About me
I am Adrian Junge (vurlo). I started programming in school, and back then I could not have imagined how deep that rabbit hole would go. My first deeper technical interest was algorithms, competitive programming, and the occasional LeetCode problem. Over time that problem-solving curiosity pulled me further into cybersecurity. Today I study computer science at Karlsruhe Institute of Technology (KIT) with a focus on cybersecurity, work in applied computer science at FZI Forschungszentrum für Informatik, and play CTFs with my university team KITCTF. Lately, I have been digging deeper into bug bounty work, coordinated disclosure, and CVE hunting.
This page is meant as a record of what I have worked on and learned from: reproduced bugs, writeups, disclosures, certificates, and a few milestones along the way.
CVEs
10 entries
CVEs
Joomla CMS
Privilege escalation through com_users batch task
Joomla CMS
Privilege escalation through com_users batch taskSummary
Joomla CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 were affected by an improper access check in the com_users batch task. Authenticated attackers could abuse the batch flow to escalate privileges.
References
Disclosure timeline
- Reported to the Joomla Security Strike Team.
- Confirmation of the issue and initial patch development.
- Fixed in Joomla CMS 5.4.6 and 6.1.1 and CVE assigned.
Joomla CMS
Authenticated blind SQL injection in com_tags
15 min read
Joomla CMS
Authenticated blind SQL injection in com_tags 15 min readSummary
Joomla CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 were affected by improper validation of order clauses in com_tags. Authenticated attackers could manipulate generated SQL and infer database contents through blind SQL injection.
References
Disclosure timeline
- Reported to the Joomla Security Strike Team.
- First acknowledgment.
- Confirmation of the issue and initial patch development.
- Fixed in Joomla CMS 5.4.6 and 6.1.1 and CVE assigned.
Joomla CMS
Authenticated blind SQL injection in com_finder
15 min read
Joomla CMS
Authenticated blind SQL injection in com_finder 15 min readSummary
Joomla CMS 5.4.0 through 5.4.5 and 6.0.0 through 6.1.0 were affected by improperly constructed filter clauses in the com_finder search query. Authenticated attackers could influence the SQL query and infer database contents through blind SQL injection.
References
Disclosure timeline
- Reported to the Joomla Security Strike Team.
- First acknowledgment.
- Confirmation of the issue and initial patch development.
- Fixed in Joomla CMS 5.4.6 and 6.1.1 and CVE assigned.
ChurchCRM
Authenticated blind SQL injection in SettingsIndividual.php
ChurchCRM
Authenticated blind SQL injection in SettingsIndividual.phpSummary
In ChurchCRM 7.0.5, settings input handled by SettingsIndividual.php could be used by an authenticated user to influence a SQL query. The issue enabled blind SQL injection behavior that could expose sensitive database contents.
References
Disclosure timeline
- Report published to ChurchCRM and initial triage.
- GitHub advisory published and CVE assigned.
ChurchCRM
Authenticated blind SQL injection in PropertyAssign.php
ChurchCRM
Authenticated blind SQL injection in PropertyAssign.phpSummary
In ChurchCRM 7.0.5, property assignment handling in PropertyAssign.php exposed a blind SQL injection path for authenticated users. Attackers could infer database contents and potentially alter application data through injected SQL.
References
Disclosure timeline
- Report published to ChurchCRM and initial triage.
- GitHub advisory published and CVE assigned.
ChurchCRM
Authenticated blind SQL injection in EventNames.php
ChurchCRM
Authenticated blind SQL injection in EventNames.phpSummary
In ChurchCRM 7.0.5, event-name management in EventNames.php exposed SQL injection behavior to authenticated users with access to the affected configuration path. Successful exploitation could expose or modify ChurchCRM database records.
References
Disclosure timeline
- Report published to ChurchCRM and initial triage.
- GitHub advisory published and CVE assigned.
ChurchCRM
Authenticated SQL injection in MemberRoleChange.php
ChurchCRM
Authenticated SQL injection in MemberRoleChange.phpSummary
In ChurchCRM 7.0.5, authenticated users with group and role management privileges could inject SQL through the MemberRoleChange.php role update flow. Depending on deployment configuration, this could provide database read/write access and potential privilege escalation.
References
Disclosure timeline
- Report published to ChurchCRM and initial triage.
- GitHub advisory published and CVE assigned.
ChurchCRM
Authenticated blind SQL injection in PropertyTypeEditor.php
ChurchCRM
Authenticated blind SQL injection in PropertyTypeEditor.phpSummary
In ChurchCRM 7.0.5, property type editing in PropertyTypeEditor.php accepted authenticated input that could influence SQL statements. The issue could lead to database compromise, including data extraction or modification.
References
Disclosure timeline
- Report published to ChurchCRM and initial triage.
- GitHub advisory published and CVE assigned.
ChurchCRM
Authenticated blind SQL injection in SettingsUser.php
ChurchCRM
Authenticated blind SQL injection in SettingsUser.phpSummary
In ChurchCRM 7.0.5, user settings handling in SettingsUser.php exposed an authenticated blind SQL injection path. Attackers could infer and extract database data through timing-based or boolean blind SQL techniques.
References
Disclosure timeline
- Report published to ChurchCRM and initial triage.
- GitHub advisory published and CVE assigned.
ChurchCRM
Second-order SQL injection via FundRaiserEditor.php
ChurchCRM
Second-order SQL injection via FundRaiserEditor.phpSummary
ChurchCRM 7.1.2 and earlier allowed stored input from FundRaiserEditor.php to become executable SQL later in the fundraiser workflow. This second-order SQL injection could lead to database compromise once the malicious stored value was processed.
References
Disclosure timeline
- Report published to ChurchCRM and initial triage.
- GitHub advisory published and CVE assigned.
Bug bounties
1 finding
Bug bounties
Firedancer
Race condition in the netshred module
Firedancer
Race condition in the netshred moduleSummary
Before Frankendancer Mainnet v0.910.40000 a race condition in the netshred module could lead to a remotely triggerable Denial of Service.
References
Disclosure timeline
- Reported to Immunefi via the Firedancer v1 audit competition.
- First acknowledgment.
- Confirmation of the issue, initial patch development and acknowledgment that the finding is also valid for the Frankendancer bug bounty program.
- Fixed in Frankendancer Mainnet v0.910.40000.
- Bounty payout not happened yet...
Created CTF Challenges
2 challenges
Created CTF Challenges
Scanwich Station
14 min read
Scanwich Station
14 min readSummary
Hybrid web and pwn challenge about mass assignment, QR-code decoding, signed integer overflow, and GLIBC dynamic symbol poisoning. Published for GPNCTF 2026.
Smile at me
11 min read
Smile at me
11 min readSummary
Web challenge about URL parser differentials, strict CSP, and an XS-Leak using Scroll-to-Text Fragment behavior with lazy-loaded images. Published for GPNCTF 2025.
Certificates
1 certificate
Certificates
Hack The Box Certified Penetration Testing Specialist
8 min read
Hack The Box Certified Penetration Testing Specialist
8 min readSummary
Completed the HTB CPTS path and passed the practical exam on the first attempt, including a full penetration-test report for the exam environment. The work focused on disciplined enumeration, Active Directory attack paths, web findings, and reproducible reporting.
Talks
1 talk
Talks
KITCTF Web Intro
KITCTF Web Intro
Summary
Introductory web security talk for KITCTF.
Relevant achievements
11 events
Relevant achievements
KITCTF
KITCTF
Summary
Selected KITCTF team results across international CTFs and finals qualifiers.
Timeline
- KITCTF #3 at GlacierCTF 2025 #3 at GlacierCTF.
- FluxKITtens #6 at Google CTF 2025 #6 at Google CTF as the FluxKITtens merger team (FluxFingers and KITCTF), qualifying for the Hackceler8 finals in Mexico.
- KITCTF #3 at SwampCTF 2025 #3 at SwampCTF.
- KITCTF at SnakeCTF 2024 finals Qualified for and participated in the SnakeCTF finals in Italy.
- KITCTF #3 at GlacierCTF 2024 #3 at GlacierCTF, qualifying for DHM 2025 as KITCTF team.
- KITCTF #1 at SwampCTF 2024 #1 at SwampCTF.
DHM
DHM
Summary
Deutsche Hacking Meisterschaft (CSCG finals).
Timeline
- DHM 2025 participation Participated in the DHM finals after qualifying through CSCG.
- DHM 2024 #1 Placed #1 at the Deutsche Hacking Meisterschaft.
CSCG
CSCG
Summary
Cyber Security Challenges Germany: Qualified for DHM in 2024 and 2025.
Timeline
- CSCG 2025 top 10 global & DHM qualification Qualified for DHM again and finished top 10 globally.
- CSCG 2024 DHM qualification Qualified for DHM through CSCG.
Immunefi
Immunefi
Summary
Immunefi bug bounty & audit platform for smart contracts and DeFi projects.
Timeline
- Firedancer v1 audit competition Participated in the Firedancer v1 audit competition.