EXIF Geolocation Data Not Stripped From Uploaded Images

EXIF Geolocation Data Not Stripped From Uploaded Images.md

@@ -0,0 +1,13 @@
+<h4>Summary:</h4>
+When a user uploads an image in example.com, the uploaded image’s EXIF Geolocation Data does not gets stripped. As a result, anyone can get sensitive information of example.com users like their Geolocation, their Device information like Device Name, Version, Software & Software version used etc.
+
+<h4>Steps to reproduce:</h4>
+
+1. Got to Github ( https://github.com/ianare/exif-samples/tree/master/jpg) <br>
+2. There are lot of images having resolutions (i.e 1280 * 720 ) , and also whith different MB’s . <br>
+3. Go to Upload option on the website <br>
+4. Upload the image<br>
+5. see the path of uploaded image ( Either by right click on image then copy image address OR right click, inspect the image, the URL will come in the inspect ,   edit it as html )</br>
+6. open it (http://exif.regex.info/exif.cgi)</br>
+7. See wheather is that still showing exif data , if it is then Report it.
+

weak password policy.md

@@ -0,0 +1,11 @@
+<h4>Summary:</h4>
+
+A weak password policy increases the probability of an attacker having success using brute force and dictionary attacks against user accounts. An attacker who can determine user passwords can take over a user's account and potentially access sensitive data in the application.
+
+<h4>Steps to reproduce:</h4>
+
+1. Create a new account and use the email address as the password. </br>
+2. Reset your password and choose your email address as the password. </br>
+   In both cases, the application does not prevent this decision. </br>
+
+To improve the password strength, the application should avoid 1-to-1 usage of personal information as the account password.