Security Advisory – CVE-2020-12832

Product: Simple File List
Vendor: https://elementengage.com
Vulnerable Version: Simple File List < 4.2.7
Category: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vendor Notified: 2020-05-03
Patched: 2020-05-11
Researcher(s): Christian Angel
CVE: CVE-2020-12832

Simple File List is a free plugin that gives your WordPress website a list of your files, allowing your users to open and download them. Users can also upload files if you choose. Simple …
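The advisory classifies the issue as CWE-22, so the check a file-listing or download handler needs is path containment: whatever the user supplies, the resolved path must stay under the configured listing directory. The block below is an added example written for this page, not the Simple File List plugin's code and not its actual bug; it builds a constructed temporary directory tree, shows the naive join that escapes the directory beside a hardened version, and returns which inputs each accepts. The file names and the "simple-file-list" directory are assumptions.

```python
"""Added example (not the plugin's code): path containment for a file-listing
download handler. The directory tree and inputs are constructed sample data."""
import os
import shutil
import tempfile


def naive_download_path(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: join without a containment check.
    '../' walks out of base_dir, and an absolute user_path replaces it."""
    return os.path.join(base_dir, user_path)


def safe_download_path(base_dir: str, user_path: str) -> str:
    """Hardened pattern: reject NULs and absolute paths, resolve symlinks and
    '..' with realpath, then require the result to stay inside base_dir.
    Raises ValueError on traversal. Assumes the web layer already URL-decoded
    user_path exactly once (as PHP does for request parameters)."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if os.path.isabs(user_path):
        raise ValueError(f"absolute path rejected: {user_path!r}")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath (not str.startswith) avoids the prefix bug where
    # '/srv/files_private' would be accepted as inside '/srv/files', and
    # realpath on both sides also catches symlinks pointing outside base_dir.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path traversal rejected: {user_path!r}")
    return candidate


def accepts(base_dir: str, user_path: str) -> bool:
    """True if the hardened check lets user_path through."""
    try:
        safe_download_path(base_dir, user_path)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Builds a constructed tree: a listing directory with one file, and a
    'secret' file one level above it. Returns, per input, whether the naive
    join escapes the listing directory and whether the safe check accepts it."""
    root = tempfile.mkdtemp()
    try:
        base = os.path.join(root, "simple-file-list")  # assumed directory name
        os.makedirs(base)
        with open(os.path.join(base, "report.pdf"), "w") as fh:
            fh.write("constructed sample file\n")
        with open(os.path.join(root, "wp-config.php"), "w") as fh:
            fh.write("<?php // constructed file outside the listing directory\n")

        base_real = os.path.realpath(base)
        inputs = ["report.pdf", "../wp-config.php", "/etc/passwd", "sub/../report.pdf"]
        results = {}
        for p in inputs:
            naive_real = os.path.realpath(naive_download_path(base, p))
            results[p] = {
                "naive_escapes_base": os.path.commonpath([base_real, naive_real]) != base_real,
                "safe_accepts": accepts(base, p),
            }
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path!r}: {verdict}")
```

The two rejected inputs are the ones a listing plugin receives from a query string or upload form; "sub/../report.pdf" is accepted because after normalisation it still resolves inside the directory, which is the behaviour you want rather than a blanket ban on the substring "..".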

Non-Verified User Can Submit Report, View Disclosed Reports | Secuna Bug Bounty

Details: It's a cold afternoon at the Manila Bulletin while enjoying my Iced Mocha from Paper + Cup. I currently have 2 accounts at Secuna:
https://app.secuna.io/ctulhu - Verified
https://app.secuna.io/imongmama - Not Verified
As a verified user in Secuna you should be able to update your profile, submit reports, view disclosed reports and update your payout method, meanwhile if your account is not …

Static Analysis of wish-you.co

Hello. Recently wish-you.co became viral in the Philippines when Filipino Facebook users started sending their own customized New Year's greetings to their Facebook friends.
Note: This analysis is focused on the web application of wish-you.co, to see if there is anything malicious.
[Image: wish-you.co landing page]
Brute-forcing the subdomain gives us 3 results:
144.217.211.126 - old.wish-you.co
104.31.93.16 - http://www.wish-you.co
…

Exposed S3 Credentials of QuadX

What is Secuna? Secuna is the first and only crowdsourced cybersecurity testing platform in the Philippines, helping startups and SMEs by connecting them to vetted security researchers to find and fix security vulnerabilities before they can be exploited by cybercriminals.
Benefits at Secuna:
Hacker Success Team. Secuna is an ever-evolving crowdsourced cybersecurity testing platform managed by an …

Insufficient Rate Limiting on Facebook Fundraisers

Summary: Facebook Fundraisers lacks rate-limiting protection. Malicious actors can brute-force the card form by submitting different random credit or debit card numbers, which could result in large-scale fraud (card testing). The expected behaviour is that once you have repeatedly tried to link or use a declined or invalid credit/debit card, the system should block you from making additional transactions …
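The control the report says is missing is a limiter on declined card attempts: count declines per actor in a sliding window and, past a threshold, refuse further attempts for a cool-down period before the payment processor is even contacted. The block below is an added example written for this page, not Facebook's code; the limiter thresholds, the stand-in processor and the attempt sequence are all assumptions, and time is passed in explicitly so the run is deterministic.

```python
"""Added example (not Facebook's code): a per-actor limiter on declined card
attempts. Thresholds, the fake processor and the attempts are constructed."""
from collections import defaultdict, deque


class DeclinedCardLimiter:
    """Sliding-window counter of declined card attempts per actor
    (account, session or IP), with a lockout once the threshold is reached."""

    def __init__(self, max_declines: int = 3, window_s: int = 600, lockout_s: int = 3600):
        self.max_declines = max_declines
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._declines = defaultdict(deque)  # actor -> timestamps of declines
        self._locked_until = {}              # actor -> time the lockout ends

    def is_blocked(self, actor: str, now: float) -> bool:
        until = self._locked_until.get(actor)
        return until is not None and now < until

    def record(self, actor: str, declined: bool, now: float) -> bool:
        """Record the processor's answer. Returns True if actor is now locked."""
        if not declined:
            return self.is_blocked(actor, now)
        q = self._declines[actor]
        while q and now - q[0] > self.window_s:  # drop declines outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_declines:
            self._locked_until[actor] = now + self.lockout_s
            q.clear()
            return True
        return False


def attempt_link_card(limiter: DeclinedCardLimiter, actor: str, card_number: str,
                      now: float, processor) -> str:
    """Gate in front of the processor: a locked actor never reaches it, so a
    brute-forced valid PAN cannot be confirmed during the lockout."""
    if limiter.is_blocked(actor, now):
        return "blocked"
    declined = not processor(card_number)
    limiter.record(actor, declined, now)
    return "declined" if declined else "linked"


def fake_processor(card_number: str) -> bool:
    """Constructed stand-in for the payment processor: one test PAN is 'valid'."""
    return card_number == "4242424242424242"


def simulate() -> list:
    """Constructed attack: three random PANs, then the valid one, then the valid
    one again after the lockout expires. Returns the outcome of each attempt."""
    lim = DeclinedCardLimiter(max_declines=3, window_s=600, lockout_s=3600)
    attempts = [
        (0, "4000000000000002"),
        (5, "4000000000000010"),
        (9, "4000000000000028"),
        (12, "4242424242424242"),    # valid, but the actor is locked out
        (3700, "4242424242424242"),  # lockout (9 + 3600) has passed
    ]
    return [attempt_link_card(lim, "fundraiser-user-1", pan, t, fake_processor)
            for t, pan in attempts]


if __name__ == "__main__":
    print(simulate())
```

In production the actor key should combine account, device or session and source IP so that an attacker cannot reset the counter by creating accounts, and the lockout should also apply to the card-linking endpoint, not only to donations, since the report's concern is the linking step.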

Security Advisory – CVE-2019-5450

Product: Nextcloud App on Android
Vendor: Nextcloud GmbH
Vulnerable Version: Nextcloud Android < 3.7.0
Category: Improper Neutralization of Script-Related HTML Tags in a Web Page (CWE-80)
Vendor Notified: 2019-06-28
Patched: 2019-07-09
Researcher(s): Christian Angel
CVE: CVE-2019-5450

Nextcloud is a suite of client-server software for creating and using file hosting services. Nextcloud's functionality is similar to Dropbox. Unlike Dropbox, …

Security Advisory – CVE-2018-19937

Product: VLC for Mobile (iOS)
Vendor: VideoLAN / open source software
Vulnerable Version: 3.1.4 and below
Category: Permissions, Privileges, and Access Control (CWE-264)
Vendor Notified: 2018-11-26 11:00 PM
Patched: 2018-12-21
Disclosed: 2019-01-01
Researcher(s): Christian Angel
CVE: CVE-2018-19937

Summary
A local, authenticated attacker can bypass the passcode in the VideoLAN VLC media player app before 3.1.5 for iOS by opening a URL and rotating the phone.

Solution
Update the application to the latest version.

References
https://apps.apple.com/ms/app/vlc-for-mobile/id650377962
https://github.com/videolan/vlc-ios/pull/178/commits/d84d7c0a94eb7fba202d2c5fc3739276d2d3986f