WakaTime


47 total issues disclosed

$0 total paid publicly


Most disclosed (12 disclosures) — Violation of Secure Design Principles


Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Private leaderboard owner email disclosure when sending invites | Information Disclosure | hy76t56f565 | No rating | 2020-08-29 |
| Rate Limit too lenient for endpoint sending emails | Weak Password Recovery Mechanism for Forgotten Password | harshita174 | None | 2020-08-19 |
| [wakatime.com] HTML Injection github-btn.html | Cross-site Scripting (XSS) - DOM | bobrov | Low | 2018-10-19 |
| SSH backdated version open port | Brute Force | noob-walid | None | 2017-11-23 |
| Using an outdated version of OpenSSH on db01.wakatime.com | Information Disclosure | silv3rpoision | Low | 2017-10-29 |
| Can link to websites from profile | Improper Authentication - Generic | flex0geek | Low | 2017-10-07 |
| password token validation | Improper Authentication - Generic | flex0geek | Low | 2017-10-07 |
| Validation of Password reset tokens | Violation of Secure Design Principles | saikiran-10097 | Low | 2017-10-01 |
| Users with member privilege are able to see emails and membership information of other users | Information Disclosure | hackedbrain | Medium | 2017-09-26 |
| Logout CSRF | Cross-Site Request Forgery (CSRF) | caesar302 | Low | 2017-08-29 |
| [Privilege Escalation] Authenticated users can manipulate others fullname without their knowledge [Team Vector] | Privilege Escalation | axolotl | Medium | 2017-08-10 |
| [Privilege Escalation] Authenticated users can manipulate others fullname without their knowledge | Privilege Escalation | axolotl | Medium | 2017-08-10 |
| Impersonation of Wakatime user using Invitation functionality. | Violation of Secure Design Principles | asaxena2190 | No rating | 2017-08-06 |
| Bypassing Access control, changing owner's name in a private leaderboard | Improper Access Control - Generic | tikoo_sahil | Medium | 2017-07-31 |
| Failure to check password history | Weak Password Recovery Mechanism for Forgotten Password | c0d3fire | Low | 2017-07-30 |
| Unsafe Inline and Eval CSP Usage | Violation of Secure Design Principles | mr_r3boot | Low | 2017-07-24 |
| https://wakatime.com/ website CSP "script-src" includes "unsafe-inline" | Violation of Secure Design Principles | silv3rpoision | Low | 2017-07-24 |
| Password token validation in https://wakatime.com/ | Improper Authentication - Generic | silv3rpoision | Low | 2017-07-24 |
| Password reset links should expire after being used, instead of at specific time | Improper Authentication - Generic | silv3rpoision | Medium | 2017-07-23 |
| Add arbitrary content to Password Reset Email | Code Injection | footstep | No rating | 2017-07-20 |
| No rate limit on creating private leaderboards. | None supplied | 3thic4l | No rating | 2017-07-18 |
| Bypass rate limit exceed | Improper Access Control - Generic | abhiram | No rating | 2017-07-10 |
| Session Duplication due to Broken Access Control | Improper Access Control - Generic | anurag98 | High | 2017-07-10 |
| Blocking users to sign up on the site | Violation of Secure Design Principles | saikiran-10097 | None | 2017-07-08 |
| Password Policy Issue | Improper Authentication - Generic | gnost | Low | 2017-07-06 |
| Running 2 accounts with a single email | Business Logic Errors | atruba | No rating | 2017-07-06 |
| UI Redressing on Embedded Charts | UI Redressing (Clickjacking) | mr_r3boot | Low | 2017-07-05 |
| Clickjacking on authorized page https://wakatime.com/share/embed | UI Redressing (Clickjacking) | silv3rpoision | Low | 2017-07-05 |
| Missing filtration of meta characters in all full name field on wakatime.com | Violation of Secure Design Principles | silv3rpoision | Low | 2017-07-04 |
| Session not expired on logout | Improper Authentication - Generic | ronygigi | No rating | 2017-07-03 |
| No rate limiting for confirmation email, can spam anyone with confirmation emails | Violation of Secure Design Principles | pratyushjanghel | No rating | 2017-07-03 |
| No rate limit when creating new goals [https://wakatime.com/goals] | Violation of Secure Design Principles | diti | No rating | 2017-07-03 |
| JSON CSRF on POST Heartbeats API | Cross-Site Request Forgery (CSRF) | sp1d3rs | Medium | 2017-07-03 |
| IDOR create accounts and verify them with original account email | Insecure Direct Object Reference (IDOR) | b3nac | Low | 2017-07-03 |
| No redirect uri for Twitter OAuth resulting in token leak | Improper Authentication - Generic | b3nac | Low | 2017-07-03 |
| No notification sent on email after account deletion. | Violation of Secure Design Principles | silv3rpoision | Low | 2017-07-03 |
| Two email addresses can access the same account | Violation of Secure Design Principles | streaak2 | No rating | 2017-07-03 |
| Lack of Password Confirmation When Changing Email | Violation of Secure Design Principles | pratyushjanghel | No rating | 2017-07-03 |
| Forgot password link doesn't expire after used, only after some hours | Weak Password Recovery Mechanism for Forgotten Password | mohammad_obaid | Low | 2017-07-03 |
| Missing Account Deletion Notification | None supplied | pavanw3b | No rating | 2017-07-03 |
| [https://wakatime.com/reset_password/] Leaking password reset token via referrer | Information Disclosure | prateek_0490 | No rating | 2017-07-03 |
| Sensitive Cookie Without 'HttpOnly' Flag | None supplied | ninja_778899 | None | 2017-07-03 |
| Email Spoofing Via /api/v1/users/reset_password | None supplied | leet-boy | No rating | 2017-07-02 |
| Login page password - guessing attack | Brute Force | paxtammy | Low | 2017-07-02 |
| Session Not Expired On Logout | Improper Authentication - Generic | pratyushjanghel | No rating | 2017-07-01 |
| Missing SPF Flags | Violation of Secure Design Principles | mr_r3boot | Low | 2017-07-01 |
| Mailgun misconfiguration | Privilege Escalation | gaurang | No rating | 2017-07-01 |