Reports in kartpay program:

| S.No | Title | Bounty |
|------|-------|--------|
| 1 | Error Page Content Spoofing or Text Injection [https://vpn.kartpay.com/] | $0.0 |
| 2 | Captcha protection Bypass on Forgot password page | $0.0 |
| 3 | Application Design issue for Phone Number field in Registration. | $0.0 |
| 4 | XSS in https://merchant.kartpay.com/settlements | $0.0 |
| 5 | Reflected XSS on https://merchant.kartpay.com/payment_settings [status] | $0.0 |
| 6 | SMTP Failure Leads to Chain of Internal System Failure | $0.0 |
| 7 | Application Error disclosure, Verification token seen error and user able to change password | $0.0 |
| 8 | Option method enabled in kartpay Webservers | $0.0 |
| 9 | URL redirection | $0.0 |
| 10 | Bypass _token in forms [Merchant.Kartpay.com] | $0.0 |
| 11 | Referer issue in Kartpay.com | $0.0 |
| 12 | bypass captcha in the form forgot password | $0.0 |
| 13 | Admin/Info leakage | $0.0 |
| 14 | Being able to change account contents even after password change | $0.0 |
| 15 | Misconfiguration of Merchant id in jwt header + Weird Debug mode enabling behavior leads to exposed OTP of mobile number. | $0.0 |
| 16 | Disclosure of Merchant_id into the source code without entered OTP code leads to Victims MID takeover. | $0.0 |
| 17 | Duplicate Entry of email leads to 500 Server Error which disclosing the SQL Database table information | $0.0 |
| 18 | Host Header Injection | $0.0 |
| 19 | Full Path Disclosure of Server through 500 Server Error | $0.0 |