6 matches found
MAL-2022-510 Malicious code in @polymail/fetlife-assets (npm)
Source: ghsa-malware 4c5d29128d9ae8bd6c51f07e417b79bdd6045e3b5843a0b855d45ac271573438. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Polymail, Inc.: Metadata leakage via IDOR
Inbox metadata leakage via an Insecure Direct Object Reference (IDOR) on one endpoint...
Polymail, Inc.: Reflected XSS by changing url parameters on the user invite onboarding links.
@renekroka discovered a potential reflected XSS by changing URL parameters on the user invite onboarding links. 1...
Polymail, Inc.: Bug in OAuth Success Redirect URI Validation
@bluebert discovered a bug on the OAuth login endpoint that allowed OAuth login URLs to be generated with Polymail as a subdomain of an external domain. This has now been fixed. A bug in how OAuth login URLs were generated, in particular in validation of the redirect URI, allowed an attacker to steal secrets...
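The redirect URI check described above is the kind that matches on a hostname prefix, so any external domain carrying a Polymail-looking label passes. The following is an added example, not Polymail's code, contrasting a prefix check with an exact allowlist match; the hostnames, `ALLOWED_REDIRECTS`, the IdP endpoint and all function names are assumptions made for illustration.

```javascript
// Added example (not Polymail's code): validating an OAuth redirect_uri
// before embedding it in a login URL. Hostnames and endpoints are assumptions.
const ALLOWED_REDIRECTS = [
  "https://app.polymail.example/oauth/callback",
];

// Weak check of the kind that lets "polymail.<external-domain>" through:
// it only asks whether the hostname starts with the expected label.
function weakRedirectCheck(uri) {
  let u;
  try { u = new URL(uri); } catch { return false; }
  return u.protocol === "https:" && u.hostname.startsWith("polymail");
}

// Strict check: parse, normalise, then require an exact origin + path match
// against the registered allowlist. Userinfo and fragments are rejected
// outright because they are classic ways to smuggle a different host past
// a naive string comparison ("https://app.polymail.example@attacker.example/").
function strictRedirectCheck(uri) {
  let u;
  try { u = new URL(uri); } catch { return false; }
  if (u.protocol !== "https:") return false;
  if (u.username || u.password || u.hash) return false;
  return ALLOWED_REDIRECTS.some((allowed) => {
    const a = new URL(allowed);
    return u.origin === a.origin && u.pathname === a.pathname;
  });
}

// Build the authorize URL only for an allowlisted redirect; per-login data
// belongs in the state parameter, not in the redirect URI itself.
function buildOAuthLoginUrl(authorizeEndpoint, clientId, redirectUri, state) {
  if (!strictRedirectCheck(redirectUri)) return null;
  const u = new URL(authorizeEndpoint);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("state", state);
  return u.toString();
}
```

Comparing `origin` and `pathname` after WHATWG parsing also defeats path traversal (`/oauth/callback/../evil` normalises to `/oauth/evil`) and backslash tricks that a raw string comparison would miss.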
Polymail, Inc.: XSPA on API service endpoint
A batch endpoint on the API was vulnerable to XSPA (cross-site port attack, a server-side request forgery variant) due to incorrect validation of the url parameter in the request body...
Polymail, Inc.: [share.polymail.io] XSS when uploading a file to the server
Files uploaded to Polymail could contain JavaScript that executed when the file was served. This has now been mitigated and resolved...
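An upload becomes stored XSS only if the server later serves it in a way the browser will render: as `text/html`, as an SVG, or with a sniffable body and no `nosniff`. The following is an added example, not Polymail's code, of the response headers a download handler should compute for user-supplied files; the content-type list, the sniffing heuristic and the function names are assumptions chosen for illustration.

```javascript
// Added example (not Polymail's code): response headers for serving
// user-uploaded files so that an HTML/SVG/JS payload is downloaded, never
// rendered. Assumes uploads are served from a dedicated origin (as a share
// host would be) so that even a rendered file could not reach app cookies.
const ACTIVE_CONTENT_TYPES = new Set([
  "text/html", "application/xhtml+xml", "image/svg+xml", "text/xml",
  "application/xml", "text/javascript", "application/javascript",
]);

// Cheap sniff of the first 512 bytes, applied regardless of the declared
// type: a "text/plain" upload whose body is an HTML document is still HTML
// to a browser that is allowed to sniff.
function sniffLooksActive(bytes) {
  const head = bytes.subarray(0, 512).toString("latin1").trimStart().toLowerCase();
  return head.startsWith("<!doctype html") || head.startsWith("<html") ||
    head.startsWith("<svg") || head.startsWith("<?xml") || head.includes("<script");
}

// RFC 6266 Content-Disposition: an ASCII fallback with quotes and CR/LF
// stripped (no header injection) plus an RFC 5987 filename* for the real name.
function contentDisposition(name) {
  const ascii = name.replace(/[^\x20-\x7e]/g, "_").replace(/["\\\r\n]/g, "_");
  return `attachment; filename="${ascii}"; filename*=UTF-8''${encodeURIComponent(name)}`;
}

function downloadHeaders(filename, declaredType, bytes) {
  let type = (declaredType || "application/octet-stream").split(";")[0].trim().toLowerCase();
  if (ACTIVE_CONTENT_TYPES.has(type) || sniffLooksActive(bytes)) {
    type = "application/octet-stream";            // never hand the browser active content
  }
  return {
    "Content-Type": type,
    "Content-Disposition": contentDisposition(filename),
    "X-Content-Type-Options": "nosniff",            // the declared type is final
    "Content-Security-Policy": "default-src 'none'; sandbox",  // belt and braces if rendered anyway
    "Cache-Control": "private, no-store",
  };
}
```

`attachment` plus `nosniff` is the pair that matters: the first keeps the file out of the page, the second stops the browser from second-guessing `application/octet-stream`; the CSP `sandbox` directive covers the case where a file is still opened inline (for example from a preview feature) by denying it script execution and an origin.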