Stripe Program Statistics



27 total issues disclosed

$30,750 total paid publicly

Most disclosed (5 disclosures) — Improper Access Control - Generic



Disclosed Reports


Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on
Limited path traversal in Node.js SDK leads to PII disclosure | Information Disclosure | zerodivisi0n | Medium | 2023-10-10
The `stripe/veneur` GitHub repository links to a domain `veneur.org`, which is not under stripe's control | Misconfiguration | peterldowns | Low | 2023-07-03
Possible XSS vulnerability without a content security bypass | Cross-site Scripting (XSS) - Generic | saajanbhujel | Medium | 2023-05-01
XSS vulnerability without a content security bypass in a `CUSTOM` App through Button tag | Cross-site Scripting (XSS) - Generic | saajanbhujel | Medium | 2023-05-01
CSRF in Importing CSV files [app.taxjar.com] | Cross-Site Request Forgery (CSRF) | bashcancare | Low | 2023-03-16
Object injection in `stripe-billing-typographic` GitHub project via /auth/login | Resource Injection | ph0r3nsic | Low | 2023-03-06
Verifying email bypass | Improper Access Control - Generic | fisjkars | Low | 2023-03-03
HTML Injection in the Invoice memos field | Improper Access Control - Generic | sn-shyk | Medium | 2023-03-01
Fee discounts can be redeemed many times, resulting in unlimited fee-free transactions | Business Logic Errors | ian | Medium | 2023-02-25
Promotion code can be used more than redemption limit. | Time-of-check Time-of-use (TOCTOU) Race Condition | d_sharad | Low | 2023-02-13
Mass account takeover! | Misconfiguration | akashhamal0x01 | High | 2022-12-21
Unauthorized Canceling/Unsubscribe TaxJar account & Payment information Disclosure | Improper Access Control - Generic | mr_asg | Medium | 2022-12-20
[Broken Access Control] Unauthorized Linking accounts & Linked Accounts info Disclosure | Improper Access Control - Generic | mr_asg | Low | 2022-12-20
Mass Accounts Takeover Without any user Interaction at https://app.taxjar.com/ | Authentication Bypass Using an Alternate Path or Channel | mr_asg | High | 2022-10-19
Local applications from user's computer can listen for webhooks via insecure gRPC server from stripe-cli | Improper Authentication - Generic | gregxsunday | Low | 2022-10-19
Bypassing domain deny_list rule in Smokescreen via double brackets [[]] which leads to SSRF | Server-Side Request Forgery (SSRF) | sim4n6 | Low | 2022-10-19
Tomcat Servlet Examples accessible at https://44.240.33.83:38443 and https://52.36.56.155:38443 | Improper Authorization | mustafa_farrag | Medium | 2022-10-19
Fully TaxJar account control and ability to disclose and modify business account settings Due to Broken Access Control in /current_user_data | Improper Access Control - Generic | mr_asg | Medium | 2022-10-19
Without verifying email and activate account, user can perform all action which are not supposed to be done | Violation of Secure Design Principles | tabaahi | Low | 2022-07-18
Mass Account Takeover at https://app.taxjar.com/ - No user Interaction | Authentication Bypass Using an Alternate Path or Channel | beerboy_ankit | Critical | 2022-07-11
CSRF token validation system is disabled on Stripe Dashboard | Cross-Site Request Forgery (CSRF) | rodolfomarianocy | Medium | 2022-05-31
Bypass global deny-lists by wrapping domains using "[]" in https://github.com/stripe/smokescreen | Improper Input Validation | haxatron1 | Low | 2022-05-18
CSRF token validation system is disabled on Stripe Dashboard | Cross-Site Request Forgery (CSRF) | d_sharad | Medium | 2022-04-02
Bypassing domain deny_list rule in Smokescreen via trailing dot leads to SSRF | Server-Side Request Forgery (SSRF) | gregxsunday | Low | 2022-03-23
GRAPHQL cross-tenant IDOR giving write access through the operation UpdateAtlasApplicationPerson | Insecure Direct Object Reference (IDOR) | freesec | High | 2022-03-08
Email change or personal data change on the account. | Insecure Direct Object Reference (IDOR) | dk82hg | Critical | 2022-01-21
User can pay using archived price by manipulating the request sent to `POST /v1/payment_pages/for_plink` | Insecure Direct Object Reference (IDOR) | gregxsunday | Medium | 2022-01-19