11 matches found
Mail.ru: [pandao.ru] possibility to attach arbitrary phone number to account registered via social network
It was possible to attach an arbitrary, unregistered phone number to an account registered via a different identifier, e.g. a social network ID. This behavior can prevent the real owner from registering with that phone number and facilitates a phishing attack if the victim attempts to log in by phone number...
Mail.ru: Avatar upload allows arbitrary file overwriting
Directory traversal via the filename extension in avatar upload allowed overwriting arbitrary files in the S3-compatible bucket that serves static files for pandao.ru. pandao.ru belongs to the extended scope...
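The report above only says the traversal came through the filename extension. The following is an added example, not code from pandao.ru or Mail.ru, showing how an upload handler that copies a user-supplied extension into a storage key can be pushed outside its prefix, and a hardened variant that allowlists the extension. The key layout (`avatars/<user_id>.<ext>`), the function names and the sample filename are assumptions constructed for the demonstration.

```python
import posixpath
import re

AVATAR_PREFIX = "avatars/"
# Allowlist of extensions the avatar endpoint is willing to store (assumed policy).
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "webp"}


def object_key_vulnerable(user_id: int, filename: str) -> str:
    """Builds the bucket key by trusting everything after the first dot.

    Hypothetical vulnerable pattern: the 'extension' is taken verbatim from
    the uploaded filename, so it can carry path separators and '..'.
    """
    ext = filename.split(".", 1)[1] if "." in filename else "bin"
    return f"{AVATAR_PREFIX}{user_id}.{ext}"


def object_key_hardened(user_id: int, filename: str) -> str:
    """Builds the key from an allowlisted extension only.

    Rejects anything that is not a short alphanumeric token, so path
    separators and traversal sequences can never reach the key.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not re.fullmatch(r"[a-z0-9]{1,5}", ext) or ext not in ALLOWED_EXT:
        raise ValueError("disallowed extension")
    return f"{AVATAR_PREFIX}{user_id}.{ext}"


def escapes_prefix(key: str) -> bool:
    """True if the key, once normalized like a path, leaves AVATAR_PREFIX.

    S3 itself does not normalize keys, but a CDN, reverse proxy or static
    file server in front of the bucket typically does; that is what turns
    'avatars/1.png/../../index.html' into an overwrite of 'index.html'.
    """
    return not posixpath.normpath(key).startswith(AVATAR_PREFIX)


def demo() -> dict:
    # Constructed attacker filename: a valid-looking image name followed by traversal.
    malicious = "pic.png/../../index.html"
    out = {
        "vuln_key": object_key_vulnerable(1, malicious),
        "vuln_escapes": escapes_prefix(object_key_vulnerable(1, malicious)),
        "safe_key": object_key_hardened(1, "Pic.PNG"),
    }
    try:
        object_key_hardened(1, malicious)
        out["hardened_rejects"] = False
    except ValueError:
        out["hardened_rejects"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The check that matters is the allowlist on the extension, not stripping `..`: a denylist leaves encoded or doubled variants open, while `[a-z0-9]{1,5}` cannot express a separator at all. Deriving the extension from the detected content type instead of the filename is stricter still.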
Mail.ru: Disable 2FA via CSRF (Leads to 2FA Bypass)
A CSRF vulnerability in pandao.ru allowed disabling 2FA. pandao.ru belongs to the extended scope...
Mail.ru: Disclosure of information about completed operations
The history API in pandao.ru could disclose non-personalized data about recent operations...
Mail.ru: [https://pandao.ru] - PUT method available
An unrestricted PUT method allowed uploading static content to the pandao.ru server...
Mail.ru: Access to the account after a password change.
Sessions were not invalidated on password change in pandao.ru...
Mail.ru: CSRF to remove an item from the cart
A CSRF vulnerability in pandao.ru allowed removing an item with an ID known to the attacker from the victim's cart. At the time of reporting, client-side vulnerabilities in pandao.ru were not covered by the bug bounty program...
Mail.ru: [pandao.ru] Ability to spend non-existent bonus points
A TOCTOU race condition in the pandao.ru marketplace allowed spending the same bonus points more than once. At the time of reporting, pandao.ru was running a temporary pre-bug-bounty competition program with $1000 bounties for vulnerabilities related to money/points/orders manipulation...
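The summary names the bug class (check-then-act on a balance) without describing the implementation. As an added example, not pandao.ru's code, here is the canonical shape of that race against a bonus balance, with the two concurrent checkouts interleaved deterministically rather than with real threads, beside the single-statement conditional update that closes it. The table layout, function names and the starting balance of 100 points are constructed for the demonstration.

```python
import sqlite3


def setup_db(balance: int = 100) -> sqlite3.Connection:
    """Constructed in-memory store: one user with a bonus balance."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bonus (user_id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO bonus VALUES (1, ?)", (balance,))
    conn.commit()
    return conn


def read_balance(conn: sqlite3.Connection, user_id: int) -> int:
    return conn.execute("SELECT balance FROM bonus WHERE user_id = ?", (user_id,)).fetchone()[0]


def spend_vulnerable(conn, user_id: int, amount: int, observed_balance: int) -> bool:
    """Check-then-act split across two statements (hypothetical vulnerable pattern).

    The check runs against a balance read earlier; by the time the UPDATE
    lands, another request may already have spent the same points.
    """
    if observed_balance < amount:
        return False
    conn.execute("UPDATE bonus SET balance = ? WHERE user_id = ?", (observed_balance - amount, user_id))
    conn.commit()
    return True


def race_vulnerable(conn, user_id: int, amount: int) -> tuple:
    """Two checkouts both read the balance before either writes it back."""
    seen_a = read_balance(conn, user_id)   # request A: time of check
    seen_b = read_balance(conn, user_id)   # request B: time of check (same value)
    ok_a = spend_vulnerable(conn, user_id, amount, seen_a)   # time of use
    ok_b = spend_vulnerable(conn, user_id, amount, seen_b)   # stale check still passes
    return ok_a, ok_b, read_balance(conn, user_id)


def spend_atomic(conn, user_id: int, amount: int) -> bool:
    """Check and debit in one statement; the row lock makes it serializable.

    The WHERE clause carries the balance check, so a concurrent debit that
    already drained the balance leaves rowcount == 0 instead of overspending.
    """
    cur = conn.execute(
        "UPDATE bonus SET balance = balance - ? WHERE user_id = ? AND balance >= ?",
        (amount, user_id, amount),
    )
    conn.commit()
    return cur.rowcount == 1


def race_atomic(conn, user_id: int, amount: int) -> tuple:
    ok_a = spend_atomic(conn, user_id, amount)
    ok_b = spend_atomic(conn, user_id, amount)
    return ok_a, ok_b, read_balance(conn, user_id)


if __name__ == "__main__":
    print("vulnerable:", race_vulnerable(setup_db(100), 1, 100))  # both succeed, 200 points spent
    print("atomic:    ", race_atomic(setup_db(100), 1, 100))      # second debit refused
```

In the vulnerable path both requests pay for a 100-point order from a 100-point balance and the ledger still ends at 0, which is exactly the double-spend the report describes. The same fix applies with `SELECT ... FOR UPDATE` inside one transaction, or an optimistic version column in the WHERE clause; what matters is that the check and the write cannot be separated by another request.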
Mail.ru: [api.pandao.ru] IDOR allows changing any user's address
An IDOR in the deliveryProfiles API of the pandao.ru marketplace allowed changing the delivery address of an arbitrary user. At the time of reporting, pandao.ru was running a temporary pre-bug-bounty competition program with $1000 bounties for vulnerabilities related to money/points/orders manipulation...
Mail.ru: Ability to log into any account https://pandao.ru/
A logic bug in SMS verification code handling allowed access to the pandao.ru account bound to an arbitrary phone number. At the time of reporting, pandao.ru was running a preliminary bug bounty for business-logic bugs with fraud potential. When logging in by phone number, there was no check whether the sent SM...
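The summary is cut off before it says what the missing check compared, so the following is an added illustration of the bug class rather than pandao.ru's code: an OTP verifier that accepts any currently valid code without binding it to the phone number that requested it, beside one that keys the lookup on the phone, compares in constant time, expires the code, limits attempts and makes it single-use. The store layout, phone numbers and function names are assumptions constructed for the example.

```python
import hmac
import secrets
import time


class OtpStore:
    """Constructed in-memory OTP store: phone -> {code, expiry, attempts}."""

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 5):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.codes = {}

    def issue(self, phone: str) -> str:
        # 6-digit code from a CSPRNG. Returned here only so the example can
        # drive both sides; a real service hands it to the SMS gateway.
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[phone] = {"code": code, "exp": time.time() + self.ttl, "attempts": 0}
        return code


def verify_vulnerable(store: OtpStore, phone: str, code: str) -> bool:
    """Hypothetical vulnerable check: is this code valid for *anyone*?

    The phone the user is logging in as is never compared with the phone
    the code was issued to, so a code sent to the attacker's own number
    unlocks whichever account the attacker names.
    """
    return any(entry["code"] == code for entry in store.codes.values())


def verify_bound(store: OtpStore, phone: str, code: str) -> bool:
    """Hardened check: the code must have been issued to this exact phone."""
    entry = store.codes.get(phone)
    if entry is None:
        return False
    if time.time() > entry["exp"] or entry["attempts"] >= store.max_attempts:
        del store.codes[phone]          # expired or brute-forced: discard
        return False
    entry["attempts"] += 1
    if hmac.compare_digest(entry["code"], code):
        del store.codes[phone]          # single use
        return True
    return False


def attacker_takeover(verify) -> bool:
    """Attacker requests a code for their own phone, then submits it for the victim's."""
    store = OtpStore()
    attacker_phone, victim_phone = "+70000000001", "+70000000002"
    store.issue(victim_phone)                 # victim may have a pending code too
    own_code = store.issue(attacker_phone)
    return verify(store, victim_phone, own_code)


def legitimate_login(verify) -> tuple:
    """Owner uses their own code once; a replay of the same code must fail."""
    store = OtpStore()
    phone = "+70000000003"
    code = store.issue(phone)
    first = verify(store, phone, code)
    replay = verify(store, phone, code)
    return first, replay


if __name__ == "__main__":
    print("vulnerable takeover:", attacker_takeover(verify_vulnerable))
    print("hardened takeover:  ", attacker_takeover(verify_bound))
    print("hardened own login: ", legitimate_login(verify_bound))
```

The binding to the phone is the point of the report; the expiry, attempt cap and single use are the checks a reviewer would look for in the same handler, since a verifier that binds correctly but allows unlimited guesses of a 6-digit code is still a takeover.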
Mail.ru: CSRF to like a review (Pandao)
A CSRF vulnerability in pandao.ru allowed forcing a user to "like" a review. At the time of reporting, client-side vulnerabilities in pandao.ru were not covered by the bug bounty program...