TOPXXE.md

File metadata and controls

55 lines (54 loc) · 6.12 KB

Top XXE reports from HackerOne:

  1. XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx to Starbucks - 311 upvotes, $0
  2. XXE on pulse.mail.ru to Mail.ru - 264 upvotes, $6000
  3. XXE on sms-be-vip.twitter.com in SXMP Processor to X (Formerly Twitter) - 251 upvotes, $0
  4. XXE on https://duckduckgo.com to DuckDuckGo - 212 upvotes, $0
  5. Phone Call to XXE via Interactive Voice Response to ██████ - 171 upvotes, $0
  6. Partial bypass of #483774 with Blind XXE on https://duckduckgo.com to DuckDuckGo - 151 upvotes, $0
  7. Multiple endpoints are vulnerable to XML External Entity injection (XXE) to Pornhub - 138 upvotes, $2500
  8. XXE through injection of a payload in the XMP metadata of a JPEG file to Informatica - 131 upvotes, $0
  9. XXE Injection through SVG image upload leads to SSRF to Zivver - 112 upvotes, $0
  10. XXE in Site Audit function exposing file and directory contents to Semrush - 102 upvotes, $0
  11. XXE in DoD website that may lead to RCE to U.S. Dept Of Defense - 91 upvotes, $0
  12. [RCE] Unserialize to XXE - file disclosure on ams.upload.pornhub.com to Pornhub - 90 upvotes, $0
  13. Blind XXE via Powerpoint files to Open-Xchange - 86 upvotes, $2000
  14. LFI and SSRF via XXE in emblem editor to Rockstar Games - 72 upvotes, $1500
  15. blind XXE in autodiscover parser to Mail.ru - 70 upvotes, $0
  16. Blind OOB XXE At "http://ubermovement.com/" to Uber - 55 upvotes, $500
  17. XXE on webdav.mail.ru - PROPFIND/PROPPATCH to Mail.ru - 54 upvotes, $0
  18. XXE on ██████████ by bypassing WAF ████ to QIWI - 53 upvotes, $0
  19. [rev-app.informatica.com] - XXE to Informatica - 44 upvotes, $0
  20. RCE via Local File Read -> php unserialization-> XXE -> unpickling to h1-5411-CTF - 44 upvotes, $0
  21. XML External Entity (XXE) in qiwi.com + waf bypass to QIWI - 41 upvotes, $0
  22. Authenticated XXE to WordPress - 40 upvotes, $0
  23. XML Parser Bug: XXE over which leads to RCE to drchrono - 34 upvotes, $0
  24. [HTA2] XXE on https://███ via SpellCheck Endpoint to U.S. Dept Of Defense - 33 upvotes, $0
  25. XXE on DoD web server to U.S. Dept Of Defense - 31 upvotes, $0
  26. Singapore - XXE at https://www.starbucks.com.sg/RestApi/soap11 to Starbucks - 30 upvotes, $0
  27. [app.informaticaondemand.com] XXE to Informatica - 24 upvotes, $0
  28. Blind XXE on my.mail.ru to Mail.ru - 23 upvotes, $800
  29. Non-production Open Database In Combination With XXE Leads To SSRF to Evernote - 23 upvotes, $0
  30. XXE in upload file feature to Informatica - 21 upvotes, $0
  31. [send.qiwi.ru] Soap-based XXE vulnerability /soapserver/ to QIWI - 18 upvotes, $0
  32. Blind XXE on pu.vk.com to VK.com - 16 upvotes, $500
  33. AEM forms XXE Vulnerability to Adobe - 15 upvotes, $0
  34. XXE in the Connector Designer to Bime - 13 upvotes, $0
  35. [marketplace.informatica.com] - XXE to Informatica - 13 upvotes, $0
  36. blind XXE when uploading avatar in mymail phone app to Mail.ru - 12 upvotes, $1000
  37. OOB XXE to Mail.ru - 12 upvotes, $500
  38. [rev-app.informatica.com] - XXE via SAML to Informatica - 11 upvotes, $0
  39. [marketplace.informatica.com] - XXE to Informatica - 11 upvotes, $0
  40. XXE issue to Moneybird - 11 upvotes, $0
  41. h1-5411-CTF report: LFI / Deserialization / XXE vulnerability to h1-5411-CTF - 8 upvotes, $0
  42. [usuppliers.uber.com] - Server Side Request Forgery via XXE OOB to Uber - 8 upvotes, $0
  43. Critical XXE to Mail.ru - 7 upvotes, $0
  44. XXE in Enterprise Search's App Search web crawler to Elastic - 7 upvotes, $0
  45. XXE on www.publish.engelvoelkers.com to Engel & Völkers Technology GmbH - 7 upvotes, $0
  46. XXE at Informatica sub-domain to Informatica - 6 upvotes, $0
  47. [Java]: Add XXE sinks to GitHub Security Lab - 6 upvotes, $0
  48. OOB XXE to Mail.ru - 5 upvotes, $500
  49. [Python]: CWE-611: XXE to GitHub Security Lab - 4 upvotes, $1800
  50. XXE and SSRF on webmaster.mail.ru to Mail.ru - 4 upvotes, $0
  51. XXE in OAuth2 Applications gallery profile App logo to Coinbase - 3 upvotes, $0
  52. XXE at host vpn.owncloud.com to ownCloud - 2 upvotes, $0
  53. Pippo XML Entity Expansion (Billion Laughs Attack) to Central Security Project - 1 upvote, $0