Unprotected ██████ and Test site API Exposes Documents, Credentials, and Emails in ██████████ Proposal System to U.S. Dept Of Defense - 1 upvote, $0
  231. REST API gets query as parameter and executes it to Rocket.Chat - 1 upvote, $0
  232. Inadequate input validation on API endpoint leading to self denial of service and increased system load. to IRCCloud - 0 upvotes, $500
  233. Legacy API exposes private video titles to Vimeo - 0 upvotes, $0
  234. Create Api Key is not working to Legal Robot - 0 upvotes, $0
  235. SSRF in login page using fetch API exposes victim's IP address to attacker controlled server to U.S. Dept Of Defense - 0 upvotes, $0