Vimeo


reports in last 90 days

60 disclosed resolved issues

8 disclosed informative issues

0 disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to triage | Time to close | Report Status |
|---|---|---|---|---|---|---|
| Medium | Reflected File Download (RFD) in download video | None supplied | dphoeniixx | 5 Days and 0 hours | 195 Days and 23 hours | Resolved |
| High | Domain pointing to vimeo portfolio are prone to takeover using on-demand. | Business Logic Errors | bugdiscloseguys | 1 Day and 15 hours | 18 Days and 7 hours | Resolved |
| High | Improper Authentication in Vimeo's API 'versions' endpoint. | Improper Authentication - Generic | bugdiscloseguys | 0 Days and 21 hours | 0 Days and 1 hour | Resolved |
| No rating | Images and Subtitles Leakage from private videos | Information Disclosure | opnsec | Not triaged | 14 Days and 2 hours | Resolved |
| No rating | OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing | Cross-Site Request Forgery (CSRF) | opnsec | Not triaged | 3 Days and 23 hours | Resolved |
| No rating | Watch any Password Video without password | Information Disclosure | opnsec | Not triaged | 1 Day and 2 hours | Resolved |
| High | Disclosure of sensitive information through Google Cloud Storage bucket | Information Disclosure | koenrh | 54 Days and 0 hours | 7 Days and 4 hours | Resolved |
| No rating | XSS on mobile version of vimeo.com where the button "Follow" appears | Cross-site Scripting (XSS) - Generic | stefanofinding | 23 Days and 13 hours | 0 Days and 1 hour | Resolved |
| No rating | XSS on player.vimeo.com without user interaction and vimeo.com with user interaction | Cross-site Scripting (XSS) - Generic | stefanofinding | 5 Days and 14 hours | 2 Days and 0 hours | Resolved |
| No rating | XSS on vimeo.com/home after other user follows you | Cross-site Scripting (XSS) - Generic | stefanofinding | 1 Day and 4 hours | 35 Days and 0 hours | Resolved |
| No rating | XSS on vimeo.com \| "Search within these results" feature (requires user interaction) | Cross-site Scripting (XSS) - Generic | stefanofinding | 33 Days and 15 hours | 0 Days and 18 hours | Resolved |
| No rating | XSS when using captions/subtitles on video player based on Flash (requires user interaction) | Cross-site Scripting (XSS) - Generic | stefanofinding | 5 Days and 22 hours | 14 Days and 22 hours | Resolved |
| No rating | Stored XSS on player.vimeo.com | Cross-site Scripting (XSS) - Generic | stefanofinding | 5 Days and 5 hours | 0 Days and 5 hours | Resolved |
| No rating | Reflected XSS on vimeo.com/musicstore | Cross-site Scripting (XSS) - Generic | stefanofinding | Not triaged | 2 Days and 10 hours | Resolved |
| No rating | Securing "Reset password" pages from bots | Violation of Secure Design Principles | panchocosil | Not triaged | 0 Days and 0 hours | Resolved |
| No rating | URGENT - Subdomain Takeover on status.vimeo.com due to unclaimed domain pointing to statuspage.io | Cross-Site Request Forgery (CSRF) | avlidienbrunn | Not triaged | 1 Day and 22 hours | Resolved |
| No rating | Can message users without the proper authorization | Improper Authentication - Generic | jkjkjk | 23 Days and 16 hours | 0 Days and 12 hours | Resolved |
| No rating | Application XSS filter function Bypass may allow Multiple stored XSS | Cross-site Scripting (XSS) - Generic | securityidiots | Not triaged | 38 Days and 17 hours | Resolved |
| No rating | [vimeopro.com] CRLF Injection | None supplied | bobrov | Not triaged | 0 Days and 1 hour | Resolved |
| No rating | XSS in Subtitles of Vimeo Flash Player and Hubnut | Cross-site Scripting (XSS) - Generic | opnsec | Not triaged | 4 Days and 0 hours | Duplicate |
| No rating | Downloading password protected / restricted videos | None supplied | gazza | 12 Days and 23 hours | 0 Days and 1 hour | Resolved |
| No rating | Invite any user to your group without even following him | Privilege Escalation | vijay_kumar1110 | 40 Days and 8 hours | 1 Day and 2 hours | Resolved |
| No rating | CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public | Cross-Site Request Forgery (CSRF) | opnsec | Not triaged | 4 Days and 4 hours | Resolved |
| No rating | All Vimeo Private videos disclosure via Authorization Bypass | Information Disclosure | opnsec | Not triaged | 0 Days and 1 hour | Resolved |
| No rating | Error page Text Injection. | Violation of Secure Design Principles | h4rsh4d | Not triaged | 82 Days and 21 hours | Duplicate |