Cuvva: Time-limit Bypassing, Rate-limit Bypassing and Spamming at https://ops.cuvva.co
Hello Cuvva secteam, hope you are well and safe. Summary: When trying to sign in at https://ops.cuvva.com: 1. There is no check whether the supplied email is valid before sending the login link. Note: the sent login links do not work, but this bug can be used for spamming any supplied email. 2. The time-limit...
Cuvva: CSRF on cuvva.insure allows an attacker to send multiple SMS to download the app without visiting the cuvva
Description: cuvva.co allows a user to send an app download link to his/her mobile number via SMS. But an attacker can abuse this system via cross-site request forgery and send SMS to any number of mobile numbers without even visiting the cuvva.com/cuvva.insure website. Reproduction Steps:...
Cuvva: Missing rate-limits at endpoints
This is similar to 230674, but it turns out we missed a key endpoint while fixing that one - the legacy POST /1/verificationtokensend used by older apps on our system. This has now been resolved. Thanks to @introvertmac for flagging this!...
Cuvva: IDOR spam anyone's cellphone number through Cuvva app link
Good afternoon, the following URL https://cuvva-alternate.app.link/ITHZI8FrKB?branchflowtype=deepviewtmta&branchflowid=397220061845644344&branchdesktopdeepviewtype=1 can be used to spam phone numbers remotely. Example POC: Send. After grabbing the form code, I can spam numbers from my desktop, I...
Cuvva: Missing Rate limiting on https://underwriter.partner.cuvva.com/login
Duplicate of 231380...
Cuvva: Subdomain take over oh-no.cuvva.co and ohno.cuvva.co
Cuvva has an old EV certificate which lists a very large number of subject alternative names (SANs), as listed below. These were included because we anticipated potentially wanting to use these hostnames in the future and it was free to add them. Very few of the hostnames actually exist, and those...
Cuvva: https://admin.corp.cuvva.co/ is vulnerable to Clickjacking attacks due to missing X-Frame-Options
Description: I found the resource at https://admin.corp.cuvva.co/, which can be vulnerable to Clickjacking. Impact: The resource without X-Frame-Options is potentially vulnerable to Clickjacking. The vulnerability exists only for authenticated users; possible UI redressing in the Dashboard...
Cuvva: cuvva.com website CSP "script-src" includes "unsafe-inline"
Hello Cuvva, reporting a low-profile risk: the "script-src" value should be considered best practice. The cuvva.com website https://cuvva.com has a Content-Security-Policy configured; the "script-src" parameter is set to "unsafe-inline", which allows injection of user-passed values, which as a result can ...
Cuvva: cuvva.com vulnerable to sweet32
To the Cuvva security team, I was going through your website and thought to look for the latest cryptographic issues, as the website uses SSL/TLS, i.e. HTTPS. Target: https:cuvva.com:443. So I quickly ran nmap with the ssl-enum script to look for a new vulnerability known as "SWEET32". Detail about...