
21 matches found

Openbugbounty
added 2018/03/19 2:40 p.m., 9 views

mixmax.co.il XSS vulnerability

Open Bug Bounty ID: OBB-582743

| Description | Value |
|---|---|
| Affected Website: | mixmax.co.il |
| Open Bug Bounty Program: | Create your bounty program now. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | XSS Cross Site Scripting / CWE-79 |
| CVSSv3 Score: | 6.1... |

AI score: 6.3
Exploits: 0
Hacker One
added 2017/08/22 4:41 p.m., 19 views

Mixmax: app.mixmax.com Information Disclosure on cal.mixmax.com and Not Signing out after Removing information grant access from Google

Hi, I found that there was Email Disclosed in the source code of the public calendar link. PoC: 1: Visit https://cal.mixmax.com/wwelatestevents 2: View Page Source 3: Find email at the end of the page. organizer:...

AI score: 0.1
Exploits: 0
Hacker One
added 2017/07/05 10:51 a.m., 16 views

Mixmax: Public calendar link can be invisible

Hello, I was working on the calendar settings. Where I saw, there is a public calendar link creator box. Usually people put their username in that box. But I was tired to do something. I know the calendar link can be unlisted as public. But the things I found, I can make my calendar link public a...

Exploits: 0
Hacker One
added 2017/06/26 4:39 p.m., 46 views

Mixmax: SSRF via webhook

Hi, There exists an SSRF vulnerability with the account webhook feature, allowing an attacker to verify the existence of the EC2 metadata URL and enumerate URLs. POC: 1. Create a webhook at https://app.mixmax.com/dashboard/settings/rules with url http://169.254.169.254/latest/meta-data/. 2...

AI score: 6.9
Exploits: 0
Hacker One
added 2017/06/26 6:25 a.m., 18 views

Mixmax: Improper parsing of input could lead to future XSS vulnerabilities in Sequences

Hello, I understand this probably doesn't qualify as a vulnerability, but I figured it would be important to bring to your attention regardless. I ask that if you are to close this, you mark it as informative for the sake of signal, reputation, etc. as I mean no harm with this post, and simply wi...

AI score: 6.8
Exploits: 0
Hacker One
added 2017/06/14 12:51 p.m., 12 views

Mixmax: Design issue with webhook (several) notifications on mixmax.com

Hi team, I noticed a design problem involving successive notifications about an incorrect webhook set at https://app.mixmax.com/dashboard/settings/rules I set an incorrect webhook for testing on this page and in a few hours I received more than 10 notifications. This can cause a certain...

AI score: 1.3
Exploits: 0
Hacker One
added 2017/06/11 6:21 a.m., 18 views

Mixmax: Stored XSS in Templates > Enhance > Social Badges

Hi, just like the report 237927, I found stored XSS in the Templates > Enhance > Social Badges section. 1. Go to templates section and click on one of your templates. 2. Enhance > Social Badges. 3. Enter the payload: javascript:alert1 in any of the social networking button url. 4. You'll see that the xss is...

AI score: 0.5
Exploits: 0
Hacker One
added 2017/06/08 8:04 a.m., 28 views

Mixmax: Stored XSS templates -> 'call for action' feature

Hi Jeff, Reporting the Stored XSS in template section on 'call for action' button. Already discussed in mail. 1. Login to Mixmax and navigate to template section. 2. Click on enhance and select call for action button. 3. Enter anything in button text and in URL enter XSS payload...

AI score: 0.4
Exploits: 0
Hacker One
added 2017/06/06 5:15 a.m., 19 views

Mixmax: no string size restriction on team name

To limit unintended effects across our UI and infrastructure, we put a maximum length on team names...

AI score: 2.2
Exploits: 0
Hacker One
added 2017/06/04 8:42 a.m., 36 views

Mixmax: Email Leakage in staging environment

A developer's personal email address was used as the point of contact for an OAuth configuration used in our staging environment. Mixmax did a great job for the fix. :D...

AI score: 2.9
Exploits: 0
Hacker One
added 2017/06/03 7:55 p.m., 265 views

Mixmax: Blind SSRF due to img tag injection in career form

Hi, There is SSRF vulnerability due to img tag injection in career form. Attacker can inject multiple tags and perform multiple requests on remote hosts. POC 1. Visit https://mixmax.com/careers. 2. Click on Apply now. 3. Insert img tag in all the fields. 4. Click on Send Application. 5. Check...

AI score: 0.8
Exploits: 0
Hacker One
added 2017/06/03 9:28 a.m., 16 views

Mixmax: Missing restriction on string size of contact field

There was no restriction on the amount of text that can be inserted into a custom field while adding a new contact...

AI score: 2.4
Exploits: 0
Hacker One
added 2017/06/01 8:32 a.m., 30 views

Mixmax: [compose.mixmax.com] Stored XSS on compose.mixmax.com in contact names.

Thanks @sh3r1 !...

AI score: 1.7
Exploits: 0
Hacker One
added 2017/05/31 8:02 p.m., 18 views

Mixmax: Privilege escalation-User who does not have access is able to add notes to the contact

We didn't properly check that users had read-write access to contacts when posting notes...

AI score: 5.4
Exploits: 0
Hacker One
added 2017/05/31 7:46 a.m., 33 views

Mixmax: CRLF Injection on https://vpn.mixmax.com

Hey guys, I found that the site https://vpn.mixmax.com is vulnerable to a CRLF Injection. By injecting a Carriage Return and Line Feed character, we are able to make the server issue a set-cookie header. Proof-of-Concept: ==============...

AI score: 0.2
Exploits: 0
Hacker One
added 2017/05/31 4:02 a.m., 47 views

Mixmax: Security Vulnerability - SMTP protection not used

Hi, I'm checking your website and found an SPF record there. You should apply a strict SMTP policy to stop spoofed email sending from your domain. An attacker would send a fake email from [email protected] saying "Please change your password". The victim is aware of phishing attacks, but when he sees...

AI score: 7
Exploits: 0
Hacker One
added 2017/05/30 10:11 p.m., 54 views

Mixmax: Subdomain takeover (sales.mixmax.com)

Unused DNS record was reported, we promptly removed...

AI score: 1.4
Exploits: 0
Hacker One
added 2017/05/30 9:50 p.m., 133 views

Mixmax: Possible Subdomain Takeover

None of the weakness categories really fit this so I apologize for that. The subdomain sales.mixmax.com points to 151.101.16.229, a webflow.io proxy server. Because it 404s, this leads me to believe that a subdomain takeover is possible through the webflow service as whatever this is pointing to ...

AI score: 1.7
Exploits: 0
Hacker One
added 2017/05/30 8:23 p.m., 19 views

Mixmax: Attacker can trick others into logging in as themselves

Hi Team, This bug is similar to bug report https://hackerone.com/reports/2228 as this bug also allows a user to be logged in as the attacker. An attacker can escalate this to attach his account with the victims profile and monitor his activities. Login CSRF is a type of attack where the attacker...

AI score: 0.5
Exploits: 0
Hacker One
added 2017/05/30 8:13 p.m., 17 views

Mixmax: mailbomb through invite feature on chrome addon

We didn't rate-limit our API to invite users to Mixmax, leading to potential spamming...

AI score: 3.1
Exploits: 0