LocalTapiola Program Statistics

View program

102 total issues disclosed

$69,259 total paid publicly

Most disclosed (17 disclosures) — Cross-site Scripting (XSS) - Generic

Disclosed Reports

Report Title Vulnerability Type Disclosed By Severity Disclosed on
CORS misconfiguration allows to steal client's "password", Authorization token and the customer details e.g. names, SSN, bank account etc. None supplied muon4 High 2019-12-13
CORS misconfiguration allows to steal customers data Violation of Secure Design Principles muon4 Critical 2019-11-21
User Information Disclosure via the REST API - /?_method=GET Information Disclosure lovepakistan No rating 2018-09-10
F5 BigIP Backend Cookie Disclosure Information Disclosure lovepakistan Medium 2018-09-10
WordPress username enumeration (/author) Information Disclosure linkks No rating 2018-09-10
Wordpress Users Disclosure (/wp-json/wp/v2/users/) Information Disclosure rootnepal Medium 2018-07-30
User able to access company details in yrityspalvelu without proper permissions Improper Authentication - Generic billy_blaze Critical 2018-06-22
F5 BIG-IP Cookie Remote Information Disclosure Information Disclosure petruknisme Medium 2018-06-21
Reflected XSS (myynti.lahitapiolarahoitus.fi) Cross-site Scripting (XSS) - Reflected yasar Medium 2018-06-19
Sitemap causing strain on your Lahitapiola.fi server Denial of Service ozzyoz High 2018-06-19
User Information Disclosure via Json response Information Disclosure d3ad1y_b0073r Medium 2018-05-22
Disclosure of Users Information via Wordpress API (?rest_route) Information Disclosure victorrocha Medium 2018-05-22
DoS of www.lahitapiolarahoitus.fi via CVE-2018-6389 exploitation Denial of Service exadmin High 2018-04-28
Authorization issue on 'valtakirjat' (/e2/verkkopalvelu/) Insecure Direct Object Reference (IDOR) muon4 High 2018-04-28
Internal IP Address Disclosure at https://www.lahitapiolarahoitus.fi/wp-json/wp/v2/pages Information Disclosure sinusoidal Low 2018-04-28
Flash-based XSS on mediaelement-flash-audio-ogg.swf of www.lahitapiolarahoitus.fi Cross-site Scripting (XSS) - Reflected putsi High 2018-04-13
The parameter in the POST query allows to control size of returned page which in turn can lead to the potential DOS attack Denial of Service tan_stream Medium 2018-04-11
Exposed authentication (/cs/Satellite) Brute Force curiositysec Medium 2018-04-11
Reflected XSS Vulnerability in https://www.lahitapiola.fi/cs/Satellite Cross-site Scripting (XSS) - Reflected teemuk Medium 2018-04-11
CSRF possible when SOP Bypass/UXSS is available Violation of Secure Design Principles bugdiscloseguys Medium 2018-04-10
Malicious file upload (secure.lahitapiola.fi) Violation of Secure Design Principles muon4 Medium 2018-04-10
xmlrpc.php FILE IS enable it will used for bruteforce attack and denial of service Denial of Service jacksonkv67 Medium 2018-04-09
Reflected XSS on bbe_open_htmleditor_popup.php of BBE Theme via "value"-GET-parameter Cross-site Scripting (XSS) - Reflected putsi High 2018-04-09
Single user DOS on selectedLanuage -cookie at (verkkopalvelu.tapiola.fi) Denial of Service mr_edwards Medium 2018-03-31
Information exposure via error pages (www.lahitapiola.fi Tomcat) Information Exposure Through an Error Message muon4 No rating 2018-03-02
Reflected XSS+CSRF on secure.lahitapiola.fi Cross-site Scripting (XSS) - Reflected putsi Medium 2018-03-02
RCE using bash command injection on /system/images (toimitilat.lahitapiola.fi) OS Command Injection yonm13 High 2018-02-27
Test Page available with Server details on /r/test (viestinta.lahitapiola.fi) Information Disclosure yonm13 Low 2018-02-27
Verbose error message reveals internal system hostnames, protols and used ports (yrityspalvelu.tapiola.fi) Information Disclosure muon4 Medium 2018-02-22
Securemail server used to internal spam and resource exhaustion Denial of Service billy_blaze No rating 2018-02-15
Cleartext protocol after bank authentication (yrityspalvelu.tapiola.fi) Violation of Secure Design Principles muon4 No rating 2018-01-14
Reflected XSS Vulnerability in www.lahitapiola.fi/cs/Satellite Cross-site Scripting (XSS) - Reflected teemuk Medium 2018-01-10
Blacklist bypass for /cs/Satellite (www.lahitapiola.fi) None supplied bobrov High 2017-12-31
Multiple Vulnerabilities in Oracle Webcenter Sites (/cs/Satellite) SQL Injection teemuk High 2017-12-29
High server resource usage on captcha (viestinta.lahitapiola.fi) Denial of Service putsi Medium 2017-12-27
PHPMYADMIN Setup is accessible without authentication on https://lml.lahitapiola.fi/ Improper Access Control - Generic w00tr00t Medium 2017-12-13
Possible sweet32 lahitapiola.fi None supplied tonsku No rating 2017-12-13
Single User DOS on SelectedLocale -cookie (verkkopalvelu.tapiola.fi) Denial of Service mr_edwards Medium 2017-12-13
Brute force unsubscription on /webApp/unsub_sb (viestinta.lahitapiola.fi) Cross-Site Request Forgery (CSRF) mr_edwards Medium 2017-03-19
Creating arbitrary cookies values /cs/CookieServer (www.lahitapiola.fi) None supplied bobrov Low 2017-03-18
High server resource usage on captcha (viestinta.lahitapiola.fi) Denial of Service irotem2 Medium 2017-03-18
SMTP configuration vulnerability viestinta.lahitapiola.fi None supplied rnmx Medium 2017-03-18
XSS on 3rd party service Localtapiola is using Cross-site Scripting (XSS) - Generic billy_blaze No rating 2017-03-18
Reflected XSS and Open Redirect (verkkopalvelu.lahitapiola.fi) Cross-site Scripting (XSS) - Generic ahsan Medium 2017-03-18
HTML Injection in email from http://www.lahitapiola.fi/henkilo/sivut/tonttutesti Cross-site Scripting (XSS) - Generic billy_blaze Low 2017-03-13
/icons/README is still available on viestinta.lahitapiola.fi Violation of Secure Design Principles delimitry None 2017-03-12
Single user DOS on selectedLanguage -cookie (yrityspalvelu.lahitapiola.fi) Violation of Secure Design Principles mr_edwards Medium 2017-03-11
CSRF bypass + XSS on verkkopalvelu.tapiola.fi Cross-site Scripting (XSS) - Generic kenan Medium 2017-03-10
Reflected XSS and Open Redirect in several parameters (viestinta.lahitapiola.fi) Cross-site Scripting (XSS) - Generic sandh0t Medium 2017-03-06
Reflected XSS on iltakoulu_varkaus (viestinta.lahitapiola.fi) Cross-site Scripting (XSS) - Generic yonm13 Medium 2017-03-06
CSRF allows attacker to delete item from customer's "Postilaatikko" Cross-Site Request Forgery (CSRF) putsi Medium 2017-02-25
show control page if you insert ' at http://viestinta.lahitapiola.fi/ Privilege Escalation modam3rly Low 2017-02-22
Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage Cross-site Scripting (XSS) - Generic putsi Critical 2017-02-22
/icons/README available on viestinta.lahitapiola.fi Violation of Secure Design Principles joukahainen None 2017-02-22
OpenSSL Padding Oracle Attack (CVE-2016-2107) on viestinta.lahitapiola.fi Cryptographic Issues - Generic anandakshya Medium 2017-02-18
Mixed Active Scripting Issue on https://www.lahitapiola.fi Violation of Secure Design Principles shahriyar No rating 2017-02-18
SQL Injection /webApp/cancel_iltakoulu regId parameter (viestinta.lahitapiola.fi) SQL Injection yasar Medium 2017-02-11
SQL Injection on /webApp/lapsuudenturva (viestinta.lahitapiola.fi) SQL Injection 3p1c Medium 2017-02-10
SQL Injection on /webApp/viivanalle (viestinta.lahitapiola.fi) SQL Injection 3p1c Medium 2017-02-10
Sql injection on /webApp/sijoituswebinaari (viestinta.lahitapiola.fi) SQL Injection 3p1c Medium 2017-02-10
HTTP status code manipluation & java stack trace Information Disclosure ras-it Low 2017-02-04
Enumeration in unsubscribe -function of /omatalousuk (viestinta.lahitapiola.fi) Privilege Escalation frankie_xote Medium 2017-02-04
Open Redirect bypass and cookie leakage on www.lahitapiola.com Open Redirect bugdelivery Medium 2017-02-04
Suspicious browser fingerprinting(?) scripts on http://www.lahitapiola.fi/ redirector Violation of Secure Design Principles eeko Low 2017-02-03
Multiple Reflected XSS /webApp/lahti (viestinta.lahitapiola.fi) Cross-site Scripting (XSS) - Generic bobrov Medium 2017-02-03
SQL Injection on /webApp/sijoitustalousuk email-parameter + potential lack of CSRF Token (viestinta.lahitapiola.fi) SQL Injection jimmyjohns Medium 2017-01-28
Reflected XSS on sankarikoulutus (viestinta.lahitapiola.fi) Cross-site Scripting (XSS) - Generic sandh0t Low 2017-01-25
SQL Injection in lapsuudenturva (viestinta.lahitapiola.fi) SQL Injection sandh0t Medium 2017-01-25
Disclosure of IBM Websphere page Violation of Secure Design Principles whitehattushu Low 2017-01-19
Error Page Content Spoofing or Text Injection (viestinta.lahitapiola.fi) Violation of Secure Design Principles ak1t4 Low 2017-01-09
SQL Injection on /webApp/omatalousuk (viestinta.lahitapiola.fi) SQL Injection anandakshya Medium 2017-01-07
SQL Injection in sijoitustalous_peruutus (viestinta.lahitapiola.fi) SQL Injection cyriac Medium 2016-12-26
Open Redirect (verkkopalvelu.lahitapiola.fi) Open Redirect bobrov Low 2016-12-26
Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite) Denial of Service teemuk High 2016-12-15
Poodle attack SSLv3 Support (viestinta.lahitapiola.fi) Cryptographic Issues - Generic monish Medium 2016-12-15
Option method enabled (viestinta.lahitapiola.fi) Information Disclosure 1_1_1 Low 2016-12-11
Open redirection protection bypass (/cs/Satellite) Open Redirect shailesh4594 Medium 2016-12-10
XSS and open redirect in verkkopalvelu.lahitapiola.fi Cross-site Scripting (XSS) - Generic th3g3nt3lman Medium 2016-12-10
HTML Injection in email /webApp/lahti (viestinta.lahitapiola.fi) Cross-site Scripting (XSS) - Generic bobrov Low 2016-12-10
Lahitapiola´s customer names send to 3rd party Information Disclosure billy_blaze No rating 2016-12-10
SQL Injection /webApp/sijoitustalous_peruutus locId parameter (viestinta.lahitapiola.fi) SQL Injection bobrov Medium 2016-12-08
SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) SQL Injection bobrov Medium 2016-12-08
Reflected XSS in www.lahitapiola.fi (/cs/Satellite) using Oracle WebCenter -page Cross-site Scripting (XSS) - Generic rpinuaga No rating 2016-11-17
Oracle WebCenter Sites Support Tools available and Information disclosure (/cs/Satellite) Information Disclosure rpinuaga No rating 2016-11-17
Email Server Compromised at secure.lahitapiola.fi Code Injection ak1t4 High 2016-11-13
Content Spoofing or Text Injection (404 error page injection on yrityspalvelu) Violation of Secure Design Principles ng1 No rating 2016-11-10
Reflected XSS in LTContactFormReceiver (/cs/Satellite) Cross-site Scripting (XSS) - Generic tsug0d No rating 2016-11-10
SQL Injection on `/cs/Satellite` path SQL Injection g0blin No rating 2016-10-19
CRLF injection in https://verkkopalvelu.lahitapiola.fi/ None supplied derision No rating 2016-09-29
Remote Code Execution in NovaStor NovaBACKUP DataCenter backup software (Hiback) Code Injection nyymi No rating 2016-09-20
The PdfServlet-functionality used by the "Tee vakuutustodistus" allows injection of custom PDF-content via CSRF-attack Cross-Site Request Forgery (CSRF) putsi No rating 2016-09-05
DOM XSS bypassing in Regional Office -selector Cross-site Scripting (XSS) - Generic rojansec No rating 2016-08-31
Cookie-based client-side denial-of-service to all of the Lähitapiola domains Cross-Site Request Forgery (CSRF) putsi No rating 2016-08-30
Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage Cross-site Scripting (XSS) - Generic mlitchfield No rating 2016-07-13
Persistent XSS at verkkopalvelu.tapiola.fi using spoofed React element and React v.0.13.3 Cross-site Scripting (XSS) - Generic fransrosen No rating 2016-06-28
Exploiting Secure Shell (SSH) on mobilelt.lahitapiola.fi Memory Corruption - Generic aaditya_purani No rating 2016-06-16
Possibly big authorization problem in Lähitapiola´s varainhoito Improper Authentication - Generic billy_blaze No rating 2016-06-08
www.lahitapiola.fi DOM XSS by choosing regional company Cross-site Scripting (XSS) - Generic reactors08 No rating 2016-06-01
Abusing and Hacking the SMTP Server secure.lahitapiola.fi Privilege Escalation aaditya_purani No rating 2016-05-20
Posting modified information in 'Investment section' will cause unintended information change in verkkopalvelu.tapiola.fi None supplied billy_blaze No rating 2016-05-14
Amazon Bucket Accessible (http://inpref.s3.amazonaws.com/) Information Disclosure maxy No rating 2016-05-12
Source Code Disclosure on out of scope domain viestinta.lahitapiola.fi None supplied konqi No rating 2016-05-12