Who am I?

I have been studying Information Systems and Technologies at Bilkent University, where I have built a strong domain in programming (C, C++, Python, PHP), mobile app development (Kotlin), Linux, databases (Oracle SQL/PLSQL), and algorithmic thinking. Moreover, I am also a part-time penetration tester with over 10 months of hands-on experience in the field. Even though I am officially an intern, I have taken on full-time responsibilities and worked on real-world targets involving web, mobile, and desktop applications and network systems.

During my internship, I worked on:

- Web application penetration testing
- Mobile app pentesting
- Wireless and network testing
- Threat intelligence and leak validations
- Writing pentest reports and supporting junior interns

Besides that, I participated in:

- Boğaziçi Cybersecurity Program
- Türk Telekom Cybersecurity Camp
- Deloitte CyberOps Bootcamp

I am also a CVE-2025-57520 holder, having discovered and responsibly disclosed a vulnerability that was officially assigned a CVE identifier by MITRE.

Overview

Total CVEs: 5

- MEDIUM: 3
- HIGH: 2
- CRITICAL: 0
- LOW: 0
- NONE: 0

Latest CVEs

CVE-2025-60511 (CVSS 3.1: 4.3)

Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's block (e.g., administra…

📅 Published: Oct. 21, 2025, midnight 🔄 Last Modified: Oct. 23, 2025, 1:12 p.m.

CVE-2025-60506 (CVSS 3.1: 5.4)

Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting (XSS) via the Public Comments feature. An attacker with a low-privileged account (e.g., Student) can inject arbitrary JavaScript payloads into a comment. When any other user (Student, Teacher, or Admin) views the annotate…

📅 Published: Oct. 21, 2025, midnight 🔄 Last Modified: Oct. 23, 2025, 1:12 p.m.

CVE-2025-60507 (CVSS 3.1: 8.9)

Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users (including Students or Admin…

📅 Published: Oct. 21, 2025, midnight 🔄 Last Modified: Oct. 23, 2025, 1:12 p.m.

CVE-2025-10228 - Session Hijacking in Rolantis Information Technologies' Agentis (CVSS 3.1: 8.8)

Session Fixation vulnerability in Rolantis Information Technologies Agentis allows Session Hijacking. This issue affects Agentis: before 4.44.

📅 Published: Oct. 14, 2025, 9:20 a.m. 🔄 Last Modified: Oct. 20, 2025, 3:52 p.m.

CVE-2025-57520 (CVSS 3.1: 6.1)

A Cross Site Scripting (XSS) vulnerability exists in Decap CMS thru 3.8.3. Input fields such as body, tags, title, and description are not properly sanitized before being rendered in the content preview pane. This enables an attacker to inject arbitrary JavaScript which executes whenever a user vie…

📅 Published: Sept. 10, 2025, midnight 🔄 Last Modified: Sept. 16, 2025, 5:35 p.m.