Reports in unikrn program:

| S.No | Title | Bounty |
|------|-------|--------|
| 1 | An IDOR that can lead to enumeration of a user and disclosure of email and phone number within cashier | $3000.0 |
| 2 | CSRF logs the victim into attacker's account | $100.0 |
| 3 | Rate Limit workaround in the message of the phone number verification | $100.0 |
| 4 | Staging Rabbitmq instance is exposed to the internet with default credentials | $100.0 |
| 5 | Lack of Input sanitization leads to database Character encoding configuration Disclosure | $100.0 |
| 6 | Escaping images directory in S3 bucket when saving new avatar, using Path Traversal in filename | $50.0 |
| 7 | Non-Cloudflare IPs allowed to access origin servers | $50.0 |
| 8 | Open Redirection leads to redirect Users to malicious website | $50.0 |
| 9 | Weak Session ID Implementation - No Session change on Password change | $40.0 |
| 10 | Persistent XSS found on bin.pinion.gg due to outdated FlowPlayer SWF file with Remote File Inclusion vulnerability. | $30.0 |
| 11 | ssh: unprivileged users may hijack due to backdated ssh version open port found(███.unikrn.com) | $25.0 |
| 12 | Urgent: Server side template injection via Smarty template allows for RCE | $0.0 |
| 13 | HTML injection in email in unikrn.com | $0.0 |
| 14 | Flash CSRF: Update Ad Frequency %: [cp-ng.pinion.gg] | $0.0 |
| 15 | Improper validation at Phone verification (possible cost increase + SMS SPAM attack) | $0.0 |
| 16 | CSRF in Raffles Ticket Purchasing | $0.0 |
| 17 | session_id is not being validated at email invitation endpoint | $0.0 |
| 18 | CSRF log victim into the attacker account | $0.0 |
| 19 | Rate-limit protection get executed in the last stage of the registration process, allowing enumeration of existing account. | $0.0 |
| 20 | █████████ on CRM server without authorization | $0.0 |
| 21 | Path Disclosure Vulnerability http://crm.******.com | $0.0 |
| 22 | bypass Claudflare access crm.mautic.com | $0.0 |
| 23 | Full Path Disclosure | $0.0 |
| 24 | [unikrn.com] Profile updated with error":true,"success":false" | $0.0 |
| 25 | Email abuse and Referral Abuse | $0.0 |
| 26 | multiple vulnerabilities on your mautic server | $0.0 |
| 27 | [crm.unikrn.com] Open Redirect | $0.0 |
| 28 | Open URL Redirection | $0.0 |