Summary
- On 16 January 2024, the threat actor discovered a DOM-based XSS vulnerability on Zoho.
- On 24 January 2024, they found a post-message misconfiguration issue on zoho.com.
- The misconfiguration issue allowed the threat actor to escalate and take over any Zoho account, accessing the user's email and password, credentials, and credit card information.
- On 12 April 2024, Zoho awarded the threat actor 1000 for the post-message report.
- The issue was patched on 19 March for post-message and on 24 January for DOM XSS.
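The summary names a post-message misconfiguration but does not describe the handler itself. The block below is an added, generic illustration of the defensive pattern involved, not code from the page or from Zoho: a `window.postMessage` listener that acts on any message is shown beside one that checks `event.origin` against an exact-match allowlist and validates the message shape before touching session state. The origins, message type and token format are constructed assumptions, and the events are plain objects so the code runs offline in Node.

```javascript
// Added example: origin and shape validation for a postMessage listener.
// Not Zoho's code. Origins, message fields and token format are assumptions.

// Exact-match allowlist of origins permitted to drive this page.
// Compare the whole origin string; substring or regex checks on the host
// (e.g. "includes('example.com')") match unrelated origins and are a classic
// weakness in these handlers.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://accounts.example.com',
]);

// Weak handler: no origin check, and it parses free-form strings. Any page
// that can open or embed this one can deliver a message it will act on.
function weakHandler(event, store) {
  const data = typeof event.data === 'string' ? JSON.parse(event.data) : event.data;
  if (data && data.type === 'set-session') {
    store.sessionToken = data.token;
    return 'accepted';
  }
  return 'ignored';
}

// Hardened handler: reject unknown origins first, then insist on a structured
// message with exactly the fields and value format the page expects.
function hardenedHandler(event, store) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return 'rejected-origin';
  const data = event.data;
  if (typeof data !== 'object' || data === null) return 'rejected-shape';
  if (data.type !== 'set-session') return 'rejected-shape';
  // Assumed token format: 20-200 URL-safe characters (constructed rule).
  if (typeof data.token !== 'string' || !/^[A-Za-z0-9._-]{20,200}$/.test(data.token)) {
    return 'rejected-shape';
  }
  store.sessionToken = data.token;
  return 'accepted';
}

// Builds a MessageEvent-like object so the handlers can be exercised without
// a browser (constructed test input).
function makeEvent(origin, data) {
  return { origin, data };
}

// Runs both handlers against a message from an untrusted origin and returns
// what each one did, so the difference is visible in one call.
function compareHandlers() {
  const untrusted = makeEvent('https://other.example.net', {
    type: 'set-session',
    token: 'abcdefghij0123456789',
  });
  const weakStore = {};
  const hardStore = {};
  return {
    weak: weakHandler(untrusted, weakStore),
    hardened: hardenedHandler(untrusted, hardStore),
    weakTokenSet: typeof weakStore.sessionToken === 'string',
    hardenedTokenSet: typeof hardStore.sessionToken === 'string',
  };
}

// In a real page the hardened function would be registered as
// window.addEventListener('message', (e) => hardenedHandler(e, sessionStore));
if (typeof require !== 'undefined' && require.main === module) {
  console.log(compareHandlers());
}
```

The order of checks matters: origin is rejected before the payload is inspected, so malformed data from an untrusted sender never reaches the parser. When the page also sends messages, the same allowlist should be used as the `targetOrigin` argument to `postMessage` rather than `'*'`, so that session data is not delivered to whatever happens to be loaded in the other window.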