Reports in 8x8 program:

| S.No | Title | Bounty |
|------|-------|--------|
| 1 | Access to ██████████████ due to weak credentials | $0.0 |
| 2 | Disclosure of Users Information On Wordpress Api [https://jitsi.org/] | $0.0 |
| 3 | Reflected xss on 8x8.com subdomain | $0.0 |
| 4 | (Critical) Remote Code Execution Through Old TinyMCE upload bypass | $0.0 |
| 5 | Sensitive information disclosure | $0.0 |
| 6 | Insecure OAuth redirection at [admin.8x8.vc] | $0.0 |
| 7 | Outdated Coturn is vulnerable to known vulnerabilities (High) | $0.0 |
| 8 | Xss (cross site scripting) on http://axa.dxi.eu/ | $0.0 |
| 9 | Directory listing of https://get8x8.com/ | $0.0 |
| 10 | Reflected XSS on http://axa.dxi.eu | $0.0 |
| 11 | XSS (Cross site scripting) on https://apimgr.8x8.com | $0.0 |
| 12 | Sensitive data disclosure via exposed phpunit file | $0.0 |
| 13 | Bypass Email activation on http://axa.dxi.eu | $0.0 |
| 14 | Stored XSS agent_status | $0.0 |
| 15 | xmlrpc.php file enabled | $0.0 |
| 16 | [CRITICAL] Remote code execution on http://axa.dxi.eu | $0.0 |
| 17 | [CRITICAL] Sql Injection on http://axa.dxi.eu | $0.0 |
| 18 | Blind Command Injection #1 | $0.0 |
| 19 | Post based XSS (Cross site scripting) on https://apimgr.8x8.com | $0.0 |
| 20 | Hardcoded credentials in Android App | $0.0 |
| 21 | Publicly accessible .svn repository - aastraconf.packet8.net | $0.0 |
| 22 | CRLF injection agentcrm.8x8.com | $0.0 |
| 23 | PHPinfo page on http://█████.callstats.io | $0.0 |
| 24 | Cross-site Scripting (XSS) - Reflected | $0.0 |
| 25 | Stored XSS on Company Logo | $0.0 |
| 26 | Stored Cross Site Scripting. | $0.0 |
| 27 | IDOR: Adding Contacts to Other User Groups | $0.0 |
| 28 | SQL injection (stacked queries) in the export to Excel functionality on Vidyo Server | $0.0 |
| 29 | Send Phishing/Spam email from support@sameroom.io to any email address. | $0.0 |
| 30 | Default Creds Spring Boot Admin | $0.0 |
| 31 | DOM Based XSS at docs.8x8.com | $0.0 |
| 32 | 2FA Disable With Wrong Password - Response Tampering. | $0.0 |
| 33 | Open Redirect on [blog.wavecell.com] | $0.0 |
| 34 | vidyard api auth_token exposed | $0.0 |
| 35 | Admin Reseller Account Disclosure | $0.0 |
| 36 | DNS Misconfiguration (Subdomain Takeover) ███████.8x8.com | $0.0 |
| 37 | DNS Misconfiguration (Subdomain Takeover) ███.wavecell.com | $0.0 |
| 38 | DNS Misconfiguration (Subdomain Takeover) █.staging.█.8x8.com | $0.0 |
| 39 | Subdomain takeover of ███.wavecell.com | $0.0 |
| 40 | Subdomain takeover of ████.jitsi.net | $0.0 |
| 41 | DNS Misconfiguration (Subdomain Takeover) - █████████.8x8.com | $0.0 |
| 42 | Exposed PHP dependencies at ██.8x8.com | $0.0 |
| 43 | Authentication Bypass & ApacheTomcat Misconfiguration in [██] | $0.0 |
| 44 | [jitsi-meet] Authentication Bypass when using JWT w/ public keys | $0.0 |
| 45 | Exposed kubernetes dashboard | $0.0 |
| 46 | Default credentials lead to Spring Boot Admin dashboard access | $0.0 |
| 47 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | $0.0 |
| 48 | Remote Code Execution on ██.8x8.com via .NET VSTATE Deserialization | $0.0 |
| 49 | ████ api key exposed in github.com/███/███ | $0.0 |
| 50 | Open Redirect on https://██.8x8.com/login?nextPage=%2F | $0.0 |
| 51 | F5 BIG-IP TMUI RCE - CVE-2020-5902 (██.packet8.net) | $0.0 |
| 52 | subdomain takeover (abandoned Zendesk █.easycontactnow.com) | $0.0 |
| 53 | Hardcoded AWS credentials in ███████.msi | $0.0 |
| 54 | 8x8pilot.com: Reflected XSS in Apache Tomcat /jsp-examples example directory | $0.0 |
| 55 | Open Redirect ███.8x8.com | $0.0 |
| 56 | Public Apache Tomcat /examples example directory | $0.0 |
| 57 | CVE-2019-11248 on http://█.█.█.█:9100/debug/pprof/goroutine | $0.0 |
| 58 | LFI via Jolokia at https://█.█.█.█:1293 | $0.0 |
| 59 | DLL Search-Order Hijacking Vulnerability in work-64-exe-v7.16.3-1.exe | $0.0 |
| 60 | Directory Listing vulnerability on █.packet8.net/php/include/ | $0.0 |
| 61 | Subdomain Takeover at http://██.get8x8.com/ | $0.0 |
| 62 | Directory Listing at https://█.█.█.█ | $0.0 |
| 63 | Unprotected Atlantis Server at https://152.70.█.█ | $0.0 |
| 64 | wavecell.com: Broken Link Hijacking / Instagram Takeover @██ | $0.0 |
| 65 | speedtest.8x8.com: Enabled Directory Listing | $0.0 |
| 66 | Credential leak on GitHub: https://github.com/█/█/ (Peoplesoft CRM) | $0.0 |
| 67 | xss(r) vcc-na11.8x8.com | $0.0 |
| 68 | Unprotected Atlantis Server at https://132.226.█.█ | $0.0 |
| 69 | Open Redirect - Polycom Company Directory | $0.0 |
| 70 | Unprotected Atlantis Server at https://152.70.█.█ | $0.0 |