Curated list of public penetration test reports released by several consulting firms and academic security groups.
§ SecureIdeas:
This report has a reasonable write-up on basic web application vulnerabilities such as:
□ XSS
□ Username Harvesting
□ Password Field Autocomplete
□ Admin Session Expiration
§ NCC Group - phpMyAdmin:
The vulnerability classes in this report are routine web application issues, but the technical write-up is detailed. The following vulnerabilities were identified:
□ CSV Export Allows Arbitrary Command Execution in CSV File
□ Login/Logout Actions Vulnerable to CSRF
□ Ability to Unset Arbitrary Server Global Variables
□ Sensitive Values Vulnerable to Session Fixation
□ Sensitive Data in URL GET Query Parameters
□ Overly Permissive Content Security Policy
□ File Traversal Protection Bypass on Error Reporting
□ Self XSS in table_row_action.php
□ Multiple HTTP Plaintext Links
§ ISec - Security First Umbrella:
□ 1. Insufficient TLS/SSL certificate validation (Cryptography, Low)
□ 2. Excessive session timeout (Session Management, Low)
□ 3. Weak TLS/SSL ciphers supported (Configuration, Low)
□ 4. SQL Injection in search and password functionality (Data Validation, Informational)
□ 5. SSLv3 enabled and vulnerable to POODLE attack (Configuration, Informational)
□ 6. Hard-coded encryption key in source code (Data Exposure, Informational)
□ 7. Verbose debug error messages logged (Error Reporting, Informational)
□ 8. Reflected Cross-Site Scripting (XSS) in search functionality (Data Validation, Informational)
□ 9. Certificate pinning not implemented in mobile application (Cryptography, Informational)
□ 10. Application does not lock when focus is lost (Access Controls, Informational)
§ ISec - Mailvelope Firefox Extension:
□ 1. Remote content loaded via img, audio, video and other tags
□ 2. DOMPurify engine is the only mechanism to stop Cross Site Scripting
□ 3. Application data persists after uninstall
□ 4. OpenPGP implementation does not verify signed messages
□ 5. Firefox Plugin Allows User Fingerprinting
□ 6. Delivery mechanism does not follow best practices
□ 7. Weak passwords allowed
□ 8. Mailvelope can add Top-Level Domains as Scan Targets
□ 9. No option to modify banner in OpenPGP key
□ 10. Public keys cannot be verified prior to import
□ 11. Lack of source validation of postMessage
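The last Mailvelope item above, missing source validation of postMessage, is a finding class that recurs in this list (Whiteout WO-03-008 and WO-03-012 below are the same bug). The following is an added example written for this page, not code from Mailvelope or from either report. It assumes a hypothetical trusted origin `https://mail.example.test` and a hypothetical `decrypt` message type, and it constructs the sample events by hand so that it runs under Node.js without a browser:

```javascript
// Added example (not from the Mailvelope or Whiteout reports): why a
// postMessage listener must check event.origin before acting on event.data.
// Runs under Node.js: the events below are constructed stand-ins for the
// MessageEvent objects a browser would deliver.

const TRUSTED_ORIGIN = "https://mail.example.test"; // assumed trusted origin

// Vulnerable pattern: any page holding a reference to this window (an
// embedding parent, an opener, a tab it opened) can deliver a message, and
// the handler acts on it as if it came from the application itself.
function vulnerableHandler(event, state) {
  const msg = event.data;
  if (msg && msg.type === "decrypt") {
    state.decrypted.push(msg.ciphertext); // acts on untrusted input
  }
  return state;
}

// Hardened pattern: compare event.origin for exact equality against an
// allow-listed value (never a substring or loose regex test), then validate
// the message shape, and ignore everything that fails either check.
function hardenedHandler(event, state) {
  if (event.origin !== TRUSTED_ORIGIN) {
    state.rejected.push(event.origin);
    return state;
  }
  const msg = event.data;
  if (!msg || typeof msg !== "object" || msg.type !== "decrypt" ||
      typeof msg.ciphertext !== "string") {
    state.rejected.push("malformed");
    return state;
  }
  state.decrypted.push(msg.ciphertext);
  return state;
}

// When replying, pin targetOrigin to the verified sender instead of "*",
// so a reply carrying plaintext cannot be read by a different origin that
// navigated the source window in the meantime. (Builds the call only.)
function replyTo(event, payload) {
  return { target: event.source, payload, targetOrigin: event.origin };
}

// Constructed sample events: one legitimate, one from an attacker page, and
// one from a look-alike origin that a startsWith/indexOf check would accept.
const EVENTS = [
  { origin: "https://mail.example.test", source: "app", data: { type: "decrypt", ciphertext: "c1" } },
  { origin: "https://attacker.test", source: "evil", data: { type: "decrypt", ciphertext: "evil" } },
  { origin: "https://mail.example.test.attacker.test", source: "evil", data: { type: "decrypt", ciphertext: "evil2" } },
];

function runHandler(handler) {
  return EVENTS.reduce((s, e) => handler(e, s), { decrypted: [], rejected: [] });
}

// Stand-alone run: the vulnerable handler "decrypts" all three, the hardened
// one only the first.
console.log(runHandler(vulnerableHandler));
console.log(runHandler(hardenedHandler));
console.log(replyTo(EVENTS[0], { type: "plaintext", text: "..." }));
```

The exact-equality origin check is the whole fix; the look-alike origin in the third event is there because a prefix match on the trusted origin string is the most common way this check is written wrongly.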
§ ISec - Psiphon 3:
□ 1. Missing patches and security updates (Patching, High)
□ 2. Root logins allowed on Psiphon servers (Configuration, Medium)
□ 3. Admin SSH login via username and password (Configuration, Low)
□ 4. Unnecessary applications installed on servers (Configuration, Low)
□ 5. Hosts running unnecessary services as "root" (Configuration, Low)
□ 6. fail2ban does not alert on attacks (Configuration, Informational)
□ 7. SSH service displays sensitive information in banner on login (Configuration, Informational)
□ 8. Weak encryption standards for SSH (Configuration, Informational)
□ 9. Insecure default Android browser settings (Configuration, Informational)
□ 10. Windows client persists settings in Registry (Data Exposure, Informational)
□ 11. Windows client update script unreliable (Patching, Informational)
§ ISec - CryptoCat iOS:
□ 1. XMPP connection vulnerable to StartTLS stripping (Data Exposure, High)
□ 2. Private messages are logged in plaintext (Data Exposure, High)
□ 3. Private key stored in plaintext on local storage (Data Exposure, High)
□ 4. Information leaking from iOS screenshots (Data Exposure, Medium)
□ 5. Lack of return value checking for sensitive function calls (Configuration, Medium)
□ 6. HMAC validation timing attack (Cryptography, Medium)
□ 7. Crashes triggered by malformed multi-party messages (Denial of Service, Low)
□ 8. Public key data logged locally (Data Exposure, Low)
□ 9. Autocorrection leaks information to disk (Data Exposure, Low)
□ 10. Precompiled OpenSSL binaries in TBMultipartyProtocolManager (Patching, Informational)
□ 11. Outdated curve25519-donna implementation (Patching, Informational)
□ 12. CryptoCat's security model relies on unrealistic user requirements (Authentication, High)
□ 13. CryptoCat OTR implementation vulnerable to man-in-the-middle attacks (Authentication, High)
□ 14. Browser clients: Misleading security UI for SMP identity checking (Authentication, High)
□ 15. CryptoCat chat rooms log encrypted messages and can be made persistent (Data Exposure, Medium)
□ 16. Browser clients: Chat room eavesdropping using a regular XMPP client (Data Exposure, Medium)
□ 17. Weak SSL/TLS versions and cipher suites supported by XMPP service (Configuration, Medium)
§ ISec - WikiMedia:
□ 1. Reflected XSS in api.php (Data Validation, High)
□ 2. External reference in SVG (Data Validation, High)
□ 3. Stored XSS in uploaded SVG files (Data Validation, Medium)
□ 4. Entity expansion in SVG and XMP Metadata (Denial of Service, Medium)
□ 5. Lack of upper limit on password length allows DoS (Denial of Service, Medium)
□ 6. External reference in PDF (Data Validation, Medium)
□ 7. Stored XSS in PDF files (Data Validation, Medium)
□ 8. Custom JavaScript may yield privilege escalation (Data Validation, Medium)
□ 9. Weak password policy (Configuration, Medium)
□ 10. Lack of registry lock on domain names (Configuration, Medium)
□ 11. Users can inspect each other's personal JavaScript (Data Exposure, Low)
□ 12. Check User page lacks Cross Site Request Forgery (CSRF) protection (Data Validation, Low)
□ 13. User access roles are public (Data Exposure, Informational)
□ 14. RC4 cipher enabled (Configuration, Informational)
§ Cure53 - Cryptocat 2:
□ Stored XSS/HTML Injection via Conversation-/Nick-Name
□ Remote Code Execution via Conversation-/Nick-Name
□ De-Anonymization / Local Exploits via malformed Data URIs
□ Math.random() usage for unpredictable numbers
□ Potential DOM XSS within user nickname alteration
□ Invalid HTML code in link markup decorator
□ Multi-party HMAC implementation inconsistent with specs
□ Typo in multiparty key request implementation
□ Remote kick / user impersonation in multiparty chat
□ Usernames capable of altering the logic of Cryptocat 2
□ XMPP request IDs potentially disclose OTR chat activity
□ Cryptocat Chrome extension's cross-origin detection
□ OTR implementation vulnerable to poisoning in rare cases
§ Cure53 - Subrosa:
□ XSS via unfiltered Display Name in Camera View Overlay (High)
□ XSS via unfiltered Display Name in Call Notification (Critical)
□ XSS via unfiltered Display Name in Online Notification (Critical)
□ WebSocket Protocol vulnerable to Replay Attacks (Critical)
□ Manipulation of IV changes Decryption Output (Critical)
□ Password update leads to full account compromise (Critical)
□ Call Extension Attack allows for covert Surveillance (High)
□ Possible passive XSS via unfiltered News Item URL (Low)
□ Reliance on Server-Sanity causes tremendous XSS Risk (Medium)
□ Subrosa Version Check can be bypassed (Low)
□ User information partially sent in Cleartext (Medium)
□ UI can be broken using localStorage.sidebarWidth (Info)
□ No X-Frame-Options Headers or any Form of CSP is used (Low)
§ Cure53 - Access My Info:
□ DoS via inline XML Stylesheet in HTML to PDF conversion (Medium)
□ Overly verbose Error Messages leak internal Info (Low)
□ HTML Injection on dev.accessmyinfo.org (Low)
□ Missing Cookie Security Flags (Low)
□ SOME on WordPress via Plupload (High)
□ XSS on WordPress via insecure MediaElement (Critical)
□ Local File Access via HTML to PDF conversion (Info)
□ No validation for language cookies leverages Attacks (Low)
□ AMI-01-009 Persistent XSS in AMI CMS by design (Info)
§ Cure53 - SC4:
□ SC4-01-002 Running from file:// in Chrome is considered insecure (High)
□ SC4-01-004 XSS via Attacker-controlled usage of malicious Filenames (Critical)
□ SC4-01-006 Inconsistent Warning about a Key's Age (Low)
□ SC4-01-007 Preamble contains HTTP Link where HTTPS is needed (Low)
□ SC4-01-008 Attacker can fake Direction of encrypted, unsigned Messages (Low)
□ SC4-01-011 Message Contents shown with attacker-controlled MIME Type (Critical)
□ SC4-01-012 Signature does not cover filename and MIME type (Medium)
□ SC4-02-013 Random File Names are too short and allow brute-force Attacks (High)
□ SC4-02-014 No Warning about SC4 Copy in the Downloads Folder (Medium)
□ SC4-02-015 Different Content-Type bypasses Preview Sanitization (Critical)
□ SC4-02-017 Links to local files are not removed during Sanitization (High)
□ SC4-02-019 CSS can be used to break out of DIV containing Message (Medium)
□ SC4-02-020 Signatures for transferred Files are too ambiguous (Low)
□ SC4-01-001 Wrong Key-Size given in README.md (Info)
□ SC4-01-003 Hosted Version does not employ X-Frame-Options (Medium)
□ SC4-01-005 No Content Security Policy Headers are being used (Medium)
□ SC4-01-009 Different Signer and Encrypter are accepted (Low)
□ SC4-01-010 UI issue: "Encrypt" is a misleading label (Info)
□ SC4-02-016 No Character Set applied in Content-Type of sanitized Data (High)
□ SC4-02-018 No Protection from being framed for Local SC4 Version (Low)
§ Cure53 - CaseBox1:
□ CB-01-001 Arbitrary File Disclosure in Preview (Critical)
□ CB-01-002 Weak Hash in Password Recovery leading to Auth Bypass (Critical)
□ CB-01-003 "F"-Grade SSL Cert allows for feasible Eavesdropping Attacks (High)
□ CB-01-004 XSS via unfiltered Folder- and Action-Name (High)
□ CB-01-005 XSS in Content Field for user-created Actions (High)
□ CB-01-006 Persistent XSS via HTML Upload and Usage of "pw" Parameter (High)
□ CB-01-007 Header Injection via Download and malicious Filenames (Low)
□ CB-01-009 User Profile and other Forms vulnerable to CSRF Attacks (High)
□ CB-01-010 User's First- and Last-Name vulnerable to XSS Attacks (Critical)
□ CB-01-011 Persistent XSS via SVG Profile Photo Upload (High)
□ CB-01-012 Multiple Apache SOLR Query Injections in the Search Class (Medium)
□ CB-01-014 Remote Code Execution in AutoSetFields Plugin (Critical)
□ CB-01-015 Permission Restriction Bypass using CaseBox API (Critical)
□ CB-01-020 Flash XSS via Sencha Ext JS Vulnerability (High)
□ CB-01-021 Persistent XSS via Upload and File Rename Feature (Medium)
□ CB-01-022 Permission Restriction Bypass in API Objects class (High)
□ CB-01-023 Persistent XSS through Preview of Object Field Data (Medium)
□ CB-01-024 Persistent Passive XSS in Item Title (High)
□ CB-01-025 Persistent XSS via File Name in Upload Queue (Medium)
□ CB-01-027 Apache SOLR Injection Deletes all Documents (High)
□ CB-01-029 Second-Order SQL Injection in getUserData() (Critical)
□ CB-01-008 Information Disclosure based on enabled PHP Error Display (Low)
□ CB-01-011 Insufficient Salt and Password Hashing Complexity (Medium)
□ CB-01-013 Weak Restrictions allow uploading PHP Files to Webroot (Medium)
□ CB-01-014 Information Disclosure in Browser.php with Invalid File Names (Low)
□ CB-01-015 Potential Cross-Site Scripting in API Response Handler (Low)
□ CB-01-016 Potential Second-Order Cross-Site Scripting in TSV Auth (Low)
□ CB-01-017 Source Code leaks IP Address of Debug Servers (Low)
□ CB-01-018 Remote MySQL connection on Virtual Machines (Medium)
□ CB-01-019 Unsanitized CORE_NAME could lead to Vulnerabilities (Medium)
□ CB-01-026 Missing SSL Verification in Yubikey Secret Key Request (Medium)
□ CB-01-028 Limited Path Traversal Vulnerability in CB\Files (Low)
□ CB-01-030 Missing HTTP Security Headers and Name-Randomization (Low)
§ Cure53 - CaseBox Production:
□ CB-02-001 Missing Security Checks allow Privilege Escalation (High)
□ CB-02-003 User Information Disclosure (Medium)
□ CB-02-004 WebDav Software causing crashes and Privilege Escalation (High)
□ CB-02-002 Apache SOLR Exception Information Disclosure (Low)
□ CB-02-005 Possible Passive XSS in MSIE using poisoned PDF (Medium)
□ CB-02-006 World Readable SSL Certificates can lead to MitM attacks (Medium)
□ CB-02-007 Process Core Dumps can lead to potential Data Disclosure (Low)
□ CB-02-008 UMASK settings are too lax and allow for world readable files (Medium)
□ CB-02-009 Apache Server discloses Version Number (Low)
□ CB-02-010 Unnecessary Apache Modules are enabled (Low)
□ CB-02-011 Multiple Processes are running as root (Medium)
□ CB-02-012 The TCP/IP configuration should be hardened (Low)
□ CB-02-013 SSH Server uses a weak Server Key Length (Medium)
□ CB-02-014 MySQL allows for local file access (Medium)
□ CB-02-015 Missing File Integrity and Rootkit Checking (Medium)
□ CB-02-016 Temporary Directory should be more restrictive (Medium)
□ CB-02-017 No Linux Security Module was identified (Medium)
□ CB-02-018 PHP open_basedir to protect multiple instances from one another (Medium)
§ Cure53 - Clipperz:
□ CLP-01-001 DOMXSS in Clipperz Bookmarklet via benign HTML Injection (Medium)
□ CLP-01-002 Remote Code Execution in PHP Backend (Critical)
□ CLP-01-003 SQL Injection in PHP Backend (High)
□ CLP-01-004 Reflective Cross-Site Scripting in PHP Backend (Medium)
□ CLP-01-005 Local Cross-Site Scripting in PHP Backend (Low)
□ CLP-01-006 Unauthenticated Data Modification in PHP Backend (Info)
□ CLP-01-007 Session Fixation in PHP and Python Backend (Low)
□ CLP-01-008 File Disclosure in Java Backend on Windows (Low)
□ CLP-01-009 Unfiltered Street Address Data causes Self-XSS (Medium)
□ CLP-01-014 Persistent XSS via Direct Login from Bookmarklet (Critical)
□ CLP-01-015 Persistent XSS on Index Page via Direct Login Favicon (Critical)
□ CLP-01-016 SRP Implementation vulnerable to known Attacks (High)
□ CLP-01-017 SRP Authentication Bypass (Critical)
Miscellaneous Issues:
□ CLP-01-010 Reflection Injection in PHP Backend (Low)
□ CLP-01-011 Static window.name after Card Creation or Editing (Low)
□ CLP-01-012 No ID-Collision check disables Close Button (Low)
□ CLP-01-013 Information Leakage in PHP Backend (Low)
□ CLP-01-018 Weak PRNG in use by Clipperz Crypto-Libraries (Medium)
□ CLP-01-019 Erroneous Code used in SHA Module (Low)
□ CLP-01-020 Dead Code used in Clipperz Crypto Modules (Low)
□ CLP-01-021 AES Block Cipher differs from Standards (Low)
□ CLP-01-022 Usage of outdated MochiKit Library (Low)
□ CLP-01-023 Usage of outdated YUI Library (Low)
□ CLP-01-024 MitM attack allows execution of Privileged Functions (Medium)
□ CLP-01-025 Reuse of a previously calculated Toll (Low)
§ Cure53 - Cyph:
□ CY-01-002 Fake Channels cause Memcache Eviction and possible DoS (Medium)
□ CY-01-003 Castle: WebRTC connections lack Security Properties (Medium)
□ CY-01-005 Castle: Nonce Reuse in initial Handshake Messages (Medium)
□ CY-01-006 Castle: Server could MitM connections using hardware for ~$20k (High)
□ CY-01-007 Message ordering is not protected, allowing message drop (Medium)
□ CY-01-008 Coturn: MySQL on Port 3306 with default Credentials (Critical)
□ CY-01-009 Coturn: Server Admin Interface is using Default Credentials (Medium)
□ CY-01-010 Coturn: SQL Injection in Server Admin Interface Login Page (Critical)
□ CY-01-011 WebSign: TLS-MitM-Attacker can replace Cyph code (High)
□ CY-01-001 Padding is useless for the stated purpose (Info)
□ CY-01-004 Uneven distribution of characters in random IDs in links (Low)
□ CY-01-012 Missing noreferrer Attributes allow Access to window.opener (Low)
□ CY-01-013 Markdown Converter for Messages uses Schema Black-List (Low)
§ Cure53 - DOMPurify:
□ DOM-01-002 Double-clobbering enables sanitization bypass (High)
□ DOM-01-004 Mutation on XML Namespaces enables sanitization bypass (Critical)
□ DOM-01-001 Incorrect fallback handling leads to script termination (Info)
□ DOM-01-003 Missing clobber-check for elements with name attribute (Low)
□ DOM-01-005 Weak validation on custom data attribute names (Low)
§ Cure53 - Bazaar / Fdroid:
□ BZ-01-002 TOFU Requests too easy to recognize and intercept (Low)
□ BZ-01-003 Repository Fingerprint is not verified on first Fetch (High)
□ BZ-01-004 Command Injection Flaw in root-based Installation Method (Critical)
□ BZ-01-005 App with WES Permission can replace APKs before Installation (High)
□ BZ-01-007 Malicious symlinked APK can lead to arbitrary File Read (Medium)
□ BZ-01-008 Multiple XSS Problems in WP-FDroid Plugin (Medium)
□ BZ-01-011 Persistent XSS via SVG Upload in MediaWiki (Medium)
□ BZ-01-012 Arbitrary Command Execution via fdroid import and SVN (Critical)
□ BZ-01-013 Directory Traversal Exploit Potential caused by fdroid import (High)
□ BZ-01-014 RCE via fdroid checkupdates Command on Git Repository (Critical)
□ BZ-01-015 SVN Repository Access leaks Credentials to local Processes (Low)
□ BZ-01-017 Unauthorized Access to internal Network Resources (Medium)
□ BZ-01-001 SHA1 is used for Integrity Protection (Info)
□ BZ-01-006 Symlinking is implemented using a Shell Command (Medium)
□ BZ-01-009 Malicious App can inject additional Fields into aapt Output (Low)
□ BZ-01-010 Insecure PHP String Comparison in WP-FDroid Plugin (Low)
□ BZ-01-016 Metadata Directive Injection using Newlines in Values (Low)
§ Cure53 - Globaleaks:
□ GL-01-001 Receiver Login allows password-less authentication (Critical)
□ GL-01-002 XSS via sniffing and JSON injection in authentication page (Medium)
□ GL-01-003 Unsafe File-Downloads in Receiver-Area causing Local XSS (Medium)
□ GL-01-004 Possible information leakage through Browser/Proxy Cache (Medium)
□ GL-01-014 Lack of protection against brute-forcing admin role password (Medium)
□ GL-01-005 Log-File contains un-encoded HTML characters (Low)
□ GL-01-006 Whistleblower uploads allow flooding the server hard-disk (Medium)
□ GL-01-007 Crafted File-Uploads allow Content-Type Spoofing (Low)
□ GL-01-008 X-Frame-Options header not present (Low)
□ GL-01-009 Login/File upload sections do not have CSRF tokens (Low)
□ GL-01-010 Admin role does not have a username (Low)
□ GL-01-011 Admin-Uploads functional despite content filter/validation (Low)
□ GL-01-012 Default admin credentials and search engine indexing (Medium)
□ GL-01-013 Potential Arbitrary File writes on non-default configuration (Low)
□ GL-01-015 Application log file contains administrator password (Low)
□ GL-01-016 Weak filesystem permissions enable local attacks (Medium)
□ GL-01-017 Readable hard-coded credentials might compromise users (Low)
§ Cure53 - libjpeg-turbo:
□ LJT-01-003 DoS via progressive, arithmetic image decoding (Medium)
□ LJT-01-004 DoS via small Image with large Dimensions (Medium)
□ LJT-01-005 Out-of-Bounds Read via unusually long Blocks in MCU (High)
□ LJT-01-001 Wraparound in round_up_pow2() (Low)
□ LJT-01-002 Dangling pointer used as placeholder (Low)
§ Cure53 - Mailvelope:
□ MV-01-001 Insufficient Output Filtering enables Frame Hijacking Attacks (High)
□ MV-01-002 Arbitrary JavaScript execution in decrypted mail contents (High)
□ MV-01-003 Usage of external CSS loaded via HTTP in privileged context (Medium)
□ MV-01-004 UI Spoof via z-indexed positioned DOM Elements (Medium)
□ MV-01-005 Predictable GET Parameter Usage for Connection Identifiers (Medium)
□ MV-01-006 Rich Text Editor transfers unsanitized HTML content (High)
□ MV-01-007 Features in showModalDialog Branch expose Mailer to XSS (Medium)
□ MV-01-008 Arbitrary File Download with RTE editor filter bypass (Low)
□ MV-01-009 Lack of HTML Sanitization when using Plaintext Editor (Medium)
§ Cure53 - MiniLock:
□ ML-01-006 Unicode Passphrase causes Denial of Service (Low)
□ ML-01-001 Possible Uncloaking via decrypted HTML Files (Low)
□ ML-01-002 Lack of exception handling causes Denial of Service (Info)
□ ML-01-004 Recommended Recipient ID Truncation (Info)
□ ML-01-005 Insufficient Entropy in generated Passphrase (Medium)
□ ML-01-007 Use of deprecated Functions escape() and unescape() (Low)
□ ML-01-008 Missing senderID emits uncaught Error and causes App to freeze (Info)
□ ML-01-009 Scrypt is used with static Salt assisting Dictionary Attacks (Info)
□ ML-01-010 Manipulated Metadata causes App to freeze (Info)
□ ML-01-011 Weak Passphrases possible using Unicode and Umlauts (Medium)
□ ML-01-012 Unicode Filenames cause erroneous Downloads (Low)
§ Cure53 - Nitrokey Storage Hardware:
□ NK-02-001 JTAG Header accessible on the Nitrokey PCB (Critical)
□ NK-02-002 Weak Security Fuse Configuration (Critical)
□ NK-02-003 Security Relevant Signals Routed On Surface Layers (Critical)
□ NK-02-004 Microcontroller Contains DFU bootloader (Low)
□ NK-02-005 Brown Out Detection Not Enabled (High)
□ NK-02-006 Micro SD and Smartcard Slots lack ejection switch (High)
□ NK-02-007 Current Design Lacks Tamper Switches (Medium)
□ NK-02-008 No Offline Tampering Detection (Medium)
□ NK-02-009 Insufficient Design Density (Low)
§ Cure53 - Nitrokey Storage Firmware:
□ NK-01-004 Block number is used as IV in CBC mode (Medium)
□ NK-01-005 Out-of-Bounds Read in ConvertMatrixDataToPassword (Low)
□ NK-01-007 OTP commands can be used without authorization (High)
□ NK-01-008 OTP can be unlocked by replacing Smart Card (High)
□ NK-01-009 Passwords are encrypted in ECB mode (Low)
□ NK-01-010 GetRandomNumber_u32 mixes randomness improperly (Medium)
□ NK-01-013 Encryption of uninitialized memory in HV_WriteSlot_u8 (Medium)
□ NK-01-014 Security Bit is bound to Firmware Updates (High)
□ NK-01-015 Admin Check can be bypassed by resetting Smart Card (High)
□ NK-01-016 Out-of-Bounds Read in CCID Handling (Medium)
□ NK-01-001 One-Byte Buffer Overflow in HTML_CheckInput() (Low)
□ NK-01-002 Read access to uninitialized stack memory (Medium)
□ NK-01-011 HV_InitSlot_u8 zeroes encrypted slot data (Medium)
□ NK-01-017 Sightings of outdated, deprecated or unused code (Info)
§ Cure53 - Onion Browser:
□ OB-01-004 Information Leakage via Audio & Video Content (Info)
□ OB-01-005 Third-Party Cookie Protection does not work as expected (High)
□ OB-01-006 Tor Bypass via Race Condition and iTunes URLs (Critical)
□ OB-01-009 SSL Certificate Warning Bypass via .onion Subdomains (Critical)
□ OB-01-010 Tor Bypass leaking User's IP via WebSockets (Critical)
□ OB-01-011 Tor bypass via "Define" Functionality (Medium)
□ OB-01-013 Lack of Confirmation Dialog for "onionbrowser:forcequit" URIs (High)
□ OB-01-014 Cookie Blocker Bypass using Evercookie Features (High)
□ OB-01-016 Active Content Blocking Bypass via Data URIs (Critical)
□ OB-01-017 Tor bypass via Protocol Handler (Critical)
□ OB-01-001 Information Leakage through iOS Screenshots (Low)
□ OB-01-002 Insecure Browser Cookie Storage (Low)
□ OB-01-003 Bug in Bookmark Encryption causes Information Leakage (Low)
□ OB-01-007 Bug in Settings File Encryption causes Information Leakage (Low)
□ OB-01-008 Weak Default Configuration (Info)
□ OB-01-012 Lack of ASLR (Medium)
□ OB-01-015 Information Leakage via Keyboard Cache (Low)
§ Cure53 - OpenKeychain:
□ OKC-01-001 Private Keys can be imported from Keyserver (Medium)
□ OKC-01-004 Arbitrary file write when decrypting and saving messages (High)
□ OKC-01-006 Keyserver can send arbitrary Public Keys without Verification (Low)
□ OKC-01-009 Bypassable Fingerprint-Check for Key Exchange via QR Code (High)
□ OKC-01-010 Database can be exported using Encrypt Operation (Low)
□ OKC-01-011 Unconfirmed Main Identities are shown as confirmed (Low)
□ OKC-01-012 Database Extraction possible via Version Downgrade (Medium)
□ OKC-01-013 Key Usage unchecked upon Decryption / Signature Verification (Low)
□ OKC-01-014 Multiple File overwrite Vulnerabilities via Path Traversal (High)
□ OKC-01-015 Export of PGP Information in clear-text on insecure Storage (Medium)
□ OKC-01-017 Predictable File Creation on insecure Location (Medium)
□ OKC-01-018 Key Server Verification Bypass via HTTP Redirect (Medium)
□ OKC-01-002 Malicious public Key can lead to persistent Denial of Service (Medium)
□ OKC-01-003 Malicious Key Server response can lead to Denial of Service (Low)
□ OKC-01-005 Insufficient and insecure RSA/DSA Key Sizes permitted (Medium)
□ OKC-01-007 Signing Operations with weak Key lead to Denial of Service (Info)
□ OKC-01-008 OpenKeychain accepts weak Passwords without any Warning (Info)
□ OKC-01-016 No Warnings when adding a clear-text HTTP Key Server (Low)
§ Cure53 - Peerio:
□ PT-02-001 Client: XSS via Escape from String in JavaScript Eval (High)
□ PT-02-002 Server: Server can modify user-visible participant list (Low)
□ PT-02-003 UI: Not showing usernames reduces security (Low)
□ PT-02-004 Client: iOS app data leakage via Background Screenshots (Medium)
□ PT-02-008 Client: Files are not encrypted on the client-side (Medium)
□ PT-02-009 Client: Messages not properly bound to original Message (High)
□ PT-02-010 Server: belongsToUser() Function not working properly (Medium)
□ PT-03-001 Cooperating Participant and Server can create fake Receipts (Low)
□ PT-03-002 Denial of Service using invalid JSON Structures (Medium)
□ PT-03-004 PeerioServer.helpers.security.hostnameAllowed is bypassable (Low)
□ PT-03-005 Denial of Service using bad Base64 encoding (Medium)
□ PT-03-006 Denial of Service using bad JSON encoding (Medium)
□ PT-02-005 Client: iOS App Data stored on Mobile Device in Clear-Text (Low)
□ PT-02-006 Client: Unsafe Method Usage and General iOS App Weaknesses (Info)
□ PT-02-007 Client: iOS logic bug might ignore SSL warnings for downloads (Info)
□ PT-02-011 Server: Arbitrary Emails disabled from receiving Peerio Invites (Medium)
□ PT-03-003 Restricted admin interface performs no host header validation (Low)
§ Cure53 - SecureDrop:
□ SD-01-001 No HTTP Security Headers on Apache Error Pages (Medium)
□ SD-01-002 Missing HTTP Security Headers and Name-Randomization (Low)
□ SD-01-005 Missing HTTP Security Headers for 404 Pages (Medium)
□ SD-01-006 Possible path confusion / traversal via imprecise store.verify() (Medium)
□ SD-01-008 HTML Links on SecureDrop static sites leak Referrer (Medium)
□ SD-01-011 IPTABLES configuration allows outbound traffic (Medium)
□ SD-01-012 Flask cookies leak (server-side) session values (Low)
□ SD-01-003 Overly permissive Database privileges for "securedrop" user (Low)
□ SD-01-004 Lax Permissions for google-authenticator Files (Low)
□ SD-01-007 Considerations about TBB Configuration Settings (Medium)
□ SD-01-009 Possible Attacks via unfiltered File-Names in ZIP-File Creation (Low)
□ SD-01-010 Denial-of-Service for Source via UTF-8 in Journalist-Message (Medium)
§ Cure53 - SmartSheriff:
□ SMS-02-002 Complete lack of authentication on most API calls (Critical)
□ SMS-02-003 Smart Sheriff API still allows universal Password Leak (Critical)
□ SMS-02-004 Smart Sheriff leaks parent phone numbers (Medium)
□ SMS-02-005 Insufficient cryptographic XOR Protection for sensitive Data (High)
□ SMS-02-006 Reflected XSS via H_TYPE on ssweb.moiba.or.kr (Medium)
□ SMS-02-007 Possible Remote Code Execution via MitM in WebView (Critical)
□ SMS-02-008 Mobile app error handlers are set up to ignore all SSL errors (High)
□ SMS-02-009 Modifying Child-App Protection Settings (Medium)
□ SMS-02-010 Faking Child's Phone Usage (High)
□ SMS-02-012 Insecure usage of AES Encryption (Critical)
□ SMS-02-013 Unsafe Mobile App Data Storage on SD Card (High)
□ SMS-02-011 Multiple TLS Misconfiguration issues (Info)
□ SMS-02-001 Multiple Instances of outdated Software on API Servers (Medium)
§ Cure53 - StreamCryptor:
□ BSC-01-004 Directory Traversal Vulnerability via outputFolder Argument (High)
□ BSC-01-006 Unauthenticated FilenameNonce allows Information Leakage (Low)
□ BSC-01-007 Same Key is used for MAC and SecretBox (Medium)
□ BSC-01-001 README.md listing an outdated, deprecated Library Location (Info)
□ BSC-01-002 Redundant Header Data is being used (Low)
□ BSC-01-003 Outdated libsodium Version is used in Build Process (Info)
□ BSC-01-005 ChunkLength is not authenticated and not needed (Low)
□ BSC-01-008 MACs use no explicit Type Prefix (Low)
□ BSC-01-009 Unchecked Length Additions in ArrayHelpers (Medium)
□ BSC-01-010 GetRandomString is slightly skewed by an off-by-one Error (Info)
§ Cure53 - Whiteout.io:
□ WO-03-002 Insecure Regexps usage on DOMPurify Sanitizer Output (High)
□ WO-03-003 Insecure File Download Method Fallbacks (Low)
□ WO-03-009 Image Loading Opt-in Protection can be bypassed (Low)
□ WO-03-011 No Reliable Sender Indication is implemented (Medium)
□ WO-03-012 Broken postMessage Origin-Check in Iframe-Resizer (Low)
□ WO-03-013 Lack of X-Frame-Options Header on Whiteout Server (Medium)
□ WO-03-014 Spoofing of Signed Messages and general UI Concerns (High)
□ WO-03-016 TOFU Behavior for Forge-based TLS (Medium)
□ WO-03-017 No Forward Secrecy for TLS Connection in Forge (Low)
□ WO-03-018 Weak Passwords & Misleading Passphrase Strength Check (Low)
□ WO-03-019 Personal Data appearing in Debug Logs (Low)
□ WO-03-020 Insecure Default in Implementation of BCC Feature (Low)
□ WO-03-021 No Caching happening for Keyserver Responses (Medium)
□ WO-03-022 Mail Server Settings are not displayed by default (Low)
□ WO-03-023 STARTTLS Setting leads to opportunistic STARTSSL (High)
□ WO-03-024 Links can be opened in the message frame in MSIE 11 (High)
□ WO-03-027 Public-Key Verifier approves of unknown public Keys (Low)
□ WO-03-028 Spoofing of Return Address using malformed Reply-To Header (High)
□ WO-03-001 Loss of Entropy in randomString() Method of crypto-lib (Low)
□ WO-03-004 Off-by-one Error in randomString() Method of crypto-lib (Low)
□ WO-03-005 Off-by-one Error in Prime Worker Code of Forge library (Low)
□ WO-03-008 No Origin Checks for postMessage Communication (High)
□ WO-03-015 Regex-based Certificate Verification prone to Bypasses (Medium)
□ WO-03-025 Unsafe Extraction of clearsigned Text (Low)
□ WO-03-026 Key ID Collisions can prevent Key Download from working (Low)