Public Cuvva bug reports.
4,419 Bug Reports - $2,030,173 Paid Out
Last Updated: 12th September, 2017
Team   Bounty  Title
Cuvva  -       CSRF on cuvva.insure allows an attacker to send multiple SMS to download the app without visiting the cuvva
Cuvva  -       Session cookie without Secure flag on https://underwriter.partner.cuvva.com
Cuvva  -       Sensitive support mail disclosure
Cuvva  -       Missing rate limits at endpoints
Cuvva  -       IDOR: spam anyone's cellphone number through Cuvva app link
Cuvva  -       Missing rate limiting on https://underwriter.partner.cuvva.com/login
Cuvva  -       Subdomain takeover of oh-no.cuvva.co and ohno.cuvva.co
Cuvva  -       Verification code for Underwriter dashboard can be brute-forced
Cuvva  -       Your two domain login email addresses are disclosed in
Cuvva  -       Clickjacking vulnerability in support-dashboard.corp.cuvva.co
Cuvva  -       CRLF injection [vpn.corp.cuvva.com]
Cuvva  -       https://admin.corp.cuvva.co/ is vulnerable to clickjacking attacks due to missing X-Frame-Options
Cuvva  -       Missing rate limit on https://underwriter.partner.cuvva.com/login
Cuvva  -       cuvva.com website CSP "script-src" includes "unsafe-inline"
Cuvva  -       RC4 cipher suite in use on vpn.corp.cuvva.co
Cuvva  -       cuvva.com vulnerable to Sweet32
Cuvva  -       Reflected XSS on Branch domain
Cuvva  -       No rate limiting at POST /2/2017-05-22/send_identifier_token