TOPAPI.md

File metadata and controls

248 lines (247 loc) · 35.3 KB

Top REST API reports from HackerOne:

  1. Exposed Kubernetes API - RCE/Exposed Creds to Snapchat - 1134 upvotes, $25000
  2. JumpCloud API Key leaked via Open Github Repository. to Starbucks - 715 upvotes, $0
  3. Flickr Account Takeover using AWS Cognito API to Flickr - 403 upvotes, $0
  4. Denial of service to WP-JSON API by cache poisoning the CORS allow origin header to Automattic - 389 upvotes, $0
  5. [Pre-Submission][H1-4420-2019] API access to Phabricator on code.uberinternal.com from leaked certificate in git repo to Uber - 331 upvotes, $39999
  6. Blind SSRF to internal services in matrix preview_link API to Reddit - 301 upvotes, $6000
  7. Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice to Starbucks - 219 upvotes, $0
  8. Google API key leaked to Public to FetLife - 209 upvotes, $0
  9. Github Apps can use Scoped-User-To-Server Tokens to Obtain Full Access to User's Projects in Project V2 GraphQL api to GitHub - 185 upvotes, $20000
  10. [IDOR] API endpoint leaking sensitive user information to Razer - 172 upvotes, $375
  11. Undocumented fileCopy GraphQL API to Shopify - 140 upvotes, $2000
  12. Bug in GraphQL and API integration leads to limited user address disclosure to Starbucks - 136 upvotes, $0
  13. Public and secret api key leaked in JavaScript source to Stripo Inc - 136 upvotes, $0
  14. Disclose any user's private email through API to HackerOne - 131 upvotes, $0
  15. Git flag injection - Search API with scope 'blobs' to GitLab - 126 upvotes, $7000
  16. Apache Flink RCE via GET jar/plan API Endpoint to Aiven Ltd - 118 upvotes, $6000
  17. Client secret, server tokens for developer applications returned by internal API to Uber - 118 upvotes, $0
  18. "😂" + Unauthenticated Stored XSS in API at https://api.my.games/comments/v1/comments/update/ to Mail.ru - 118 upvotes, $0
  19. China – Limited Partner PII Regarding Work Scheduling via Unauthenticated API Endpoint to Starbucks - 112 upvotes, $0
  20. Full access to InDrive jira panel via exposed API token to inDrive - 109 upvotes, $0
  21. Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers to Khan Academy - 102 upvotes, $0
  22. Leak ██████████ information in real time through API request to Grab - 96 upvotes, $3000
  23. Support Portal Takeover via Leaked API KEY to AMBER AI - 90 upvotes, $1500
  24. Multiple IDORs in family pairing api to TikTok - 89 upvotes, $0
  25. Exposed Cortex API at https://cortex-ingest.shopifycloud.com/ to Shopify - 88 upvotes, $6300
  26. Privilege Escalation via REST API to Administrator leads to RCE to WordPress - 88 upvotes, $0
  27. Disclosure of all uploads to Cloudinary via hardcoded api secret in Android app to Reverb.com - 85 upvotes, $0
  28. Insufficient access control on all BCRM instances leading to the ability to create admin accounts using the API to LY Corporation - 81 upvotes, $0
  29. Bypass report submit restriction/ban using the API key to HackerOne - 78 upvotes, $0
  30. Creation of bounties through Customer API leads to private email disclosure to HackerOne - 77 upvotes, $0
  31. Docker Registry HTTP API v2 exposed in HTTP without authentication leads to docker images dumping and poisoning to Semmle - 76 upvotes, $0
  32. Near to Infinite loop when changing Group's name that has API token as Team Member to HackerOne - 73 upvotes, $2500
  33. Bumble API exposes read status of chat messages to Bumble - 70 upvotes, $600
  34. Making program preference -> program visibility feature useless and disclosing API Identifier in the progress and data that may cause potential IDORs. to HackerOne - 68 upvotes, $0
  35. Internal API endpoint discloses full account name of email address associated with unconfirmed user to New Relic - 63 upvotes, $1500
  36. Improper Authentication in Vimeo's API 'versions' endpoint. to Vimeo - 58 upvotes, $0
  37. Email addresses exposed in getPersonBySlug API to Semmle - 57 upvotes, $500
  38. Google API key leaks and security misconfiguration leads Open Redirect Vulnerability to Clario - 54 upvotes, $300
  39. DoS via markdown API from unauthenticated user to GitHub - 50 upvotes, $4000
  40. SSRF vulnerability can be exploited when a hijacked aggregated api server such as metrics-server returns 30X to Kubernetes - 46 upvotes, $1000
  41. Insecure Storage and Overly Permissive API Keys in Android App to Zenly - 45 upvotes, $0
  42. TAMS registration details API for admins open at https://tamsapi.gsa.gov/user/tams/api/usermgmnt/pendingUserDetails/ to U.S. General Services Administration - 44 upvotes, $0
  43. XSPA on API service endpoint to Polymail, Inc. - 43 upvotes, $0
  44. Unauthenticated Private Messages Disclosure via WordPress REST API to Automattic - 43 upvotes, $0
  45. IDOR in Stats API Endpoint Allows Viewing Equity or Net Profit of Any MT Account to EXNESS - 43 upvotes, $0
  46. Mozilla FuzzManager API Token Exposed in Git Commit to Mozilla - 43 upvotes, $0
  47. Google Maps API key stored as plain text leading to DOS and financial damage to Zenly - 42 upvotes, $750
  48. API Last Request Date/Time Not Updating to HackerOne - 42 upvotes, $0
  49. API key (api.semrush.com) leak in JS-file to Semrush - 42 upvotes, $0
  50. RC Between GitHub's Repo Transfer REST API and updateTeamsRepository GraphQL Mutation Results in Covert and Persistent Admin Access Retention to GitHub - 41 upvotes, $4000
  51. Missing authentication in buddy group API of LINE TIMELINE to LY Corporation - 41 upvotes, $3000
  52. Stored XSS in blog comments through Shopify API to Shopify - 41 upvotes, $0
  53. Outsider can affect Upvote Percentage of private subreddit post by calling /api/vote API to Reddit - 41 upvotes, $0
  54. Execution of API methods when opening a community/application to VK.com - 41 upvotes, $0
  55. Unrestricted access to quiesce functionality in dss.api.playstation.com REST API leads to unavailability of application to PlayStation - 40 upvotes, $1000
  56. Improper access control for users with expired password, giving the user full access through API and Git to GitLab - 40 upvotes, $950
  57. Milestones leaked via search API to GitLab - 40 upvotes, $0
  58. API method at api.my.games allows to enumerate user emails to Mail.ru - 39 upvotes, $400
  59. CSRF on cards API to X (Formerly Twitter) - 38 upvotes, $0
  60. Race Conditions in OAuth 2 API implementations to Internet Bug Bounty - 38 upvotes, $0
  61. Revocation API Token by Bypassing The XSRF Token to Enjin - 37 upvotes, $1500
  62. Internal API endpoint is accessible for everyone to WHO COVID-19 Mobile App - 35 upvotes, $0
  63. Delete any LinkedIn comment on learning API of other users to LinkedIn - 35 upvotes, $0
  64. Datadog api keys exposed can be used to do all the read and write access to the instance to Mars - 35 upvotes, $0
  65. Users can enable API access for free via mass assignment to New Relic - 34 upvotes, $0
  66. StoreFront API allows for a brute force attack on customer login by not timing out ALL attempts to Shopify - 34 upvotes, $0
  67. IDOR in family pairing API to TikTok - 33 upvotes, $0
  68. Cross-Site Request Forgery on the Federalist API (all endpoints), using Flash file on the attacker's host to GSA Bounty - 32 upvotes, $0
  69. Bypass Rate Limits on app.snapchat.com API Endpoint via X-Forwarded-For Header to Snapchat - 32 upvotes, $0
  70. Web API key registration allows registering multiple keys by reusing request_id to Valve - 32 upvotes, $0
  71. Improper Access Control in LINE Timeline API that returns a list of hidden friends to LY Corporation - 31 upvotes, $1346
  72. API on campus-vtc.com allows access to ~100 Uber users full names, email addresses and telephone numbers. to Uber - 31 upvotes, $750
  73. API request signature can be reused with other parameters/data than the original in certain cases to Gatecoin - 31 upvotes, $0
  74. Zero click account Takeover due to Api misconfiguration 🏂🎩 to UPchieve - 30 upvotes, $0
  75. PATCH method manipulation allowing the users to escalate their functionalities and edit (upgrade/downgrade) API Keys settings which is not allowed to Frontegg - 30 upvotes, $0
  76. Public and secret api key leaked via Solana BBP github repo to Solana BBP - 29 upvotes, $0
  77. IDOR in TalentMAP API can be abused to enumerate personal information of all the users to U.S. Department of State - 29 upvotes, $0
  78. [data-07.uberinternal.com] SSRF in Portainer app lead to access to Internal Docker API without Auth to Uber - 28 upvotes, $500
  79. Organization Takeover via invitation API to Helium - 28 upvotes, $100
  80. Make API calls on behalf of another user (CSRF protection bypass) to Vimeo - 28 upvotes, $0
  81. JSON CSRF on POST Heartbeats API to WakaTime - 28 upvotes, $0
  82. Secret API Key is logged in cleartext to Omise - 28 upvotes, $0
  83. API docs expose an active token for the sample domain theburritobot.com to Cloudflare Public Bug Bounty - 27 upvotes, $500
  84. IDOR on www.acronis.com API lead to steal private business user information to Acronis - 27 upvotes, $100
  85. API - Amazon S3 bucket misconfiguration to BCM Messenger - 27 upvotes, $0
  86. IDOR in API applications (able to see any API token, leads to account takeover) to Automattic - 27 upvotes, $0
  87. CSRF in all API endpoints when authenticated using HTTP Authentication to Shopify - 26 upvotes, $0
  88. Full Api Access and Run All Functions via Starbucks App to Starbucks - 26 upvotes, $0
  89. Facebook App API credentials leaked in the APK to GlassWire - 26 upvotes, $0
  90. Sensitive information disclosure to shared access user via streamlabs platform api to Logitech - 25 upvotes, $200
  91. Api Token Leaked in [shoppers.shipt.com] to Shipt - 25 upvotes, $200
  92. GitHub API Key for BrewTestBot is publicly exposed to Homebrew - 25 upvotes, $0
  93. Internal Employee information Disclosure via TikTok Athena API to TikTok - 24 upvotes, $1000
  94. IDOR in "external status check" API leaks data about any status check on the instance to GitLab - 24 upvotes, $610
  95. Infinite Upvoting/Downvoting: Lockout Bypass, Plus: Exposed API Documentation to Urban Dictionary - 24 upvotes, $0
  96. Open API For Username enumeration to WordPress - 24 upvotes, $0
  97. Internal machine learning API endpoint for CWE classification is vulnerable to path traversal to HackerOne - 24 upvotes, $0
  98. Stored XSS on PyPi simple API endpoint to GitLab - 23 upvotes, $3000
  99. REST API Endpoint leads to Unauthorized user disclosed private [ issue ] details to Mail.ru - 23 upvotes, $1000
  100. relap.io/admin/api - administrative API accessible without authentication to Mail.ru - 23 upvotes, $0
  101. ████ api key exposed in github.com/███/███ to 8x8 - 23 upvotes, $0
  102. weak protection against brute-forcing on login api leads to account takeover to Palo Alto Software - 22 upvotes, $0
  103. Unauthorized Access to Protected Tweets via niche.co API to X (Formerly Twitter) - 21 upvotes, $0
  104. Privilege Escalation using API->Feature to Ubiquiti Inc. - 21 upvotes, $0
  105. Leak of Google Sheets API credentials to Azbuka Vkusa - 21 upvotes, $0
  106. Google Maps API key leaked during device pairing to Ping Identity - 20 upvotes, $150
  107. Redmin API Key Exposed In GitHub to Mail.ru - 20 upvotes, $0
  108. Exposed API-key allows to control nightly builds of firmwares (█████████ & ████████) to Ubiquiti Inc. - 19 upvotes, $0
  109. User Information Disclosure via the REST API - /?_method=GET to LocalTapiola - 19 upvotes, $0
  110. Add a video to favourite list of any user [via YouPorn API / FrontEnd] to Pornhub - 19 upvotes, $0
  111. Missing brute force protection on OAuth2 API controller to Nextcloud - 18 upvotes, $500
  112. AppLovin API Key hardcoded in a Github repo to X (Formerly Twitter) - 18 upvotes, $280
  113. [H1-2006 2020] Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or using a custom API attack tool to h1-ctf - 18 upvotes, $0
  114. XSS (reflected, and then, cookie persisted) on api documentation site theme selector (old version of dokuwiki) to Mail.ru - 18 upvotes, $0
  115. jaas.8x8.vc: Removed users can still have READ/WRITE access to the workspace via different API endpoints to 8x8 Bounty - 18 upvotes, $0
  116. CSRF in attach phone API endpoint on delivery-club.ru to Mail.ru - 17 upvotes, $0
  117. CVE-2016-6415 on api-staging.plazius.ru [46.148.201.218] to Mail.ru - 17 upvotes, $0
  118. Leaking Rockset API key on Github to Rockset - 17 upvotes, $0
  119. Users querying dim_hacker_reports table through Analytics API can determine data from dim_reports table using WHERE or HAVING query to HackerOne - 17 upvotes, $0
  120. Flickr API key leaked in GitHub commit to Mozilla - 17 upvotes, $0
  121. Invalid Phabricator API token revealed through error message when escalating a report to HackerOne - 16 upvotes, $500
  122. Unauthorized team members can leak information and see all API calls through /1/admin/* endpoints, even after they have been removed. to Algolia - 16 upvotes, $400
  123. Race condition on the Federalist API endpoints can lead to the Denial of Service attack to GSA Bounty - 16 upvotes, $150
  124. Public and secret api key leaked in JavaScript source to Top Echelon Software - 16 upvotes, $0
  125. Public Postman Api Collection Leaks Internal access to https://assets-paris-dev.codefi.network/ to Consensys - 15 upvotes, $500
  126. Full Path Disclosure in Wordpress Rest API Response to Showmax - 15 upvotes, $50
  127. https://zest.co.th/zestlinepay/checkproduct API endpoint suffers from Boolean-based SQL injection to Razer - 15 upvotes, $0
  128. Non-revoked API Key Disclosure in a Disclosed API Key Disclosure Report on Stripo to Stripo Inc - 15 upvotes, $0
  129. anti_ransomware_service.exe REST API does not require authentication to Acronis - 15 upvotes, $0
  130. Full name of other accounts exposed through NR API Explorer (another workaround of #476958) to New Relic - 14 upvotes, $750
  131. MemeCTF serial exploitation to local file read to Papertrail access via API-token leakage and more to h1-5411-CTF - 14 upvotes, $0
  132. Akismet API keys are exposed by authentication method to Automattic - 14 upvotes, $0
  133. Low authorization level at server side API operation e2e.updateGroupKey, let an attacker break the E2E architecture. to Rocket.Chat - 14 upvotes, $0
  134. Chat room member disclosure via autocomplete API to Nextcloud - 14 upvotes, $0
  135. IDOR - setAttribute action of user object in API to Open-Xchange - 13 upvotes, $400
  136. Open API - AWS S3 GET Bucket (List Objects) Version 1 to ecobee - 13 upvotes, $0
  137. Improper data update process on UpdatePhabricatorIntegration mutation leads to leak of Phabricator Conduit API token. to HackerOne - 13 upvotes, $0
  138. DOM XSS at https://adobedocs.github.io/indesign-api-docs/?configUrl={site} due to outdated Swagger UI to Adobe - 13 upvotes, $0
  139. Bypassing creation of API tokens without email verification to Cloudflare Public Bug Bounty - 13 upvotes, $0
  140. Eval-based XSS in Game JS API (mailru.core.js) via cross-origin postMessage() to Mail.ru - 12 upvotes, $200
  141. IDOR- Activate Mopub on different organizations- steal api token- Fabric.io to X (Formerly Twitter) - 12 upvotes, $0
  142. Secret API Key Leakage via Query String to Zendesk - 12 upvotes, $0
  143. Remote attacker can impersonate Social users via ActivityPub API to Nextcloud - 12 upvotes, $0
  144. API Keys Hardcoded in Github repository to Rocket.Chat - 12 upvotes, $0
  145. Transferring a public group to a private group doesn't remove code from the Elasticsearch API search result to GitLab - 12 upvotes, $0
  146. User personal data disclosure via API to Vercel - 12 upvotes, $0
  147. SSL expired subdomain leads to API swap with main and flagged cookies. Unable to log device ids and certain session tokens. to Basecamp - 12 upvotes, $0
  148. vidyard api auth_token exposed to 8x8 - 12 upvotes, $0
  149. Non-revoked API Key Information disclosure via Stripo_report() to Stripo Inc - 12 upvotes, $0
  150. Campaign Account Balance and History Disclosed in API Response to LinkedIn - 12 upvotes, $0
  151. DOS: out of memory from gif through upload api to Mattermost - 11 upvotes, $150
  152. Private API key leakage due to lack of access control to Cloudflare Vulnerability Disclosure - 11 upvotes, $0
  153. No rate limit in stats api token endpoint to Chaturbate - 11 upvotes, $0
  154. H1514 Shopify API ruby SDK session setup lacks input validation, resulting in SSRF and leakage of client secret to Shopify - 11 upvotes, $0
  155. Employees with Any Permissions Can Create App with Full Permissions and Perform any API Action to Moneybird - 10 upvotes, $0
  156. Group admin can remove user from all his groups via API to Nextcloud - 10 upvotes, $0
  157. Publicly accessible iDRAC instance at api-m.inapp.pushwoosh.com to Pushwoosh - 10 upvotes, $0
  158. Reflected XSS in openapi.starbucks.com /searchasyoutype/v1/search?x-api-key= to Starbucks - 10 upvotes, $0
  159. Leaking sensitive information lead to compromise employer API keys to Yelp - 10 upvotes, $0
  160. Stored XSS (API) to Mail.ru - 10 upvotes, $0
  161. Insecure Storage and Overly Permissive Google Maps API Key in Android App to Mail.ru - 10 upvotes, $0
  162. Hard-coded API keys at NordVpn Android App to Nord Security - 10 upvotes, $0
  163. Sending arbitrary API requests with the permissions of any iframe/miniapp installed by the user to VK.com - 10 upvotes, $0
  164. Git repo on https://██████.mil/ discloses API password to U.S. Dept Of Defense - 10 upvotes, $0
  165. Post-Auth Blind NoSQL Injection in the users.list API leads to Remote Code Execution to Rocket.Chat - 10 upvotes, $0
  166. api keys leaked to Reddit - 10 upvotes, $0
  167. Non-revoked API Key Disclosure in a Disclosed API Key Disclosure Report on Stripo to Stripo Inc - 10 upvotes, $0
  168. Authenticated but unauthorized users may enumerate Application names via the API to Internet Bug Bounty - 9 upvotes, $2400
  169. No brute force protection on web-api-cloud.acronis.com to Acronis - 9 upvotes, $100
  170. Ability to view monitor names of other NR accounts through internal API (v3) via "monitor_id" parameter to New Relic - 8 upvotes, $2000
  171. Revoked User can still view the Merge Request created by him via API to GitLab - 8 upvotes, $1500
  172. Conduit feed.publish API allows you to spoof other users or make it look like you have access to a restricted object to Phabricator - 8 upvotes, $300
  173. User Information Disclosure via REST API to Nextcloud - 8 upvotes, $0
  174. User Information Disclosure via REST API to ownCloud - 8 upvotes, $0
  175. API Webhooks Fire And Are Unlisted After Permissions Removed to Shopify - 8 upvotes, $0
  176. Disclosure of Users Information On Wordpress Api [https://jitsi.org/] to 8x8 - 8 upvotes, $0
  177. Disclosure of Users Information via Wordpress API (?rest_route) to LocalTapiola - 7 upvotes, $50
  178. Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content to Shopify - 7 upvotes, $0
  179. Insecure Cache-Control Leading to API key Retrieval to ThisData - 7 upvotes, $0
  180. Stored XSS in content when Graph is created via API to Infogram - 7 upvotes, $0
  181. Improper authorization on /api/as/v1/credentials/ allows any App Search user to access all API keys and escalate privileges to Elastic - 7 upvotes, $0
  182. Insecure Storage and Overly Permissive API Keys to Stripo Inc - 7 upvotes, $0
  183. I found some API keys in JS files; huge leak of token addresses, and a huge number of JS files are not forbidden to AMBER AI - 7 upvotes, $0
  184. HTML injection in API response including request url to Reddit - 7 upvotes, $0
  185. [NR Infrastructure] Restricted user can update integration provider account name via integrations API to New Relic - 6 upvotes, $750
  186. [NR Alerts] Internal API exposes Synthetics monitor details to a restricted user without view monitor permissions to New Relic - 6 upvotes, $750
  187. API: Bug in method auth.signup that allows triggering phone calls without limit to VK.com - 6 upvotes, $500
  188. API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass to Vimeo - 6 upvotes, $0
  189. CSRF : Reset API to Weblate - 6 upvotes, $0
  190. Api token exposed in Reverb.com's public github repository to Reverb.com - 6 upvotes, $0
  191. Public and secret api key leaked via omise github repo(owned by omise) to Omise - 6 upvotes, $0
  192. Sending trusted ████ and ██████████ emails through public API endpoint in ███████ site to U.S. Dept Of Defense - 6 upvotes, $0
  193. Google Maps API Key Leakage to Uber - 6 upvotes, $0
  194. API Key added for one Indices works for all other indices too. to Algolia - 5 upvotes, $1000
  195. Deprecated owners.query API bypasses object view policy to Phabricator - 5 upvotes, $300
  196. No Rate Limitation on Regenerate Api Key to Weblate - 5 upvotes, $0
  197. Wordpress.com REST API oauth bypass via Cross Site Flashing to Automattic - 5 upvotes, $0
  198. Private account causes displayed through API to Staging.every.org - 5 upvotes, $0
  199. Accessed internal API documentation and information to Mail.ru - 5 upvotes, $0
  200. Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass) to X (Formerly Twitter) - 4 upvotes, $280
  201. Conversation API Leaks Details Of UnAuthorized Conversations to Vanilla - 4 upvotes, $150
  202. Stored XSS in api key of operator wallet to Enter - 4 upvotes, $0
  203. Private snippets in public / internal projects leaked though GitLab API to GitLab - 4 upvotes, $0
  204. API OAuth Public Key disclosure in mobile app to Instacart - 4 upvotes, $0
  205. Abuse of Api that causes spamming users and possible DOS due to missing rate limit on contact form to Weblate - 4 upvotes, $0
  206. Replacement of the SSL certificate for any group in the Manage group -> Working with API section by an unauthenticated user. to VK.com - 4 upvotes, $0
  207. [api.data.gov] Leak Valid API With out Verification - to GSA Bounty - 4 upvotes, $0
  208. API key is not validated for C.R.M integration [Pipedrive] of LOGGED IN USER, A user can use another USER'S API key for this operation. to Dropcontact - 4 upvotes, $0
  209. Getting API access key Through Introspection query Graphql to New Relic - 4 upvotes, $0
  210. hardcoded api secret & api key in com.reddit.frontpage to Reddit - 4 upvotes, $0
  211. API Key reported in #1465145 not rotated and thus is still valid and can be used by anyone to Adobe - 4 upvotes, $0
  212. Apps can access 'channels' beta api to Shopify - 3 upvotes, $500
  213. API keys being cached to Kadira - 3 upvotes, $0
  214. Timing Attack Side-Channel on API Token Verification to joola.io - 3 upvotes, $0
  215. Header Misconfiguration - PHP API to Shopify - 3 upvotes, $0
  216. Cross site scripting On api Calculator API requests to ok.ru - 3 upvotes, $0
  217. The mailbox verification API interface is unlimited and can be used as a mailbox bomb to Phabricator - 3 upvotes, $0
  218. API Does Not Apply Access Controls to Translations to Weblate - 3 upvotes, $0
  219. Insecure Direct Object Reference on API without API key to Semrush - 3 upvotes, $0
  220. twitter api access token leaked on github to Liberapay - 3 upvotes, $0
  221. Unprotected Api EndPoints to Semmle - 3 upvotes, $0
  222. Logging of VK API request responses in the Клевер (Clever) app to VK.com - 3 upvotes, $0
  223. Cross-Site Request Forgery (CSRF) in my.games API to Mail.ru - 3 upvotes, $0
  224. API route chat.getThreadsList leaks private message content to Rocket.Chat - 3 upvotes, $0
  225. User information disclosed via API to U.S. General Services Administration - 3 upvotes, $0
  226. Bypass access restrictions from API to Shopify - 2 upvotes, $1000
  227. Mapbox API Access Token with No Scope Can Read Styles to Mapbox - 2 upvotes, $200
  228. Unauthenticated Stored XSS in API Panel to WePay - 2 upvotes, $100
  229. User Enumeration, Information Disclosure and Lack of Rate Limitation on API to Coinbase - 2 upvotes, $0
  230. API: Bug in method auth.validatePhone to VK.com - 2 upvotes, $0
  231. Abuse of Api that causes spamming users and possible DOS due to missing rate limit to Weblate - 2 upvotes, $0
  232. CRLF Injection in legacy url API (url.parse().hostname) to Node.js - 2 upvotes, $0
  233. Account owner/admin can't actually delete personal users' API keys to New Relic - 2 upvotes, $0
  234. [api.33slona.ru] Access to the API due to a misconfigured server 302 redirect. to Mail.ru - 2 upvotes, $0
  235. SSRF in login page using fetch API exposes victim's IP address to attacker-controlled server to U.S. Dept Of Defense - 2 upvotes, $0
  236. Google API Key is not restricted for specific application package name and signature [Mail.ru Cloud for Android] to Mail.ru - 2 upvotes, $0
  237. API Server DoS (crash?) if many large resources (~1MB each) are concurrently/repeatedly sent to an external Validating WebHook endpoint to Kubernetes - 2 upvotes, $0
  238. Inadequate input validation on API endpoint leading to self denial of service and increased system load. to IRCCloud - 1 upvotes, $500
  239. Reflected XSS on Zomato API to Zomato - 1 upvotes, $0
  240. CSRF - Regenerate all admin api keys to New Relic - 1 upvotes, $0
  241. The email API to reset password is unlimited and can be used as a email bomb to Nextcloud - 1 upvotes, $0
  242. The email API to test email-server settings is unlimited and can be used as a email bomb to Nextcloud - 1 upvotes, $0
  243. Unprotected ██████ and Test site API Exposes Documents, Credentials, and Emails in ██████████ Proposal System to U.S. Dept Of Defense - 1 upvotes, $0
  244. REST API gets query as parameter and executes it to Rocket.Chat - 1 upvotes, $0
  245. Legacy API exposes private video titles to Vimeo - 0 upvotes, $0
  246. Create Api Key is not working to Legal Robot - 0 upvotes, $0
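The single largest cluster in the list above is credential exposure: API keys and secrets committed to public GitHub repositories, shipped inside Android APKs, or left in JavaScript bundles, sometimes still valid after a first disclosure report (the Stripo and Adobe entries). The scanner below is an added example, not code from this repository or from any program listed; it shows the first step a practitioner takes against that class, scanning source text for well-known key formats plus a Shannon-entropy fallback for generic `api_key = "..."` assignments. The regex prefixes (`AIza`, `AKIA`, `sk_live_`, `ghp_`, `xox`) follow the vendors' publicly documented key shapes, but the pattern table and the entropy threshold are this example's own assumptions, and the sample JavaScript is constructed.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# Known credential shapes. Assumption of this example: a starting set, not an
# authoritative catalogue; extend per the vendors you actually use.
PATTERNS: Dict[str, re.Pattern] = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z\-_]{35}"),
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])"),
    "stripe_secret_key": re.compile(r"sk_live_[0-9a-zA-Z]{24,}"),
    "github_token": re.compile(r"gh[pousr]_[A-Za-z0-9]{36}"),
    "slack_token": re.compile(r"xox[baprs]-[0-9A-Za-z-]{10,}"),
}

# Fallback: a secret-looking identifier assigned a long opaque quoted string.
GENERIC = re.compile(
    r"""(?i)\b(api[_-]?key|api[_-]?secret|secret|token|password)\b"""
    r"""\s*[:=]\s*["']([A-Za-z0-9_\-/+=]{16,})["']"""
)


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text: str, min_entropy: float = 3.5) -> List[Finding]:
    """Return candidate secrets in `text`, one Finding per match, in line order.

    Known-format matches are always reported. Generic assignments are reported
    only when the value looks random enough (entropy >= min_entropy), which
    drops placeholders such as "aaaaaaaaaaaaaaaaaaaaaaaa".
    """
    findings: List[Finding] = []
    for idx, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                seen.add(m.group(0))
                findings.append(Finding(idx, kind, m.group(0), shannon_entropy(m.group(0))))
        for m in GENERIC.finditer(line):
            value = m.group(2)
            if value in seen:
                continue  # already reported under its specific format
            ent = shannon_entropy(value)
            if ent >= min_entropy:
                kind = "generic_" + m.group(1).lower().replace("-", "_")
                findings.append(Finding(idx, kind, value, ent))
    return findings


def redact(value: str) -> str:
    """Show only the ends of a secret so a report does not re-leak it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-4:]


# Constructed sample input; none of these values is a real credential.
SAMPLE_JS = """\
// constructed sample, not code from any program listed above
const MAPS_KEY = "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q";
const STRIPE_PUBLISHABLE = "pk_test_abcdefghijklmnopqrstuvwx";
const STRIPE_SECRET = "sk_live_abcdefghijklmnopqrstuvwx1234";
var apiKey = "aaaaaaaaaaaaaaaaaaaaaaaa";
var password = "correct horse battery";
const AWS_ID = "AKIAIOSFODNN7EXAMPLE";
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_JS):
        print(f"line {f.line_no}: {f.kind} {redact(f.value)} (entropy {f.entropy:.2f})")
```

Three of the seven sample lines are flagged: the Google Maps key, the Stripe live secret and the AWS access key ID. The publishable Stripe key is ignored because it is designed to be public, the all-`a` placeholder fails the entropy gate, and the passphrase with spaces never matches the opaque-string shape. A hit is a candidate, not a confirmed compromise: the follow-up is to check whether the key is still accepted by the issuer and, if so, rotate it; deleting it from the repository does not revoke it, which is exactly the failure several of the listed reports describe.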
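Several entries above are rate-limit failures on authentication endpoints (the Snapchat X-Forwarded-For bypass, the Shopify StoreFront brute force, the Nextcloud and Acronis brute-force entries). The code below is an added example, not from this repository or any listed program, showing why keying a limiter on a client-supplied `X-Forwarded-For` header defeats it and how to derive the client address safely. The `Request` model, the `SlidingWindowLimiter`, the proxy address `10.0.0.1` and the sample addresses are all this example's own assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional, Set


class Request:
    """Constructed model of what a handler sees: the TCP peer plus parsed headers."""

    def __init__(self, peer_ip: str, headers: Optional[Dict[str, str]] = None):
        self.peer_ip = peer_ip
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def naive_client_ip(req: Request, trusted_proxies: Set[str]) -> str:
    """Vulnerable: trusts the leftmost X-Forwarded-For hop, which the client sets.

    Every request with a fresh header value lands in a fresh limiter bucket.
    """
    xff = req.headers.get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()
    return req.peer_ip


def trusted_client_ip(req: Request, trusted_proxies: Set[str]) -> str:
    """Hardened: honour X-Forwarded-For only when the TCP peer is one of our
    own proxies, then walk the chain from the right, skipping trusted hops.

    The rightmost untrusted hop is the address our proxy actually saw; anything
    left of it was supplied by the client. Unparseable values fall back to the
    peer address, which at worst rate-limits the proxy itself rather than
    opening a bypass.
    """
    if req.peer_ip not in trusted_proxies:
        return req.peer_ip  # direct connection: the header is untrusted input
    xff = req.headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop in trusted_proxies:
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break
        return hop
    return req.peer_ip


def simulate(resolver: Callable[[Request, Set[str]], str], n: int, limit: int = 5) -> int:
    """One attacker (peer 203.0.113.7, not a proxy) sends n login attempts, each
    with a different spoofed X-Forwarded-For. Returns how many got through."""
    limiter = SlidingWindowLimiter(limit=limit, window=60.0)
    trusted = {"10.0.0.1"}
    allowed = 0
    for i in range(n):
        req = Request("203.0.113.7", {"X-Forwarded-For": f"198.51.100.{i}"})
        if limiter.allow(resolver(req, trusted), now=float(i)):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("naive resolver let through:  ", simulate(naive_client_ip, 20))
    print("trusted resolver let through:", simulate(trusted_client_ip, 20))
```

With the naive resolver all 20 attempts pass a limit of 5 because each spoofed header value is a new key; with the trusted resolver the header is ignored for a direct connection and only 5 pass. When the request does arrive via the proxy, `trusted_client_ip` returns the hop the proxy appended rather than whatever the client put first.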