MAL-2022-210 Malicious code in @dropcontact/fetlife-assets (npm)
Source: ghsa-malware f5c373e0739e7760a1b826371b15f768ea8cd40dcd6bb27579d441ea9e73fdcf. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Dropcontact: Information Disclosure through DEBUG at Subscription (https://app.dropcontact.io/app/subscription?connector=salesforce) (CRITICAL)
We were displaying some system information in case of the app crashing...
Dropcontact: Django should not have debug mode enabled
We were displaying sensitive information...
Dropcontact: Registering with an email [+70 chars] leads to disclosure of some information [Django Debug Mode]
We were displaying / leaking system information in case of an app crash...
Dropcontact: Django DEBUG mode enabled and leaked system information.
We were leaking / showing system information. Django DEBUG mode was enabled and showing some information on some errors. I just followed the errors and finally got some sensitive system information such as configuration, API keys, database users, system directories, etc...
Dropcontact: Dropcontact's disclosed report is exposing Private/Confidential information
Some other report was disclosed fully with confidential information!...
Dropcontact: Django debug enabled showing information about system, database, configuration files.
We were displaying sensitive information...
Dropcontact: API key is not validated for CRM integration [Pipedrive] of LOGGED IN USER; a user can use another USER'S API key for this operation.
We didn't verify the API key when a new user was using his Pipedrive free trial, so someone could take a key of another Pipedrive account which doesn't belong to him and make his free trial on this API key. Or launch a free trial on a Pipedrive already connected to Pipedrive...
Dropcontact: IDOR for FirstPromoter service
An IDOR has been detected on the FirstPromoter service...
Dropcontact: Host Header Injection.
Someone could change the redirection when logging out from FirstPromoter; by tweaking the logout request and using the HTTP X-Forwarded-Host header, someone could redirect the logout toward a bad place...
Dropcontact: Unauthorized Access and update of EMAIL settings of another user at https://app.dropcontact.io/app/sponsorship/ by changing the "email" parameter.
When changing email settings with FirstPromoter, the email of the account was right in the URL, so by changing this parameter, we could change the settings of other users...
Dropcontact: Nginx Server version disclosure.
The Nginx server version was returned by our server...