
Th3Gowham

#14209 of 53,638
18.9 CVSS total
Vulnerabilities · 2
Critical · 2
PT-2026-7157
9.1
2026-02-09
Placipy · Placipy · CVE-2026-25811
**Name of the Vulnerable Software and Affected Versions**

PlaciPy version 1.0.0

**Description**

PlaciPy is a placement management system for educational institutions. Version 1.0.0 improperly derives the tenant identifier from the user-provided email domain without validating ownership or registration. This flaw enables cross-tenant data access: because the application uses the email domain to determine the tenant, a user may be able to access data belonging to another tenant simply by registering with an email address on a different domain.

**Recommendations**

Implement proper domain validation to ensure users only have access to data within their registered tenant.
PT-2026-7161
9.8
2026-02-09
Placipy · Placipy · CVE-2026-25875
**Name of the Vulnerable Software and Affected Versions**

PlaciPy version 1.0.0

**Description**

PlaciPy is a placement management system for educational institutions. The admin authorization middleware in version 1.0.0 trusts client-controlled JWT claims, specifically `role` and `scope`, without performing server-side role verification. This could allow unauthorized access or actions.

**Recommendations**

Apply server-side role verification to ensure that JWT claims are validated against authorized roles and scopes.