Lucene search
K

43 matches found

Hacker One
Hacker One
added 2017/11/06 10:35 a.m.8 views

Infogram: Stored XSS On Wordpress Infogram plugin

Hello Team, There is a Stored XSS Vulnerability On Wordpress Infogram plugin. Wordpress version : 4.5 Infogram plugin version : 1.5.1 After installing wordpress and infogram plugin. I created a project to infogram with the following name " and I Created a simple report. Then I go back to my...

6AI score
Exploits0
Hacker One
Hacker One
added 2017/11/05 1:35 p.m.16 views

Infogram: Stored XSS in content when Graph is created via API

Summary It is possible for an attacker to insert javascript code into Graphs by creating a project via the API Steps to reproduce Login Go to API Settings Copy your Key + Secret Go to API Documentation Download one of the official libraries I chose JAVA In the "main" method add the Key + Secret y...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/11/01 11:16 a.m.15 views

Infogram: No Email Verification

There should be an email verification when creating a new user. B/c i can make an account from others email address for example: [email protected] Now when the real person, how own this email address cant make an account with his email address...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/30 7:13 a.m.15 views

Infogram: Javascript Payload reflected Back in Report Embed Code

1Create new Report template 2Spoof its name with payload " My Report alertdocument.cookie;div id=" 3Visit Back to your library list https://infogram.com/app//library 4Select The Created report and click view on web,Click the Share Button 5Copy & embed the code somewhere in html file you ll triage...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/28 7:56 p.m.20 views

Infogram: Multiple xss on infogram templates

Hello Team, There is a multiple xss on some templates. Payload used : "...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/28 7:34 p.m.22 views

Infogram: XSS when Shared

Introduction XSS on an embedded piece of code that, when shared, may make it seem as if it was infogram.com that was doing the malicious act. Proof of Concept 1. Create an account 2. Create a project titled "scriptalert1;" 3. Click on share Here's an example of the share embedded code:...

6.3AI score
Exploits0
Hacker One
Hacker One
added 2017/10/28 11:49 a.m.29 views

Infogram: HTML injection

hi team ... i found HTML i on https://infogram.com/app//library step .. 1- go to https://infogram.com/app//library 2- choose Report Templates . 3- Use Report Classic 4- click to editdata 5- edit cell Employee ID 5- payload hacked hacked hacked 6-execute HTML .. POC .. video on attached...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/27 3:57 p.m.19 views

Infogram: XSS on infogram.com

Hello, There is a XSS on Report templates. Free templates : Report Classic When we modify the values of table we can put XSS Payload. Payload used : " "/...

6.3AI score
Exploits0
Hacker One
Hacker One
added 2017/10/25 7:57 p.m.15 views

Infogram: Report Design Critical Stored DOM XSS Vulnerability

Hi Team, Another XSS vulnerability in report designer but this one is critical. Problem Point Report's Overview Table Report Creation Url https://infogram.com/app/edit/e7b161f1-f708-48e5-bab7-de9887ae202a Sample Data Click for Detail Sample URL https://infogram.com/report-classic-1g57pr0g3xdvp01...

6.3AI score
Exploits0
Hacker One
Hacker One
added 2017/10/24 5:49 p.m.32 views

Infogram: No notification on Password Change

Hi Team, Description : I noticed there is an issue with password reset functionality user is not receiving notification when he reset password. Even though when user change password through profile, not getting an email notification. Issue: user not always gets a notification about password chang...

7AI score
Exploits0
Hacker One
Hacker One
added 2017/10/24 4:4 p.m.14 views

Infogram: XSS on Report Classic

hi team ... i found XSS on https://infogram.com/app//library step .. 1- go to https://infogram.com/app//library 2- choose Report Templates . 3- Use Report Classic 4- click to editdata 5- payload //" “alertdocument.cookie 6-execute XSS and which you edit data XSS stared...

6.3AI score
Exploits0
Hacker One
Hacker One
added 2017/10/24 1:48 p.m.18 views

Infogram: Application Vulnerable to CSRF - Remove Invited user

POC: 1. Login to the application with a business account. 2. Go to Manage teams, where we can send invites to a team member. Send a Invite to a team member 3. After the invite is sent to a user, the admin has option to Remove User. 4. While trying to remove the user, capture the request in burp ,...

Exploits0
Hacker One
Hacker One
added 2017/10/24 12:46 p.m.22 views

Infogram: Sensitive information is publicly available

During the analysis it was found that some sensitive information like ip is available on this url .https://infogram.com/ip/...

6.6AI score
Exploits0
Hacker One
Hacker One
added 2017/10/24 10:51 a.m.18 views

Infogram: Outdated jQuery Version

During analysis, it was observed that the application is using outdated jQuery version i.e. 1.11.2...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/23 8:49 p.m.37 views

Infogram: Stored XSS in the Custom Logo link (non-Basic plan required)

Description Hello. Recently i contacted with Infogram, and requested trial of the Business version to test some features, which was unavailable in the Basic version. I discovered the stored cross-site scripting issue in the Custom Logo link. F232084 There was some URL checks in place, but i was...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/23 10:27 a.m.17 views

Infogram: Internal Ports Scanning via Blind SSRF

Introduction: I found a Blind SSRF issue that allows scanning internal ports. How to reproduce: Login Send the request https://infogram.com/api/webresource/url?q=TARGETURI Look up the response. If valid, it returns status code 200 and the website's title will be exposed, or 404 for otherwise. For...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2017/10/20 6:22 a.m.11 views

Infogram: Non Critical Code Quality Bug / Self XSS on Map Editor

Hi Team, I've found non-critical XSS on map editor. It is not for bounty just for code quality. This is my url: https://infogram.com/app/edit/c024c717-31c2-4c31-8491-1cc9534e9adb When i added map on form then edit Country name and replace with "alert1;" it is executed. Attached screenshots...

6.5AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 2:57 p.m.23 views

Infogram: No Rate Limit on account deletion request(Leads to huge email flooding/email bombing)

Dear sir, At first,i want to say that this sensitive action definitely should be set with rate limit. Note:-This is about huge bombing/brute force on any endpoints. Vulnerability:- -No rate limit has been set for generating account deletion emails for accounts on above selected domain. -As there ...

7.2AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 2:22 p.m.18 views

Infogram: Server Side Request Forgery on JSON Feed

Hi Team, I would like to report SSRF issue. PoC: 1. Navigate to https://infogram.com/app/user-project. 2. Click on edit logo fields and click on add JSON Data. 3. Enter urlopenport response is Download failed 4. Enter urlclosedport response is Invalid data source Fix: Don't give permission to por...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/10/19 2:1 p.m.31 views

Infogram: Weak Password Policy on Signup

Hi Team, i would like to let you know about password management issue. PoC: 1. Navigate to signup page. 2. Fill you details and give password as simple as 123123. 3. You can see you will be registered and there is no strong enforcement. Fix: Use complex password management. Regards, Mr.R3boot...

7AI score
Exploits0
Rows per page
Query Builder