Jonathan Bouman

Bricks Huisarts v2.3.12.94166 vulnerable to executable uploads in e-consultations sent by patients (Mar 21)
A bug allowed executable file uploads from patients into the EHR system. A double click on the wrong file could execute malicious code.

Misconfigured API endpoint on portal.skge.nl leaks PII data of registered healthcare providers (Mar 21)
Two IDOR bugs leak private data on healthcare providers: their e-mail, phone and address.

Two different IDOR bugs at mijn.VvAA.nl (Mar 21)
The bugs lead to potential access to the data of 130k healthcare providers, including their own cyber risk insurance policy documents.

Remote Code execution at ws1.aholdusa.com: Compromising logins of Ahold Delhaize USA employees (Dec 14, 2023)
Compromising logins of Ahold Delhaize USA employees for >3.5 years (or even 18 years?). Escalating an XSS bug to Perl SSTI RCE. Full…

Laravel debug mode left on at Zouikwatzeggen.nl (Jun 30, 2023)
Coordinated vulnerability disclosure of a bug in an application used to submit reports of improper behaviour.

Unprotected API endpoint at HAwebsso.nl (Dec 14, 2022)
Background: As some might know, I work as a medical doctor (general practitioner) by day and as a security researcher by night. One of my…

Blind SQL Injection at fasteditor.hema.com (Aug 6, 2020)
A full write-up that explains the discovery and exploitation of a blind SQL injection bug.

Reflected XSS at fotoservice.hema.nl (Aug 6, 2020)
A full write-up that teaches the reader how to find reflected XSS and open redirect bugs. Hema.nl was used as a real-life example.

Stored XSS in Paytium 3.0.13 WordPress Plugin (May 12, 2020)
A full write-up: How to find a stored XSS bug in a WordPress plugin and create a proof of concept payload that hijacks the full…

Email content spoofing at IKEA.com (Apr 6, 2019)
IKEA.com did not check the fields being used in one of their email forms. This resulted in the creation of fully signed phishing emails.