139 matches found
MAL-2025-33944 Malicious code in starbucks (npm)
The package starbucks was found to contain malicious code...
Starbucks Shifts to Manual Processes After Contractor Ransomware Attack
A ransomware attack on a third-party contractor disrupted Starbucks operations, forcing the coffee chain to fall back on manual processes for employee scheduling and ...
MAL-2023-810 Malicious code in starbuckssystem (npm)
Source: ghsa-malware e18ed0052a42d62686c598273bcac8bb23988607df0ebe2362b653cc3c1ea3cd. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
starbucks.collectionhero.com Cross Site Scripting vulnerability OBB-3214266
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
Starbucks: Japan - CSRF in webapp.starbucks.co.jp with user interaction could leak an access token if the user was not using Chrome
elber discovered a CSRF in webapp.starbucks.co.jp that leaked an access token if an authenticated user opened a crafted HTML file in a browser other than Chrome, which applies the SameSite attribute to cookies by default. elber also demonstrated the ability to add a Starbucks card to the account with...
Starbucks: Unrestricted File Upload Leads to RCE on mobile.starbucks.com.sg
ko2sec discovered that an .ashx endpoint on mobile.starbucks.com.sg, intended for image files, accepted uploads of any file type, which could lead to RCE. ko2sec's further analysis identified additional endpoints on other, out-of-scope domains that shared this vulnerability. @ko2sec —...
Starbucks: Singapore - Unrestricted File Upload Leads to XSS on campaign.starbucks.com.sg/api/upload
ko2sec discovered it was possible to upload arbitrary content on https://campaign.starbucks.com.sg/api/upload, leading to a stored XSS. This site was decommissioned. @ko2sec — thank you for reporting this vulnerability and for confirming the resolution...
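The two Singapore upload findings above share one root cause: the server trusted the client-supplied file name and stored whatever bytes arrived. The following is an added example (not code from the HackerOne reports or from Starbucks) of the validation an image endpoint should do before storing anything. The function names, the extension lists and the sample byte strings are constructed for illustration.

```python
import os
import secrets

# Magic-byte prefixes for the image types the endpoint is meant to accept.
IMAGE_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Extensions a web server executes rather than serves. .ashx is an ASP.NET
# handler, the kind of file an attacker would upload to the endpoint above.
SERVER_EXECUTABLE = {".ashx", ".asmx", ".aspx", ".asp", ".php", ".jsp", ".cgi"}

# Constructed samples: a minimal PNG header and an ASP.NET handler stub.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
ASHX_PAYLOAD = b'<%@ WebHandler Language="C#" Class="H" %>'


def accept_upload_unsafe(filename, content):
    """The pattern behind the reports: keep the client's name, store the
    bytes unchanged. A 'shell.ashx' upload becomes a live handler."""
    return os.path.basename(filename)


def accept_upload(filename, content):
    """Return the server-chosen name to store the file under, or raise."""
    name = os.path.basename(filename)  # drop any directory component
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise ValueError("missing extension")
    # Reject executable extensions in any position: some handler mappings
    # (Apache mod_mime, for example) match on every segment, not only the last.
    if any("." + p in SERVER_EXECUTABLE for p in parts[1:]):
        raise ValueError("server-executable extension in " + name)
    ext = "." + parts[-1]
    signatures = IMAGE_SIGNATURES.get(ext)
    if signatures is None:
        raise ValueError("extension not allowed: " + ext)
    if not content.startswith(signatures):
        raise ValueError("content does not look like " + ext)
    # Never reuse the client name: a random server-side name defeats
    # traversal tricks and makes the stored object unguessable.
    return secrets.token_hex(16) + ext


def is_rejected(filename, content):
    """True if accept_upload refuses the file (helper for checks below)."""
    try:
        accept_upload(filename, content)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    print("unsafe stores:", accept_upload_unsafe("../shell.ashx", ASHX_PAYLOAD))
    print("safe stores:", accept_upload("logo.png", PNG_SAMPLE))
    for name, data in [("shell.ashx", ASHX_PAYLOAD), ("shell.png", ASHX_PAYLOAD),
                       ("shell.ashx.png", PNG_SAMPLE)]:
        print(name, "rejected:", is_rejected(name, data))
```

The magic-byte check matters as much as the extension allowlist: the second finding (stored XSS via campaign.starbucks.com.sg/api/upload) needs nothing executable, only a browser that renders attacker-controlled bytes, so serving uploads from a separate origin with a fixed Content-Type is the complementary control.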
Starbucks: Default credentials for the temporary POC site alipoc.stg.starbucks.com.cn permitted WAF bypass and RCE
neweq discovered that a temporary proof of concept site alipoc.stg.starbucks.com.cn was initially configured with default credentials for a brief period of time before being taken offline. @neweq — thank you for reporting this vulnerability and for confirming the resolution...
Starbucks: Cross-Site Scripting (XSS) on www.starbucks.com | .co.uk login pages
Hi team, Summary: There is a cross-site scripting vulnerability on the login page of www.starbucks.com and various regions, due to improper escaping of the URL path. Description: The login page at https://www.starbucks.com/account/signin builds several links from the relative URL path. An attacker...
Starbucks: Misuse of an authentication cookie combined with a path traversal on app.starbucks.com permitted access to restricted data
zlz and rhynorater discovered that combining a valid authentication cookie with a path traversal allowed access to restricted data. noapearson assisted by providing additional information after the discovery. @zlz / @rhynorater / @noapearson — thank you for reporting...
Starbucks: Thailand - IDOR on www.starbuckscardth.in.th: A logged in user could view any Thailand Starbucks card balance if they knew that Starbucks card number
nnez discovered that after a successful balance transfer between two of their own registered Thailand Starbucks cards, they could change the second card-number URL parameter to any other known Thailand Starbucks card number and view that card's balance. @nnez — thank you for reporting this...
Starbucks: CRLF injection on www.starbucks.com
The vulnerability allows an attacker to set arbitrary response headers and also enables HTTP response splitting, which can then be exploited further. POC: curl -i 'https://www.starbucks.com/email-prospecttg9wh%0d%0aset-cookie:foo%0d%0a%0d%0a4t6uf?requesturl=/responsibility/global-report/policies' -d...
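To make the POC above concrete, here is an added example (not the reporter's code and not anything from starbucks.com) that models a server reflecting the percent-decoded request path into a Location header, shows how the %0d%0a pairs turn into an injected Set-Cookie header and an attacker-controlled body, and shows the check that stops it. The response layout, the host name and the INJECTED_PATH sample (which copies the shape of the reported payload) are assumptions.

```python
from urllib.parse import unquote

# Constructed sample in the shape of the reported payload: CR LF pairs
# percent-encoded inside the path, followed by a blank line and a fake body.
INJECTED_PATH = "/email-prospect%0d%0aset-cookie:foo%0d%0a%0d%0a4t6uf"


def build_response_unsafe(path):
    """Model of the bug: decode the path and reflect it into a header
    without looking for control characters."""
    location = unquote(path)
    return (
        "HTTP/1.1 302 Found\r\n"
        "Location: https://www.example.com" + location + "\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def split_response(raw):
    """Parse raw bytes the way a client does: headers end at the first blank
    line, everything after it is the body. Returns (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def validate_header_value(value):
    """Reject CR, LF and NUL before a value is placed on a header line."""
    if any(c in value for c in "\r\n\x00"):
        raise ValueError("control character in header value")
    return value


def build_response_safe(path):
    """Same redirect, but the reflected value is validated first."""
    location = validate_header_value(unquote(path))
    return (
        "HTTP/1.1 302 Found\r\n"
        "Location: https://www.example.com" + location + "\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def is_rejected(path):
    """True if the hardened builder refuses the path."""
    try:
        build_response_safe(path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    status, headers, body = split_response(build_response_unsafe(INJECTED_PATH))
    print(status, headers, body)   # set-cookie appears; body starts with 4t6uf
    print("rejected:", is_rejected(INJECTED_PATH))
```

Note what the parsed result shows: the server's own Content-Length header has been pushed into the body, so the client sees a response the attacker composed, which is what "response splitting" means. Mainstream HTTP libraries refuse header values containing CR or LF, so the vulnerable model here stands in for a server that wrote headers by string concatenation.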
Starbucks: China - Open redirect at trackinghub.starbucks.com.cn
m82a1 discovered an open redirect at https://trackinghub.starbucks.com.cn/trackinstallation due to improper validation of the redirecturl parameter. @m82a1 — thank you for reporting this vulnerability...
Starbucks: Korea - LFI Server directory traversal at starbucks.co.kr
b4bilal discovered a misconfiguration in the handling of URI paths. This permitted an adversary to traverse the document root and read non-sensitive resources that are normally not served to web users. @b4bilal — thank you for reporting this vulnerability and for confirming the resolution...
Starbucks: Minimal information disclosure of internal asset names and links which were not publicly accessible.
e4366eolywrgpidfbio discovered an application with links to internal Starbucks-related resources. The resources themselves were not publicly accessible, so the result was minimal information disclosure of host and resource names. @e4366eolywrgpidfbio — thank you for reporting this issue...
Starbucks: Singapore - IDOR in campaign.starbucks.com.sg
bytebunny discovered an Insecure Direct Object Reference (IDOR) exposing limited marketing data for customers in Singapore. @bytebunny — thank you for reporting the vulnerability and for confirming the resolution...
Starbucks: Korea - LFI via path traversal at https://msr.istarbucks.co.kr:6443/appif/
@iampuky — thank you for reporting the original vulnerability and for confirming the resolution. While analyzing the Starbucks Korea mobile application, I noticed that it called an API at https://msr.istarbucks.co.kr:6443/appif/. It was found that the application running under that directory was...
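Three of the findings above (the app.starbucks.com cookie-plus-traversal, the starbucks.co.kr docroot traversal and the msr.istarbucks.co.kr:6443/appif/ LFI) come down to the same server-side mistake: mapping a request path onto the filesystem without confining the result to the document root. The following is an added example, not code from any of these reports or from Starbucks, contrasting the usual broken mapping with a confined one. The DOCROOT value, the function names and the sample request paths are assumptions.

```python
import os
from urllib.parse import unquote

DOCROOT = "/srv/www"  # assumed document root; the reports do not name one


def resolve_unsafe(docroot, request_path):
    """The classic mistake: join the request path onto the docroot as-is.
    os.path.join discards docroot entirely when request_path is absolute,
    and '..' segments walk out of it."""
    return os.path.normpath(os.path.join(docroot, unquote(request_path)))


def resolve_safe(docroot, request_path):
    """Map a request path to a file under docroot, or raise PermissionError."""
    decoded = unquote(request_path)  # decode exactly once, as the server would
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    rel = decoded.lstrip("/")        # every request is relative to the docroot
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, rel))
    # commonpath compares whole components, so /srv/www-old is not mistaken
    # for a child of /srv/www the way a string-prefix check would allow.
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes docroot: " + decoded)
    return target


def is_blocked(request_path):
    """True if resolve_safe refuses the request (helper for checks below)."""
    try:
        resolve_safe(DOCROOT, request_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for p in ["/img/logo.png", "/../../etc/passwd", "/etc/passwd",
              "/css/%2e%2e/%2e%2e/%2e%2e/etc/shadow", "/a%00.png"]:
        print(p, "->", resolve_unsafe(DOCROOT, p), "| blocked:", is_blocked(p))
```

Two details in the safe version are the ones that usually go wrong in practice: decoding the path once (decoding twice lets %252e%252e survive a check and then turn into ..), and resolving with realpath before comparing, so a symlink inside the docroot cannot point the comparison at a path that only looks confined.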
Starbucks: sdrc.starbucks.com - Information Disclosure via unsecured attachment directory
l00ph0le submitted a valid high-severity XSS vulnerability report for sdrc.starbucks.com. After Starbucks confirmed this vulnerability and advised that the asset was not in scope, l00ph0le performed additional analysis and research to uncover an unsecured attachment directory, which elevated this to a...
Starbucks: Korea - Reflected XSS on https://www.istarbucks.co.kr/app/getGiftStock.do via "skuNo" and "skuImgUrl" parameters
rexvuz discovered the endpoint at https://www.istarbucks.co.kr/app/getGiftStock.do was susceptible to a reflected cross-site scripting vulnerability via the skuNo and skuImgUrl parameters. @rexvuz — thank you for reporting this vulnerability and for confirming the resolution...