(cache)CWE Discovery | HackerOne

Overview CVE Discovery CWE Discovery

CWE Discovery

The Common Weakness Enumeration Discovery Index shows platform-wide data of instances, and severity and remediation time distributions. CWE data extracted every 24 hours.

CWE ID	Name	Number of reports
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	108,451
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor	76,229
CWE-284	Improper Access Control	42,753
CWE-639	Authorization Bypass Through User-Controlled Key	25,978
CWE-657	Violation of Secure Design Principles	22,155
CWE-287	Improper Authentication	21,802
CWE-601	URL Redirection to Untrusted Site ('Open Redirect')	15,878
CWE-352	Cross-Site Request Forgery (CSRF)	15,586
CWE-89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	11,223
CWE-94	Improper Control of Generation of Code ('Code Injection')	8,494
CWE-918	Server-Side Request Forgery (SSRF)	8,092
CWE-285	Improper Authorization	6,770
CWE-307	Improper Restriction of Excessive Authentication Attempts	6,686
CWE-400	Uncontrolled Resource Consumption	6,393
CWE-444	Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')	6,249
CWE-922	Insecure Storage of Sensitive Information	5,604
CWE-20	Improper Input Validation	5,408
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	5,006
CWE-312	Cleartext Storage of Sensitive Information	4,960
CWE-77	Improper Neutralization of Special Elements used in a Command ('Command Injection')	4,699
CWE-610	Externally Controlled Reference to a Resource in Another Sphere	4,566
CWE-215	Insertion of Sensitive Information Into Debugging Code	4,546
CWE-80	Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	4,219
CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer	4,066
CWE-99	Improper Control of Resource Identifiers ('Resource Injection')	3,747

1-25 of 968

CWE-610

Externally Controlled Reference to a Resource in Another Sphere

Report Submissions (12 week)

Submissions
Moving average

Total unique reports (all time)

4,566

Unique reports in last 12 weeks

240

12 week change

+17%

Data from Jan 24, 2025 - Apr 18, 2025

View on cwe.mitre.org

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Reports are from public programs that are marked as closed, disclosed, bounty awarded, and swag awarded.

Externally Controlled Reference to a Resource in Another Sphere

High

Resolved

Subdomain takeover of mydailydev.starbucks.com

Bug reported by

was disclosed

6 years ago

Externally Controlled Reference to a Resource in Another Sphere

Externally Controlled Reference to a Resource in Another Sphere

High

Resolved

Externally Controlled Reference to a Resource in Another Sphere

Low

Resolved

Linkedin Broken Link Hijacking on https://hemi.xyz/about

Bug reported by

was disclosed

2 months ago

Externally Controlled Reference to a Resource in Another Sphere

The LinkedIn account link for a team member on the https://hemi.xyz/about page pointed to a non-existent LinkedIn account. This summary was automatically generated.

Externally Controlled Reference to a Resource in Another Sphere

Low

Resolved

Externally Controlled Reference to a Resource in Another Sphere

High

Resolved

Subdomain takeover of v.zego.com

Bug reported by

was disclosed

4 years ago

Externally Controlled Reference to a Resource in Another Sphere

The subdomain v.zego.com pointed to an AWS EC2 instance that no longer existed, allowing an attacker to take control of the IP address and serve arbitrary/malicious content to any customers or servers pointing to the domain. This could have a high impact, especially if the domain is whitelisted for OAuth or if there are cookies scoped to the entire domain. This summary was automatically generated.

Externally Controlled Reference to a Resource in Another Sphere

High

Resolved

Externally Controlled Reference to a Resource in Another Sphere

None

$500

Resolved

Deprecated Hacker101 coursework repository mentions Heroku App that is susceptible to takeover

Bug reported by

was disclosed

6 years ago

Externally Controlled Reference to a Resource in Another Sphere

Externally Controlled Reference to a Resource in Another Sphere

None

$500

Resolved

Externally Controlled Reference to a Resource in Another Sphere

Low

Resolved

Acquisition on broken link listed on the page "https://docs.doppler.com/docs/removal-deprecated-packages-scripts in [scheduling a call]

Bug reported by

was disclosed

11 months ago

Externally Controlled Reference to a Resource in Another Sphere

The report describes a broken link on the Doppler documentation website. The broken link was located on the page "https://docs.doppler.com/docs/removal-deprecated-packages-scripts" in the "scheduling a call" section. The broken link pointed to "https://calendly.com/doppler-ryan/onsite-install", which returned a 404 error. The reporter created a fake account with the name "Page Acquisition by Joao Gomes" on the broken link in order to demonstrate the issue. This summary was automatically generated.

Externally Controlled Reference to a Resource in Another Sphere

Low

Resolved

Externally Controlled Reference to a Resource in Another Sphere

Low

Resolved

wavecell.com: Broken Link Hijacking / Instagram Takeover @██

Bug reported by

was disclosed

2 years ago

Externally Controlled Reference to a Resource in Another Sphere

Externally Controlled Reference to a Resource in Another Sphere

Low

Resolved

Externally Controlled Reference to a Resource in Another Sphere

Low

Resolved

Social media account takeover

Bug reported by

was disclosed

6 months ago

Externally Controlled Reference to a Resource in Another Sphere

The social media account for https://simfy.africa was taken over, allowing the attacker to redirect visitors to their own Instagram account. This vulnerability was demonstrated through a proof of concept video. This summary was automatically generated.

Externally Controlled Reference to a Resource in Another Sphere

Low

Resolved

Externally Controlled Reference to a Resource in Another Sphere

None

Resolved

Broken X (Twitter) link on hemi.xyz/about

Bug reported by

was disclosed

2 months ago

Externally Controlled Reference to a Resource in Another Sphere

Externally Controlled Reference to a Resource in Another Sphere

None

Resolved

Palo Alto Software

Externally Controlled Reference to a Resource in Another Sphere

Medium

Resolved

Subdomain takeover of www2.growasyouplan.com

Bug reported by

was disclosed

4 years ago

Externally Controlled Reference to a Resource in Another Sphere

The www2.growasyouplan.com subdomain pointed to an AWS EC2 instance that no longer existed, allowing an attacker to take control of the IP address and serve arbitrary/malicious content to any customers or servers pointing to the domain. This could have a high impact, especially if the domain is whitelisted for OAuth or if there are cookies scoped to the entire domain. This summary was automatically generated.

Externally Controlled Reference to a Resource in Another Sphere

Medium

Resolved

1-9 of 9