Mapbox

reports in last 90 days
19 disclosed resolved issues
1 disclosed informative issue
0 disclosed N/A issues

Listed on HackerOne. Updated on 2019/10/15.

| Severity | Bug Title | Bug Type | Found By | Time to Triage | Time to Close | Report Status |
|---|---|---|---|---|---|---|
| Critical | Admin Panel Accessed (OAuth Bypassed) | Command Injection - Generic | aneeskhan | 0 days, 8 hours | 0 days, 21 hours | Resolved |
| No rating | Logging a user into attacker's account using password reset link | Violation of Secure Design Principles | shahmeer-amir | 4 days, 7 hours | 7 days, 22 hours | Resolved |
| No rating | Stored XSS in editor | Cross-site Scripting (XSS) - Generic | ehsahil | 2 days, 11 hours | 0 days, 8 hours | Resolved |
| No rating | Blind XSS in mapbox.com/contact | Cross-site Scripting (XSS) - Generic | ehsahil | 1 day, 0 hours | 6 days, 7 hours | Resolved |
| No rating | XSS on www.mapbox.com/authorize/ because of open redirect at /core/oauth/auth | Cross-site Scripting (XSS) - Generic | stefanofinding | 2 days, 23 hours | 112 days, 2 hours | Resolved |
| No rating | XSS on www.mapbox.com/authorize | Cross-site Scripting (XSS) - Generic | stefanofinding | 3 days, 1 hour | 112 days, 2 hours | Resolved |
| Low | Node modules path disclosure due to lack of error handling | Information Disclosure | apapedulimu | 2 days, 3 hours | 0 days, 0 hours | Resolved |
| High | Null pointer dereference and segfault in tile-count-merge | NULL Pointer Dereference | geeknik | Issue was not triaged | 5 days, 19 hours | Resolved |
| Medium | Public access to objects in AWS S3 bucket | Information Disclosure | ehsahil | 0 days, 0 hours | 2 days, 5 hours | Resolved |
| Medium | Open AWS Amazon S3 Buckets | Improper Authentication - Generic | saadahmedx | 0 days, 13 hours | 2 days, 3 hours | Resolved |
| Low | Mapbox Android SDK uses Broadcast Receiver instead of Local Broadcast Manager | Information Disclosure | mishre | 0 days, 19 hours | 1 day, 20 hours | Resolved |
| No rating | target="_blank" Vulnerability Resulting in Critical Phishing Vector | Open Redirect | cha5m | Issue was not triaged | 4 days, 23 hours | Informative |
| No rating | Reflected cross-site scripting (XSS) on api.tiles.mapbox.com | Cross-site Scripting (XSS) - Generic | dawgyg | 0 days, 3 hours | 3 days, 19 hours | Resolved |
| No rating | Denial of service in account statistics endpoint | Denial of Service | apok | 1 day, 8 hours | 20 days, 16 hours | Resolved |
| No rating | Mapbox API Access Token with No Scope Can Read Styles | Improper Authentication - Generic | bugs3ra | 4 days, 8 hours | 49 days, 22 hours | Resolved |
| No rating | XSS in L.mapbox.shareControl in mapbox.js | Cross-site Scripting (XSS) - Generic | enderun07 | 19 days, 13 hours | 42 days, 1 hour | Resolved |
| No rating | Stored Cross-Site Scripting in Map Share Page | Cross-site Scripting (XSS) - Generic | hussain_0x3c | 0 days, 20 hours | 1 day, 0 hours | Resolved |
| No rating | Disclosure of map information | Improper Authentication - Generic | hussain_0x3c | 13 days, 11 hours | 0 days, 1 hour | Resolved |
| No rating | Content Spoofing and Local Redirect in Mapbox Studio | Open Redirect | hussain_0x3c | 8 days, 23 hours | 2 days, 17 hours | Resolved |
| No rating | Persistent cross-site scripting (XSS) in map attribution | Cross-site Scripting (XSS) - Generic | ph3t | 0 days, 17 hours | 6 days, 22 hours | Resolved |