Cyber Security Universe

Content Spoofing is an injection in which user input is reflected as it is in the application response which can be used in phishing attacks. During the recon phase, I found itunesconnect.apple.com , a subdomain of apple and after digging into it, I had observed that the content of the error key parameter was reflecting back to the page as shown below

Microsoft Bot Unvalidated File Upload:  The security issue allows a malicious actor to upload any file without validating the extension or content type of the file. Acknowledgment : Microsoft Online Service Acknowledgements for July 2019 ( https://portal.msrc.microsoft.com/en-us/security-guidance/researcher-acknowledgments-online-services?rtc=1 )

The security issue allows a malicious actor to bypass the naive security implementation of rate limiters. This allows an attacker to abuse the functionality of profile view count and increases them indefinitely. The following are the steps to reproduce wherein I have used my own blogger account ( https://www.blogger.com/profile/09844396241453600561 )

As cyber security professional, I come across many various vulnerabilities from critical to low and sometimes informational(How to categorize- CVSS v3 ). Sometime back I was doing as usual my security assessment activity for a Bank(Confidential) for their HRMS web application which was 3rd party software whose vendor was "Adrenalin". CVE ID: CVE-2018-12653 Vulnerability Name: Reflected Cross Site Scripting(XSS) Product: Adrenalin HRMS Affected Version: 5.4.0 Credits: Rishu Ranjan

As cyber security professional, I come across many various vulnerabilities from critical to low and sometimes informational(How to categorize- CVSS v3 ). Sometime back I was doing as usual my security assessment activity for a Bank(Confidential) for their HRMS web application which was 3rd party software whose vendor was "Adrenalin". CVE ID: CVE-2018-12652 Vulnerability Name: Reflected Cross Site Scripting(XSS) Product: Adrenalin HRMS Affected Version: 5.4.0 Credits:    Rishu Ranjan  

As cyber security professional, I come across many various vulnerabilities from critical to low and sometimes informational(How to categorize- CVSS v3 ). Sometime back, I was doing as usual my security assessment activity for a Client (Confidential) for their HRMS web application which was 3rd party software whose vendor was "Adrenalin". CVE ID: CVE-2018-12651 Vulnerability Name: Reflected Cross Site Scripting(XSS) Product: Adrenalin HRMS Affected Version: 5.4 Source: MITRE Credits:    Rishu Ranjan  

As cyber security professional, I come across many various vulnerabilities from critical to low and sometimes informational(How to categorize- CVSS v3 ). Sometime back I was doing as usual my security assessment activity for a Client (Confidential) for their HRMS web application which was 3rd party software whose vendor was "Adrenalin". CVE ID: CVE-2018-12650 Vulnerability Name: Reflected Cross Site Scripting(XSS) Product: Adrenalin HRMS Affected Version: 5.4.0 Credits: Rishu Ranjan

As a cybersecurity expert, I come across a wide variety of vulnerabilities, ranging from critical severity to low severity and sometimes informative (Classification - CVSS v3). Some time ago, I was performing my security assessment as usual for a (confidential) customer for their HRMS web application, a third-party software whose vendor is " Adrenaline". CVE ID: CVE-2018-12234 Vulnerability Name: Reflected Cross Site Scripting(XSS) Product: Adrenalin HRMS Affected Version: 5.4.0 Source: MITRE Credits:    Rishu Ranjan