
avm99963 (Adrià Vilanova Martínez)
User · Administrator

Projects

User does not belong to any projects.

User Details

User Since
Apr 25 2018, 7:59 PM (81 w, 5 d)
Roles
Administrator

Recent Activity

Sep 17 2019

avm99963 added a comment to T15: Students can (still) see other student's personal information at accesuniversitat.gencat.cat.

CESICAT sent me an email on Sep 13, 2019, 4:54 PM stating the following:

Sep 17 2019, 10:22 PM · Unknown Object (Project)

Sep 9 2019

avm99963 changed Deadline from 90 to 97 on T15: Students can (still) see other student's personal information at accesuniversitat.gencat.cat.
Sep 9 2019, 12:57 AM · Unknown Object (Project)
avm99963 added a comment to T15: Students can (still) see other student's personal information at accesuniversitat.gencat.cat.

I haven't updated this report for a long time, so this is the timeline of the most important events since CESICAT had access to the vulnerability details until now:

Sep 9 2019, 12:57 AM · Unknown Object (Project)

Aug 23 2019

avm99963 changed the visibility for T14: Product Experts can review off-topic requests or hide from the public any message in the Google Help Forums.
Aug 23 2019, 4:24 AM · Unknown Object (Project)
avm99963 changed the visibility for T13: Product Experts can create threads with the properties "closed", "sticky" or "isTrending".
Aug 23 2019, 4:23 AM · Unknown Object (Project)
avm99963 added a comment to T13: Product Experts can create threads with the properties "closed", "sticky" or "isTrending".

T13 and T14 were considered the same bug by Google in their own issue tracker, so I marked T14 as a duplicate of T13 in my issue tracker.

Aug 23 2019, 4:23 AM · Unknown Object (Project)
avm99963 merged task T14: Product Experts can review off-topic requests or hide from the public any message in the Google Help Forums into T13: Product Experts can create threads with the properties "closed", "sticky" or "isTrending".
Aug 23 2019, 4:17 AM · Unknown Object (Project)
avm99963 merged T14: Product Experts can review off-topic requests or hide from the public any message in the Google Help Forums into T13: Product Experts can create threads with the properties "closed", "sticky" or "isTrending".
Aug 23 2019, 4:17 AM · Unknown Object (Project)

Jun 19 2019

avm99963 set CVE to CVE-2019-12837 on T15: Students can (still) see other student's personal information at accesuniversitat.gencat.cat.
Jun 19 2019, 1:35 AM · Unknown Object (Project)

Jun 15 2019

avm99963 published a new version of Vulnerability Reports Lifecycle.
Jun 15 2019, 5:05 PM · Unknown Object (Project)

Jun 11 2019

avm99963 set Reported to Jun 11 2019, 1:00 PM on T15: Students can (still) see other student's personal information at accesuniversitat.gencat.cat.
Jun 11 2019, 1:03 PM · Unknown Object (Project)
avm99963 added a comment to T15: Students can (still) see other student's personal information at accesuniversitat.gencat.cat.

I emailed an AES-256 encrypted ZIP file with a translation of this report in Catalan on Jun 10, 3:18 AM and I just gave CESICAT the key via another contact method, so I'm setting this vulnerability as reported on Jun 11, 1:00 PM because this is when they first had access to the document.

Jun 11 2019, 1:03 PM · Unknown Object (Project)

Jun 10 2019

avm99963 triaged T15: Students can (still) see other student's personal information at accesuniversitat.gencat.cat as Priority-0 priority.
Jun 10 2019, 3:18 AM · Unknown Object (Project)

Jun 5 2019

avm99963 triaged T14: Product Experts can review off-topic requests or hide from the public any message in the Google Help Forums as Priority-1 priority.
Jun 5 2019, 11:17 PM · Unknown Object (Project)
avm99963 changed the visibility for T7: Remote code execution and full access to database and codebase at offerplaying.com.
Jun 5 2019, 10:40 PM · Unknown Object (Project)
avm99963 closed T7: Remote code execution and full access to database and codebase at offerplaying.com as WontFix.

Prinsen Group seems to have disappeared completely from the map and exactly 1 year has passed since the vulnerability was first known, so I'm disclosing it publicly and marking it as WontFix.

Jun 5 2019, 10:39 PM · Unknown Object (Project)
avm99963 created T13: Product Experts can create threads with the properties "closed", "sticky" or "isTrending".
Jun 5 2019, 10:26 PM · Unknown Object (Project)

Mar 19 2019

avm99963 changed the visibility for T11: All SAE support emails are visible to the public.
Mar 19 2019, 6:26 PM · Unknown Object (Project)
avm99963 changed the visibility for T10: Error message reveals information about some internal data structure.
Mar 19 2019, 6:26 PM · Unknown Object (Project)
avm99963 closed T11: All SAE support emails are visible to the public as Verified.

The third party says the vulnerability is fixed and I could verify it too, so I'm publishing the vulnerability.

Mar 19 2019, 6:26 PM · Unknown Object (Project)
avm99963 closed T10: Error message reveals information about some internal data structure as Verified.

The third party says the vulnerability is fixed and I could verify it too, so I'm publishing the vulnerability.

Mar 19 2019, 6:26 PM · Unknown Object (Project)

Mar 18 2019

avm99963 set Reported to Mar 18 2019, 12:47 AM on T10: Error message reveals information about some internal data structure.
Mar 18 2019, 12:52 AM · Unknown Object (Project)
avm99963 set Reported to Mar 18 2019, 12:47 AM on T11: All SAE support emails are visible to the public.
Mar 18 2019, 12:52 AM · Unknown Object (Project)
avm99963 updated the task description for T11: All SAE support emails are visible to the public.
Mar 18 2019, 12:25 AM · Unknown Object (Project)
avm99963 triaged T11: All SAE support emails are visible to the public as Priority-1 priority.
Mar 18 2019, 12:18 AM · Unknown Object (Project)

Mar 17 2019

avm99963 updated the task description for T10: Error message reveals information about some internal data structure.
Mar 17 2019, 11:33 PM · Unknown Object (Project)
avm99963 changed the visibility for T9: Access to transcripts for other UB students.
Mar 17 2019, 11:33 PM · Unknown Object (Project)
avm99963 changed the status of T9: Access to transcripts for other UB students from Fixed to Verified.

I received a response from them on Tue, Mar 12, 6:44 PM:

Mar 17 2019, 11:33 PM · Unknown Object (Project)
avm99963 triaged T10: Error message reveals information about some internal data structure as Priority-3 priority.
Mar 17 2019, 11:33 PM · Unknown Object (Project)
avm99963 closed T9: Access to transcripts for other UB students as Fixed.

Just as an observation, this report was sent to pau@ub.edu on Feb 7, 2019, 12:43 AM, 20 days ago.

Mar 17 2019, 11:33 PM · Unknown Object (Project)
avm99963 added a comment to T9: Access to transcripts for other UB students.

I've been quite busy for the last week so I haven't been able to update this issue until today.

Mar 17 2019, 11:33 PM · Unknown Object (Project)
avm99963 renamed T9: Access to transcripts for other UB students from Accés a expedient d'altres alumnes de la UB to Access to transcripts for other UB students.
Mar 17 2019, 11:33 PM · Unknown Object (Project)
avm99963 set Reported to Feb 7 2019, 12:43 AM on T9: Access to transcripts for other UB students.
Mar 17 2019, 11:33 PM · Unknown Object (Project)
avm99963 triaged T9: Access to transcripts for other UB students as Priority-1 priority.
Mar 17 2019, 11:33 PM · Unknown Object (Project)

Jan 9 2019

avm99963 triaged T8: XSS and input validation vulnerability in "Competitions" section as Priority-1 priority.
Jan 9 2019, 12:29 AM · Unknown Object (Project)
avm99963 closed T8: XSS and input validation vulnerability in "Competitions" section as Verified.

On Tuesday, December 13, at 10:12 AM, a Jutge.org developer told me that this had been fixed, and I could verify it that same day.

Jan 9 2019, 12:29 AM · Unknown Object (Project)
avm99963 changed the visibility for T8: XSS and input validation vulnerability in "Competitions" section.
Jan 9 2019, 12:29 AM · Unknown Object (Project)

Jun 5 2018

avm99963 updated the task description for T7: Remote code execution and full access to database and codebase at offerplaying.com.
Jun 5 2018, 12:58 PM · Unknown Object (Project)
avm99963 triaged T7: Remote code execution and full access to database and codebase at offerplaying.com as Priority-0 priority.
Jun 5 2018, 12:56 PM · Unknown Object (Project)
avm99963 changed the visibility for F24: 172.zip.
Jun 5 2018, 12:53 PM

May 2 2018

avm99963 closed T6: Some users continue to receive email updates of some threads of a Google group after being removed from a group as Verified.
May 2 2018, 12:02 AM · Unknown Object (Project)

Apr 28 2018

avm99963 changed the visibility for T1: Students can see other student's personal information at accesuniversitat.gencat.cat.
Apr 28 2018, 2:25 PM · Unknown Object (Project)
avm99963 closed T1: Students can see other student's personal information at accesuniversitat.gencat.cat as Verified.

Yesterday at 14:26 someone from CESICAT called me in order to confirm that the issue was solved, as I had noticed the day before, when I updated this report.

Apr 28 2018, 2:25 PM · Unknown Object (Project)

Apr 26 2018

avm99963 added a comment to T1: Students can see other student's personal information at accesuniversitat.gencat.cat.

CESICAT hasn't replied yet to the message I sent them yesterday, but I have just seen that the reproduction steps are no longer functional, so they must have fixed it or are actively working on fixing it.

Apr 26 2018, 6:46 PM · Unknown Object (Project)

Apr 25 2018

avm99963 created Vulnerability Reports Lifecycle.
Apr 25 2018, 11:25 PM · Unknown Object (Project)
avm99963 created Wiki.
Apr 25 2018, 11:25 PM
avm99963 updated the task description for T1: Students can see other student's personal information at accesuniversitat.gencat.cat.
Apr 25 2018, 10:16 PM · Unknown Object (Project)
avm99963 changed Reported from Apr 25 2018, 12:00 AM to Apr 25 2018, 5:52 PM on T1: Students can see other student's personal information at accesuniversitat.gencat.cat.
Apr 25 2018, 9:33 PM · Unknown Object (Project)
avm99963 changed the status of T1: Students can see other student's personal information at accesuniversitat.gencat.cat from New to Accepted.
Apr 25 2018, 9:14 PM · Unknown Object (Project)