757 matches found
HackerOne: Lack of input sanitization in Marketo form leads to execution of HTML in lead emails
Hi, there is an SSRF vulnerability due to img tag injection in the "Contact HackerOne Sales" form. Since the vulnerability triggers after 18-20 minutes, I am not sure which site it affects. It might affect hackerone or marketo. So I thought it would be better to report it first on hackerone. POC 1. Naviga...
Detecting threat actors in recent German industrial attacks with Windows Defender ATP
When a Germany-based industrial conglomerate disclosed in December 2016 that it was breached early that year, the breach was revealed to be a professionally run industrial espionage attack. According to the German press, the intruders used the Winnti family of malware as their main implant, givin...
searchenginewatch.com XSS vulnerability
Open Bug Bounty ID: OBB-200423

| Description | Value |
|---|---|
| Affected Website: | searchenginewatch.com |
| Open Bug Bounty Program: | Create your bounty program now. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | XSS Cross Site Scripting / CWE-79 |
| CVSSv3 Score: | 6.1... |
Microsoft Windows - GDI+ EMR_EXTTEXTOUTA EMR_POLYTEXTOUTA Heap Buffer Overflow (MS16-097)
Microsoft Windows - GDI+ EMR_EXTTEXTOUTA EMR_POLYTEXTOUTA Heap Buffer Overflow (MS16-097) Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=828 The Microsoft GDI+ implementation of the EMF format supports records corresponding to the ExtTextOutA and PolyTextOutA API functions. Both...
GoAutoDial CE 3.3 SQL Injection / Command Injection
Title : GoAutoDial CE 3.3 Multiple SQL injections, Command Injection Date : 06/12/2015 Author : R-73eN Tested on : goautodial-32bit-ce-3.3-final Software : http://goautodial.org/ ...
FreeBSD : froxlor -- database password information leak (9ee72858-4159-11e5-93ad-002590263bf5)
[email protected] reports : An unauthenticated remote attacker is able to get the database password via webaccess due to wrong file permissions of the /logs/ folder in froxlor version 0.9.33.1 and earlier. The plain SQL password and username may be stored in the /logs/sql-error.log file...
Unspecified Vulnerability in IBM Leads
IBM Leads is a solution from IBM USA for improving the customer management process. The program provides functions such as finding prospects, assigning customers and sending notifications of new customer information. A security vulnerability exists in IBM Leads that stems from the program's failu...
WordPress vTiger Plugin - Unknown Vulnerability
This plugin is prone to a CRM lead capture unspecified vulnerability. Solution: Update the plugin...
OroCRM - Stored XSS Vulnerability
No description provided by source. Affected software: OroCRM is an easy-to-use, open source CRM with built in marketing automation tools for your commerce business. It's the CRM built for both sales and marketing! Discovered by: Provensec Website: http://www.provensec.com Author: Provensec Labs...
OroCRM Cross Site Scripting
Affected software: OroCRM is an easy-to-use, open source CRM with built in marketing automation tools for your commerce business. It's the CRM built for both sales and marketing! Discovered by: Provensec Website: http://www.provensec.com Author: Provensec Labs Type of vulnerability: XSS Stored...
OroCRM - Stored XSS Vulnerability
Exploit for php platform in category web applications Affected software: OroCRM is an easy-to-use, open source CRM with built in marketing automation tools for your commerce business. It's the CRM built for both sales and marketing! Discovered by: Provensec Website: http://www.provensec.com Autho...
OroCRM - Persistent Cross-Site Scripting
Affected software: OroCRM is an easy-to-use, open source CRM with built in marketing automation tools for your commerce business. It's the CRM built for both sales and marketing! Discovered by: Provensec Website: http://www.provensec.com Author: Provensec Labs Type of vulnerability: XSS Stored...
SA-CONTRIB-2014-082 - Marketo MA - Cross Site Scripting (XSS)
The Marketo MA module adds Marketo marketing automation tracking capability to your website as well as the ability to capture lead data during user registration and via webform integration. It consists of a base module as well as Marketo MA User Webform and Marketo MA User sub-modules. The Market...
CVE-2014-5189
SQL injection vulnerability in lib/optin/optin_page.php in the Lead Octopus plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter...
SQL injection
SQL injection vulnerability in lib/optin/optin_page.php in the Lead Octopus plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter...
CVE-2014-5189
Lead Octopus Power is a WordPress plugin affected by an SQL injection in lib/optin/optin_page.php via the id parameter. The vulnerability allows remote attackers to execute arbitrary SQL commands, potentially compromising data. Public sources (NVD, WPVulnDB, PatchStack) corroborate the SQLi vecto...
WordPress-to-Lead for Salesforce CRM 1.0 - salesforce.php Multiple Parameter XSS
The Brilliant Web-to-Lead for Salesforce WordPress plugin was affected by a salesforce.php Multiple Parameter XSS security vulnerability...
Video Lead Form - "errMsg" Cross-Site Scripting
The Video Lead Form WordPress plugin was affected by a "errMsg" Cross-Site Scripting security vulnerability...
WordPress To Lead For Salesforce Plugin <= 1.0.1 - Cross Site Scripting
This plugin is prone to a salesforce.php salesforceformshortcode Function Error Message Handling cross site scripting vulnerability. Solution: Update the plugin...