9 matches found
XSS vulnerabilities via various embeds
Description: JSFiddle, Gliffy, Otter and Tldraw embeds lack sufficient input validation. Every one of them can be abused to achieve a stored XSS on a main application domain. This XSS triggers for everyone viewing the document. Proof of Concept: the PoC file is different for each vulnerable embed. See...
Adobe: Main Domain Takeover at https://www.marketo.net/
Resolved valid subdomain takeover report on Marketo. We appreciate the collaboration with the researcher...
Sifchain: Username disclosure at Main Domain
Hello, PoC link: https://sifchain.finance//wp-json/wp/v2/users/ thanks. Impact: a malicious counterpart could collect the disclosed usernames and the admin user and focus a BF attack on them, as the usernames are now known, making it less hard to penetrate the data.gov systems...
Sifchain: Vulnerable javascript dependency at Main domain
Hello. Issue detail: Burp observed 1 outdated JavaScript library with 4 known vulnerabilities. Burp detected bootstrap version 4.0.0, which has the following vulnerabilities: CVE-2019-8331: XSS in data-template, data-content and data-title properties of tooltip/popover; CVE-2018-14041: XSS in...
Sifchain: Subdomain Takeover At the Main Domain Of Your Site
Hello, I know that this isn't in scope, but this is the only way I can report it, and this issue is very high: it belongs to the main domain. This is a pretty serious security issue in some context, so please act as fast as possible. Overview: the main domain sifchain.finance is pointing to wix.com, which...
Snapchat: Takeover 2 MAIN DOMAINS of a company Acquired by Snapchat
Hi, as you may realize I noted "Domain" and not subdomain because I was actually able to take over the MAIN domain of a company acquired by Snapchat. As you can see in the screenshot below, when you type "Addlive" in Google https://goo.gl/EAxBaj , the first two results will be: F261984 First one...
Yelp: Clickjacking @ Main Domain[www.yelp.com]
Hello Yelp Security Team, I just want to submit a report on clickjacking on your main domain. I know that this is a low risk, but may I know if you're aware of it. PoC: see attachments. Impact: for example, imagine an attacker who builds a web site that has a button on it that says "click here for a fre...
APITest.IO: Clickjacking: X-Frame-Options header missing
Same as this report: https://hackerone.com/reports/7492. Vulnerable: sign in, sign up, and main domain. PoC attached...
Instacart: Cross-Site Scripting Reflected On Main Domain
Hi Instacart Security Team, I found a reflected cross-site scripting vulnerability on the main domain in the variable utmsource. POC --- https://www.instacart.com/green-zebra-grocery?utmsource="'alert/Hussain/&utmmedium="'alert/XSS/&utmcampaign="'alert/injection/ Img: http://i.imgur.com/wSn4EU7.jpg...