7 matches found
Mail.ru: [185.30.178.57:8080] - Vulnerable to Jetleak
sfpc.euits.dev-my.games runs a Jetty web server vulnerable to JetLeak...
Mail.ru: [my.games, lootdog.io] XSS via MCS Bucket
The proxy pass for a path on the my.games and lootdog.io domains was misconfigured to point to the root of public S3 storage, allowing static content to be placed in the domain path and leading to possible XSS...
Mail.ru: CSRF Delete chat invitation link.
A CSRF vulnerability in api.my.games allowed deleting a chat invitation link with a cross-site request...
Mail.ru: [MY.GAMES] XSS in the messenger
XSS in store.my.games on chat message...
Mail.ru: [my.games] Stored XSS via untrusted bucket
Domain, site, application -- https://my.games/ Details -- If you check the page source of https://my.games, you can notice that the site gets static files (scripts, styles, images) using the following URL declaration: https://my.games/hotbox/mygames/frontend/v3-6-13/img/share/main.png mygames here is a name of...
Mail.ru: Cross-Site Request Forgery (CSRF) in my.games API
A CSRF vulnerability allowed adding, deleting and editing store.my.games comments...
Mail.ru: CSRF on https://market.my.games
Description Hi team, While exploring the https://market.my.games/ domain, I found that this domain is vulnerable to CSRF. This site includes an X-CSRFToken in headers, but it seems the server doesn't validate it at all. Many endpoints require application/json as their content-type so we can't exploit this iss...