Reports in the Stripo Inc program:

S.No Title Bounty
1 SSRF in /cabinet/stripeapi/v1/siteInfoLookup?url=XXX $0.0
2 Able to change password by entering wrong old password $0.0
3 Redirection through referer tag $0.0
4 Bypass email verification and create email template with the editor $0.0
5 OLD SESSION DOES NOT EXPIRE AFTER PASSWORD CHANGE $0.0
6 Password token leak via Host header $0.0
7 No length on password $0.0
8 subdomain takeover at status0.stripo.email $0.0
9 stripo.email reflected xss $0.0
10 Clickjacking on my.stripo.email for MailChimp credentials $0.0
11 Information disclosure through Server side resource forgery $0.0
12 subdomain takeover at status-stage0.stripo.email $0.0
13 stripo blog search SQL Injection $0.0
14 Open memory dump method leaking customer information, secret keys, passwords, source code & admin accounts $0.0
15 Stored XSS in template comments. $0.0
16 Tabnabbing in template comments - stripo.email $0.0
17 CSRF - Modify Project Settings $0.0
18 Improper Authorization $0.0
19 my.stripo.emai email verification bypassed and also create email templates $0.0
20 No Rate Limiting on /reset-password-request/ endpoint $0.0
21 Authorization for wp-admin directory is vulnerable to brute force. $0.0
22 Able to download any hosted content on AWS S3 bucket(stripo) $0.0
23 csrf bypass using flash file + 307 redirect method at plugins endpoint $0.0
24 SSRF & unrestricted file upload on https://my.stripo.email/ $0.0
25 Email verification bypass $0.0
26 SSRF leads to internal port scan $0.0
27 Blind SSRF while Creating Templates $0.0
28 Stored XSS on https://my.stripo.email/ (multiple inputs) $0.0
29 XSRF Token is Not being validated when sending emails test request which lead to CSRF attack using the flash file + 307 redirect technique $0.0
30 HTTP Request Smuggling on my.stripo.email $0.0
31 SSRF in Export template to ActiveCampaign $0.0
32 Unrestricted File Upload on https://my.stripo.email and https://stripo.email $0.0
33 [www.stripo.email] You can override the speed limit by adding the X-Forwarded-For header. $0.0
34 CORS on my.stripo.email $0.0
35 [www.stripo.email] There is no rate limit for contact-us endpoints $0.0
36 SSRF in my.stripo.email $0.0
37 [www.stripo.email] You can bypass the speed limit by changing the IP. $0.0
38 multiple email usage -my.stripo.email- $0.0
39 [www.stripo.email] There is no rate limit for /it/contact-us/ endpoints $0.0
40 SSRF via Export Service in ActiveCampaign $0.0
41 Integer Overflow (CVE-2017-7529) $0.0
42 Cross-Site WebSocket Hijacking Leads to Stealing XSRF-TOKEN $0.0
43 No CSRF Protection in Resend Confirmation Email feature leads to Sending Unwanted Email in Victim's Inbox without knowing Victim's email address $0.0
44 Public and secret api key leaked in JavaScript source $0.0
45 SSL cookie without secure flag set $0.0
46 Weak password policy in signup password leak to account takeover $0.0
47 Race condition on my.stripo.email at /cabinet/stripeapi/v1/projects/298427/emails/folders uri $0.0
48 No rate limiting for subscribe email + leads to cross-origin misconfiguration $0.0
49 Non-revoked API Key Disclosure in a Disclosed API Key Disclosure Report on Stripo $0.0
50 SSRF external interaction $0.0
51 No rate limiting for confirmation email leads to huge mass mailings $0.0
52 Permanent DOS for new users! $0.0
53 Stored XSS at Template Editor in "Section Name" Field of Block element 'Accordion'. $0.0
54 Stored XSS at "Conditions" through "My Custom Rule" Field at [https://my.stripo.email/cabinet/#/template-editor/] in Template Editor. $0.0
55 No rate limiting - Create Plug-ins $0.0
56 No rate limiting - Create data $0.0
57 No rate limit in email subscription $0.0
58 Bypass of #1047119: Missing Rate Limit while creating Plug-Ins at https://my.stripo.email/cabinet/plugins/ $0.0
59 Able to use 'PREMIUM TEMPLATES' in 'FREE PLAN' at [https://my.stripo.email/cabinet/#/my-templates/] $0.0
60 Memory Dump and Env Disclosure via Spring Boot Actuator $0.0
61 Stored XSS in the banner block description $0.0
62 Stored XSS at Module Name $0.0
63 Bypassing Content-Security-Policy leads to open-redirect and iframe xss $0.0
64 Ability to use premium templates as free user via https://stripo.email/templates/?utm_source=viewstripo&utm_medium=referral $0.0
65 Insecure Storage and Overly Permissive API Keys $0.0
66 Upload Profile Photo in any folder you want with any extension you want $0.0
67 Non-revoked API Key Information disclosure via Stripo_report() $0.0
68 Non-revoked API Key Disclosure in a Disclosed API Key Disclosure Report on Stripo $0.0
69 [demo.stripo.email] HTTP Request Smuggling $0.0
70 [SSRF] my.stripo.email via the setup-wizard parameter $0.0