3 matches found
Mail.ru: Stored XSS in Review Section https://games.mail.ru/
Stored XSS via malcrafted link bbcode in review editor...
Mail.ru: CSRF on sending a question on [games.mail.ru]
CSRF in gmr.operator.mail.ru allowed sending a question on behalf of the user to TimeZero project support. CSRF to send a question in the disabled method /support/tz/questions/ajax in the interface...
Mail.ru: Reflected XSS @ games.mail.ru
Hi, I've found a reflected XSS in games.mail.ru. The vulnerable parameter is url in the /r area. PoC - Visit the following URL and click on javascript:alertdocument.domain - An alert will pop up with the domain. https://games.mail.ru/r/?url=javascript:alertdocument.domain F115537 - Also, to show current...