Wakatime

Listed on HackerOne — Updated on 2019/10/15

Program statistics:

- reports in last 90 days
- 36 disclosed resolved issues
- 6 disclosed informative issues
- 1 disclosed N/A issue

| Severity | Bug Title | Bug Type | Found By | Report Info | Report Status |
|---|---|---|---|---|---|
| Low | Vulnerability Name: Host Header Injection Redirect | Open Redirect | jatingupta | Not triaged; time to close: 0 days 3 hours | Resolved |
| Medium | JSON CSRF on POST Heartbeats API | Cross-Site Request Forgery (CSRF) | sp1d3rs | Time to triage: 0 days 12 hours; time to close: 0 days 3 hours | Resolved |
| Low | [wakatime.com] HTML Injection github-btn.html | Cross-site Scripting (XSS) - DOM | bobrov | Time to triage: 0 days 19 hours; time to close: 14 days 0 hours | Resolved |
| None | SSH backdated version open port | Brute Force | noob-walid | Not triaged; time to close: 1 day 10 hours | Resolved |
| Low | Using an outdated version of OpenSSH on db01.wakatime.com | Information Disclosure | silv3rpoision | Time to triage: 1 day 12 hours; time to close: 82 days 20 hours | Resolved |
| Low | password token validation | Improper Authentication - Generic | flex0geek | Not triaged; time to close: 0 days 5 hours | Informative |
| Low | Can link to websites from profile | Improper Authentication - Generic | flex0geek | Not triaged; time to close: 0 days 20 hours | Informative |
| Low | Validation of Password reset tokens | Violation of Secure Design Principles | saikiran-10097 | Not triaged; time to close: 0 days 6 hours | Informative |
| Medium | Users with member privilege are able to see emails and membership information of other users | Information Disclosure | hackedbrain | Time to triage: 0 days 0 hours; time to close: 86 days 15 hours | Resolved |
| Low | Logout CSRF | Cross-Site Request Forgery (CSRF) | caesar302 | Not triaged; time to close: 0 days 0 hours | Duplicate |
| No rating | Impersonation of Wakatime user using Invitation functionality. | Violation of Secure Design Principles | asaxena2190 | Time to triage: 0 days 1 hour; time to close: 0 days 0 hours | Resolved |
| Medium | [Privilege Escalation] Authenticated users can manipulate others fullname without their knowledge | Privilege Escalation | axolotl | Time to triage: 0 days 10 hours; time to close: 27 days 17 hours | Resolved |
| Medium | [Privilege Escalation] Authenticated users can manipulate others fullname without their knowledge [Team Vector] | Privilege Escalation | axolotl | Time to triage: 0 days 2 hours; time to close: 20 days 22 hours | Resolved |
| Low | Failure to check password history | Weak Password Recovery Mechanism for Forgotten Password | c0d3fire | Not triaged; time to close: 0 days 0 hours | Not-applicable |
| Medium | Bypassing Access control, changing owner's name in a private leaderboard | Improper Access Control - Generic | tikoo_sahil | Time to triage: 0 days 15 hours; time to close: 27 days 15 hours | Resolved |
| No rating | Add arbitrary content to Password Reset Email | Code Injection | footstep | Not triaged; time to close: 0 days 1 hour | Resolved |
| Medium | Password reset links should expire after being used, instead of at specific time | Improper Authentication - Generic | silv3rpoision | Not triaged; time to close: 0 days 6 hours | Resolved |
| Low | Password token validation in https://wakatime.com/ | Improper Authentication - Generic | silv3rpoision | Not triaged; time to close: 0 days 14 hours | Resolved |
| Low | https://wakatime.com/ website CSP "script-src" includes "unsafe-inline" | Violation of Secure Design Principles | silv3rpoision | Time to triage: 0 days 13 hours; time to close: 22 days 23 hours | Resolved |
| Low | Unsafe Inline and Eval CSP Usage | Violation of Secure Design Principles | mr_r3boot | Time to triage: 0 days 17 hours; time to close: 22 days 21 hours | Resolved |
| No rating | No rate limit on creating private leaderboards. | None supplied | 3thic4l | Time to triage: 0 days 4 hours; time to close: 0 days 0 hours | Resolved |
| No rating | by pass rate limit exceed | Improper Access Control - Generic | abhiram | Time to triage: 0 days 5 hours; time to close: 2 days 14 hours | Resolved |
| No rating | Running 2 accounts with a single email | Business Logic Errors | atruba | Not triaged; time to close: 0 days 0 hours | Informative |
| Low | Password Policy Issue | Improper Authentication - Generic | gnost | Not triaged; time to close: 0 days 18 hours | Resolved |
| None | Blocking users to sign up on the site | Violation of Secure Design Principles | saikiran-10097 | Not triaged; time to close: 0 days 3 hours | Resolved |