11 matches found
CVE-2024-52270
User Interface (UI) Misrepresentation of Critical Information vulnerability in DropBox Sign (HelloSign) allows Content Spoofing. Displayed version does not show the layer flattened version, once download, If printed e.g. via Google Chrome - Examine the print preview: Will render the vulnerability only...
CVE-2024-52270
DropBox Sign (HelloSign) is affected by a UI misrepresentation vulnerability (Content Spoofing) affecting versions through 2024-12-04. The issue is observed when printing the UI; the layered content is not flattened in print previews, potentially enabling spoofed content disclosure. Concrete deta...
VulnCheck KEV: CVE-2024-52270
User Interface (UI) Misrepresentation of Critical Information vulnerability in DropBox Sign (HelloSign) allows Content Spoofing. Displayed version does not show the layer flattened version, once download, If printed e.g. via Google Chrome - Examine the print preview: Will render the...
PT-2024-35141 · Dropbox · Dropbox Sign
Name of the Vulnerable Software and Affected Versions: DropBox Sign (HelloSign) versions through 2024-12-04. Description: The issue is related to a User Interface (UI) Misrepresentation of Critical Information vulnerability, allowing Content Spoofing. The displayed version does not show the layer...
Dropbox Discloses Breach of Digital Signature Service Affecting All Users
Cloud storage services provider Dropbox on Wednesday disclosed that Dropbox Sign (formerly HelloSign) was breached by unidentified threat actors, who accessed emails, usernames, and general account settings associated with all users of the digital signature product. The company, in a filing with th...
Malicious code in hellosign-embedded-cla (npm)
Source: ghsa-malware 48e040d099ac8087da48a2e03051478f6929f6ccc2c841992999d9160c6d8ef6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2023-496 Malicious code in hellosign-embedded-cla (npm)
Source: ghsa-malware 48e040d099ac8087da48a2e03051478f6929f6ccc2c841992999d9160c6d8ef6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Dropbox: Full Response SSRF via Google Drive
This researcher pointed out that HelloSign's Google Drive doc export feature had a URL parsing issue that could allow extra parameters to be passed to the Google Drive API. By making use of an extra parameter in the Google Drive API, it was possible for researchers to force HelloSign to parse externa...
Dropbox: Server Side Request Forgery (SSRF) at app.hellosign.com leads to AWS private keys disclosure
The report details a Server Side Request Forgery vulnerability that was present in the document upload through integrations feature in the HelloSign application. The vulnerability was caused by an unvalidated external file upload through our various integration partners. The attacker...
Dropbox: Leaking API_KEY of testrail of HelloSign gives read/write access
The API_KEY and testrail config details were leaked on GitHub, which attackers could use to access testrail accounts of HelloSign and perform read/write actions. Impact: Access to testrail account of HelloSign...
HelloSign - Dynamic Code Loading, External URLs, KeyStore usage vulnerabilities
HackApp vulnerability scanner discovered that the application HelloSign, published at the 'play' market, has multiple vulnerabilities...