bug-bounty (489)
google (318)
xss (283)
microsoft (259)
facebook (227)
rce (175)
apple (153)
exploit (147)
malware (112)
account-takeover (109)
bragging-post (102)
cve (92)
csrf (85)
privilege-escalation (81)
authentication-bypass (66)
stored-xss (65)
writeup (63)
phishing (60)
dos (57)
browser (57)
reflected-xss (57)
react (54)
ssrf (52)
access-control (51)
input-validation (49)
supply-chain (49)
cross-site-scripting (48)
cloudflare (48)
aws (47)
node (46)
docker (46)
sql-injection (45)
smart-contract (45)
ethereum (44)
web-security (43)
defi (43)
web-application (43)
reverse-engineering (42)
oauth (42)
web3 (40)
lfi (37)
burp-suite (36)
idor (36)
vulnerability-disclosure (35)
html-injection (33)
race-condition (33)
csp-bypass (32)
smart-contract-vulnerability (32)
clickjacking (31)
information-disclosure (30)
7/10
A researcher discovered a critical vulnerability chain in a multi-tenant business data management app: predictable, non-expiring invitation tokens with no signature protection allowed brute-forcing access to organizations; combined with a secondary issue that exposed pending admin invitations, this enabled full organizational takeover with minimal detection risk.
token-brute-force
account-takeover
privilege-escalation
organizational-takeover
invitation-system
weak-token-generation
enumeration
functional-vulnerability
access-control
business-logic-flaw
csrf-bypass
invitation-link-vulnerability
Plenum
InfoSec Write-ups