URL Shortify < 1.7.6 - Unauthenticated Stored XSS via referer header

Description The plugin does not properly escape the value of the referer header, thus allowing an unauthenticated attacker to inject malicious javascript that will trigger in the plugins admin panel with statistics of the created short link. PoC 1. Add a new shortened link in the interface...

Reverb.com: Disclosure of all uploads to Cloudinary via hardcoded api secret in Android app

Hi, in file com/reverb/app/CloudinaryFacade.java you have hardcoded the following config: java private static final java.lang.String CONFIG = "cloudinary://434762629765715:█████@reverb"; where 434762629765715:████████ is basic auth details. It shouldn't be disclosed to third parties as official...