repository icon
heroiclabs / nakama Project repository

Distributed server for social and realtime games and apps.

Submit a report

FIRST INTERACTION

WITHIN6 DAYS

REVIEW

WITHIN39 DAYS

FIX

WITHIN86 DAYS

SQL Injection
h3athen
pending
Deleting user has no validation which can result to Admin delete's its own accou...
rac-fckscty
pending
Broken Link Hijacking
oiiwroo
pending
No rate limiting on the reset password page will lead to a DOS attack and inbox...
oiiwroo
self closed
No Protection Against Bruteforce Attacks on Admin Login Page
oiiwroo
pending
No rate limit On Forgot Password Lead To Dos and inbox flooding for any user
novemberdad
informative
High
open redirect
oiiwroo
pending
Exposure of Resource to Wrong Sphere
louis-xer
not applicable
Multiple user accounts creation with same email
earth2sky
pending
Deleted User Is Able To Access His Account And Can Create New Accounts
earth2sky
pending
Weak password policy implemented
earth2sky
pending
The session token is not invalidated when deleting the account
juylang
duplicate
High
Sha1 hashing algorithm in use for node
popcorn94
not applicable
grpc server Insecure connection
captain-k-101
pending
nakama does not properly termine existing user sessions when the user was delet...
lujiefsi
duplicate
High
Lack of email validation lead to account takeover
rezaduty
not applicable
Lack of ratelimit in authenticate
rezaduty
not applicable
API Key Disclosure via main.js
bash-shocker
not applicable
Session not exipiry after password change...
raja453
pending
Verify and password reset token revealing the user's email and user id on web:ht...
raja453
informative
Medium
No Rate limit protection on https://cloud.heroiclabs.com/login
raja453
pending
Multiple user creation with the same email Id bypassed with uppercase
moutainpink
duplicate
Critical
DOS at login function
ch1nhpd
pending
no-rate limit leads to mail throttling ( mail flooding )
drxadz
pending
Multiple user accounts via same email and username
nerrorsec
High
$165
UI Discrepancy in Password
nerrorsec
Medium
$45
Login bruteforce
effectrenan
High
$165
Insufficient Session Expiration
vautia
Medium
$45
User Enumeration via Response Timing
vautia
Medium
$45
horizontal privilege escalation
drxadz
not applicable
miss-configuration of Authorization Bearer token lead to account tackover
drxadz
informative
Critical
Admin account takeover using response manipulation
sandeep-vatada
not applicable
no rate limit on the REST API leads to multiple UserID and Username creation
drxadz
informative
High
Clickjacking to delete user accounts
themarkib
duplicate
High
Business logic error: Not able to access newly created admin account with the us...
drxadz
High
$165
No access control in ClockroachDB
shadowfl0w
informative
Medium
RSA Private Key Leak
thwinhtetwin
informative
Critical
Unsigned application
ap062
informative
High
JWT token leakage in HTTP response leads to user information exposure
khanhchauminh
informative
High
Clickjacking leads to user account deletion
akshayravic09yc47
duplicate
Medium
Account takeover
akshayravic09yc47
duplicate
High
Multiple user creation with the same email Id via existing verification bypass
drxadz
Medium
$45
Insufficient Brute Force Protection in Login Portal (Self hosted and cloud.heroi...
dievus
duplicate
Critical
Use of Hard-coded Cryptographic Key
cokebeer
informative
Critical
Session tokens are not invalidated on logout
nerrorsec
High
$165CVE-2022-2306
User Account Deletion and more via Clickjacking
nerrorsec
High
$165
No Protection against Bruteforce attacks on Login page
nerrorsec
High
$165CVE-2022-2321
Improper authorization on view only user
tienpa99
duplicate
High
identify registered user
ranjit-git
Low
unprivileged user can see user details like email,role etc
ranjit-git
Low
Improper Privilege Management
thelabda
Medium
$65
Observable Response Discrepancy
thelabda
Medium