| Report | Weakness | Reporter | Severity | Date |
|---|---|---|---|---|
| Reset password cookie leads to account takeover | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | seqrity | Medium | 2020-10-12 |
| Send Empty CSRF leads to log out user on [https://hosted.weblate.org/accounts/profile] | Cross-Site Request Forgery (CSRF) | seqrity | Low | 2020-10-12 |
| Open Github Repo Leaking WEBLATE SECRET KEY | Cleartext Storage of Sensitive Information | nafisaqil | None | 2020-07-26 |
| Improper validation of unicode characters#2 | None supplied | code_monkey | None | 2020-07-26 |
| Secret_key in GitHub | Information Disclosure | fr0gz0x | None | 2020-07-18 |
| 2nd issue>>> flood of email no rate limit on delete account confirmation email >> | Violation of Secure Design Principles | crazy_wonk | Low | 2018-09-28 |
| flood of comment no rate limit on commnets >> by using different user agent | Violation of Secure Design Principles | crazy_wonk | Low | 2018-09-28 |
| no notification send to victim if attacker hacks/accesses his victims WebLate account. | Business Logic Errors | c0narp | Low | 2018-09-26 |
| Browser Self XSS Protection not implemented | Information Disclosure | hallaleen | No rating | 2018-09-26 |
| Broken Authentication – Session Token bug | None supplied | crazy_wonk | None | 2018-09-26 |
| Open port leads to information disclosure | Information Disclosure | str33 | Low | 2018-09-10 |
| Tab nabbing via window.opener | None supplied | logan47 | No rating | 2018-09-01 |
| Audit log validation | Improper Neutralization of HTTP Headers for Scripting Syntax | mur90210 | None | 2018-08-28 |
| Insecure Account Removal #2 | Violation of Secure Design Principles | japz | Low | 2018-08-28 |
| Account Restore / Reactivating an old email via old reset link | None supplied | footstep | No rating | 2018-08-27 |
| Running 2 accounts with a single email #3 | Business Logic Errors | footstep | No rating | 2018-08-27 |
| DNSSEC Zone Walk using NSEC Records | Information Disclosure | pk21 | None | 2018-01-30 |
| Improper validation of unicode characters | None supplied | crazy_wonk | None | 2017-11-17 |
| Running 2 accounts with a single email [Part 2] | Business Logic Errors | footstep | No rating | 2017-10-07 |
| Reset password more than once with a reset link #2 | Business Logic Errors | footstep | No rating | 2017-10-07 |
| Application allowing old password to be set as new password \| hosted.weblate.org | None supplied | punkit | No rating | 2017-10-05 |
| Add another email address without verification | Improper Access Control - Generic | tungpun | No rating | 2017-10-05 |
| DKIM records not present, Email Hijacking is possible..... | Improper Authentication - Generic | kaamakya | None | 2017-09-16 |
| Missing Restriction On String Size | Memory Corruption - Generic | alyanwarr | None | 2017-09-16 |
| No rate limit or captcha to identify humans | Violation of Secure Design Principles | alyanwarr | None | 2017-09-15 |
| Improper Cookie expiration \| Cookies Expiration Set to Future | None supplied | punkit | Low | 2017-08-31 |
| [debian.weblate.org]-Missing SPF Record | Violation of Secure Design Principles | hackerhero | Low | 2017-08-24 |
| Reset password more than once with a reset link | Business Logic Errors | footstep | No rating | 2017-08-21 |
| Full Name Overwrite on Third party login | None supplied | footstep | No rating | 2017-08-21 |
| No Rate Limitation on Regenerate Api Key | None supplied | footstep | No rating | 2017-08-21 |
| Persistence of Third Party Association. | Business Logic Errors | footstep | No rating | 2017-08-21 |
| Previous password could set as new password | None supplied | footstep | No rating | 2017-08-21 |
| Password token validation in Weblate Bypass #2 | None supplied | footstep | No rating | 2017-08-21 |
| Password token validation in Weblate Bypass | Improper Authentication - Generic | footstep | None | 2017-08-21 |
| Improper validation of unicode characters #3 | None supplied | footstep | No rating | 2017-08-21 |
| Improper validation of unicode characters still not fixed #2 | None supplied | footstep | No rating | 2017-08-21 |
| Improper validation of unicode characters still not fixed | None supplied | footstep | No rating | 2017-08-21 |
| Password Restriction | Violation of Secure Design Principles | chols | Low | 2017-08-19 |
| Improper validation of unicode characters | Violation of Secure Design Principles | asaxena2190 | No rating | 2017-08-19 |
| Weak password policy | None supplied | platinum1933 | Low | 2017-08-18 |
| Csrf in watch-unwatch projects | Cross-Site Request Forgery (CSRF) | ashish_r_padelkar | Low | 2017-08-17 |
| Error Message When Changing Username | Business Logic Errors | blake12356 | None | 2017-08-17 |
| The username of an account can be .. | Business Logic Errors | blake12356 | None | 2017-07-27 |
| No filteration of null characters in name field | Violation of Secure Design Principles | blake12356 | None | 2017-07-27 |
| Bypassing captcha in registration on Hosted site | Denial of Service | pavanw3b | Medium | 2017-07-03 |
| Invalidate session after password reset - hosted website | None supplied | pavanw3b | Low | 2017-07-03 |
| Rate Limit Issue on hosted.weblate.org | Brute Force | imran_hadid | Low | 2017-07-02 |
| Weblate \|Security Misconfiguration\| Method Enumeration Possible on domain | None supplied | punkit | None | 2017-07-02 |
| Captcha bypass at registration | None supplied | proabiral | Low | 2017-06-28 |
| Adding Email lacks Password validation | None supplied | proabiral | Low | 2017-06-28 |
| Password token validation in https://demo.weblate.org/ | Improper Authentication - Generic | brdoors3 | No rating | 2017-06-27 |
| Improper validation of unicode characters | None supplied | rammarj | No rating | 2017-06-20 |
| Existing sessions valid after removing third party auth | Improper Authentication - Generic | brdoors3 | Low | 2017-06-16 |
| Directory Listing | Cleartext Storage of Sensitive Information | haxor_kiddie | None | 2017-06-16 |
| Email spoofing at weblate.org | None supplied | pyrk2142 | No rating | 2017-06-16 |
| Incorrect HTTPS Certificate | Improper Certificate Validation | numbshiva | None | 2017-06-16 |
| ClickJacking on Debug | UI Redressing (Clickjacking) | bf7e43565d8cf54de3bc5a7 | No rating | 2017-06-16 |
| 7BO: Binary Option Robot URL should be HTTPS | None supplied | bf7e43565d8cf54de3bc5a7 | No rating | 2017-06-16 |
| Facebook share URL should be HTTPS | None supplied | bf7e43565d8cf54de3bc5a7 | No rating | 2017-06-16 |
| Takeover of an account via reset password options after removing the account | Improper Authentication - Generic | imran_hadid | Low | 2017-06-13 |
| Open redirect while disconnecting Email | Open Redirect | atruba | No rating | 2017-06-08 |
| Open redirect while disconnecting authenticated account | Open Redirect | gsecure | Medium | 2017-06-08 |
| Clickjacking docs.weblate.org | None supplied | lolninja | Low | 2017-06-05 |
| Weblate- Banner Grabbing-Ngnix Server version | None supplied | punkit | No rating | 2017-06-05 |
| Old password can be new password | None supplied | proabiral | Low | 2017-06-03 |
| Missing restriction on string size | None supplied | proabiral | Low | 2017-06-03 |
| Login CSRF : Login Authentication Flaw | Cross-Site Request Forgery (CSRF) | japz | Medium | 2017-06-02 |
| No Rate Limiting at /contact | Memory Corruption - Generic | chols | Low | 2017-06-02 |
| CSRF - Changing the full name / adding a secondary email identity of an account via a GET request | Cross-Site Request Forgery (CSRF) | inhibitor181 | Medium | 2017-06-02 |
| Captcha Bypass at Email Reset can lead to Spamming users. | Violation of Secure Design Principles | sahilmk | No rating | 2017-06-02 |
| Information Disclosure on demo.weblate.org | Information Disclosure | sp1d3rs | Low | 2017-06-02 |
| CSRF bypass ( Delate Source Translation From dictionaries ) in demo.weblate.org | Cross-Site Request Forgery (CSRF) | sup3r-b0y | Medium | 2017-06-02 |
| Uploaded XLF files result in External Entity Execution | XML External Entities (XXE) | 4cad | High | 2017-06-02 |
| API Does Not Apply Access Controls to Translations | Improper Access Control - Generic | 4cad | Low | 2017-06-02 |
| Design Flaw in session management of password reset | Improper Access Control - Generic | asaxena2190 | No rating | 2017-06-02 |
| No notificatoin sent on email after account deletion. | None supplied | mansoor_gilal | No rating | 2017-06-02 |
| Self-XSS can be achieved in the editor link using filter bypass | Cross-site Scripting (XSS) - Generic | sp1d3rs | None | 2017-06-02 |
| CSP "script-src" includes "unsafe-inline" in weblate.org and demo.weblate.org | Violation of Secure Design Principles | mrr3boot | None | 2017-05-23 |
| Missing filteration of meta characters in full name field on registration page https://demo.weblate.org/accounts/register | Violation of Secure Design Principles | smit | None | 2017-05-22 |
| Option method enabled | Violation of Secure Design Principles | hurthearts | None | 2017-05-21 |
| Open SMTP port can let anyone send email from mail.chihar.com | Cryptographic Issues - Generic | str33 | No rating | 2017-05-20 |
| You can simply just use passwords that simply are as 123456 | None supplied | sarlis | Low | 2017-05-19 |
| Null Password - Setting a new password doesn't check for empty spaces | Weak Cryptography for Passwords | footstep | Low | 2017-05-18 |
| Access to completion page without performing any action | Improper Access Control - Generic | footstep | None | 2017-05-18 |
| Setting a password with a single character | Weak Cryptography for Passwords | footstep | Low | 2017-05-18 |
| Running 2 accounts with a single email | Business Logic Errors | footstep | None | 2017-05-18 |
| HttpOnly Flag not set | Violation of Secure Design Principles | secachhunew | None | 2017-05-18 |
| Missing restriction on string size of Full Name at https://demo.weblate.org/accounts/register/ | Memory Corruption - Generic | smit | Low | 2017-05-18 |
| hosted.weblate.org: X-XSS-Protection not enabled | Cross-site Scripting (XSS) - Generic | eugui | Low | 2017-05-17 |
| Logout CSRF | Cross-Site Request Forgery (CSRF) | japz | Low | 2017-05-17 |
| [demo.weblate.org] Stored Self-XSS via Editor Link in Profile | Cross-site Scripting (XSS) - Stored | ysx | Low | 2017-05-17 |
| Specify maximal length in translation | Violation of Secure Design Principles | eugui | None | 2017-05-17 |
| CSV Injection with the CVS export feature - Glossary | Command Injection - Generic | eugui | Low | 2017-05-17 |
| Activation tokens are not expiring | Cross-Site Request Forgery (CSRF) | japz | Medium | 2017-05-17 |
| Open Redirect via "next" parameter in third-party authentication | Open Redirect | ysx | Medium | 2017-05-17 |
| Insecure Account Removal | Violation of Secure Design Principles | japz | Low | 2017-05-17 |
| Login using disconnected google account i.e login using old email id | Improper Authentication - Generic | tushar21 | Low | 2017-05-17 |
| Registration captcha bypass | Violation of Secure Design Principles | blacky | Medium | 2017-05-17 |
| Content Spoofing | None supplied | mga_bobo | Low | 2017-05-17 |
| [hosted.weblate.org]Account Takeover | None supplied | mga_bobo | Low | 2017-05-17 |
| Open redirect in Signing in via Social Sites | Open Redirect | rajauzairabdullah | Medium | 2017-05-17 |
| demo.weblate.org is vulnerable to SWEET32 Vulnerability | Inadequate Encryption Strength | d0rkerdevil | Low | 2017-05-17 |
| Improper Password Reset Policy on https://hosted.weblate.org/ | Violation of Secure Design Principles | mrr3boot | Low | 2017-05-17 |
| No Password Length Restriction leads to Denial of Service | Denial of Service | ant_pyne | Low | 2017-05-17 |
| Email verification over an unencrypted channel | Man-in-the-Middle | pavanw3b | Low | 2017-05-17 |
| No Rate Limitting at Change Password | None supplied | mga_bobo | Medium | 2017-05-17 |
| full path disclosure at hosted.weblate.org/admin/accounts/profile/ | Path Traversal | geekdad | Medium | 2017-05-17 |
| Improper access control when an added email address is deleted from authentication | Improper Access Control - Generic | cache_bounty | High | 2017-05-17 |
| Account Takeover using Third party Auth CSRF | Cross-Site Request Forgery (CSRF) | ansariosama | High | 2017-05-17 |
| Notify user about password change | Improper Authentication - Generic | eugui | Low | 2017-05-17 |
| No BruteForce Protection | Brute Force | jaypatel | Medium | 2017-05-17 |
| CSRF : Reset API | Cross-Site Request Forgery (CSRF) | jaypatel | Low | 2017-05-17 |
| CSV Injection with the CSV export feature | OS Command Injection | jaypatel | Low | 2017-05-17 |
| CSRF : Lock and Unlock Translation | Cross-Site Request Forgery (CSRF) | jaypatel | Medium | 2017-05-17 |
| Weak e-mail change functionality could lead to account takeover | Violation of Secure Design Principles | twicedi | Low | 2017-05-17 |
| Self XSS at translation page through Editor Link at demo.weblate.org | Cross-site Scripting (XSS) - Generic | csanuragjain | Low | 2017-05-17 |
| session id missing secure flag - Hosted Website | None supplied | pavanw3b | Low | 2017-05-17 |
| Rate Limit Bypass on login Page | Improper Authentication - Generic | atruba | Medium | 2017-05-17 |
| User Enumeration when adding email to account | None supplied | atruba | Low | 2017-05-17 |
| Spamming any user from Reset Password Function | Violation of Secure Design Principles | atruba | Low | 2017-05-17 |
| CSV export filter bypass leads to formula injection. | Command Injection - Generic | edoverflow | Medium | 2017-05-17 |
| Already Registered Email Disclosure | Information Disclosure | anonymans | Low | 2017-05-17 |
| Content Spoofing in error message | Violation of Secure Design Principles | codertom | Low | 2017-05-17 |
| No expiration of session ID after Password change | Insufficient Session Expiration | str33 | Low | 2017-05-17 |
| Missing DMARC on weblate.org | None supplied | khalidamin | Low | 2017-05-17 |
| Abuse of Api that causes spamming users and possible DOS due to missing rate limit on contact form | None supplied | khalidamin | None | 2017-05-17 |
| Abuse of Api that causes spamming users and possible DOS due to missing rate limit | None supplied | khalidamin | Low | 2017-05-17 |
| Content Spoofing | Violation of Secure Design Principles | eveeez | Low | 2017-05-17 |
| Specify maximal length in new comment | Violation of Secure Design Principles | eugui | Low | 2017-05-17 |
| weblate.org: X-XSS-Protection not enabled | Cross-site Scripting (XSS) - Generic | eugui | Low | 2017-05-17 |
| CSRF to Connect third party Account | Cross-Site Request Forgery (CSRF) | bhavi | Medium | 2017-05-02 |
| Web server is vulnerable to Beast Attack | Cryptographic Issues - Generic | mrr3boot | Low | 2017-04-24 |