Harvest Program Statistics



31 total issues disclosed

$8,650 total paid publicly

Most disclosed (8 disclosures) — Improper Authentication - Generic



Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Unrestricted View to People’s Web Invoices Data without knowing the Unique Hash | Information Disclosure | config | No rating | 2018-07-29 |
| Content Injection at First & Last Name Parameters that could Lead Fraud Issue | Violation of Secure Design Principles | config | Low | 2018-07-29 |
| CSRF bypass on Submit Time sheet for Approval | Cross-Site Request Forgery (CSRF) | vijay_kumar1110 | No rating | 2017-08-18 |
| Project Manager can approve pending reports(Access control Issue) | Privilege Escalation | vijay_kumar1110 | No rating | 2017-08-17 |
| [platform.harvestapp.com] Reflected XSS in Error Message via URL parameters | Cross-site Scripting (XSS) - Reflected | ysx | Medium | 2017-05-09 |
| Client can redirect payment, causing payment discrepancy between Harvest and PayPal | Business Logic Errors | jobert | Medium | 2017-04-12 |
| Unauthorised read Access to Expense Receipt of any user in the company(Vertical Privilege escalation) | Privilege Escalation | vijay_kumar1110 | Low | 2017-04-12 |
| Login bypass on travel.██████████ aka "Harvest Spring Summit 2017" | Improper Access Control - Generic | michiel | Medium | 2017-04-10 |
| Cookie Injection at 'harvestapp.com' | Command Injection - Generic | zuh4n | Low | 2017-03-24 |
| Persistent XSS on ForecastApp | Cross-site Scripting (XSS) - Generic | lucasveigaf | Medium | 2017-03-04 |
| Opportunity to set arbitrary cookies | None supplied | s_p_q_r | No rating | 2017-02-18 |
| Possible to steal any protected files on Android | Information Disclosure | bagipro | No rating | 2017-02-09 |
| Linking Invoice to uninvited project. | Improper Authentication - Generic | bugdiscloseguys | Low | 2017-01-12 |
| Extracting private info of estimates. | Information Disclosure | bugdiscloseguys | High | 2017-01-12 |
| Stored XSS in Restoring Archived Tasks | Cross-site Scripting (XSS) - Generic | bugs3ra | Low | 2016-12-15 |
| XSS on expenses attachments | Cross-site Scripting (XSS) - Generic | eboda | No rating | 2016-11-27 |
| Editing a project (LIMITED) | Privilege Escalation | bugdiscloseguys | None | 2016-11-26 |
| Project Disclosure of all Harvest Instances | Improper Authentication - Generic | vagg-a-bond | No rating | 2016-11-02 |
| Invoices can be added to any retainers - even closs-platform | Privilege Escalation | eboda | No rating | 2016-10-29 |
| CSRF token fixation in Sign in with Google | Cross-Site Request Forgery (CSRF) | pradeepch99 | No rating | 2016-10-25 |
| Cross-Site Request Forgery (CSRF) | Cross-Site Request Forgery (CSRF) | malcolmx | No rating | 2016-10-13 |
| Leak of all project names and all user names , even across applications | Information Disclosure | eboda | No rating | 2016-10-04 |
| Unauthorized read access to Invoices by PM (Access control Issues) | Improper Authentication - Generic | vijay_kumar1110 | No rating | 2016-09-30 |
| PM can delete payment of any invoice in company (Access control Issue) | Improper Authentication - Generic | vijay_kumar1110 | No rating | 2016-09-30 |
| Unauthorized access to all the actions of invoices by PM (Access control Issues) | Improper Authentication - Generic | vijay_kumar1110 | No rating | 2016-09-30 |
| PM can delete the company logo image (Vertical Privilege Escalation ) | Privilege Escalation | vijay_kumar1110 | No rating | 2016-09-30 |
| PM with can Set up email for invoices and estimates (Access control Issue) | Improper Authentication - Generic | vijay_kumar1110 | No rating | 2016-09-30 |
| Record payment for any invoice by PM (Access control Issue) | Improper Authentication - Generic | vijay_kumar1110 | No rating | 2016-09-30 |
| Stored XSS on invoice, executing on any subdomain | Cross-site Scripting (XSS) - Generic | eboda | No rating | 2016-09-11 |
| S3 bucket takeover due to proxy.harvestfiles.com | Improper Authentication - Generic | eboda | No rating | 2016-09-11 |
| Users enumeration is possible through cycling through recurring[client_id] argument value. | Information Disclosure | 0xamir | No rating | 2016-09-10 |