Responsible vulnerability disclosure acknowledgements

All vulnerabilties listed here are already fixed.

philip.media would like to thank the following security researchers, who have reported vulnerabilities to us as part of a Responsible Disclosure Procedure:

2023

Researcher	Vulnerability	CVE	Risk level
Automated via Snyk Code	Path Traversal	CWE-23	Low risk
Automated via Snyk Code	Cross-site Scripting (XSS)	CWE-79	Medium risk
Jack Works via Dependabot	Cross-realm object access in Webpack 5	CVE-2023-28154	Medium risk

2022

Researcher	Vulnerability	CVE	Risk level
Parshwa Bhavsar	Unauthorized REST-API Access (WP)	CVE-2017-5487	Medium risk
Gaurang Maheta	Deprecated SSH Protocol (False positive)	CVE-2001-1473	Low risk
Dependabot	Cross-domain cookie leakage in Guzzle (guzzlehttp/guzzle)	CVE-2022-29248	High risk
Dependabot	Fix failure to strip Authorization header on HTTP downgrade in Guzzle (guzzlehttp/guzzle)	CVE-2022-31043	Medium risk
Dependabot	Failure to strip the Cookie header on change in host or HTTP downgrade in Guzzle (guzzlehttp/guzzle)	CVE-2022-31042	Medium risk
Dependabot	Change in port should be considered a change in origin in Guzzle (guzzlehttp/guzzle)	CVE-2022-31091	Low risk
Dependabot	CURLOPT_HTTPAUTH option not cleared on change of origin in Guzzle (guzzlehttp/guzzle)	CVE-2022-31090	Medium risk

2021

Researcher	Vulnerability	CVE	Risk level
Intern (pb)	Log4Shell	CVE-2021-45105	High risk
Gaurang Maheta	OpenSSH Username Enumeration		Medium risk
Sivan Mujtaba	XSS Vulnerability		Low risk
ykl	XSS Vulnerability		Low risk
SECFAULT	iFrame injection		Medium risk

2020

Researcher	Vulnerability	CVE	Risk level
No name given	Database leakage		High risk