Improper Privilege Management API V2

# Description There are some `api v2` endpoints that don't check permissions, allowing attackers to retrieve/edit information on `ticket`, `account`, `group`, `department`, `team`, `ElasticSearch`. # Proof of Concept *Get user ...

Register users in spite of Allow User Registration disabled

# Description An attacker can register a user even though `Allow User Registration` is disabled by default. # Proof of Concept 1. Go to `/captcha`, get the captcha value and cookie. ![alt text](htt ...

Application Level DoS:

# Description Hey, when I attempted to change the password, I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant ...

Phabricator: Conduit feed.publish API allows you to spoof other users or make it look like you have access to a restricted object

The Conduit feed.publish API allows a user to publish stories to the feed. The API accepts a parameter "type" which will be set to `PhabricatorTokenGivenFeedStory` and accepts JSON in the "data" para ...
