arxius: Missing Rate Limit for Password Reset Verification - Vulnerable to brute force
Description: The password reset verification does not seem to have a rate limit, unlike the email verification on sign up, which does. The password reset link looks like this: https://arxius.io/password/EMAIL%40DOMAIN.COM/RESTTOKEN On clicking the link, it prompts you to enter a new password. When...
arxius: another local file disclosure via ffmpeg
Summary: The fix for https://hackerone.com/reports/242831 can be easily bypassed. It looks like you've banned the file:// substring, which is not enough. Repro steps: 1. Download the attached genavi.py and run the script like this: python3 genavi.py /etc/passwd mustsandboxffmpeg.avi.mp4. 2. Visit...