
Credits

We appreciate the time and effort that security researchers contribute. So on this page we publicly acknowledge and thank those who help keep MIDAS and our users safe.

| Report Received | Resolved | Time To Resolve | Summary | More Info | Credit |
|---|---|---|---|---|---|
| 30th July 2020 17:55 | 30th July 2020 18:08 | 13 minutes | Stored XSS vulnerability in MIDAS | A stored XSS vulnerability was discovered in relation to adding new venues to MIDAS. This has been fixed as of MIDAS v4.25 (Build 30/07/2020 @ 18:08 UTC) | Ranjit Pahan |
| 27th July 2020 10:00 | 27th July 2020 10:17 | 17 minutes | Reflected XSS vulnerability on mid.as | OBB-1236537 | Abhi Sharma |
| 16th July 2020 16:55 | 16th July 2020 17:50 | 55 minutes | Reflected XSS vulnerability on mid.as | A reflected XSS vulnerability was discovered affecting non-existent pages. | Pratik Khalane |
| 16th July 2020 01:33 | 16th July 2020 13:00 | 11 hours | Vulnerable redirect to PayPal | A vulnerability was discovered which could allow a malicious attacker to tamper with payment redirects to PayPal. | Manoj Khadka |
| 15th July 2020 11:41 | 15th July 2020 13:04 | 83 minutes | Reflected XSS vulnerability in MIDAS | A reflected XSS vulnerability was discovered when adding new venues in MIDAS. This has been fixed as of MIDAS v4.25 (Build 15/07/2020 @ 13:04 UTC) | Ronit Bhatt |
| 15th July 2020 09:30 | 15th July 2020 11:05 | 95 minutes | CORS vulnerability in blog.mid.as | A CORS vulnerability was discovered in the WordPress installation at blog.mid.as. | Ronit Bhatt |
| 15th July 2020 09:06 | 15th July 2020 10:09 | 63 minutes | Reflected XSS vulnerability in language editor | A reflected XSS vulnerability was discovered in the Beta Test Suite's Language Editor. | Manav Doshi |
| 15th July 2020 06:12 | 15th July 2020 09:36 | 3 hours | Same Site Scripting vulnerability | A Same Site Scripting vulnerability was discovered on our mid.as and midas.network domains. | Shivam Pravin Khambe |
| 15th July 2020 04:49 | 15th July 2020 11:34 | 7 hours | No flood control on password reset request emails | No rate limiting was imposed for the password reset process in MIDAS. If a malicious attacker knew the email address for a valid user account in a given MIDAS system, they could potentially flood their inbox with password reset request emails. This has been fixed as of MIDAS v4.25 (Build 15/07/2020 @ 11:34 UTC) | Abhinav Porwal |
| 2nd June 2020 10:31 | 2nd June 2020 10:55 | 23 minutes | Reflected XSS vulnerability on mid.as | OBB-1181081 | raz0r_bl4de |
| 2nd October 2018 17:42 | 28th October 2018 18:28 | 48 minutes | Reflected XSS vulnerability in MIDAS; Stored XSS vulnerability in MIDAS | Two separate vulnerabilities were discovered. The first related to a reflected XSS vulnerability in the Search module, the second to a stored XSS vulnerability in the Booking Grid. Both were fixed as of MIDAS v4.20 Beta (Build 28/10/2018 @ 18:28 UTC) | lacroute serge france |

Times shown are UTC unless otherwise stated