Exposure of Private Personal Information to an Unauthorized Actor
CVE-2022-0482
A lack of authentication logic in the backend API led to sensitive PII data being exposed to unauthenticated attackers.
Over the last few years, I discovered more than 70 new vulnerabilities, half of which are in open-source software.
CVE-2022-1397
Privilege escalation occurs when a user gains access to more resources or functionality than they are normally allowed. In the Easy!Appointments API, authorization is checked only against the user's existence, without validating the user's permissions. As a result, a low-privileged user can take over the system.
CVE-2023-6744
The Divi theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'et_pb_text' shortcode, due to insufficient input sanitization and output escaping on user supplied custom field data.
CVE-2022-3600
Missing data sanitization in the CSV export feature leads to a CSV formula injection vulnerability.
CVE-2021-24704
An unprepared SQL query in conjunction with a CSRF vulnerability allows full database takeover.