akkiliON

XSS reflected - outlook.[*].com & [*].live.com


Hi. I found two XSS vulnerabilities in applications owned by Microsoft. One is in Outlook, and the second is in another application used and known by many... I can't give details at the moment because neither of them has been fixed so far... At least, I haven't received a duplicate on the reports I sent. 🙂

 

1. XSS reflected (without user interaction) - [*].live.com:

 

xss-live.png

 

 

 

2. XSS reflected (user interaction required) - Outlook:

 

xss-outlook.png

 

 

I noticed that these domains are also vulnerable: office365.com and live.com.

On 10/1/2022 at 10:45 PM, Nytro said:

Nice, I'm curious how much they'll pay for them.

 

I'll come back with a message when I get any news.... It will surely take some time....

 

23 hours ago, GabrielRo said:

Congratulations! 👏

 

Thanks!

 

4 hours ago, 0xStrait said:

Nice, congratulations!

 

BTW (out of scope):

 

https://api.partnercenter.microsoft.com/insights/v1/mpn/swagger/index.html?configUrl=https://pentesting.syzhack.com/swg/test.json

 

 

I found this one too and wanted to report it, at least for the HoF. If you found it too and they told you it's out of scope.... there's no point anymore.... 😅

 

3 hours ago, Zatarra said:

N00b :| you found it and then stopped

 

Hey nO_Ob, who told you to sit around... get to work 😂

Spoiler

Thank you for taking the time to share your report. Based on the assessment from our engineering team, we have determined that your case 74XYZ is eligible for a US$3000.00 bounty award under the M365 Bounty Program. Congratulations!

 

The vulnerability in [*].live.com. I received the message today. I didn't expect a reply this quickly. 🙂

 

Later edit: They have also fixed it... LOL. I just checked 😅

Edited by akkiliON