- Captcha Replay Bypasses Brute-Force Protection
  The login function fails to invalidate the captcha after one use. This allows an attacker to replay a valid captcha to bypass brute-force protection.
- SQLI in User List Leads to Sensitive Data Disclosure
  A critical SQL injection vulnerability in the user list endpoint allows authenticated attackers to exfiltrate sensitive user data, including password hashes.
- Missing Authorization Leads to Arbitrary File Deletion
  A missing authorization check in the file deletion function allows any authenticated user to delete any file on the system by its ID.