4 matches found

Hacker One
added 2024/11/03 11:26 a.m., 6 views

Sorare: Insufficient input verification leads to DoS and resource consumption

The vulnerability affects the API endpoint at api.sorare.com/api/v1/users/, where insufficient input verification of the email parameter was discovered. This allowed an attacker to submit an excessively long email, causing the server to become unresponsive and return a 503 Service Unavailable...

AI score: 7
Exploits: 0

Hacker One
added 2023/07/03 5:37 p.m., 4 views

Sorare: Circular based introspection Query leading to single request denial of service and cost consumption and query cost on api.sorare.com/graphql

The Sorare GraphQL API has an introspection feature enabled by default, which allows developers to explore the API's schema. However, due to a lack of depth limits, an attacker can execute a circular introspection query that leads to a single request denial of service, affecting both the...

AI score: 7.3
Exploits: 0

Hacker One
added 2022/12/26 8:8 p.m., 94 views

Sorare: Mystery with a leaked token and Reusability of email confirmation link leading to Account Takeover

A vulnerability was discovered where leaked email confirmation links could be reused to gain access to a user's account without requiring a password. This was possible by modifying the token parameter in the URL of the expired confirmation link. An attacker who gains access to such a leaked link...

AI score: 7.2
Exploits: 0

Snyk
added 2022/06/23 9:24 a.m., 2 views

Malicious Package

Overview: @sorare-marketplace/components is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if...

CVSS: 9.8, AI score: 7
Exploits: 0, References: 3