HackerOne Disclosed Reports - 2025-03-13 - Printable Version
+- Dark C0d3rs (https://darkcoders.wiki)
+-- Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log)
+--- Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports)
+--- Thread: HackerOne Disclosed Reports - 2025-03-13 (/Thread-HackerOne-Disclosed-Reports-2025-03-13)
HackerOne disclosed reports - 2025-03-13 - hashXploiter - 03-14-2025
High
resolved Stored Cross-Site Scripting in mercadopago.com.ar
Bug reported by El Mago was disclosed at March 13, 2025, 7:53 pm | Cross-site Scripting (XSS) - Stored
The summary is as follows: A stored cross-site scripting vulnerability was discovered in mercadopago.com.ar. The issue was acknowledged and addressed by MercadoLibre internally.
Low
resolved Domain highlighting on External link warning is not working on Chrome & Microsoft Edge browsers on Mobile
Bug reported by Sarthak Raju Bhingare was disclosed at March 13, 2025, 5:34 pm | Violation of Secure Design Principles
The domain highlighting functionality on the External Link Warning interstitial page was not working as intended on the Chrome and Microsoft Edge mobile browsers. The issue was reported to have been previously fixed by HackerOne, but it appears to have resurfaced. The vulnerability could have potentially allowed malicious actors to trick users into believing they were being redirected to a legitimate website when in reality they were being redirected to a malicious site.
Low
resolved cgi scripts wordlist entry for windmail.exe has payload that sends arbitrary file read result to third-party
Bug reported by floyd was disclosed at March 13, 2025, 3:44 pm | Information Disclosure
The windmail.exe application in the CGI scripts wordlist had a vulnerability that allowed an attacker to read arbitrary files on the server and send the contents to a third-party email address.