resolved
Information disclosure due to debug mode enabled at Laravel instance https://mpos.mtn.co.sz/
Bug reported by ꦄꦤ꧀ꦢꦿꦶ was disclosed on February 23, 2025, 9:03 am | Information Disclosure
The Laravel framework contained a vulnerability known as CVE-2021-3129, which allowed remote code execution due to unsafe usage of PHP in the Ignition debug module. This vulnerability was relatively easy to exploit and did not require user authentication, resulting in a high CVSS score of 9.8. The vulnerability was triggered by sending a crafted POST request to the `/_ignition/execute-solution` endpoint, which allowed an attacker to execute arbitrary code on the target system.
resolved
CVE-2023-41763 Business Elevation of Privilege vulnerability on [.mtn.com]
Bug reported by H͟a͟c͟k͟e͟r͟ ͟0͟D͟a͟y͟ ͟W͟o͟m͟a͟n͟ was disclosed on February 22, 2025, 3:49 pm | Command Injection - Generic
The Microsoft Skype for Business installation on the remote host was missing security updates. The flaw was actively exploited. Attackers could access some sensitive information but not alter or restrict access to it, so the impact related primarily to confidentiality. The host was affected by multiple vulnerabilities, including an elevation of privilege vulnerability and remote code execution vulnerabilities.
resolved
Unauthorized access to PII leads to Administrator account Takeover
Bug reported by H͟a͟c͟k͟e͟r͟ ͟0͟D͟a͟y͟ ͟W͟o͟m͟a͟n͟ was disclosed on February 22, 2025, 3:48 pm | Privilege Escalation
The vulnerability arose from insufficient restrictions on the list of post authors, which could be exploited by remote attackers to obtain sensitive information through wp/v2/users/15 requests. The exposed information, including email addresses, could be used in further attacks such as password guessing. A CORS misconfiguration was also identified, which may have enabled third-party sites to carry out privileged actions and retrieve sensitive information.
resolved
User Email Disclosure via ID-Based Invitation
Bug reported by Mohamed Kamal was disclosed on February 22, 2025, 2:13 am | Information Disclosure
The issue occurred when inviting a user by their WakaTime ID. If a user had set their email to private, their email address was still disclosed when they were invited by ID. This contradicted the user's privacy settings and led to unintended email exposure.