CVE
Shopizer - open source e-commerce software:
- CVE-2021-33561 Stored XSS in the administration - vulnerable customer name
- CVE-2021-33562 Reflected XSS - 'ref' parametr
Responsible disclosure
In the table below are already fixed vulnerabilities, that I found in my spare time and reported to a bugbounty or vulnerability disclosure program.
| WWW | Company | Vulnerability | Details | ||
|---|---|---|---|---|---|
| Alza.cz | Alza.cz a.s. | Email Disclosure | Email address disclosure via order tracking | ||
| Att.com | AT&T Inc. | CORS Misconfiguration | Disclosure of user data via js exploit | ||
|
05/2020
|
|||||
| Damejidlo.cz | Damejidlo.cz s.r.o. | Account Takeover (XSS), Open Redirect | Reflected XSS in the parameter GPS | ||
|
07/2020
Vulnerable parameters "lat" and "lng" in the new version of website (img)
|
|||||
| Dpp.cz | Dopravní podnik hl. m. Prahy | XSS | Reflected XSS, Stored XSS | ||
| Eshop-rychle.cz | Golemos s.r.o. | Administration Takeover (XSS), Session Fixation | Multiple Stored XSS | ||
| Foodpanda.com | Delivery Hero SE | Account Takeover (XSS) | Reflected XSS in the parameter GPS | ||
|
07/2020
Vulnerable all websites under foodpanda.com and foodora.com
Food delivery company in 16 countries (e.g. Sweden, Norway, Finland, Bulgaria, Thailand, Singapore...)
|
|||||
| Idos.idnes.cz | MAFRA a.s. | XSS | Multiple Reflected XSS | ||
|
02/2023
Reflected XSS (5x) in various parts of the web application
Reflected XSS (1x) in the mobile version of the website
Slovak version was also vulnerable: cp.hnonline.sk
|
|||||
| Ifortuna.cz | Fortuna Entertainment Group | Session Hijacking (XSS), Open Redirect | Multiple Reflected XSS | ||
|
07/2020
Reflected XSS (6x) in various parts of the web application leading to session stealing
Open Redirect without user interaction
Vulnerable all language variants: ifortuna.cz, ifortuna.sk, efortuna.pl, efortuna.ro
|
|||||
| Intersport.cz | Intersport ČR s.r.o. | Price manipulation (Parameter Tampering) | Change the total price of the order | ||
|
09/2018
Changing total order price during payment process, including successful delivery
|
|||||
| Knihydobrovsky.cz | Knihy Dobrovský s.r.o. | Price manipulation (Parameter Tampering) | Change the total price of the order | ||
|
09/2018
Changing total order price during payment process, including successful delivery
|
|||||
| Kosik.cz | Košík.cz s.r.o. | Session Hijacking (XSS), IDOR | Reflected XSS, Stored XSS | ||
|
08/2020
Save Stored XSS to billing address for all users
|
|||||
| Kupi.cz | Kupi.cz retail, s.r.o. | XSS | Reflected XSS, Stored XSS | ||
|
10/2020
|
|||||
| Mall.cz | Allegro Group CZ s.r.o. | Account Takeover (XSS) | XSS Angular Template → Account Takeover | ||
|
10/2019
|
|||||
| Patro.cz | NWT a.s. | Price manipulation (Parameter Tampering) | Change the total price of the order | ||
|
09/2018
Changing total order price during payment process, including successful delivery
|
|||||
| Rohlik.cz | Velká Pecka s.r.o. | Session Hijacking (XSS), CSRF, Session Fixation, Broken Access Control, Business Logic, Open Redirect | Reported several vulnerabilities | ||
|
04/2020
Stored XSS
CSRF - insert XSS into account
Session Hijacking (XSS + HttpOnly)
Business Logic - purchase for free with 4$ order value
Acknowledgement
|
|||||
| Rohlikbistro.cz | Velká Pecka s.r.o. | Broken Access Control | Access to sensitive info via API | ||
|
06/2020
Insecure API end-point allowing to access to sensitive info(P1)
More information about the project: https://www.cleevio.com/rohlik-bistro
|
|||||
| Seznam.cz | Seznam.cz a.s | Email Persistent Access (Session Hijacking), XSS | XSS → Session Hijacking → Persistent Access | ||
| Shopify.com | Shopify Inc. | Email Spoofing | Bypass SPF, DKIM, DMARC records | ||
|
09/2020
|
|||||
| Shoptet.cz | Shoptet a.s. | Administration Takeover (XSS), Session Fixation, Email Spoofing | Multiple Stored & Reflected XSS | ||
| Slack | Slack Technologies, Inc. | URL Spoofing | Spoofed URL in Slack conversation | ||
|
03/2020
|
|||||
| Slevomat.cz | Slevomat.cz, s.r.o. | XSS | Stored XSS | ||
|
07/2020
Unsecured username in flash-message after login (img)
(Fixed within 20 minutes from reporting 👍)
|
|||||
| Tipsport.cz | Tipsport a. s. | Account Takeover | Session Hijacking → ATO | ||
|
07/2020
Vulnerability were also on Chance.cz and Tipsport.sk
|
|||||
| Webareal.cz | Bohemiasoft s.r.o. | Administration Takeover (XSS) | Reflected XSS, Stored XSS | ||
| Upgates.cz | EVici webdesign s.r.o. | Administration Takeover (XSS), Local File Inclusion, Email Spoofing, SSRF, Session Fixation | Reported several vulnerabilities | ||