| Title | Weakness | Reporter | Severity | Date |
|---|---|---|---|---|
| Postgres Admin Username and Password in Plain text | Insecure Storage of Sensitive Information | guusverbeek | Low | 2026-01-06 |
| Hyper Link Injection while signup | Improper Input Validation | 011alsanosi | Low | 2022-06-15 |
| All user password hash can be seen from admin panel | Insecure Storage of Sensitive Information | dark_haxor | Medium | 2022-06-11 |
| OTP reflecting in response sensitive data exposure leads to account take over | None supplied | rupachandransangothi | Critical | 2022-03-26 |
| No Rate Limit on forgot password page | Improper Restriction of Authentication Attempts | pranto_0 | Medium | 2022-03-26 |
| Password reset token leakage | Misconfiguration | theendisnear | High | 2022-03-26 |
| Missing Validation in editing "Your Phone Number" | Misconfiguration | theendisnear | Medium | 2022-03-26 |
| Password Reuse | Misconfiguration | theendisnear | Medium | 2022-03-26 |
| Outdated Copyright Message @ Welcome email | Misconfiguration | theendisnear | None | 2022-03-26 |
| No rate Limit on Password Reset page on upchieve | None supplied | rupachandransangothi | Medium | 2022-03-26 |
| Clickjacking login page of https://hackers.upchieve.org/login | UI Redressing (Clickjacking) | sara346 | Medium | 2022-03-26 |
| No Rate Limiting for Password Reset Email Leads to Email Flooding | NULL Pointer Dereference | bd10ceb041a5297f881137c | Medium | 2022-03-26 |
| Widespread CSRF on authenticated POST endpoints | Cross-Site Request Forgery (CSRF) | zeyu2001 | High | 2022-02-13 |
| No character limit in password field | Use of Hard-coded Password | tomyway | Medium | 2022-01-30 |
| CORS origin validation failure | None supplied | jupiter-47 | Medium | 2021-12-07 |
| Authentication Bypass - Email Verification code bypass in account registration process. | None supplied | anas_44 | Critical | 2021-12-07 |
| Clickjacking at https://hackers.upchieve.org/login | UI Redressing (Clickjacking) | maisanisnotyours | Low | 2021-11-19 |
| No Rate Limiting on /reset-password-request/ endpoint | Violation of Secure Design Principles | 1bdool492 | Medium | 2021-10-04 |
| No Rate Limit On Reset Password | Violation of Secure Design Principles | scorpion_x | Low | 2021-08-31 |
| Old session does not expire after password change | None supplied | scorpion_x | None | 2021-08-31 |
| Failed to validate Session after Password Change | Insufficient Session Expiration | mr_sparrow | Low | 2021-08-31 |
| No Rate Limit On Contact Us | Improper Restriction of Authentication Attempts | lu3ky-13 | None | 2021-08-27 |
| I can join without user and pass in this website https://argocd.upchieve.org/settings/accounts | Reusing a Nonce, Key Pair in Encryption | 4pag | High | 2021-08-18 |
| CLICKJACKING LEADS TO DEACTIVATE ACCOUNT | UI Redressing (Clickjacking) | scianto05 | Low | 2021-08-16 |
| Business logic error | Business Logic Errors | scianto05 | Low | 2021-08-11 |
| Password reset token leak on third party website via Referer header | Storing Passwords in a Recoverable Format | n1had | Medium | 2021-08-10 |
| URL redirection | Open Redirect | ben_lay | Critical | 2021-07-30 |
| Vulnerability Report - sweet32 UPchieve | Cryptographic Issues - Generic | theendisnear | None | 2021-07-28 |
| hackers.upchieve.org and argocd.upchieve.org are not preloaded. | Violation of Secure Design Principles | theendisnear | Low | 2021-07-28 |
| Blind SQL on [ https://argocd.upchieve.org/login?return_url=id= ] | SQL Injection | ben_lay | Critical | 2021-07-28 |
| Session Hijacking leads to full control of account by attacker | None supplied | sampritdas | None | 2021-06-24 |
| Clickjacking on profile page leading to unauthorized changes | UI Redressing (Clickjacking) | shivanshmalik2 | Medium | 2021-06-15 |
| Cross-origin resource sharing misconfig \| steal user information | Information Disclosure | n1had | High | 2021-06-15 |
| CORS Misconfiguration, could lead to disclosure of sensitive information | Wrap-around Error | riski0912 | Medium | 2021-06-09 |
| No Valid SPF Records/don't have DMARC record | Improper Access Control - Generic | recreati | Critical | 2021-05-18 |
| User enumeration through forgot password | None supplied | mr-zero | High | 2021-05-16 |
| Full account takeover of any user through reset password | Improper Access Control - Generic | saajanbhujel | Critical | 2021-05-14 |
| Zero click account Takeover due to Api misconfiguration 🏂🎩 | Improper Access Control - Generic | zero_or_1 | Critical | 2021-05-14 |