VDP Policy
VDP Form
Vulnerability Summary
Report title (250 char maximum)
*
Product/website concerned (250 char maximum)
*
Technical details
Bug Type
*
Select a bug type
SQL Injection (SQLi) (CWE-89)
NoSQL Injection (CWE-943)
Command Injection (CWE-77)
LDAP Injection (CWE-90)
XML External Entity (XXE) (CWE-611)
Template Injection (CWE-1336)
Weak Password Policy (CWE-521)
Credential Stuffing Vulnerability (CWE-307)
Session Fixation (CWE-384)
Session Hijacking (CWE-613)
Missing Multi-Factor Authentication (CWE-287)
JWT Token Misconfiguration (CWE-345)
Reflected XSS (CWE-79)
Stored XSS (CWE-79)
DOM-Based XSS (CWE-79)
Insecure Direct Object Reference (IDOR) (CWE-639)
Missing Access Checks (CWE-284)
Privilege Escalation (CWE-269)
Path Traversal (CWE-22)
Default Credentials in Use (CWE-798)
Directory Listing Enabled (CWE-548)
Verbose Error Messages (CWE-209)
Misconfigured CORS Policy (CWE-942)
Open S3 Bucket / Cloud Storage (CWE-200)
Plaintext Password Storage (CWE-256)
Unencrypted Data in Transit (CWE-319)
Hardcoded Secrets in Code (CWE-798)
Insufficient TLS Configuration (CWE-326)
Missing CSRF Tokens (CWE-352)
Bypassing CSRF Protection (CWE-352)
Internal Network Access via SSRF (CWE-918)
Cloud Metadata Exposure (CWE-918)
Remote Code Execution via Deserialization (CWE-502)
Logic Manipulation via Deserialization (CWE-502)
Application-Level DoS (CWE-400)
Resource Exhaustion (CWE-400)
Algorithmic Complexity Attack (CWE-407)
Bypass of Business Rules (CWE-840)
Unauthorized Discounts or Transactions (CWE-840)
Order Manipulation (CWE-840)
Outdated Libraries / Frameworks (CWE-1104)
Vulnerable API Endpoints (CWE-200)
Known CVEs in Dependencies (CWE-937)
Lack of Rate Limiting (CWE-770)
Excessive Data Exposure (CWE-201)
Mass Assignment (CWE-915)
Improper API Authentication (CWE-287)
Insecure Data Storage (CWE-922)
Insecure Communication (CWE-319)
Insecure WebView Implementation (CWE-749)
Reverse Engineering Exposure (CWE-494)
Weak Biometric Authentication (CWE-307)
Publicly Accessible Cloud Storage (CWE-200)
Overly Permissive IAM Policies (CWE-732)
Unrestricted Network Access to Cloud Services (CWE-284)
Exposed Cloud API Keys (CWE-798)
Misconfigured Security Groups / Firewalls (CWE-284)
Use of Weak Cryptographic Algorithms (CWE-327)
Insecure Random Number Generation (CWE-338)
Improper Key Management (CWE-320)
Failure to Use Salt in Hashing (CWE-759)
Unauthenticated Device Access (CWE-287)
Firmware Vulnerabilities (CWE-494)
Unencrypted Device Communication (CWE-319)
Insecure Over-the-Air Updates (CWE-494)
Other
Endpoint
*
Vulnerable part
*
Select a vulnerable part
GET Parameter
POST Parameter
Cookie
Header
Path
HTTP Method
HTTP Response
Others
PUT Parameter
DNS record
Part name (250 char maximum)
*
Payload
*
Technical environment (250 char maximum)
*
CVE
Impact
Select Impact
Account takeover
Privilege Escalation
Unauthorized Account Manipulation
Sensitive Data Exposure
Source Code Exposure
Secret and Credential Leak
PII Leak
Application Level Denial of Service (DoS)
Access to Unauthorized Resources
Payment Manipulation
Arbitrary File Read
Arbitrary File Write
Remote Code Execution (RCE)
Authentication Bypass
2FA Authentication Bypass
Email Verification Bypass
CVSS3 Score
Attack Vector (AV)
Network (N)
Adjacent (A)
Local (L)
Physical (P)
Attack Complexity (AC)
Low (L)
High (H)
Privilege Required (PR)
None (N)
Low (L)
High (H)
User Interaction (UI)
None (N)
Required (R)
Scope (S)
Unchanged (U)
Changed (C)
Confidentiality (C)
None (N)
Low (L)
High (H)
Integrity (I)
None (N)
Low (L)
High (H)
Availability (A)
None (N)
Low (L)
High (H)
Score
Severity
Vulnerability description
Drop or select jpeg or png files (2.0MB/file)
Reporter information
Your Name
*
Your Mail
*
Terms and conditions
The preferred method for contacting the Plume Infosec Team regarding such vulnerabilities and errors is the VDP Form or e-mail to infosec@plume.com.
By submitting a report, the security researcher warrants that the report and any attachments do not violate the intellectual property rights of any third party, and the security researcher assigns all intellectual property rights in them, free of charge, to the receiving company, which accepts them.
Submit