Reverb

reports in last 90 days
12 disclosed resolved issues
0 disclosed informative issues
0 disclosed N/A issues

Listed on HackerOne. Updated on 2019/10/15.

| Severity | Bug Title | Bug Type | Found By | Time to Triage | Time to Close | Report Status |
|---|---|---|---|---|---|---|
| Low | Basic auth details still work on report (351555) | Information Disclosure | m7mdharoun | 4 days, 22 hours | 17 days, 21 hours | Resolved |
| High | Stored XSS in shop name @ lp.reverb.com | Cross-site Scripting (XSS) - Stored | sandeep_hodkasia | 0 days, 10 hours | 1 day, 0 hours | Resolved |
| Medium | Disclosure of all uploads to Cloudinary via hardcoded API secret in Android app | None supplied | bagipro | 0 days, 2 hours | 3 days, 19 hours | Resolved |
| Medium | XSS in main search; use class tag to imitate Reverb.com core functionality, create false login window | None supplied | kiyell | Not triaged | 1 day, 5 hours | Resolved |
| Medium | XSS in buying and selling pages, can create spoofed content (false login message) | Cross-site Scripting (XSS) - Reflected | kiyell | 1 day, 13 hours | 3 days, 4 hours | Resolved |
| High | Items bought for free due to lack of quantity controls | Business Logic Errors | nadino | 3 days, 17 hours | 2 days, 3 hours | Resolved |
| Low | Bypassing CSRF token on Reply Message & Send Message | None supplied | apapedulimu | 6 days, 12 hours | 0 days, 4 hours | Resolved |
| Medium | API token exposed in Reverb.com's public GitHub repository | Information Disclosure | albatraoz | Not triaged | 0 days, 7 hours | Resolved |
| High | Persistent XSS in https://sandbox.reverb.com/item/ | Cross-site Scripting (XSS) - Stored | bigshaq | 0 days, 17 hours | 2 days, 1 hour | Resolved |
| No rating | Possible blind writing to S3 bucket | Violation of Secure Design Principles | yaworsk | Not triaged | 0 days, 13 hours | Resolved |
| No rating | IDOR - Ability to view unlisted products | Violation of Secure Design Principles | yaworsk | 0 days, 12 hours | 1 day, 6 hours | Resolved |