12 matches found
OWOX, Inc.: The URL in "Choose a data source" at "https://bi.owox.com/ui/settings/connected-services/setup/" is not filtered => reflected XSS.
Hi team, This is another report with 732987. Because it is completely independent Detail -- In the process of selecting the data source at https://bi.owox.com/ui/settings/connected-services/setup/, I found a reflected XSS. Specifically, when you click on Google Analytics, a page will appear for y...
OWOX, Inc.: Session is not expire after logout
Reproduction: Step no 1: Open URL: https://www.owox.com/products/ or open your user account. Step no 2: Copy URL or paste another tab. Step no 3: Go back again first tab or logout your account. Step no 4: And check the copied URL section is working properly. Reference From: 244875 Reference From: 263873...
OWOX, Inc.: Server-side cache poisoning leads to the http://my.dev.owox.com inaccessibility
By using a single specially crafted URL, it was possible to cause service inaccessibility for all users who will visit the site, as a result of an infinite redirect loop. I discovered an issue, when by using a single specially crafted URL, it was possible to cause service inaccessibility for all users who...
OWOX, Inc.: Broken Authentication & Session Management (Login Bypass) at support.owox.com
Hello Team, While I was testing your Web Application OWOX, I came to know that https://support.owox.com/ is Vulnerable to "Broken Authentication & Session Management Vulnerability" and it is possible to bypass the login very easily. When the user login with his credentials via gmail account, he...
OWOX, Inc.: Subdomain takeover in many subdomains
Subdomain takeover was possible in some of the subdomains. Though you can't claim it and host your page but it compromises them of using certain Google services like GMAIL, Calendar, G-Drive, etc. on those subdomains...
OWOX, Inc.: Stored XSS at https://finance.owox.com/customer/accountList
XSS on finance.owox.com instance POC: 1 Login to the site 2 Go to the https://finance.owox.com/customer/accountList 3 You will be XSSed immediately. Reproduce steps: 1 Go to the https://finance.owox.com/customer/accountAdd Place in the username next payload: "alertdocument.cookie; 3 Go to the...
OWOX, Inc.: Access to Grafana Dashboard
Hi, I was looking at the office.owox.com on port 3000 Grafana webapp. I'm not sure if it is for demo purposes, but I can access the main dashboard and view all graphs. I am also able to sign in and create my own organizations, dashboards etc. I searched on the net for any reference to this web...
OWOX, Inc.: Subdomain Takeover on OWOX.RU
Subdomain http://www.owox.ru/ was preserved from being taken over by an attacker: https://kiosk.owox.ru/ https://blog.owox.ru/...
OWOX, Inc.: Subdomain Takeover on http://blog.owox.com/
Subdomain Takeover via http://blog.owox.com...
OWOX, Inc.: ClickJacking
Hi there! I have found a clickjacking vulnerability in your website. You should set the frames to fix the issue...
OWOX, Inc.: Subdomain Takeover on http://kiosk.owox.com/
Subdomain http://kiosk.owox.com/ was preserved from being taken over by an attacker...
OWOX, Inc.: HTTP Response Splitting(CRLF injection) in bi.owox.com
Hello, I found a CRLF injection vulnerability in bi.owox.com More about HTTP response splitting https://www.owasp.org/index.php/TestingforHTTPSplitting/SmugglingOTG-INPVAL-016 POC Burp Adding a new header with %0d%0a F122461 Regards, Florin...