Reports in ubiquiti inc program:

S.No | Title | Bounty
1 | Reflected XSS in scores.ubnt.com | $0.0
2 | Open Redirect in unifi.ubnt.com [Controller Finder] | $0.0
3 | Shell Injection via Web Management Console (dl-fw.cgi) | $0.0
4 | Stored XSS in unifi.ubnt.com | $0.0
5 | Subdomain takeover on partners.ubnt.com due to non-used CloudFront DNS entry | $0.0
6 | IDOR Causing Deletion of any account | $0.0
7 | Authentication bypass on sso.ubnt.com via subdomain takeover of ping.ubnt.com | $0.0
8 | account.ubnt.com CSRF | $0.0
9 | Reflected Xss in AirMax [Nanostation Loco M2] | $0.0
10 | Subdomain Takeover (moderator.ubnt.com) | $0.0
11 | [scores.ubnt.com] DOM based XSS at form.html | $0.0
12 | Wordpress directories/files visible to internet | $0.0
13 | Weak credentials for nutty.ubnt.com | $0.0
14 | [nutty.ubnt.com] DOM Based XSS nuttyapp github-btn.html | $0.0
15 | sqli | $0.0
16 | [account-global.ubnt.com] CRLF Injection | $0.0
17 | Content Spoofing or Text Injection in (403 forbidden page injection) and Nginx version disclosure via response header | $0.0
18 | Reflected cross-site scripting (XSS) vulnerability in scores.ubnt.com allows attackers to inject arbitrary web script via p parameter. | $0.0
19 | 200 http code in 403 forbidden directories on main Ubnt.com domain | $0.0
20 | Stored XSS in community.ubnt.com | $0.0
21 | XSS via SVG file | $0.0
22 | Subdomain takeover on https://cloudfront.ubnt.com/ due to non-used CloudFront DNS entry | $0.0
23 | Can upload files without authentication on AirFibre 3.2 | $0.0
24 | AirFibre products vulnerable to HTTP Header injection | $0.0
25 | Expired SSL certificate | $0.0
26 | XSS | $0.0
27 | Reflected File Download in community.ubnt.com/restapi/ | $0.0
28 | HTML Injection on airlink.ubnt.com | $0.0
29 | CRLF Injection on openvpn.svc.ubnt.com | $0.0
30 | [EdgeSwitch] Web GUI command injection as root with Privilege-1 and Privilege-15 users | $0.0
31 | Ability to log in as any user without authentication if █████████ is empty | $0.0
32 | [dev-unifi-go.ubnt.com] Insecure CORS, Stealing Cookies | $0.0
33 | [dev-nightly.ubnt.com] Local File Reading | $0.0
34 | Stored XSS / Bypassing .htaccess protection in http://nodebb.ubnt.com/ | $0.0
35 | XSS on Nanostation Loco M2 Airmax | $0.0
36 | Unauthenticated Cross-Site Scripting in Web Management Console | $0.0
37 | Exposed API-key allows to control nightly builds of firmwares (█████████ & ████████) | $0.0
38 | Directory traversal at https://nightly.ubnt.com | $0.0
39 | Privilege escalation in the client impersonation functionality | $0.0
40 | Security: Publicly accessible x.509 Public and Private Key of Ubiquiti Networks. | $0.0
41 | Privilege Escalation: From operator to ubnt (and root) with non-interactive Session Hijacking | $0.0
42 | CSRF: Replacing the router configuration backup having an 'operator' user and bypassing the "Referer:' whitelist protection | $0.0
43 | Privilege Escalation using API->Feature | $0.0
44 | Remote Code Execution at http://tw.corp.ubnt.com | $0.0
45 | Privilege Escalation with Session Hijacking Having a Non-privileged Valid User | $0.0
46 | Command injection in the process of downloading the latest version of the cloud key firmware through the unifi management software. | $0.0
47 | UniFi Video v3.2.2 (Windows) Local Privileges Escalation due to weak default install directory ACLs | $0.0
48 | Stored XSS in dev-ucrm-billing-demo.ubnt.com In Client Custom Attribute | $0.0
49 | Stored XSS => community.ubnt.com | $0.0
50 | Unrestricted File System Access via Twig Template Injection on dev-ucrm-billing-demo.ubnt.com | $0.0
51 | Triggering RCE using XSS to bypass CSRF in PowerBeam M5 300 | $0.0
52 | Authenticated RCE in ToughSwitch | $0.0
53 | Code Execution in restricted CLI of EdgeSwitch | $0.0
54 | Format String Vulnerability in the EdgeSwitch restricted CLI | $0.0
55 | UniFi Video Server web interface Configuration Restore path traversal leading to local system compromise | $0.0
56 | Bypass blocked profile protection on aircrm.ubnt.com | $0.0
57 | Two Factor Authentication Bypass | $0.0
58 | Public Jenkins instance with /script enabled | $0.0
59 | Reflected XSS | $0.0
60 | UniFi Video Server - Arbitrary file upload as SYSTEM | $0.0
61 | UniFi Video Server - Broken access control on system configuration | $0.0
62 | UBNT Amplification DDOS Attack | $0.0
63 | EdgeSwitch Command Injection | $0.0
64 | Privilege-0 to Root Privilege Escalation on EdgeSwitch | $0.0
65 | Login as root without password on EdgeSwitchX | $0.0
66 | UniFi Video Server web interface Configuration Restore CSRF leading to full application compromise | $0.0
67 | CORS Misconfiguration leading to Private Information Disclosure | $0.0
68 | Resource Consumption DOS on Edgemax v1.10.6 | $0.0
69 | Catch mails sent to an SMTP Server over SSL using an Evil SMTP Server | $0.0
70 | JetBrains .idea project directory | $0.0
71 | Privilege Escalation From user to SYSTEM via unauthenticated command execution | $0.0
72 | UniFi Video v3.10.1 (Windows) Local Privileges Escalation to SYSTEM from arbitrary filedelete and DLL hijack vulnerabilities. | $0.0
73 | UniFi Video Server web interface admin user Firmware Update path traversal leading to local system compromise | $0.0
74 | UniFi Video web interface Configuration Restore user privilege escalation | $0.0
75 | Unauthenticated request allows changing hostname | $0.0
76 | Firmware download/install vulnerable to CSRF | $0.0
77 | Reflected XSS in Nanostation Loco M2 - AirOS ver=6.1.7 | $0.0
78 | RCE in AirOS 6.2.0 Devices with CSRF bypass | $0.0
79 | Local File Disclosure (+XSS+CSRF) in AirOS 6.2.0 devices | $0.0
80 | Camera adoption DoS - UniFi Protect | $0.0
81 | Web Server Predictable Session ID on EdgeSwitch | $0.0
82 | Readonly to Root Privilege Escalation on EdgeSwitch | $0.0
83 | SNMP Community String Disclosure to ReadOnly Users on EdgeSwitch | $0.0
84 | View Only to Root Privilege Escalation on UniFi Protect | $0.0
85 | 3x Reflected XSS vectors for services.cgi (XM.v6.1.6, build 32290) | $0.0
86 | XW 6.2.0 firmware: 5 Reflected XSS issues in link.cgi | $0.0