Development » aiaxio

Summary¶

Identified several critical and medium-severity security issues during testing on the Aiaxio platform.

• Rendering issue with the HTML input field for 'First Name' on the Sign-up page.
• The API endpoint exposes user data.
• The upload profile photo option lacks rate limiting, potentially leading to a pixel flood.
• Users can reuse old passwords during the password change process.
• Some IPs are exposed with open ports during port scanning on the Aiaxio domain.
• Aiaxio Origin IP is exposed.
• Cross-site scripting (XSS) vulnerability in the 'First Name' input field, rendered on the email.
• The error page appears suddenly when clicking on "Sign up with Google."
• A strange error was encountered when attempting to sign up for the second time after a previous sign-up was deleted.
• The 'Full Name' field accepts HTML input, which is automatically treated as a username.
• Previous session cookies are not expired after changing the password.
• The IP rate limit warning message appears wired.
• Two different name buttons, "Sign Out" and "Log Out", which seem inconsistent.
• The username field accepts excessively large strings.
• The profile settings page lacks options to view or change the email address.
• The dashboard's 'Your Profile' card has a responsiveness issue with long usernames.

Proof of Concept¶

Vulnerabilities Sheet