Cuvva Program Statistics

View program

20 total issues disclosed

$0 total paid publicly

Most disclosed (6 disclosures) — None supplied

Disclosed Reports

Report Title Vulnerability Type Disclosed By Severity Disclosed on
Insecure Direct Object Reference (IDOR) Allowing me to claim other user's photos (driving license and selfies) as mine None supplied leet-boy Medium 2017-09-15
No Notification Sent When Email Is Changed. None supplied leet-boy Low 2017-09-13
CSRF on cuvva.insure allows to attacker to send multiple SMS to download the app without visiting the cuvva Cross-Site Request Forgery (CSRF) aliv3 Low 2017-07-23
Session cookie without secure flag on https://underwriter.partner.cuvva.com Reliance on Cookies without Validation and Integrity Checking in a Security Decision amaljacob7531 None 2017-06-06
Subdomain take over oh-no.cuvva.co and ohno.cuvva.co None supplied dennis95 None 2017-06-02
Missing rate-limits at endpoints Brute Force introvertmac Medium 2017-06-02
Reflected XSS on Branch domain Cross-site Scripting (XSS) - Reflected jrpeg Medium 2017-06-02
Sensitive Support Mail Disclosure Information Disclosure h33t Low 2017-06-02
No rate limiting at POST /2/2017-05-22/send_identifier_token Violation of Secure Design Principles inhibitor181 Low 2017-06-01
IDOR spam anyone's cellphone number through Cuvva app link Insecure Direct Object Reference (IDOR) b3nac None 2017-06-01
Missing rate limit on https://underwriter.partner.cuvva.com/login None supplied leet-boy Medium 2017-05-27
Missing Rate limiting on https://underwriter.partner.cuvva.com/login Improper Authentication - Generic str33 Low 2017-05-27
Verification code for Underwriter dashboard can be brute-forced Brute Force bhumish None 2017-05-27
CRLF Injection [vpn.corp.cuvva.com] CRLF Injection cyriac Medium 2017-05-26
Your two domain login email address are disclosed in None supplied zerotoone None 2017-05-25
Clickjacking vulnerability in support-dashboard.corp.cuvva.co UI Redressing (Clickjacking) d0rkerdevil None 2017-05-25
https://admin.corp.cuvva.co/ is vulnerable to Clickjacking attacks due to missing X-Frame-Options UI Redressing (Clickjacking) shepard Low 2017-05-24
cuvva.com website CSP "script-src" includes "unsafe-inline" None supplied kenziy None 2017-05-24
RC4 cipher suit in use in vpn.corp.cuvva.co Inadequate Encryption Strength d0rkerdevil Medium 2017-05-24
cuvva.com vulnerable to sweet32 Cryptographic Issues - Generic d0rkerdevil None 2017-05-22