Improper Input Validation in athou/commafeed

Valid

Reported on Jul 23rd 2022

Description

Input validation is a frequently used technique for checking potentially dangerous input to ensure it is safe to process within the code or to pass to other components. When software does not validate input properly, an attacker can craft input in a form the rest of the application does not expect. Parts of the system then receive unintended input, which may result in altered control flow. There is no upper bound on the number of characters (including special characters) accepted by the Name field of a category, which allows bulk input to be submitted to the demo instance.

Steps to reproduce

Step 1. Go to https://www.commafeed.com

Step 2. Register and sign in

Step 3. Navigate to: https://www.commafeed.com/#/feeds/add_category

Step 4. The Name field accepts an unbounded number of characters

Step 5. Done

Proof of Concept

PoC Image link: https://postimg.cc/8Jbd9L7M

Impact

Denial of Service: if no maximum length (e.g. 128 characters) is enforced on the mentioned field, unbounded input can degrade the availability of the service.
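As an added illustration (not CommaFeed's code and not the change in commit fe8756), the following validator enforces the kind of server-side bound the report asks for; it assumes the 128-character limit quoted above and a hypothetical add-category handler that persists into an in-memory list.

```python
# Added example, not CommaFeed's code: server-side bounds on a user-supplied
# category name. The 128-character limit is the figure quoted in the report.
import unicodedata

MAX_NAME_CHARS = 128                  # bound on Unicode code points after NFC
MAX_NAME_BYTES = 4 * MAX_NAME_CHARS   # worst-case UTF-8 size storage must absorb


class InvalidName(ValueError):
    """Raised when a category name fails validation."""


def validate_category_name(raw) -> str:
    """Return a canonical category name or raise InvalidName."""
    if not isinstance(raw, str):
        raise InvalidName("name must be a string")
    # Cheap early reject: bound the work spent on hostile input before
    # normalising or scanning it.
    if len(raw) > MAX_NAME_CHARS:
        raise InvalidName(f"name longer than {MAX_NAME_CHARS} characters")
    name = unicodedata.normalize("NFC", raw).strip()
    if not name:
        raise InvalidName("name must not be blank")
    # Control characters, lone surrogates and unassigned code points have no
    # place in a display name and would let it inject line breaks into logs.
    if any(unicodedata.category(ch) in {"Cc", "Cs", "Cn"} for ch in name):
        raise InvalidName("name contains control or unassigned characters")
    # NFC can change the length, so the bound is re-checked on the final form,
    # in code points and in bytes.
    if len(name) > MAX_NAME_CHARS or len(name.encode("utf-8")) > MAX_NAME_BYTES:
        raise InvalidName("name too long after normalisation")
    return name


def handle_add_category(payload: dict, store: list) -> tuple:
    """Hypothetical request handler: validate before persisting, never after."""
    try:
        name = validate_category_name(payload.get("name"))
    except InvalidName as exc:
        return 400, {"error": str(exc)}
    store.append(name)
    return 201, {"name": name}
```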

We are processing your report and will contact the athou/commafeed team within 24 hours. 11 days ago
We have contacted a member of the athou/commafeed team and are waiting to hear back 10 days ago
Jérémie Panzer validated this vulnerability 10 days ago
Kiran PP has been awarded the disclosure bounty
Jérémie Panzer confirmed that a fix has been merged on fe8756 10 days ago
Jérémie Panzer gave praise 10 days ago
Thanks!
Kiran PP (Researcher), 10 days ago
My pleasure! ❤
