Improper Removal of Sensitive Information Before Storage or Transfer in liangliangyy/djangoblog

Valid

Reported on Feb 11th 2022

Description

The application leaks the email address of any registered but still unvalidated user to anonymous visitors: the registration result page takes a user id from its query string and renders that user's email without checking that the visitor is the one who just registered.

Proof of Concept

  • Step 1: Go to http://127.0.0.1:8000/register and create an account. After the account is created you are redirected to a URL like http://127.0.0.1:8000/account/result.html?type=register&id=4
  • Step 2: Open another browser (no session, not logged in) and paste the link. The page shows the email address of the unvalidated user with id=4

Impact

Disclosure of users' personal information. Because the id is a sequential integer, an anonymous visitor can walk the id space and harvest the email address of every account that has not yet completed validation. The application should show the result message only to the session that just registered, immediately after successful registration, not to anyone who supplies an id at any later time.
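The following is an added example, not code from liangliangyy/djangoblog: a self-contained model of the registration result page that puts the reported behaviour next to a hardened version, and runs the anonymous-browser step from the PoC against both. `Request` and `User` are stand-ins for Django's objects so the file runs without Django; the view names, the `pending_registration_id` session key and the sample accounts are assumptions made for illustration.

```python
# Added example (not djangoblog's code). Request and User stand in for Django's
# request and user model; the session key and view names are assumptions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    id: int
    username: str
    email: str
    is_active: bool = False  # stays False until the verification link is clicked


@dataclass
class Request:
    GET: dict = field(default_factory=dict)      # query string parameters
    session: dict = field(default_factory=dict)  # per-browser session store


# Constructed sample data: three accounts that registered but never validated.
USERS = {
    2: User(2, "alice", "alice@example.com"),
    3: User(3, "bob", "bob@example.com"),
    4: User(4, "carol", "carol@example.com"),
}


def _requested_id(request: Request) -> Optional[int]:
    """Parse ?id= from the query string; None when absent or not an integer."""
    try:
        return int(request.GET.get("id", ""))
    except ValueError:
        return None


def register(request: Request, username: str, email: str) -> str:
    """Create the account, remember in *this* session which id was just
    registered, and return the redirect target (the URL shape from the report)."""
    uid = max(USERS) + 1 if USERS else 1
    USERS[uid] = User(uid, username, email)
    request.session["pending_registration_id"] = uid
    return f"/account/result.html?type=register&id={uid}"


def result_vulnerable(request: Request) -> dict:
    """The reported behaviour: the only input is the id from the query string,
    so any anonymous visitor who supplies or guesses an id gets the email."""
    user = USERS.get(_requested_id(request))
    if user is None:
        return {"ok": False, "email": None}
    return {"ok": True, "email": user.email,
            "message": f"{user.username}, a verification mail was sent to {user.email}"}


def result_hardened(request: Request) -> dict:
    """Hardened form: the page is rendered only for the session that just
    registered, only for the id that session registered, and only once."""
    requested = _requested_id(request)
    pending = request.session.pop("pending_registration_id", None)  # one-shot
    user = USERS.get(requested)
    if pending is None or pending != requested or user is None or user.is_active:
        return {"ok": False, "email": None}  # failure path carries no user data
    return {"ok": True, "email": user.email,
            "message": f"{user.username}, a verification mail was sent to {user.email}"}


def harvest(view, id_range) -> dict:
    """The PoC's second browser, at scale: a fresh session walks the id space
    and keeps every email the view returns."""
    leaked = {}
    for uid in id_range:
        result = view(Request(GET={"id": str(uid)}))
        if result["ok"]:
            leaked[uid] = result["email"]
    return leaked


if __name__ == "__main__":
    print("vulnerable view leaks:", harvest(result_vulnerable, range(1, 10)))
    print("hardened view leaks:  ", harvest(result_hardened, range(1, 10)))
```

The hardened view refuses on every mismatch with the same empty response, so an attacker cannot tell a valid id from an invalid one, and popping the session key makes the page usable exactly once by the browser that registered.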

Timeline

  • We are processing your report and will contact the liangliangyy/djangoblog team within 24 hours. (a year ago)
  • We have contacted a member of the liangliangyy/djangoblog team and are waiting to hear back. (a year ago)
  • 且听风吟 validated this vulnerability. (a year ago)
  • nhiephon has been awarded the disclosure bounty.
  • The fix bounty is now up for grabs.
  • 且听风吟 marked this as fixed in master with commit 6512ab. (a year ago)
  • 且听风吟 has been awarded the fix bounty.
  • This vulnerability will not receive a CVE.