Wednesday, October 22, 2014

[Multiple Stored XSS] Compose.io [Reported, ignored, unfixed]

I reported this security issue in August and have not received any answer...
Affected domain: compose.io
Vulnerability description: Stored XSS affecting multiple fields and sections.
How to:
  1. Go to Admin ---> Users (https://app.compose.io/[your name]/mongo/[your user]/users) ---> Add new user
  2. Type your payload in the name field, type a random password, then confirm the user.
  3. Done! The payload is stored with the user and executes wherever the name is rendered.
It's funny because it affects multiple fields of the app, not only the user name field. It also affects https://app.compose.io/account/activity

A few images...

They offer a Hall of Fame ---> https://bugcrowd.com/list-of-bug-bounty-programs
Their Hall of Fame ----> https://www.compose.io/security

Kind regards.
