Known issues

Mett.nl

Update 2025-01-13 - Vulnerabilities found on this site are no longer eligible for a reward. The website mett.nl is no longer part of our vulnerability program.

Mett 3 sites, *.mett.nl

| ID | DATE | PRODUCT | CATEGORY | TITLE | DESCRIPTION | STATUS |
|---|---|---|---|---|---|---|
| #24001 | 2024-11-30 | Mett 3 | Website | XSS Injection | | Open |
| #24002 | 2024-11-30 | Mett 3 | Website | HTML Injection | Possibility to insert and execute HTML tags within the website and email. | Accepted Risk |
| #24003 | 2024-11-30 | Mett 3 | Website | Failure to invalidate session after password reset link | After clicking the password reset link the session is not terminated, allowing the user to use the browser's back button to continue using the site. | Under investigation |
| #24004 | 2024-11-30 | Mett 3 | Website | Failure to invalidate session after logout | On logout, the server session is not terminated immediately. | Accepted Risk |
| #24005 | 2024-11-30 | Mett 3 | Website | CSP not found; CSP uses unsafe directives; CSP mode is report-only | The use of a CSP is optional within our product. | Accepted Risk |
| #24006 | 2024-11-30 | Mett 3 | Website | Header: X-Frame-Options not present | This header is optional. | Accepted Risk |
| #24007 | 2024-11-30 | Mett 3 | Website | Header: Strict-Transport-Security not present or misconfigured | This header is optional. | Accepted Risk |
| #24008 | 2024-11-30 | Mett 3 | Website | Header: X-Content-Type-Options not present or misconfigured | This header is optional. | Accepted Risk |
| #24009 | 2024-11-30 | Mett 3 | Website | Header: X-XSS-Protection not present or misconfigured | This header is optional. | Accepted Risk |
| #24010 | 2024-11-30 | Mett 3 | Website | Header: Access-Control-Allow-Origin not present or misconfigured | This header is optional. | Accepted Risk |
| #24011 | 2024-11-30 | Mett 3 | DNS | CAA record not present or misconfigured | This is configured within the main domain. | Accepted Risk |
| #24012 | 2024-11-30 | Mett 3 | DNS | BIMI record not present or misconfigured | This is configured within the main domain. | Accepted Risk |
| #24013 | 2024-11-30 | Mett 3 | DNS | SPF, DKIM or DMARC record not present or misconfigured | This is configured within the main domain. | Accepted Risk |
| #24014 | 2024-11-30 | Mett 3 | DNS | MTA-STS or related record not present or misconfigured | This is configured within the main domain. | Accepted Risk |
| #24015 | 2024-11-30 | Mett 3 | FTP | Private FTP address disclosed in response | | Accepted Risk |
| #24016 | 2024-11-30 | Mett 3 | Website | Rate limiting login.mett.nl not working properly | | Open |

Mett Studio, *.mettstudio.nl

| ID | DATE | PRODUCT | CATEGORY | TITLE | DESCRIPTION | STATUS |
|---|---|---|---|---|---|---|
| #24018 | 2024-11-30 | All | Email | HTML links in email | While registering, entering an email address as a name results in a clickable link in the email client. | Accepted Risk |
| #24019 | 2024-11-30 | All | Website | Leaked user credentials phonebook.cz | Export with "leaked" usernames. Often old, no longer existing accounts. | Accepted Risk |
| #24020 | 2024-11-30 | All | Website | Header: Permissions-Policy missing or misconfigured | Header is not yet broadly adopted. | Open |
| #24023 | 2024-11-30 | All | Website | Header: Feature-Policy missing or misconfigured | Header is not yet broadly adopted. | Open |
| #24013 | 2024-11-30 | apps.mett.nl | Website | SPF & Content Spoofing | | Accepted Risk |
| #24021 | 2024-11-30 | Mett Studio, security.mett.nl | Website | No IPv6 support | Mett Studio has no IPv6 support. | Accepted Risk |
| #24022 | 2024-11-30 | All | Website | (Google) API key exposed | Needs to be public. We advise making it single-domain-only. | Accepted Risk |