gh-command
OverviewOpenPRsIssuesReviewsActivityReposSettings
2h ago

fossdot/hikmat

Back

PRs · 2

  • #7 Fix: stored XSS in Lesson Email slot labelsopen
  • #6 Fix: delete_student leaves orphaned Lesson Doubt rowsopen

Issues · 5

  • #5 delete_student leaves orphaned Lesson Doubt rows with the child's PII and free-text questionopen
  • #4 Bearer-token auth bypassed for any student whose auth_token row is empty (_token_ok returns True)open
  • #3 Pre-auth DoS on login_by_name: full-table scan per call + bypassable lockoutopen
  • #2 Pre-auth account takeover of PIN-less students via public roster + login_studentopen
  • #1 Stored XSS in Lesson Email slot labels — unescaped innerHTML interpolationopen