Stripo Inc - HackerOne Reports

Total Reports: 70 | Critical: 5 | High: 12 | Medium: 43 | Low: 7
Improper Authorization
Reported by: abdellah29 | Disclosed: | Severity: High | Weakness: Improper Authorization

No rate limiting for confirmation email leads to huge mass mailings
Reported by: buggfuzz1 | Disclosed: | Severity: Medium | Weakness: Business Logic Errors

Able to change password by entering wrong old password
Reported by: rutik346 | Disclosed: | Weakness: Cryptographic Issues - Generic

OLD SESSION DOES NOT EXPIRE AFTER PASSWORD CHANGE
Reported by: aishkendle | Disclosed: | Severity: Medium

Clickjacking on my.stripo.email for MailChimp credentials
Reported by: jasongardner | Disclosed: | Severity: Medium | Weakness: UI Redressing (Clickjacking)

Non-revoked API Key Disclosure in a Disclosed API Key Disclosure Report on Stripo
Reported by: sankalpa_1337 | Disclosed: | Severity: Medium | Weakness: Cleartext Transmission of Sensitive Information

Able to use 'PREMIUM TEMPLATES' in 'FREE PLAN' at [https://my.stripo.email/cabinet/#/my-templates/]
Reported by: xploiterr | Disclosed: | Severity: High | Weakness: Business Logic Errors

SSRF in my.stripo.email
Reported by: x25s | Disclosed: | Severity: High | Weakness: Server-Side Request Forgery (SSRF)

stripo blog search SQL Injection
Reported by: bluebridsec | Disclosed: | Severity: Medium | Weakness: SQL Injection

Cross-Site WebSocket Hijacking Leads to Stealing XSRF-TOKEN
Reported by: 0xwise | Disclosed: | Severity: High | Weakness: Improper Access Control - Generic

XSRF Token is not validated when sending the email test request, which leads to a CSRF attack using the flash file + 307 redirect technique
Reported by: abdellah29 | Disclosed: | Severity: Medium | Weakness: Cross-Site Request Forgery (CSRF)

[SSRF] my.stripo.email via the setup-wizard parameter
Reported by: deb0con | Disclosed: | Severity: Critical | Weakness: Server-Side Request Forgery (SSRF)

Authorization for wp-admin directory is vulnerable to brute force.
Reported by: brumens | Disclosed: | Severity: High | Weakness: Improper Restriction of Authentication Attempts

Integer Overflow (CVE-2017-7529)
Reported by: whitehatmat | Disclosed: | Severity: Medium | Weakness: Integer Overflow

SSRF leads to internal port scan
Reported by: theoriginal | Disclosed: | Severity: Low | Weakness: Server-Side Request Forgery (SSRF)

No Rate Limiting on /reset-password-request/ endpoint
Reported by: tess | Disclosed: | Severity: Medium | Weakness: Violation of Secure Design Principles

Stored XSS on https://my.stripo.email/ (multiple inputs)
Reported by: abdellah29 | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored

[www.stripo.email] You can bypass the speed limit by changing the IP.
Reported by: what_web | Disclosed: | Severity: Medium | Weakness: Information Exposure Through Debug Information

Open memory dump method leaking customer information, secret keys, password, source code & admin accounts
Reported by: secyour-org | Disclosed: | Severity: Critical | Weakness: Exposed Dangerous Method or Function

HTTP Request Smuggling on my.stripo.email
Reported by: codeslayer1337 | Disclosed: | Severity: High