47 matches found
Stripo Inc: Public and secret api key leaked in JavaScript source
Summary: Summary the vulnerabilities I am surfing on the stripo website. I found a sensitive data including authentication key written in public accessible javascript file. URL Vulnerability https://staging.empleio.stripo.email/main.c1965c58f39a0f4aadc3.js Steps To Reproduce: Open...
Stripo Inc: multiple email usage -my.stripo.email-
I first went to the "my.stripo.emai" view and registered with my google account. Then I entered the profile. I have replaced my email with an email that is not registered with your google account.I received a verification message on the email I changed. The button was not clicked. I copied it by...
Stripo Inc: [www.stripo.email] You can bypass the speed limit by changing the IP.
You can bypass the speed limit by changing the IP Login page Bypass the speed limit...
Stripo Inc: Integer Overflow (CVE_2017_7529)
Integer Overflow - The issue affects nginx 0.5.6 - 1.13.2...
Stripo Inc: [www.stripo.email] There is no rate limit for /it/contact-us/ endpoints
The speed limit for the https://stripo.email/it/contact-us endpoint has not been implemented...
Stripo Inc: [www.stripo.email] There is no rate limit for contact-us endpoints
Summary The speed limit for the https://stripo.email/es/contact-us endpoint has not been implemented. Steps To Reproduce 1. Go to the https://stripo.email/es/contact-us 2. Turn on blocking and fill out the contact form 3. Send request to Intruder. 4. Set your payloads and start attack. 5. There i...
Stripo Inc: [www.stripo.email] You can override the speed limit by adding the X-Forwarded-For header.
Summary In https://stripo.email/template-order I think you have implemented rate limiting via 429 status code for too many requests, but in reality it is not. An attacker could bypass the 429 speed limit by adding an X-Forwarded-For header. Steps To Reproduce 1. Go to the...
Stripo Inc: SSRF via Export Service in ActiveCampaign
SSRF with ActiveCampaign...
Stripo Inc: Unrestricted File Upload on https://my.stripo.email and https://stripo.email
Hi Stripo Inc, I found 2 Unrestricted File Upload Vulnerabilities on your website. First Vulnerability: Step to Reproduce 1. Create an account in "https://my.stripo.email" 2. Simply Download a php shell from internet and open with text editor. ex: r57 shell 3. Then save it as JPEG file. 4. Go bac...
Stripo Inc: Blind SSRF while Creating Templates
Blind SSRF While Creating Email Templates...
Stripo Inc: XSRF Token is Not being validated when sending emails test request which lead to CSRF attack using the flash file + 307 redirect technique
XSRF Token is Not being validated when sending emails test request which lead to CSRF attack using the flash file + 307 redirect technique...
Stripo Inc: Strored Xss on https://my.stripo.email/ ( multiple inputs)
Stored Xss in multiples parameters...
Stripo Inc: Authorization for wp-admin directory are vulnerable to brute force.
The domain https://my.stripo.email in the directory /wp-admin are not blocking amount of request in the authorization form, this leads to bruteforce attack. Where the attacker are able to guess tons of passwords without getting blocked or the password field gets locked. This attack make it possib...
Stripo Inc: Open memory dump method leaking customer information ,secret keys , password , source code & admin accounts
Summary: Stripo uses Spring boot for the backend API development , and misconfigured the application to open actuator APIs to the public. This issue is found in 3 domains , don't know if I need to publish 3 reports for that, or just one report , but the domains are :...
Stripo Inc: csrf bypass using flash file + 307 redirect method at plugins endpoint
Hi Security team, i have found that the request sent to https://my.stripo.email/cabinet/stripeapi/v1/plugin/$userid$/plugins don't have any protection against csrf attacks as the server only validates that the content type is application/json and this can be bypassed using the flash file + 307...
Stripo Inc: my.stripo.emai email verification bypassed and also create email templates
Summary: According to the Stripo.emai When the new user sign up Stripo.email allow to create email templates after the verification of the email of Your stripo account. Until your email get verified You are not able to create a email templates in your acc. User need to verified their email...
Stripo Inc: Email verification bypasa
Email verification bypass: after finishing the registration user need to verify the email address, this can be bypased while loggin in to the account...
Stripo Inc: stripo blog search SQL Injection
Summary: Sql injection of search parameters at blog search request Steps To Reproduce: 1. request https://stripo.email/blog/search/ 2. input search 1' AND SELECT 6268 FROM SELECTSLEEP5ghXo AND 'IKlK'='IKlK 3. See a very large response delay Supporting Material/References: See attached screenshot...
Stripo Inc: Tabnabbing in template comments - stripo.email
Tabnabbing - template comments on stripo.email Tabnabbing - template comments on stripo.email...
Stripo Inc: Upload Profile Photo in any folder you want with any extension you want
Summary: There exists a vulnerability in Stripo as a result of which an attacker can upload his/her profile photo in any folder he/she wants, with any file extension he/she wants. I also checked whether it could lead to code execution or directory traversal by modifying the values in the request,...