resolved
Business Logic Error – Bypass of OTP Verification During Signup on hover.com
Bug reported by was disclosed at September 2, 2025, 6:24 pm | Business Logic Errors
The Business Logic Error – Bypass of OTP Verification During Signup on hover.com was a vulnerability that allowed an attacker to register an account on hover.com using any email address without passing the required OTP verification. The vulnerability was caused by the ability to omit the code parameter entirely from the signup request, which resulted in the backend completing the registration and returning a valid session, effectively bypassing the OTP verification mechanism.
resolved
Unauthenticated Sensitive Information Disclosure on █████████ CVE-2021-38314
Bug reported by kuriyama was disclosed at September 2, 2025, 3:43 pm | Information Disclosure
The Gutenberg Template Library & Redux Framework plugin version 4.2.11 and below was found to have an unauthenticated sensitive information disclosure vulnerability (CVE-2021-38314). The issue was identified where the plugin registered several AJAX actions that were accessible to unauthenticated users. These actions used predictable endpoints based on md5 hashes of the site URL with known salt values, allowing attackers to retrieve sensitive system information without authentication.
resolved
Bug Report #23JAN136 (subdomain takeover via shopify)
Bug reported by kuriyama was disclosed at September 2, 2025, 3:30 pm | Privilege Escalation
A subdomain takeover vulnerability was identified on the domain █████████, where the subdomain pointed to an unclaimed Shopify instance. The vulnerability was successfully exploited by the researcher, who created a Shopify account, added the custom domain █████████, and demonstrated control over the subdomain by setting up a password-protected page.
resolved
Bug Report #23JAN135 (subdomain takeover via shopify)
Bug reported by kuriyama was disclosed at September 2, 2025, 3:23 pm | Privilege Escalation
The researcher discovered a subdomain takeover vulnerability affecting ██████████, which was pointing to an unclaimed Shopify instance. The researcher successfully demonstrated the takeover by claiming the subdomain and setting up a proof-of-concept storefront.
resolved
Account Takeover in Password Reset Function
Bug reported by was disclosed at September 2, 2025, 3:08 pm | Authentication Bypass
A critical authentication bypass vulnerability was present in the password reset functionality of the website. The vulnerability allowed attackers to take over any user account without requiring access to the victim's phone number or one-time password. The security flaw existed in the implementation of the "Forgot Password" feature, where the system relied on client-side responses to determine the success of OTP verification. An attacker could intercept the server response and manipulate it to bypass the OTP verification step entirely, allowing them to set a new password for the victim's account.
resolved
Unauthorized Blogs Creation
Bug reported by was disclosed at September 2, 2025, 10:30 am | Improper Access Control - Generic
A vulnerability was identified on the lichess.org website that allowed unauthorized blog creation. By manipulating certain requests and leveraging the session cookies of a different account, an attacker could bypass account-specific limitations and create a blog post on an account that was not yet eligible to do so.