Skip to main content

Advisories

Bug Title CVE/Ref Vendor/Software Date
Multiple Unauthenticated Stored Cross Site Scripting CVE-2019-3769 / CVE-2019-3770 Dell Wyse Management Nov 2019
Sensitive Data Retrieval Possible Without Authentication CVE-2019-2761 Oracle e-Business Suite Oct 2019
Unauthenticated Stored XSS CVE-2019-3591 McAfee ePolicy Orchestrator 11.2.x or earlier Jul 2019
Multiple vulnerabilities (XSS, SSRF) n/a Microsoft PowerBI Report Server version 15 Apr 2019
Multiple vulnerabilities (SQLi, LFI, XSS) 612518, 612524, 612523, 612522 Lansweeper 6.0.130.62, Lspush 6.0.100.32 Feb 2018
SQL Injection Information Disclosure ZDI-CAN-4409 Trend Micro SafeSync for Enterprise Mar 2017
SQL Injection Remote Code Execution ZDI-CAN-4642/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4643/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4644/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4645/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4646/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4647/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4648/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4649/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4650/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4651/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4652/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4653/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4654/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4656/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4657/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4658/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4659/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4660/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4661/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4662/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4663/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4664/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4665/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4666/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4667/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4668/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4670/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4672/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4676/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4678/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4680/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4682/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4685/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4686/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4687/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4688/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4690/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4691/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4692/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4693/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
Unrestricted File Upload Remote Code Execution ZDI-CAN-4780/CVE-2017-14079 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4781/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4782/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4783/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
Unrestricted File Upload Remote Code Execution ZDI-CAN-4784/CVE-2017-14079 Trend Micro Mobile Security for Enterprise Sep 2017
Unrestricted File Upload Remote Code Execution ZDI-CAN-4785/CVE-2017-14079 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4786/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4786/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4788/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4790/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4791/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4792/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4793/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4794/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4796/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4797/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4801/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4803/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4804/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
Unrestricted File Upload Remote Code Execution ZDI-CAN-4805/CVE-2017-14079 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4806/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4679/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
SQL Injection Remote Code Execution ZDI-CAN-4683/CVE-2017-14078 Trend Micro Mobile Security for Enterprise Sep 2017
Remote Agent Configuration Settings Information Disclosure ZDI-CAN-4283 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
dlpCrawlerServerInvoker Deserialization of Untrusted Data ZDI-CAN-4284 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listLogDatas SQL Injection ZDI-CAN-4141 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listEndPointDocScanResultLIs SQL Injection ZDI-CAN-4142 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listReportDatas SQL Injection ZDI-CAN-4143 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listRoleDatas SQL Injection ZDI-CAN-4144 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
getSourceAcquisitionHistory SQL Injection ZDI-CAN-4145 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listFingerprints SQL Injection ZDI-CAN-4131 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listReportDefs SQL Injection ZDI-CAN-4133 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listEndpoints SQL Injection ZDI-CAN-4134 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listEntities SQL Injection ZDI-CAN-4136 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
listKeywords SQL Injection ZDI-CAN-4137 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
fileAttribList SQL Injection ZDI-CAN-4146 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
importComplianceTemplate XXE Processing File Disclosure ZDI-CAN-4138 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
dataManagementList Remote File Delete DoS ZDI-CAN-4120 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
exportdatatojsp Directory Trevrsal File Disclosure ZDI-CAN-4119 Trend Micro Data Loss Prevention Management Server <= 5.6 Apr 2017
Session Generation Authentication Bypass CVE-2016-8584 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
Directory Traversal Authentication Bypass CVE-2016-7552 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
Command Injection Remote Code Execution CVE-2016-8586 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
Information Disclosure CVE-2016-7547 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
Command Injection Remote Code Execution CVE-2016-8585 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
dlp_policy_upload.cgi Remote Code Execution CVE-2016-8587 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
hotfix_upload.cgi Command Injection Remote Code Execution CVE-2016-8588 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
log_query_dlp.cgi Command Injection Remote Code Execution CVE-2016-8589 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
log_query_dae.cgi Command Injection Remote Code Execution CVE-2016-8590 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
log_query.cgi Command Injection Remote Code Execution CVE-2016-8591 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
log_query_system.cgi Command Injection Remote Code Execution CVE-2016-8592 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
upload.cgi Remote Code Execution Vulnerability CVE-2016-8593 Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Apr 2017
Reflected Cross Site Scripting CVE-2017-5599 eClinicalWorks Patient Portal 7.0 build 13 Jan 2017
SQL Injection CVE-2017-5598 eClinicalWorks healow@work 8.0 build 8 Jan 2017
SQL Injection CVE-2017-5570 eClinicalWorks Patient Portal 7.0 build 13 Jan 2017
SQL Injection CVE-2017-5569 eClinicalWorks Patient Portal 7.0 build 13 Jan 2017
UXSS CVE-2016-8011 McAfee Endpoint Security 10.2 and SiteAdvisor Enterprise 3.5 Dec 2016
Unauthenticated Remote Code Execution CVE-2016-9796 Alcatel Lucent Omnivista 8770 2.0, 2.6, 3.0 and 3.1 Dec 2016
Privilege Escalation CVE-2016-2246 HP ThinPro 4.4, 5.0, 5.1, 5.2, 5.2.1, 6.0, 6.1 Oct 2016
PDF Library Information Disclosure CVE-2016-3374 Microsoft Windows 8.1, Windows Server 2012, Windows RT 8.1, Windows Server 2012 R2, and Windows 10 Oct 2016
Predictable Session CVE-2015-3326 Trend Micro SMEX 10 SP2 May 2016
ReDoS CVE-2015-2526 Microsoft .NET Framework 4.5, 4.5.1, 4.5.2 and 4.6 September 2015
External JAR Injection CVE-2015-2630 Oracle e-Business Suite 11.5.10.2, 12.0.6, 12.1.3 July 2015
Multiple Vulnerabilities CVE-2015-2159 / CVE-2015-2160 / CVE-2015-2161 / CVE-2015-2162 / CVE-2015-2163 / CVE-2015-2164 / CVE-2015-2240 FootPrints Service Core 11.0, 11.1, 11.6, 11.5 May 2015
Root shell access - Kiosk Bypass n/a HP Thin Pro OS - T6X44017 Apr 2015
Remote Code Execution and multiple vulnerabilities CVE-2014-5287/5288 Kemp Load Master (load balancer) v.7.1-16 Apr 2015
Multiple vulnerabilities CVE-2014-0844, CVE-2014-0845 and CVE-2014-0846 IBM Rational Doors Next Generation, Composer and Requirements Feb 2014
Reflected Cross Site Scripting CVE-2013-6956 Juniper - Junos Pulse Secure Access Service - SA700, SA2000, SA2500, SA4000, FIPS SA4000, SA4500, FIPS SA4500, SA6000, FIPS SA6000, SA6500, FIPS SA6500, MAG2600, MAG4610, MAG6610, and MAG6611 Apr 2014
Multiple vulnerabilities CVE-2014-0844, CVE-2014-0845 and CVE-2014-0846 IBM Rational Doors Next Generation, Composer and Requirements Feb 2014
WAF Bypass n/a Barracuda Web Application Firewall Oct 2013
Multiple Reflected XSS, 2 ESRI - ArcGIS for Server 10.1, 10.2 Sep 2013
Unrestricted File Upload CVE-2013-5221 ESRI - ArcGIS for Server 10.1, 10.2 Sep 2013
Cross Context Scripting (XCS) - about:history - Remote Code Execution TBA Maxthon Dec 2012
Cross Context Scripting (XCS) - RSS - Remote Code Execution TBA Maxthon Dec 2012
Privileged API Available On i.maxthon.com TBA Maxthon Dec 2012
Cross Context Scripting (XCS) - Bookmark Toolbar and Bookmark Sidebar TBA Maxthon Dec 2012
Incorrect Executable File Handling and Same Origin Policy Implementation TBA Maxthon Dec 2012
Same of Origin Policy Bypass - browser:home TBA Avant Browser Dec 2012
Cross Context Scripting - browser:home - Most Visited And History Tabs TBA Avant Browser Dec 2012
Avant Browser - Stored Cross Site Scripting - Feed Reader (browser://localhost/lst?*) TBA Avant Browser Dec 2012
CSRF 2012-0550 Oracle GlassFish Server Apr 2012
Multiple Cross Site Scripting 2012-0551 Oracle GlassFish Server Apr 2012
Use After Free 2011-4152 Opera Oct 2011
DOM Cross Site Scripting 2011-2133 Adobe RoboHelp 9 Aug 2011
ParanoidFragmentSink allows javascript: URLs in chrome documents 2010-1585 Mozilla Firefox / Thunderbird Mar 2011
Session Fixation 2010-4437 Oracle WebLogic Server Mar 2011
Multiple Cross Site Scripting Vulnerabilities 2010-2406 Oracle eBusiness Application Oct 2010
HTTP Response Splitting 2010-3514 Oracle Sun Java System Web Server Oct 2010
SOP Bypass 2010-3573 Oracle JRE java.net.URLConnection Oct 2010
XML Entity and XML Injections 2009-3960 Multiple Adobe Products Feb 2010
Chrome Privilege Code Execution Update Scanner Aug 2009
Chrome Privilege Code Execution Coolpreviews Aug 2009
Stored Cross Site Scripting 2008-4725 Opera Oct 2008
Stored Cross Site Scripting Google Analytics Oct 2008
Local File Disclosure 2008-2045 SugarCRM Apr 2008
Reflected Cross Site Scripting DotNetNuke Aug 2006

Comments

Popular posts from this blog

TrendMicro ScanMail for Microsoft Exchange (SMEX) predictable session token - CVE-2015-3326

It's time for another advisory ( CVE-2015-3326 ), a simple one, for a vulnerability which can be found quickly and trivially. For those of you who just want to give a glance at the post, I suggest to directly watch the picture which says it all! The following vulnerability was discovered on TrendMicro SMEX (ScanMail for Microsoft Exchange) 10 SP2 but it affects other versions as well. While surfing the SMEX web administrative interface using a web proxy, I have noticed something in the HTTP request - the session token itself and its format, a number. After observing a significant number of logins, the session token was always represented with an number composed of minimum 4 digits and maximum 5 digits, as shown in the screen shot below:   Although the observed session tokens were never generated sequentially, the lack of a cryptographically strong PRNG for the session identifier, allows a malicious user to trivially guess the token. This attack can be easily automated.

Alcatel Lucent Omnivista or: How I learned GIOP and gained Unauthenticated Remote Code Execution (CVE-2016-9796)

It is time for another advisory or better a blog post about Alcatel Lucent Omnivista  and its vulnerabilities. Omnivista is a central management network tool and it is typically used in medium/large organisation with a complex VoIP/SIP infrastructure. Interestingly enough, this software belongs to the niche of "undownloadable" software and it requires a license to work as well. My "luck" came during an engagement where it was already installed and this post documents one of the many 0days discovered during such audit. The reasons why I wanted to dedicate a single blog post on this vulnerability are several. First, remote code execution (RCE) is always a sweet bug to show. Second, I strongly believe that documenting vulnerabilities in applications using old protocols and standards, respectively GIOP and CORBA, can be beneficial for the infosec community, since no many examples of vulnerabilities in such applications are available or published on the Interne

Microsoft .NET MVC ReDoS (Denial of Service) Vulnerability - CVE-2015-2526 (MS15-101)

Microsoft released a security bulletin ( MS15-101 ) describing a .NET MVC Denial of Service vulnerability ( CVE-2015-2526 ) that I reported back in April. This blog post analyses the vulnerability in details, starting from the theory and then providing a PoC exploit against a MVC web application developed with Visual Studio 2013. For those of you who want to see the bug, you can directly skip to the last part of this post or watch the video directly... ;-) A bit of theory The .NET framework (4.5 tested version) uses backtracking regular expression matcher when performing a match against an expression. Backtracking is based on the NFA (non-deterministic finite automata) algorithm engine which is designed to validate all input states. By providing an “evil” regex expression – an expression for which the engine can be forced to calculate an exponential number of states - it is possible to force the engine to calculate an exponential number of states, leading to a condition defined su