Security Research and CVEs
Here you can find all research content and vulnerability writeups that I have published.
Web (4)
- Oct 22, 2023: Stealing OAuth tokens of connected Microsoft accounts via open redirect in Harvest App. Reported an OAuth token leak via open redirect in Harvest.
- Jun 24, 2020: Unrestricted access to any "connected pack" in docs in coda.io. Reported a Broken Access Control vulnerability in coda.io where an attacker could leverage the trial feature to gain access to paid offerings.
- Jun 24, 2020: Account Takeover on unverified emails in File Sync & Share in Acronis. Reported an account takeover vulnerability that allows an attacker to claim accounts with unverified emails in File Sync & Share in Acronis.
- Jun 11, 2020: Open Redirect in Flattr. Reported a low impact Open Redirect in Flattr.
Compilers, Interpreters and Languages (2)
- Aug 15, 2023: Breaking The Mutant Language's "Encryption" (Writeup). AppSec Village DEF CON 31 CTF^2 (developer) winning entry. Bypassed the encryption and mutation techniques of the Mutant Language.
- Jul 17, 2021: FILTER_VALIDATE_URL bypass in PHP 8 (CVE-2021-21705). Reported a bypass of the FILTER_VALIDATE_URL filter in PHP 8 that can lead to SSRF by escaping the URL validation in any PHP target that depends on FILTER_VALIDATE_URL.
CMS, CRM and Forums (6)
- Jul 29, 2021: CraftCMS Zero-day Chain: XSS to SSTI triggering RCE (CVE-2021-27902, CVE-2021-27903). Reported CVE-2021-27902 (XSS) and CVE-2021-27903 (SSTI), which can be chained together to gain Remote Code Execution in CraftCMS.
- Jun 11, 2021: Relative Path Traversal in Flarum using fake OAuth Provider. Reported a low impact Path Traversal where a malicious OAuth Provider could read local files by exploiting relative path traversal in Flarum.
- May 18, 2021: XSS in Unified Transform (a school management software). Reported a stored cross site scripting in xyz.
- Apr 3, 2021: Stored Cross Site Scripting in October CMS. Reported a stored cross site scripting via XML file upload in October CMS.
- Mar 30, 2021: Cross Site Scripting in digidocu. Reported a stored cross site scripting in digidocu.
- Dec 27, 2020: Internal IP Address leak in Misconfigured WordPress to bypass WAF. Discovered a method to leak internal IP addresses from a misconfigured WordPress instance (useful when targets are behind a DNS-based firewall like Cloudflare).
Frameworks and Libraries (3)
- Jul 10, 2021: Untrusted code execution in PHPMailer (CVE-2021-3603). Reported a vulnerability in PHPMailer where a function could run unexpectedly while sending a mail, leading to untrusted code execution.
- Jun 12, 2021: active_url validation check bypass in Laravel. Reported and fixed a vulnerability in Laravel where the active_url validation rule could be bypassed when a target has a subdomain named localhost.
- Jun 12, 2021: POP Gadget using function injection in RequiredIf. Reported and fixed a vulnerability in Laravel where Illuminate\Validation\Rules\RequiredIf could be used as a gadget chain for deserialization vulnerabilities.
Desktop Applications (1)
- Jun 11, 2021: Code Execution via Cross Site Scripting in TagSpaces (a file manager). Reported a code execution via cross site scripting in TagSpaces. The XSS is used to escape the Electron sandbox to gain Code Execution in TagSpaces.