Stripe - HackerOne Reports
Total Reports: 27
Critical: 2
High: 3
Medium: 11
Low: 11
Email change or personal data change on the account.
Reported by: dk82hg | Disclosed: | Severity: Critical
Weakness: Insecure Direct Object Reference (IDOR)
Bounty: $3000.00
Verifying email bypass
Reported by: fisjkars | Disclosed: | Severity: Low
Weakness: Improper Access Control - Generic
Bypassing domain deny_list rule in Smokescreen via trailing dot leads to SSRF
Reported by: gregxsunday | Disclosed: | Severity: Low
Weakness: Server-Side Request Forgery (SSRF)
Unauthorized Canceling/Unsubscribe TaxJar account & Payment information Disclosure
Reported by: mr_asg | Disclosed: | Severity: Medium
Weakness: Improper Access Control - Generic
Bounty: $500.00
The `stripe/veneur` GitHub repository links to a domain `veneur.org`, which is not under Stripe's control
Reported by: peterldowns | Disclosed: | Severity: Low
Weakness: Misconfiguration
CSRF in Importing CSV files [app.taxjar.com]
Reported by: bashcancare | Disclosed: | Severity: Low
Weakness: Cross-Site Request Forgery (CSRF)
GraphQL cross-tenant IDOR giving write access through the operation UpdateAtlasApplicationPerson
Reported by: freesec | Disclosed: | Severity: High
Weakness: Insecure Direct Object Reference (IDOR)
Object injection in `stripe-billing-typographic` GitHub project via /auth/login
Reported by: ph0r3nsic | Disclosed: | Severity: Low
Weakness: Resource Injection
HTML Injection in the Invoice memos field
Reported by: sn-shyk | Disclosed: | Severity: Medium
Weakness: Improper Access Control - Generic
Bounty: $500.00
Without verifying email and activating the account, a user can perform all actions which are not supposed to be done
Reported by: tabaahi | Disclosed: | Severity: Low
Weakness: Violation of Secure Design Principles
Tomcat Servlet Examples accessible at https://44.240.33.83:38443 and https://52.36.56.155:38443
Reported by: mustafa_farrag | Disclosed: | Severity: Medium
Weakness: Improper Authorization
CSRF token validation system is disabled on Stripe Dashboard
Reported by: rodolfomarianocy | Disclosed: | Severity: Medium
Weakness: Cross-Site Request Forgery (CSRF)
Bounty: $2500.00
Fee discounts can be redeemed many times, resulting in unlimited fee-free transactions
Reported by: ian | Disclosed: | Severity: Medium
Weakness: Business Logic Errors
Bounty: $5000.00
[Broken Access Control] Unauthorized Linking accounts & Linked Accounts info Disclosure
Reported by: mr_asg | Disclosed: | Severity: Low
Weakness: Improper Access Control - Generic
Bounty: $250.00
Limited path traversal in Node.js SDK leads to PII disclosure
Reported by: zerodivisi0n | Disclosed: | Severity: Medium
Weakness: Information Disclosure
Bounty: $1000.00
Possible XSS vulnerability without a content security bypass
Reported by: saajanbhujel | Disclosed: | Severity: Medium
Weakness: Cross-site Scripting (XSS) - Generic
Bounty: $2000.00
Promotion code can be used more than redemption limit.
Reported by: d_sharad | Disclosed: | Severity: Low
Weakness: Time-of-check Time-of-use (TOCTOU) Race Condition
Mass Accounts Takeover Without any user Interaction at https://app.taxjar.com/
Reported by: mr_asg | Disclosed: | Severity: High
Weakness: Authentication Bypass Using an Alternate Path or Channel
Bounty: $13000.00
User can pay using archived price by manipulating the request sent to `POST /v1/payment_pages/for_plink`
Reported by: gregxsunday | Disclosed: | Severity: Medium
Weakness: Insecure Direct Object Reference (IDOR)
Full TaxJar account control and ability to disclose and modify business account settings due to Broken Access Control in /current_user_data
Reported by: mr_asg | Disclosed: | Severity: Medium
Weakness: Improper Access Control - Generic
Bounty: $1000.00
Page 1 of 2