A researcher has reported vulnerabilities in websites operated by Microsoft and Twilio, along with flaws in the ProActive content management system (CMS).
Twilio rushed to address the cross-site request forgery (CSRF) vulnerability identified by researcher Rafay Baloch.
To demonstrate his findings, Baloch published a proof-of-concept video on his personal blog in which he shows how tools such as Burp Suite and Tamper Data can identify such security holes.
Microsoft also fixed the DOM-based cross-site scripting vulnerability discovered by the researcher on the Microsoft Cloud and Server site dedicated to users from France.
The researcher said another similar vulnerability is undergoing validation by Microsoft.
Right now, CMS ProActive has not taken steps to address the issues reported by Baloch.
“I found three different vulnerabilities inside ProActive CMS. It has not been updated for a while, it’s really insecure. I did not find a single CSRF token in its forms,” he said.
“Next, I found a stored XSS inside the new user field. The input was not being properly validated/checked. Along with it, I also found an open redirection vulnerability which could be exploited by an attacker to carry out phishing attacks.”
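As an added illustration (not code from the article or from ProActive CMS), the following shows defender-side checks for two of the flaw classes the quote names: a redirect-target validator that keeps redirects on the site's own host, and a per-session CSRF token check for forms. The function names, host names and secret are hypothetical.

```python
# Added example, not from the article or from ProActive CMS: defender-side
# checks for an open redirect and for a missing or mismatched CSRF token.
# Function names, hosts and the secret below are hypothetical/constructed.
import hmac
from typing import Optional
from urllib.parse import urlsplit, urljoin


def is_safe_redirect(target: str, request_host: str) -> bool:
    """Return True only if `target` stays on `request_host`.

    Rejects absolute URLs to other hosts, protocol-relative targets
    (//other.example), backslash variants that browsers normalise to
    slashes, and non-http(s) schemes such as javascript:.
    """
    if not target:
        return False
    # Browsers treat "\" like "/" in URLs; normalise before parsing so that
    # "/\other.example" is not mistaken for a local path.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.netloc:
        return parts.netloc.lower() == request_host.lower()
    # Relative target: resolve it against the site and confirm the host again.
    resolved = urlsplit(urljoin(f"https://{request_host}/", normalised))
    return resolved.netloc.lower() == request_host.lower()


def issue_csrf_token(session_secret: bytes, session_id: str) -> str:
    """Derive a per-session CSRF token as an HMAC-SHA256 of the session id."""
    return hmac.new(session_secret, session_id.encode(), "sha256").hexdigest()


def csrf_token_valid(session_secret: bytes, session_id: str,
                     submitted: Optional[str]) -> bool:
    """Validate the token a form submitted; absent or mismatched tokens fail."""
    if not submitted:
        return False
    expected = issue_csrf_token(session_secret, session_id)
    # Constant-time comparison so the check does not leak timing information.
    return hmac.compare_digest(expected, submitted)
```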
In December 2012, Baloch found a remote code execution vulnerability on PayPal.com. At the time, the company rewarded him with $10,000 (7,500 EUR) for his work.