WakaTime Program Statistics

View program

47 total issues disclosed

$0 total paid publicly

Most disclosed (12 disclosures) — Violation of Secure Design Principles

Disclosed Reports

Report Title Vulnerability Type Disclosed By Severity Disclosed on
Private leaderboard owner email disclosure when sending invites Information Disclosure hy76t56f565 No rating 2020-08-29
Rate Limit too lenient for endpoint sending emails Weak Password Recovery Mechanism for Forgotten Password harshita174 None 2020-08-19
[wakatime.com] HTML Injection github-btn.html Cross-site Scripting (XSS) - DOM bobrov Low 2018-10-19
SSH backdated version open port Brute Force noob-walid None 2017-11-23
Using an outdated version of OpenSSH on db01.wakatime.com Information Disclosure silv3rpoision Low 2017-10-29
Can link to websites from profile Improper Authentication - Generic flex0geek Low 2017-10-07
password token validation Improper Authentication - Generic flex0geek Low 2017-10-07
Validation of Password reset tokens Violation of Secure Design Principles saikiran-10097 Low 2017-10-01
Users with member privilege are able to see emails and membership information of other users Information Disclosure hackedbrain Medium 2017-09-26
Logout CSRF Cross-Site Request Forgery (CSRF) caesar302 Low 2017-08-29
[Privilege Escalation] Authenticated users can manipulate others fullname without their knowledge [Team Vector] Privilege Escalation axolotl Medium 2017-08-10
[Privilege Escalation] Authenticated users can manipulate others fullname without their knowledge Privilege Escalation axolotl Medium 2017-08-10
Impersonation of Wakatime user using Invitation functionality. Violation of Secure Design Principles asaxena2190 No rating 2017-08-06
Bypassing Access control, changing owner's name in a private leaderboard Improper Access Control - Generic tikoo_sahil Medium 2017-07-31
Failure to check password history Weak Password Recovery Mechanism for Forgotten Password c0d3fire Low 2017-07-30
Unsafe Inline and Eval CSP Usage Violation of Secure Design Principles mr_r3boot Low 2017-07-24
https://wakatime.com/ website CSP "script-src" includes "unsafe-inline" Violation of Secure Design Principles silv3rpoision Low 2017-07-24
Password token validation in https://wakatime.com/ Improper Authentication - Generic silv3rpoision Low 2017-07-24
Password reset links should expire after being used, instead of at specific time Improper Authentication - Generic silv3rpoision Medium 2017-07-23
Add arbitrary content to Password Reset Email Code Injection footstep No rating 2017-07-20
No rate limit on creating private leaderboards. None supplied 3thic4l No rating 2017-07-18
by pass rate limit exceed Improper Access Control - Generic abhiram No rating 2017-07-10
Session Duplication due to Broken Access Control Improper Access Control - Generic anurag98 High 2017-07-10
Blocking users to sign up on the site Violation of Secure Design Principles saikiran-10097 None 2017-07-08
Password Policy Issue Improper Authentication - Generic gnost Low 2017-07-06
Running 2 accounts with a single email Business Logic Errors atruba No rating 2017-07-06
UI Redressing on Embedded Charts UI Redressing (Clickjacking) mr_r3boot Low 2017-07-05
Clickjacking on authorized page https://wakatime.com/share/embed UI Redressing (Clickjacking) silv3rpoision Low 2017-07-05
Missing filteration of meta characters in all full name field on wakatime.com Violation of Secure Design Principles silv3rpoision Low 2017-07-04
Session not expired on logout Improper Authentication - Generic ronygigi No rating 2017-07-03
No rate limiting for confirmation email, can spam anyone with confirmation emails Violation of Secure Design Principles pratyushjanghel No rating 2017-07-03
No rate limit when creating new goals [https://wakatime.com/goals] Violation of Secure Design Principles diti No rating 2017-07-03
JSON CSRF on POST Heartbeats API Cross-Site Request Forgery (CSRF) sp1d3rs Medium 2017-07-03
IDOR create accounts and verify them with original account email Insecure Direct Object Reference (IDOR) b3nac Low 2017-07-03
No redirect uri for Twitter Oath resulting in token leak Improper Authentication - Generic b3nac Low 2017-07-03
No notificatoin sent on email after account deletion. Violation of Secure Design Principles silv3rpoision Low 2017-07-03
Two email addresses can access the same account Violation of Secure Design Principles streaak2 No rating 2017-07-03
Lack of Password Confirmation When Changing Email Violation of Secure Design Principles pratyushjanghel No rating 2017-07-03
Forgot password link doesn't expire after used, only after some hours Weak Password Recovery Mechanism for Forgotten Password mohammad_obaid Low 2017-07-03
Missing Account Deletion Notification None supplied pavanw3b No rating 2017-07-03
[https://wakatime.com/reset_password/] Leaking password reset token via referrer Information Disclosure prateek_0490 No rating 2017-07-03
Sensitive Cookie Without 'HttpOnly' Flag None supplied ninja_778899 None 2017-07-03
Email Spoofing Via /api/v1/users/reset_password None supplied leet-boy No rating 2017-07-02
Login page password - guessing attack Brute Force paxtammy Low 2017-07-02
Session Not Expired On Logout Improper Authentication - Generic pratyushjanghel No rating 2017-07-01
Missing SPF Flags Violation of Secure Design Principles mr_r3boot Low 2017-07-01
Mailgun misconfiguration Privilege Escalation gaurang No rating 2017-07-01