
Reports in the Stripe program:

| S.No | Title | Bounty |
|---|---|---|
| 1 | Mass Accounts Takeover Without any user Interaction at https://app.taxjar.com/ | $13000.0 |
| 2 | Fee discounts can be redeemed many times, resulting in unlimited fee-free transactions | $5000.0 |
| 3 | Email change or personal data change on the account. | $3000.0 |
| 4 | CSRF token validation system is disabled on Stripe Dashboard | $2500.0 |
| 5 | XSS vulnerability without a content security bypass in a CUSTOM App through Button tag | $2000.0 |
| 6 | Possible XSS vulnerability without a content security bypass | $2000.0 |
| 7 | Bypassing domain deny_list rule in Smokescreen via trailing dot leads to SSRF | $1500.0 |
| 8 | User can pay using archived price by manipulating the request sent to POST /v1/payment_pages/for_plink | $1000.0 |
| 9 | Fully TaxJar account control and ability to disclose and modify business account settings Due to Broken Access Control in /current_user_data | $1000.0 |
| 10 | Limited path traversal in Node.js SDK leads to PII disclosure | $1000.0 |
| 11 | Local applications from user's computer can listen for webhooks via insecure gRPC server from stripe-cli | $500.0 |
| 12 | Unauthorized Canceling/Unsubscribe TaxJar account & Payment information Disclosure | $500.0 |
| 13 | HTML Injection in the Invoice memos field | $500.0 |
| 14 | Verifying email bypass | $500.0 |
| 15 | [Broken Access Control] Unauthorized Linking accounts & Linked Accounts info Disclosure | $250.0 |
| 16 | GRAPHQL cross-tenant IDOR giving write access through the operation UpdateAtlasApplicationPerson | $0.0 |
| 17 | CSRF token validation system is disabled on Stripe Dashboard | $0.0 |
| 18 | Bypass global deny-lists by wrapping domains using "[]" in https://github.com/stripe/smokescreen | $0.0 |
| 19 | Mass Account Takeover at https://app.taxjar.com/ - No user Interaction | $0.0 |
| 20 | Without verifying email and activating account, user can perform all actions which are not supposed to be done | $0.0 |
| 21 | Tomcat Servlet Examples accessible at https://44.240.33.83:38443 and https://52.36.56.155:38443 | $0.0 |
| 22 | Bypassing domain deny_list rule in Smokescreen via double brackets [[]] which leads to SSRF | $0.0 |
| 23 | Mass account takeover! | $0.0 |
| 24 | Promotion code can be used more than redemption limit. | $0.0 |
| 25 | Object injection in stripe-billing-typographic GitHub project via /auth/login | $0.0 |
| 26 | CSRF in Importing CSV files [app.taxjar.com] | $0.0 |
| 27 | The stripe/veneur GitHub repository links to a domain veneur.org, which is not under Stripe's control | $0.0 |