fossdot/hikmat
PRs · 2
Issues · 5
- #5 delete_student leaves orphaned Lesson Doubt rows with the child's PII and free-text questionopen
- #4 Bearer-token auth bypassed for any student whose auth_token row is empty (_token_ok returns True)open
- #3 Pre-auth DoS on login_by_name: full-table scan per call + bypassable lockoutopen
- #2 Pre-auth account takeover of PIN-less students via public roster + login_studentopen
- #1 Stored XSS in Lesson Email slot labels — unescaped innerHTML interpolationopen