Lucene search
+L

47 matches found

hackerone
hackerone
added 2020/09/16 10:26 a.m.114 views

Stripo Inc: Public and secret api key leaked in JavaScript source

Summary: Summary the vulnerabilities I am surfing on the stripo website. I found a sensitive data including authentication key written in public accessible javascript file. URL Vulnerability https://staging.empleio.stripo.email/main.c1965c58f39a0f4aadc3.js Steps To Reproduce: Open...

7.1AI score
Exploits0
hackerone
hackerone
added 2020/05/29 8:5 p.m.16 views

Stripo Inc: multiple email usage -my.stripo.email-

I first went to the "my.stripo.emai" view and registered with my google account. Then I entered the profile. I have replaced my email with an email that is not registered with your google account.I received a verification message on the email I changed. The button was not clicked. I copied it by...

3.8AI score
Exploits0
hackerone
hackerone
added 2020/05/23 7:57 a.m.16 views

Stripo Inc: [www.stripo.email] You can bypass the speed limit by changing the IP.

You can bypass the speed limit by changing the IP Login page Bypass the speed limit...

1AI score
Exploits0
hackerone
hackerone
added 2020/05/16 10:40 p.m.77 views

Stripo Inc: Integer Overflow (CVE_2017_7529)

Integer Overflow - The issue affects nginx 0.5.6 - 1.13.2...

5CVSS3.8AI score0.62597EPSS
Exploits6
hackerone
hackerone
added 2020/04/22 2:12 p.m.16 views

Stripo Inc: [www.stripo.email] There is no rate limit for /it/contact-us/ endpoints

The speed limit for the https://stripo.email/it/contact-us endpoint has not been implemented...

0.4AI score
Exploits0
hackerone
hackerone
added 2020/04/22 2:4 p.m.76 views

Stripo Inc: [www.stripo.email] There is no rate limit for contact-us endpoints

Summary The speed limit for the https://stripo.email/es/contact-us endpoint has not been implemented. Steps To Reproduce 1. Go to the https://stripo.email/es/contact-us 2. Turn on blocking and fill out the contact form 3. Send request to Intruder. 4. Set your payloads and start attack. 5. There i...

0.1AI score
Exploits0
hackerone
hackerone
added 2020/04/21 12:41 p.m.56 views

Stripo Inc: [www.stripo.email] You can override the speed limit by adding the X-Forwarded-For header.

Summary In https://stripo.email/template-order I think you have implemented rate limiting via 429 status code for too many requests, but in reality it is not. An attacker could bypass the 429 speed limit by adding an X-Forwarded-For header. Steps To Reproduce 1. Go to the...

0.3AI score
Exploits0
hackerone
hackerone
added 2020/04/11 6:3 a.m.15 views

Stripo Inc: SSRF via Export Service in ActiveCampaign

SSRF with ActiveCampaign...

4.1AI score
Exploits0
hackerone
hackerone
added 2020/03/18 3:55 p.m.107 views

Stripo Inc: Unrestricted File Upload on https://my.stripo.email and https://stripo.email

Hi Stripo Inc, I found 2 Unrestricted File Upload Vulnerabilities on your website. First Vulnerability: Step to Reproduce 1. Create an account in "https://my.stripo.email" 2. Simply Download a php shell from internet and open with text editor. ex: r57 shell 3. Then save it as JPEG file. 4. Go bac...

6.4AI score
Exploits0
hackerone
hackerone
added 2020/02/20 3:58 p.m.128 views

Stripo Inc: Blind SSRF while Creating Templates

Blind SSRF While Creating Email Templates...

1.7AI score
Exploits0
hackerone
hackerone
added 2020/02/19 3:54 p.m.69 views

Stripo Inc: XSRF Token is Not being validated when sending emails test request which lead to CSRF attack using the flash file + 307 redirect technique

XSRF Token is Not being validated when sending emails test request which lead to CSRF attack using the flash file + 307 redirect technique...

1.4AI score
Exploits0
hackerone
hackerone
added 2020/02/05 5:35 p.m.28 views

Stripo Inc: Strored Xss on https://my.stripo.email/ ( multiple inputs)

Stored Xss in multiples parameters...

0.9AI score
Exploits0
hackerone
hackerone
added 2020/02/03 6:44 p.m.95 views

Stripo Inc: Authorization for wp-admin directory are vulnerable to brute force.

The domain https://my.stripo.email in the directory /wp-admin are not blocking amount of request in the authorization form, this leads to bruteforce attack. Where the attacker are able to guess tons of passwords without getting blocked or the password field gets locked. This attack make it possib...

7.6AI score
Exploits0
hackerone
hackerone
added 2020/01/25 9:57 p.m.604 views

Stripo Inc: Open memory dump method leaking customer information ,secret keys , password , source code & admin accounts

Summary: Stripo uses Spring boot for the backend API development , and misconfigured the application to open actuator APIs to the public. This issue is found in 3 domains , don't know if I need to publish 3 reports for that, or just one report , but the domains are :...

6.6AI score
Exploits0
hackerone
hackerone
added 2019/12/30 7:59 p.m.48 views

Stripo Inc: csrf bypass using flash file + 307 redirect method at plugins endpoint

Hi Security team, i have found that the request sent to https://my.stripo.email/cabinet/stripeapi/v1/plugin/$userid$/plugins don't have any protection against csrf attacks as the server only validates that the content type is application/json and this can be bypassed using the flash file + 307...

6.8AI score
Exploits0
hackerone
hackerone
added 2019/12/28 1:7 a.m.101 views

Stripo Inc: my.stripo.emai email verification bypassed and also create email templates

Summary: According to the Stripo.emai When the new user sign up Stripo.email allow to create email templates after the verification of the email of Your stripo account. Until your email get verified You are not able to create a email templates in your acc. User need to verified their email...

1.1AI score
Exploits0
hackerone
hackerone
added 2019/12/23 10:14 a.m.10 views

Stripo Inc: Email verification bypasa

Email verification bypass: after finishing the registration user need to verify the email address, this can be bypased while loggin in to the account...

2.2AI score
Exploits0
hackerone
hackerone
added 2019/12/19 1:25 a.m.208 views

Stripo Inc: stripo blog search SQL Injection

Summary: Sql injection of search parameters at blog search request Steps To Reproduce: 1. request https://stripo.email/blog/search/ 2. input search 1' AND SELECT 6268 FROM SELECTSLEEP5ghXo AND 'IKlK'='IKlK 3. See a very large response delay Supporting Material/References: See attached screenshot...

0.5AI score
Exploits0
hackerone
hackerone
added 2019/12/16 3:19 a.m.30 views

Stripo Inc: Tabnabbing in template comments - stripo.email

Tabnabbing - template comments on stripo.email Tabnabbing - template comments on stripo.email...

1.5AI score
Exploits0
hackerone
hackerone
added 2019/12/06 7:55 p.m.12 views

Stripo Inc: Upload Profile Photo in any folder you want with any extension you want

Summary: There exists a vulnerability in Stripo as a result of which an attacker can upload his/her profile photo in any folder he/she wants, with any file extension he/she wants. I also checked whether it could lead to code execution or directory traversal by modifying the values in the request,...

7.2AI score
Exploits0
Rows per page
Query Builder