MAL-2022-6800 Malicious code in upchieve-server (npm)
Source: ghsa-malware 4e71a98a78cfa7d530e0544425c37aeb89014ae938333f157afa35954bde0492. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
UPchieve: Clickjacking at https://hackers.upchieve.org/login
I found clickjacking at the login page on https://hackers.upchieve.org that can be exploited if the UI overlay can be performed correctly by the attacker. Clickjack test page: "Website is vulnerable to clickjacking! Click me when you finish." Impact: It's the login page, so if the UI overlay can be performed...
UPchieve: Outdated Copyright Message @ Welcome email
Description: An outdated copyright notice is present in the "Welcome to UPchieve!" email, which still shows the year "2020". Impacted Security Property: Integrity. ASVS Categories: Architecture, Design and Threat Modeling. POC email and video: Gmail - Welcome to UPchieve!.pdf and recording-1632912432386.webm...
UPchieve: Password reset token leakage
Reset Password link: http://hackers.upchieve.org/setpassword?token=a3c448b1eb9b982f93ec39a7181ec1a2 1. Open the password reset page from the email. 2. Intercept the request (I have used Burp Suite). 3. You can see the link for the password reset in the requests below: POST...
UPchieve: Password Reuse
Issue Description: A user is able to reuse any of their old passwords during the change password process. URL & Location: https://hackers.upchieve.org/resetpassword POC video: recording-1632907447530.webm @thug645 Impact: Misconfiguration...
UPchieve: Missing Validation in editing "Your Phone Number"
A verification method is missing when changing "Your Phone Number". There is no OTP or code sent to the new number for validation. POC video: recording-1632905982558.webm @thug645 Impact: Misconfiguration...
UPchieve: No Rate Limiting for Password Reset Email Leads to Email Flooding
There is "No Rate Limiting" implemented in sending the Password Reset Email. Thus, an attacker can use this vulnerability to bomb the email inbox of the victim. Affected URL: https://hackers.upchieve.org/resetpassword Steps to Reproduce: 1. Log in to: https://hackers.upchieve.org/ 2. Go to:...
UPchieve: I can join without user and pass on this website https://argocd.upchieve.org/settings/accounts
Summary: I can see the content. Steps To Reproduce: The website is not good. 1. If I join this website I can see the content: https://argocd.upchieve.org/settings/accounts Supporting Material/References: You must need good programmers. https://argocd.upchieve.org/settings/accounts Recommendations for...
UPchieve: URL redirection
Summary: The following URL is vulnerable to redirect: https://app.upchieve.org Steps To Reproduce: When you add @evil.com, the user will be directed to evil.com: https://[email protected] Impact: Users could get redirected to a malicious domain...
UPchieve: Blind SQL on [ https://argocd.upchieve.org/login?return_url=id= ]
Summary: I have discovered a blind SQL on your site's login page, which I confirmed using two scenarios to confirm its existence. Steps To Reproduce: add details for how we can reproduce the issue. Use the following payloads; this one returned a 200 OK response confirming the SQL vulnerability's existence...
UPchieve: Clickjacking on profile page leading to unauthorized changes
Summary: Any attacker could use iFrame options to connect remotely to the real website, and he can craft his own website using the iFrame options of the specific link, which can lead to unauthorized changes if the user is logged in. Steps To Reproduce: 1. Login to https://app.upchieve.org/profi...
UPchieve: Full account takeover of any user through reset password
Summary: Hi Security team members, usually, if we reset our password on https://app.upchieve.org, we get a password reset link in the email, and through that password reset link we can reset our password. But I noticed that if we add another email in the forgot password request...
UPchieve: Zero-click account takeover due to API misconfiguration
Hacker reported that full account takeover was possible through exploitation of one of our forms. Hacker provided sufficient information to prove capability and how to remediate. Our team remediated the issue so that the takeover is no longer possible. I was able to take over any account without any...
UPchieve: Hyperlink Injection while signing up
Summary: An attacker can add their name to a URL in order to send an email containing malicious hyperlinks while signing up. Steps To Reproduce: 1. Go to https://app.upchieve.org and create an account with the first name http://attacker.com/ and last name . 2. Now check your email and you will notice there is...