Alex Bogdanovski

3 exploits Active since Jun 2025
CVE-2026-34832 WRITEUP MEDIUM WRITEUP
Scoold: Cross-Account Feedback Deletion (IDOR)
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce object ownership (or moderator/admin authorization) before deletion. In verification, a second non-privileged account successfully deleted a victim account's feedback item, and the item immediately disappeared from the feedback listing/detail views. This issue has been patched in version 1.66.1.
CVSS 6.5
CVE-2025-48955 WRITEUP MEDIUM WRITEUP
Para < 1.50.8 - Sensitive Information Exposure in Log Files
Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes. Version 1.50.8 fixes the issue.
CVSS 6.2
CVE-2025-49009 WRITEUP MEDIUM WRITEUP
Para < 1.50.8 - Sensitive Information Exposure in FacebookAuthFilter Log
Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 in `FacebookAuthFilter.java` results in a full request URL being logged during a failed request to a Facebook user profile. The log includes the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure. Version 1.50.8 fixes the issue.
CVSS 6.2