SSRF via HTTP redirect in repository migration allows authenticated users to bypass internal address restrictions and reach localhost or private-network services
Security Research
Security vulnerabilities I have responsibly disclosed. All findings were reported to the affected vendors and patched before public disclosure.
Disclosure ledger / 29
heap over-read in UPnP event callback URL host parsing (upnpevents.c)
PGP email verification handler discards GPG return values, falsely marking all inbound signed emails as valid signatures
unauthenticated request to OTRS import controller endpoint blocks request workers for ~115 seconds, enabling denial of service
knowledge base permission checks allow users with limited read permissions to access items outside their assigned scope
unauthenticated staff crypto poisoning breaks E2E recipient directory
WebAuthn passkey injection allows account takeover
unauthenticated GLOBAL_ADMIN account creation post-bootstrap
unauthenticated POST /api/log accepts arbitrary content with CRLF injection and no size or rate limits
bootstrap challenge proof-of-work difficulty hardcoded to 16 bits enables abuse rate amplification
stored click-triggered XSS via javascript: tenant links rendered into patient-facing footer
tenant detail endpoint discloses live PostgreSQL connection string, superuser-scoped in the tested official deployment
logout page clears local access_token before server-side revocation, leaving duplicated tokens valid until expiry
schedule endpoint discloses isPublic=false channels and slot availability to unauthenticated callers
GET appointment by ID returns full appointment record without authorization
bootstrap booking flow allows unauthenticated booking on isPublic=false channels
unauthenticated add-to-tunnel endpoint accepts arbitrary appointment injections
staff deletion removes pending invites cross-tenant by email match
client PIN challenge throttle is keyed by emailHash only, allowing cross-tenant lockout
insecure direct object reference leading to authenticated arbitrary post deletion via course GET parameter
IDOR in FieldDefinition lets authenticated users alter or destroy other users’ submission fields and stored disclosure content
in-app password change does not rotate User.session_id, contradicting the documented threat model
missing authorization in AI assistance controller for text tools
missing authorization in AI assistance controller for context data used in text tools
vulnerability in Microsoft Online Services
bypass of UNC path mitigation in Windows OSQuery via \\?\UNC\
Hall of fame
Ranked among the top contributors of the program.