Skip to content

Latest commit

 

History

History
146 lines (145 loc) · 16.9 KB

TOPWEBLATE.md

File metadata and controls

146 lines (145 loc) · 16.9 KB
Raw

Top reports from Weblate program at HackerOne:

  1. Reset password cookie leads to account takeover to Weblate - 33 upvotes, $0
  2. no captcha for register user and weak question attacker can spam email to Weblate - 27 upvotes, $0
  3. CSRF with logout action to Weblate - 26 upvotes, $0
  4. Open Github Repo Leaking WEBLATE SECRET KEY to Weblate - 22 upvotes, $0
  5. HTML injection and information disclosure in support panel to Weblate - 20 upvotes, $0
  6. Uploaded XLF files result in External Entity Execution to Weblate - 16 upvotes, $0
  7. Insecure Account Removal #2 to Weblate - 14 upvotes, $0
  8. Broken Authentication – Session Token bug to Weblate - 13 upvotes, $0
  9. Race Condition allows to get more free trials and get more than 100 languages and strings for free to Weblate - 13 upvotes, $0
  10. Rate Limit Bypass on login Page to Weblate - 12 upvotes, $0
  11. Password Restriction to Weblate - 12 upvotes, $0
  12. DKIM records not present, Email Hijacking is possible..... to Weblate - 11 upvotes, $0
  13. flood of comment no rate limit on commnets >> by using different user agent to Weblate - 11 upvotes, $0
  14. Stored XSS via Create Project (Add new translation project) to Weblate - 11 upvotes, $0
  15. Weak password policy to Weblate - 10 upvotes, $0
  16. Account Takeover using Third party Auth CSRF to Weblate - 9 upvotes, $0
  17. Login CSRF : Login Authentication Flaw to Weblate - 9 upvotes, $0
  18. Rate Limit Issue on hosted.weblate.org to Weblate - 9 upvotes, $0
  19. No Rate On Add Suggest to Weblate - 9 upvotes, $0
  20. Logging in without knowing credentials after logged out action to Weblate - 9 upvotes, $0
  21. Insecure Account Removal to Weblate - 8 upvotes, $0
  22. Missing filteration of meta characters in full name field on registration page https://demo.weblate.org/accounts/register to Weblate - 8 upvotes, $0
  23. No Rate Limiting at /contact to Weblate - 8 upvotes, $0
  24. Missing Restriction On String Size to Weblate - 8 upvotes, $0
  25. no notification send to victim if attacker hacks/accesses his victims WebLate account. to Weblate - 8 upvotes, $0
  26. No rate Limit on Add new Translation Project to Weblate - 8 upvotes, $0
  27. CSRF to Connect third party Account to Weblate - 7 upvotes, $0
  28. Activation tokens are not expiring to Weblate - 7 upvotes, $0
  29. Missing restriction on string size of Full Name at https://demo.weblate.org/accounts/register/ to Weblate - 7 upvotes, $0
  30. Captcha Bypass at Email Reset can lead to Spamming users. to Weblate - 7 upvotes, $0
  31. Invalidate session after password reset - hosted website to Weblate - 7 upvotes, $0
  32. Password token validation in Weblate Bypass #2 to Weblate - 7 upvotes, $0
  33. Browser Self XSS Protection not implemented to Weblate - 7 upvotes, $0
  34. Stored XSS @ /engage/<project_slug> to Weblate - 7 upvotes, $0
  35. No rate limiting for Remove Account lead to huge Mass mailings to Weblate - 7 upvotes, $0
  36. Testing flow includes a DeepSource secret to Weblate - 7 upvotes, $0
  37. No Rate Limitting at Change Password to Weblate - 6 upvotes, $0
  38. Logout CSRF to Weblate - 6 upvotes, $0
  39. CSV export filter bypass leads to formula injection. to Weblate - 6 upvotes, $0
  40. CSRF : Reset API to Weblate - 6 upvotes, $0
  41. You can simply just use passwords that simply are as 123456 to Weblate - 6 upvotes, $0
  42. Open SMTP port can let anyone send email from mail.chihar.com to Weblate - 6 upvotes, $0
  43. Information Disclosure on demo.weblate.org to Weblate - 6 upvotes, $0
  44. Old password can be new password to Weblate - 6 upvotes, $0
  45. Application allowing old password to be set as new password | hosted.weblate.org to Weblate - 6 upvotes, $0
  46. Reset password more than once with a reset link #2 to Weblate - 6 upvotes, $0
  47. 2nd issue>>> flood of email no rate limit on delete account confirmation email >> to Weblate - 6 upvotes, $0
  48. Secret_key in GitHub to Weblate - 6 upvotes, $0
  49. Web server is vulnerable to Beast Attack to Weblate - 5 upvotes, $0
  50. No Password Length Restriction leads to Denial of Service to Weblate - 5 upvotes, $0
  51. [hosted.weblate.org]Account Takeover to Weblate - 5 upvotes, $0
  52. session id missing secure flag - Hosted Website to Weblate - 5 upvotes, $0
  53. Weak e-mail change functionality could lead to account takeover to Weblate - 5 upvotes, $0
  54. CSV Injection with the CSV export feature to Weblate - 5 upvotes, $0
  55. No BruteForce Protection to Weblate - 5 upvotes, $0
  56. Access to completion page without performing any action to Weblate - 5 upvotes, $0
  57. Option method enabled to Weblate - 5 upvotes, $0
  58. Self-XSS can be achieved in the editor link using filter bypass to Weblate - 5 upvotes, $0
  59. Design Flaw in session management of password reset to Weblate - 5 upvotes, $0
  60. Missing restriction on string size to Weblate - 5 upvotes, $0
  61. Clickjacking docs.weblate.org to Weblate - 5 upvotes, $0
  62. Open redirect while disconnecting authenticated account to Weblate - 5 upvotes, $0
  63. Open redirect while disconnecting Email to Weblate - 5 upvotes, $0
  64. Weblate |Security Misconfiguration| Method Enumeration Possible on domain to Weblate - 5 upvotes, $0
  65. Csrf in watch-unwatch projects to Weblate - 5 upvotes, $0
  66. Improper validation of unicode characters to Weblate - 5 upvotes, $0
  67. Improper validation of unicode characters still not fixed to Weblate - 5 upvotes, $0
  68. Improper validation of unicode characters still not fixed #2 to Weblate - 5 upvotes, $0
  69. Improper validation of unicode characters #3 to Weblate - 5 upvotes, $0
  70. Persistence of Third Party Association. to Weblate - 5 upvotes, $0
  71. No Rate Limitation on Regenerate Api Key to Weblate - 5 upvotes, $0
  72. Full Name Overwrite on Third party login to Weblate - 5 upvotes, $0
  73. Reset password more than once with a reset link to Weblate - 5 upvotes, $0
  74. Improper Cookie expiration | Cookies Expiration Set to Future to Weblate - 5 upvotes, $0
  75. Running 2 accounts with a single email [Part 2] to Weblate - 5 upvotes, $0
  76. Running 2 accounts with a single email #3 to Weblate - 5 upvotes, $0
  77. Tab nabbing via window.opener to Weblate - 5 upvotes, $0
  78. Improper access control when an added email address is deleted from authentication to Weblate - 4 upvotes, $0
  79. Registration captcha bypass to Weblate - 4 upvotes, $0
  80. Login using disconnected google account i.e login using old email id to Weblate - 4 upvotes, $0
  81. CSV Injection with the CVS export feature - Glossary to Weblate - 4 upvotes, $0
  82. [demo.weblate.org] Stored Self-XSS via Editor Link in Profile to Weblate - 4 upvotes, $0
  83. Abuse of Api that causes spamming users and possible DOS due to missing rate limit on contact form to Weblate - 4 upvotes, $0
  84. Missing DMARC on weblate.org to Weblate - 4 upvotes, $0
  85. Content Spoofing in error message to Weblate - 4 upvotes, $0
  86. Spamming any user from Reset Password Function to Weblate - 4 upvotes, $0
  87. CSRF : Lock and Unlock Translation to Weblate - 4 upvotes, $0
  88. Running 2 accounts with a single email to Weblate - 4 upvotes, $0
  89. No notificatoin sent on email after account deletion. to Weblate - 4 upvotes, $0
  90. API Does Not Apply Access Controls to Translations to Weblate - 4 upvotes, $0
  91. CSRF bypass ( Delate Source Translation From dictionaries ) in demo.weblate.org to Weblate - 4 upvotes, $0
  92. Weblate- Banner Grabbing-Ngnix Server version to Weblate - 4 upvotes, $0
  93. Improper validation of unicode characters to Weblate - 4 upvotes, $0
  94. No filteration of null characters in name field to Weblate - 4 upvotes, $0
  95. The username of an account can be .. to Weblate - 4 upvotes, $0
  96. Password token validation in Weblate Bypass to Weblate - 4 upvotes, $0
  97. Previous password could set as new password to Weblate - 4 upvotes, $0
  98. [debian.weblate.org]-Missing SPF Record to Weblate - 4 upvotes, $0
  99. Add another email address without verification to Weblate - 4 upvotes, $0
  100. Improper validation of unicode characters to Weblate - 4 upvotes, $0
  101. Account Restore / Reactivating an old email via old reset link to Weblate - 4 upvotes, $0
  102. Audit log validation to Weblate - 4 upvotes, $0
  103. Open port leads to information disclosure to Weblate - 4 upvotes, $0
  104. Send Empty CSRF leads to log out user on [https://hosted.weblate.org/accounts/profile] to Weblate - 4 upvotes, $0
  105. Email verification over an unencrypted channel to Weblate - 3 upvotes, $0
  106. Open redirect in Signing in via Social Sites to Weblate - 3 upvotes, $0
  107. Content Spoofing to Weblate - 3 upvotes, $0
  108. Open Redirect via "next" parameter in third-party authentication to Weblate - 3 upvotes, $0
  109. No expiration of session ID after Password change to Weblate - 3 upvotes, $0
  110. Already Registered Email Disclosure to Weblate - 3 upvotes, $0
  111. User Enumeration when adding email to account to Weblate - 3 upvotes, $0
  112. Self XSS at translation page through Editor Link at demo.weblate.org to Weblate - 3 upvotes, $0
  113. HttpOnly Flag not set to Weblate - 3 upvotes, $0
  114. Setting a password with a single character to Weblate - 3 upvotes, $0
  115. Null Password - Setting a new password doesn't check for empty spaces to Weblate - 3 upvotes, $0
  116. CSRF - Changing the full name / adding a secondary email identity of an account via a GET request to Weblate - 3 upvotes, $0
  117. Takeover of an account via reset password options after removing the account to Weblate - 3 upvotes, $0
  118. 7BO: Binary Option Robot URL should be HTTPS to Weblate - 3 upvotes, $0
  119. Email spoofing at weblate.org to Weblate - 3 upvotes, $0
  120. Existing sessions valid after removing third party auth to Weblate - 3 upvotes, $0
  121. Adding Email lacks Password validation to Weblate - 3 upvotes, $0
  122. Error Message When Changing Username to Weblate - 3 upvotes, $0
  123. Improper validation of unicode characters#2 to Weblate - 3 upvotes, $0
  124. hosted.weblate.org display of unfiltered results to Weblate - 3 upvotes, $0
  125. full path disclosure at hosted.weblate.org/admin/accounts/profile/ to Weblate - 2 upvotes, $0
  126. demo.weblate.org is vulnerable to SWEET32 Vulnerability to Weblate - 2 upvotes, $0
  127. Specify maximal length in translation to Weblate - 2 upvotes, $0
  128. hosted.weblate.org: X-XSS-Protection not enabled to Weblate - 2 upvotes, $0
  129. weblate.org: X-XSS-Protection not enabled to Weblate - 2 upvotes, $0
  130. Specify maximal length in new comment to Weblate - 2 upvotes, $0
  131. Abuse of Api that causes spamming users and possible DOS due to missing rate limit to Weblate - 2 upvotes, $0
  132. Notify user about password change to Weblate - 2 upvotes, $0
  133. Facebook share URL should be HTTPS to Weblate - 2 upvotes, $0
  134. ClickJacking on Debug to Weblate - 2 upvotes, $0
  135. Incorrect HTTPS Certificate to Weblate - 2 upvotes, $0
  136. Directory Listing to Weblate - 2 upvotes, $0
  137. Password token validation in https://demo.weblate.org/ to Weblate - 2 upvotes, $0
  138. Captcha bypass at registration to Weblate - 2 upvotes, $0
  139. Bypassing captcha in registration on Hosted site to Weblate - 2 upvotes, $0
  140. No Rate Limit On Add new word to Weblate - 2 upvotes, $0
  141. Improper Password Reset Policy on https://hosted.weblate.org/ to Weblate - 1 upvotes, $0
  142. CSP "script-src" includes "unsafe-inline" in weblate.org and demo.weblate.org to Weblate - 1 upvotes, $0
  143. No rate limit or captcha to identify humans to Weblate - 1 upvotes, $0
  144. DNSSEC Zone Walk using NSEC Records to Weblate - 1 upvotes, $0