5204 | Arbitrary File Upload Vulnerability in Google Nest (Write Up) |
Unrestricted file upload
Stored XSS |
Google |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2015-12-21 | 2023-06-13 |
5203 | Local File XSS Vulnerability in Wordpress.com (Write Up) |
XSS |
WordPress |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2015-12-21 | 2023-06-13 |
5133 | XSS Vulnerability in Twitter [https://twitter.com] (Write Up) |
XSS |
Twitter |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2016-09-26 | 2023-06-13 |
4853 | [RCE] Remote Code Execution in Wordpress iOS Application (version 9.3) |
RCE
iOS |
WordPress |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2018-02-21 | 2023-06-13 |
4661 | Blind-XSS in Chrome Experiments - Google (Write Up) |
Blind XSS |
Google |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2018-08-03 | 2023-06-13 |
4659 | Blind-XSS in Chrome Experiments - Google (Write Up) |
Blind XSS |
Google |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2018-08-03 | 2023-06-13 |
4022 | Not a fancy bug, just HTML Injection in Clause - clause.io (Write Up) |
HTML injection |
Clause |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2019-07-21 | 2023-06-13 |
4017 | Disclose any main and 3rd party contributors email address and movie local path thru XML file in Plex TV - plex.tv (Write Up) |
Information disclosure
Internal path disclosure |
Plex |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2019-07-24 | 2023-06-13 |
3982 | Read other user support tickets in https://support..com (Write Up) |
IDOR |
NA |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2019-08-09 | 2023-06-13 |
3980 | Application Level Denial of Service [DoS] using SVG file in https://[REDACTED].com (Write Up) |
Application-level DoS |
NA |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2019-08-10 | 2023-06-13 |
3977 | SSRF Vulnerability in https://app.[REDACTED].com |
SSRF |
NA |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2019-08-13 | 2023-06-13 |
3796 | HTML Injection to XSS bypass in [REDACTED.com] |
Reflected XSS |
NA |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2019-12-07 | 2023-06-13 |
3677 | Popping Alerts in Mixmax Chrome Extension (Write Up) |
XSS |
Mixmax |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2020-02-06 | 2023-06-13 |
3526 | XSS in Peerio 2 Windows Application (Write Up) |
XSS |
Peerio |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2020-04-24 | 2023-06-13 |
2983 | [CVE-2019-17674 & CVE-2020-11025] Stored XSS through navigation menu item edited in Customizer in Wordpress (Write Up) |
Stored XSS |
WordPress |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2020-12-06 | 2023-06-13 |
2811 | Changing other users Episode title & description - IDOR Vulnerability in [REDACTED] (Write Up) |
IDOR |
NA |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2021-02-13 | 2023-06-13 |
2770 | Hijacking Reset Password Link in https://www.niteflirt.com/ via Host Header Poisoning (Write Up) |
Host header injection
Account takeover
Password reset |
Niteflirt |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2021-02-25 | 2023-06-13 |
2565 | 2FA Verification Bypass in Shapeshift [shapeshift.com] (Write Up) |
MFA bypass |
Shapeshift |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2021-05-10 | 2023-06-13 |
2492 | Unexpected IDOR Vulnerability in [REDACTED] - [redacted].net (Write Up) |
IDOR |
NA |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2021-06-10 | 2023-06-13 |
2470 | HTML Injection and a dream in Google Chrome for Linux (Write Up) |
HTML injection |
Google |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2021-06-17 | 2023-06-13 |
2457 | Generate online votes using Race Condition Vulnerability in Woobox Web Application (Write Up) |
Race condition |
Woobox |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2021-06-23 | 2023-06-13 |
113 | IPv6 DNS Takeover via mitm6 (Write Up) |
MiTM
IPv6
DNS takeover
Misconfigured LDAP server
Internal pentest |
NA |
Evan Ricafort (@evanricafort) |
Bug Bounty | 2023-05-08 | 2023-06-13 |