Regarding Security Vulnerabilities in Pidgin

Eion Robb eion at robbmob.com
Thu Aug 25 19:48:02 EDT 2022


Oh man, I thought your emails were a joke, but it's serious?

You're worried about an *open source application* that's displaying a
changelog?  You might be in for a shock to find out that we also include
all of our commits and our source code for public viewing.  Gasp!

Happy to put your email up on a Hall of Fame if you really want, but maybe
you want to keep that one to yourself.  Hopefully you've not embarrassed
yourself by emailing other open-source projects with the same.

Good luck!

On Thu, 25 Aug 2022 at 23:32, S3cur3 t3ch <s3cur3t3ch2022 at gmail.com> wrote:

> Dear Team,
>
> Kindly let me know if there is any update about the issue mentioned in the
> below mail trail.
>
> Thanks & Regards
>
>
>
> On Tue, Aug 23, 2022 at 3:41 PM S3cur3 t3ch <s3cur3t3ch2022 at gmail.com>
> wrote:
>
> > Dear Team,
> >
> > Greetings of the day
> >
> > Kindly ignore the previous mail.
> >
> > Please find the updated mail below.
> >
> > This mail is to inform you that I got a Security Issue on your website
> > https://pidgin.im/install/.
> > Please find the attached screenshot for reference.
> >
> > Issue: Able to access Sensitive Log file
> >
> > Description: Any user can access a changelog file at
> > https://pidgin.im/ChangeLog in which sensitive data is revealed
> > (such as all the details of the changes made, along with the name of
> > the person who made the changes, version numbers, etc.)
> >
> > Steps to Reproduce:
> > 1. Visit https://pidgin.im/ChangeLog
> >
> > Impact:
> > Attackers can use this information for further exploits.
> >
> > Remediation:
> > It is recommended to provide access to https://pidgin.im/ChangeLog only
> > to legitimate users, and all other users should get a 403 Forbidden
> > error.
> >
> > Kindly let me know in case of any additional information required.
> > Please let me know if you have any bug bounty programs or Hall of fame.
> >
> > I look forward to hearing from you.
> >
> > Thanks & Regards
> > s3cur3t3ch2022 at gmail.com
> >
> _______________________________________________
> security mailing list
> security at pidgin.im
> https://lists.pidgin.im/listinfo/security