High-impact vulnerability on one of your subdomains
Albert Astals Cid
aacid at kde.org
Tue Jul 29 10:25:41 BST 2025
On Monday, 28 July 2025 at 23:13:25 (Central European Summer Time), r3verii r3verii wrote:
> Hello, my name is Martino Spagnuolo, and I am a cybersecurity researcher.
> I am contacting you because I have found a fairly serious vulnerability in
> an open source web app. I already contacted the vendor five days ago and
> searched the web to extract all instances of this software. One of your
> subdomains is included in the extracted list.
>
> Do you have a bug bounty program?
KDE does not have a bug bounty program.
> If so, I can provide you with all the
> details to replicate and test the vulnerability and how to fix it.
It is a bit sad that you will only provide us with the details to replicate
and test the vulnerability and how to fix it if we have a bug bounty program.
If you change your mind please contact sysadmin at kde.org with the vulnerability
details (I understand this open source web app is something KDE uses not
something KDE develops).
Best Regards,
Albert
>
> At the time of writing this email, the software vendor has not yet
> responded, making it a “0day” vulnerability.
>
> Technical details:
>
> Vulnerability score: High
> Vulnerability category: XSS / CSRF
> Impact: Admin account takeover