resolved
Insufficient input verification leads to DoS and resource consumption
Bug reported by Tinine was disclosed on February 26, 2025, at 6:58 am | Uncontrolled Resource Consumption
The vulnerability affects the API endpoint at api.sorare.com/api/v1/users/, where insufficient input verification of the email parameter was discovered. This allowed an attacker to submit an excessively long email, causing the server to become unresponsive and return a 503 Service Unavailable error. No further details on potential impacts were provided.
resolved
Account Takeover via Password Reset without user interactions
Bug reported by Asterion was disclosed on February 26, 2025, at 6:29 am | Improper Access Control - Generic
The report submitted to GitLab described a vulnerability that allowed account takeover via the password reset form. The vulnerability was triggered by modifying the JSON request to include the victim's email along with the attacker's email. This resulted in the password reset email being sent to both emails, allowing the attacker to access the victim's account by using the reset link.
resolved
Amazon Comprehend Medical Service Reporting "AWS Internal" for CloudTrail Events Generated from FIPS Endpoints
Bug reported by Nick Frichette (Datadog) was disclosed on February 25, 2025, at 8:52 pm | Insufficient Logging
The Comprehend Medical service was found to have 8 API endpoints that incorrectly reported the user-agent and network information as "AWS Internal" in CloudTrail event logs. This behavior was observed specifically for FIPS endpoints, which may have been an intentional design decision. The vulnerability could have allowed an adversary to perform API calls using these endpoints and evade the logging of their IP address and operating system information.

