Security Research and CVEs

Reported an OAuth token leak via open redirect in Harvest.

Reported an Broken Access Control in coda.io where an attacker could leverage the trial feature to gain access to paid offerings.

Reported an account takeover vulnerability that allows an attacker to claim accounts having unverified emails in File Sync & Share in Acronis.

Reported a low impact Open Redirect to Flattr

AppSec Village DEF CON 31 CTF^2 (developer) winning entry. Bypassed the encryption and mutation techniques of the Mutant Language.

Reported a bypass of FILTER_VALIDATE_URL filter in PHP 8 that can lead to SSRF by escaping the URL validations in any PHP target which depend on FILTER_VALIDATE_URL.

Reported CVE-2021-27902 (XSS) and CVE-2021-27903 (SSTI) that can be chained together to gain Remote Code Execution in CraftCMS.

Reported a low impact Path Traversal where an OAuth Provider could read local files exploiting relative path traversal in Flarum.

Reported a stored cross site scripting in xyz

Reported a stored cross site scripting by uploading XML file in October CMS.

Reported a stored cross site scripting in digidocu.

Discovered a method to leak IP addresses in a misconfigured WordPress instance (useful when targets are behind a dns firewall like CloudFlare)

Reported a vulnerability in PHPMailer where a function could run unexpectedly while sending a mail leading to untrusted code execution.

Reported and fixed a vulnerability in Laravel where active_url validation rule could be bypassed in a situation where a target has a subdomain localhost.

Reported and fixed a vulnerability in Laravel where Illuminate\Validation\Rules\RequiredIf could be used as a gadget chain for deserialization vulnerabilities.

Reported a code execution via cross site scripting in TagSpaces. The XSS is used to escape the sandbox of electron to gain Code Execution in TagSpaces.