3 matches found
Cross-Site Request Forgery (CSRF) in e107inc/e107
Description: Hi there e107 team, there is another CSRF on your downloading plugins feature. Proof of Concept: 1. Install a local instance of e107. 2. Log in as admin. 3. Access this link...
Imgur: CSRF leads to a stored self xss
Followup from 311460. Summary: Self XSS and CSRF are both out of scope, but when paired it is possible to create an attack on a user. Description: A favorites folder with an XSS payload for a name will launch when saving an image to said folder. This can be verified by following these steps: Visit yo...
Shopify: CSRF in all API endpoints when authenticated using HTTP Authentication
Description: Short: I have found a CSRF vulnerability in all API endpoints /admin/anyapiendpoint/ if the current user has authenticated using HTTP authentication. Details: When a user generates API credentials for a private application in his shop, he will be given an API key and password that he can...