Public Veris bug reports.

4,419 Bug Reports - $2,030,173 Paid Out

Last Updated: 12th September, 2017

| Team | Bounty | Title |
| --- | --- | --- |
| Veris | - | Reflected Cross site scripting |
| Veris | - | Internal server error 500 at log.veris.in |
| Veris | - | bug |
| Veris | - | Email spoofing in support@veris.in |
| Veris | - | Registration Link "Jacking&Redirecting" |
| Veris | - | Unauthenticated CSRF(User can input any value for CSRF Token) |
| Veris | - | Text injection can be used in phishing 404 page and should not include attacker text |
| Veris | - | Reflected XSS in domain www.veris.in |
| Veris | - | Stored XSS on 'Badges' page |
| Veris | - | [Stored XSS] sandbox.veris.in |
| Veris | - | [XSS] sandbox.veris.in |
| Veris | - | SSL/TLS BEAST ATTACK VULNERABILITY |
| Veris | - | XSS in Asset name |
| Veris | - | Stored XSS in member book |
| Veris | - | XSS on multiple fields |
| Veris | - | Captcha Bypass enable login bruteforce |
| Veris | - | Wordpress Pingback DDoS Attacks in domain: veris.in |
| Veris | - | Stored XSS in Access Rules |
| Veris | - | Complete Profile URL is not Random and not expiring |
| Veris | - | Not Using Secure Flag Option on Cookies Could Lead to a Man in the Middle Session Hijacking |
| Veris | - | Complete or Edit Another User's Profile |
| Veris | - | Insecure Direct 'org-visitor-log' References |
| Veris | - | Insecure Direct 'org-invite-log' References |
| Veris | - | Security Vulnerability - SMTP protection not used |
| Veris | - | Insecure Direct Member Disclosure |
| Veris | - | User enumeration via error message |
| Veris | - | Creating multiple user with the same link which is sent to email after registration |
| Veris | - | Server and PHP version Disclosed in Response Header |
| Veris | - | Multiple Stored XSS on Sanbox.veris.in through Veris Frontdesk Android App |
| Veris | - | Multiple Stored XSS |
| Veris | - | Critical IDOR - Make Rule for Any Group & Any Venue remotely |
| Veris | - | Critical IDOR - Get Rules of any organization remotely |
| Veris | - | Critical IDOR - Can select any Parent while creating new Venue |
| Veris | - | Critical IDOR - Get venue data of any organization remotely |
| Veris | - | Critical IDOR - Get Authentication Details of any Terminal/Gatekeeper |
| Veris | - | Critical IDOR - Set anyone's Terminal Data remotely |
| Veris | - | Critical IDOR - Get anyone's Terminal Data remotely |
| Veris | - | Critical IDOR - Delete any terminal/gatekeeper of any organization remotely |
| Veris | - | Missing Server Side Validation of CSRF Middleware Token in Change Password Request |
| Veris | - | Critical IDOR - Delete any rule of any organization remotely |
| Veris | - | Critical IDOR - Delete any venue of any organization remotely |
| Veris | - | Critical IDOR - Delete any group of any organization remotely |
| Veris | - | Critical - Insecure Direct Object Reference - Deleting any member of any organization remotely |
| Veris | - | Password(s) can be found via login process. |
| Veris | - | www.veris.in DOM based XSS |
| Veris | - | Stored XSS |
| Veris | - | Password reset link is not Expiring |