| ID | Title | Vulnerability type | Target | Author | Category | Date | Added |
|---|---|---|---|---|---|---|---|
| 5250 | Facebook – Send Notifications to any User Exploit | Logic flaw | Meta / Facebook | Brett Buerhaus (@bbuerhaus) | Bug Bounty | 2014-04-07 | 2023-06-13 |
| 5244 | Facebook – Stored Cross-Site Scripting (XSS) – Badges | Stored XSS | Meta / Facebook | Brett Buerhaus (@bbuerhaus) | Bug Bounty | 2014-06-16 | 2023-06-13 |
| 5227 | Yahoo – Root Access SQL Injection – tw.yahoo.com | SQL injection | Yahoo! / Verizon Media | Brett Buerhaus (@bbuerhaus) | Bug Bounty | 2015-01-15 | 2023-06-13 |
| 5225 | admin.google.com Reflected Cross-Site Scripting (XSS) | Reflected XSS | Google | Brett Buerhaus (@bbuerhaus) | Bug Bounty | 2015-01-21 | 2023-06-13 |
| 5224 | Flickr API Explorer – Force users to execute any API request | CSRF | Flickr | Brett Buerhaus (@bbuerhaus) | Bug Bounty | 2015-02-03 | 2023-06-13 |
| 5223 | Google.com – Mobile Feedback URL Redirect Regex/Validation Flaw | Open redirect | Google | Brett Buerhaus (@bbuerhaus) | Bug Bounty | 2015-02-03 | 2023-06-13 |
| 5184 | Yahoo Login Protection Seal – Stored CSS Injection | CSS injection | Yahoo! / Verizon Media | Brett Buerhaus (@bbuerhaus) | Bug Bounty | 2016-04-18 | 2023-06-13 |
| 5183 | ESEA Server-Side Request Forgery and Querying AWS Meta Data | SSRF | ESEA | Brett Buerhaus (@bbuerhaus) | Bug Bounty | 2016-04-18 | 2023-06-13 |
| 5092 | Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities | XSS, CSP bypass | Airbnb | Brett Buerhaus (@bbuerhaus) | Bug Bounty | 2017-03-08 | 2023-06-13 |
| 5091 | Airbnb – Chaining Third-Party Open Redirect into Server-Side Request Forgery (SSRF) via LivePerson Chat | Open redirect, SSRF, Path traversal | Airbnb | Brett Buerhaus (@bbuerhaus) | Bug Bounty | 2017-03-09 | 2023-06-13 |
| 5088 | Airbnb – Ruby on Rails String Interpolation led to Remote Code Execution | RCE | Airbnb | Brett Buerhaus (@bbuerhaus) | Bug Bounty | 2017-03-13 | 2023-06-13 |
| 5082 | Airbnb – Web to App Phone Notification IDOR to view Everyone's Airbnb Messages | IDOR | Airbnb | Brett Buerhaus (@bbuerhaus) | Bug Bounty | 2017-03-31 | 2023-06-13 |
| 5048 | Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read | XSS, SSRF, LFI | NA | Brett Buerhaus (@bbuerhaus) | Bug Bounty | 2017-06-29 | 2023-06-13 |
| 3875 | A Tale of Exploitation in Spreadsheet File Conversions | Local file disclosure (LFD), SSRF | Slack | Brett Buerhaus (@bbuerhaus) | Bug Bounty | 2019-10-18 | 2023-06-13 |