Harvest

Reports in last 90 days:
Disclosed resolved issues: 34
Disclosed informative issues: 0
Disclosed N/A issues: 0

Listed on HackerOne — Updated on 2019/10/15

Disclosed reports (all Resolved). Triage and close times are as shown on the listing, abbreviated to days (d) and hours (h); "not triaged" means the listing showed "Issue was not triaged".

| Severity | Bug Title | Bug Type | Found By | Time to triage | Time to close | Status |
|---|---|---|---|---|---|---|
| Medium | [platform.harvestapp.com] Reflected XSS in Error Message via URL parameters | Cross-site Scripting (XSS) - Reflected | ysx | 0d 14h | 0d 1h | Resolved |
| No rating | Unrestricted View to People's Web Invoices Data without knowing the Unique Hash | Information Disclosure | config | 26d 14h | 12d 5h | Resolved |
| Low | Content Injection at First & Last Name Parameters that could Lead Fraud Issue | Violation of Secure Design Principles | config | 0d 17h | 706d 6h | Resolved |
| No rating | Project Manager can approve pending reports (Access control Issue) | Privilege Escalation | vijay_kumar1110 | not triaged | 21d 4h | Resolved |
| No rating | CSRF bypass on Submit Time sheet for Approval | Cross-Site Request Forgery (CSRF) | vijay_kumar1110 | 16d 14h | 40d 21h | Resolved |
| Medium | Login bypass on travel.██████████ aka "Harvest Spring Summit 2017" | Improper Access Control - Generic | michiel | not triaged | 0d 16h | Resolved |
| Low | Unauthorised read Access to Expense Receipt of any user in the company (Vertical Privilege escalation) | Privilege Escalation | vijay_kumar1110 | 22d 8h | 75d 20h | Resolved |
| Medium | Client can redirect payment, causing payment discrepancy between Harvest and PayPal | Business Logic Errors | jobert | 3d 12h | 0d 22h | Resolved |
| Low | Cookie Injection at 'harvestapp.com' | Command Injection - Generic | zuh4n | 0d 6h | 25d 23h | Resolved |
| Medium | Persistent XSS on ForecastApp | Cross-site Scripting (XSS) - Generic | lucasveigaf | 0d 7h | 0d 9h | Resolved |
| No rating | Opportunity to set arbitrary cookies | None supplied | s_p_q_r | 0d 0h | 133d 22h | Resolved |
| No rating | Possible to steal any protected files on Android | Information Disclosure | bagipro | 87d 16h | 54d 22h | Resolved |
| High | Extracting private info of estimates. | Information Disclosure | bugdiscloseguys | 11d 15h | 92d 3h | Resolved |
| Low | Linking Invoice to uninvited project. | Improper Authentication - Generic | bugdiscloseguys | 3d 13h | 12d 22h | Resolved |
| Low | Stored XSS in Restoring Archived Tasks | Cross-site Scripting (XSS) - Generic | bugs3ra | 0d 7h | 1d 22h | Resolved |
| None | Editing a project (LIMITED) | Privilege Escalation | bugdiscloseguys | 1d 20h | 4d 22h | Resolved |
| No rating | XSS on expenses attachments | Cross-site Scripting (XSS) - Generic | eboda | 0d 2h | 53d 20h | Resolved |
| No rating | Invoices can be added to any retainers - even closs-platform | Privilege Escalation | eboda | 3d 1h | 12d 23h | Resolved |
| No rating | Project Disclosure of all Harvest Instances | Improper Authentication - Generic | vagg-a-bond | 6d 2h | 43d 21h | Resolved |
| No rating | CSRF token fixation in Sign in with Google | Cross-Site Request Forgery (CSRF) | pradeepch99 | 7d 1h | 32d 23h | Resolved |
| No rating | Cross-Site Request Forgery (CSRF) | Cross-Site Request Forgery (CSRF) | malcolmx | 0d 0h | 4d 19h | Resolved |
| No rating | Leak of all project names and all user names, even across applications | Information Disclosure | eboda | 4d 18h | 18d 2h | Resolved |