13 matches found
Omise: PII Exposure via Email Confirmation Link – Email Embedded in Token & Leaked via Wayback Machine
The vulnerability involved the exposure of personally identifiable information (PII), specifically email addresses, through an email confirmation link used by Omise. The email address was embedded directly in a token that was visible in the URL. This token was subsequently archived by the Wayback...
Malicious code in omise-woocommerce (npm)
Source: ghsa-malware (978dcc95cfdc2a3984742e165589b781c4f082929c56916182c817d9e30f08ec) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-4650 Malicious code in omise-woocommerce (npm)
Source: ghsa-malware (978dcc95cfdc2a3984742e165589b781c4f082929c56916182c817d9e30f08ec) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in omise-example (npm)
Source: ghsa-malware (bd9b3fdf30ee1fe797c8e5dae15567ab22d58f003ac1d570f2b6655af66dd5a8) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2024-9427 Malicious code in omise-example (npm)
Source: ghsa-malware (bd9b3fdf30ee1fe797c8e5dae15567ab22d58f003ac1d570f2b6655af66dd5a8) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Omise: IDOR Payments Status
Summary: An IDOR weakness was found in the payment status function. While doing the experiment, I managed to see the payment status of another account. The following is the POC of the experiments carried out. Steps To Reproduce: 1. GET /payments/paymtestxxxx/status HTTP/2 Host: api.omise.co Sec-Ch-Ua...
Omise: Open redirect Via X-Forwarded-Host
The vulnerability found involved an open redirect issue on the dashboard.omise.co website. The issue was reported on February 8, 2022, where it was discovered that the open redirect could be abused by the attacker through the use of the X-Forwarded-Host header...
Omise: Brute force attack of current password on login page by bypassing account limit using IP rotator (https://dashboard.omise.co/signin)
brute force...
Omise: Race condition on action: Invite members to a team
Summary: Hello there, I've found a race condition vulnerability which allows the invitation of the same member multiple times to a single team via the dashboard. Tools needed: Burp Suite community edition with the extension Turbo Intruder. This is the way I adopted to detect such vulnerability,...
Omise: ████.
input validation...
Omise: assets/vendor.js file exposing sentry.io token and DNS and application id
Information Disclosure in JavaScript file...
Omise: Authenticity token doesn't expire after single use leading to CSRF
Summary: Once you said that you use the Ruby framework for making the authenticity-token, which acts as a CSRF protection. You also sent me this to help me understand https://medium.com/rubyinside/a-deep-dive-into-csrf-protection-in-rails-19fa0a42c0ef . After finding, I found that an authenticity-token c...
Omise: Open Redirect
Open Redirect Vulnerability URL: https://www.omise.co////bing.com/?www.omise.co/?category=interview&page=2 Parameter Type: URL Rewrite Attack Pattern: %2f%2f%2fr87.com%2f%3fwww.omise.co%2f How to Reproduce 1. Intercept the below url using Burpsuite & send it to repeater...