Harvest

31 total issues disclosed
$8,650 total paid publicly
Most disclosed vulnerability type: Improper Authentication - Generic (8 disclosures)



Disclosed Reports

| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Unrestricted View to People's Web Invoices Data without knowing the Unique Hash | Information Disclosure | config | No rating | 2018-07-29 |
| Content Injection at First & Last Name Parameters that could Lead to Fraud Issue | Violation of Secure Design Principles | config | Low | 2018-07-29 |
| CSRF bypass on Submit Time sheet for Approval | Cross-Site Request Forgery (CSRF) | vijay_kumar1110 | No rating | 2017-08-18 |
| Project Manager can approve pending reports (Access control Issue) | Privilege Escalation | vijay_kumar1110 | No rating | 2017-08-17 |
| [platform.harvestapp.com] Reflected XSS in Error Message via URL parameters | Cross-site Scripting (XSS) - Reflected | ysx | Medium | 2017-05-09 |
| Client can redirect payment, causing payment discrepancy between Harvest and PayPal | Business Logic Errors | jobert | Medium | 2017-04-12 |
| Unauthorised read Access to Expense Receipt of any user in the company (Vertical Privilege escalation) | Privilege Escalation | vijay_kumar1110 | Low | 2017-04-12 |
| Login bypass on travel.██████████ aka "Harvest Spring Summit 2017" | Improper Access Control - Generic | michiel | Medium | 2017-04-10 |
| Cookie Injection at 'harvestapp.com' | Command Injection - Generic | zuh4n | Low | 2017-03-24 |
| Persistent XSS on ForecastApp | Cross-site Scripting (XSS) - Generic | lucasveigaf | Medium | 2017-03-04 |
| Opportunity to set arbitrary cookies | None supplied | s_p_q_r | No rating | 2017-02-18 |
| Possible to steal any protected files on Android | Information Disclosure | bagipro | No rating | 2017-02-09 |
| Linking Invoice to uninvited project. | Improper Authentication - Generic | bugdiscloseguys | Low | 2017-01-12 |
| Extracting private info of estimates. | Information Disclosure | bugdiscloseguys | High | 2017-01-12 |
| Stored XSS in Restoring Archived Tasks | Cross-site Scripting (XSS) - Generic | bugs3ra | Low | 2016-12-15 |
| XSS on expenses attachments | Cross-site Scripting (XSS) - Generic | eboda | No rating | 2016-11-27 |
| Editing a project (LIMITED) | Privilege Escalation | bugdiscloseguys | None | 2016-11-26 |
| Project Disclosure of all Harvest Instances | Improper Authentication - Generic | vagg-a-bond | No rating | 2016-11-02 |
| Invoices can be added to any retainers - even cross-platform | Privilege Escalation | eboda | No rating | 2016-10-29 |
| CSRF token fixation in Sign in with Google | Cross-Site Request Forgery (CSRF) | pradeepch99 | No rating | 2016-10-25 |
| Cross-Site Request Forgery (CSRF) | Cross-Site Request Forgery (CSRF) | malcolmx | No rating | 2016-10-13 |
| Leak of all project names and all user names, even across applications | Information Disclosure | eboda | No rating | 2016-10-04 |
| Unauthorized read access to Invoices by PM (Access control Issues) | Improper Authentication - Generic | vijay_kumar1110 | No rating | 2016-09-30 |
| PM can delete payment of any invoice in company (Access control Issue) | Improper Authentication - Generic | vijay_kumar1110 | No rating | 2016-09-30 |
| Unauthorized access to all the actions of invoices by PM (Access control Issues) | Improper Authentication - Generic | vijay_kumar1110 | No rating | 2016-09-30 |
| PM can delete the company logo image (Vertical Privilege Escalation) | Privilege Escalation | vijay_kumar1110 | No rating | 2016-09-30 |
| PM can Set up email for invoices and estimates (Access control Issue) | Improper Authentication - Generic | vijay_kumar1110 | No rating | 2016-09-30 |
| Record payment for any invoice by PM (Access control Issue) | Improper Authentication - Generic | vijay_kumar1110 | No rating | 2016-09-30 |
| Stored XSS on invoice, executing on any subdomain | Cross-site Scripting (XSS) - Generic | eboda | No rating | 2016-09-11 |
| S3 bucket takeover due to proxy.harvestfiles.com | Improper Authentication - Generic | eboda | No rating | 2016-09-11 |
| Users enumeration is possible through cycling through recurring[client_id] argument value. | Information Disclosure | 0xamir | No rating | 2016-09-10 |