A non-exhaustive list of public vulnerabilities and CVEs that I have found. Bug bounties and vulnerabilities released through vulnerability affiliation programs are also listed here.
- Aethra – Multiple Vulnerabilities
- AngularJS – (Angular-CLI) Authentication Bypass
- Avactis – Multiple Vulnerabilities
- British Airways – (awaiting disclosure)
- Cloud at Cost Filex File Uploader – Multiple Vulnerabilities (undisclosed)
- Cloudrino – Multiple Vulnerabilities (undisclosed)
- DJI Phantom 3 – Multiple Vulnerabilities
- DuckDuckGo – WebRTC (CVE-2018-6849) – Metasploit module by: Dhiraj Mishra
- eBay – HTTP Response Splitting, CSRF, Host Header Injection
- Emirates ice Inflight Entertainment System – SQL Injection (undisclosed)
- Facebook Spider – Link Preview Generation (undisclosed)
- Fastweb (Aethra Modem/Router) – Multiple Vulnerabilities
- Fastweb FASTGate – Multiple Vulnerabilities (undisclosed)
- Flickr – Host Header Injection
- Ghost CMS (CVE-2015-1407) – Multiple Vulnerabilities
- Google – Open Redirect (undisclosed – won’t fix)
- HP HPE OpenCall Media Platform (OCMP) (CVE-2017-5799, CVE-2017-5798) – RCE & XSS
- LinkedIn – CSV Excel Formula Injection
- McAfee ePolicy Orchestrator (ePO) Agent Remote Log – DoS/RCE (undisclosed)
- McDonald – Multiple Vulnerabilities
- Minds.com – Multiple Vulnerabilities
- Mura CMS – Multiple Vulnerabilities
- Opera Browser – WebRTC (CVE-2018-6608)
- Oracle JD Edwards EnterpriseOne Tools (CVE-2018-2658, CVE-2018-2659) – Multiple XSS (cpujan2018-3236628)
- Oscommerce – (awaiting disclosure)
- PayPal – Android Mobile APP & API (undisclosed)
- Phorum CMS – Multiple Vulnerabilities
- TIM Telecom Italia – Multiple Vulnerabilities
- Telegram – Exportable Media Files in Secret Chat
- VirIT Explorer – Local Privilege Escalation
- Western Union – Host Header Injection
- Yahoo Messenger – Multiple Vulnerabilities
- ZyXEL NAS – Multiple Vulnerabilities (undisclosed)
