| Report title | Weakness | Reporter | Severity | Disclosed |
|---|---|---|---|---|
| Insecure Direct Object Reference (IDOR) allowing me to claim other users' photos (driving license and selfies) as mine | None supplied | leet-boy | Medium | 2017-09-15 |
| No notification sent when email is changed | None supplied | leet-boy | Low | 2017-09-13 |
| CSRF on cuvva.insure allows an attacker to send multiple SMS to download the app without visiting the cuvva | Cross-Site Request Forgery (CSRF) | aliv3 | Low | 2017-07-23 |
| Session cookie without Secure flag on https://underwriter.partner.cuvva.com | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | amaljacob7531 | None | 2017-06-06 |
| Subdomain takeover of oh-no.cuvva.co and ohno.cuvva.co | None supplied | dennis95 | None | 2017-06-02 |
| Missing rate limits at endpoints | Brute Force | introvertmac | Medium | 2017-06-02 |
| Reflected XSS on Branch domain | Cross-site Scripting (XSS) - Reflected | jrpeg | Medium | 2017-06-02 |
| Sensitive support mail disclosure | Information Disclosure | h33t | Low | 2017-06-02 |
| No rate limiting at POST /2/2017-05-22/send_identifier_token | Violation of Secure Design Principles | inhibitor181 | Low | 2017-06-01 |
| IDOR: spam anyone's cellphone number through the Cuvva app link | Insecure Direct Object Reference (IDOR) | b3nac | None | 2017-06-01 |
| Missing rate limit on https://underwriter.partner.cuvva.com/login | None supplied | leet-boy | Medium | 2017-05-27 |
| Missing rate limiting on https://underwriter.partner.cuvva.com/login | Improper Authentication - Generic | str33 | Low | 2017-05-27 |
| Verification code for Underwriter dashboard can be brute-forced | Brute Force | bhumish | None | 2017-05-27 |
| CRLF Injection [vpn.corp.cuvva.com] | CRLF Injection | cyriac | Medium | 2017-05-26 |
| Your two domain login email addresses are disclosed in | None supplied | zerotoone | None | 2017-05-25 |
| Clickjacking vulnerability in support-dashboard.corp.cuvva.co | UI Redressing (Clickjacking) | d0rkerdevil | None | 2017-05-25 |
| https://admin.corp.cuvva.co/ is vulnerable to clickjacking attacks due to missing X-Frame-Options | UI Redressing (Clickjacking) | shepard | Low | 2017-05-24 |
| cuvva.com website CSP "script-src" includes "unsafe-inline" | None supplied | kenziy | None | 2017-05-24 |
| RC4 cipher suite in use on vpn.corp.cuvva.co | Inadequate Encryption Strength | d0rkerdevil | Medium | 2017-05-24 |
| cuvva.com vulnerable to Sweet32 | Cryptographic Issues - Generic | d0rkerdevil | None | 2017-05-22 |
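Several of the reports above are response-header and cookie misconfigurations (session cookie without the Secure flag, clickjacking from a missing X-Frame-Options header, a CSP script-src that permits 'unsafe-inline'). The following checker is an added example, not code from the reports or from Cuvva: it lints a raw HTTP response head for those three classes. The two responses it runs on are constructed for illustration and were not captured from any host named in the table.

```python
"""Added example: lint an HTTP response head for the cookie/framing/CSP
misconfigurations that several of the disclosed reports describe.
The sample responses below are constructed, not captured traffic."""
from __future__ import annotations


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw response head (status line + header lines) into
    lower-cased (name, value) pairs. Repeated headers such as multiple
    Set-Cookie lines are kept as separate entries."""
    headers: list[tuple[str, str]] = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line terminates the head
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def values(headers: list[tuple[str, str]], name: str) -> list[str]:
    return [v for n, v in headers if n == name]


def audit(raw: str, served_over_https: bool = True) -> list[str]:
    """Return a list of human-readable findings for one response head."""
    headers = parse_headers(raw)
    findings: list[str] = []

    # 1. Cookie attributes: Secure (only meaningful on HTTPS) and HttpOnly.
    for cookie in values(headers, "set-cookie"):
        parts = [p.strip() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if served_over_https and "secure" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks HttpOnly flag")

    # 2. Framing protection: either X-Frame-Options or CSP frame-ancestors
    #    prevents the page from being embedded in an attacker's iframe.
    csp_policies = values(headers, "content-security-policy")
    has_frame_ancestors = any(
        "frame-ancestors" in policy.lower() for policy in csp_policies
    )
    if not values(headers, "x-frame-options") and not has_frame_ancestors:
        findings.append(
            "no X-Frame-Options and no CSP frame-ancestors (clickjacking)"
        )

    # 3. CSP script-src with 'unsafe-inline'. Caveat: CSP-aware browsers
    #    ignore 'unsafe-inline' when a nonce- or hash-source is also present,
    #    so only flag the directive when no such source accompanies it.
    for policy in csp_policies:
        for directive in policy.split(";"):
            tokens = directive.split()
            if not tokens or tokens[0].lower() != "script-src":
                continue
            sources = [t.lower().strip("'") for t in tokens[1:]]
            has_nonce_or_hash = any(
                s.startswith(("nonce-", "sha256-", "sha384-", "sha512-"))
                for s in sources
            )
            if "unsafe-inline" in sources and not has_nonce_or_hash:
                findings.append("CSP script-src allows 'unsafe-inline'")
    return findings


# Constructed sample responses (not captured from any real host).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: session=abc123; Path=/
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Content-Type: text/html
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or ["no findings"])
```

Run it against a real head by pasting the output of `curl -sI https://host/` into `audit()`; the `served_over_https` flag exists because a missing Secure attribute is only a finding when the cookie was set over TLS.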