CVE-2022-44022: Username Enumeration via Response Timing in PwnDoc

PwnDoc up to version 0.5.3 allows remote attackers to identify valid usernames by exploiting response timings during authentication attempts.

Product: PwnDoc
CVE: CVE-2022-44022
CVSSv3 Score: 5.3 (Medium)
CWE: CWE-307

Exploitation Steps

This vulnerability allows username enumeration in PwnDoc (tested on version 0.5.3 - 2022-07-19 and earlier) by observing web server response timings during login attempts.

Example Scenario: Suppose the following users are registered in PwnDoc: ...

Published on 29/10/2022 · 1 min · 107 words · Astaruf

CVE-2020-13654 - My First CVE: XSS > CSRF > Privesc to ADMIN

Finding your first CVE is one of those things that stays with you. Not so much for the assigned number, which is ultimately just an identifier in a database, but for the process: the moment you realize the bug is real, that nobody has reported it before you, and that you have the responsibility to handle it correctly. I’m telling this story in this post from start to finish: the discovery, the exploit, and finally the responsible disclosure process with MITRE. ...

Published on 30/12/2020 · 10 min · 2110 words · Astaruf

About me

Hi, I’m Lorenzo :) I work in cybersecurity, with a focus on web hacking. In this space I’ll share my experiences in this field, my projects, and the small milestones I’ve achieved.

Published on 20/02/2020 · Astaruf