Security Insight: Read our blog post on the evolution of Password Storage in MIDAS

Credits

We appreciate the time and effort that security researchers contribute. So on this page we publicly acknowledge and thank those who help keep MIDAS and our users safe.

Report Received Resolved Time To Resolve Summary More Info Credit
19th May 2021 11:45 19th May 2021 14:14 2.5 hours Privilege elevation A vulnerability was discovered that could allow a user with limited privileges to escalate them Shail Shah
18th May 2021 17:14 18th May 2021 18:39 85 minutes XEE vulnerability An XML External Entities (XEE) vulnerability was discovered in the public booking/request modules which could lead to a Billion Laughs attack Shail Shah
17th May 2021 17:10 17th May 2021 18:05 55 minutes Stored/Reflected XSS vulnerability in MIDAS A vulnerability was discovered in input sanitization which could lead a malicious attacker to inject stored/reflected XSS Shail Shah
17th May 2021 15:38 17th May 2021 16:30 52 minutes Captcha replay vulnerability on mid.as A vulnerability was discovered in the Captcha implementation on our free trial sign up page that could allow a malicious attacker to re-use a Captcha they'd previously manually solved Shail Shah
2nd April 2021 12:45 2nd April 2021 13:05 20 minutes Missing security headers on some *.midas.hosting sub domains Missing security headers were detected on some *.midas.hosting subdomain. Mayank Mukhi
13th January 2021 09:37 13th January 2021 11:37 2 hours Email flood control weakness in mailing list subscribing A vulnerability was discovered in the mailing list signup form at mid.as/contact which could potentially allow a malicious attacker to send a large volume of subscription confirmation emails to a given target. Pranav Yadav
12th December 2020 17:26 12th December 2020 18:20 54 minutes Information disclosure on midas.network Whilst initially reported as an "Improper Access Control" vulnerability, our team believe this to be a PHP "Information disclosure" vulnerability. See also OBB-1602306. Pramod Yadav
30th July 2020 17:55 30th July 2020 18:08 13 minutes Stored XSS vulnerability in MIDAS A stored XSS vulnerability was discovered in relation to adding new venues to MIDAS.
This has been fixed as of MIDAS v4.25 (Build 30/07/2020 @ 18:08 UTC).
Ranjit Pahan
27th July 2020 10:00 27th July 2020 10:17 17 minutes Reflected XSS vulnerability on mid.as OBB-1236537 Abhi Sharma
16th July 2020 16:55 16th July 2020 17:50 55 minutes Reflected XSS vulnerability on mid.as A Reflected XSS vulnerability was discovered affecting non-existent pages. Pratik Khalane
16th July 2020 01:33 16th July 2020 13:00 11 hours Vulnerable redirect to PayPal A vulnerability was discovered which could allow a malicious attacker to tamper with payment redirects to PayPal. Manoj Khadka
15th July 2020 11:41 15th July 2020 13:04 83 minutes Reflected XSS vulnerability in MIDAS A reflected XSS vulnerability was discovered when adding new venues in MIDAS.
This has been fixed as of MIDAS v4.25 (Build 15/07/2020 @ 13:04 UTC).
Ronit Bhatt
15th July 2020 09:30 15th July 2020 11:05 95 minutes CORS vulnerability in blog.mid.as A CORS vulnerability was discovered in the Wordpress installation at blog.mid.as. Ronit Bhatt
15th July 2020 09:06 15th July 2020 10:09 63 minutes Reflected XSS vulnerability in language editor A reflected XSS vulnerability was discovered in the Beta Test Suite's Language Editor. Manav Doshi
15th July 2020 06:12 15th July 2020 09:36 3 hours Same Site Scripting vulnerability A Same Site Scripting vulnerability was discovered on our mid.as and midas.network domains. Shivam Pravin Khambe
15th July 2020 04:49 15th July 2020 11:34 7 hours No flood control on password reset request emails No rate limiting was imposed for the password reset process in MIDAS.
If a malicious attacker knew the email address for a valid user account in a given MIDAS system, they could potentially flood their inbox with password reset request emails.
This has been fixed as of MIDAS v4.25 (Build 15/07/2020 @ 11:34 UTC)
Abhinav Porwal
2nd June 2020 10:31 2nd June 2020 10:55 23 minutes Reflected XSS vulnerability on mid.as OBB-1181081 raz0r_bl4de
2nd October 2018 17:42 28th October 2018 18:28 48 minutes Reflected XSS vulnerability in MIDAS
Stored XSS vulnerability in MIDAS
Two separate vulnerabilities were discovered.
The first related to a reflected XSS vulnerability in the the Search module, the second to a stored XSS vulnerability in the Booking Grid.
Both were fixed as of MIDAS v4.20 Beta (Build 28/10/2018 @ 18:28 UTC)
lacroute serge france

Times shown are UTC unless otherwise stated