Reports in the Weblate program (all listed bounties are $0.0):

S.No  Title  Bounty
1  Web server is vulnerable to BEAST attack  $0.0
2  CSRF to connect third-party account  $0.0
3  Account takeover using third-party auth CSRF  $0.0
4  Improper access control when an added email address is deleted from authentication  $0.0
5  Full path disclosure at hosted.weblate.org/admin/accounts/profile/  $0.0
6  No rate limiting at change password  $0.0
7  Email verification over an unencrypted channel  $0.0
8  No password length restriction leads to denial of service  $0.0
9  Improper password reset policy on https://hosted.weblate.org/  $0.0
10  demo.weblate.org is vulnerable to SWEET32  $0.0
11  Open redirect in signing in via social sites  $0.0
12  [hosted.weblate.org] Account takeover  $0.0
13  Content spoofing  $0.0
14  Registration captcha bypass  $0.0
15  Login using disconnected Google account (i.e. login using old email id)  $0.0
16  Insecure account removal  $0.0
17  Open redirect via "next" parameter in third-party authentication  $0.0
18  Activation tokens are not expiring  $0.0
19  CSV injection with the CSV export feature - Glossary  $0.0
20  Specify maximal length in translation  $0.0
21  [demo.weblate.org] Stored self-XSS via editor link in profile  $0.0
22  Logout CSRF  $0.0
23  hosted.weblate.org: X-XSS-Protection not enabled  $0.0
24  weblate.org: X-XSS-Protection not enabled  $0.0
25  Specify maximal length in new comment  $0.0
26  Content spoofing  $0.0
27  Abuse of API that causes spamming users and possible DoS due to missing rate limit  $0.0
28  Abuse of API that causes spamming users and possible DoS due to missing rate limit on contact form  $0.0
29  Missing DMARC on weblate.org  $0.0
30  No expiration of session ID after password change  $0.0
31  Content spoofing in error message  $0.0
32  Already registered email disclosure  $0.0
33  CSV export filter bypass leads to formula injection  $0.0
34  Spamming any user from reset password function  $0.0
35  User enumeration when adding email to account  $0.0
36  Rate limit bypass on login page  $0.0
37  Session ID missing Secure flag - hosted website  $0.0
38  Self-XSS at translation page through editor link at demo.weblate.org  $0.0
39  Weak email change functionality could lead to account takeover  $0.0
40  CSRF: lock and unlock translation  $0.0
41  CSV injection with the CSV export feature  $0.0
42  CSRF: reset API key  $0.0
43  No brute-force protection  $0.0
44  Notify user about password change  $0.0
45  Missing restriction on string size of full name at https://demo.weblate.org/accounts/register/  $0.0
46  HttpOnly flag not set  $0.0
47  Running 2 accounts with a single email  $0.0
48  Setting a password with a single character  $0.0
49  Access to completion page without performing any action  $0.0
50  Null password - setting a new password doesn't check for empty spaces  $0.0
51  Passwords as weak as 123456 are accepted  $0.0
52  Open SMTP port can let anyone send email from mail.chihar.com  $0.0
53  OPTIONS method enabled  $0.0
54  Missing filtering of meta characters in full name field on registration page https://demo.weblate.org/accounts/register  $0.0
55  CSP "script-src" includes "unsafe-inline" on weblate.org and demo.weblate.org  $0.0
56  No rate limiting at /contact  $0.0
57  Login CSRF: login authentication flaw  $0.0
58  Self-XSS can be achieved in the editor link using filter bypass  $0.0
59  No notification sent by email after account deletion  $0.0
60  Design flaw in session management of password reset  $0.0
61  API does not apply access controls to translations  $0.0
62  Uploaded XLF files result in external entity execution  $0.0
63  CSRF bypass (delete source translation from dictionaries) in demo.weblate.org  $0.0
64  Information disclosure on demo.weblate.org  $0.0
65  Captcha bypass at email reset can lead to spamming users  $0.0
66  CSRF - changing the full name / adding a secondary email identity of an account via a GET request  $0.0
67  Missing restriction on string size  $0.0
68  Old password can be new password  $0.0
69  Weblate - banner grabbing - Nginx server version  $0.0
70  Clickjacking on docs.weblate.org  $0.0
71  Open redirect while disconnecting authenticated account  $0.0
72  Open redirect while disconnecting email  $0.0
73  Takeover of an account via reset password options after removing the account  $0.0
74  Facebook share URL should be HTTPS  $0.0
75  7BO: Binary Option Robot URL should be HTTPS  $0.0
76  Clickjacking on Debug  $0.0
77  Incorrect HTTPS certificate  $0.0
78  Email spoofing at weblate.org  $0.0
79  Directory listing  $0.0
80  Existing sessions valid after removing third-party auth  $0.0
81  Improper validation of Unicode characters  $0.0
82  Password token validation in https://demo.weblate.org/  $0.0
83  Adding email lacks password validation  $0.0
84  Captcha bypass at registration  $0.0
85  Weblate | Security misconfiguration | Method enumeration possible on domain  $0.0
86  Rate limit issue on hosted.weblate.org  $0.0
87  Bypassing captcha in registration on hosted site  $0.0
88  Invalidate session after password reset - hosted website  $0.0
89  No filtering of null characters in name field  $0.0
90  The username of an account can be ..  $0.0
91  Error message when changing username  $0.0
92  CSRF in watch/unwatch projects  $0.0
93  Weak password policy  $0.0
94  Improper validation of Unicode characters  $0.0
95  Password restriction  $0.0
96  Improper validation of Unicode characters still not fixed  $0.0
97  Improper validation of Unicode characters still not fixed #2  $0.0
98  Improper validation of Unicode characters #3  $0.0
99  Password token validation in Weblate bypass  $0.0
100  Password token validation in Weblate bypass #2  $0.0
101  Previous password could be set as new password  $0.0
102  Persistence of third-party association  $0.0
103  No rate limitation on regenerate API key  $0.0
104  Full name overwrite on third-party login  $0.0
105  Reset password more than once with a reset link  $0.0
106  [debian.weblate.org] Missing SPF record  $0.0
107  Improper cookie expiration | cookie expiration set to future  $0.0
108  No rate limit or captcha to identify humans  $0.0
109  Missing restriction on string size  $0.0
110  DKIM records not present, email hijacking is possible  $0.0
111  Add another email address without verification  $0.0
112  Application allowing old password to be set as new password | hosted.weblate.org  $0.0
113  Reset password more than once with a reset link #2  $0.0
114  Running 2 accounts with a single email [Part 2]  $0.0
115  Improper validation of Unicode characters  $0.0
116  DNSSEC zone walk using NSEC records  $0.0
117  Running 2 accounts with a single email #3  $0.0
118  Account restore / reactivating an old email via old reset link  $0.0
119  Insecure account removal #2  $0.0
120  Audit log validation  $0.0
121  Tabnabbing via window.opener  $0.0
122  Open port leads to information disclosure  $0.0
123  Broken authentication - session token bug  $0.0
124  Browser self-XSS protection not implemented  $0.0
125  No notification sent to the victim if an attacker accesses the victim's Weblate account  $0.0
126  Flood of comments: no rate limit on comments (bypassed by using a different User-Agent)  $0.0
127  Flood of email: no rate limit on delete-account confirmation email  $0.0
128  No rate limit on add new word  $0.0
129  No rate limit on add suggestion  $0.0
130  Stored XSS @ /engage/<project_slug>  $0.0
131  Stored XSS via create project (add new translation project)  $0.0
132  HTML injection and information disclosure in support panel  $0.0
133  No captcha on user registration and weak question; attacker can spam email  $0.0
134  SECRET_KEY in GitHub  $0.0
135  Improper validation of Unicode characters #2  $0.0
136  Open GitHub repo leaking Weblate SECRET_KEY  $0.0
137  Sending an empty CSRF token logs out the user on [https://hosted.weblate.org/accounts/profile]  $0.0
138  Reset password cookie leads to account takeover  $0.0
139  Race condition allows getting more free trials and more than 100 languages and strings for free  $0.0
140  No rate limit on add new translation project  $0.0
141  hosted.weblate.org display of unfiltered results  $0.0
142  No rate limiting for remove account leads to huge mass mailings  $0.0
143  Testing flow includes a DeepSource secret  $0.0
144  CSRF with logout action  $0.0
145  Logging in without knowing credentials after logout action  $0.0
146  Information disclosure  $0.0