resolved
Possible to enumerate valid files in password protected shares/file drop shares, as well as spam the folder with files
Bug reported by Lukas Reschke was disclosed on February 21, 2025, 10:39 am | Information Disclosure
The summary is as follows:
It was possible to enumerate valid files in password protected shares and file drop shares. Additionally, it was possible to spam the folder with empty files using an attacker-controlled file name. The vulnerability existed in the `DocumentAPIController#create` method, which did not validate whether the share was writable, upload-only, or password protected.
resolved
IDOR on ads.tiktok.com Allows Unauthorized Product Addition
Bug reported by seyedh2o was disclosed on February 20, 2025, 10:16 pm | Insecure Direct Object Reference (IDOR)
An Insecure Direct Object Reference (IDOR) vulnerability was discovered on the TikTok Ads API that allowed the addition of arbitrary products to a user's catalog without proper authorization.
resolved
Uncontrolled Resource Consumption when parsing maliciously crafted XML with REXML
Bug reported by L33thaxor was disclosed on February 20, 2025, 3:21 pm | Uncontrolled Resource Consumption
The REXML library in Ruby was found to be vulnerable to an issue where parsing a maliciously crafted XML file could lead to uncontrolled resource consumption, resulting in a denial of service. The vulnerability was caused by a flaw in the namespace handling functionality of the REXML library.
resolved
Unauthenticated phpinfo() files could lead to file read at h2f54.n1.ips.mtn.co.ug [/dashboard/]
Bug reported by ꦄꦤ꧀ꦢꦿꦶ was disclosed on February 20, 2025, 1:32 pm | Violation of Secure Design Principles
The phpinfo() files at h2f54.n1.ips.mtn.co.ug were left unauthenticated, potentially allowing remote attackers to obtain sensitive information about the web server configuration.