Harvest: Cookie Injection at 'harvestapp.com'
Hello guys, Details: Well, initially I was testing for CRLF (Carriage Return Line Feed) Injection, but as it turned out, I was able to inject a cookie without CRLF, just via a value in the HTTP request. PoC: An attacker is able to inject a new cookie from any application place, e.g...
Harvest: Unrestricted View to People’s Web Invoices Data without knowing the Unique Hash
Dear Harvest Security Team, To be honest, it's really hard for me to report this issue without trying to see other users' data, because from my point of view, this is an issue at the session of the HarvestApp that has already been picked up by Google Bot. What I would like to say is, I can't prove yet the iss...
Harvest: User enumeration is possible by cycling through the recurring[client_id] argument value.
Details: An attacker can enumerate the names of companies on your site by going to the URL https://harvesterxxx.harvestapp.com/recurringinvoices/new?utf8=%E2%9C%93&recurringclientid=4677449&newclientname= and cycling through the numerical value of the recurringclientid= argument, which will view...