To report a vulnerability, please send us an email. The reported issues usually will be addressed within the next 90 days. Updates will be provided when available, status requests may be ignored2.
| Event ID | CVSS1 | Details | Contributors2 |
|---|---|---|---|
| MVR-2023-0045 | 4.7 | Web server misconfiguration. | Ofir Moskovitch |
| MVR-2023-0044 | 5.3 | DNS misconfiguration. | Suryaprakash Palanisamy (@gpsurya) |
| MVR-2023-0043 | 5.3 | Web server misconfiguration. | Mehmet Ali UMUCU (@denizkarasenbeyaz) |
| MVR-2023-0007 | 7.5 | DNS misconfiguration. | Suaib S (@felcity) |
| MVR-2023-0002 | 5.3 | Unauthenticated data listing. | Foysal Ahmed Fahim |
| MVR-2022-0017 | 5.3 | Unauthenticated data listing. | Youssef Muhammad (@yosef0x1) |
| MVR-2022-0016 | 5.3 | Unauthenticated data listing. | Youssef Muhammad (@yosef0x1) |
| MVR-2022-0015 | 5.3 | Web server misconfiguration. | Keyur Maheta (@keyur03) |
| MVR-2022-0014 | 6.5 | Web server misconfiguration. | Zeyad Azima |
| MVR-2022-0013 | 5.3 | Web service brute force attack. | InfoziantSecurity (@InfoziantSecurity) |
| MVR-2022-0010 | 5.9 | Potential subdomain takeover. | Siddhesh Parab (@sidxparab) |
| MVR-2021-0098 | 5.3 | Web server misconfiguration. | Jebarson Immanuel J (@jebarson_007) |
| MVR-2021-0097 | 5.3 | Web server misconfiguration. | Gaurang Maheta (@gaurang883) |
| MVR-2021-0096 | 4.3 | Insecure URI handling. | Mehedi Hasan Remon (@remonsec) |
| MVR-2021-0095 | 8.7 | Webservice privilege escalation. | Yuan Chang (@yuawn) |
| MVR-2021-0093 | 5.3 | Pre-authorization arbitrary file read. | Chau Minh Khanh (@khanhchauminh) |
| MVR-2021-0092 | 9.8 | Webservice buffer overflow. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0091 | 5.3 | Website directory enumeration. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0089 | 7.5 | DNS misconfiguration. | Husain Murabbi, Mansoor Rangwala (Cyber_HUMANS) |
| MVR-2021-0088 | 5.3 | Unrestricted web access. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0086 | 6.6 | Insecure URI handling. | ZW Cai (@x43x61x69) |
| MVR-2021-0085 | 9.8 | Web service RCE. | ZW Cai (@x43x61x69) |
| MVR-2021-0083 | 9.8 | Web service RCE. | ZW Cai (@x43x61x69) |
| MVR-2021-0082 | 9.8 | Web service RCE. | yabeow, peterjson (RedTeam@VNG Corporation) |
| MVR-2021-0081 | 5.3 | Insecure URI handling. | Dileep Achuthan |
| MVR-2021-0079 | 7.7 | Service DoS. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0078 | 5.3 | Arbitrary directories enumeration. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0075 | 6.5 | Unrestricted web access. | ZW Cai (@x43x61x69) |
| MVR-2021-0074 | 6.5 | Unauthenticated data listing. | ZW Cai (@x43x61x69) |
| MVR-2021-0073 | 4.3 | Unrestricted web access. | ZW Cai (@x43x61x69) |
| MVR-2021-0072 | 9.3 | Shell misconfiguration. | ZW Cai (@x43x61x69) |
| MVR-2021-0069 | 5.8 | (Subsidiary) Web server misconfiguration. | Mohammed Adam (@iam_amdadam) |
| MVR-2021-0067 | 3.5 | Website reflected-XSS. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0065 | 8.8 | Web service RCE. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0064 | 4.3 | Website XSS. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0063 | 5.3 | Website directory enumeration. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0062 | 8.8 | Website SQL injection. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0061 | 7.5 | Website information leakage. | Panno Chuang (@NotSurprisedLoL) |
| MVR-2021-0060 | 7.3 | Website arbitrary entry deletion. | Yu-Cheng Lin |
| MVR-2021-0059 | 5.3 | Unauthenticated data listing. | Mohammed Adam (@iam_amdadam) |
| MVR-2021-0058 | 4.3 | Insecure URI handling. | Gaurang Maheta (@gaurang883) |
| MVR-2021-0051 | 3.1 | Website XSS. | John Fiel Brosas (@r00t.ssh) |
| MVR-2021-0050 | 8.8 | Web service arbitrary access origin. | ZW Cai (@x43x61x69) |
| MVR-2021-0049 | 4.3 | Web server arbitrary debug message. | RAAJESH G (@RaajeshOffical) |
| MVR-2021-0048 | 5.8 | Web server misconfiguration. | Gaurang Maheta (@gaurang883) |
| MVR-2021-0047 | 7.5 | Website XSS. | Nam HaBach |
| MVR-2021-0046 | 9.8 | Website SQL injection. | Nam HaBach |
| MVR-2021-0045 | 6.6 | Insecure URI handling. | ZW Cai (@x43x61x69) |
| MVR-2021-0044 | 6.6 | Insecure URI handling. | Yu-Cheng Lin |
| MVR-2021-0043 | 6.8 | Potential sub-domain takeover. | Chirag Naresh Soni (@Chirag0x22) |
| MVR-2021-0041 | 3.5 | (Subsidiary) Website improper form validation. | Nitin Gavhane (@Nitin34627556) |
| MVR-2021-0040 | 5.3 | Web API improper access control. | Santosh Bobade (@Santosh88267387) |
| MVR-2021-0039 | 5.3 | (Subsidiary) Website potential DoS. | Nitin Gavhane (@Nitin34627556) |
| MVR-2021-0038 | 5.3 | (Subsidiary) Insecure website policy. | Nitin Gavhane (@Nitin34627556) |
| MVR-2021-0037 | 6.5 | 3rd-party services improper access control. | Mohammed Israil (@mdisrail2468) |
| MVR-2021-0036 | 7.4 | Web service without access control. | ZW Cai (@x43x61x69) |
| MVR-2021-0035 | 5.9 | Potential subdomain takeover. | Shoeb Raseed Shaikh (@official_shoeb) |
| MVR-2021-0034 | 7.5 | Web server misconfiguration. | Blacksolo (@MBlacksolo) |
| MVR-2021-0033 | 9.8 | Web services RCE. | RedTeam@ISO from VNG Corporation |
| MVR-2021-0032 | 4.3 | Website configuration vulnerability. | Santosh Bobade (@Santosh88267387) |
| MVR-2021-0031 | 9.8 | Web services RCE. | Tuan Anh Nguyen (@haxor31337) |
| MVR-2021-0030 | 9.1 | Web services unauthenticated arbitrary file deletion. | Raisul Islam Reyad (@m4m4r4i5ul) |
| MVR-2021-0029 | 7.5 | Web services read-only path traversal. | Raisul Islam Reyad (@m4m4r4i5ul) |
| MVR-2021-0028 | 5.3 | Website directory listing. | Aswin Krishna (@733n_wolf) |
| MVR-2021-0027 | 5.3 | Website Improper error handling | Siddhesh Sonje |
| MVR-2021-0026 | 7.5 | Web form security measure bypass. | Anmol K Sachan (@FR13ND0x7F) |
| MVR-2021-0025 | 3.1 | Web server misconfiguration. | Ravindra Dagale |
| MVR-2021-0024 | 5.3 | Web server misconfiguration. | Siddhesh Sonje |
| MVR-2021-2023 | 5.3 | Website directory listing. | Kabeer Saxena (@iTheKabeer) |
| MVR-2021-0022 | 7.5 | Arbitrary denial of service attack. | Yu-Cheng Lin |
| MVR-2021-0021 | 5.3 | Website user enumeration. | Gourab Sadhukhan |
| MVR-2021-0020 | 4.3 | Website configuration vulnerability. | Gourab Sadhukhan (@gourab-sadhukhan-71158216a) |
| MVR-2021-0019 | 7.4 | Insecure URI handling. | Prajwal Khante (@khanteprajwal) |
| MVR-2021-0018 | 5.8 | Insecure web form design. | Ayushi Poreddiwar |
| MVR-2021-0017 | 4.3 | Website configuration vulnerability. | Ayushi Poreddiwar |
| MVR-2021-0016 | 3.1 | Insecure cookie configuration. | Amit Kumar |
| MVR-2021-0015 | 4.3 | Website configuration vulnerability. | ZW Cai (@x43x61x69) |
| MVR-2021-0014 | 5.5 | Insecure session handling. | VIVEK PANDAY |
| MVR-2021-0013 | 6.5 | Website form design flaw. | Ankit Jeetendra Bhanushali |
| MVR-2021-0012 | 4.3 | Website configuration vulnerability. | Pritam Mukherjee (@pritam-mukherjee-urvil) |
| MVR-2021-0011 | 4.3 | Website configuration vulnerability. | Jasmeet Singh (@jasmeetsingh01) |
| MVR-2021-0010 | 4.3 | Website configuration vulnerability. | Akash Rajendra Patil (@skypatil98) |
| MVR-2021-0009 | 3.0 | Website insecure referer handling. | Vikas Srivastava (@007vikaxh) |
| MVR-2021-0008 | 4.3 | Website configuration vulnerability. | Girish Khamkar |
| MVR-2021-0007 | 6.5 | Website CSP bypass. | Zeyad Azima |
| MVR-2021-0006 | 6.5 | Improper authentication scope and website configuration vulnerability. | ZW Cai (@x43x61x69) |
| MVR-2021-0005 | 6.6 | Broken authentication and session management. | Ashwin V |
| MVR-2021-0004 | 6.4 | Improper session token handling. | Ashwin V |
| MVR-2021-0003 | 7.5 | Website session hijacking. | Ashwin V |
| MVR-2021-0002 | 4.3 | Website configuration vulnerability. | Sakshi Patil |
| MVR-2020-0003 | 6.8 | Upload filetype limitation bypass. | Celebrimbor |
| MVR-2020-0002 | 6.1 | Website XSS. | Alan Abhilash (@alan_abhilash) |
| MVR-2020-0001 | 5.3 | Web server misconfiguration. | Ahmed Salah Abdalhfaz (@mazoka777) |
1Scores were based on Common Vulnerability Scoring System (CVSS).
2Due to company policies, only the name and handle of the researchers are allowed. Other information, including but not limited to hyperlinks and email addresses, which could potentially lead to security, legal, or political issues, were not allowed. Duplicate reports without any previously unknown information will not be acknowledged. Demanding for acknowledgement is subject to disqualification.
All submissions must undergo scrutiny and credits would only be given if they were determined eligible.
MediaTek reserves the right, at its discretion, to change, modify, add, or remove portions of the terms of eligibility or information on this page at any time.