Assassin Game
Monthly
Email validation bypass in Gaudire's Assassin Game permits registration with arbitrary or non-existent email addresses, enabling automated mass account creation without real mailbox ownership verification. The CVSS 4.0 vector (PR:N, AV:N) indicates no prior authentication is required to trigger the flaw, though the description's contradictory reference to an 'authenticated attacker' has not been resolved by the vendor and warrants clarification before deploying mitigations. No public exploit code and no CISA KEV listing have been identified at time of analysis; real-world impact is confined to service integrity abuse - spam distribution, rate-limit evasion, and fraudulent account accumulation.
Sensitive information disclosure in Gaudire's Assassin Game application allows unauthenticated remote attackers to retrieve personally identifiable information (PII) - including email addresses and phone numbers - through the application's API. The exposure also extends to the local database, which holds data on minors and municipal users, significantly elevating privacy and regulatory risk. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.2 and CWE-200 classification mark this as a high-priority data exposure issue.
Multiple chained vulnerabilities in Gaudire's Assassin Game platform allow an authenticated low-privileged player to tamper with other users' accounts, escalate to administrator, defraud city-council-awarded prizes, trigger denial-of-service, and perform server-side request forgery via the /addJugador endpoint. With CVSS 4.0 base score 9.4 (Critical) and scope-changing impact across confidentiality, integrity, and availability, the flaws stem from systemic input validation failures (CWE-20). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Email validation bypass in Gaudire's Assassin Game permits registration with arbitrary or non-existent email addresses, enabling automated mass account creation without real mailbox ownership verification. The CVSS 4.0 vector (PR:N, AV:N) indicates no prior authentication is required to trigger the flaw, though the description's contradictory reference to an 'authenticated attacker' has not been resolved by the vendor and warrants clarification before deploying mitigations. No public exploit code and no CISA KEV listing have been identified at time of analysis; real-world impact is confined to service integrity abuse - spam distribution, rate-limit evasion, and fraudulent account accumulation.
Sensitive information disclosure in Gaudire's Assassin Game application allows unauthenticated remote attackers to retrieve personally identifiable information (PII) - including email addresses and phone numbers - through the application's API. The exposure also extends to the local database, which holds data on minors and municipal users, significantly elevating privacy and regulatory risk. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.2 and CWE-200 classification mark this as a high-priority data exposure issue.
Multiple chained vulnerabilities in Gaudire's Assassin Game platform allow an authenticated low-privileged player to tamper with other users' accounts, escalate to administrator, defraud city-council-awarded prizes, trigger denial-of-service, and perform server-side request forgery via the /addJugador endpoint. With CVSS 4.0 base score 9.4 (Critical) and scope-changing impact across confidentiality, integrity, and availability, the flaws stem from systemic input validation failures (CWE-20). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.