Dropcontact - HackerOne Reports
Total reports: 16 (Critical: 2, High: 4, Medium: 5, Low: 4)
Django should not have debug mode enabled
Reported by: higbee | Severity: Low | Weakness: Information Exposure Through Debug Information
Django debug mode enabled, showing information about the system, database and configuration files.
Reported by: vbdev | Severity: Low | Weakness: Information Disclosure
IDOR for FirstPromoter service
Reported by: xploiterr | Severity: High | Weakness: Insecure Direct Object Reference (IDOR)
No Valid SPF Records
Reported by: harshita174 | Severity: Medium | Weakness: Improper Authentication - Generic
Host Header Injection.
Reported by: xploiterr | Severity: Low | Weakness: Open Redirect
Unauthorized access to and updating of the EMAIL settings of another user at https://app.dropcontact.io/app/sponsorship/ by changing the "email" parameter.
Reported by: xploiterr | Severity: High | Weakness: Improper Access Control - Generic
Unrestricted File Upload on https://app.dropcontact.io/app/upload/
Reported by: omarelfarsaoui | Weakness: Unrestricted Upload of File with Dangerous Type
User can subscribe to a hidden plan by manipulating the value of the "subscription" parameter at https://app.dropcontact.io/app/checkout/
Reported by: xploiterr | Severity: Medium | Weakness: Business Logic Errors
Nginx server version disclosure.
Reported by: xploiterr | Severity: Low | Weakness: Information Disclosure
Dropcontact's disclosed report is exposing Private/Confidential information
Reported by: n1m0 | Severity: High | Weakness: Information Disclosure
User registration using a public-domain email address such as Gmail instead of a professional email.
Reported by: cyc0rpion | Severity: Medium | Weakness: Reliance on Untrusted Inputs in a Security Decision
Information Disclosure through DEBUG at Subscription (https://app.dropcontact.io/app/subscription?connector=salesforce) (CRITICAL)
Reported by: xploiterr | Severity: Critical | Weakness: Information Exposure Through Debug Information
Sensitive Information Disclosure
Reported by: akashhamal0x01 | Severity: Critical | Weakness: Information Disclosure
API key is not validated for the CRM integration [Pipedrive] of the logged-in user; a user can use another user's API key for this operation.
Reported by: xploiterr | Severity: Medium | Weakness: Improper Authorization
Registering with an email address of 70+ characters leads to disclosure of some information [Django Debug Mode]
Reported by: elmahdi | Severity: Medium | Weakness: Information Disclosure
Django DEBUG mode enabled and leaked system information.
Reported by: aungkyawphyo | Severity: High | Weakness: Misconfiguration