HackerOne disclosed reports - 2025-03-24 - hashXploiter - 03-25-2025
Medium
resolved
Non-Production API Endpoints for the Forecast Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
Bug reported by Nick Frichette (Datadog) was disclosed at March 24, 2025, 8:40 pm | Insufficient Logging
The Forecast service in Amazon Web Services (AWS) has four non-production API endpoints that can be accessed using standard IAM credentials, but do not log any activity to CloudTrail. This allows for silent permission enumeration, where an adversary can test the capabilities of compromised credentials without leaving any trace in the CloudTrail logs.
Low
resolved
Twitter broken link hijacking in thewild.com
Bug reported by Yunxohang Limbu was disclosed at March 24, 2025, 6:11 pm
A broken link hijacking vulnerability was discovered on thewild.com. The issue was reported and subsequently fixed by Autodesk.