IT Security Acknowledgements

The MediaTek Security Team would like to thank the following people and parties for making a responsible disclosure to us and helping to improve MediaTek security.

To report a vulnerability, please send us an email. Reported issues will usually be addressed within the next 90 days. Updates will be provided when available; status requests may be ignored [2].

| CVSS [1] | Details | Contributors [2] |
|---|---|---|
| 9.3 | Website improper data handling. | Jorge Eduardo Núñez Pérez (@lainchxn) |
| 5.3 | Web server misconfiguration. | Biswajeet Ray (@biswajeetray7) |
| 4.7 | Web server misconfiguration. | Ofir Moskovitch |
| 5.3 | DNS misconfiguration. | Suryaprakash Palanisamy (@gpsurya) |
| 5.3 | Web server misconfiguration. | Mehmet Ali UMUCU (@denizkarasenbeyaz) |
| 7.5 | DNS misconfiguration. | Suaib S (@felcity) |
| 5.3 | Unauthenticated data listing. | Foysal Ahmed Fahim |
| 5.3 | Unauthenticated data listing. | Youssef Muhammad (@yosef0x1) |
| 5.3 | Unauthenticated data listing. | Youssef Muhammad (@yosef0x1) |
| 5.3 | Web server misconfiguration. | Keyur Maheta (@keyur03) |
| 6.5 | Web server misconfiguration. | Zeyad Azima |
| 5.3 | Web service brute force attack. | InfoziantSecurity (@InfoziantSecurity) |
| 5.9 | Potential subdomain takeover. | Siddhesh Parab (@sidxparab) |
| 5.3 | Web server misconfiguration. | Jebarson Immanuel J (@jebarson_007) |
| 5.3 | Web server misconfiguration. | Gaurang Maheta (@gaurang883) |
| 4.3 | Insecure URI handling. | Mehedi Hasan Remon (@remonsec) |
| 8.7 | Web service privilege escalation. | Yuan Chang (@yuawn) |
| 5.3 | Pre-authorization arbitrary file read. | Chau Minh Khanh (@khanhchauminh) |
| 9.8 | Web service buffer overflow. | Panno Chuang (@NotSurprisedLoL) |
| 5.3 | Website directory enumeration. | Panno Chuang (@NotSurprisedLoL) |
| 7.5 | DNS misconfiguration. | Husain Murabbi, Mansoor Rangwala (Cyber_HUMANS) |
| 5.3 | Unrestricted web access. | Panno Chuang (@NotSurprisedLoL) |
| 6.6 | Insecure URI handling. | ZW Cai (@x43x61x69) |
| 9.8 | Web service RCE. | ZW Cai (@x43x61x69) |
| 9.8 | Web service RCE. | ZW Cai (@x43x61x69) |
| 9.8 | Web service RCE. | yabeow, peterjson (RedTeam@VNG Corporation) |
| 5.3 | Insecure URI handling. | Dileep Achuthan |
| 7.7 | Service DoS. | Panno Chuang (@NotSurprisedLoL) |
| 5.3 | Arbitrary directory enumeration. | Panno Chuang (@NotSurprisedLoL) |
| 6.5 | Unrestricted web access. | ZW Cai (@x43x61x69) |
| 6.5 | Unauthenticated data listing. | ZW Cai (@x43x61x69) |
| 4.3 | Unrestricted web access. | ZW Cai (@x43x61x69) |
| 9.3 | Shell misconfiguration. | ZW Cai (@x43x61x69) |
| 5.8 | (Subsidiary) Web server misconfiguration. | Mohammed Adam (@iam_amdadam) |
| 3.5 | Website reflected XSS. | Panno Chuang (@NotSurprisedLoL) |
| 8.8 | Web service RCE. | Panno Chuang (@NotSurprisedLoL) |
| 4.3 | Website XSS. | Panno Chuang (@NotSurprisedLoL) |
| 5.3 | Website directory enumeration. | Panno Chuang (@NotSurprisedLoL) |
| 8.8 | Website SQL injection. | Panno Chuang (@NotSurprisedLoL) |
| 7.5 | Website information leakage. | Panno Chuang (@NotSurprisedLoL) |
| 7.3 | Website arbitrary entry deletion. | Yu-Cheng Lin |
| 5.3 | Unauthenticated data listing. | Mohammed Adam (@iam_amdadam) |
| 4.3 | Insecure URI handling. | Gaurang Maheta (@gaurang883) |
| 3.1 | Website XSS. | John Fiel Brosas (@r00t.ssh) |
| 8.8 | Web service arbitrary access origin. | ZW Cai (@x43x61x69) |
| 4.3 | Web server arbitrary debug message. | RAAJESH G (@RaajeshOffical) |
| 5.8 | Web server misconfiguration. | Gaurang Maheta (@gaurang883) |
| 7.5 | Website XSS. | Nam HaBach |
| 9.8 | Website SQL injection. | Nam HaBach |
| 6.6 | Insecure URI handling. | ZW Cai (@x43x61x69) |
| 6.6 | Insecure URI handling. | Yu-Cheng Lin |
| 6.8 | Potential subdomain takeover. | Chirag Naresh Soni (@Chirag0x22) |
| 3.5 | (Subsidiary) Website improper form validation. | Nitin Gavhane (@Nitin34627556) |
| 5.3 | Web API improper access control. | Santosh Bobade (@Santosh88267387) |
| 5.3 | (Subsidiary) Website potential DoS. | Nitin Gavhane (@Nitin34627556) |
| 5.3 | (Subsidiary) Insecure website policy. | Nitin Gavhane (@Nitin34627556) |
| 6.5 | Third-party services improper access control. | Mohammed Israil (@mdisrail2468) |
| 7.4 | Web service without access control. | ZW Cai (@x43x61x69) |
| 5.9 | Potential subdomain takeover. | Shoeb Raseed Shaikh (@official_shoeb) |
| 7.5 | Web server misconfiguration. | Blacksolo (@MBlacksolo) |
| 9.8 | Web services RCE. | RedTeam@ISO from VNG Corporation |
| 4.3 | Website configuration vulnerability. | Santosh Bobade (@Santosh88267387) |
| 9.8 | Web services RCE. | Tuan Anh Nguyen (@haxor31337) |
| 9.1 | Web services unauthenticated arbitrary file deletion. | Raisul Islam Reyad (@m4m4r4i5ul) |
| 7.5 | Web services read-only path traversal. | Raisul Islam Reyad (@m4m4r4i5ul) |
| 5.3 | Website directory listing. | Aswin Krishna (@733n_wolf) |
| 5.3 | Website improper error handling. | Siddhesh Sonje |
| 7.5 | Web form security measure bypass. | Anmol K Sachan (@FR13ND0x7F) |
| 3.1 | Web server misconfiguration. | Ravindra Dagale |
| 5.3 | Web server misconfiguration. | Siddhesh Sonje |
| 5.3 | Website directory listing. | Kabeer Saxena (@iTheKabeer) |
| 7.5 | Arbitrary denial of service attack. | Yu-Cheng Lin |
| 5.3 | Website user enumeration. | Gourab Sadhukhan |
| 4.3 | Website configuration vulnerability. | Gourab Sadhukhan (@gourab-sadhukhan-71158216a) |
| 7.4 | Insecure URI handling. | Prajwal Khante (@khanteprajwal) |
| 5.8 | Insecure web form design. | Ayushi Poreddiwar |
| 4.3 | Website configuration vulnerability. | Ayushi Poreddiwar |
| 3.1 | Insecure cookie configuration. | Amit Kumar |
| 4.3 | Website configuration vulnerability. | ZW Cai (@x43x61x69) |
| 5.5 | Insecure session handling. | VIVEK PANDAY |
| 6.5 | Website form design flaw. | Ankit Jeetendra Bhanushali |
| 4.3 | Website configuration vulnerability. | Pritam Mukherjee (@pritam-mukherjee-urvil) |
| 4.3 | Website configuration vulnerability. | Jasmeet Singh (@jasmeetsingh01) |
| 4.3 | Website configuration vulnerability. | Akash Rajendra Patil (@skypatil98) |
| 3.0 | Website insecure referer handling. | Vikas Srivastava (@007vikaxh) |
| 4.3 | Website configuration vulnerability. | Girish Khamkar |
| 6.5 | Website CSP bypass. | Zeyad Azima |
| 6.5 | Improper authentication scope and website configuration vulnerability. | ZW Cai (@x43x61x69) |
| 6.6 | Broken authentication and session management. | Ashwin V |
| 6.4 | Improper session token handling. | Ashwin V |
| 7.5 | Website session hijacking. | Ashwin V |
| 4.3 | Website configuration vulnerability. | Sakshi Patil |
| 6.8 | Upload file type limitation bypass. | Celebrimbor |
| 6.1 | Website XSS. | Alan Abhilash (@alan_abhilash) |
| 5.3 | Web server misconfiguration. | Ahmed Salah Abdalhfaz (@mazoka777) |
[1] Scores are based on the Common Vulnerability Scoring System (CVSS).

[2] Due to company policies, only the name and handle of each researcher may be listed. Other information, including but not limited to hyperlinks and email addresses, which could potentially lead to security, legal, or political issues, is not allowed. Duplicate reports that contain no previously unknown information will not be acknowledged. Demanding acknowledgement is grounds for disqualification.

All submissions undergo scrutiny, and credit is given only to those determined to be eligible.
MediaTek reserves the right, at its discretion, to change, modify, add, or remove portions of the terms of eligibility or information on this page at any time.