Events Manager – Stored XSS

Info Product: Events Manager Version: Active installations: 100,000+ Product page: CVE: 2018-9020 Description An unauthenticated user or a user without privileges, who can submit an event, can inject javascript code in the Google Maps miniature. The malicious code runs in the admin panel when a user with privileges opens the submitted event. The problem is in the file events-manager.js, the variable mapTitle is not escaped. Proof of Concept Events Manager 5....

March 25, 2018 · 1 min · 124 words · Luigi Gubello

Multiple stored XSS in AOL Mail

In November, I reported various persistent XSS vulnerabilities in AOL Mail to the AOL Security Team. They replied quickly and fixed the vulnerabilities in less than 90 days. 1. Using an unclosed tag, it was possible to inject arbitrary javascript code. The payload ran as soon as the victim opened the site because the code was in the e-mail preview. 18/11/2017 - I send the report 28/11/2017 - The vulnerability is fixed and I’m rewarded by having my name written in the Hall of Fame...

March 23, 2018 · 2 min · 223 words · Luigi Gubello

Utilizzare il Raspberry Pi 3 via Termux

Qualche mese fa ho comprato un Raspberry Pi 3 Model B, l’ho comprato per curiosità, per giocarci (letteralmente). Nelle settimane successive ho acquistato un piccolo schermo da 3,5 pollici, una powerbank e un paio di joystick (modello Nintendo SNES) e grazie al bellissimo progetto RetroPie ho trasformato il mio Raspberry in una console portatile di giochi retro. L’obiettivo di questo post è spiegare come configurare un Raspberry per poterlo usare tramite smartphone Android via connessione SSH, anche se il Raspberry non è connesso a nessuna rete wi-fi....

March 7, 2018 · 4 min · 824 words · Luigi Gubello

Stored XSS via cloud attachment

ZOHO Mail is a business mail that includes integrated calendar, contacts, notes, and tasks apps. Initially I was looking for a stored XSS in the webmail, but I did not find it so I started checking the other services. I wondered if it was possible to inject malicious code via attachments in ZOHO Notes. By attaching a local file it wasn’t, but in ZOHO Notes you can attach files from some cloud services: Google Drive, Dropbox, Box and Evernote....

January 20, 2018 · 2 min · 342 words · Luigi Gubello

Stored XSS in

This is my first public disclosure on HackerOne. It is a partial disclosure, but the summary is clear: there was a stored XSS in the image preview feature via crafted attachment filename. #275274 - - Stored XSS 07/10/2017 - I send the report 11/10/2017 - The vulnerability is fixed and the bug bounty reward is 750$ 27/12/2017 - Public disclosure

December 27, 2017 · 1 min · 61 words · Luigi Gubello