Known issues
Mett 3 sites, *.mett.nl
ID | DATE | PRODUCT | CATEGORY | TITLE | DESCRIPTION | STATUS |
---|---|---|---|---|---|---|
#24001 | 2024-11-30 | Mett 3 | Website | XSS Injection | | Open |
#24002 | 2024-11-30 | Mett 3 | Website | HTML Injection | Possibility to insert and execute HTML tags within the website and email. | Accepted Risk |
#24003 | 2024-11-30 | Mett 3 | Website | Failure to invalidate session after password reset link | After clicking the password reset link the session is not terminated, allowing the user to use the browser's back button to continue using the site. | Under investigation |
#24004 | 2024-11-30 | Mett 3 | Website | Failure to invalidate session after logout | On logout, the server session is not directly terminated. | Accepted Risk |
#24005 | 2024-11-30 | Mett 3 | Website | CSP not found | The use of a CSP is optional within our product. | Accepted Risk |
#24006 | 2024-11-30 | Mett 3 | Website | Header: X-Frame-Options not present | This header is optional. | Accepted Risk |
#24007 | 2024-11-30 | Mett 3 | Website | Header: Strict-Transport-Security not present or misconfigured | This header is optional. | Accepted Risk |
#24008 | 2024-11-30 | Mett 3 | Website | Header: X-Content-Type-Options not present or misconfigured | This header is optional. | Accepted Risk |
#24009 | 2024-11-30 | Mett 3 | Website | Header: X-XSS-Protection not present or misconfigured | This header is optional. | Accepted Risk |
#24010 | 2024-11-30 | Mett 3 | Website | Header: Access-Control-Allow-Origin not present or misconfigured | This header is optional. | Accepted Risk |
#24011 | 2024-11-30 | Mett 3 | DNS | CAA record not present or misconfigured | This is configured within the main domain. | Accepted Risk |
#24012 | 2024-11-30 | Mett 3 | DNS | BIMI record not present or misconfigured | This is configured within the main domain. | Accepted Risk |
#24013 | 2024-11-30 | Mett 3 | DNS | SPF, DKIM or DMARC record not present or misconfigured | This is configured within the main domain. | Accepted Risk |
#24014 | 2024-11-30 | Mett 3 | DNS | MTA-STS or related record not present or misconfigured | This is configured within the main domain. | Accepted Risk |
#24015 | 2024-11-30 | Mett 3 | FTP | Private FTP address disclosed in response | | Accepted Risk |
#24016 | 2024-11-30 | Mett 3 | Website | Rate limiting on login.mett.nl not working properly | | Open |
Mett.nl
ID | DATE | PRODUCT | CATEGORY | TITLE | DESCRIPTION | STATUS |
---|---|---|---|---|---|---|
#24017 | 2024-11-30 | mett.nl | Website | Open ports | Mett.nl runs on a shared hosting platform. We're unable to make any changes to this configuration. | Accepted Risk |
#24022 | 2024-11-30 | mett.nl | FTP | Information and paths disclosed using FTP | Certain paths can be discovered over FTP, and open redirects can be performed. | Accepted Risk |
Mett Studio, *.mettstudio.nl
ID | DATE | PRODUCT | CATEGORY | TITLE | DESCRIPTION | STATUS |
---|---|---|---|---|---|---|
#24018 | 2024-11-30 | All | | HTML links in email | Entering an email address as a name during registration results in a clickable link in the email client. | Accepted Risk |
#24019 | 2024-11-30 | All | Website | Leaked user credentials (phonebook.cz) | Export with "leaked" usernames; these are often old accounts that no longer exist. | Accepted Risk |
#24020 | 2024-11-30 | All | Website | Header: Permissions-Policy missing or misconfigured | This header is not yet broadly adopted. | Open |
#24013 | 2024-11-30 | apps.mett.nl | Website | SPF & Content Spoofing | | Accepted Risk |
#24021 | 2024-11-30 | Mett Studio, security.mett.nl | Website | No IPv6 support | Mett Studio has no IPv6 support. | Accepted Risk |
#24022 | 2024-11-30 | All | Website | (Google) API key exposed | The key needs to be public. We advise restricting it to a single domain only. | Accepted Risk |