Public Harvest bug reports

4,419 Bug Reports - $2,030,173 Paid Out

Last Updated: 12th September, 2017
Team     Bounty  Title
-------  ------  -----
Harvest  $300    [platform.harvestapp.com] Reflected XSS in Error Message via URL parameters
Harvest  $400    Client can redirect payment, causing payment discrepancy between Harvest and PayPal
Harvest  -       Login bypass on travel.██████████ aka "Harvest Spring Summit 2017"
Harvest  $250    Persistent XSS on ForecastApp
Harvest  $300    Unauthorised read access to expense receipts of any user in the company (vertical privilege escalation)
Harvest  $250    Stored XSS in Restoring Archived Tasks
Harvest  $100    Editing a project (LIMITED)
Harvest  $150    Linking invoice to uninvited project
Harvest  $300    Cookie injection at 'harvestapp.com'
Harvest  $500    Invoices can be added to any retainers - even cross-platform
Harvest  $250    XSS on expenses attachments
Harvest  $150    CSRF bypass on Submit Timesheet for Approval
Harvest  $150    Project Manager can approve pending reports (access control issue)
Harvest  $500    Possible to steal any protected files on Android
Harvest  $150    Extracting private info of estimates
Harvest  $150    Unauthorized read access to invoices by PM (access control issue)
Harvest  $150    Unauthorized access to all the actions of invoices by PM (access control issue)
Harvest  $100    PM can delete payment of any invoice in company (access control issue)
Harvest  $100    Record payment for any invoice by PM (access control issue)
Harvest  $100    PM can delete the company logo image (vertical privilege escalation)
Harvest  $250    PM can set up email for invoices and estimates (access control issue)
Harvest  $150    Opportunity to set arbitrary cookies
Harvest  $500    Project disclosure of all Harvest instances
Harvest  $1,000  Leak of all project names and all user names, even across applications
Harvest  $350    User enumeration is possible by cycling through the recurring[client_id] argument value
Harvest  $350    Stored XSS on invoice, executing on any subdomain
Harvest  $250    CSRF token fixation in Sign in with Google
Harvest  $1,000  S3 bucket takeover due to proxy.harvestfiles.com
Harvest  $100    Cross-Site Request Forgery (CSRF)