IT Security Acknowledgements

The MediaTek Security Team would like to thank the following people and parties for making a responsible disclosure to us and helping to improve MediaTek security.

To report a vulnerability, please send us an email. Reported issues are usually addressed within 90 days. Updates will be provided when available; status requests may be ignored [2].

| Event ID | CVSS [1] | Details | Contributors [2] |
|---|---|---|---|
| MVR-2021-0097 | 5.3 | Web server misconfiguration. | Gaurang Maheta (@gaurang883) |
| MVR-2021-0096 | 4.3 | Insecure URI handling. | Mehedi Hasan Remon (@remonsec) |
| MVR-2021-0095 | 8.7 | Webservice privilege escalation. | Yuan Chang (@yuawn) |
| MVR-2021-0093 | 5.3 | Pre-authorization arbitrary file read. | Chau Minh Khanh (@khanhchauminh) |
| MVR-2021-0092 | 9.8 | Webservice buffer overflow. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0091 | 5.3 | Website directory enumeration. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0089 | 7.5 | DNS misconfiguration. | Husain Murabbi, Mansoor Rangwala (Cyber_HUMANS) |
| MVR-2021-0088 | 5.3 | Unrestricted web access. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0086 | 6.6 | Insecure URI handling. | ZW Cai (@x43x61x69) |
| MVR-2021-0085 | 9.8 | Web service RCE. | ZW Cai (@x43x61x69) |
| MVR-2021-0083 | 9.8 | Web service RCE. | ZW Cai (@x43x61x69) |
| MVR-2021-0082 | 9.8 | Web service RCE. | yabeow, peterjson (RedTeam@VNG Corporation) |
| MVR-2021-0081 | 5.3 | Insecure URI handling. | Dileep Achuthan |
| MVR-2021-0079 | 7.7 | Service DoS. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0078 | 5.3 | Arbitrary directories enumeration. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0075 | 6.5 | Unrestricted web access. | ZW Cai (@x43x61x69) |
| MVR-2021-0074 | 6.5 | Unauthenticated data listing. | ZW Cai (@x43x61x69) |
| MVR-2021-0073 | 4.3 | Unrestricted web access. | ZW Cai (@x43x61x69) |
| MVR-2021-0072 | 9.3 | Shell misconfiguration. | ZW Cai (@x43x61x69) |
| MVR-2021-0069 | 5.8 | (Subsidiary) Web server misconfiguration. | Mohammed Adam (@iam_amdadam) |
| MVR-2021-0067 | 3.5 | Website reflected-XSS. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0065 | 8.8 | Web service RCE. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0064 | 4.3 | Website XSS. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0063 | 5.3 | Website directory enumeration. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0062 | 8.8 | Website SQL injection. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0061 | 7.5 | Website information leakage. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0060 | 7.3 | Website arbitrary entry deletion. | Yu-Cheng Lin |
| MVR-2021-0059 | 5.3 | Unauthenticated data listing. | Mohammed Adam (@iam_amdadam) |
| MVR-2021-0058 | 4.3 | Insecure URI handling. | Gaurang Maheta (@gaurang883) |
| MVR-2021-0051 | 3.1 | Website XSS. | John Fiel Brosas (@r00t.ssh) |
| MVR-2021-0050 | 8.8 | Web service arbitrary access origin. | ZW Cai (@x43x61x69) |
| MVR-2021-0049 | 4.3 | Web server arbitrary debug message. | RAAJESH G (@RaajeshOffical) |
| MVR-2021-0048 | 5.8 | Web server misconfiguration. | Gaurang Maheta (@gaurang883) |
| MVR-2021-0047 | 7.5 | Website XSS. | Nam HaBach |
| MVR-2021-0046 | 9.8 | Website SQL injection. | Nam HaBach |
| MVR-2021-0045 | 6.6 | Insecure URI handling. | ZW Cai (@x43x61x69) |
| MVR-2021-0044 | 6.6 | Insecure URI handling. | Yu-Cheng Lin |
| MVR-2021-0043 | 6.8 | Potential sub-domain takeover. | Chirag Naresh Soni (@Chirag0x22) |
| MVR-2021-0041 | 3.5 | (Subsidiary) Website improper form validation. | Nitin Gavhane (@Nitin34627556) |
| MVR-2021-0040 | 5.3 | Web API improper access control. | Santosh Bobade (@Santosh88267387) |
| MVR-2021-0039 | 5.3 | (Subsidiary) Website potential DoS. | Nitin Gavhane (@Nitin34627556) |
| MVR-2021-0038 | 5.3 | (Subsidiary) Insecure website policy. | Nitin Gavhane (@Nitin34627556) |
| MVR-2021-0037 | 6.5 | 3rd-party services improper access control. | Mohammed Israil (@mdisrail2468) |
| MVR-2021-0036 | 7.4 | Web service without access control. | ZW Cai (@x43x61x69) |
| MVR-2021-0035 | 5.9 | Potential subdomain takeover. | Shoeb Raseed Shaikh (@official_shoeb) |
| MVR-2021-0034 | 7.5 | Web server misconfiguration. | Blacksolo (@MBlacksolo) |
| MVR-2021-0033 | 9.8 | Web services RCE. | RedTeam@ISO from VNG Corporation |
| MVR-2021-0032 | 4.3 | Website configuration vulnerability. | Santosh Bobade (@Santosh88267387) |
| MVR-2021-0031 | 9.8 | Web services RCE. | Tuan Anh Nguyen (@haxor31337) |
| MVR-2021-0030 | 9.1 | Web services unauthenticated arbitrary file deletion. | Raisul Islam Reyad (@m4m4r4i5ul) |
| MVR-2021-0029 | 7.5 | Web services read-only path traversal. | Raisul Islam Reyad (@m4m4r4i5ul) |
| MVR-2021-0028 | 5.3 | Website directory listing. | Aswin Krishna (@733n_wolf) |
| MVR-2021-0027 | 5.3 | Website improper error handling. | Siddhesh Sonje |
| MVR-2021-0026 | 7.5 | Web form security measure bypass. | Anmol K Sachan (@FR13ND0x7F) |
| MVR-2021-0025 | 3.1 | Web server misconfiguration. | Ravindra Dagale |
| MVR-2021-0024 | 5.3 | Web server misconfiguration. | Siddhesh Sonje |
| MVR-2021-2023 | 5.3 | Website directory listing. | Kabeer Saxena (@iTheKabeer) |
| MVR-2021-0022 | 7.5 | Arbitrary denial of service attack. | Yu-Cheng Lin |
| MVR-2021-0021 | 5.3 | Website user enumeration. | Gourab Sadhukhan |
| MVR-2021-0020 | 4.3 | Website configuration vulnerability. | Gourab Sadhukhan (@gourab-sadhukhan-71158216a) |
| MVR-2021-0019 | 7.4 | Insecure URI handling. | Prajwal Khante (@khanteprajwal) |
| MVR-2021-0018 | 5.8 | Insecure web form design. | Ayushi Poreddiwar |
| MVR-2021-0017 | 4.3 | Website configuration vulnerability. | Ayushi Poreddiwar |
| MVR-2021-0016 | 3.1 | Insecure cookie configuration. | Amit Kumar |
| MVR-2021-0015 | 4.3 | Website configuration vulnerability. | ZW Cai (@x43x61x69) |
| MVR-2021-0014 | 5.5 | Insecure session handling. | VIVEK PANDAY |
| MVR-2021-0013 | 6.5 | Website form design flaw. | Ankit Jeetendra Bhanushali |
| MVR-2021-0012 | 4.3 | Website configuration vulnerability. | Pritam Mukherjee (@pritam-mukherjee-urvil) |
| MVR-2021-0011 | 4.3 | Website configuration vulnerability. | Jasmeet Singh (@jasmeetsingh01) |
| MVR-2021-0010 | 4.3 | Website configuration vulnerability. | Akash Rajendra Patil (@skypatil98) |
| MVR-2021-0009 | 3.0 | Website insecure referer handling. | Vikas Srivastava (@007vikaxh) |
| MVR-2021-0008 | 4.3 | Website configuration vulnerability. | Girish Khamkar |
| MVR-2021-0007 | 6.5 | Website CSP bypass. | Zeyad Azima |
| MVR-2021-0006 | 6.5 | Improper authentication scope and website configuration vulnerability. | ZW Cai (@x43x61x69) |
| MVR-2021-0005 | 6.6 | Broken authentication and session management. | Ashwin V |
| MVR-2021-0004 | 6.4 | Improper session token handling. | Ashwin V |
| MVR-2021-0003 | 7.5 | Website session hijacking. | Ashwin V |
| MVR-2021-0002 | 4.3 | Website configuration vulnerability. | Sakshi Patil |
| MVR-2020-0003 | 6.8 | Upload filetype limitation bypass. | Celebrimbor |
| MVR-2020-0002 | 6.1 | Website XSS. | Alan Abhilash (@alan_abhilash) |
| MVR-2020-0001 | 5.3 | Web server misconfiguration. | Ahmed Salah Abdalhfaz (@mazoka777) |
[1] Scores are based on the Common Vulnerability Scoring System (CVSS).

[2] Due to company policies, only the name and handle of each researcher are listed. Other information, including but not limited to hyperlinks and email addresses, which could potentially lead to security, legal, or political issues, is not allowed. Duplicate reports without any previously unknown information will not be acknowledged. Demanding acknowledgement is grounds for disqualification.

All submissions undergo scrutiny, and credit is given only to those determined to be eligible.
MediaTek reserves the right, at its discretion, to change, modify, add, or remove portions of the terms of eligibility or the information on this page at any time.