Improper Removal of Sensitive Information Before Storage or Transfer in liangliangyy/djangoblog

Valid

Reported on

Feb 11th 2022


Description

The application leaked emails of unvalidated users to anonymous user.

Proof of Concept

  • Step 1: Go to http://127.0.0.1:8000/register and create account. After create success, you will receive URL like http://127.0.0.1:8000/account/result.html?type=register&id=4
  • Step 2: Open another browser and paste link, you will see email of unvalidated user with id=4

Impact

Revealing users' personal information. The application should only show the message immediately after successful registration, not all the time.

We are processing your report and will contact the liangliangyy/djangoblog team within 24 hours. 4 months ago
We have contacted a member of the liangliangyy/djangoblog team and are waiting to hear back 4 months ago
且听风吟 validated this vulnerability 3 months ago
nhiephon has been awarded the disclosure bounty
The fix bounty is now up for grabs
且听风吟 confirmed that a fix has been merged on 6512ab 3 months ago
且听风吟 has been awarded the fix bounty
to join this conversation