Upserve


reports in last 90 days
12 disclosed resolved issues
1 disclosed informative issue
0 disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to triage | Time to close | Report Status |
|---|---|---|---|---|---|---|
| Medium | Reflected XSS on https://inventory.upserve.com/ (affects IE users only) | Cross-site Scripting (XSS) - Reflected | stealthy | 0 days and 6 hours | 14 days and 5 hours | Resolved |
| Critical | OLO total price manipulation using negative quantities | Business Logic Errors | fuzz | 0 days and 15 hours | 43 days and 1 hour | Resolved |
| High | DOM-based XSS via postMessage at https://inventory.upserve.com/login/ | Cross-site Scripting (XSS) - DOM | gamer7112 | 2 days and 12 hours | 2 days and 22 hours | Resolved |
| Medium | Insufficient validation of sides/modifiers quantity | Business Logic Errors | liquid8 | 0 days and 11 hours | 49 days and 23 hours | Resolved |
| Medium | Open redirect on https://hq-api.upserve.com/ | Open Redirect | sydpy | 2 days and 15 hours | 96 days and 8 hours | Resolved |
| Medium | Open redirect at https://inventory.upserve.com/http://google.com/ | Open Redirect | stankoja | 0 days and 10 hours | 14 days and 5 hours | Resolved |
| High | Ability to create own account UUID leads to stored XSS | Cross-site Scripting (XSS) - Stored | cache-money | 1 day and 6 hours | 27 days and 4 hours | Resolved |
| Critical | Ability to reset password for account | Improper Access Control - Generic | exadmin | 0 days and 18 hours | 0 days and 22 hours | Resolved |
| Low | [theacademy.upserve.com] Reflected XSS in query string | Cross-site Scripting (XSS) - Reflected | bobrov | 1 day and 2 hours | 6 days and 0 hours | Resolved |
| Low | Reflected XSS on theacademy.upserve.com | Cross-site Scripting (XSS) - Reflected | naasha | 0 days and 19 hours | 0 days and 0 hours | Resolved |
| High | Blind stored XSS in demo form | Cross-site Scripting (XSS) - Stored | paresh_parmar | 27 days and 5 hours | 5 days and 1 hour | Resolved |
| Low | reports.breadcrumb.com is vulnerable to arbitrary file existence disclosure (CVE-2014-7829) | Information Disclosure | s3curityb3ast | 0 days and 19 hours | 3 days and 6 hours | Resolved |
| Medium | Information disclosure through search engines (password reset token) | Information Disclosure | nitesculucian | Issue was not triaged | 4 days and 22 hours | Informative |