15 matches found
Adobe: Main Domain Takeover at https://www.marketo.net/
Resolved valid subdomain takeover report on Marketo. We appreciate the collaboration with the researcher...
Virginia National Guard suffers cyberattack as Marketo leaks data
By Waqas. According to the organization, email accounts linked with Virginia National Guard were targeted in the cyberattack. This is a post from HackRead.com.
Adobe Releases Security Updates for Multiple Products
Adobe has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following...
CVE-2020-24416
CVE-2020-24416 affects Marketo Sales Insight plugin for Salesforce, specifically version 1.4355 and earlier, by a blind stored XSS in vulnerable form fields. Exploitation could cause arbitrary JavaScript execution in a victim’s browser when visiting pages containing the affected field. Multiple s...
APSB20-60 Security updates available for Marketo
Marketo has released an update for the Marketo Sales Insight package for Salesforce. This update addresses an important vulnerability. Successful exploitation could lead to arbitrary JavaScript execution in the browser...
Marketo Forms and Tracking <= 1.0.2 - CSRF to XSS
Lack of CSRF checks and sanitisation on the plugin's settings page could allow XSS attacks via CSRF. PoC...
Marketo Forms and Tracking <= 1.0.2 - CSRF to XSS
Lack of CSRF checks and sanitisation on the plugin's settings page could allow XSS attacks via CSRF. document.getElementById('csrf').submit();...
HackerOne: DOM Based XSS in www.hackerone.com via PostMessage (bypass of #398054)
Summary: The security fix by Marketo to resolve the issue reported by @adac95 in 398054 can be bypassed by purchasing an .ma domain for €60. Description: The issues described by @adac95 in 398054 remain insufficiently resolved because of an inadequate security check by Marketo in the following piec...
eu-lon05.marketo.com XSS vulnerability
Open Bug Bounty ID: OBB-695732. Affected Website: eu-lon05.marketo.com. Vulnerable Application: Custom Code. Vulnerability Type: XSS (Cross Site Scripting) / CWE-79. CVSSv3 Score: 6.1...
eu-lon06.marketo.com XSS vulnerability
Open Bug Bounty ID: OBB-695719. Affected Website: eu-lon06.marketo.com. Vulnerable Application: Custom Code. Vulnerability Type: XSS (Cross Site Scripting) / CWE-79. CVSSv3 Score: 6.1...
HackerOne: Client-Side Race Condition using Marketo, allows sending user to data-protocol in Safari when form without onSuccess is submitted on www.hackerone.com
Hi, I made a talk earlier this month about Client-Side Race Conditions for postMessage on AppSecEU: https://speakerdeck.com/fransrosen/owasp-appseceu-2018-attacking-modern-web-technologies In this talk I mention some fun ways to race postMessages from a malicious origin before the legit source...
HackerOne: Lack of input sanitization in Marketo form leads to execution of HTML in lead emails
Hi, There is an SSRF vulnerability due to img tag injection in the "Contact HackerOne Sales" form. Since the vulnerability triggers after 18-20 minutes, I am not sure which site it affects. It might affect hackerone or marketo. So I thought it would be better to report it first on hackerone. POC 1. Naviga...
HackerOne: Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP
Hi, I just discovered that there's a scenario where the Marketo Forms solution being used on www.hackerone.com can actually be abused, using a few fun techniques, to trigger an XSS in the Cross-Origin-iframe being used by Marketo. This results in eavesdropping of the data being sent in the...
Marketo Cloud - Persistent Mail Encoding Vulnerability
Document Title: Marketo Cloud - Persistent Mail Encoding Vulnerability. References (Source): http://www.vulnerability-lab.com/getcontent.php?id=1321. Release Date: 2015-01-13. Vulnerability Laboratory ID (VL-ID): 132...
CVE-2014-8379
The CVE-2014-8379 entry concerns the Marketo MA module for Drupal (7.x) and its Webform and User sub-modules. The root cause is unsanitized field titles that allow cross-site scripting (XSS) by remote authenticated users with certain permissions. Affected versions are Marketo MA 7.x-1.3 and earli...