Malicious code in taxjar-developers (npm)
The package taxjar-developers was found to contain malicious code...
MAL-2025-34584 Malicious code in taxjar-developers (npm)
The package taxjar-developers was found to contain malicious code...
Malicious code in taxjar-bundler (RubyGems)
MAL-2024-7032 Malicious code in taxjar-bundler (RubyGems)
Stripe: Mass Accounts Takeover Without any user Interaction at https://app.taxjar.com/
@mrasg discovered an improper access control issue in TaxJar. This could have allowed for account takeover using the email change functionality. The vulnerability was caused by not correctly validating whether or not the reset password token was connected to the user being reset and was resolved ...
Stripe: Unauthorized Canceling/Unsubscribe TaxJar account & Payment information Disclosure
@mrasg discovered that users of an account with member permissions were improperly allowed to view certain subscription details and cancel the subscription for that account. I discovered a vulnerability that allows a user who has member privileges to unsubscribe/cancel the account instead of th...
Stripe: Full TaxJar account control and ability to disclose and modify business account settings due to Broken Access Control in /current_user_data
Improper access control at app.taxjar.com/current_user_data allows a user with the member role to invite themselves to the account as an admin...
Stripe: [Broken Access Control] Unauthorized Linking accounts & Linked Accounts info Disclosure
@mrasg discovered that users of an account with member permissions were improperly allowed to see activated linked accounts and connect new carts to the account. I discovered a vulnerability that allows a user who has member privileges to connect new carts to the TaxJar account, like...
Stripe: Mass account takeover!
@akashhamal0x01 discovered an Organization Owner could update the email address of a member of their organization in TaxJar. This could have allowed an attacker to take over a victim’s account if the victim belonged to the attacker’s organization. The vulnerability was caused by the ability to ed...
Malicious code in taxjar-blog (npm)
Source: ghsa-malware f6023826d533e0005bb6eb243f84755034bce33d3f0de3ee904171fd42480858. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-6422 Malicious code in taxjar-blog (npm)
Source: ghsa-malware f6023826d533e0005bb6eb243f84755034bce33d3f0de3ee904171fd42480858. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Stripe: Mass Account Takeover at https://app.taxjar.com/ - No user Interaction
@beerboyankit discovered an IDOR in the user invite link in Taxjar. This could have allowed an attacker to take over a user's account. The vulnerability was caused by a leaked token in the delete invitation request feature and resolved by using the invitation ID instead of the token to look up th...