Dark C0d3rs
HackerOne Disclosed Reports - 2025-08-18 - Printable Version




HackerOne disclosed reports - 2025-08-18 - hashXploiter - 08-19-2025

Critical
resolved

Email verification bypass via request to endpoint "accounts.insightly.com/signup/provisionuser"


Bug reported by Ali Kostak was disclosed on August 18, 2025, 7:55 pm | Improper Authorization

The vulnerability allowed bypassing email verification when creating a new Insightly account. The vulnerability existed in the "EmailAddress" parameter of the member creation endpoint. By modifying the parameter, an attacker could create a new account using any email address, including those of existing users, effectively taking over their accounts.


Medium
resolved

No SPF/DMARC records on mb-cosmos.com


Bug reported by Aditya Sharma was disclosed on August 18, 2025, 1:58 pm | Violation of Secure Design Principles

The domain mb-cosmos.com lacked SPF and DMARC records, allowing email spoofing. Emails appeared to originate from the domain without authentication. This vulnerability was reported as a security issue.