| Report | Weakness | Reporter | Severity | Date |
|---|---|---|---|---|
| Git flag injection leads to arbitrary file write | Path Traversal | crownpeanut | High | 2021-07-25 |
| SSRF in notifications.server configuration | Server-Side Request Forgery (SSRF) | codeprivate | Medium | 2020-05-15 |
| Exposing voting results on the Slowvote application without actually voting | None supplied | mishre | Low | 2018-11-05 |
| The "Download Raw Diff" URL is viewable by everyone | Information Disclosure | xiaoyinl | Low | 2018-05-23 |
| Administrator can create user without entering high security mode | Improper Authentication - Generic | ivh | Low | 2018-05-22 |
| Window.opener fix bypass | None supplied | mishre | Low | 2018-02-18 |
| Window.opener protection Bypass | None supplied | ranjit_p | No rating | 2018-02-17 |
| Command injection on Phabricator instance with an evil hg branch name | Command Injection - Generic | pnig0s | Critical | 2017-11-11 |
| Credential gets exposed | Information Disclosure | luke081515 | Low | 2017-08-02 |
| Hyper Link Injection In email and Space Characters Allowed at Password Field. | None supplied | aliashber | Medium | 2017-07-23 |
| The mailbox verification API interface is unlimited and can be used as a mailbox bomb | Improper Access Control - Generic | xifengweiyu | Medium | 2017-04-26 |
| Autoclose can close any task regardless of policies/spaces | None supplied | almanac | No rating | 2017-04-24 |
| The special code in editor has no Authority control and can lead to Information Disclosure | Information Disclosure | xifengweiyu | Medium | 2017-04-22 |
| IRC-Bot exposes information | Information Disclosure | luke081515 | Medium | 2017-04-21 |
| Phabricator is vulnerable to padding oracle attacks and chosen-ciphertext attacks. | Missing Required Cryptographic Step | edoverflow | Medium | 2017-04-05 |
| An unsafe design practice in the Passphrase may result in Secret being accidentally changed. | Violation of Secure Design Principles | kevin_c | High | 2017-04-04 |
| Differential "Show Raw File" feature exposes generated files to unauthorised users | Information Disclosure | calvium | Medium | 2017-03-16 |
| Restricted file access when it exists in old versions of task or wiki document | Violation of Secure Design Principles | denispugachev | No rating | 2017-02-06 |
| Enumerating emails through "Forgot Password" form | Violation of Secure Design Principles | denispugachev | No rating | 2017-02-06 |
| User with only Viewing Privilege can send message to Room | Privilege Escalation | lucasveigaf | Low | 2017-02-01 |
| Fetching binaries (for software installation) over HTTP without verification (RCE as ROOT by MITM) | None supplied | e3amn2l | No rating | 2016-12-29 |
| link reset problem | None supplied | pradeepsmehta | No rating | 2016-08-30 |
| Error page Text Injection. | Violation of Secure Design Principles | dhanunjaya | No rating | 2016-08-25 |
| HTML in Diffusion not escaped in certain circumstances | Cross-site Scripting (XSS) - Generic | danny_b | No rating | 2016-08-01 |
| Full path disclosure | Information Disclosure | fnqgpc | No rating | 2016-06-08 |
| No authentication required to add an email address. | Improper Authentication - Generic | apok | No rating | 2016-05-27 |
| Passphrase credential lock bypass | Information Disclosure | vorpal | No rating | 2016-05-19 |
| Extended policy checks are buggy | None supplied | fnqgpc | No rating | 2016-01-11 |
| libphutil: removing bytes from a PhutilRope does not work as intended | None supplied | fnqgpc | No rating | 2015-12-16 |
| Multiple so called 'type juggling' attacks. Most notably PhabricatorUser::validateCSRFToken() is 'bypassable' in certain cases. | Cross-Site Request Forgery (CSRF) | superkritisch | No rating | 2015-10-02 |
| Information leakage through Graphviz blocks | Information Disclosure | jbeta | No rating | 2015-09-13 |
| Dashboard panel embedded onto itself causes a denial of service | Denial of Service | jbeta | No rating | 2015-08-27 |
| XSS with Time-of-Day Format | Cross-site Scripting (XSS) - Generic | candux | No rating | 2015-04-19 |
| SSRF vulnerability (access to metadata server on EC2 and OpenStack) | Information Disclosure | agarri_fr | No rating | 2015-03-26 |
| Server Side Request Forgery in macro creation | Information Disclosure | haquaman | No rating | 2015-03-09 |
| Phabricator Phame Blog Skins Local File Inclusion | Code Injection | nullsub | No rating | 2015-01-14 |
| Phabricator Diffusion application allows unauthorized users to delete mirrors | Improper Authentication - Generic | nullsub | No rating | 2015-01-10 |
| Content injection | Violation of Secure Design Principles | hackerone_hacker | No rating | 2014-12-15 |
| Password Policy issue | Violation of Secure Design Principles | shahmeer-amir | No rating | 2014-10-03 |
| Content Spoofing through URL | Violation of Secure Design Principles | shahmeer-amir | No rating | 2014-09-20 |
| Open redirection on secure.phabricator.com | Open Redirect | appsecure_in | No rating | 2014-09-17 |
| Content spoofing | Cross-site Scripting (XSS) - Generic | djadmin | No rating | 2014-09-11 |
| Forgot Password Issue | Improper Authentication - Generic | xtross1 | No rating | 2014-09-10 |
| Password Reset Links Not Expiring | Improper Authentication - Generic | andi_r | No rating | 2014-09-06 |
| XSS in editor by any user | Cross-site Scripting (XSS) - Generic | tunnelshade | No rating | 2014-08-13 |
| Broken Authentication and Session Management | Improper Authentication - Generic | appsecure_in | No rating | 2014-08-05 |
| Back - Refresh - Attack To Obtain User Credentials | Information Disclosure | xtross1 | No rating | 2014-07-23 |
| CSRF token valid even after the session logout of a particular user | Cross-Site Request Forgery (CSRF) | appsecure_in | No rating | 2014-06-26 |
| Abusing daemon logs for Privilege escalation under certain scenarios | Privilege Escalation | tunnelshade | No rating | 2014-06-18 |
| Abusing VCS control on phabricator | Privilege Escalation | tunnelshade | No rating | 2014-06-13 |
| Persistent XSS: Editor link | Cross-site Scripting (XSS) - Generic | tomvg | No rating | 2014-04-16 |
| OAuth Stealing Attack (New) | Open Redirect | goldshlager | No rating | 2014-04-13 |
| Control character allowed in username | None supplied | dawidczagan | No rating | 2014-04-12 |
| OAuth access_token stealing in Phabricator | Open Redirect | goldshlager | No rating | 2014-04-11 |
| UnAuthorized Editorial Publishing to Blogs | Improper Authentication - Generic | mlitchfield | No rating | 2014-04-06 |
| Bypass auth.email-domains (2) | Improper Authentication - Generic | tomvg | No rating | 2014-03-26 |
| Login CSRF using Twitter OAuth | Cross-Site Request Forgery (CSRF) | mathias | No rating | 2014-03-26 |
| Bypass auth.email-domains | Improper Authentication - Generic | tomvg | No rating | 2014-03-25 |
| Improperly implemented password recovery link functionality | Improper Authentication - Generic | dawidczagan | No rating | 2014-02-27 |
| Log in a user to another account | Cross-Site Request Forgery (CSRF) | dawidczagan | No rating | 2014-02-22 |