Mohammed Al-Barbari

How I was able to takeover any account (Zero-click ATO)

Jan 6, 2023 •
السلام عليكم ورحمة الله وبركاتة Who am I? I am Mohammed Fadhl Al-Barbari, a cybersecurity researcher, tools builder, and bug hunter from Yemen, active on platforms such as HackerOne (H1), BugCrowd, and SRT.
CVE-2022-28081 - arPHP 3.6.0 Reflected XSS

Mar 25, 2022 •
This blog will be updated with more information about the vulnerability and the exploitation once the CVE is assigned. Discovered by: Mohammed Fadhl Al-Barbari
arPHP 3.6.0 - Reflected XSS

Mar 24, 2022 •
This blog will be updated with more information about the vulnerability and the exploitation once the CVE is assigned. Discovered by: Mohammed Fadhl Al-Barbari
CVE-2021-43150 - Opay 1.5.1.26 insecure permission

Oct 29, 2021 •
This blog will be updated with more information about the vulnerability and the exploitation once the CVE is assigned. Discovered by: Mohammed Fadhl Al-Barbari & Zeyad Azima
CVE-2021-3014 - MikroTik hotspot login XSS

Jan 4, 2021 •
Author Mohammed Al-Barbari aka @m4dm0e
CVE-2021-3018 - IPeakCMS v3.5 SQLi

Dec 7, 2020 •
Hi there!, this will be short explaination of the vulnerability I’ve found at IPeakCMS 3.5 which is SQLi and it’s Blind so let’s begin …
IncomCMS 2.0 open redirect

Dec 7, 2020 •
Hi there!, this will be short explaination of the vulnerability I’ve found at Incom 2.0 (Latest version) which is open redirect …
CVE-2020-29597 - IncomCMS 2.0 insecure files upload

Dec 7, 2020 •
Hi there!, I’ve discovered endpoint that accepts any file and upload it without any validation or even being authentication