Public WakaTime bug reports.

Team Bounty Title
WakaTime - Impersonation of Wakatime user using Invitation functionality.
WakaTime - Failure to check password history
WakaTime - Session Duplication due to Broken Access Control
WakaTime - by pass rate limit exceed
WakaTime - [Privilege Escalation] Authenticated users can manipulate others fullname without their knowledge [Team Vector]
WakaTime - Running 2 accounts with a single email
WakaTime - Password Policy Issue
WakaTime - Blocking users to sign up on the site
WakaTime - No rate limit on creating private leaderboards.
WakaTime - Sensitive Cookie Without 'HttpOnly' Flag
WakaTime - JSON CSRF on POST Heartbeats API
WakaTime - Bypassing Access control, changing owner's name in a private leaderboard
WakaTime - Lack of Password Confirmation When Changing Email
WakaTime - Missing Account Deletion Notification
WakaTime - Two email addresses can access the same account
WakaTime - Missing filteration of meta characters in all full name field on
WakaTime - No rate limiting for confirmation email, can spam anyone with confirmation emails
WakaTime - Session not expired on logout
WakaTime - No notificatoin sent on email after account deletion.
WakaTime - Clickjacking on authorized page
WakaTime - No redirect uri for Twitter Oath resulting in token leak
WakaTime - Login page password - guessing attack
WakaTime - Session Not Expired On Logout
WakaTime - No rate limit when creating new goals []
WakaTime - Logout CSRF
WakaTime - website CSP "script-src" includes "unsafe-inline"
WakaTime - Unsafe Inline and Eval CSP Usage
WakaTime - UI Redressing on Embedded Charts
WakaTime - Add arbitrary content to Password Reset Email
WakaTime - Forgot password link doesn't expire after used, only after some hours
WakaTime - IDOR create accounts and verify them with original account email
WakaTime - Password token validation in
WakaTime - Password reset links should expire after being used, instead of at specific time
WakaTime - [Privilege Escalation] Authenticated users can manipulate others fullname without their knowledge
WakaTime - Email Spoofing Via /api/v1/users/reset_password
WakaTime - Mailgun misconfiguration
WakaTime - [] Leaking password reset token via referrer
WakaTime - Missing SPF Flags