FoxyCart (Bug Bounty) - Filter Bypass & Persistent API Vulnerability
This week an issue in the FoxyCart API was patched through the official bug bounty program. Security researcher and CEO Benjamin Kunz Mejri discovered an application-side input validation vulnerability in connection with a filter bypass issue.
The security vulnerability was located in the `comments` input field value of the `landing/white-glove-onboarding > Help Form` module. Remote attackers can exploit the issue to have persistent malicious content executed in FoxyCart service mails.
The injection takes place in the POST request of the help contact form, through the vulnerable `comments` input value. The script code executes on the application side, in the context of the email body. Attackers are able to inject iframes, img sources with onload alert, or other script code tags. The service does not encode the input and also applies no input restriction.
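The missing output encoding and input restriction described above, shown as an added example that is not FoxyCart's code: a help-form mailer that concatenates the comment raw, next to one that restricts and HTML-encodes it before it reaches the email body. The function names, the 2000-character limit, the addresses and the sample input are assumptions made for illustration.

```python
import html
import re
from email.message import EmailMessage

MAX_COMMENT_LEN = 2000  # assumed limit; the advisory names no specific value

# Control characters except tab/newline; CR is normalised before this runs.
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def clean_comment(raw: str) -> str:
    """Input restriction: normalise newlines, drop control chars, cap length."""
    text = raw.replace("\r\n", "\n").replace("\r", "\n")
    return _CONTROL.sub("", text)[:MAX_COMMENT_LEN]


def render_unsafe(comment: str) -> str:
    """The flaw described above: form input concatenated raw into the HTML body."""
    return "<html><body><p>New help request:</p><div>" + comment + "</div></body></html>"


def render_safe(comment: str) -> str:
    """Output encoding: every HTML metacharacter in the comment becomes an entity."""
    encoded = html.escape(clean_comment(comment), quote=True).replace("\n", "<br>\n")
    return "<html><body><p>New help request:</p><div>" + encoded + "</div></body></html>"


def build_help_mail(comment: str) -> EmailMessage:
    """Service mail with a plain-text part and an encoded HTML alternative."""
    msg = EmailMessage()
    msg["Subject"] = "Help form submission"
    msg["From"] = "noreply@example.invalid"  # placeholder address
    msg["To"] = "support@example.invalid"    # placeholder address
    msg.set_content(clean_comment(comment))  # text/plain part: no markup is rendered
    msg.add_alternative(render_safe(comment), subtype="html")
    return msg


# Constructed sample input of the kind the advisory lists (iframe, img with onload).
SAMPLE = 'Need help<iframe src="https://example.invalid/"></iframe><img src="x" onload="alert(1)">'

if __name__ == "__main__":
    mail = build_help_mail(SAMPLE)
    print(mail.get_body(preferencelist=("html",)).get_content())
```

Encoding at the point where the value is written into the HTML part is the control that matters here; the length and control-character restriction only narrows what reaches that point.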