When finding a vulnerability in a project, I will disclose it to the project maintainer(s).
After a vulnerability has been fixed and a patch has been released, I will publish an advisory here.
Latest Posts

- ISL-2021-001: Insecure TrustManager in ballerina-platform/ballerina-lang
  ballerina-platform/ballerina-lang before commit d7e08e0 used an insecure TrustManager for HTTPS connections, making clients vulnerable to a machine-in-the-middle attack (MiTM) and remote code execution (RCE).
- ISL-2020-008: Missing Hostname Verification and Insecure TrustManager in openMF/mifos-mobile
  openMF/mifos-mobile before commit e505f62 disabled hostname verification and used an insecure TrustManager for HTTPS connections, making clients vulnerable to a machine-in-the-middle attack (MiTM).
- ISL-2020-007: Missing Hostname Verification and Insecure TrustManager in opencast/opencast
  opencast/opencast before commit 4225bf9 disabled hostname verification and used an insecure TrustManager for HTTPS connections, making clients vulnerable to a machine-in-the-middle attack (MiTM).
- ISL-2020-006: Missing Hostname Verification and Insecure TrustManager in apache/fineract
  apache/fineract before commit e054a6f disabled hostname verification and used an insecure TrustManager for HTTPS connections, making clients vulnerable to a machine-in-the-middle attack (MiTM).
- ISL-2020-005: Missing Hostname Verification and Insecure TrustManager in apache/calcite
  The HttpUtils#getURLConnection function of apache/calcite before commit 43eeafc disabled hostname verification and used an insecure TrustManager for HTTPS connections, making clients vulnerable to a machine-in-the-middle attack...
- ISL-2021-005: Missing Validation of JWT Signature in fxbin/bubble-fireworks
  fxbin/bubble-fireworks before commit 67b2ef4 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT.
- ISL-2021-004: Missing Validation of JWT Signature in grassrootza/grassroot-platform
  grassrootza/grassroot-platform before version 1.3.1 did not properly verify the signature of JSON Web Tokens when refreshing an existing JWT. This allows forging a valid JWT and can lead to authentication...
- ISL-2021-003: Missing Validation of JWT Signature in nimble-platform/common
  nimble-platform/common before commit 3b96cb0 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT and can lead to authentication bypasses.
- ISL-2021-002: Missing Validation of JWT Signature in ManyDesigns/Portofino
  ManyDesigns/Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT and can lead to authentication bypasses.
- ISL-2020-004: RCE via MiTM in Texas Instruments' Code Composer Studio
  The insecure configuration of JxBrowser in the "Getting Started" view of Code Composer Studio allows a machine-in-the-middle attack (MiTM) which can be escalated to remote code execution (RCE).
- ISL-2020-003: XSS in w3c/css-validator
  w3c/css-validator is vulnerable to cross-site scripting (XSS) due to insufficient input sanitization.
- ISL-2020-002: Arbitrary File Read/Write in loklak/loklak_server
  Insufficient input validation allowed a directory traversal vulnerability. Any admin config and file readable by the app can be retrieved by the attacker. Furthermore, user-controlled content could be written to...
- ISL-2020-001: Arbitrary File Read/Write in fossasia/susi_server Leading to RCE
  Insufficient input validation allowed a directory traversal vulnerability. Any admin config and file readable by the app can be retrieved by the attacker. Furthermore, some files can also be moved...