22 matches found
Mavenlink: User's email can be changed without verification
A user api endpoint that accepts updates for user profile information also accepts an email address field. The researcher found a bug where a previously verified email address could be updated via this endpoint but would not be marked as unverified. This endpoint still accepts email address chang...
Mavenlink: CSRF Add user templates
Reproduction: ========== - Log in to account - Visit the CSRF page below (note the default 30-second timeout, which can be adjusted according to the connection speed): var a = window.open("https://app.mavenlink.com/projecttemplatesnew", "csrf", "height=100,width=100"); var intervalID = setTimeout(function() { a.close...
Mavenlink: Account members can re-add themselves after being deleted by administrator
Reproduction: ========= - As an administrator, invite an account member, e.g. [email protected], via https://app.mavenlink.com/settings/account/members - An invitation link is sent to [email protected]; as user1, open the email inbox and click on the link, and notice the link redirects to the page url:...
Mavenlink: User uploaded portfolio files can be accessed by any user even after deleted
Reproduction: ========= 1. Log in as a user, e.g. user1 2. Create a portfolio by going to https://app.mavenlink.com/users/1234567-user1/worksamples/new (note: replace 1234567-user1 with the actual user id/name endpoint). 3. Upload any file to the new portfolio and click save. On the right side of...
Mavenlink: Information disclosure when trying to delete an expense's attachment on m.mavenlink.com
There was an information disclosure vulnerability in a particular error message on the mobile site. Using this vulnerability, it was possible to gain access to the filename of certain un-owned attachments...
Mavenlink: Uninitialized server memory disclosure via ImageMagick gif parser
A CVE in ImageMagick allowed an attacker to recover random server memory via GIF upload. GIF processing has since been disabled...
Mavenlink: [app.mavenlink.com] IDOR to view sensitive information
The researcher found an IDOR that, when exploited, would result in an error message that was too verbose. The verbose error message included the title of the workspace that the user was attempting to access and being denied permission to...
Mavenlink: Password reset link injection allows redirect to malicious URL
@cablej found a vulnerability in our password reset functionality that allowed an attacker using an HTTP request with a modified Host header to cause a password reset link to be emailed to the target user that would navigate to the attacker's domain. Because the password reset emails are sent fro...
Mavenlink: Participation of expired account holders in Projects can cause financial loss to Mavenlink
I think I have found a security issue. Summary: --------------------- Inviting a person to a Project who has an expired account can participate in project activity via email address, which is against Mavenlink's business policy, as after an account has expired after the trial period they need t...
Mavenlink: Open/Unvalidated Redirect Issue
Hi, User can be redirected to a malicious site. POC: https://app.mavenlink.com/logout?frommobile=true&returnpath=//google.com...
Mavenlink: XSS in https://app.mavenlink.com/workspaces/
My name on my Mavenlink account causes a cross site scripting vulnerability. My name=" go to https://app.mavenlink.com/workspaces/8591867/gantt and click the "save snapshot" button, then save it. When you save it you will get a javascript alert from the "Can be viewed by "" area because my Mavenlink name "...
Mavenlink: Email field filtering problem.
From the page: https://app.mavenlink.com/settings/email When I tried to update the email address, I noticed that the database field was allocating 255 characters there. And if the input was more than 255 characters, that field was truncating. For example: text...
MAVENLINK Cloud Service Detection
Binary data 8472.prm...
Mavenlink: privilege escalation
1. Consider two browsers, say X and Y, and also two users, say A and B. 2. Sign in to https://app.mavenlink.com as user A through browser X, and likewise log in as user B through browser Y. 3. Now create a project as user A, and add user B as a consultant with Team Lead privilege. 4. Now...
Mavenlink: Cookies are not cleared from Server side on Logout
I logged out from my account after using it and then clicked on back; I found my account still logged in. Cookies are not handled well on logout. I saw that the cookie is not expired. If the hacker gets the victim's cookie, the hacker can use it for a pretty good time period. Best Regards, RajaUzairAbdullah...
Mavenlink: Flash XSS on swfupload.swf showing at app.mavenlink.com
Hello Security, I would like to report an XSS that affects all users. This flash XSS can be very dangerous. Vulnerable URL: https://app.mavenlink.com/flash/swfupload.swf?movieName=";catcheif!self.aself.a=!alertdocument.domain;// I attach an image as proof. If there is any problem reproducing this bug, please let me know...
Mavenlink: Login CSRF
Hi all, Here's the request on the login page POST /login HTTP/1.1 Host: app.mavenlink.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,...
Mavenlink: Non Validation of session after password reset
After a password reset link is requested and a user's password is then changed, not all existing sessions are logged out automatically. Logging in with the new password doesn't invalidate the older session either: I could browse Mavenlink using two sessions in two different browsers which were...
Mavenlink: Password reset token not expiring
Old unused password reset tokens are not expiring on mail.ru after the issuance of a new token. Explanation: Suppose at 09:00 hrs I used the password reset option of Mavenlink and got a token in my email. Let's call it token01. But I did not use it. And at 09:04 hrs I again used the password reset optio...
Mavenlink: Clickjacking at https://www.mavenlink.com/ main website
Hello, I found clickjacking on the main webpage. CSRF testing frame opacity: 0.5; border: none; position: absolute; top: 0px; left: 0px; z-index: 1000; window.onbeforeunload = function return " Do you want to leave ?"; Site is vulnerable to clickjacking! By Vineet Bhardwaj. Same as last bug but its ...