| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| ict:responsible-disclosure [2020/09/08 20:46] โ jonathan | ict:responsible-disclosure [2020/09/09 08:39] (current) โ [Configuration Issues] jonathan |
|---|
| |
| ===== Security Vulnerabilities ===== | ===== Security Vulnerabilities ===== |
| * **[[https://www.linkedin.com/in/sagarbanwa/|Sagar Banwa]]** disclosed an XSS vulnerability on the User Dashboard on //August 7, 2020//. | * **[[https://www.linkedin.com/in/sagarbanwa/|Sagar Banwa]]** disclosed a persistent XSS vulnerability on the User Dashboard on //August 7, 2020//. |
| * **[[https://emilenijssen.nl/|Emile Nijssen]]** disclosed a user input sanitation omission in our UTwente addressbook search on //May 12, 2020//. | * **[[https://emilenijssen.nl/|Emile Nijssen]]** disclosed a user input sanitation omission in our UTwente addressbook search on //May 12, 2020//. |
| * * **Wouter Kobes** disclosed that it was possible for any user to change the profile photo of any other user on //March 15, 2018//. | * **Wouter Kobes** disclosed that it was possible for any user to change the profile photo of any other user on //March 15, 2018//. |
| |
| ===== Configuration Issues ===== | ===== Configuration Issues ===== |
| | * **[[https://www.linkedin.com/in/mohammed-abdul-kareem4855/|Mohammed Abdul Kareem]]** alerted us to a missing ''X-Content-Type-Options'' header on //September 2, 2020//. |
| * **[[https://www.linkedin.com/in/dhanumaalaian-r-b34338189/|Dhanumaalaian R]]** alerted us to some missing CAA records on //September 2, 2020//. | * **[[https://www.linkedin.com/in/dhanumaalaian-r-b34338189/|Dhanumaalaian R]]** alerted us to some missing CAA records on //September 2, 2020//. |
| * **[[https://www.linkedin.com/in/HemantSolo/|Hemant Patidar]]** suggested that changing the e-mail associated with your account could be done a little safer on //August 30, 2020//. | * **[[https://www.linkedin.com/in/HemantSolo/|Hemant Patidar]]** suggested that changing the e-mail associated with your account could be done a little safer on //August 30, 2020//. |
| * **[[https://www.linkedin.com/in/rohan-chaudhari-53aa51174|BABABOUNTY]]** alerted us to some missing HSTS headers on //August 28, 2020//. | * **[[https://www.linkedin.com/in/rohan-chaudhari-53aa51174|BABABOUNTY]]** alerted us to some missing HSTS headers on //August 28, 2020//. |
| | * **[[https://twitter.com/Adityarana1234?s=09|Aditya Rana]]** alerted us to some missing CSP headers on //August 28, 2020//. |
| * **[[https://www.linkedin.com/in/shubham-panchal-636744161/|Shubham Panchal]]** alerted us to some missing HSTS headers on //August 27, 2020//. | * **[[https://www.linkedin.com/in/shubham-panchal-636744161/|Shubham Panchal]]** alerted us to some missing HSTS headers on //August 27, 2020//. |
| * **[[https://www.linkedin.com/in/r0x4r/|Eshan Singh]]** alerted us to some missing rate limiting precautions on authentication endpoints on //August 20, 2020//. | * **[[https://www.linkedin.com/in/r0x4r/|Eshan Singh]]** alerted us to some missing rate limiting precautions on authentication endpoints on //August 20, 2020//. |
