total known vulnerabilities: 12 | fixed: 10 | won't fix: 2
Oct 11, 2024: Cross-Site Request Forgery - high severity - not exploited - fix
A CSRF vulnerability existed, potentially allowing account hijacking: a state-changing request could be forged by a cross-site page because the server relied on the session cookie alone.
Oct 11, 2024: DoS due to Missing Rate Limits - medium severity - not exploited - fix
Rate limits were not in place. This allowed a DoS by repeatedly calling endpoints that perform multiple filesystem accesses per request.
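Added example, not the site's own code, of a per-client fixed-window rate limiter in front of a handler that does filesystem work. The client key (IP address), limit, window and the simulated endpoint are assumptions made for the demo; the clock is injectable so the run is deterministic.

```javascript
// Added example (not the site's own code): a fixed-window, per-client rate
// limiter for Node.js handlers that do expensive filesystem work. The clock is
// injectable so behaviour is deterministic; the client key here is the IP.
class RateLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map(); // key -> { windowStart, count }
  }

  // Returns true if the request may proceed, false if the client is over limit.
  allow(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { windowStart: t, count: 0 };
      this.buckets.set(key, b);
    }
    if (b.count >= this.limit) return false;
    b.count += 1;
    return true;
  }

  // Drop expired buckets so the map itself cannot grow without bound.
  prune() {
    const t = this.now();
    for (const [key, b] of this.buckets) {
      if (t - b.windowStart >= this.windowMs) this.buckets.delete(key);
    }
  }
}

// Simulated expensive endpoint: counts how many times the FS work ran.
function makeHandler(limiter) {
  let fsCalls = 0;
  return {
    handle(req) {
      if (!limiter.allow(req.ip)) return { status: 429 };
      fsCalls += 1; // stands in for the directory walks / file reads
      return { status: 200 };
    },
    fsCalls: () => fsCalls,
  };
}

// Demo: one client hammers the endpoint 50 times in a second; only `limit`
// requests reach the filesystem, the rest are rejected before any FS work.
function demo() {
  let clock = 0;
  const limiter = new RateLimiter({ limit: 10, windowMs: 60000, now: () => clock });
  const handler = makeHandler(limiter);
  const statuses = [];
  for (let i = 0; i < 50; i++) {
    clock += 20;
    statuses.push(handler.handle({ ip: '203.0.113.7' }).status);
  }
  // A different client is unaffected by the first client's bucket.
  const other = handler.handle({ ip: '203.0.113.8' }).status;
  clock += 60000; // the abusive client's window expires
  const afterWindow = handler.handle({ ip: '203.0.113.7' }).status;
  return {
    served: statuses.filter((s) => s === 200).length,
    rejected: statuses.filter((s) => s === 429).length,
    fsCalls: handler.fsCalls(),
    otherClient: other,
    afterWindow,
  };
}
```

Keying on the raw IP is only meaningful when the app sees the real client address (behind a proxy, use the proxy's forwarded header and trust only that proxy); otherwise every client shares one bucket.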
Oct 11, 2024: 7x Unsanitized input into path expression - high severity - not exploited - fix
Unsanitized values were passed into several path components, potentially allowing users to read or write arbitrary files on disk (path traversal).
Oct 11, 2024: Clear-Text Transmission of Sensitive Cookie - medium severity - won't fix
Session cookies can be intercepted by an attacker when sent over plain HTTP.
Won't fix as it only affects the test environment (production traffic is routed through HTTPS).
Oct 11, 2024: Client-Side URL Redirect - low severity - won't fix
The vulnerability exists in the Nic Cage Eats Stuff game. Won't fix as it doesn't compromise anything important.
Oct 11, 2024: Vulnerable dependency - low severity - not exploited - fix
The "cookie" package for Node.js had a vulnerability allowing arbitrary data to be set in a cookie.
scribe.stene.xyz (Scribe 1.0)
total known vulnerabilities: 2 | fixed: 2 | won't fix: 0
Aug 31, 2023: Cross-Site Scripting - medium severity - not exploited - closed-source
The title of Scribe pages was not sanitized before being written into the generated page file, allowing script tags placed in a title to be embedded in the page (stored XSS).
Aug 31, 2023: DoS - low severity - not exploited - closed-source
When a new site was created whose ID was already taken, the web server would loop indefinitely trying to save under a different ID. Repeatedly creating many sites with the same name therefore made a DoS possible.
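Added example, not Scribe's code, covering both Scribe entries above: the title is escaped on output before it is written into the page, and the site ID is allocated with a bounded number of attempts so a duplicate name fails fast instead of spinning. The in-memory registry, the slug-plus-suffix ID scheme and the attempt cap are assumptions made for the demo.

```javascript
// Added example (not Scribe's code): (1) escape a page title before it is
// written into generated HTML, and (2) allocate a site ID with a bounded
// number of attempts instead of looping forever when the ID is taken.
// The Map registry and the slug-plus-suffix ID scheme are demo assumptions.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the title is interpolated raw, so "<script>" in a title lands
// in the file as markup.
function renderPageVulnerable(title) {
  return `<title>${title}</title>`;
}

// Fixed: escaped at the point it becomes HTML.
function renderPage(title) {
  return `<title>${escapeHtml(title)}</title>`;
}

const MAX_ID_ATTEMPTS = 10;

// Base ID derived from the name; duplicates get -2, -3, ... up to the cap.
function slugify(name) {
  return String(name).toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/(^-|-$)/g, '') || 'site';
}

// Returns a free ID or null once the cap is hit; the caller turns null into
// an error response rather than retrying.
function allocateId(registry, name) {
  const base = slugify(name);
  for (let i = 1; i <= MAX_ID_ATTEMPTS; i++) {
    const candidate = i === 1 ? base : `${base}-${i}`;
    if (!registry.has(candidate)) return candidate;
  }
  return null;
}

function createSite(registry, name, title) {
  const id = allocateId(registry, name);
  if (id === null) return { ok: false, error: 'too many sites with this name' };
  registry.set(id, { name, html: renderPage(title) });
  return { ok: true, id };
}

// Demo: twelve creates with the same name and a script-bearing title. The
// first ten get IDs, the remaining two fail immediately, and every stored
// page has the title escaped.
function demo() {
  const registry = new Map();
  const outcomes = [];
  for (let i = 0; i < 12; i++) {
    outcomes.push(createSite(registry, 'My Site', 'Hello <script>alert(1)</script>'));
  }
  return {
    ids: outcomes.filter((o) => o.ok).map((o) => o.id),
    failures: outcomes.filter((o) => !o.ok).length,
    vulnerableHtml: renderPageVulnerable('<script>alert(1)</script>'),
    fixedHtml: registry.get('my-site').html,
  };
}
```

Escaping belongs at the HTML boundary rather than on input: a title stored raw can be shown safely in HTML, JSON and plain text as long as each output path escapes for its own context.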