Vulnerability Disclosures

- Detecting Player Robux Balances
- CSRF in sending two-step verification message
- CSRF in group endpoints
- Injecting Lua code into game servers via Player.CharacterAppearance
- Detecting the existence of local files using path traversal
- ContentProvider vulnerable to path traversal attacks
- Using unmoderated game assets via asset handler
- CSRF in uploading assets
- Game server fork bomb
- Stealing a player's games
- Injecting Lua code into game servers using CreatePlaceInPlayerInventoryAsync
- Personal information disclosure via console
- Stealing a player's virtual currency
- Using unmoderated game assets
- Bypassing HttpService's rate limits
- Bypassing MAC address bans
- CSRF in changing group member ranks
- CSRF in email verification page
- Changing any user's birthdate or chat privacy setting
- Overwriting local files from Studio plugins
- CSRF in friend endpoints
- Reflected XSS in outdated JavaScript library
- Stealing the game server authentication key
- Creating a clan for any group
- Using unmoderated game assets
- Stealing the source of server scripts via HopperBins II
- Stealing a user's Robux from a Studio plugin
- Stealing the source of server scripts via HopperBins I
- Session hijacking in Studio
- CSRF in mobile site endpoints
- Unthrottled login endpoint
- Injecting Lua code into game servers using an unvalidated redirect and Player.CharacterAppearance
- Injecting Lua code into game client via querystring injection
- CSRF in reporting MAC addresses
- Uploading Luas as any user
- Persistent XSS in group admin page
- Persistent XSS in Studio's toolbox
- CSRF on sets page
- Fetch information from third-party website by bypassing filter