Exposure of Private Personal Information to an Unauthorized Actors
CVE-2022-0482
Lack of authentication logic in the backend API was leading to sensitive PII data exposed to unauthenticated attackers.
Hacking code to make the internet a safer place.
Over the last few years, I discovered more than 60 new vulnerabilities, half of which are in open-source software.
Easy!Appointments
API Privilege Escalation
CVE-2022-1397
Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed. On Easy!Appointments API authorization is checked against the user's existence, without validating the permissions. As a result, a low privileged user can take over the system.
WordPress
Clerk <= 3.8.2 - Authentication Bypass and API Keys Disclosure
CVE-2022-3907
The plugin is affected by time-based attacks in the validation function for all API requests due to the usage of comparison operators to verify API keys against the ones stored in the site options.
Easy Digital Downloads <= 3.0.4 - Unauthenticated CSV Injection
CVE-2022-3600
Missing data sanification in the CSV export feature leads to CSV formula injection vulnerability.
Orange Form <= 1.0 - SQL Injection via CSRF
CVE-2021-24704
An unprepared SQL query in conjuntion with a CSRF vulnerability allows full database takeover.