Skip to content

TOPACRONIS.md

Latest commit

 

History

History
130 lines (129 loc) · 17.3 KB

TOPACRONIS.md

File metadata and controls

130 lines (129 loc) · 17.3 KB

Top reports from Acronis program at HackerOne:

  1. SQL Injection in agent-manager to Acronis - 235 upvotes, $0
  2. bypass sql injection #1109311 to Acronis - 162 upvotes, $0
  3. IDOR vulnerability (Price manipulation) to Acronis - 142 upvotes, $0
  4. Ticket Trick at https://account.acronis.com to Acronis - 141 upvotes, $0
  5. [oem.acronis.com] Reflected Cross Site Scripting to Acronis - 131 upvotes, $100
  6. Stored XSS in backup scanning plan name to Acronis - 120 upvotes, $500
  7. IP restriction bypass via X-Forwarded-For header to Acronis - 120 upvotes, $250
  8. SQL injection on admin.acronis.host development web service to Acronis - 117 upvotes, $250
  9. Attacker Can Access to any Ticket Support on https://www.devicelock.com/support/ to Acronis - 107 upvotes, $0
  10. Rate limit bypass on passport.acronis.work using X-Forwarded-For request header to Acronis - 102 upvotes, $250
  11. SQL injection in https://www.acronis.cz/ via the log parameter to Acronis - 100 upvotes, $0
  12. Flash Based Reflected XSS on www.grouplogic.com/jwplayer/player.swf to Acronis - 86 upvotes, $0
  13. Reflected XSS on http://www.grouplogic.com/files/glidownload/verify.asp to Acronis - 83 upvotes, $0
  14. Delete any user's added Email,Telephone,Fax,Address,Skype via csrf in (https://academy.acronis.com/) to Acronis - 80 upvotes, $0
  15. Potential XSS Vulnerability in Acronis Login Callback URL to Acronis - 78 upvotes, $0
  16. PUT Based CSRF via Client Side Path Traversal + Cookie Bomb on Acronis Cloud to Acronis - 76 upvotes, $600
  17. [CVE-2021-44228] nps.acronis.com is vulnerable to the recent log4shell 0-day to Acronis - 75 upvotes, $1000
  18. XSS on https://partners.acronis.com/ to Acronis - 72 upvotes, $0
  19. mail.acronis.com is vulnerable to zero day vulnerability CVE-2022-41040 to Acronis - 71 upvotes, $1000
  20. [forum.acronis.com] JNDI Code Injection due an outdated log4j component to Acronis - 71 upvotes, $0
  21. Subdomain takeover of main domain of https://www.cyberlynx.lu/ to Acronis - 70 upvotes, $100
  22. Reflected XSS in https://www.acronis.com/products/cyber-protect/trial/ to Acronis - 70 upvotes, $100
  23. Reflected XSS on www.grouplogic.com/video.asp to Acronis - 66 upvotes, $0
  24. Stored Cross-site Scripting on devicelock.com/forum/ to Acronis - 65 upvotes, $0
  25. Blind XSS on admin.acronis.com via delete account form on account.acronis.com to Acronis - 64 upvotes, $0
  26. Stored XSS in Acronis Cyber Protect Console to Acronis - 63 upvotes, $500
  27. Potential XSS in redirect_url Parameter to Acronis - 62 upvotes, $0
  28. IDOR in backup recovery functionality to Acronis - 54 upvotes, $0
  29. Bypassing Recaptcha Protection in https://connect.acronis.com to Acronis - 53 upvotes, $0
  30. DOM Based Cookie Bomb in *.acronis.com via x-clickref GET Parameter to Acronis - 52 upvotes, $200
  31. HTML Injection in E-mail to Acronis - 52 upvotes, $0
  32. Blind SSRF vulnerability on cz.acronis.com to Acronis - 48 upvotes, $0
  33. SQL injection in https://demor.adr.acronis.com/ via the username parameter to Acronis - 47 upvotes, $0
  34. Render content from untrusted sources via web_preview endpoint on Acronis Cloud to Acronis - 46 upvotes, $200
  35. Stored XSS in profile page to Acronis - 45 upvotes, $50
  36. admin password disclosure via log file to Acronis - 44 upvotes, $100
  37. IDOR on www.acronis.com API lead to steal private business user information to Acronis - 42 upvotes, $100
  38. Missing rate limit for current password field (Password Change) Account Takeover to Acronis - 41 upvotes, $0
  39. Reflected XSS via "Error" parameter on https://admin.acronis.com/admin/su/ to Acronis - 39 upvotes, $50
  40. Arbitrary file creation via symlink attack on syncagentsrv (Acronis Sync Agent Service) to Acronis - 38 upvotes, $0
  41. Self XSS on Acronis Cyber Cloud to Acronis - 37 upvotes, $100
  42. Possible LDAP username and password disclosed on Github to Acronis - 36 upvotes, $0
  43. %0A (New line) and limitness URL leads to DoS at all system [Main adress (https://www.acronis.com/)] to Acronis - 36 upvotes, $0
  44. FULL SSRF to Acronis - 36 upvotes, $0
  45. licenses key disclosure to Acronis - 35 upvotes, $50
  46. CSS Injection via Client Side Path Traversal + Open Redirect leads to personal data exfiltration on Acronis Cloud to Acronis - 35 upvotes, $0
  47. Acronis True Image (Windows) does not validate server certificate on a TLS connection to Acronis - 34 upvotes, $500
  48. Blind Stored XSS in https://partners.acronis.com/admin which lead to sensitive information/PII leakage to Acronis - 33 upvotes, $150
  49. Reflected XSS on www.acronis.com/de-de/my/subscriptions/index.html to Acronis - 32 upvotes, $0
  50. [acronis.secure.force.com] - Insecure Salesforce default/custom object permissions leads to information disclosure to Acronis - 31 upvotes, $0
  51. [CVE-2021-44228] Arbitrary Code Execution on ng01-cloud.acronis.com to Acronis - 31 upvotes, $0
  52. SSRF when configuring Website Backup on Acronis Cloud to Acronis - 30 upvotes, $500
  53. XSS in (Support Requests) : User Cases to Acronis - 30 upvotes, $50
  54. Read-only administrator can change agent update settings to Acronis - 29 upvotes, $0
  55. Local Privilege Escalation and Code Execution when restoring files from Quarantine to Acronis - 28 upvotes, $250
  56. Web cache poisoning at www.acronis.com to Acronis - 28 upvotes, $0
  57. XSS Stored in Cacheable response to Acronis - 28 upvotes, $0
  58. mysql credentials exposed on - https://cz.acronis.com/docker-compose.yml to Acronis - 28 upvotes, $0
  59. Cross Site Scripting (Reflected) on https://www.acronis.cz/ to Acronis - 27 upvotes, $50
  60. Credentials leaked via Github to Acronis - 26 upvotes, $50
  61. Administrative access to development deployment of web service due to auto-filled credentials to Acronis - 25 upvotes, $250
  62. Local privilege escalation via insecure MSI file to Acronis - 25 upvotes, $250
  63. HTML Injection in E-mail Not Resolved () to Acronis - 25 upvotes, $0
  64. CSRF and XSS on www.acronis.com to Acronis - 25 upvotes, $0
  65. Local Privilege Escalation via DLL Search-Order Hijacking with Cyber Protection Agent - systeminfo.exe utility to Acronis - 25 upvotes, $0
  66. Local Privilege Escalation when updating Acronis True Image to Acronis - 24 upvotes, $250
  67. Reflected XSS on my.acronis.com to Acronis - 24 upvotes, $50
  68. Cross Origin Resource Sharing Misconfiguration to Acronis - 24 upvotes, $0
  69. XSS in https://promo.acronis.com/ to Acronis - 24 upvotes, $0
  70. Cross Site Scripting (Reflected) on https://www.acronis.cz/dotaznik/roadshow-2020/ to Acronis - 22 upvotes, $50
  71. Local File Disclosure /Delete On [us-az-vpn.acronis.com] to Acronis - 21 upvotes, $0
  72. unauth mosquitto ( client emails, ips, license keys exposure ) to Acronis - 20 upvotes, $150
  73. Cross-site Scripting (XSS) - Stored | forum.acronis.com to Acronis - 20 upvotes, $0
  74. Self XSS in attachments name to Acronis - 20 upvotes, $0
  75. Local Privilege Escalation via Backup delete to Acronis - 19 upvotes, $250
  76. DOM based XSS in store.acronis.com/<id>/purl-corporate-standard-IT [cfg parameter] to Acronis - 19 upvotes, $50
  77. Clickjacking on cas.acronis.com login page to Acronis - 19 upvotes, $0
  78. Account Takeover on unverified emails in File Sync & Share to Acronis - 19 upvotes, $0
  79. Subdomain Takeover – www.jet.acronis.com pointing to unclaimed Webflow services to Acronis - 19 upvotes, $0
  80. Acronis True Image 2021 (windows) does not validate server hostname on a login TLS connection to Acronis - 18 upvotes, $250
  81. Any expired reset password link can still be used to reset the password to Acronis - 18 upvotes, $100
  82. Broken Access Controls to Acronis - 18 upvotes, $0
  83. CVE-2021-40438 on cp-eu2.acronis.com to Acronis - 18 upvotes, $0
  84. Missing brute force protection on login page on www.acronis.com to Acronis - 16 upvotes, $250
  85. anti_ransomware_service.exe REST API does not require authentication to Acronis - 16 upvotes, $0
  86. HTTP Request Smuggling on https://consumer.acronis.com to Acronis - 16 upvotes, $0
  87. Large Amounts of Back-End Acronis Source Code is Publicly Accessible to Acronis - 15 upvotes, $250
  88. Subdomain Takeover – jet.acronis.com pointing to unclaimed Webflow services to Acronis - 15 upvotes, $0
  89. Stored Cross Site Scripting at http://www.grouplogic.com/ADMIN/store/index.cfm?fa=disprocode to Acronis - 15 upvotes, $0
  90. Acronis True Image 2020 Build 22510 Nonstop Backup Service Unquoted service path (privilege escalation) to Acronis - 15 upvotes, $0
  91. Acronis True Image Local Privilege Escalation via insecure folder permissions to Acronis - 14 upvotes, $300
  92. Store Admin Page Accessible Without Authentication at http://www.grouplogic.com/ADMIN/store/index.cfm to Acronis - 14 upvotes, $250
  93. DLL Hijacking when sending feedback and crash report leading to Privilege Escalation to Acronis - 14 upvotes, $250
  94. Arbitrary Files and Folders Deletion vulnerability with Acronis Managed Machine Service to Acronis - 14 upvotes, $0
  95. TrueImage for Acronis True Image 2020 - Untrusted DLL Search-Ordering lead to Privilege Escalation as Administrative account to Acronis - 13 upvotes, $250
  96. No Rate Limit On Forgot Password Page to Acronis - 13 upvotes, $0
  97. DLL Hijacking when creating Rescue Media Builder leading to Privilege Escalation to Acronis - 12 upvotes, $250
  98. HTTP Request Smuggling on https://promosandbox.acronis.com to Acronis - 12 upvotes, $0
  99. Open redirect at mc-beta-cloud-acronis.com to Acronis - 12 upvotes, $0
  100. Acronis Sync Agent Service - Untrusted DLL Search-Ordering lead to Privilege Escalation to Acronis - 11 upvotes, $250
  101. Local Privilege Escalation when deleting a file from Quarantine to Acronis - 11 upvotes, $250
  102. No brute force protection on web-api-cloud.acronis.com to Acronis - 11 upvotes, $100
  103. Arbitrary DLL injection in mmsminisrv (Acronis Managed Machine Service Mini) to Acronis - 11 upvotes, $0
  104. Get ip and Geo location any user via Clickjacking with inspectlet technology to Acronis - 10 upvotes, $0
  105. Reflected XSS on cz.acronis.com/dekujeme-za-odber-novinek-produktu-disk-director with ability to creating an admin user in WordPress to Acronis - 9 upvotes, $0
  106. DLL Hijacking when performing operations in Acronis Secure Zone partition leading to Privilege Escalation to Acronis - 8 upvotes, $250
  107. Content Spoofing to Acronis - 8 upvotes, $0
  108. Denial of Service in anti_ransomware_service.exe via logs files to Acronis - 8 upvotes, $0
  109. No server side check on terms of service page which leads to bypass to Acronis - 8 upvotes, $0
  110. Domain does not Match SSL Certificate to Acronis - 8 upvotes, $0
  111. Acronis True Image Local Privilege Escalation Due To Race Condition In Application Verification to Acronis - 8 upvotes, $0
  112. XSS in Acronis Cloud Manager Admin Portal to Acronis - 7 upvotes, $100
  113. Self-DoS due to template injection via email field in password reset form on access.acronis.com to Acronis - 7 upvotes, $0
  114. Local Privilege Escalation via DLL Search-Order Hijacking with Cyber Protection Agent - tibxread.exe utility to Acronis - 7 upvotes, $0
  115. Local Privilege Escalation via EXE hijacking with Acronis True Image 2021 - Acronis Scheduler2 Service to Acronis - 7 upvotes, $0
  116. Session Fixation on Acronis to Acronis - 6 upvotes, $0
  117. True Image 2021 - LPE via XPC service communication to Acronis - 5 upvotes, $250
  118. Unrestricted file upload vulnerability in IMCE to Acronis - 5 upvotes, $0
  119. Local Privilege Escalation in anti_ransomware_service.exe via quarantine to Acronis - 5 upvotes, $0
  120. Information Disclosure via ZIP file on AWS Bucket [http://acronis.1.s3.amazonaws.com] to Acronis - 5 upvotes, $0
  121. Reflected Cross Site Scripting at http://www.grouplogic.com/files/glidownload/verify3.asp [Uppercase Filter Bypass] to Acronis - 5 upvotes, $0
  122. Local Privilege Escalation via EXE hijacking with Acronis True Image 2021 installer to Acronis - 5 upvotes, $0
  123. Account Confirmation bypass leads to acess some fucntionality to Acronis - 4 upvotes, $0
  124. Reflected Cross Site Scripting at ColdFusion Debugging Panel http://www.grouplogic.com/CFIDE/debug/cf_debugFr.cfm to Acronis - 4 upvotes, $0
  125. CVE-2020-6287 https://redapi2.acronis.com to Acronis - 3 upvotes, $0
  126. Found multiple SAP NetWeaver vulnerable services to Acronis - 2 upvotes, $0
  127. ClickJacking to Acronis - 2 upvotes, $0
  128. Subdomains takeover of register.acronis.com, promo.acronis.com, info.acronis.com and promosandbox.acronis.com to Acronis - 2 upvotes, $0