Insecure Storage of Sensitive Information in erudika/scoold


Reported on

Apr 26th 2022


When the user uploads his profile picture, the uploaded image’s EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information of Scoold users like their Geolocation, their Device information like Device Name, Version, Software & Software version used, etc.

Proof of Concept

  1. Browse this link:-

  2. Download the image & Upload the picture.

  3. Now see the path of the uploaded image ( Either by right click on image then copy image address OR right-click, inspect the image, the URL will come in the inspect, edit it as HTML )

  4. Then check the Exif Metadata of Image by CLI tool or any online tool.

  5. Paste the URL () of the profile image path now you can see the EXIF data.



This vulnerability impacts all users on Scoold. This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads their profile picture on Scoold.

We are processing your report and will contact the erudika/scoold team within 24 hours. a year ago
We have contacted a member of the erudika/scoold team and are waiting to hear back a year ago
Alex Bogdanovski modified the Severity from Critical to Low a year ago
Alex Bogdanovski modified the Severity from Low to Critical (10) a year ago
Alex Bogdanovski modified the Severity from Critical (10) to Medium (6.5) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alex Bogdanovski validated this vulnerability a year ago
Tarun Garg has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Bogdanovski marked this as fixed in 1.49.4 with commit 0d2dd3 a year ago
Alex Bogdanovski has been awarded the fix bounty
This vulnerability will not receive a CVE
a year ago


Report is valid for Scoold Pro only. Scoold uploads files only to Cloudinary where EXIF is stripped.

to join this conversation