Upserve : Payment method token being sent to 3rd party analytics service
Vulnerability Details: Payment tokens can be re-used to link the credit card to another user's account. When linking a credit card, a URL with Paymentmethodtoken will be generated and then the user will be redirected to the generated URL F523794 Then, a request will be made to orders.upserve.com t...
Upserve : Open redirect on https://hq-api.upserve.com/
The returnto parameter on https://hq-api.upserve.com/auth/auth0?prompt=none&returnto= was not validated and allowed an open redirect...
Upserve : Reflected XSS on https://inventory.upserve.com/ (affects IE users only)
The REQUESTURI was assigned as the value of a hidden field in the login form without proper escaping resulting in a reflected cross-site scripting bug. Browsers were mitigating the issue and IE was only impacted if XSS protection was disabled. We've improved the sanitization of this field. The...
Upserve : Open redirect at https://inventory.upserve.com/http://google.com/
The following URL is vulnerable to an open redirect it will redirect to stanko.sh: https://inventory.upserve.com/http://stanko.sh/ Impact Users could get redirected to malicious domain...
Upserve : [theacademy.upserve.com] Reflected XSS Query-String
Steps To Reproduce: Open URL in FireFox: https://theacademy.upserve.com/roles/?%22%3E%3Cscript//src=data,alertlocation// HTTP Request http GET /roles/?%22%3E%3Cscript//src=data,alertlocation// HTTP/1.1 Host: theacademy.upserve.com HTTP Response html Name Views Duration Impact Reflected XSS...
Upserve : OLO Total price manipulation using negative quantities
Manipulating an order request JSON object, containing an additional item with a negative quantity directly manipulates the total amount of the order. In the following JSON request, an order is submitted for 2 ChickenBurgers $12 each, as well as -1 BreadPuddings $9 each. The total price after tax...
Upserve : reports.breadcrumb.com is vulnerable to arbitrary file existence disclosure CVE-2014-7829
A directory traversal vulnerability in a third-party ruby gem allowed a remote actor to determine the existence but not the contents of files outside of the application root...
Upserve : Blind stored xss in demo form
Through Upserve's demo request form, @pareshparmar found a blind XSS in a 3rd party package for Upserve's CRM system. While the CRM system and 3rd party package are out of scope for our program, we decided to reward @pareshparmar for his work in bringing this issue to our attention. - Endpoint...
Upserve : Information disclosure through search engines (password reset token)
Search on Google for: site:"hq.breadcrumb.com" Or access this link: https://www.google.com/search?q=site%3A%22hq.breadcrumb.com%22&oq=site%3A%22hq.breadcrumb.com%22&aqs=chrome..69i57j69i58.6216j0j7&sourceid=chrome&ie=UTF-8 Note that this vulnerability can be obtained on other search engines. Impact...
Upserve : Ability to reset password for account
The attacker was able to send a password reset link to an arbitrary email by sending an array of email addresses instead of a single email address. POST https://hq.breadcrumb.com/api/v1/passwordreset HTTP/1.1 with body like "emailaddress":"[email protected]","[email protected]"...