Yasin Soliman

I'm Yasin, a security analyst and OSCP from the UK, interested in web application testing and red team operations. This is my personal blog for sharing research findings.

Yasin Soliman
Author

Advisories and acknowledgements


Advisories

Project maintainers have issued the following public disclosures for vulnerabilities of note that I reported and that have since been remediated.

Web applications

| Product | Disclosure Date | Issue(s) | CVE |
|---|---|---|---|
| GitLab (8.16.5) | February 15th 2017 | Stored XSS via markup languages (blog post) | N/A |
| GitLab (9.0.2) | March 30th 2017 | Private group name disclosure | N/A |
| GitLab (9.0.4) | March 30th 2017 | Open redirect via import | N/A |
| Piwik (3.1.0) | September 12th 2017 | XSS issue within application | N/A |
| WordPress (4.8.2) | September 19th 2017 | Open redirect via user and term edit screens | CVE-2017-14725 |
| GitLab (10.0.4) | October 18th 2017 | Stored XSS via Markdown parser bypass | N/A |
| BuddyPress (2.9.2) | November 2nd 2017 | Open redirect via extended user edit screen | N/A |

Packages and libraries

| Package | Disclosure Date | Issue(s) | CVE |
|---|---|---|---|
| geminabox (0.13.10) | November 13th 2017 | Stored XSS via Gemspec homepage URL injection | CVE-2017-16792 |
| gemirro (0.15.0) | November 15th 2017 | Stored XSS via Gemspec homepage URL injection | CVE-2017-16833 |

Acknowledgements

The following organisations have publicly* acknowledged my responsible disclosure and vulnerability research efforts. Follow my activity on HackerOne, Bugcrowd, and the Google VRP to keep up to date with new findings.

| Year (first recognised) | Organisations |
|---|---|
| 2016 | Ubiquiti Networks, General Motors, Hootsuite, Netflix, Instacart, Constant Contact, Xero, OwnCloud, Coursera, Shopify, GlassWire, Skyport Systems, and Legal Robot |
| 2017 | GitHub, Recorded Future, Sourceforge, Uber, Automattic, Dell, AOL, Gogo, Sophos, Auto Trader, Envato, DigitalOcean, New Relic, Yahoo, Informatica Corporation, AT&T, Bosch, Etsy, Twitter, Mozilla (Firefox & Web Services), Algolia, Snapchat, Harvest, Plotly, Artsy, WordPress, Google, Imgur, and more... |

*Recognition from invitation-only bug bounty engagements and private programs is not included in the list above.