
98 matches found

Hacker One
added 2016/09/01 10:24 p.m., 15 views

Mapbox: target="_blank" Vulnerability Resulting in Critical Phishing Vector

Description I have a script running on my server which gives me full control over a visitor's window object. This allows me to replace the user's legitimate mapbox.com session with my own Mapbox phishing form not live. As you can see from the proof-of-concept video below, this vulnerability works...

0.5 AI score
Exploits: 0

Hacker One
added 2016/08/11 1:7 p.m., 13 views

Mapbox: Blind XSS in mapbox.com/contact

@sahilsaif reported a stored blind XSS issue on www.mapbox.com/contact. To fix the issue we escaped user provided message content before sending to our middleware server...

1.5 AI score
Exploits: 0

Packet Storm
added 2016/06/08 12:0 a.m., 45 views

Mapbox Filter Bypass / Script Insertion

Document Title: Mapbox API - Filter Bypass & Persistent Vulnerability | References (Source): http://www.vulnerability-lab.com/getcontent.php?id=1787 | ID: 119802 | Release Date: 2016-06-06 | Vulnerability Laboratory ID (VL-ID):...

0.1 AI score
Exploits: 0

Vulnerability Lab
added 2016/06/06 12:0 a.m., 58 views

Mapbox (API) - Filter Bypass & Persistent Vulnerability

Document Title: Mapbox API - Filter Bypass & Persistent Vulnerability | References (Source): http://www.vulnerability-lab.com/getcontent.php?id=1787 | ID: 119802 | Release Date: 2016-06-06 | Vulnerability Laboratory ID (VL-ID):...

7.1 AI score
Exploits: 0

Hacker One
added 2016/06/05 8:23 p.m., 10 views

Mapbox: XSS on www.mapbox.com/authorize/ because of open redirect at /core/oauth/auth

Description --- When you load the endpoint https://www.mapbox.com/authorize/ a GET request is made to the endpoint https://www.mapbox.com/core/oauth/auth with the parameters passed in the request to https://www.mapbox.com/authorize/. If you only send the parameter redirecturi in the request to...

6.9 AI score
Exploits: 0

Hacker One
added 2016/06/05 6:0 p.m., 12 views

Mapbox: XSS on www.mapbox.com/authorize

Description --- When you don't include the parameter clientid in the request to the endpoint at https://www.mapbox.com/authorize/, the template template-modal-unauthorized included in the client code of the endpoint is rendered with the value of the parameter redirecturi sent in the request witho...

7 AI score
Exploits: 0

Vulnerability Lab
added 2016/06/05 12:0 a.m., 49 views

Mapbox (API) - Filter Bypass & Persistent Vulnerability

Document Title: Mapbox API - Filter Bypass & Persistent Vulnerability | References (Source): http://www.vulnerability-lab.com/getcontent.php?id=1787 | ID: 119802 | Release Date: 2016-06-05 | Vulnerability Laboratory ID (VL-ID):...

7.4 AI score
Exploits: 0

Hacker One
added 2016/05/04 2:35 p.m., 14 views

Mapbox: Denial of service in account statistics endpoint

Hi Mapbox, I know that your guidelines explicitly say that Denial of Service conditions are not in scope and should not be attempted, but I maintained the testing between adequate parameters so as to not to create excessive load on your backend. I also sent an email to [email protected] prior ...

7 AI score
Exploits: 0

Hacker One
added 2016/04/28 4:2 p.m., 15 views

Mapbox: Reflected cross-site scripting (XSS) on api.tiles.mapbox.com

There is a reflective XSS vulnerability in the accesstoken param found in the page.html at api.tiles.mapbox.com A proof of concept link:...

0.6 AI score
Exploits: 0

Hacker One
added 2016/03/23 12:33 p.m., 35 views

Mapbox: XSS (cross-site scripting) on www.mapbox.com/maki

Hi there, There is an XSS that allows to inject code through the variable window.name. I had found it two weeks ago but like I told you in the email I was unable to submit you the report. PoC: window.open"https://www.mapbox.com/maki/", "alertdocument.cookie"; This is due to the print of the value...

6.5 AI score
Exploits: 0

Hacker One
added 2016/03/10 2:9 p.m., 197 views

Mapbox: Mapbox API Access Token with No Scope Can Read Styles

HI I created one api token with 0 scope. Then I sent the following request to server GET /styles/v1/katilthe?accesstoken=pk.eyJ1Ijoia2F0aWx0aGUiLCJhIjoiY2lsbWJwcWpjNjhmNnZubWNhYXdwZm5obyJ9.2cPnaIiXcFnDRFMfrD1TRw HTTP/1.1 Host: api.mapbox.com User-Agent: Mozilla/5.0 Windows NT 6.3; WOW64; rv:44.0...

0.5 AI score
Exploits: 0

Hacker One
added 2016/02/03 11:51 p.m., 24 views

Mapbox: Content Spoofing and Local Redirect in Mapbox Studio

Hi I'm Found Bug It is Possible To Send His message Directly Through URL and Redirect Local . Details When you go to :- https://www.mapbox.com/studio/admin/ website redirect to https://www.mapbox.com/studio/forbidden/?message=Sorry,only admins allowed here.&redirect=/studio/&path=/studio/admin/ Y...

7 AI score
Exploits: 0

Hacker One
added 2015/11/12 9:51 a.m., 25 views

Mapbox: XSS in L.mapbox.shareControl in mapbox.js

Hi Mapbox I've found a xss vulnerability on mapbox sharing system. I've a project called with "'"alert1;""onmouseover="confirm2;"-- " than click it and copy the share URL and go to URL than click the the marked area than you will see the vulnerability...

4.3 CVSS | 0.7 AI score | 0.00935 EPSS
Exploits: 1

Hacker One
added 2015/07/11 9:51 a.m., 31 views

Mapbox: Disclosure of map information

In July 2015, @hussain submitted a report where a GET request to an internal API endpoint /core/api/Map disclosed details of public maps in a Mapbox user's account. The disclosed information included the name, description, map identifier, geographic center, map layers, date created, and date last...

Exploits: 0

Hacker One
added 2015/06/01 6:54 p.m., 16 views

Mapbox: Stored Cross-Site Scripting in Map Share Page

Hi Team Mapbox Security This is Copy From message email ‫[email protected]‬ intro. I'm Hussain Adnan Researcher Security, Iam Have Found Vulnerability Bug in form project profile Map Type Vulnerability : Cross-Site Scripting Stored - Reflected Affected Domain : Affected Domain : mapbox.com -...

6.7 AI score
Exploits: 0

Hacker One
added 2015/04/02 12:56 a.m., 37 views

Mapbox: Persistent cross-site scripting (XSS) in map attribution

Hello, I have found a Persistent Cross Site Scripting vulnerability when using a custom style uploaded by myself. Mapbox Studio allows create and upload styles for your maps. So if we create a new style with javascript code as attribution value it will be executed when loading a map that uses our...

4.3 CVSS | 6.2 AI score | 0.00932 EPSS
Exploits: 1

Hacker One
added 2015/03/28 4:16 a.m., 13 views

Mapbox: Stored xss in editor

On March 28th, 2015 @sahilsaif reported an issue with stored XSS in Mapbox Editor www.mapbox.com/editor. We deployed a fix for this issue on March 30th, 2015. On March 28th, 2015, I found a Stored XSS in Mapbox Editor. Which was hosted on https://mapbox.com/editor Mapbox Editor is now deprecated...

5.8 AI score
Exploits: 0

Hacker One
added 2015/03/26 3:32 p.m., 18 views

Mapbox: Logging a user into attacker's account using password reset link

On March 26th, 2015 @shahmeer-amir reported an issue with the password reset flow for www.mapbox.com that required social engineering to exploit. We patched the issue and awarded a bounty on April 7th, 2015. Please note that this was not related to denial of service or the institution of an accou...

6.8 AI score
Exploits: 0