[FD] [KIS-2014-09] X2Engine <= 4.1.7 (SiteController.php) PHP Object Injection Vulnerability

2014-09-23 Thread Egidio Romano
] - CVE number assigned [05/09/2014] - Version 4.2 released [23/09/2014] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-5297 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano

[FD] [KIS-2014-10] X2Engine <= 4.1.7 (FileUploadsFilter.php) Unrestricted File Upload Vulnerability

2014-09-23 Thread Egidio Romano
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-5298 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2014-10 ___ Sent through the Full

[FD] [KIS-2014-11] TestLink <= 1.9.12 (execSetResults.php) PHP Object Injection Vulnerability

2014-10-23 Thread Egidio Romano
Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-8081 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2014-11

[FD] [KIS-2014-12] TestLink <= 1.9.12 (database.class.php) Path Disclosure Weakness

2014-10-23 Thread Egidio Romano
: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2014-12

[FD] [KIS-2014-13] Tuleap <= 7.6-4 (register.php) PHP Object Injection Vulnerability

2014-11-28 Thread Egidio Romano
/11/2014] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-8791 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2014-13

[FD] [KIS-2014-14] Osclass <= 3.4.2 (Search::setJsonAlert) SQL Injection Vulnerability

2014-12-31 Thread Egidio Romano
: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2014-14

[FD] [KIS-2014-15] Osclass <= 3.4.2 (ajax.php) Local File Inclusion Vulnerability

2014-12-31 Thread Egidio Romano
requested [11/10/2014] - CVE number assigned [31/12/2014] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-8084 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original

[FD] [KIS-2014-16] Osclass <= 3.4.2 (contact.php) Unrestricted File Upload Vulnerability

2014-12-31 Thread Egidio Romano
and Exposures project (cve.mitre.org) has assigned the name CVE-2014-8085 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2014-16

[FD] [KIS-2015-01] Concrete5 <= 5.7.3.1 (sendmail) Remote Code Execution Vulnerability

2015-06-11 Thread Egidio Romano
. [-] Credits: Vulnerability discovered by Egidio Romano of Minded Security. [-] Original Advisory: http://karmainsecurity.com/KIS-2015-01 [-] Other References: https://hackerone.com/reports/59663

[FD] [KIS-2015-02] Concrete5 <= 5.7.3.1 Multiple Reflected Cross-Site Scripting Vulnerabilities

2015-06-11 Thread Egidio Romano
Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a name to these vulnerabilities yet. [-] Credits: Vulnerabilities discovered by Egidio Romano of Minded Security. [-] Original Advisory: http://karmainsecurity.com/KIS-2015-02 [-] Other References: https://hackerone.com/reports

[FD] [KIS-2015-03] Concrete5 <= 5.7.4 (Access.php) SQL Injection Vulnerability

2015-06-11 Thread Egidio Romano
[-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a name to this vulnerability yet. [-] Credits: Vulnerability discovered by Egidio Romano of Minded Security. [-] Original Advisory: http://karmainsecurity.com/KIS-2015-03 [-] Other

[FD] [KIS-2015-07] ATutor <= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability

2015-11-04 Thread Egidio Romano
ned the name CVE-2015-7711 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2015-07

[FD] [KIS-2015-06] ATutor <= 2.2 (confirm.php) Session Variable Overloading Vulnerability

2015-11-04 Thread Egidio Romano
disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-9753 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2015-06

[FD] [KIS-2015-09] Piwik <= 2.14.3 (viewDataTable) Autoloaded File Inclusion Vulnerability

2015-11-04 Thread Egidio Romano
ic disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-7815 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmains

[FD] [KIS-2015-10] Piwik <= 2.14.3 (DisplayTopKeywords) PHP Object Injection Vulnerability

2015-11-04 Thread Egidio Romano
CVE number requested [14/10/2015] - CVE number assigned [22/10/2015] - Version 2.15.0 released: https://piwik.org/changelog/piwik-2-15-0 [04/11/2015] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-7816 to th

[FD] [KIS-2015-05] ATutor <= 2.2 (Custom Course Icon) Unrestricted File Upload Vulnerability

2015-11-04 Thread Egidio Romano
CVE-2014-9752 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2015-05

[FD] [KIS-2015-04] Magento <= 1.9.2 (catalogProductCreate) Autoloaded File Inclusion Vulnerability

2015-09-11 Thread Egidio Romano
lic disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-6497 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano of Minded Security. [-] Original Advisory: http://karmainsecurity.com/KIS-2015-04

[FD] [KIS-2016-05] SugarCRM <= 6.5.18 Two PHP Code Injection Vulnerabilities

2016-06-23 Thread Egidio Romano
osures project (cve.mitre.org) has not assigned a CVE identifier for these vulnerabilities. [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2016-05

[FD] [KIS-2016-01] CakePHP <= 3.2.0 "_method" CSRF Protection Bypass Vulnerability

2016-01-15 Thread Egidio Romano
ated [01/12/2015] - CVE number requested [01/12/2015] - CVE number assigned [12/01/2016] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-8379 to this vulnerability. [-] Credits: Vulnerability discovered b

[FD] [KIS-2016-02] Magento <= 1.9.2.2 (RSS Feed) Information Disclosure Vulnerability

2016-02-23 Thread Egidio Romano
- CVE number assigned [12/02/2016] - Bug bounty received [23/02/2016] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2016-2212 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Or

[FD] Hacking Magento eCommerce For Fun And 17.000 USD

2016-03-03 Thread Egidio Romano
Hello list, Tonight I'd like to share with you my latest blog post. Seeing my personal experience with the Magento bug bounty program (and even experiences from other security researchers), it looks like they truly believe in a "security through obscurity" methodology. I'm quite disappointed

[FD] [KIS-2016-09] Concrete5 <= 5.7.3.1 Multiple Stored Cross-Site Scripting Vulnerabilities

2016-06-28 Thread Egidio Romano
" page. [-] Solution: Update to a fixed version. [-] Disclosure Timeline: [05/05/2015] - Vulnerabilities details sent through HackerOne [02/10/2015] - CVE number requested [28/12/2015] - Vendor said the vulnerabilities should be fixed in the upstream [26/06/2016] - Vulnerabilities publicly di

[FD] [KIS-2016-10] Concrete5 <= 5.7.3.1 (Application::dispatch) Local File Inclusion Vulnerability

2016-06-28 Thread Egidio Romano
The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2016-10 [-] Other References: https://hackerone.com/repor

[FD] [KIS-2016-08] Concrete5 <= 5.7.3.1 Multiple Cross-Site Request Forgeries Vulnerabilities

2016-06-28 Thread Egidio Romano
nce: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for these vulnerabilities. [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2016-08 [-] Other References: https://hackerone.

[FD] [KIS-2017-01] PEAR HTML_AJAX <= 0.5.7 (PHP Serializer) PHP Object Injection Vulnerability

2017-02-06 Thread Egidio Romano
disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2017-5677 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2017-01

[FD] [KIS-2016-12] Magento <= 1.9.2.2 (RSS Feed) Information Disclosure Vulnerability

2016-10-06 Thread Egidio Romano
e.org) has assigned the name CVE-2016-5313 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2016-12

[FD] [KIS-2016-13] Piwik <= 2.16.0 (saveLayout) PHP Object Injection Vulnerability

2016-11-07 Thread Egidio Romano
k.org/changelog/piwik-2-16-1/ [16/06/2016] - CVE number requested [07/11/2016] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egi

[FD] Tales of SugarCRM Security Horrors

2017-04-23 Thread Egidio Romano
Hello list, Tonight I'd like to share with you my latest blog post. Enjoy! Link: http://karmainsecurity.com/tales-of-sugarcrm-security-horrors Best regards, /EgiX

[FD] [KIS-2017-02] Tuleap <= 9.6 Second-Order PHP Object Injection Vulnerability

2017-10-23 Thread Egidio Romano
Exposures project (cve.mitre.org) has assigned the name CVE-2017-7411 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2017-02

[FD] [KIS-2018-05] SugarCRM (SaveDropDown) PHP Code Injection Vulnerability

2018-12-31 Thread Egidio Romano
[-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2018-05 [-] Other References: https

[FD] [KIS-2018-02] SugarCRM (WorkFlow module) PHP Code Injection Vulnerability

2018-12-31 Thread Egidio Romano
ublication of this advisory [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2018-02 [-] Other

[FD] [KIS-2018-01] Oracle Application Express (AnyChart) Flash-based Cross-Site Scripting Vulnerability

2018-12-31 Thread Egidio Romano
16/01/2018] - Oracle fixed the issue in the January Critical Patch Update (CPU) [31/12/2018] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2018-2699 to this vulnerability. [-] Credits: Vulnerability discove

[FD] [KIS-2018-07] SugarCRM (Web Logic Hooks module) PHP Code Injection Vulnerability

2018-12-31 Thread Egidio Romano
31/12/2018] - Publication of this advisory [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/K

[FD] [KIS-2018-08] SugarCRM (Web Logic Hooks module) Path Traversal Vulnerability

2018-12-31 Thread Egidio Romano
published [31/12/2018] - Publication of this advisory [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainse

[FD] [KIS-2018-04] SugarCRM (ConnectorsController) Server-Side Request Forgery Vulnerability

2018-12-31 Thread Egidio Romano
018] - Fixed versions released and security advisory published [31/12/2018] - Publication of this advisory [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egidio R

[FD] [KIS-2018-06] SugarCRM (addLabels) PHP Code Injection Vulnerability

2018-12-31 Thread Egidio Romano
31/12/2018] - Publication of this advisory [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/K

[FD] [KIS-2018-03] SugarCRM (portal_get_related_notes) SQL Injection Vulnerability

2018-12-31 Thread Egidio Romano
t assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2018-03 [-] Other References: https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2018-003/

[FD] [KIS-2019-10] YouPHPTube <= 7.7 (getChat.json.php) SQL Injection Vulnerability

2019-12-04 Thread Egidio Romano
it.io/JeD2U [02/11/2019] - CVE number assigned [02/12/2019] - Versions 7.8 released [04/12/2019] - Publication of this advisory [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2019-18662 to this vulnerability. [-] Credits: Vulnerabili

[FD] [KIS-2019-02] vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Vulnerability

2019-10-07 Thread Egidio Romano
osures project (cve.mitre.org) has assigned the name CVE-2019-17132 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2019-02

[FD] vBulletin <= 5.5.4 Two SQL Injection Vulnerabilities

2019-10-07 Thread Egidio Romano
ties and Exposures project (cve.mitre.org) has assigned the name CVE-2019-17271 to these vulnerabilities. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2019-01

[FD] [KIS-2019-03] SugarCRM <= 9.0.1 Multiple Reflected Cross-Site Scripting Vulnerabilities

2019-10-10 Thread Egidio Romano
[-] Disclosure Timeline: [07/02/2019] - Vendor notified [01/10/2019] - Versions 9.0.2 and 8.0.4 released [10/10/2019] - Publication of this advisory [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2019-03 [-] Other References: htt

[FD] [KIS-2019-08] SugarCRM <= 9.0.1 Multiple PHP Object Injection Vulnerabilities

2019-10-10 Thread Egidio Romano
"authenticateDownloadKey()" function is using the unserialize() function with the "license_validation_key" setting variable, and such a value can be arbitrarily manipulated in different ways. This can be exploited by malicious users to inject arbitrary PHP objects into

[FD] [KIS-2019-09] SugarCRM <= 9.0.1 Multiple Phar Deserialization Vulnerabilities

2019-10-10 Thread Egidio Romano
ct arbitrary PHP objects into the application scope (PHP Object Injection via phar:// stream wrapper), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code. [-] Solution: Upgrade to version 9.0.2, 8.0.4, or later. [-] Disclosure Timeline: [07/02/2019] - Vendor notified

[FD] [KIS-2019-05] SugarCRM <= 9.0.1 Multiple Broken Access Control Vulnerabilities

2019-10-10 Thread Egidio Romano
eter to "Administration" and the "parent_type" parameter to "expandDatabase" or any other action which does not implement ACL checks). [-] Solution: Upgrade to version 9.0.2, 8.0.4, or later. [-] Disclosure Timeline: [07/02/2019] - Vendor notified [01/10/2019]

[FD] [KIS-2019-04] SugarCRM <= 9.0.1 Multiple SQL Injection Vulnerabilities

2019-10-10 Thread Egidio Romano
d before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through in-band SQL Injection attacks. [-] Solution: Upgrade to version 9.0.2, 8.0.4, or later. [-] Disclosure Timeline: [07/02/2019] - Vendor notified [01

[FD] [KIS-2019-06] SugarCRM <= 9.0.1 Multiple Path Traversal Vulnerabilities

2019-10-10 Thread Egidio Romano
- Vendor notified [01/10/2019] - Versions 9.0.2 and 8.0.4 released [10/10/2019] - Publication of this advisory [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2019-06 [-] Other References:

[FD] [KIS-2019-07] SugarCRM <= 9.0.1 Multiple PHP Code Injection Vulnerabilities

2019-10-10 Thread Egidio Romano
ful exploitation of this vulnerability requires a System Administrator account. [-] Solution: Upgrade to version 9.0.2, 8.0.4, or later. [-] Disclosure Timeline: [07/02/2019] - Vendor notified [01/10/2019] - Versions 9.0.2 and 8.0.4 released [10/10/2019] - Publication of this advisory

[FD] [KIS-2020-03] SuiteCRM <= 7.11.11 (action_saveHTMLField) Bean Manipulation Vulnerability

2020-02-12 Thread Egidio Romano
ure intention, no response [07/02/2020] - CVE number assigned [12/02/2020] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2020-8802 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano.

[FD] [KIS-2020-02] SuiteCRM <= 7.11.11 Multiple Phar Deserialization Vulnerabilities

2020-02-12 Thread Egidio Romano
ve.mitre.org) has assigned the name CVE-2020-8801 to these vulnerabilities. [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2020-02

[FD] [KIS-2020-04] SuiteCRM <= 7.11.11 (add_to_prospect_list) Broken Access Control Vulnerability

2020-02-12 Thread Egidio Romano
has assigned the name CVE-2020-8803 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2020-04

[FD] [KIS-2020-05] SuiteCRM <= 7.11.10 Multiple SQL Injection Vulnerabilities

2020-02-12 Thread Egidio Romano
d [10/02/2020] - Version 7.11.11 released [12/02/2020] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2020-8804 to these vulnerabilities. [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Origina

[FD] [KIS-2020-01] SuiteCRM <= 7.11.11 Second-Order PHP Object Injection Vulnerabilities

2020-02-12 Thread Egidio Romano
the name CVE-2020-8800 to these vulnerabilities. [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2020-01

[FD] SugarCRM < 10.1.0 Multiple Reflected Cross-Site Scripting Vulnerabilities

2020-08-11 Thread Egidio Romano
nce:* The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2020-17372 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-17372> to these vulnerabilities. *• Credits:* Vulnerabilities discovered by Egid

[FD] SugarCRM < 10.1.0 (Reports Export) SQL Injection Vulnerability

2020-08-11 Thread Egidio Romano
org) has assigned the name CVE-2020-17373 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-17373> to this vulnerability. *• Credits:* Vulnerability discovered by Egidio Romano.

[FD] [KIS-2020-07] openSIS <= 7.4 (Bottom.php) Local File Inclusion Vulnerability

2020-06-30 Thread Egidio Romano
erabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2020-13383 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2020-07

[FD] [KIS-2020-06] openSIS <= 7.4 Incorrect Access Control Vulnerabilities

2020-06-30 Thread Egidio Romano
osures project (cve.mitre.org) has assigned the name CVE-2020-13382 to these vulnerabilities. [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2020-06

[FD] [KIS-2020-08] openSIS <= 7.4 Multiple SQL Injection Vulnerabilities

2020-06-30 Thread Egidio Romano
nce: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2020-13380 to vulnerabilities (1) and (2), and name CVE-2020-13381 for the other vulnerabilities. [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com