Improper Removal of Sensitive Information Before Storage or Transfer in liangliangyy/djangoblog


Reported on

Feb 11th 2022


The application leaked the email addresses of unvalidated users to anonymous users.

Proof of Concept

  • Step 1: Go to and create an account. After the account is created successfully, you will receive a URL like
  • Step 2: Open another browser and paste the link; you will see the email address of the unvalidated user with id=4


This reveals users' personal information (their email addresses) to anyone who holds or guesses the link. The application should only show the message immediately after successful registration, not all the time.
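The leaky pattern beside the fix the report asks for, as an added illustration that is not djangoblog's own code: the "registration successful" page identifies the account from an id in the URL (anyone can read it) versus from a one-shot marker in the registering browser's session. The Request stand-in, the user table and the view names are constructed here so the example runs without Django.

```python
# Added illustration of the flaw and the fix described above; NOT djangoblog's
# code. A tiny stand-in for Django's request object is constructed so this runs
# without Django installed.
from dataclasses import dataclass, field

# Constructed sample user table: id -> account record
USERS = {
    4: {"email": "newuser@example.com", "validated": False},
}


@dataclass
class Request:
    GET: dict = field(default_factory=dict)      # query string parameters
    session: dict = field(default_factory=dict)  # server-side session store


def vulnerable_result_view(request):
    """Leaky pattern: the page takes the user id from the URL, so anyone who
    pastes the link (or enumerates ids) sees the email of an unvalidated user."""
    user = USERS.get(int(request.GET.get("id", 0)))
    if user is None:
        return 404, ""
    return 200, f"We sent a verification mail to {user['email']}"


def register(request, email):
    """Stand-in for the registration step: create the account and remember its
    id only in this browser's session."""
    uid = max(USERS, default=0) + 1
    USERS[uid] = {"email": email, "validated": False}
    request.session["pending_registration"] = uid
    return uid


def hardened_result_view(request):
    """Fixed pattern: identify the user from the session, never from the URL,
    and clear the marker so the message appears only once, right after
    registration. A pasted link from another browser shows nothing."""
    uid = request.session.pop("pending_registration", None)
    if uid is None or uid not in USERS:
        return 403, ""
    return 200, f"We sent a verification mail to {USERS[uid]['email']}"
```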

We are processing your report and will contact the liangliangyy/djangoblog team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a exists 2 years ago
We have contacted a member of the liangliangyy/djangoblog team and are waiting to hear back 2 years ago
且听风吟 validated this vulnerability 2 years ago
nhiephon has been awarded the disclosure bounty
The fix bounty is now up for grabs
且听风吟 marked this as fixed in master with commit 6512ab 2 years ago
且听风吟 has been awarded the fix bounty
This vulnerability will not receive a CVE