HackerOne Disclosed Reports - 2025-05-07 (Dark C0d3rs forum, Research Papers/Vulnerability reports)
HackerOne disclosed reports - 2025-05-07 - hashXploiter - 05-08-2025
Critical / resolved: Unauthorized Account Access via Leaked Credentials in URL Format (Account Takeover). Bug reported by Firecat, disclosed May 7, 2025, 11:08 pm. Weakness: Cleartext Storage of Sensitive Information.
The vulnerability allowed attackers to access user accounts on khanAcademy.com using leaked credentials that were publicly available. The credentials were found in clear text format on a third-party website. By entering the email and password, the attacker could perform an account takeover without the user's knowledge or any secondary verification.
Critical / resolved: Path Traversal Vulnerability found on IBM Cloud. Bug reported by ???? ?????, disclosed May 7, 2025, 5:43 pm. Weakness: Path Traversal.
The path traversal vulnerability on IBM Cloud was reported by an external researcher, analyzed, and remediated. The vulnerability has been addressed.
Low / resolved: HTML Injection in LinkedIn Premium Support Chat. Bug reported by atul nagaraj, disclosed May 7, 2025, 7:53 am.
The vulnerability exists in the LinkedIn Premium support chat interface, where unsanitized HTML input was rendered directly in the chat window. An attacker could have exploited this by injecting malicious HTML such as clickable links, potentially leading to phishing or redirection attacks on LinkedIn support staff. The observed behavior was that HTML, such as `` tags, was rendered in the chat and appeared clickable to support agents. The expected behavior was that user input in chat should have been sanitized and rendered as plain text without interpreting any HTML or tags.