Hi, we discovered a major problem in the login page of Rollbase. A cross-site scripting vulnerability exists that could allow an attacker to gather usernames and passwords from the HTTPS login site. Where should we report this? Thanks
Please submit support requests from your customer zone.
Thanks Pavel for the response.
We have submitted a support ticket, but have not received a response for more than 24 hours now.
I think this problem needs to be resolved as quickly as possible, as I have created code that can submit login information to a third-party site.
I have not seen your ticket. What's your company name? Anyway, I think the issue is resolved now - please check whether you can still hack the login page.
Thank you. I have submitted the support ticket to Rollbase.ph; however, we have not received a response yet. It seems that Rollbase.com's XSS problem is fixed, and I'm happy for the quick action, but the problem persists on the .PH site.
Once again, thanks!
It will be fixed on the .ph server as well after the next update.
Thanks. However, we still have a problem on the Log-Out portion this time. Sorry to be a nitpicker, but there is still an XSS vulnerability on the log out page. I created a script that could steal or hijack an existing user session, bypassing the need to log in. An attacker could have the same access privileges as the hacked account.
Can you please look into this? I can give the attack code if you want.
Again, a big thanks!
Thanks for noticing, will fix ASAP.