QIWI Program Statistics


View program

60 total issues disclosed

$37,187 total paid publicly

Most disclosed (10 disclosures) — Cross-site Scripting (XSS) - Generic



Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Account Takeover through registration to the same email address | Improper Authentication - Generic | avolume | High | 2021-12-08 |
| account takeover through password reset in url https://reklama.tochka.com/ | Improper Authentication - Generic | anonymouus | High | 2021-12-02 |
| HTTP Request Smuggling on api.flocktory.com Leads to XSS on Customer Sites | HTTP Request Smuggling | wdahlenb | Critical | 2021-09-29 |
| CVE-2020-3187 - unauthenticated arbitrary file deletion in Cisco | Path Traversal | lalit2020 | Medium | 2021-09-24 |
| [QIWI Wallet] Access to protected app components | Privilege Escalation | shell_c0de | High | 2021-07-06 |
| Unauthenticated SSRF in jira.tochka.com leading to RCE in confluence.bank24.int | Code Injection | alexeypetrenko | Critical | 2021-06-29 |
| account impersonate through broken link | Phishing | nowsafe | Medium | 2021-06-04 |
| SSRF on https://qiwi.com via "Prerender HAR Capturer" | Server-Side Request Forgery (SSRF) | myway | Critical | 2021-05-22 |
| Account takeover just through csrf in https://booking.qiwi.kz/profile | Improper Access Control - Generic | sniper302 | Medium | 2021-05-20 |
| MobileIron Unauthenticated RCE on mdm.qiwi.com with WAF bypass | Deserialization of Untrusted Data | kalimer0x00 | Critical | 2021-04-27 |
| Remote Code Execution on contactws.contact-sys.com via SQL injection in TPrabhuObject.BeginOrder in parameter DOC_ID | Code Injection | honoki | Critical | 2021-04-14 |
| Remote Code Execution on contactws.contact-sys.com via SQL injection in TAktifBankObject.GetOrder in parameter DOC_ID | Code Injection | honoki | Critical | 2021-04-14 |
| Leak of some access token | None supplied | circuit | Medium | 2020-11-12 |
| IDOR: editing any wishlist | Insecure Direct Object Reference (IDOR) | circuit | No rating | 2020-11-12 |
| [qiwi.me] Stored XSS | None supplied | circuit | High | 2020-11-12 |
| [qiwi.me] Stored XSS | None supplied | circuit | High | 2020-11-12 |
| Keychain data persistence may lead to account takeover | Insufficient Session Expiration | 0x3c3e | Low | 2020-09-07 |
| DOM XSS triggered in secure support desk | Cross-site Scripting (XSS) - DOM | honoki | Critical | 2020-08-31 |
| DOM XSS triggered in secure support desk | Cross-site Scripting (XSS) - DOM | honoki | Critical | 2020-08-31 |
| Remote Code Execution on contactws.contact-sys.com via SQL injection in TCertObject operation "Delete" | Code Injection | honoki | Critical | 2020-06-19 |
| SQL injection on contactws.contact-sys.com in TRateObject.AddForOffice in USER_ID parameter leads to remote code execution | Code Injection | honoki | Critical | 2020-06-19 |
| SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution | Code Injection | honoki | Critical | 2020-06-19 |
| XSS on https://agent.postamat.tech/ in profile + disclosure of secret information | None supplied | circuit | Medium | 2020-05-25 |
| Fee bypass when paying by card | None supplied | circuit | Critical | 2019-11-05 |
| account takeover https://qiwi.me | None supplied | circuit | Critical | 2019-10-11 |
| account takeover https://idea.qiwi.com/ | Session Fixation | circuit | Critical | 2019-08-28 |
| account takeover https://teamplay.qiwi.com | None supplied | circuit | Critical | 2019-08-28 |
| Fee bypass on transfers | Business Logic Errors | circuit | Critical | 2019-07-08 |
| Information Disclosure on id.rapida.ru | Information Disclosure | danila_xawdxawdx | Low | 2018-06-11 |
| [wallet.rapida.ru] Mass SMS flood | Brute Force | bigbear_ | Medium | 2018-05-18 |
| https://fundl.qiwi.com CSRF on SMS confirmation | None supplied | lincoln9932 | Medium | 2018-03-11 |
| apache access.log leakage via long request on https://rapida.ru/ | Buffer Over-read | tsug0d | High | 2018-02-05 |
| Information disclosure on https://paycard.rapida.ru | Information Disclosure | tikoo_sahil | No rating | 2018-01-20 |
| [qiwi.com] XSS on payment form | Cross-site Scripting (XSS) - Reflected | nstikhomirov | High | 2017-10-17 |
| XSS on billing | Cross-site Scripting (XSS) - Generic | nstikhomirov | No rating | 2017-06-13 |
| [XSS/pay.qiwi.com] Pay SubDomain Hard-Use XSS | Cross-site Scripting (XSS) - Generic | nstikhomirov | Medium | 2017-06-13 |
| Content Spoofing in mango.qiwi.com | Improper Authentication - Generic | cyberunit | No rating | 2017-04-07 |
| Open Redirect in meeting.qiwi.com | Open Redirect | cyberunit | No rating | 2017-04-06 |
| [qiwi.com] Information Disclosure | Information Disclosure | bobrov | Medium | 2017-03-31 |
| [qiwi.com] .bash_history | Information Disclosure | bobrov | Low | 2017-03-27 |
| Stored XSS in agent.qiwi.com | Cross-site Scripting (XSS) - Generic | 4lemon | No rating | 2017-03-27 |
| [ibank.qiwi.ru] UI Redressing via Request-URI | Violation of Secure Design Principles | bobrov | Medium | 2017-03-27 |
| Balance disclosure on //kopilka.qiwi.com | Information Disclosure | nstikhomirov | Medium | 2017-03-10 |
| [XSS/3dsecure.qiwi.com] 3DSecure XSS | Cross-site Scripting (XSS) - Generic | nstikhomirov | Medium | 2017-03-10 |
| [rubm.qiwi.com] Yui charts.swf XSS | Cross-site Scripting (XSS) - Generic | kxyry | No rating | 2016-12-01 |
| [qiwi.com] OAuth account takeover | Improper Authentication - Generic | kxyry | No rating | 2016-11-26 |
| [qiwi.com] Open Redirect | Open Redirect | bobrov | No rating | 2016-10-25 |
| CRLF Injection [ishop.qiwi.com] | None supplied | bobrov | No rating | 2016-10-25 |
| XML External Entity (XXE) in qiwi.com + WAF bypass | None supplied | artsploit | No rating | 2016-07-26 |
| SSL Certificate on qiwi.com will expire soon. | Cryptographic Issues - Generic | ngaurav | No rating | 2016-06-06 |
| XSS Reflected in test.qiwi.ru | Cross-site Scripting (XSS) - Generic | hassham | No rating | 2015-12-11 |
| Open access to corporate data. | Improper Authentication - Generic | cyberunit | No rating | 2015-11-02 |
| Session Cookie without HttpOnly and Secure flag set | Violation of Secure Design Principles | pradeepch99 | No rating | 2015-09-27 |
| [ishop.qiwi.com] XSS + Misconfiguration | Cross-site Scripting (XSS) - Generic | kxyry | No rating | 2015-08-31 |
| Metadata in hosted files is disclosing usernames, printers, paths, admin guides, emails | Information Disclosure | jmiroche | No rating | 2015-01-18 |
| [static.qiwi.com] XSS proxy.html | Cross-site Scripting (XSS) - Generic | smiegles | No rating | 2014-12-27 |
| Code for registration of qiwi account is not coming even after a long interval of time for Indian mobile number | Violation of Secure Design Principles | born2hack | No rating | 2014-12-21 |
| [qiwi.com] /oauth/confirm.action XSS | Cross-site Scripting (XSS) - Generic | akhil-reni | No rating | 2014-12-20 |
| [send.qiwi.ru] Soap-based XXE vulnerability /soapserver/ | Denial of Service | bitquark | No rating | 2014-12-18 |
| [send.qiwi.ru] XSS at auth?login= | Cross-site Scripting (XSS) - Generic | psych0tr1a | No rating | 2014-12-17 |