Lichess: ImageId Format Injection in Image Upload Endpoint
The image upload endpoint in the Lichess application did not properly validate the 'rel' parameter, allowing an attacker to inject special characters that broke the expected format of the generated ImageId. This could have led to parsing issues in other parts of the application that relied on the...
Lichess: Improper Authentication Throttling Allows Attacker-Controlled Account Lockouts
The application lacks sufficient safeguards in its authentication throttling logic. It permits arbitrary users to trigger lockouts on any account by submitting multiple failed login attempts using a known or guessed username. Because the system does not verify the request origin or impose...
Lichess: Direct IP Access to Website
Summary: The website is accessible directly via its IP address 37.187.205.99, which may bypass domain-based security policies and expose potential misconfigurations.
Steps To Reproduce:
1. Open a web browser and enter the IP address: http://37.187.205.99
2. Observe that it loads the main website...