HackerOne Disclosed Reports - 2025-09-19 - Printable Version
Dark C0d3rs (https://darkcoders.wiki)
Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log)
Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports)
Thread: HackerOne Disclosed Reports - 2025-09-19 (/Thread-HackerOne-Disclosed-Reports-2025-09-19)
HackerOne disclosed reports - 2025-09-19 - hashXploiter - 09-20-2025
High | resolved | elections.k8s.io uses weak session secret key, may place elections at risk
Bug reported by Ian Carroll, disclosed at September 19, 2025, 8:54 pm | Cryptographic Issues - Generic
The elections.k8s.io application used a weak Flask SECRET_KEY, the string "N/A", to sign authentication cookies. This allowed the complete compromise of the application, as the session could be manipulated.
Medium | resolved | Stored XSS in Email Notification
Bug reported by khaled Saad, disclosed at September 19, 2025, 6:37 am | Cross-site Scripting (XSS) - Stored
A stored XSS vulnerability was discovered in the email notification feature of the crm.na1.insightly.com platform. The vulnerability allowed an attacker to inject malicious code into the email subject, which was then executed when users viewed the notification. The vulnerability was caused by insufficient input sanitization.
Medium | resolved | CSRF vulnerability allows disabling Gmail contacts link for user referrals
Bug reported by khaled Saad, disclosed at September 19, 2025, 6:36 am | Cross-Site Request Forgery (CSRF)
The CSRF vulnerability allowed users to disable the Gmail contacts link for user referrals. The vulnerable endpoint did not sufficiently verify that the requests were intentionally performed by the user, allowing an attacker to generate a PoC that could be used to disable the victim's linked account.
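The first report in this digest comes down to a placeholder string being used as the key that signs session cookies. The following is an added example, not code from the elections.k8s.io project or from any of the reports above: a startup guard that refuses to boot an application with an unset, placeholder, short, or low-entropy session secret, and a generator for a proper one. The environment variable name SESSION_SECRET_KEY and the thresholds are assumptions for the example; Flask itself is not imported so the check runs with the standard library only.

```python
"""Startup guard for a Flask-style SECRET_KEY (added example, not the
elections.k8s.io code). The disclosed report describes a session-signing
key set to the placeholder string "N/A"; this module rejects such keys
before the application starts. The variable name SESSION_SECRET_KEY and
the thresholds below are assumed values for the example."""
import os
import secrets

MIN_KEY_BYTES = 32       # 256 bits of keying material for HMAC-signed sessions
MIN_DISTINCT_BYTES = 8   # crude guard against "aaaa..." style keys
# Strings that show up as "temporary" secrets and then ship to production.
PLACEHOLDERS = {"n/a", "na", "none", "null", "changeme", "secret",
                "dev", "test", "password", "default"}


def validate_secret_key(key) -> list:
    """Return a list of problems with the key; an empty list means it is acceptable."""
    problems = []
    if key is None or key == "":
        return ["secret key is unset"]
    if isinstance(key, str):
        raw = key.encode("utf-8")
        if key.strip().lower() in PLACEHOLDERS:
            problems.append(f"placeholder value {key!r}")
    elif isinstance(key, (bytes, bytearray)):
        raw = bytes(key)
    else:
        return [f"unexpected type {type(key).__name__}"]
    if len(raw) < MIN_KEY_BYTES:
        problems.append(f"only {len(raw)} bytes, need at least {MIN_KEY_BYTES}")
    distinct = len(set(raw))
    if distinct < MIN_DISTINCT_BYTES:
        problems.append(f"only {distinct} distinct bytes; looks low-entropy")
    return problems


def generate_secret_key() -> str:
    """32 random bytes from the OS CSPRNG, hex-encoded so it fits in an env var."""
    return secrets.token_hex(MIN_KEY_BYTES)


def load_secret_key(env=None, var="SESSION_SECRET_KEY") -> str:
    """Read the key from the environment and fail loudly if it is weak.

    Intended use in a Flask app: app.config["SECRET_KEY"] = load_secret_key()
    """
    env = os.environ if env is None else env
    key = env.get(var)
    problems = validate_secret_key(key)
    if problems:
        raise RuntimeError(f"{var} rejected: " + "; ".join(problems))
    return key


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for candidate in ["N/A", "changeme", "a" * 64, generate_secret_key()]:
        issues = validate_secret_key(candidate)
        print(f"{candidate[:12]!r:>16}: {'OK' if not issues else '; '.join(issues)}")
    try:
        load_secret_key({"SESSION_SECRET_KEY": "N/A"})
    except RuntimeError as exc:
        print("startup refused:", exc)
```

The placeholder list is deliberately small; the length and distinct-byte checks are what catch most accidental weak keys, and the generator is what should be used to produce the value in the first place. Keeping the check at process start means a misconfigured deployment fails its health check rather than serving forgeable sessions.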