Uber: CSRF on eng.uber.com may lead to server-side compromise
The site eng.uber.com uses a WordPress plugin called Fluid Responsive Slideshow. The plugin does not implement any CSRF check on its AJAX requests, and some of those requests can be used to modify posts and pages on the site. An attacker could use this bug to inject arbitrary JavaScript into any pag...
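The pattern the report describes (a WordPress `wp_ajax_` handler that writes to posts without a nonce or capability check) and the way it is normally fixed, as an added illustration that is not the report's text and not Fluid Responsive Slideshow's real code. The plugin name `demo_slideshow`, the action name and the `caption` field are hypothetical; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `wp_kses_post`, `wp_update_post`, `wp_create_nonce`, `wp_localize_script`) are real core APIs.

```php
<?php
// Added illustration of an unprotected vs. a hardened WordPress AJAX handler.
// "demo_slideshow" is a hypothetical plugin; this is not the real plugin's code.

// --- Unprotected pattern -------------------------------------------------
// wp_ajax_* handlers run for any logged-in user, and WordPress does NOT verify a
// nonce for you. A page controlled by an attacker can auto-submit a POST to
// admin-ajax.php from the victim's browser, which sends the victim's cookies,
// and this handler stores attacker-controlled HTML into an arbitrary post.
function demo_slideshow_save_caption_vuln() {
    $post_id = (int) $_POST['post_id'];
    $caption = $_POST['caption'];            // raw HTML/JS from the request
    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => $caption,
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_slideshow_save_caption_vuln', 'demo_slideshow_save_caption_vuln' );

// --- Hardened pattern ----------------------------------------------------
function demo_slideshow_save_caption() {
    // 1. CSRF: require a nonce that only a page served to this user contained.
    //    check_ajax_referer() terminates the request with "-1" when it fails.
    check_ajax_referer( 'demo_slideshow_save_caption', 'nonce' );

    // 2. Authorization: a nonce proves intent, not permission. The user must be
    //    allowed to edit this particular post (a Subscriber is logged in too).
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Stored content: reduce the input to post-safe HTML so <script> and
    //    event handlers are dropped even for users without unfiltered_html.
    $caption = isset( $_POST['caption'] )
        ? wp_kses_post( wp_unslash( $_POST['caption'] ) )
        : '';

    $result = wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => $caption,
    ), true );                               // true = return WP_Error on failure
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
add_action( 'wp_ajax_demo_slideshow_save_caption', 'demo_slideshow_save_caption' );

// Hand the nonce to the plugin's own admin script so legitimate requests can
// include it as the "nonce" POST field checked above.
function demo_slideshow_enqueue_admin() {
    wp_enqueue_script(
        'demo-slideshow-admin',
        plugins_url( 'admin.js', __FILE__ ),   // hypothetical script file
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'demo-slideshow-admin', 'demoSlideshow', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_slideshow_save_caption' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_slideshow_enqueue_admin' );
```

When auditing a plugin for this class of bug, grep for `add_action( 'wp_ajax_` and `wp_ajax_nopriv_` registrations and confirm that each callback starts with a nonce check and a `current_user_can()` check before any write; a `nopriv` handler that modifies content is reachable without any session at all.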
Uber: Dom Based Xss
Hi. I found a DOM XSS on this subdomain, eng.uber.com. You are using a vulnerable plugin, prettyPhoto. This XSS will work in Firefox, Google Chrome and the latest version of IE! And this is very dangerous! POC Firefox vector http://eng.uber.com/prettyPhotoi/x,/x POC Google and IE...