Top reports from Mail.ru program at HackerOne:

Time-Based SQL injection at city-mobil.ru to Mail.ru - 620 upvotes, $15000
touch.mail.ru / e.mail.ru memory content disclosure to Mail.ru - 409 upvotes, $10000
Unrestricted file upload on [ambassador.mail.ru] to Mail.ru - 404 upvotes, $3000
Account Takeover worki.ru to Mail.ru - 390 upvotes, $1700
Cross-organization data access in city-mobil.ru to Mail.ru - 372 upvotes, $8000
SQL injection at fleet.city-mobil.ru to Mail.ru - 369 upvotes, $10000
RCE on shared.mail.ru due to "widget" plugin to Mail.ru - 359 upvotes, $10000
Account TakeOver at my.33slona.ru to Mail.ru - 359 upvotes, $1700
SSRF & LFR via on city-mobil.ru to Mail.ru - 341 upvotes, $6000
[ RCE ] Through stopping the redirect in /admin/* the attacker able to bypass Authentication And Upload Malicious File to Mail.ru - 340 upvotes, $4000
[windows10.hi-tech.mail.ru] Blind SQL Injection to Mail.ru - 326 upvotes, $5000
[fleet.city-mobil.ru] Driver balance increasing to Mail.ru - 318 upvotes, $8000
SSRF on fleet.city-mobil.ru leads to local file read to Mail.ru - 272 upvotes, $6000
XXE on pulse.mail.ru to Mail.ru - 263 upvotes, $6000
HTTP request smuggling (?) canpol.deti.mail.ru to Mail.ru - 241 upvotes, $5000
SSRF & LFR on city-mobil.ru to Mail.ru - 237 upvotes, $6000
Boolean-based SQL Injection on relap.io to Mail.ru - 225 upvotes, $2000
Blind SQL Injection in city-mobil.ru domain to Mail.ru - 223 upvotes, $2000
[panel.city-mobil.ru/admin/] Blind XSS into username to Mail.ru - 219 upvotes, $750
file read on MCS servers via supplying a QCOW2 image with external backing file to Mail.ru - 218 upvotes, $15000
SQL LIKE clauses wildcard injection to Mail.ru - 216 upvotes, $8000
Cross application scripting via account.mail.ru to Mail.ru - 205 upvotes, $5000
Debug Mode Leak Critical Information [ AWS Keys , SMTP , Database , Django Secret Key ( RCE ) , Dodoc , Telegram , Twilio .. ] to Mail.ru - 203 upvotes, $7500
read new emails from any inbox IOS APP in notification center to Mail.ru - 182 upvotes, $10000
JMX RMI command injection on 195.211.131.82(Mail.ru Gaming) to Mail.ru - 163 upvotes, $2000
Information disclosure with sensitive data to Mail.ru - 156 upvotes, $1500
SQL Injection [unauthenticated] with direct output at https://news.mail.ru/ to Mail.ru - 155 upvotes, $7500
Access to Tarantool to Mail.ru - 154 upvotes, $4000
Path traversal, SSTI and RCE on a MailRu acquisition to Mail.ru - 152 upvotes, $2000
[mcs.mail.ru] Пользователь с ролью наблюдателя может создавать ключи доступа для очереди сообщений (sqs.mcs.mail.ru) to Mail.ru - 146 upvotes, $15000
[c-api.city-mobil.ru] Client authentication bypass leads to information disclosure to Mail.ru - 143 upvotes, $8000
Account Takeover at worki.ru to Mail.ru - 143 upvotes, $1500
Account Takeover at vseapteki.ru to Mail.ru - 142 upvotes, $2000
Незащищённый экземпляр Zeppelin to Mail.ru - 139 upvotes, $35000
Account TakeOver through password recovery at am.ru to Mail.ru - 139 upvotes, $3000
XSS via message subject - mobile application to Mail.ru - 139 upvotes, $1000
PHP code injection at tz.mail.ru to Mail.ru - 137 upvotes, $3000
worki.ru: SMS code bruteforce to Mail.ru - 136 upvotes, $1657
SSRF in clients.city-mobil.ru to Mail.ru - 132 upvotes, $1500
SSRF in filtering on relap.io to Mail.ru - 129 upvotes, $1700
[api.pandao.ru] IDOR for order delivery address to Mail.ru - 120 upvotes, $3000
"😂" + Unauthenticated Stored XSS in API at https://api.my.games/comments/v1/comments/update/ to Mail.ru - 117 upvotes, $0
web.icq.com XSS in chat message via contact info to Mail.ru - 116 upvotes, $1000
SMS Brute Force Possibility via https://youdrive.today/login/web/code can lead to Account Takeover to Mail.ru - 115 upvotes, $1500
[agent.33slona.ru] Recovery code bruteforce to Mail.ru - 104 upvotes, $1500
[city-mobil.ru] SSRF & limited LFR on /taxiserv/photoeditor/save endpoint via base64 POST parameter to Mail.ru - 94 upvotes, $6000
Open Selenoid instance at 188.93.63.186 leads to LFR/SSRF. to Mail.ru - 93 upvotes, $6000
Blind SSRF in horizon-heat to Mail.ru - 91 upvotes, $2500
turboslim.lady.mail.ru - Blind sql-injection. to Mail.ru - 90 upvotes, $5000
Stored XSS to Mail.ru - 89 upvotes, $500
Avatar upload allows arbitrary file overwriting to Mail.ru - 88 upvotes, $750
capsula.mail.ru - Admin blind stored XSS to Mail.ru - 86 upvotes, $1500
SQL injection on jd.mail.ru to Mail.ru - 86 upvotes, $300
Access User Tickets via IDOR in [widget.support.my.games] to Mail.ru - 85 upvotes, $2000
3igames.mail.ru SQL Injection to Mail.ru - 84 upvotes, $1500
Blind XSS in operator's interface for 33slona.ru to Mail.ru - 83 upvotes, $600
Reflected XSS in https://light.mail.ru/login via page to Mail.ru - 83 upvotes, $500
[app-01.youdrive.club] RCE in CI/CD via dependency confusion to Mail.ru - 82 upvotes, $3000
Возможность зайти на любой аккаунт https://pandao.ru/ to Mail.ru - 76 upvotes, $2600
SQL injection delivery-club.ru (ClickHouse) to Mail.ru - 75 upvotes, $5000
Stored XSS in email to Mail.ru - 75 upvotes, $1000
[Mail.Ru Android] Typo in permission name allows to write contacts without user knowledge to Mail.ru - 75 upvotes, $150
[https://city-mobil.ru/taxiserv] Blind XSS into username to Mail.ru - 74 upvotes, $750
Дюп предметов lootdog и возможность их продавать. to Mail.ru - 73 upvotes, $5000
Path traversal lead to LFR via [CVE-2019-3394] to Mail.ru - 73 upvotes, $1500
XSS via POST request to https://account.mail.ru/signup/ to Mail.ru - 73 upvotes, $1000
Stored XSS that allow an attacker to read victim mailboxes contacts in mail.ru and my.com application to Mail.ru - 71 upvotes, $1000
blind XXE in autodiscover parser to Mail.ru - 70 upvotes, $5000
XSS via Cookie in Mail.ru to Mail.ru - 70 upvotes, $1000
[API] ICQ user's avatar can be manipulated remotely to Mail.ru - 70 upvotes, $1000
[account.mail.ru] XSS-уязвимость в форме авторизации to Mail.ru - 70 upvotes, $1000
Reflected XSS & Open Redirect at mcs main domain to Mail.ru - 68 upvotes, $1000
reflected xss in e.mail.ru to Mail.ru - 67 upvotes, $1000
Account takeover through password reset in cups.mail.ru to Mail.ru - 66 upvotes, $1500
Cross-site Scripting (XSS) - DOM on https://account.mail.ru/user/garage?back_url=https://mail.ru to Mail.ru - 66 upvotes, $1000
web.icq.com XSS in chat message via contact info to Mail.ru - 64 upvotes, $500
SQL Injection at https://lite.r-keeper.ru/site_api/clients/derision/?lang=ru to Mail.ru - 61 upvotes, $1500
[pandao.ru] Возможность списания несуществующих бонусных баллов to Mail.ru - 57 upvotes, $1000
[web.icq.com] Stored XSS in Account Name to Mail.ru - 57 upvotes, $1000
HTML injection at face.city-mobil.ru to Mail.ru - 57 upvotes, $500
Blind SQL in id_locality GET param on [city-mobil.ru/taxiserv] to Mail.ru - 55 upvotes, $3500
[tanks.mail.ru] SSRF + Кража cookie to Mail.ru - 55 upvotes, $750
XXE на webdav.mail.ru - PROPFIND/PROPPATCH to Mail.ru - 54 upvotes, $10000
Blind SSRF in magnum upgrade_params to Mail.ru - 54 upvotes, $2500
XSS account.mail.ru to Mail.ru - 54 upvotes, $1000
Possibility to attach any mobile number to any email to Mail.ru - 52 upvotes, $3000
Error in processing gif images to Mail.ru - 52 upvotes, $250
Blind SQL Injection on news.mail.ru to Mail.ru - 51 upvotes, $3000
BLIND SSRF ON http://jsgames.mail.ru via avaOp parameter to Mail.ru - 49 upvotes, $1200
molotok.m.mail.ru delegated to external entity to Mail.ru - 48 upvotes, $1500
IDOR of users to Mail.ru - 48 upvotes, $500
[my.games, lootdog.io] XSS via MCS Bucket to Mail.ru - 47 upvotes, $1333
Stored XSS on store.my.games to Mail.ru - 47 upvotes, $200
[smena.samokat.ru] Predictable JWT secret to Mail.ru - 46 upvotes, $400
informations disclosure(Email,Numbers,Agreements, admin Sessions and more ...) through a PostgreSQL database belongs to (legium-back.corp.mail.ru) to Mail.ru - 45 upvotes, $150
Stored XSS when you read eamils. <style> to Mail.ru - 44 upvotes, $1000
SSRF to Mail.ru - 44 upvotes, $500
[city-mobil.ru/taxiserv/] SQLi at /taxiserv/tariffs/dictionary at filter{"id_locality"} param to Mail.ru - 43 upvotes, $3500
[https://pandao.ru] - PUT method available to Mail.ru - 43 upvotes, $1000
Cross-site Scripting (XSS) - Stored to Mail.ru - 43 upvotes, $0
Access to information about any video and its owner via GraphQL endpoint [dictor.mail.ru] to Mail.ru - 42 upvotes, $2500
DOM XSS on https://biz.mail.ru/domains/goto/mail/ via parameter pollution to Mail.ru - 42 upvotes, $1000
[e.mail.ru] XSS в поиске to Mail.ru - 42 upvotes, $750
Leak Sensetive Data at face.city-mobil.ru to Mail.ru - 42 upvotes, $500
Blind XSS Stored On Admin Panel Through Name Parameter In [ https://technoatom.mail.ru/] to Mail.ru - 41 upvotes, $250
blog/wp-json/wp/v2/users FILE is enable it will used for bruteforce attack the admin panel at blog/wp-login.php to Mail.ru - 41 upvotes, $0
LRF on shared.mail.ru due to "markdown" plugin to Mail.ru - 40 upvotes, $6000
Forgot Password Page SMS Brute Force could lead to Account Takeover using Android/IOS app "About the house" via api.prodom.smart.space to Mail.ru - 40 upvotes, $1500
Multiple SQL Injections and constrained LFI in esk-static.3igames.mail.ru to Mail.ru - 40 upvotes, $1500
[XSS] data-url в письмах to Mail.ru - 40 upvotes, $1000
[geekbrains.ru] CVE-2019-5418 Ruby on Rails File Content Disclosure to Mail.ru - 40 upvotes, $750
Source code disclosure to Mail.ru - 40 upvotes, $500
Stored xss on message reply to Mail.ru - 40 upvotes, $500
Открытый Confluence и доступы к чату операторов в Skype to Mail.ru - 39 upvotes, $1500
[special.mail.ru] Information Disclosure to Mail.ru - 39 upvotes, $500
API method at api.my.games allows to enumerate user emails to Mail.ru - 39 upvotes, $400
unauthorized Access To Elastic DB to Mail.ru - 39 upvotes, $150
CSRF on api.my.games due to improper validation of token allows an attacker to delete other users notifications to Mail.ru - 38 upvotes, $100
Unauthorized Access To Admin panel to Mail.ru - 38 upvotes, $0
CSRF Vulnerability at https://aw.my.com/ to Mail.ru - 37 upvotes, $0
Blind SSRF на calendar.mail.ru при импорте календаря to Mail.ru - 36 upvotes, $5000
Shell upload in http://widget.support.my.com/ to Mail.ru - 36 upvotes, $1000
IDOR в списке пользователей по домену в relap.io to Mail.ru - 36 upvotes, $500
Database read through file attachment [content://] to Mail.ru - 35 upvotes, $1000
[api-site.city-mobil.ru] Improper access control leads to information disclosure to Mail.ru - 34 upvotes, $5000
MCS Graphite SSRF: internal network access to Mail.ru - 34 upvotes, $2500
Grafana SSRF in grafana.instamart.ru to Mail.ru - 34 upvotes, $1200
Full Account Takeover In ****.ru to Mail.ru - 34 upvotes, $500
Disable 2FA via CSRF (Leads to 2FA Bypass) to Mail.ru - 34 upvotes, $0
Bypass the reverse proxy. Request admin to Mail.ru - 34 upvotes, $0
[allods.mail.ru] - WebCache Poisoning Host Header lead to Potential Stored XSS to Mail.ru - 34 upvotes, $0
IDOR смена email пользователя через Ситимобил Бизнес to Mail.ru - 33 upvotes, $2500
SSRF at jira.plazius.ru - CVE-2019-8451 to Mail.ru - 33 upvotes, $1200
api.icq.com / возможность смотреть аватарку и название приватного чата to Mail.ru - 33 upvotes, $1000
[api.pandao.ru] IDOR позволяет изменять адрес любого пользователя to Mail.ru - 33 upvotes, $1000
Blind SSRF on [relap.io] to Mail.ru - 33 upvotes, $1000
OS command injection on seedr.ru to Mail.ru - 33 upvotes, $1000
XSS in biz.mail.ru/error to Mail.ru - 33 upvotes, $500
[XSS] postMessage в jsapi/button to Mail.ru - 33 upvotes, $500
Blind SQL injection [https://honor.hi-tech.mail.ru] to Mail.ru - 33 upvotes, $300
[api-site.city-mobil.ru] Improper access control leads to information disclosure (bypass of #977597 fix) to Mail.ru - 31 upvotes, $5000
Possible access to the car's photo and registration by its ID on [fleet.city-mobil.ru] to Mail.ru - 31 upvotes, $5000
SDC bypass on calendar.mail.ru to Mail.ru - 31 upvotes, $1500
SQL Injection at https://lite.r-keeper.ru/site_api/localize/translate/rklscommon/ru to Mail.ru - 31 upvotes, $1500
XSS in message e.mail.ru to Mail.ru - 31 upvotes, $1000
Code Injection in macOS Desktop Client to Mail.ru - 31 upvotes, $100
[iot-hackathon.geekbrains.ru] Tilda Subdomain Takeover to Mail.ru - 31 upvotes, $0
Blind SQL injection on [city-mobil.ru/taxiserv/] in filter{"id_locality"} to Mail.ru - 30 upvotes, $3500
[o2.mail.ru] nginx alias traversal to Mail.ru - 30 upvotes, $150
[https://seosan.io] Account owner disclosure to Mail.ru - 30 upvotes, $150
[screenshot.mail.ru] CRLF Injection to Mail.ru - 30 upvotes, $0
User session access due to Oauth whitelist host bypass and postMessage to Mail.ru - 30 upvotes, $0
Stored XSS on top.mail.ru to Mail.ru - 30 upvotes, $0
[ii.worki.ru ] emarsys subdomain takeover to Mail.ru - 30 upvotes, $0
Race condition на market.games.mail.ru to Mail.ru - 29 upvotes, $1000
allods.mail.ru sql injection to Mail.ru - 28 upvotes, $2200
o2.mail.ru XSS to Mail.ru - 28 upvotes, $1000
LFI in beta.mail.ru to Mail.ru - 28 upvotes, $150
[play.skillbox.ru] CRLF Injection to Mail.ru - 28 upvotes, $0
[city-mobil.ru/taxiserv/] Disclosure information about drivers to Mail.ru - 27 upvotes, $1500
Account Takeover possibility via https://awards.donationalerts.com using login with twitch.tv to Mail.ru - 27 upvotes, $1000
[web.icq.com] Stored XSS in "О Контакте" to Mail.ru - 27 upvotes, $500
Reflected XSS at city-mobil.ru to Mail.ru - 27 upvotes, $300
IP address can be leaked on Image preview in ICQ for Android chat to Mail.ru - 27 upvotes, $150
Blindy Replace User's Session with Attacker's Session to Mail.ru - 27 upvotes, $150
Mail.Ru Email for Android: Injecting custom screen inside adding new account flow to Mail.ru - 26 upvotes, $750
Account takeover on [support2.ucs.ru] to Mail.ru - 26 upvotes, $150
Subdomain takeover on tilda.geekbrains.ru and fl-change.geekbrains.ru to Mail.ru - 26 upvotes, $0
CSRF + XSS leads to ATO to Mail.ru - 26 upvotes, $0
unclaimed subdomain special.rkeeper.ru to takeover from tilda.cc to Mail.ru - 26 upvotes, $0
cross site scripting bypass session to Mail.ru - 25 upvotes, $1000
Stored xss в пересланном сообщении. to Mail.ru - 25 upvotes, $500
Shell upload in partner service to Mail.ru - 25 upvotes, $500
Un Authencitated Quartz Pannel with Scheduling tasks to Mail.ru - 25 upvotes, $500
Stored XSS in history on [corporate.city-mobil.ru] to Mail.ru - 25 upvotes, $300
CSRF on draft message creation in tel.mail.ru to Mail.ru - 25 upvotes, $250
Blind SSRF [ Sentry Misconfiguraton ] to Mail.ru - 25 upvotes, $250
[geekbrains.ru] Node modules path disclosure due to lack of error handling to Mail.ru - 25 upvotes, $0
[int.ucs.ru] Доступ ко внутренней сети UCS через забытый прокси Fiddler на 217.25.235.214:7459 to Mail.ru - 24 upvotes, $2500
Disk-o Cloud application (Windows) does not validate server certificate on a TLS connection to Mail.ru - 24 upvotes, $2500
uninitilized server memory disclosure via ImageMagick in my.mail.ru and cloud.mail.ru to Mail.ru - 24 upvotes, $750
[e.mail.ru] Stored xss in Mpop cookie to Mail.ru - 24 upvotes, $600
XSS in touch.mail.ru to Mail.ru - 24 upvotes, $500
[XSS] iframe в payments/phones to Mail.ru - 24 upvotes, $500
XSS via the lang parameter in a POST request on light.mail.ru to Mail.ru - 24 upvotes, $500
Stored XSS in api.icq.net to Mail.ru - 24 upvotes, $150
Sensitive information exposure via git commit to Mail.ru - 24 upvotes, $150
JSONP hijacking to Mail.ru - 24 upvotes, $0
Stored XSS in Review Section https://games.mail.ru/ to Mail.ru - 24 upvotes, $0
Account takeover in cups.mail.ru using punycode characters to Mail.ru - 23 upvotes, $1500
[Plazius] SSRF через некорректно сконфигурированный Fiddler 46.148.201.206:10121 to Mail.ru - 23 upvotes, $1200
ICQ Android APP remote DoS to Mail.ru - 23 upvotes, $1000
Blind XXE on my.mail.ru to Mail.ru - 23 upvotes, $800
Apache server-info enabled to Mail.ru - 23 upvotes, $0
Subdomain takeover on "info-edcrunch.skillfactory.ru" to Mail.ru - 23 upvotes, $0
При передаче в ID сообщения нулевого байта, происходит вывод какого-то буфера. to Mail.ru - 22 upvotes, $3500
relap.io/admin/api - административный API доступен без аутентификации to Mail.ru - 22 upvotes, $3000
IDOR widget.support.my.com to Mail.ru - 22 upvotes, $1000
Account Takeover on https://www.delivery-club.ru через партнерский аккаунт. to Mail.ru - 22 upvotes, $1000
REST API Endpoint leads to Unauthorized user disclosed private [ issue ] details to Mail.ru - 22 upvotes, $1000
СКР инжект to Mail.ru - 22 upvotes, $500
Web cache information leakage at sbermarket.ru to Mail.ru - 22 upvotes, $400
Mirror of https://city-mobil.ru admin interface to Mail.ru - 22 upvotes, $150
Django Debug=True Leaks admin email addresss and serval system information to Mail.ru - 22 upvotes, $0
Возможность изменить поле "E-Mail для доступа в личный кабинет" у другого пользователя [corporate.city-mobil.ru] to Mail.ru - 21 upvotes, $2500
[Web ICQ Client] XSS уязвимость в имени пользователя to Mail.ru - 21 upvotes, $1000
Private file read through file attachment to Mail.ru - 21 upvotes, $1000
Stored XSS in e.mail.ru (payload affect multiple users) to Mail.ru - 21 upvotes, $750
Xss Reflected On spgw.terrhq.ru [ url ] to Mail.ru - 21 upvotes, $750
ICQ 10.0.12371 icq: Uri Handler '-testability' URL File Insecure Library Loading Code Execution Vulnerability to Mail.ru - 21 upvotes, $500
XSS web.icq.com double linkify to Mail.ru - 21 upvotes, $250
[icq.im] Reflected XSS via chat invite link to Mail.ru - 21 upvotes, $250
source code leak to Mail.ru - 21 upvotes, $150
ssrf xspa [https://prt.mail.ru/] 2 to Mail.ru - 21 upvotes, $150
XSS in messages on geekbrains.ru to Mail.ru - 21 upvotes, $0
Reflected XSS on https://go.mail.ru/search?fr=mn&q=<payload> to Mail.ru - 21 upvotes, $0
Cross-site Scripting (XSS) - Reflected vseapteki.ru to Mail.ru - 21 upvotes, $0
subdomain takeover disney.samokat.ru to Mail.ru - 21 upvotes, $0
CVE-2020-11110: Grafana Unauthenticated Stored XSS -████.bizml.ru to Mail.ru - 21 upvotes, $0
add class vulnerable Stored XSS to Mail.ru - 21 upvotes, $0
[int.ucs.ru] Атаки на внутреннюю сеть UCS через СУБД Clickhouse to Mail.ru - 20 upvotes, $3000
SDC bypass cloud.mail.ru for every /api/v3/* endpoint. to Mail.ru - 20 upvotes, $1500
слепая XSS в админ панели torg.mail.ru через отзыв to Mail.ru - 20 upvotes, $500
Redmin API Key Exposed In GIthub to Mail.ru - 20 upvotes, $400
Data URI Stored XSS on Donations Page to Mail.ru - 20 upvotes, $200
IDOR in tracking driver logs at city-mobil.ru to Mail.ru - 20 upvotes, $150
[webvpn.city-srv.ru] Path traversal via CVE-2020-3452 to Mail.ru - 20 upvotes, $150
Stored XSS In mlbootcamp.ru to Mail.ru - 20 upvotes, $0
Stored XSS in calendar via UID parameter to Mail.ru - 19 upvotes, $1000
XSS in e.mail.ru to Mail.ru - 19 upvotes, $500
*..my.com open proxy to Mail.ru - 19 upvotes, $300
Path traversal on bank.mail.ru ( CVE-2013-3827 ) to Mail.ru - 19 upvotes, $150
Disclosure of personal support email addresses on 'support-fleet.city-mobil.ru' to Mail.ru - 19 upvotes, $150
URL redirection to Mail.ru - 19 upvotes, $0
XSS at go.mail.ru to Mail.ru - 19 upvotes, $0
Blind XSS Stored and CORS misconfiguration в отчете "События" сервиса top.mail.ru to Mail.ru - 19 upvotes, $0
[Biz] [Mailer] Кроп любых* изображений расположенных на сервере to Mail.ru - 19 upvotes, $0
[pandao.ru] possibility to attach arbitrary phone number to account registered via social network to Mail.ru - 18 upvotes, $750
XSS on https://account.mail.ru/login via postMessage to Mail.ru - 18 upvotes, $500
Account takeover via CORS misconfigutation on https://beta.delivery-club.ru to Mail.ru - 18 upvotes, $250
ОДМИН ТЭСТ to Mail.ru - 18 upvotes, $150
ICQ for macOS: lack of com.apple.quarantine meta-attribute on downloaded files leads to GateKeeper/Quarantine bypass for downloaded executables to Mail.ru - 18 upvotes, $150
Account TakeOver at kvartira.city-mobil.ru to Mail.ru - 18 upvotes, $150
Gitlab search exposing personal data of employees on gitlab-edu.geekbrains.ru to Mail.ru - 18 upvotes, $150
[mobs.mail.ru] nginx path traversal via misconfigured alias to Mail.ru - 18 upvotes, $0
XSS (reflected, and then, cookie persisted) on api documentation site theme selector (old version of dokuwiki) to Mail.ru - 18 upvotes, $0
Subdomain Takeover to Mail.ru - 18 upvotes, $0
[Web ICQ Client] XSS-inj in polls to Mail.ru - 17 upvotes, $1000
Reflected XSS on https://e.mail.ru/compose/ via Body parameter to Mail.ru - 17 upvotes, $1000
SSRF On [ allods.mail.ru ] to Mail.ru - 17 upvotes, $750
Development configurations file with a sensitive data exposure could be leads to take down the social media accounts and the DB to Mail.ru - 17 upvotes, $500
CVE-2016-6415 on api-staging.plazius.ru [46.148.201.218] to Mail.ru - 17 upvotes, $400
CSRF in attach phone API endpoint on delivery-club.ru to Mail.ru - 17 upvotes, $250
Account Takeover on [ls5-dev.ucs.ru] to Mail.ru - 17 upvotes, $250
An implementation flaw in Mail.ru can be exploited for DKIM signature spoofing and email spoofing to Mail.ru - 17 upvotes, $150
Stored XSS на странице "Изменить клиента", вкладка "История" [city-mobil.ru/taxiserv] to Mail.ru - 17 upvotes, $150
Web Cache Poisoning to Mail.ru - 17 upvotes, $0
XSS в теле письма. to Mail.ru - 16 upvotes, $1000
Mail.ru for Android - Theft of sensitive data to Mail.ru - 16 upvotes, $1000
Stored XSS on {https://calendar.mail.ru/} to Mail.ru - 16 upvotes, $1000
relap.io IDOR to Mail.ru - 16 upvotes, $750
[la.mail.ru] - SSRF + кража cookie to Mail.ru - 16 upvotes, $750
Blind Stored XSS to Mail.ru - 16 upvotes, $550
XSS in e.mail.ru to Mail.ru - 16 upvotes, $500
Blind SSRF on sentry.dev-my.com due to Sentry misconfiguration to Mail.ru - 16 upvotes, $500
Bypass security fixes by downgrading version of application to Mail.ru - 16 upvotes, $250
[185.30.178.57:8080] - Vulnerable to Jetleak to Mail.ru - 16 upvotes, $250
IDOR of contracts on dictor.mail.ru to Mail.ru - 16 upvotes, $150
Пользователь может изменить номер телефона в профиле без СМС подтверждения to Mail.ru - 16 upvotes, $150
Stored XSS на странице "Измененить водителя" [city-mobil.ru/taxiserv] to Mail.ru - 16 upvotes, $150
Deliviry Club Courier app (v. 3.9.25.0); Disclosure phone number of client. to Mail.ru - 16 upvotes, $150
XSS on https://www.delivery-club.ru to Mail.ru - 16 upvotes, $100
Open Redirect to Mail.ru - 16 upvotes, $0
Exposed Golang debugger on tier3.riot.mail.ru:9090, 9080 to Mail.ru - 16 upvotes, $0
Account takeover at geekbrains.ru to Mail.ru - 15 upvotes, $1500
Gain access to random information via group chat "about" property to Mail.ru - 15 upvotes, $1000
SSRF + RCE через fastCGI в POST /api/nr/video to Mail.ru - 15 upvotes, $1000
Same origin policy bypass on e.mail.ru via Cross-Site Flashing to Mail.ru - 15 upvotes, $750
uchi.ru check_lessons Blind SQL Injection to Mail.ru - 15 upvotes, $750
XSS на странице account.mail.ru/recovery to Mail.ru - 15 upvotes, $500
[pulse.mail.ru] Доступ к статистике чужих площадок to Mail.ru - 15 upvotes, $400
Вывод значений переменных Nginx в теле страницы to Mail.ru - 15 upvotes, $300
Cross-site Scripting (XSS) - Stored in ru.mail.mailapp to Mail.ru - 15 upvotes, $150
idor leads to leak order information to Mail.ru - 15 upvotes, $150
Stored XSS на странице "Изменить клиента" [city-mobil.ru/taxiserv] to Mail.ru - 15 upvotes, $150
BruteForce Any [My.com] Account Credentials. to Mail.ru - 15 upvotes, $100
[cfire.mail.ru] CSRF Bypassed - Changing anyone's 'User Info' to Mail.ru - 15 upvotes, $0
Stored XSS to Mail.ru - 15 upvotes, $0
Cross site scripting vulnerability in JW Player SWF to Mail.ru - 15 upvotes, $0
Reflected XSS on http://info.ucs.ru/settings/check/ to Mail.ru - 15 upvotes, $0
Partner Account Takeover on https://www.delivery-club.ru через пользовательский аккаунт. to Mail.ru - 14 upvotes, $500
Potential SSRF in sales.mail.ru to Mail.ru - 14 upvotes, $300
mailer.i.bizml.ru viber service preprod information disclosure to Mail.ru - 14 upvotes, $300
XSS в нике при запросе в контакты. to Mail.ru - 14 upvotes, $250
XSS при добавлении в чат пользователя to Mail.ru - 14 upvotes, $250
Make user buy items via clickjacking possibility to Mail.ru - 14 upvotes, $200
IDOR on mcs.mail.ru to Mail.ru - 14 upvotes, $150
Local SQL Injection in Content Provider (ru.mail.data.contact.ContactsProvider) of Mail.ru for Android, version 12.2.0.29734 to Mail.ru - 14 upvotes, $150
XSS при Изменения машины на странице "Контроль" [city-mobil.ru/taxiserv] to Mail.ru - 14 upvotes, $150
Reflected XSS on https://www.delivery-club.ru/ to Mail.ru - 14 upvotes, $100
Подмена фотографий автомобиля [city-mobil.ru/taxiserv/] to Mail.ru - 14 upvotes, $100
[element.mail.ru] /.svn/entries to Mail.ru - 14 upvotes, $0
Open Redirect on [My.com] to Mail.ru - 14 upvotes, $0
Bash History file log to Mail.ru - 14 upvotes, $0
RCE Jira(CVE-2019–11581) [my-com.atlassian.net] to Mail.ru - 14 upvotes, $0
Race condition при покупке подарков на games.mail.ru to Mail.ru - 14 upvotes, $0
Reflected XSS on am.ru and subdomains to Mail.ru - 14 upvotes, $0
Subdomain Takeover to Mail.ru - 14 upvotes, $0
Reflected XSS on https://deti.mail.ru to Mail.ru - 14 upvotes, $0
XSS в теле письма, в новой версии почты. to Mail.ru - 13 upvotes, $1000
SSRF на https://target.my.com/ to Mail.ru - 13 upvotes, $800
Attacker can send requests from mail.ru server to Mail.ru - 13 upvotes, $800
[supportlocal.delivery-club.ru] Subdomain Takeover to Mail.ru - 13 upvotes, $500
[http://kiwi.youdrive.today/] Information disclosure via Kiwi TCMS vulnerability to Mail.ru - 13 upvotes, $300
CSRF на calendar.mail.ru to Mail.ru - 13 upvotes, $250
Modifying application settings via clickjacking on o2.mail.ru to Mail.ru - 13 upvotes, $150
Path Traversal When Sharing with Cloud Mail.Ru App via a file with Crated Name to Mail.ru - 13 upvotes, $150
[health.mail.ru] Раскрытие SSI сценариев to Mail.ru - 13 upvotes, $150
MySQL username and password leaked on [2017.russianaicup.ru] to Mail.ru - 13 upvotes, $150
NPM_API_KEY Leak to Mail.ru - 13 upvotes, $150
Stored XSS в профиле водителя [city-mobil.ru/taxiserv] to Mail.ru - 13 upvotes, $150
Stored XSS на странице "Почты" [city-mobil.ru/taxiserv] to Mail.ru - 13 upvotes, $150
XSS на странице "Создать водителя" [city-mobil.ru/taxiserv] to Mail.ru - 13 upvotes, $150
lootdog.io XSS to Mail.ru - 13 upvotes, $100
CSRF on lootdog.io to Mail.ru - 13 upvotes, $100
3rd party shop admin panel blind XSS to Mail.ru - 13 upvotes, $0
[3k.mail.ru] - Content spoofing to Mail.ru - 13 upvotes, $0
CSRF на лайк к отзыву (Pandao) to Mail.ru - 13 upvotes, $0
Unrestricted File Upload To Xss Stored [ https://ideas.browser.mail.ru/ ] to Mail.ru - 13 upvotes, $0
HTTP-Response-Splitting leads to information disclosure (email, firstname, lastname) at https://tz.mail.ru to Mail.ru - 13 upvotes, $0
[geekbrains.ru] Reflected XSS via Angular Template Injection to Mail.ru - 13 upvotes, $0
HTML/iframe/XSS injection on https://www.ucs.ru/online/shelter/settings/check/ to Mail.ru - 13 upvotes, $0
IDOR to edit test/poll/quiz on relap.io to Mail.ru - 13 upvotes, $0
[https://geekbrains.ru/profile] - authenticity_token not tied to user session leads to CSRF attacks to Mail.ru - 13 upvotes, $0
Partner's manager can aсccess statistics of all drivers [city-mobil.ru/taxiserv] to Mail.ru - 12 upvotes, $1500
Дубликат: https://hackerone.com/reports/219171 (доступ к аккаунту, через сброс пароля) to Mail.ru - 12 upvotes, $1000
XSS в письме, в поле отправителя. to Mail.ru - 12 upvotes, $1000
[myMail Android] Access to protected app components via RegistrationPhoneActivity to Mail.ru - 12 upvotes, $1000
reflected XSS on healt.mail.ru to Mail.ru - 12 upvotes, $500
Возможность залить шелл на https://widget.operator.mail.ru to Mail.ru - 12 upvotes, $500
Launch Any Activity in MyMail App to Mail.ru - 12 upvotes, $500
OOB XXE to Mail.ru - 12 upvotes, $500
Android MailRu Email: Thirdparty can access private data files with small user interaction to Mail.ru - 12 upvotes, $300
Publicly Accessible Harshi Corp Consul to Mail.ru - 12 upvotes, $300
reflected xss on learn.city-mobil.ru via redirect_url parameter to Mail.ru - 12 upvotes, $300
XSS в названии лайвчата to Mail.ru - 12 upvotes, $250
Раскрытие серии/номера паспорта и снилс пользователя lootdog.io to Mail.ru - 12 upvotes, $250
stored xss путём загрузки вредоносного файла + обход загрузки файлов. to Mail.ru - 12 upvotes, $200
Bypassing SOP with XSS on account.my.games leading to steal CSRF token and user information to Mail.ru - 12 upvotes, $200
Code source discloure & ability to get database information "SQL injection" in [townwars.mail.ru] to Mail.ru - 12 upvotes, $150
XSS at af.attachmail.ru to Mail.ru - 12 upvotes, $150
filin.mail.ru user's e-mail address disclosure to Mail.ru - 12 upvotes, $150
warofdragons.my.games: configuration files with database account are accessible to Mail.ru - 12 upvotes, $150
[ICQ] nwwwstg-d01.ops.icq.com check mk agent exposed to public to Mail.ru - 12 upvotes, $150
Account Takeover via Forgot Password Page at https://3k.mail.ru/send_password.php? to Mail.ru - 12 upvotes, $150
Improper Restriction of Excessive Authentication Attempts at http://terrafoot.ru/login.php (Rate Limit bypass via IP Rotation) to Mail.ru - 12 upvotes, $150
api.icq.com / возможность присоединиться к любому чату (даже закрытому). to Mail.ru - 12 upvotes, $100
Найден build.sh в webagent.mail.ru to Mail.ru - 12 upvotes, $100
CRLF injection mcs.mail.ru (leads to XSS) to Mail.ru - 12 upvotes, $0
[rm.mail.ru] Request-Path XSS to Mail.ru - 12 upvotes, $0
XSS to Mail.ru - 12 upvotes, $0
Full Path Disclosure to Mail.ru - 12 upvotes, $0
Stored xss on https://go.mail.ru/ to Mail.ru - 12 upvotes, $0
XSS in [community.my.games] to Mail.ru - 12 upvotes, $0
Reflected XSS to Mail.ru - 12 upvotes, $0
stand.pw.mail.ru xss to Mail.ru - 12 upvotes, $0
XSS в теле письма, в блочных стилях. to Mail.ru - 11 upvotes, $1000
blind XXE when uploading avatar in mymail phone app to Mail.ru - 11 upvotes, $1000
mail.ru/touch xss(r) debug parameter to Mail.ru - 11 upvotes, $1000
Xss в https://e.mail.ru/ to Mail.ru - 11 upvotes, $500
[account.mail.ru] XSS на странице восстановления пароля to Mail.ru - 11 upvotes, $500
Блокированный ящик ( Обход ) to Mail.ru - 11 upvotes, $500
Stored Blind XSS to Mail.ru - 11 upvotes, $500
[dobro.city-mobil.ru] Недостаточная аутентификация (доступ к панели администратора) to Mail.ru - 11 upvotes, $500
Insufficient limitation of web page title leads to DoS against ICQ for Android to Mail.ru - 11 upvotes, $300
[web.icq.com] Stored XSS in link when sending message to Mail.ru - 11 upvotes, $250
Unsafe downloaded file execution to Mail.ru - 11 upvotes, $250
Eval-based XSS in Game JS API (mailru.core.js) via cross-origin postMessage() to Mail.ru - 11 upvotes, $200
Activities are not Protected and able to crash app using other app (Can Malware or third parry app). to Mail.ru - 11 upvotes, $150
[et.mail.ru] ssrf 2 to Mail.ru - 11 upvotes, $150
Race condition на покупке призов за баллы to Mail.ru - 11 upvotes, $150
XSS on https://www.delivery-club.ru/sd/test_330933/info/ to Mail.ru - 11 upvotes, $100
CSRF на покупку товара https://lootdog.io/ to Mail.ru - 11 upvotes, $100
Stored self-XSS pubg.mail.ru в нескольких местах to Mail.ru - 11 upvotes, $0
XSS через подгрузку ссылки. to Mail.ru - 11 upvotes, $0
Disclosure of user email address and Deanonymization [mail.ru] + Blind | Stored XSS pets.mail.ru to Mail.ru - 11 upvotes, $0
[moba.my.com] phpinfo, logs to Mail.ru - 11 upvotes, $0
Open Redirect In passport.maps.me/logout/?next=//fb.com/ to Mail.ru - 11 upvotes, $0
[my.games] Stored XSS via untrusted bucket to Mail.ru - 11 upvotes, $0
Stored self XSS at auto.mail.ru using add_review functionality to Mail.ru - 11 upvotes, $0
xss while uploading a file to Mail.ru - 11 upvotes, $0
HTML Injection at "city-mobil.ru" to Mail.ru - 11 upvotes, $0
Reflected XSS https://tracker.my.com to Mail.ru - 11 upvotes, $0
Угон домена photo-test.gb.ru (возможно) to Mail.ru - 11 upvotes, $0
[city-mobil.ru/taxiserv/] SQLi at /taxiserv/requests path at driver_company param to Mail.ru - 10 upvotes, $3500
XSS в письме, в теле письма. to Mail.ru - 10 upvotes, $2000
Bitbucket public repo leaking credentials from the 1C Enterprise system used by Samokat to Mail.ru - 10 upvotes, $1500
bit.games - sql-inj to Mail.ru - 10 upvotes, $1500
Database read through provider misconfiguration to Mail.ru - 10 upvotes, $1000
[panel.city-mobil.ru/admin/] Blind XSS via partner name (similar to #746505) to Mail.ru - 10 upvotes, $1000
Source code and internal credentials disclosure to Mail.ru - 10 upvotes, $1000
Stored xss in calendar via call link to Mail.ru - 10 upvotes, $1000
[com.icq.mobile.client] Любое стороннее приложение может угнать сессию, а также другие файлы приложения to Mail.ru - 10 upvotes, $1000
Xss в https://e.mail.ru/ to Mail.ru - 10 upvotes, $500
Reflected XSS in https://e.mail.ru/ to Mail.ru - 10 upvotes, $500
Отраженная XSS на cloud.mail.ru в URL в функционале создания и редактировании презентации. to Mail.ru - 10 upvotes, $500
XSS bypass Script execute,Read any file,execute any javascript code--UXSS to Mail.ru - 10 upvotes, $500
Хранимая XSS ( API ) to Mail.ru - 10 upvotes, $500
SSRF на api.icq.net to Mail.ru - 10 upvotes, $500
Users information leak at sbermarket.ru to Mail.ru - 10 upvotes, $400
Server side request forgery to Mail.ru - 10 upvotes, $300
Stored XSS in address on [corporate.city-mobil.ru] to Mail.ru - 10 upvotes, $300
[authdl.mail.ru] Spoofing IP address to Mail.ru - 10 upvotes, $250
SSRF/XSPA [parapa.mail.ru] 2 to Mail.ru - 10 upvotes, $150
Disclosure of the account email by phone number on [corporate.city-mobil.ru] to Mail.ru - 10 upvotes, $150
Exposed Git Repo at https://mini-app.delivery-club.ru to Mail.ru - 10 upvotes, $150
[com.icq.mobile.client] Любое стороннее приложение может отправить произвольное сообщение от имени пользователя to Mail.ru - 10 upvotes, $150
IDOR in tender.mail.ru leading to Information Disclosure to Mail.ru - 10 upvotes, $0
reflected xss on cycloferon.health.mail.ru to Mail.ru - 10 upvotes, $0
Seven DOM-Based XSS Vulnerabilities | Execution in Login Sequence to Mail.ru - 10 upvotes, $0
CSRF на отправку вопроса на [games.mail.ru] to Mail.ru - 10 upvotes, $0
unauthorized access to add admin endpoint to Mail.ru - 10 upvotes, $0
vk.com profile page takeover on https://cabinet.am.ru/ to Mail.ru - 10 upvotes, $0
[samokat.ru] PHP modules path disclosure due to lack of error handling to Mail.ru - 10 upvotes, $0
[https://city-mobil.ru/taxiserv] IDOR leads to information disclosure to Mail.ru - 9 upvotes, $1500
[xss] setTheme в ajax_attach_action to Mail.ru - 9 upvotes, $1000
XSS on https://o2.mail.ru/jsapi/button via PostMessage to Mail.ru - 9 upvotes, $1000
XSS в отправителе, БЕТА-версия почты to Mail.ru - 9 upvotes, $500
XSS account.mail.ru in state JSON script to Mail.ru - 9 upvotes, $500
Stealing Arbitrary Private Files of MyMail App to Mail.ru - 9 upvotes, $500
Full Account Takeover Student Account In https://********.ru/signin/main/student/email to Mail.ru - 9 upvotes, $500
Brute Force due to Weak security credentials lead access to LICENSE SYSTEM Web Server on [l.ucs.ru] to Mail.ru - 9 upvotes, $500
Логи/sql запросы на http://mx36.ucs.ru/ и reflected XSS. to Mail.ru - 9 upvotes, $400
Time-based sql-injection на https://puzzle.mail.ru to Mail.ru - 9 upvotes, $300
Reflected XSS in city-mobil.ru/ to Mail.ru - 9 upvotes, $300
XSS с помощью специально сформированного файла. to Mail.ru - 9 upvotes, $250
easyXDM allows cross domain postmessaging with any origin, leaking sensitive info to Mail.ru - 9 upvotes, $250
XSS на e.mail.ru в мобильном приложении! to Mail.ru - 9 upvotes, $250
XSS https://health.mail.ru/my/ через внешнее имя аккаунта to Mail.ru - 9 upvotes, $150
Чтение системных данных приложения: данные для авторизации, логи, БД, личная переписка to Mail.ru - 9 upvotes, $150
Insecure Storage and Overly Permissive Google Maps API Key in Android App to Mail.ru - 9 upvotes, $150
Sidekiq Dashboard Publicly accessible at http://shopper.staging.instamart.ru/sidekiq/ to Mail.ru - 9 upvotes, $150
Log files Leaked In mcsblog.ru to Mail.ru - 9 upvotes, $150
IDOR zakazaka (состояние заказа и перезаказ) to Mail.ru - 9 upvotes, $150
Открытая админка 1C эмулятора to Mail.ru - 9 upvotes, $150
CSRF на добавление товара на продажу to Mail.ru - 9 upvotes, $100
Cross Site Request Forgery (CSRF) to Mail.ru - 9 upvotes, $0
[realty.mail.ru] XSS, SSI Injection to Mail.ru - 9 upvotes, $0
[pokerist.mail.ru] XSS Request-URI to Mail.ru - 9 upvotes, $0
CSRF Send a message at street-combats.mail.ru to Mail.ru - 9 upvotes, $0
ДОБАВЛЕНИЕ СВОИХ ДАТ В КАЛЕНДАРЬ ПОЛЬЗОВАТЕЛЮ ! to Mail.ru - 9 upvotes, $0
Blind XSS pets.mail.ru/admin/ to Mail.ru - 9 upvotes, $0
CSRF уязвимость позволяет взять беспроцентный кредит пользователю cfire.mail.ru to Mail.ru - 9 upvotes, $0
Content spoofing в http://my.mail.ru/cgi-bin/app/paymentm to Mail.ru - 9 upvotes, $0
Delete images of users with clickjacking in https://pw.mail.ru to Mail.ru - 9 upvotes, $0
Reflected XSS with WAF Bypass https://pw.mail.ru to Mail.ru - 9 upvotes, $0
xss in ub.icq.net to Mail.ru - 9 upvotes, $0
[xss] passrestore на m/touch/tel to Mail.ru - 8 upvotes, $1000
A manager of a determinate group of users still might have access to any user account from any group that he doesn't administrate anymore. to Mail.ru - 8 upvotes, $500
XSS on account.mail.ru/login to Mail.ru - 8 upvotes, $500
[account.mail.ru] XSS на странице удаления аккаунта через backUrl to Mail.ru - 8 upvotes, $500
Stored self-xss and its escalation to a victim account in e.mail.ru to Mail.ru - 8 upvotes, $500
Получение гарантированного дохода и бонусов без фактического исполнения заказов, при этом используя аккаунты не существующих людей. to Mail.ru - 8 upvotes, $500
Improper Restriction of Excessive Authentication Attempts at https://ucs.ru/login to Mail.ru - 8 upvotes, $400
Information Disclosure - Получаем доступ к работам и к приватным презентациям к курсам to Mail.ru - 8 upvotes, $300
XSS when replying / forwarding to a malicious email on iOS to Mail.ru - 8 upvotes, $250
Blind SSRF on http://info.ucs.ru/settings/check/ to Mail.ru - 8 upvotes, $250
[upload-X.my.mail.ru] /uploadphoto Insecure Direct Object References to Mail.ru - 8 upvotes, $160
Possible to Upload Local Arbitrary Private File to the Cloud against User's Will to Mail.ru - 8 upvotes, $150
Http Response Splitting on thumb.cloud.mail.ru to Mail.ru - 8 upvotes, $150
SECRET_KEY Of Django Leaked In maps.me to Mail.ru - 8 upvotes, $150
[api.my.games/social/chat/multi/add] Privilege escalation on adding new members to group chat to Mail.ru - 8 upvotes, $150
Improper Restriction of Excessive Authentication Attempts via https://certification.mail.ru/auth-form/?form=auth_certy (Rate limit Bypass) to Mail.ru - 8 upvotes, $150
HTML injection in an email [delivery.city-mobil.ru] to Mail.ru - 8 upvotes, $150
Improper Restriction of Excessive Authentication Attempts at https://top.mail.ru/edit? for site counter (Rate Limit bypass via IP Rotation) to Mail.ru - 8 upvotes, $150
CVE-2020-3187 на ip адресе 91.231.115.30 to Mail.ru - 8 upvotes, $150
CSRF Delete chat invitation link. to Mail.ru - 8 upvotes, $100
[tanks.mail.ru] Internet Explorer XSS via Request-URI to Mail.ru - 8 upvotes, $0
XSS in delivery club to Mail.ru - 8 upvotes, $0
Double authentication bypass to Mail.ru - 8 upvotes, $0
Full account takeover am.ru to Mail.ru - 8 upvotes, $0
[lk-cdn.3igames.mail.ru] apc.php to Mail.ru - 8 upvotes, $0
Reflected cross site scripting at https://auto.mail.ru/reviews/add_review/ via problems_text parameter. to Mail.ru - 8 upvotes, $0
XSS при загрузке изображения на [games.mail.ru] to Mail.ru - 8 upvotes, $0
XSS via HTTP request version in account.my.games to Mail.ru - 8 upvotes, $0
CSRF on https://market.my.games to Mail.ru - 8 upvotes, $0
Subdomain Takeover at blog.instamart.ru to Mail.ru - 8 upvotes, $0
Broken twitter link hijacking at https://games.mail.ru/pc/search/ to Mail.ru - 8 upvotes, $0
IDOR to delete test/poll/quiz on relap.io to Mail.ru - 8 upvotes, $0
prometheus server monitoring System publicly accessible to Mail.ru - 8 upvotes, $0
internal path disclosure via error message to Mail.ru - 8 upvotes, $0
[xss] перенаправление со старых url в почте to Mail.ru - 7 upvotes, $1000
[xss] подмена content-type в загрузке лого к почте to Mail.ru - 7 upvotes, $1000
Чтение файлов на сервере и раскрытие директорий mediator.media to Mail.ru - 7 upvotes, $800
touch.mail.ru/messages - Stored XSS to Mail.ru - 7 upvotes, $750
VERY DANGEROUS XSS STORED inside emails to Mail.ru - 7 upvotes, $600
Possibility to view subdepartments for arbitrary domain to Mail.ru - 7 upvotes, $500
XSS on e.mail.ru via postMessage to Mail.ru - 7 upvotes, $500
XSS e.mail.ru fixSpecialSymbols to Mail.ru - 7 upvotes, $500
[https://fleet.city-mobil.ru] Stored XSS into driver mailing to Mail.ru - 7 upvotes, $500
Открытая админка Tarantool to Mail.ru - 7 upvotes, $500
[sso.33slona.ru] Application Messages Error stacktrace PHP. to Mail.ru - 7 upvotes, $400
[https://youdrive.today/] Nginx directory traversal to Mail.ru - 7 upvotes, $400
XSS via Cookie in e.mail.ru to Mail.ru - 7 upvotes, $350
XXE крит to Mail.ru - 7 upvotes, $300
Stored XSS and html injection in biz.mail.ru to Mail.ru - 7 upvotes, $250
Information Disclosure [ https://curious.ru/api/submissions ] to Mail.ru - 7 upvotes, $250
SSRF in www.ucs.ru to Mail.ru - 7 upvotes, $250
Download attachments with traversal path into any sdcard directory (incomplete fix 106097) to Mail.ru - 7 upvotes, $200
[lootdog.io] User phone number disclosure to Mail.ru - 7 upvotes, $200
[cfire.mail.ru] Time Based SQL Injection 2 to Mail.ru - 7 upvotes, $200
Stored Xss to Mail.ru - 7 upvotes, $200
DOM based XSS via postMessage at store.my.games to Mail.ru - 7 upvotes, $200
Cross site scripting to Mail.ru - 7 upvotes, $150
XSS at https://icq.com/people to Mail.ru - 7 upvotes, $150
Improper Restriction of Excessive Authentication Attempts at o2-ac.my.com/token to Mail.ru - 7 upvotes, $150
Возможность создать канал в группе, в которой пользователь не является админом [my.games] to Mail.ru - 7 upvotes, $150
Пользователь может просматривать, удалять и изменять данные любой компании перебирая domain_id [biz.mail.ru] to Mail.ru - 7 upvotes, $150
Брутфорс sms кода подтверждения для смены номера телефона в аккаунте LootDog. to Mail.ru - 7 upvotes, $150
[files.ucs.ru] ProFTPd mod_copy Arbitrary Read/Write to Mail.ru - 7 upvotes, $150
Improper Restriction of Excessive Authentication Attempts at https://mirror.w1.dwar.ru/login.php to Mail.ru - 7 upvotes, $150
[titans.3clans.ru] phpBB 3.0.8 - Захват аккаунта администратора + удалённое выполнение кода. to Mail.ru - 7 upvotes, $150
Загрузка png бомбы, которая начинает DDOS атаку на бота со Стикерами. to Mail.ru - 7 upvotes, $100
[odnoklassniki.ru] XSS via Host to Mail.ru - 7 upvotes, $0
[touch.lady.mail.ru] CRLF Injection to Mail.ru - 7 upvotes, $0
[cooking.lady.mail.ru] Open Redirect to Mail.ru - 7 upvotes, $0
Stored XSS using SVG on subdomain infra.mail.ru to Mail.ru - 7 upvotes, $0
Хранимая XSS в пожертованиях на dobro.mail.ru to Mail.ru - 7 upvotes, $0
[info.tmgame.mail.ru] Apache Server Status to Mail.ru - 7 upvotes, $0
Reflected XSS in delivery-club.ru to Mail.ru - 7 upvotes, $0
CSRF на загрузку изображения Pandao to Mail.ru - 7 upvotes, $0
CSRF on /subscription_manage.php endpoint at allods.mail.ru to Mail.ru - 7 upvotes, $0
Reference to external uncontrolled resource in terrhq.ru to Mail.ru - 7 upvotes, $0
PHP-FPM Status Page to Mail.ru - 7 upvotes, $0
astrumnival.com subdomain to Mail.ru - 7 upvotes, $0
Brute-force any email account through allods.mail.ru to Mail.ru - 7 upvotes, $0
REFLECTED XSS On http://jsgames.mail.ru/bad_browser.php via back_url paramter to Mail.ru - 7 upvotes, $0
the same as #948259 - XSS at jsgames.mail.ru to Mail.ru - 7 upvotes, $0
capsula.mail.ru - reflected xss to Mail.ru - 7 upvotes, $0
Information Disclosure of Garbage Collection Cycle 'Again' to Mail.ru - 7 upvotes, $0
XSS on ub.icq.net to Mail.ru - 7 upvotes, $0
[city-mobil.ru/taxiserv/] IDOR leads to driver account takeover to Mail.ru - 6 upvotes, $8000
[combo.mail.ru] SMS code bruteforce to Mail.ru - 6 upvotes, $6000
XSS уязвимость to Mail.ru - 6 upvotes, $500
XSS touch.mail.ru compose Body to Mail.ru - 6 upvotes, $500
[delivery.city-mobil.ru] Stored XSS into support request comment to Mail.ru - 6 upvotes, $300
[connect.mail.ru] Memory Disclosure / IE XSS to Mail.ru - 6 upvotes, $250
XSS ( Работа с письмами ) to Mail.ru - 6 upvotes, $250
bgplay.mail.ru to Mail.ru - 6 upvotes, $200
[my.mail.ru] CRLF Injection to Mail.ru - 6 upvotes, $160
By pass admin panel [seminars.mail.ru] to Mail.ru - 6 upvotes, $150
XSS в портальной навигации to Mail.ru - 6 upvotes, $150
Unupdated ImageMagic leads to uninitialized server memory disclosure to Mail.ru - 6 upvotes, $150
Mail.Ru Top - Website Counter Bruteforcing to Mail.ru - 6 upvotes, $150
[c-api.city-mobil.ru] IDOR chat messages between driver and customer to Mail.ru - 6 upvotes, $150
Ability to edit the address of any company by its id on [corporate.city-mobil.ru] to Mail.ru - 6 upvotes, $150
Логи на http://login.aa.mail.ru/logs/ to Mail.ru - 6 upvotes, $150
Access admin interface via bad credentials to Mail.ru - 6 upvotes, $150
Наблюдатель может оставновить базу данных [mcs.mail.ru] to Mail.ru - 6 upvotes, $150
Clickjacking Vulnerability via https://profile.my.games/gamecenter/profile/ can lead to sensitive cross site actions (Bypass X-Frame-Options) to Mail.ru - 6 upvotes, $150
The auth token does not expire on logging out and even after logging out all sessions to Mail.ru - 6 upvotes, $100
Раскрытие IP, почты и другой полезной информации lootdog.io to Mail.ru - 6 upvotes, $100
Доступ к аккаунту после смены пароля. to Mail.ru - 6 upvotes, $100
[rabota.mail.ru] Open Redirect to Mail.ru - 6 upvotes, $0
[ml.money.mail.ru] Open Redirect to Mail.ru - 6 upvotes, $0
[qpt.mail.ru] CRLF Injection / Open Redirect to Mail.ru - 6 upvotes, $0
[otus.p.mail.ru] Full Path Disclosure to Mail.ru - 6 upvotes, $0
Open Redirection at https://it.mail.ru/ to Mail.ru - 6 upvotes, $0
Reflected XSS on frag.mail.ru to Mail.ru - 6 upvotes, $0
xss на нескольких форумах игр от mail.ru (Cross-Site Scripting) to Mail.ru - 6 upvotes, $0
CRLF инъекция на https://tz.mail.ru to Mail.ru - 6 upvotes, $0
api.icq.com / возможность написать кому угодно (даже icqsystem) to Mail.ru - 6 upvotes, $0
[hs.mail.ru] XSS play_now.php to Mail.ru - 6 upvotes, $0
[hs.mail.ru] CRLF Injection / XSS to Mail.ru - 6 upvotes, $0
[gamesventures.mail.ru] Publicly accessible GIT directory to Mail.ru - 6 upvotes, $0
[new.wf.mail.ru] XSS Request-URI to Mail.ru - 6 upvotes, $0
[evo2.my.com] Internet Explorer XSS to Mail.ru - 6 upvotes, $0
CSRF при вводе промокода на Pandao to Mail.ru - 6 upvotes, $0
benchmark metrics available at 5.61.239.154 to Mail.ru - 6 upvotes, $0
PHP-FPM Status Page to Mail.ru - 6 upvotes, $0
XSS на сайте https://warofdragons.my.games/. to Mail.ru - 6 upvotes, $0
Stored XSS on go.mail.ru to Mail.ru - 6 upvotes, $0
Open Redirect at "city-mobil.ru" to Mail.ru - 6 upvotes, $0
[self?] XSS в адресе пользователя [sbermarket.ru] to Mail.ru - 6 upvotes, $0
Subdomain Takeover at analyticstest.geekbrains.ru to Mail.ru - 6 upvotes, $0
[aw.mail.ru] XSS on /quiztank page to Mail.ru - 6 upvotes, $0
[MY.GAMES] XSS в мессенджере to Mail.ru - 6 upvotes, $0
Subdomain takeover http://promo.instamart.ru/ to Mail.ru - 6 upvotes, $0
Open Redirect and CRLF Injection Leads to XSS on [app.doma.uchi.ru] to Mail.ru - 6 upvotes, $0
Read-only user can edit user segments. to Mail.ru - 6 upvotes, $0
Private files exposed to other apps to Mail.ru - 5 upvotes, $1000
Insecure storage of private files to Mail.ru - 5 upvotes, $1000
[Mail.Ru for Android] Replacing "Add filter" screen by malicious screen to Mail.ru - 5 upvotes, $1000
RCE в .api/nr/report/{id}/download to Mail.ru - 5 upvotes, $1000
Admin panel access restrictions bypass [poll.mail.ru/admin/] to Mail.ru - 5 upvotes, $500
OOB XXE to Mail.ru - 5 upvotes, $500
Public access to Sidekiq dashboard at shopper.sbermarket.ru to Mail.ru - 5 upvotes, $500
В самокате можно просматривать и изменять данные любого заказа без авторизации to Mail.ru - 5 upvotes, $400
Customer domain information disclosure at https://biz.mail.ru/api/domains/* to Mail.ru - 5 upvotes, $350
Uninitilized server memory disclosure via ImageMagick to Mail.ru - 5 upvotes, $300
sql to Mail.ru - 5 upvotes, $300
Mail.ru for Android Content Provider Vulnerability to Mail.ru - 5 upvotes, $250
CSRF. Удаление адресной книги, добавление контактов to Mail.ru - 5 upvotes, $250
tmgame.mail.ru - Blind sql injection to Mail.ru - 5 upvotes, $250
[townwars.mail.ru] Time-Based SQL Injection to Mail.ru - 5 upvotes, $150
invalid handling of redirect_uri at o2.mail.ru/jsapi/button to Mail.ru - 5 upvotes, $150
[parapa.mail.ru] SQL Injection reapet to Mail.ru - 5 upvotes, $150
В самокат имеется возможность просмотра суммы заказа и номера заказа по ID [smart.space] to Mail.ru - 5 upvotes, $150
This Github Repository Seems Leaking "nino.samokat.ru" Source Code to Mail.ru - 5 upvotes, $150
Clickjacking Vulnerability via https://www.donationalerts.com/help/support leads to bypass for widget.support.my.games X-Frame Options to Mail.ru - 5 upvotes, $150
todo.mail.ru open .git to Mail.ru - 5 upvotes, $150
XSS на странице "Платежи водителей" [city-mobil.ru/taxiserv] to Mail.ru - 5 upvotes, $150
restaurant.delivery-club.ru - возможность получить информацию об чужих акциях. to Mail.ru - 5 upvotes, $150
Disclosure of information on static.dl.mail.ru to Mail.ru - 5 upvotes, $0
Open Redirect to Mail.ru - 5 upvotes, $0
[w1.dwar.ru] Core Dump to Mail.ru - 5 upvotes, $0
[gitmm.corp.mail.ru] Auth Bypass, Information Disclosure to Mail.ru - 5 upvotes, $0
Open Redirect to Mail.ru - 5 upvotes, $0
Monitor to Mail.ru - 5 upvotes, $0
Открытое перенапровление на OpenID to Mail.ru - 5 upvotes, $0
api.icq.com / возможность отредактировать текст любого пользователя или группы переслав его. to Mail.ru - 5 upvotes, $0
Открытая информация phpinfo() на сайте https://agent.mail.ru to Mail.ru - 5 upvotes, $0
Local paths disclosure through error message to Mail.ru - 5 upvotes, $0
CSRF на biz.mail.ru to Mail.ru - 5 upvotes, $0
[sj.my.com] Source Code Disclosure /.svn/wc.db to Mail.ru - 5 upvotes, $0
[sputnik.mail.ru] Publicly accessible GIT directory to Mail.ru - 5 upvotes, $0
[FG-VD-17-115] Mail.ru's Amigo Browser DLL Pre-Loading Vulnerability Notification to Mail.ru - 5 upvotes, $0
[auto.mail.ru] IDOR на редактирование поста любого юзера. to Mail.ru - 5 upvotes, $0
Public available Sensitive Information about drivers to Mail.ru - 5 upvotes, $0
[v7lk.relap.io] Sending arbitrary emails to any user to Mail.ru - 5 upvotes, $0
relap.io CSRF bypass on adding domain to use relap widgets to Mail.ru - 5 upvotes, $0
Reflected XSS in "keywords" parameter at "https://sbermarket.ru/metro/search" to Mail.ru - 5 upvotes, $0
xss on [storehouse5.ucs.ru] to Mail.ru - 5 upvotes, $0
CSRF in updating username https://pw.mail.ru/ to Mail.ru - 5 upvotes, $0
subdomain Takeover to Mail.ru - 5 upvotes, $0
Получение локального пути до файла [geekbrains.ru] to Mail.ru - 5 upvotes, $0
Acessed internal api documentation and information to Mail.ru - 5 upvotes, $0
Stored XSS on https://community.my.games/ (Add Post) to Mail.ru - 5 upvotes, $0
XSS via "gp" cookie reflected in source code to Mail.ru - 4 upvotes, $1000
Пользователь может изменить способ оплаты указав чужой corporation ID to Mail.ru - 4 upvotes, $1000
Same Origin Policy bypass to Mail.ru - 4 upvotes, $600
mrgs.my.games account takeover to Mail.ru - 4 upvotes, $500
Self-xss via drag&drop in email form to Mail.ru - 4 upvotes, $300
HTML Injection на e.mail.ru to Mail.ru - 4 upvotes, $250
[s.mail.ru] CRLF Injection to Mail.ru - 4 upvotes, $250
Раскрытие информации о совершенных операциях to Mail.ru - 4 upvotes, $250
Content injection on shared event (calendar.mail.ru) to Mail.ru - 4 upvotes, $150
Clickjacking Vulnerability via https://webagent.mail.ru leading to protection bypass for https://web.icq.com/ end point to Mail.ru - 4 upvotes, $150
OTP bypass on user account deletion to Mail.ru - 4 upvotes, $150
This Github Repository Seems Leaking Samokat Django Project to Mail.ru - 4 upvotes, $150
Theft of Arbitrary file to Mail.ru - 4 upvotes, $150
[my.mail.ru] HTML injection в письмах от myadmin@corp.mail.ru to Mail.ru - 4 upvotes, $100
[online.games.mail.ru] - Sensitive information disclosure to Mail.ru - 4 upvotes, $100
ssl cookkie without secure flag set to Mail.ru - 4 upvotes, $100
Reflected XSS connect.mail.ru (IE6-IE8) to Mail.ru - 4 upvotes, $0
Back Refresh Attack after registration and successful logout to Mail.ru - 4 upvotes, $0
[opensource.mail.ru] system accounts enumeration to Mail.ru - 4 upvotes, $0
Full Path Disclosure to Mail.ru - 4 upvotes, $0
[corp.mail.ru] CRLF Injection / Insecure nginx configuration to Mail.ru - 4 upvotes, $0
[mrgs.mail.ru] Internet Explorer XSS via Request-URI to Mail.ru - 4 upvotes, $0
[3k.mail.ru] Content Spoofing to Mail.ru - 4 upvotes, $0
[allods.my.com] Full Path Disclosure to Mail.ru - 4 upvotes, $0
[otus.p.mail.ru] CRLF Injection to Mail.ru - 4 upvotes, $0
[allods.mail.ru] Cross-Site Request Forgery (Add-Item) to Mail.ru - 4 upvotes, $0
[allods.mail.ru] Reflected XSS to Mail.ru - 4 upvotes, $0
Reflected XSS на https://aw.mail.ru/news/ to Mail.ru - 4 upvotes, $0
Clickjacking Full account takeover and editing the personal information at [account.my.com] to Mail.ru - 4 upvotes, $0
[afisha.mail.ru] HTML-инъекция через XSS на портале виджета to Mail.ru - 4 upvotes, $0
[maps.me] Reflected XSS to Mail.ru - 4 upvotes, $0
api.icq.com / отсутсвие лимита на отправку сообщений удаляя параметр защиты "&r" to Mail.ru - 4 upvotes, $0
[target.my.com] CRLF Injection -> XSS to Mail.ru - 4 upvotes, $0
[beta.tracker.my.com] XSS Request-URI to Mail.ru - 4 upvotes, $0
CSRF на удаление товара из корзины to Mail.ru - 4 upvotes, $0
XSS to Mail.ru - 4 upvotes, $0
xss to Mail.ru - 4 upvotes, $0
Rails application running in development mode to Mail.ru - 4 upvotes, $0
self XSS на странице https://aw.mail.ru/pin/ to Mail.ru - 4 upvotes, $0
Открытые сорцы to Mail.ru - 4 upvotes, $0
mailgun subdomain takeover on "email.mail.geekbrains.ru" to Mail.ru - 4 upvotes, $0
Information Disclosure on {http://pro.tracker.my.com} to Mail.ru - 4 upvotes, $0
[capsula.mail.ru] overriding order info to Mail.ru - 4 upvotes, $0
information disclosure via IDOR on "https://target.my.com/api/v2/coverage/segment.json?id={id}" endpoint to Mail.ru - 4 upvotes, $0
XSS Stored on https://seedr.ru to Mail.ru - 4 upvotes, $0
XXE and SSRF on webmaster.mail.ru to Mail.ru - 3 upvotes, $700
Ошибка фильтрации to Mail.ru - 3 upvotes, $500
[e.mail.ru] XSS на странице отправки денежного перевода to Mail.ru - 3 upvotes, $500
XSS in https://e.mail.ru/cgi-bin/lstatic (Limited use) to Mail.ru - 3 upvotes, $400
Access to git & and configuration files on backtoschool.geekbrains.ru via gitfile to Mail.ru - 3 upvotes, $400
connect.mail.ru: SSRF to Mail.ru - 3 upvotes, $300
OpenSSL HeartBleed (CVE-2014-0160) to Mail.ru - 3 upvotes, $200
By pass admin panel [conference.mail.ru] to Mail.ru - 3 upvotes, $150
SSRF/XSPA [parapa.mail.ru] to Mail.ru - 3 upvotes, $150
Possible tokens leak on ws-app.city-mobil.ru to Mail.ru - 3 upvotes, $150
[icq.com/people/uin/edit] Отсутствует фильтр и проверка на дубли в поле "Никнейм" to Mail.ru - 3 upvotes, $150
Возможность просмотра коментариев к чужим обращениям [corporate.city-mobil.ru] to Mail.ru - 3 upvotes, $150
Improper Restriction of Excessive Authentication Attempts at https://api.warrobots.com/auth (Pixonic Games) to Mail.ru - 3 upvotes, $150
kds.ucs.ru - раскрытие информации. to Mail.ru - 3 upvotes, $150
ICQ Windows Application is Vulnerable to DLL Search Order Hijacking to Mail.ru - 3 upvotes, $100
Admin panel of http://tp-test1.corp.mail.ru/ is acccessible publicly to Mail.ru - 3 upvotes, $0
https://voip.agent.mail.ru/phpinfo.php to Mail.ru - 3 upvotes, $0
Авторизуюсь от имени любого пользователя parapa.mail.ru to Mail.ru - 3 upvotes, $0
[tz.mail.ru] XSS в функционале авторизации to Mail.ru - 3 upvotes, $0
[support.my.com] Internet Explorer XSS to Mail.ru - 3 upvotes, $0
[torg.mail.ru] CRLF Injection to Mail.ru - 3 upvotes, $0
Stored XSS на street-combats.mail.ru to Mail.ru - 3 upvotes, $0
[api.login.icq.net] Open Redirect to Mail.ru - 3 upvotes, $0
[api.login.icq.net] Reflected XSS to Mail.ru - 3 upvotes, $0
[opensource.mail.ru] Debug Mode to Mail.ru - 3 upvotes, $0
[allods.my.com] Full SQL Disclosure to Mail.ru - 3 upvotes, $0
[it.mail.ru] Open Redirect to Mail.ru - 3 upvotes, $0
Reflected XSS on hi-tech.mail.ru to Mail.ru - 3 upvotes, $0
Reflected XSS. to Mail.ru - 3 upvotes, $0
Apache Server-Status Detected to Mail.ru - 3 upvotes, $0
Logical Vulnerability : REDIRECTING on pw.mail.ru by Parameter Spoofing to Mail.ru - 3 upvotes, $0
[tanks.mail.ru] Open Redirect to Mail.ru - 3 upvotes, $0
Stored XSS на странице pubg.mail.ru/community to Mail.ru - 3 upvotes, $0
Множественные уязвимости приложения Mail.Ru Почта (Android) to Mail.ru - 3 upvotes, $0
Phpinfo to Mail.ru - 3 upvotes, $0
Открытая панель to Mail.ru - 3 upvotes, $0
Settings page in https://support.my.com is vulnerable to clickjacking to Mail.ru - 3 upvotes, $0
Ability to find out the name of the database table and its columns to Mail.ru - 3 upvotes, $0
Cross-Site Request Forgery (CSRF) in my.games API to Mail.ru - 3 upvotes, $0
XSS on https://deti.mail.ru/ to Mail.ru - 3 upvotes, $0
Collected Telegraf Matrics Accessible to Mail.ru - 3 upvotes, $0
Cross-Site Request Forgery (CSRF) in comment update - api.my.games to Mail.ru - 3 upvotes, $0
SMTP Header Injection at http://abonement.ucs.ru to Mail.ru - 3 upvotes, $0
tracker.my.com information disclosure via csrf bypass to Mail.ru - 3 upvotes, $0
Vertical Privilege Escalation on {target.my.com} to Mail.ru - 3 upvotes, $0
looch.tv CORS crossite user information and stream_key access to Mail.ru - 3 upvotes, $0
FLV FILE FORMAT (AUDIOSES.DLL) Out of Bounds to Mail.ru - 2 upvotes, $500
[babel.mail.ru] Admin Page Found to Mail.ru - 2 upvotes, $400
RCE через JDWP to Mail.ru - 2 upvotes, $300
[orsotenslimselfie.lady.mail.ru] SQL Injection to Mail.ru - 2 upvotes, $300
SQL injection update.mail.ru to Mail.ru - 2 upvotes, $250
SQL inj to Mail.ru - 2 upvotes, $150
Clickjacking to Mail.ru - 2 upvotes, $150
SQL to Mail.ru - 2 upvotes, $150
SQL Injection on 11x11.mail.ru to Mail.ru - 2 upvotes, $150
[tidaltrek.mail.ru] SQL Injection to Mail.ru - 2 upvotes, $150
ssrf xspa [https://prt.mail.ru/] to Mail.ru - 2 upvotes, $150
Google API Key is not restricted for specific application package name and signature [Mail.ru Cloud for Android] to Mail.ru - 2 upvotes, $150
No bruteforce protection leads to enumeration of emails in http://e.mail.ru/ to Mail.ru - 2 upvotes, $100
Login without SSL-Protection to Mail.ru - 2 upvotes, $0
Flash XSS in http://go.mail.ru to Mail.ru - 2 upvotes, $0
Flash XSS in http://lingvo.mail.ru to Mail.ru - 2 upvotes, $0
Раскрытие полного серверного пути to Mail.ru - 2 upvotes, $0
tp-demo1.corp.mail.ru: SVN наружу торчит to Mail.ru - 2 upvotes, $0
[start.icq.com] Reflected XSS via Cookies to Mail.ru - 2 upvotes, $0
Vulnerability :- "XSS vulnerability" to Mail.ru - 2 upvotes, $0
[ling.go.mail.ru] Server-Status opened for all users to Mail.ru - 2 upvotes, $0
XSS at forum : to Mail.ru - 2 upvotes, $0
Reflected XSS на games.mail.ru to Mail.ru - 2 upvotes, $0
[sales.mail.ru] CRLF Injection to Mail.ru - 2 upvotes, $0
AXFR на plexus.m.smailru.net работает to Mail.ru - 2 upvotes, $0
BRUTE FORCE ATTACK to Mail.ru - 2 upvotes, $0
Reflected XSS. to Mail.ru - 2 upvotes, $0
Обход basic авторизации [qpt.mail.ru] to Mail.ru - 2 upvotes, $0
Излишние права при авторизации через интерфейс mail.ru to Mail.ru - 2 upvotes, $0
[warofdragons.com] Content Spoofing to Mail.ru - 2 upvotes, $0
[s2.jugger.ru] Content Spoofing to Mail.ru - 2 upvotes, $0
[tanks.mail.ru] Content Spoofing to Mail.ru - 2 upvotes, $0
[aw.my.com] Reflected XSS to Mail.ru - 2 upvotes, $0
Clickjacking Vulnerability on https://support.my.com/games/ticket/xxxx/ to Mail.ru - 2 upvotes, $0
DNS Misconfiguration to Mail.ru - 2 upvotes, $0
XSS on New contact to Mail.ru - 2 upvotes, $0
ssl cookie without secure flag set to Mail.ru - 2 upvotes, $0
Открытый .htaccess на cookery.zakazaka.ru to Mail.ru - 2 upvotes, $0
xss to Mail.ru - 2 upvotes, $0
Stored XSS at branded site in .mail.ru domain to Mail.ru - 2 upvotes, $0
donationalerts.com limitations bypass to Mail.ru - 2 upvotes, $0
[staging.tarantool.org] Github Pages Subdomain-take-over to Mail.ru - 2 upvotes, $0
CRLF Injection in 301 Redirect allow to Set-Cookies for mail.ru to Mail.ru - 2 upvotes, $0
Improper access control leading to deletion of Greeting videos on {https://smtp.8mar.mail.ru/} to Mail.ru - 2 upvotes, $0
Subdomain takeover at msproject.geekbrains.ru to Mail.ru - 2 upvotes, $0
Bypass OTP on contact back request at https://driver.city-mobil.ru/ to Mail.ru - 2 upvotes, $0
IDOR позволяет изменить информацию о пользователе. to Mail.ru - 2 upvotes, $0
[garnier-olia.lady.mail.ru] Reflected XSS /exp/ bypass "/" to Mail.ru - 2 upvotes, $0
[api.33slona.ru] Доступ к API из за неправильной конфигурации сервера 302 редирет. to Mail.ru - 2 upvotes, $0
Information Disclosure on qa-delivery-srv.plazius.ru to Mail.ru - 2 upvotes, $0
Information Disclosure on www7.promo.plazius.ru to Mail.ru - 2 upvotes, $0
e.mail.ru: File upload "Chapito" circus to Mail.ru - 1 upvotes, $1000
touch.mail.ru XSS via message id to Mail.ru - 1 upvotes, $500
XSS: https://light.mail.ru/compose, https://m.mail.ru/compose/[id]/reply при ответе на специальным образом сформированное письмо to Mail.ru - 1 upvotes, $500
reflected in xss to Mail.ru - 1 upvotes, $500
e.mail.ru: SMS spam with custom content to Mail.ru - 1 upvotes, $400
store-agent.mail.ru: stacked blind injection to Mail.ru - 1 upvotes, $400
Stored XSS on http://top.mail.ru to Mail.ru - 1 upvotes, $300
Home page reflected XSS to Mail.ru - 1 upvotes, $250
SSRF на element.mail.ru to Mail.ru - 1 upvotes, $250
"blog.skillfactory.ru" Vulnerable to Directory Traversal to Mail.ru - 1 upvotes, $250
tt-mac.i.mail.ru: Quagga 0.99.23.1 (Router) : Default password and default enable password to Mail.ru - 1 upvotes, $200
SQL inj to Mail.ru - 1 upvotes, $150
localStorage не чистится после выхода to Mail.ru - 1 upvotes, $150
Stored XSS on http://cards.mail.ru to Mail.ru - 1 upvotes, $150
scfbp.tng.mail.ru: Heartbleed to Mail.ru - 1 upvotes, $150
[parapa.mail.ru] SQL Injection to Mail.ru - 1 upvotes, $150
[allods.my.com] SSRF / XSPA to Mail.ru - 1 upvotes, $150
[3k.mail.ru] SQL Injection to Mail.ru - 1 upvotes, $150
SQL Injection to Mail.ru - 1 upvotes, $150
[tidaltrek.mail.ru] SQL Injection to Mail.ru - 1 upvotes, $150
This Github Repository Seems Leaking Incoming Samokat Project to Mail.ru - 1 upvotes, $150
Exposed Credentials May Leads to Tarantool Infrastructure Leak to Mail.ru - 1 upvotes, $150
Раскрытие номера мобильного телефона при двухфакторной аутентификации to Mail.ru - 1 upvotes, $100
Unproper usage of Mobile Number that will lead to Information Disclosure to Mail.ru - 1 upvotes, $0
Persistent XSS in afisha.mail.ru to Mail.ru - 1 upvotes, $0
Flash XSS - http://hi-tech.mail.ru/ to Mail.ru - 1 upvotes, $0
XSS in "About Video" to Mail.ru - 1 upvotes, $0
Reflected XSS to Mail.ru - 1 upvotes, $0
rs.mail.ru - Flash Based XSS to Mail.ru - 1 upvotes, $0
Version Disclosure (NginX) to Mail.ru - 1 upvotes, $0
Content Spoofing vulnerability in Mail.ru mobile to Mail.ru - 1 upvotes, $0
Перечисление каталогов за счёт уязвимости в IIS to Mail.ru - 1 upvotes, $0
files.mail.ru: XSS to Mail.ru - 1 upvotes, $0
Не уверен, что этому место на периметре: 94.100.180.95, 94.100.180.96, 94.100.180.97, 94.100.180.98 to Mail.ru - 1 upvotes, $0
/surveys/2auth: DOM-based XSS to Mail.ru - 1 upvotes, $0
help2.m.smailru.net: XSS to Mail.ru - 1 upvotes, $0
Reflective Xss on news.mail.ru and admin.news.mail.ru to Mail.ru - 1 upvotes, $0
Выполнение кода PHP через FastCGI to Mail.ru - 1 upvotes, $0
Flash XSS на old.corp.mail.ru to Mail.ru - 1 upvotes, $0
Multiple vulnerabilities in mail.ru subdomains to Mail.ru - 1 upvotes, $0
Insecure cookies without httpOnly flag set to Mail.ru - 1 upvotes, $0
Утечка информации через JSONP (XXSI) to Mail.ru - 1 upvotes, $0
Reflected XSS @ games.mail.ru to Mail.ru - 1 upvotes, $0
[legal.my.com] Reflected XSS to Mail.ru - 1 upvotes, $0
[allods.my.com] Reflected XSS to Mail.ru - 1 upvotes, $0
[id.my.com] Reflected XSS to Mail.ru - 1 upvotes, $0
[furry.aw.my.com] Reflected XSS to Mail.ru - 1 upvotes, $0
[evo2.my.com] Reflected XSS to Mail.ru - 1 upvotes, $0
[evo.my.com] Reflected XSS to Mail.ru - 1 upvotes, $0
[mg.my.com] Reflected XSS to Mail.ru - 1 upvotes, $0
[support.my.com] Reflected XSS to Mail.ru - 1 upvotes, $0
[wos.my.com] Reflected XSS to Mail.ru - 1 upvotes, $0
[account.my.com] Reflected XSS to Mail.ru - 1 upvotes, $0
[lucky-fields.my.com] Reflected XSS to Mail.ru - 1 upvotes, $0
[sf.my.com] Reflected XSS to Mail.ru - 1 upvotes, $0
[games.my.com] Reflected XSS to Mail.ru - 1 upvotes, $0
[dl.beepcar.ru] CRLF Injection to Mail.ru - 1 upvotes, $0
Cross-Site Request Forgery to Mail.ru - 1 upvotes, $0
сервант статус to Mail.ru - 1 upvotes, $0
phpinfo to Mail.ru - 1 upvotes, $0
XSS to Mail.ru - 1 upvotes, $0
[performancemarketing.geekbrains.ru] Tilda Subdomain Takeover to Mail.ru - 1 upvotes, $0
Social Oauth Disconnect CSRF at znakcup.ru to Mail.ru - 1 upvotes, $0
XSS via .eml file to Mail.ru - 0 upvotes, $1337
https://217.69.135.63/rb/: money.mail.ru sources disclosure to Mail.ru - 0 upvotes, $1000
XSS in a file or folder name to Mail.ru - 0 upvotes, $500
e.mail.ru stored XSS in agent via sticker (smile) to Mail.ru - 0 upvotes, $500
auth.mail.ru: XSS in login form to Mail.ru - 0 upvotes, $500
http://fitter1.i.mail.ru/browser/ торчит Graphite в мир to Mail.ru - 0 upvotes, $400
lenta_proxy information disclosure to Mail.ru - 0 upvotes, $400
[api.allodsteam.com] Authentication Data to Mail.ru - 0 upvotes, $300
[afisha.mail.ru] SQL Injection to Mail.ru - 0 upvotes, $300
SQL injection [дырка в движке форума] to Mail.ru - 0 upvotes, $200
Time based sql injection to Mail.ru - 0 upvotes, $200
Possible xWork classLoader RCE: shared.mail.ru to Mail.ru - 0 upvotes, $200
Stored XSS through fileupload to Mail.ru - 0 upvotes, $200
money.mail.ru: Странное поведение SMS to Mail.ru - 0 upvotes, $150
cloud.mail.ru: File upload XSS using Content-Type header to Mail.ru - 0 upvotes, $150
Heartbleed: my.com (185.30.178.33) port 1433 to Mail.ru - 0 upvotes, $150
HDFS NameNode Public disclosure: http://185.5.139.33:50070/dfshealth.jsp to Mail.ru - 0 upvotes, $150
Hadoop Node available to public to Mail.ru - 0 upvotes, $150
http://tp-dev1.tp.smailru.net/ to Mail.ru - 0 upvotes, $150
[cfire.mail.ru] Time Based SQL Injection to Mail.ru - 0 upvotes, $150
Time-Based Blind SQL Injection Attacks to Mail.ru - 0 upvotes, $150
Пользователь с правами Менеджер может получить Список сотрудников всех кост центров и Удалять пользователей всех кост центров to Mail.ru - 0 upvotes, $150
m.agent.mail.ru: Подделываем j2me app-descriptor to Mail.ru - 0 upvotes, $100
No CSRF token used in Phone Verification POST to Mail.ru - 0 upvotes, $0
Xss On http://my.mail.ru/ to Mail.ru - 0 upvotes, $0
Clicjacking on Login panel to Mail.ru - 0 upvotes, $0
Reflected XSS to Mail.ru - 0 upvotes, $0
Reflected XSS in User-Agent to Mail.ru - 0 upvotes, $0
(m.mail.ru) Password type input with auto-complete enabled to Mail.ru - 0 upvotes, $0
Раскрытие путей сервера за счёт неопределённого индекса в сценарии /home/berserk-online.com/public_html/forum/Themes/berserker/Profile.template.php to Mail.ru - 0 upvotes, $0
Нежелательная информация to Mail.ru - 0 upvotes, $0
XSS Vulnerability in cfire.mail.ru/screen/1/ to Mail.ru - 0 upvotes, $0
XSS in realty.mail.ru to Mail.ru - 0 upvotes, $0
XSS in ad.mail.ru to Mail.ru - 0 upvotes, $0
XSS in touch.sports.mail.ru to Mail.ru - 0 upvotes, $0
api.video.mail.ru: XSS to Mail.ru - 0 upvotes, $0
touch.afisha.mail.ru: XSS to Mail.ru - 0 upvotes, $0
my.mail.ru: HTTP Header Injection to Mail.ru - 0 upvotes, $0
target.mail.ru: XSS через Referer to Mail.ru - 0 upvotes, $0
target.mail.ru: XSS to Mail.ru - 0 upvotes, $0
files.mail.ru: HTTP Header Injection to Mail.ru - 0 upvotes, $0
3k.mail.ru: XSS to Mail.ru - 0 upvotes, $0
http://217.69.136.200/?p=2&c=Fetcher%20cluster&h=fetcher1.mail.ru to Mail.ru - 0 upvotes, $0
GET /surveys/2auth: XSS to Mail.ru - 0 upvotes, $0
[riot.mail.ru] Reflected XSS in debug-mode to Mail.ru - 0 upvotes, $0
Flash XSS on img.mail.ru to Mail.ru - 0 upvotes, $0
Cross Site Scripting to Mail.ru - 0 upvotes, $0
Получаем все домены и поддомены icq с помощью amazonaws.com [config,txt] to Mail.ru - 0 upvotes, $0
пхпинфо to Mail.ru - 0 upvotes, $0
SVN repository to Mail.ru - 0 upvotes, $0
Self XSS via help.mail.ru interface to Mail.ru - 0 upvotes, $0
Information Disclosure to Mail.ru - 0 upvotes, $0
Information Disclosure to Mail.ru - 0 upvotes, $0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

TOPMAILRU.md

TOPMAILRU.md

Files

TOPMAILRU.md

Latest commit

History

TOPMAILRU.md

File metadata and controls