CVE-2021-38349
The Integration of Moneybird for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the errordescription parameter found in the /templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1...
CVE-2021-38349 Integration of Moneybird for WooCommerce <= 2.1.1 Reflected Cross-Site Scripting
CVE-2021-38349
The CVE-2021-38349 entry documents a Reflected Cross-Site Scripting vulnerability in the WordPress plugin “Integration of Moneybird for WooCommerce” in versions up to and including 2.1.1. The issue stems from the error_description parameter in the file templates/wcmb-admin.php, enabling injection o...
Integration of Moneybird for WooCommerce <= 2.1.1 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the errordescription parameter found in the /templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts...
WordPress Integration of Moneybird for WooCommerce plugin <= 2.1.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Integration of Moneybird for WooCommerce plugin versions <= 2.1.1. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...
Moneybird: Access control issue on invoice documents downloading feature.
Reporter has found a way to download exports as an unauthorized user. This was only possible after changing the permissions for the user and having a certain page open during this change. The issue has been resolved by adding extra permission checks during the download action...
Moneybird: Open Redirect through POST Request in OAuth
Reporter found an open redirect issue in the OAuth flow. We added extra checks for all redirects in the OAuth flows to mitigate this issue...
Moneybird: Stored XSS on add project
The researcher found a way to store a snippet that was served to him and/or other users of his administration. Subsequently the snippet was executed by his browser, making it a viable XSS vulnerability...
Moneybird: Pending MFA logins aren't immediately expired after a password change
Researcher found an issue with sessions not all being terminated when the password is changed. The 2FA implementation was at fault in this scenario, as the session was found to be active even after the password was changed and two-step verification was turned off...
Moneybird: IDOR in https://moneybird.com/user/accountant_company/edit (change company name)
Reporter found a way to change the name of an accountant company for which he didn't have permissions. We added extra checks to prevent this kind of Insecure Direct Object Reference bug...
Moneybird: Bypass password reset rate limit protection at moneybird.com/passwords
Attacker found a way to completely bypass our rate limit protection, allowing for other types of attacks. This involved changing the value of the X-Forwarded-For header. Attacker never got a 429 response from our servers when the value for each request was different. Injecting X-Forwarded-For :...
Moneybird: Enable 2FA without verifying the email
Description: I was able to add 2FA to my account without verifying my email. Attack scenario: 1. Attacker signs up with the victim's email; an email verification will be sent to the victim's email. 2. Attacker is able to log in without verifying the email. 3. Attacker adds 2FA. Impact: the victim can't register an account wit...
Moneybird: Open Redirection while saving User account Settings
Hi team, I got an open redirection while saving account settings. This could lead to serious issues. Endpoint: https://moneybird.com/user/edit?returnto=//evil.com Reproduce: Visit https://moneybird.com/user/edit?returnto=//evil.com and click on Save. You will be taken to evil.com. Impact:...
Moneybird: Bypass of Rate limiting in secure_session endpoint's password input will lead to user password disclosure
The rate limit for entering a password to start a secure session was too low. This allowed for brute force password guessing when an attacker would gain access to an existing session of a user. We have solved the issue by making the password rate limit the same as the regular login procedure...
Moneybird: Stored XSS at Moneybird
Reporter found a stored XSS vulnerability in a search field. We have deployed countermeasures to prevent this vulnerability...
Moneybird: Moneybird customers' invoices leak in cacheable URLs
Reporter found a few public links with information that is published by our clients. Although our clients choose to make this information public themselves, we have made some small improvements to protect the information better from indexing by search engines...
Moneybird: Stored Cross Site Scripting in Customer Name
Researcher found a vulnerability in our contact selector, in which a contact name with HTML would trigger this HTML to be executed. We have improved our contact selector to handle customer names as text instead of HTML...
Moneybird: [Stored Cross-Site Scripting] When searching Incoming (Manual Journal)
Reporter found an XSS vulnerability in a JavaScript module in our application. We have implemented countermeasures to prevent such vulnerabilities in the future...