TOPLOCALIZE.md
Top reports from Localize program at HackerOne:

  1. 2-factor authentication can be disabled when logged in without confirming account password to Localize - 136 upvotes, $500
  2. Stored XSS in Name of Team Member Invitation to Localize - 11 upvotes, $50
  3. The password limit is not set, [DoS]. to Localize - 11 upvotes, $50
  4. CSRF in adding phrase. to Localize - 10 upvotes, $0
  5. Full Path Disclosure / Info Disclosure in Creating New Group to Localize - 9 upvotes, $0
  6. Private Project Access Request Invitation Sent Via CSRF to Localize - 6 upvotes, $0
  7. XSS & HTML injection to Localize - 5 upvotes, $0
  8. Sign-up Form CSRF to Localize - 5 upvotes, $0
  9. XSS in Groups to Localize - 4 upvotes, $0
  10. XSS in invite approval to Localize - 4 upvotes, $0
  11. XSS in main page to Localize - 4 upvotes, $0
  12. Nginx version is disclosed in HTTP response to Localize - 4 upvotes, $0
  13. XSS in main page (invitation) to Localize - 3 upvotes, $0
  14. Sensitive file to Localize - 3 upvotes, $0
  15. HTML/Javascript possible in "Discussion" section of reviews to Localize - 3 upvotes, $0
  16. Business logic Failure - Browser cache management and logout vulnerability. to Localize - 3 upvotes, $0
  17. Path Disclosure (Info Disclosure) in http://www.localize.io to Localize - 2 upvotes, $0
  18. Apache Documentation to Localize - 2 upvotes, $0
  19. Numerous open ports/services to Localize - 2 upvotes, $0
  20. Cryptographic Issue: Strict Transport Security with not good max age..(TOO SHORT!) to Localize - 2 upvotes, $0
  21. Full Path Disclosure (FPD) in www.localize.im to Localize - 2 upvotes, $0
  22. Attacker can send "Invitation Request" to a Project that is not even created yet! to Localize - 2 upvotes, $0
  23. XSS in Localize.io to Localize - 1 upvotes, $0
  24. User credentials are sent in clear text to Localize - 1 upvotes, $0
  25. HTML Form Without CSRF protection to Localize - 1 upvotes, $0
  26. Full path disclosure to Localize - 1 upvotes, $0
  27. No Cross-Site Request Forgery protection at multiple locations to Localize - 1 upvotes, $0
  28. Unexpected array leaks information about the system to Localize - 1 upvotes, $0
  29. Information Disclosure (Directory Structure) to Localize - 1 upvotes, $0
  30. Uninitialized variable error message leaks information to Localize - 1 upvotes, $0
  31. Full Path Disclosure (FPD) in www.localize.io to Localize - 1 upvotes, $0
  32. Full Path Disclosure / Info Disclosure in Importing XML Section! to Localize - 1 upvotes, $0
  33. Full Path Disclosure (2) to Localize - 1 upvotes, $0
  34. Full Path Disclosure to Localize - 1 upvotes, $0
  35. Assigning a non-existing role to user causes exception when opening project page to Localize - 1 upvotes, $0
  36. Password type input with auto-complete enabled to Localize - 1 upvotes, $0
  37. infinite number of new project creation! to Localize - 1 upvotes, $0
  38. XSS in password to Localize - 1 upvotes, $0
  39. Apache2 /icons/ folder accessible to Localize - 1 upvotes, $0
  40. Server header - information disclosure to Localize - 1 upvotes, $0
  41. PHP PDOException and Full Path Disclosure to Localize - 1 upvotes, $0
  42. Full Path Disclosure (FPD) in www.localize.im to Localize - 1 upvotes, $0
  43. full path disclosure from false language to Localize - 1 upvotes, $0
  44. missing sender policy framework (SPF) to Localize - 1 upvotes, $0
  45. Deleting groups in any project without permission to Localize - 0 upvotes, $0
  46. Making groups in any project without permission to Localize - 0 upvotes, $0
  47. Stored XSS to Localize - 0 upvotes, $0
  48. Possible sensitive files to Localize - 0 upvotes, $0
  49. Login page password-guessing attack to Localize - 0 upvotes, $0
  50. Group Deletion Via CSRF to Localize - 0 upvotes, $0
  51. Group Creation Via CSRF to Localize - 0 upvotes, $0
  52. Private Project Access Request Accepted Via CSRF to Localize - 0 upvotes, $0
  53. OPTIONS Method Enabled to Localize - 0 upvotes, $0
  54. No Wildcard DNS to Localize - 0 upvotes, $0
  55. A Serious Bug on SIGNUP Process! to Localize - 0 upvotes, $0
  56. No BruteForce Protection to Localize - 0 upvotes, $0
  57. ClickJacking to Localize - 0 upvotes, $0
  58. Change user settings through CSRF to Localize - 0 upvotes, $0
  59. Password Policy to Localize - 0 upvotes, $0
  60. X-Content-Type-Options header missing to Localize - 0 upvotes, $0
  61. Projects Watch or Notifications Settings Change Via CSRF to Localize - 0 upvotes, $0
  62. XSS in Team Only Area to Localize - 0 upvotes, $0
  63. Bug on registration as new Translator user to Localize - 0 upvotes, $0
  64. PHP PDOException and Full Path Disclosure to Localize - 0 upvotes, $0
  65. PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. to Localize - 0 upvotes, $0
  66. files like README.md are public to Localize - 0 upvotes, $0
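Several of the low-severity entries in the list (12, 20, 40, 57 and 60) are response-header findings that can be checked from a single captured HTTP response. The checker below is an added example written for this page; it is not code from the Localize program or from any of the reports. The header values are constructed, not captured from localize.io, and the one-year HSTS floor and the "any digit in the Server header counts as version disclosure" heuristic are the example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample headers that reproduce the kinds of findings reported
# above (version in Server, short HSTS max-age, missing nosniff, no framing
# protection). Not captured from any real host.
SAMPLE_HEADERS = {
    "Server": "nginx/1.4.6",
    "Strict-Transport-Security": "max-age=300",
    "Content-Type": "text/html",
}

# Constructed hardened variant of the same response for comparison.
HARDENED_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Type": "text/html",
}

# Assumption: one year is used as the minimum acceptable HSTS max-age
# (the value the HSTS preload list also requires).
MIN_HSTS_MAX_AGE = 31536000


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of header findings for one HTTP response.

    Header names are compared case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # Server header: a digit is taken as a version string (assumption).
    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"Server header discloses version: {server!r}")

    # HSTS: present, has a max-age, and max-age meets the floor.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not m:
            findings.append(f"Strict-Transport-Security has no max-age: {hsts!r}")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(
                f"Strict-Transport-Security max-age too short: {m.group(1)}"
            )

    # MIME sniffing protection.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").strip().lower()
    csp = h.get("content-security-policy", "").lower()
    if xfo not in ("deny", "sameorigin") and "frame-ancestors" not in csp:
        findings.append(
            "No clickjacking protection (X-Frame-Options or CSP frame-ancestors)"
        )

    return findings


if __name__ == "__main__":
    for name, hdrs in (("sample", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{name}: {len(check_headers(hdrs))} finding(s)")
        for f in check_headers(hdrs):
            print("  -", f)
```

To use it against a real target, pass `dict(response.headers)` from whatever HTTP client you already use; the function needs nothing beyond the header mapping, so it runs offline on the constructed samples as shown.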
