Cuvva

reports in last 90 days
14 disclosed resolved issues
7 disclosed informative issues
0 disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Report Info | Report Status |
|---|---|---|---|---|---|
| None | Unclaimed facebook page at www.cuvva.com/about | Violation of Secure Design Principles | badcracker | Issue was not triaged; time to close: 0 days and 11 hours | Resolved |
| Low | Clickjacking in ops.cuvva.com | UI Redressing (Clickjacking) | ph0b0s | Issue was not triaged; time to close: 12 days and 21 hours | Resolved |
| Medium | Insecure Direct Object Reference (IDOR) allowing me to claim other users' photos (driving licence and selfies) as mine | None supplied | leet-boy | Time to triage: 0 days and 13 hours; time to close: 0 days and 1 hour | Resolved |
| Low | No Notification Sent When Email Is Changed | None supplied | leet-boy | Time to triage: 0 days and 0 hours; time to close: 111 days and 7 hours | Resolved |
| Low | CSRF on cuvva.insure allows an attacker to send multiple SMS to download the app without visiting the cuvva | Cross-Site Request Forgery (CSRF) | aliv3 | Time to triage: 0 days and 0 hours; time to close: 5 days and 12 hours | Informative |
| None | Session cookie without secure flag on https://underwriter.partner.cuvva.com | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | amaljacob7531 | Time to triage: 0 days and 0 hours; time to close: 1 day and 8 hours | Resolved |
| Low | Sensitive Support Mail Disclosure | Information Disclosure | h33t | Time to triage: 0 days and 17 hours; time to close: 1 day and 1 hour | Resolved |
| Medium | Reflected XSS on Branch domain | Cross-site Scripting (XSS) - Reflected | jrpeg | Time to triage: 0 days and 0 hours; time to close: 10 days and 21 hours | Resolved |
| Medium | Missing rate-limits at endpoints | Brute Force | introvertmac | Time to triage: 2 days and 15 hours; time to close: 0 days and 11 hours | Resolved |
| None | Subdomain take over oh-no.cuvva.co and ohno.cuvva.co | None supplied | dennis95 | Issue was not triaged; time to close: 0 days and 0 hours | Informative |
| None | IDOR spam anyone's cellphone number through Cuvva app link | Insecure Direct Object Reference (IDOR) | b3nac | Issue was not triaged; time to close: 0 days and 3 hours | Informative |
| Low | No rate limiting at POST /2/2017-05-22/send_identifier_token | Violation of Secure Design Principles | inhibitor181 | Time to triage: 0 days and 0 hours; time to close: 5 days and 2 hours | Resolved |
| None | Verification code for Underwriter dashboard can be brute-forced | Brute Force | bhumish | Issue was not triaged; time to close: 0 days and 0 hours | Informative |
| Low | Missing Rate limiting on https://underwriter.partner.cuvva.com/login | Improper Authentication - Generic | str33 | Issue was not triaged; time to close: 0 days and 5 hours | Duplicate |
| Medium | Missing rate limit on https://underwriter.partner.cuvva.com/login | None supplied | leet-boy | Time to triage: 0 days and 3 hours; time to close: 3 days and 5 hours | Resolved |
| Medium | RC4 cipher suite in use in vpn.corp.cuvva.co | Inadequate Encryption Strength | d0rkerdevil | Time to triage: 0 days and 0 hours; time to close: 0 days and 12 hours | Resolved |
| None | cuvva.com website CSP "script-src" includes "unsafe-inline" | None supplied | kenziy | Issue was not triaged; time to close: 0 days and 0 hours | Informative |
| Low | https://admin.corp.cuvva.co/ is vulnerable to Clickjacking attacks due to missing X-Frame-Options | UI Redressing (Clickjacking) | shepard | Time to triage: 0 days and 0 hours; time to close: 0 days and 4 hours | Resolved |
| None | Clickjacking vulnerability in support-dashboard.corp.cuvva.co | UI Redressing (Clickjacking) | d0rkerdevil | Issue was not triaged; time to close: 0 days and 1 hour | Informative |
| None | Your two domain login email addresses are disclosed in | None supplied | zerotoone | Time to triage: 0 days and 0 hours; time to close: 0 days and 0 hours | Resolved |
| Medium | CRLF Injection [vpn.corp.cuvva.com] | CRLF Injection | cyriac | Time to triage: 0 days and 3 hours; time to close: 1 day and 13 hours | Resolved |
| None | cuvva.com vulnerable to sweet32 | Cryptographic Issues - Generic | d0rkerdevil | Issue was not triaged; time to close: 0 days and 0 hours | Informative |