40 lines (40 loc) · 3.97 KB

Reports in upchieve program:

| S.No | Title | Bounty |
|------|-------|--------|
| 1 | Full account takeover of any user through reset password | $0.0 |
| 2 | Zero click account Takeover due to Api misconfiguration 🏂🎩 | $0.0 |
| 3 | User enumeration through forget password | $0.0 |
| 4 | No Valid SPF Records/don't have DMARC record | $0.0 |
| 5 | CORS Misconfiguration, could lead to disclosure of sensitive information | $0.0 |
| 6 | Cross-origin resource sharing misconfig \| steal user information | $0.0 |
| 7 | Clickjacking on profile page leading to unauthorized changes | $0.0 |
| 8 | Session Hijacking leads to full control of account by attacker | $0.0 |
| 9 | blind sql on [ https://argocd.upchieve.org/login?return_url=id= ] | $0.0 |
| 10 | hackers.upchieve.org and argocd.upchieve.org is not preloaded. | $0.0 |
| 11 | Vulnerability Report - sweet32 UPchieve | $0.0 |
| 12 | url redirection | $0.0 |
| 13 | Password reset token leak on third party website via Referer header | $0.0 |
| 14 | Business logic error | $0.0 |
| 15 | CLICKJACKING LEADS TO DEACTIVATE ACCOUNT | $0.0 |
| 16 | i can join without user and pass in this website https://argocd.upchieve.org/settings/accounts | $0.0 |
| 17 | No Rate Limit On Contact Us | $0.0 |
| 18 | Failed to validate Session after Password Change | $0.0 |
| 19 | old session dose not expire after password change | $0.0 |
| 20 | No Rate Limit On Reset Password | $0.0 |
| 21 | No Rate Limiting on /reset-password-request/ endpoint | $0.0 |
| 22 | Clickjacking ar https://hackers.upchieve.org/login | $0.0 |
| 23 | Authentication Bypass - Email Verification code bypass in account registration process. | $0.0 |
| 24 | CORS origin validation failure | $0.0 |
| 25 | No character limit in password field | $0.0 |
| 26 | Widespread CSRF on authenticated POST endpoints | $0.0 |
| 27 | No Rate Limiting for Password Reset Email Leads to Email Flooding | $0.0 |
| 28 | Clickjacking login page of https://hackers.upchieve.org/login | $0.0 |
| 29 | No rate Limit on Password Reset page on upchieve | $0.0 |
| 30 | Outdated Copyright Message @ Welcome email | $0.0 |
| 31 | Password Reuse | $0.0 |
| 32 | Missing Validation in editing "Your Phone Number" | $0.0 |
| 33 | Password reset token leakage | $0.0 |
| 34 | No Rate Limit on forgot password page | $0.0 |
| 35 | OTP reflecting in response sensitive data exposure leads to account take over | $0.0 |
| 36 | All user password hash can be seen from admin panel | $0.0 |
| 37 | Hyper Link Injection while signup | $0.0 |