Phabricator

Reports in last 90 days
40 disclosed resolved issues
17 disclosed informative issues
5 disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to Triage | Time to Close | Report Status |
|---|---|---|---|---|---|---|
| No rating | IDOR bug to see hidden Slowvote of any user even when you don't have access right | Insecure Direct Object Reference (IDOR) | ranjit_p | 1 day and 19 hours | 1 day and 4 hours | Resolved |
| High | Issue: Form does not contain an anti-CSRF token | Cross-Site Request Forgery (CSRF) | saidulmursalinkhan | Not triaged | 0 days and 0 hours | Not applicable |
| High | Request vulnerable to CSRF | Cross-Site Request Forgery (CSRF) | saidulmursalinkhan | Not triaged | 0 days and 0 hours | Not applicable |
| None | TOTP key is shorter than RFC 4226 recommended minimum | Cryptographic Issues - Generic | insufficiententropy | Not triaged | 0 days and 3 hours | Resolved |
| Low | Exposing voting results on the Slowvote application without actually voting | None supplied | mishre | Not triaged | 0 days and 20 hours | Resolved |
| Low | Administrator can create user without entering high security mode | Improper Authentication - Generic | ivh | Not triaged | 0 days and 11 hours | Resolved |
| Low | The "Download Raw Diff" URL is viewable by everyone | Information Disclosure | xiaoyinl | Not triaged | 0 days and 0 hours | Informative |
| No rating | Window.opener protection bypass | None supplied | ranjit_p | Not triaged | 0 days and 0 hours | Resolved |
| Low | Window.opener fix bypass | None supplied | mishre | Not triaged | 0 days and 2 hours | Resolved |
| Critical | Command injection on Phabricator instance with an evil hg branch name | Command Injection - Generic | pnig0s | Not triaged | 1 day and 7 hours | Resolved |
| Low | Credential gets exposed | Information Disclosure | luke081515 | 0 days and 2 hours | 0 days and 2 hours | Informative |
| Medium | Hyperlink injection in email and space characters allowed at password field | None supplied | aliashber | Not triaged | 0 days and 5 hours | Informative |
| Medium | IRC-Bot exposes information | Information Disclosure | luke081515 | Not triaged | 0 days and 0 hours | Resolved |
| Medium | The special code in editor has no authority control and can lead to information disclosure | Information Disclosure | xifengweiyu | Not triaged | 0 days and 20 hours | Informative |
| No rating | Autoclose can close any task regardless of policies/spaces | None supplied | almanac | Not triaged | 1 day and 9 hours | Resolved |
| Medium | The mailbox verification API interface is unlimited and can be used as a mailbox bomb | Improper Access Control - Generic | xifengweiyu | Not triaged | 0 days and 0 hours | Not applicable |
| High | An unsafe design practice in the Passphrase may result in Secret being accidentally changed | Violation of Secure Design Principles | kevin_c | Not triaged | 0 days and 0 hours | Informative |
| Medium | Phabricator is vulnerable to padding oracle attacks and chosen-ciphertext attacks | Missing Required Cryptographic Step | edoverflow | 2 days and 0 hours | 6 days and 1 hour | Resolved |
| Medium | Differential "Show Raw File" feature exposes generated files to unauthorised users | Information Disclosure | calvium | Not triaged | 0 days and 1 hour | Resolved |
| Low | User with only viewing privilege can send message to Room | Privilege Escalation | lucasveigaf | Not triaged | 0 days and 0 hours | Resolved |
| No rating | Enumerating emails through "Forgot Password" form | Violation of Secure Design Principles | denispugachev | Not triaged | 0 days and 0 hours | Informative |
| No rating | Restricted file access when it exists in old versions of task or wiki document | Violation of Secure Design Principles | denispugachev | Not triaged | 0 days and 0 hours | Informative |
| No rating | Fetching binaries (for software installation) over HTTP without verification (RCE as ROOT by MITM) | None supplied | e3amn2l | Not triaged | 0 days and 7 hours | Resolved |
| No rating | Link reset problem | None supplied | pradeepsmehta | Not triaged | 0 days and 0 hours | Not applicable |
| No rating | Error page text injection | Violation of Secure Design Principles | dhanunjaya | Not triaged | 0 days and 10 hours | Not applicable |