Closed r00tuser111 closed 1 year ago
Hi @r00tuser111,
Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development.
Please keep in mind that the Tsunami Scanner Team will only be able to work on one issue at a time for each participant, so please hold off on the implementation work for any other requests you might have.
Thanks!
Please take a look at #273
Any updates?
Hi @YuriyPobezhymov! Reward has been granted. Thanks!
@nttran8, great, waiting for email.
Hi @YuriyPobezhymov! The internal status indicates reward has been granted. Could you please double check? Thanks!
Hi @YuriyPobezhymov! The email from the rewards program was sent on June 1 and I think you're pending the email from the payment team right?
Hello @nttran8. In my email inbox I see only one email about WSO2: "Tsunami Patch Reward Submission 68: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/ for WSO2 products". This thread doesn't contain any further interactions, like there were for old submissions. So I don't even have the panel decision result.
@nttran8, any updates?
Hi @YuriyPobezhymov, thank you for your patience. The email sent on June 1 is a reply to the email chain you mentioned. I forwarded you the email for reference. In the meantime, we're reaching out to the payment team and will inform you of any updates.
@nttran8, I don't see forwarded email.
@YuriyPobezhymov Thanks for flagging! We see where the issue is and are in the process of initiating payment.
@YuriyPobezhymov Decision email has been sent! The payment team is processing the reward.
@nttran8, still haven't received any emails from the payment team
Hello @nttran8! Thank you, I've got the reward. Waiting for your team to accept my Drupal fingerprinting PR #326.
Hello.
I would like to start implementing a plugin to detect the WSO2 unrestricted arbitrary file upload and remote code execution vulnerability.
Reference:
Description: Due to improper validation of user input, a malicious actor could upload an arbitrary file to a user controlled location of the server. By leveraging the arbitrary file upload vulnerability, it is further possible to gain remote code execution on the server.
Versions:
WSO2 API Manager 2.2.0 and above
WSO2 Identity Server 5.2.0 and above
WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
WSO2 Identity Server as Key Manager 5.3.0 and above
WSO2 Enterprise Integrator 6.2.0 and above
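As an added illustration of the bug class the advisory text above describes, and not code from WSO2, from the Tsunami project, or from the issue author: a hypothetical upload handler that joins the client-supplied filename straight onto the upload directory (so a traversal sequence lands the file wherever the attacker chooses, e.g. a webapp root where a JSP would be executed), beside a hardened version that strips directory components, allow-lists the extension and confirms the resolved path is still under the upload root. The function names, the upload directory layout, the traversal filename and the payload bytes are all constructed for this example; the real WSO2 endpoint and parameters are not reproduced here.

```python
"""Hypothetical upload handler: vulnerable vs. hardened.

Not WSO2's code. Shows the 'arbitrary file upload to a user-controlled
location' defect pattern from the advisory text in isolation. All paths
and inputs are constructed inside a throwaway temp directory.
"""
import shutil
import tempfile
from pathlib import Path

# Assumed policy for the hardened handler: only these types may be stored.
ALLOWED_SUFFIXES = {".png", ".jpg", ".pdf"}


def save_upload_vulnerable(upload_root: Path, user_filename: str, data: bytes) -> Path:
    """Bug: the destination is built directly from the client-supplied name,
    so '../../webapps/ROOT/shell.jsp' escapes upload_root entirely."""
    dest = upload_root / user_filename
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def save_upload_hardened(upload_root: Path, user_filename: str, data: bytes) -> Path:
    """Same operation with the three checks a reviewer would ask for."""
    # 1. Keep only the final path component; drops '../' and nested dirs.
    #    (On POSIX, Path().name does not split on backslashes, so a
    #    Windows-style '..\\x.jsp' survives intact and is caught by step 2.)
    name = Path(user_filename).name
    if not name or name in {".", ".."}:
        raise ValueError("empty or invalid filename")
    # 2. Allow-list the extension so server-executable content is rejected.
    if Path(name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("disallowed file type")
    # 3. Resolve symlinks and confirm the final path is still inside the root.
    root = upload_root.resolve()
    dest = (root / name).resolve()
    if dest.parent != root:
        raise ValueError("path escapes upload root")
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Run both handlers against a constructed traversal filename and report."""
    base = Path(tempfile.mkdtemp()).resolve()
    try:
        root = base / "app" / "uploads"
        root.mkdir(parents=True)
        payload = b"<%-- constructed placeholder, not a real webshell --%>"
        traversal = "../../webapps/ROOT/shell.jsp"  # constructed attacker input
        results = {}

        # Vulnerable handler: file ends up under base/webapps/ROOT, outside uploads/.
        written = save_upload_vulnerable(root, traversal, payload).resolve()
        results["vulnerable_escaped_root"] = root.resolve() not in written.parents
        results["vulnerable_path"] = str(written.relative_to(base))

        # Hardened handler: same input is refused before anything is written.
        try:
            save_upload_hardened(root, traversal, payload)
            results["hardened_blocked"] = False
        except ValueError as err:
            results["hardened_blocked"] = True
            results["hardened_reason"] = str(err)

        # Hardened handler still accepts a benign upload and keeps it in place.
        kept = save_upload_hardened(root, "report.pdf", b"%PDF-1.4")
        results["hardened_kept_under_root"] = kept.parent == root.resolve()
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the checks matters: stripping the directory component first means the traversal can never reach the filesystem, and the extension allow-list is what turns "upload" from "remote code execution" into a nuisance, since the advisory's RCE step depends on the uploaded file being placed somewhere the server will execute it.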