[FD] CVE ID Request : Centreon remote code execution

reon team * 27/11/2014 : Centreon correct vulnerabilities * 27/11/2014 : Centreon release version 2.5.4 that fixes vulnerabilities Fixes = * https://github.com/centreon/centreon/commit/a6dd914418dd185a698050349e05f10438fde2a9 * https://github.com/centreon/centreon/commit/d00f3e015d6cf64e45822629b00068116e90ae4d * https://github.com

[FD] Netgear ReadyNAS Surveillance: Unauthenticated Remote Command Execution

nouncement : http://kb.netgear.com/app/answers/detail/a_id/30275 and remove the ReadyNAS Surveillance package. * 03/03/2016 : Netgear publishes a new version of ReadyNAS Surveillance that fixes the vulnerability. Credits === * Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream

[FD] Wordpress iThemes Security (Better WP Security) Insecure Backup/Logfile Generation (predicatable filename)

hemes Security that fixes the vulnerabilities. Credits === * Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com) -- SYSDREAM Labs <l...@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream signature.

[FD] Wordpress iThemes Security (Better WP Security) Insecure Backup/Logfile Generation (access rights)

* 26/02/2016 : iThemes confirms the vulnerabilities. * 29/02/2016 : iThemes publishes a new version (5.3.1) of iThemes Security that fixes the vulnerabilities. Credits === * Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com) -- SYSDREAM Labs <l...@sysdream.com> GPG : 47D1

[FD] CVE ID Request : OpenFire multiple vulnerabilities

5.5 [comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O ### Vulnerability Description A sensitive information disclosure vulnerabilty is present in the page *system-email.jsp*. It allow's an authenticated user to retreive the md5 hash the

[FD] XSS found on www.google.fr

discovery * 05/08/2016 : Contact with vendor team * 05/08/2016 : Vendor acknowledges with a kind reply: "Nice Catch!" :-) * 09/08/2016 : Vulnerability is fixed. ## Credits * Issam Rabhi <i.ra...@sysdream.com> -- SYSDREAM Labs <l...@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 15

[FD] CVE-2016-7980: SPIP 3.1.2 Exec Code Cross-Site Request Forgery

/revisions/23201 * https://core.spip.net/projects/spip/repository/revisions/23202 ### Affected versions * Version <= 3.1.2 ### Credits * Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com) -- SYSDREAM Labs <l...@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9

[FD] CVE-2016-7982: SPIP 3.1.1/3.1.2 File Enumeration / Path Traversal

repository/revisions/23184 ### Affected versions * Version <= 3.1.2 ### Credits * Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com) -- SYSDREAM Labs <l...@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter:

[FD] CVE-2016-7998: SPIP 3.1.2 Template Compiler/Composer PHP Code Execution

ixes * https://core.spip.net/projects/spip/repository/revisions/23186 * https://core.spip.net/projects/spip/repository/revisions/23189 * https://core.spip.net/projects/spip/repository/revisions/23192 ### Affected versions * Version <= 3.1.2 ### Credits * Nicolas CHATELAIN, S

[FD] CVE-2016-7981: SPIP 3.1.2 Reflected Cross-Site Scripting

t/projects/spip/repository/revisions/23201 * https://core.spip.net/projects/spip/repository/revisions/23202 ### Affected versions * Version <= 3.1.2 ### Credits * Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com) -- SYSDREAM Labs <l...@sysdream.com> GPG : 47D1 E12

[FD] CVE-2016-7999: SPIP 3.1.2 Server Side Request Forgery

* https://core.spip.net/projects/spip/repository/revisions/23188 * https://core.spip.net/projects/spip/repository/revisions/23193 ### Affected versions * Version <= 3.1.2 ### Credits * Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com) -- SYSDREAM Labs <l...@sysdream.com

[FD] [CVE-2017-5870] Multiple XSS vulnerabilities in ViMbAdmin

: Reply from the owner, acknowledging the report and planning to fix the vulnerabilities. * 13/03/2017 : Sysdream Labs request for an update. * 29/03/2017 : Second request for an update. * 29/03/2017 : Reply from the owner stating that he has no time to fix the issues. * 03/05/2017 : Full disclosure

[FD] [CVE-2017-6086] Multiple CSRF vulnerabilities in ViMbAdmin version 3.0.15

contact with opensolutions.io * 16/02/2017 : Advisory sent. * 24/02/2017 : Reply from the owner, acknowledging the report and planning to fix the vulnerabilities. * 13/03/2017 : Sysdream Labs request for an update. * 29/03/2017 : Second request for an update. * 29/03/2017 : Reply from the owne

[FD] [CVE-2017-11321] UCOPIA Wireless Appliance < 5.1.8 Restricted Shell Escape

ity discovery. * 03/05/2017 : Initial contact. * 10/05/2017 : GPG Key exchange. * 10/05/2017 : Advisory sent to vendor. * 17/05/2017 : Request for feedback. * 22/05/2017 : Vendor acknowledge the vulnerabilities. * 21/06/2017 : Sysdream Labs request for an ETA, warning for public disclosure. * 2

[FD] [CVE-2017-6090] PhpCollab 2.5.1 Arbitrary File Upload (unauthenticated)

7 : First fixes. * 15/02/2017 : Fixes validation by Sysdream. * 21/02/2017 : PhpCollab ask to wait before publish. * 21/06/2017 : New version has been released. * 29/09/2017 : Public disclosure. ## Credits * Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com) -- SYSDREAM Labs <l...@sysdr

[FD] [CVE-2017-6089] PhpCollab 2.5.1 Multiple SQL Injections (unauthenticated)

ion Update to the latest version avalaible. ## Affected versions * Version <= 2.5.1 ## Timeline (dd/mm/) * 27/08/2016 : Initial discovery. * 05/10/2016 : Initial contact. * 11/10/2016 : GPG Key exchange. * 19/10/2016 : Advisory sent to vendor. * 13/02/2017 : First fixes. * 15/02/20

[FD] [CVE-2017-11322] UCOPIA Wireless Appliance < 5.1.8 Privileges Escalation

017 : Request for feedback. * 22/05/2017 : Vendor acknowledge the vulnerabilities. * 21/06/2017 : Sysdream Labs request for an ETA, warning for public disclosure. * 21/06/2017 : Vendor say that the UCOPIA 5.1.8 fixes the issue. * 29/09/2017 : Public disclosure. ## Credits * Nicolas CHATELAIN, Sysdr

[FD] [CVE-2018-10094] Dolibarr SQL Injection vulnerability

# [CVE-2018-10094] Dolibarr SQL Injection vulnerability ## Description Dolibarr is an "Open Source ERP & CRM for Business" used by many companies worldwide. It is available through [GitHub](https://github.com/Dolibarr/dolibarr) or as distribution packages (e.g .deb package). **Threat** The

[FD] [CVE-2018-10092] Dolibarr admin panel authenticated Remote Code Execution (RCE) vulnerability

# [CVE-2018-10092] Dolibarr admin panel authenticated Remote Code Execution (RCE) vulnerability ## Description Dolibarr is an "Open Source ERP & CRM for Business" used by many companies worldwide. It is available through [GitHub](https://github.com/Dolibarr/dolibarr) or as distribution

[FD] Dolibarr XSS Injection vulnerability

/raw.githubusercontent.com/Dolibarr/dolibarr/develop/ChangeLog)) ## Timeline (dd/mm/) * 18/03/2018 : Initial discovery * 17/04/2018 : Contact with the editor * 17/04/2018 : Editor acknowledges the vulnerability * 18/04/2018 : Editor announces fixes in version 7.0.2 * 21/05/2018 : Vulnerabi

[FD] [CVE-2018-10093] Remote command injection vulnerability in AudioCode IP phones

recommends to change the default admin credentials to mitigate the issue. ## Affected versions Theses vulnerabilities have only been tested on the 420HD phone (firmware version: 2.2.12.126). ## Credits a.baube at sysdream dot com -- SYSDREAM Labs GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2

[FD] [CVE-2018-10091] Stored XSS vulnerabilities in AudioCode IP phones

## Credits a.baube at sysdream dot com -- SYSDREAM Labs GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream signature.asc Description: OpenPGP digital signature ___ Sent through the Full

[FD] [CVE-2018-14013] Reflected Cross-Site Scripting (XSS) vulnerabilities in Zimbra Collaboration

nks to the Zimbra security team for the perfect report handling ! -- SYSDREAM Labs GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream signature.asc Description: OpenPGP digital signature __