[FD] [RT-SA-2014-003] Metadata Information Disclosure in OrbiTeam BSCW

2014-05-08 Thread RedTeam Pentesting GmbH
2014-03-10 Vendor acknowledges vulnerability 2014-04-22 Vendor released fixed version 2014-05-08 Advisory released RedTeam Pentesting GmbH === RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby

[FD] [RT-SA-2014-006] Directory Traversal in DevExpress ASP.NET File Manager

2014-06-05 Thread RedTeam Pentesting GmbH
://security.devexpress.com/de7c4756/?id=ff8c1703126f4717993ac3608a65a2e2

[FD] [RT-SA-2013-003] Endeca Latitude Cross-Site Scripting

2014-06-25 Thread RedTeam Pentesting GmbH
. -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer

[FD] [RT-SA-2014-008] Python CGIHTTPServer File Disclosure and Potential Code Execution

2014-06-26 Thread RedTeam Pentesting GmbH
source code repository 2014-06-23 CVE number requested 2014-06-25 CVE number assigned 2014-06-26 Advisory released References == http://bugs.python.org/issue21766

[FD] [RT-SA-2014-007] Remote Code Execution in TYPO3 Extension ke_dompdf

2014-12-01 Thread RedTeam Pentesting GmbH
] http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-010/

[FD] [RT-SA-2014-012] Unauthenticated Remote Code Execution in IBM Endpoint Manager Mobile Device Management Components

2014-12-02 Thread RedTeam Pentesting GmbH
://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_secret_deserialization.rb

[FD] [RT-SA-2014-016] Directory Traversal and Arbitrary File Disclosure in hybris Commerce Software Suite

2015-02-18 Thread RedTeam Pentesting GmbH
requests more time to notify customers for the 3rd time, RedTeam Pentesting declines 2015-02-18 Advisory released

[FD] [RT-SA-2014-015] Cross-site Scripting in Tapatalk Plugin for WoltLab Burning Board 4.0

2015-01-12 Thread RedTeam Pentesting GmbH
[2] https://support.tapatalk.com/threads/19540/#post-146253

[FD] CVE-2014-8870: Arbitrary Redirect in Tapatalk Plugin for WoltLab Burning Board 4.0

2015-01-12 Thread RedTeam Pentesting GmbH
?board_url=https://www.redteam-pentesting.de CVE-2014-8870 was assigned to this issue.

[FD] [RT-SA-2014-013] Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics Page

2015-02-10 Thread RedTeam Pentesting GmbH
and software upgrade 2015-02-04 Customer approves public disclosure 2015-02-10 Advisory released

[FD] [RT-SA-2015-002] SQL Injection in TYPO3 Extension Akronymmanager

2015-06-15 Thread RedTeam Pentesting GmbH
more time 2015-05-21 Requested update from vendor 2015-05-22 Vendor states that upload to extension registry doesn't work 2015-06-03 Requested update from vendor 2015-06-10 Vendor uploads new version to extension registry 2015-06-15 Advisory published

[FD] [RT-SA-2014-014] AVM FRITZ!Box: Arbitrary Code Execution Through Manipulated Firmware Images

2016-01-07 Thread RedTeam Pentesting GmbH
releasing fixed versions (7490 [0]) 2015-10-01 Vendor finished releasing fixed versions (other models) 2016-01-07 Advisory released References == [0] https://avm.de/service/sicherheitshinweise/

[FD] [RT-SA-2015-005] o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials

2016-01-07 Thread RedTeam Pentesting GmbH
2014-09-08 - Potential vulnerability discovered 2014-09-20 - Vulnerability verified 2014-10-17 - ISP was notified about the vulnerability 2014-10-17 - ISP implemented first countermeasures 2014-10-24 - ISP wants to investigate further 2014-11-28 - ISP needs more time, depends on hardwar

[FD] [RT-SA-2015-013] Symfony PHP Framework: Session Fixation In "Remember Me" Login Functionality

2015-12-22 Thread RedTeam Pentesting GmbH
/cookbook/security/remember_me.html [2] https://symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-me-login-feature

[FD] [RT-SA-2015-012] XML External Entity Expansion in Paessler PRTG Network Monitor

2016-05-31 Thread RedTeam Pentesting GmbH
ID requested 2015-09-24 CVE ID requested again 2015-10-07 CVE ID assigned 2015-10-21 Vendor contacted 2016-04-04 Vendor released fixed version 2016-05-31 Advisory released References == [1] https://www.paessler.com [2] https://www.paessler.com/prtg/history/stable

[FD] [RT-SA-2016-004] Websockify: Remote Code Execution via Buffer Overflow

2016-05-31 Thread RedTeam Pentesting GmbH
visory provided to customer 2016-05-06 Customer provided updated firmware, notified users 2016-05-23 Customer notified users again 2016-05-31 Advisory published References == [0] https://github.com/kanaka/websockify/commit/192ec6f5f9bf9c80a089ca020d05ad4bd9e7bcd9

[FD] [RT-SA-2016-005] Unauthenticated File Upload in Relay Ajax Directory Manager may Lead to Remote Command Execution

2016-05-31 Thread RedTeam Pentesting GmbH
2016-05-31 Advisory published References == [1] https://github.com/HadoDokis/Relay-Ajax-Directory-Manager [2] https://code.google.com/p/relay/

[FD] [RT-SA-2016-002] Cross-site Scripting in Securimage 3.6.2

2016-03-22 Thread RedTeam Pentesting GmbH
-03 Vendor releases fixed version 2016-03-22 Advisory released References == https://www.phpcaptcha.org/uncategorized/securimage-3-6-4-released/

[FD] [RT-SA-2016-003] Less.js: Compilation of Untrusted LESS Files May Lead to Code Execution through the JavaScript Less Compiler

2016-11-24 Thread RedTeam Pentesting GmbH
rchive.org/web/20140202171923/http://www.lesscss.org/ [2] http://www.bennadel.com/blog/2638-executing-javascript-in-the-less-css-precompiler.htm [3] http://lesscss.org/#client-side-usage

[FD] [RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto

2016-12-23 Thread RedTeam Pentesting GmbH
states that there is no concrete timeline 2016-12-05 Vendor announces a release 2016-12-20 Vendor released fixed version 2016-12-23 Advisory released References == [1] https://github.com/mwielgoszewski/python-paddingoracle [2] http://httpd.apache.org/security/vulnerabilities_24.ht

[FD] [RT-SA-2017-009] Remote Command Execution as root in REDDOXX Appliance

2017-07-24 Thread RedTeam Pentesting GmbH
ds are executed with root privileges and no authentication is required, this is rated as a high risk. Timeline 2017-05-17 Vulnerability identified 2017-05-23 Customer approved disclosure of vulnerability 2017-05-26 Customer provided details of vulnerability to vendor 2017-07-20 Vulnerabil

[FD] [RT-SA-2017-004] Unauthenticated Arbitrary File Disclosure in REDDOXX Appliance

2017-07-24 Thread RedTeam Pentesting GmbH
m-pentesting.de/advisories/rt-sa-2017-003

[FD] [RT-SA-2017-006] Arbitrary File Disclosure with root Privileges via RdxEngine-API in REDDOXX Appliance

2017-07-24 Thread RedTeam Pentesting GmbH
-2017-005

[FD] [RT-SA-2017-003] Cross-Site Scripting in REDDOXX Appliance

2017-07-24 Thread RedTeam Pentesting GmbH
5-26 Customer provided details of vulnerability to vendor 2017-06-21 Vulnerability reported as fixed by vendor 2017-07-24 Advisory released References == [0] https://www.reddoxx.com/en/ [1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads (Requires login

[FD] [RT-SA-2017-008] Unauthenticated Access to Diagnostic Functions in REDDOXX Appliance

2017-07-24 Thread RedTeam Pentesting GmbH
as a high risk. Timeline 2017-05-17 Vulnerability identified 2017-05-23 Customer approved disclosure of vulnerability 2017-05-26 Customer provided details of vulnerability to vendor 2017-07-20 Vulnerability reported as fixed by vendor 2017-07-24 Advisory released References == [0] ht

[FD] [RT-SA-2016-007] Cross-Site Scripting in TYPO3 Formhandler Extension

2017-07-27 Thread RedTeam Pentesting GmbH
com/files/137127/typo3-xssbypass.txt [3] http://examples.typo3-formhandler.com/start/

[FD] [RT-SA-2017-011] Remote Command Execution in PDNS Manager

2017-07-05 Thread RedTeam Pentesting GmbH

[FD] [RT-SA-2015-010] WebClientPrint Processor 2.0: Unauthorised Proxy Modification

2017-08-22 Thread RedTeam Pentesting GmbH
wordpress.com/2015/09/15/webclientprint-2-0-for-windows-clients-critical-update/

[FD] [RT-SA-2015-011] WebClientPrint Processor 2.0: No Validation of TLS Certificates

2017-08-22 Thread RedTeam Pentesting GmbH
https://neodynamic.wordpress.com/2015/09/15/webclientprint-2-0-for-windows-clients-critical-update/ [1] http://www.dest-unreach.org/socat/

[FD] [RT-SA-2015-008] WebClientPrint Processor 2.0: Remote Code Execution via Print Jobs

2017-08-22 Thread RedTeam Pentesting GmbH
elease 2017-08-22 Advisory released References == [0] http://webclientprint.azurewebsites.net/ [1] https://neodynamic.wordpress.com/2015/09/15/webclientprint-2-0-for-windows-clients-critical-update/

[FD] [RT-SA-2016-008] XML External Entity Expansion in Ladon Webservice

2017-11-03 Thread RedTeam Pentesting GmbH
te and announced public release for end of October 2017-10-09 RedTeam Pentesting asked vendor for status update 2017-11-03 Advisory released (no reply from vendor to status update requests) References == [1] http://ladonize.org [2] https://pypi.python.org/pypi/defusedxml

[FD] [RT-SA-2017-013] Truncation of SAML Attributes in Shibboleth 2

2018-01-15 Thread RedTeam Pentesting GmbH
11-13 Customer approved further research 2017-12-01 Further research conducted 2018-01-09 Customer approved disclosure to vendor 2018-01-10 Vendor notified 2018-01-12 Vendor released fixed version 2018-01-15 Advisory released References == [1] https://www.shibboleth.net/ [2] https://www.w3.org

[FD] [RT-SA-2018-001] Arbitrary Redirect in Tuleap

2018-03-08 Thread RedTeam Pentesting GmbH
version 2018-03-05 Vendor made issue public 2018-03-08 Advisory released References == [1] https://www.tuleap.org/what-is-tuleap [2] https://tools.ietf.org/html/rfc3986

[FD] [RT-SA-2017-012] Shopware Cart Accessible by Third-Party Websites

2018-03-13 Thread RedTeam Pentesting GmbH
ed 2017-09-13 Customer approved disclosure to vendor 2017-09-14 Vendor notified 2018-02-27 Vendor released fixed version 2018-03-13 Advisory released References == [1] https://github.com/shopware/shopware [2] https://community.shopware.com/Downloads_cat_448.html#5.4.0

[FD] [RT-SA-2017-014] CyberArk Password Vault Web Access Remote Code Execution

2018-04-09 Thread RedTeam Pentesting GmbH
s/316-CZP-275/images/ds-enterprise-password-vault-11-15-17.pdf [2] https://github.com/pwntester/ysoserial.net [3] https://curl.haxx.se/ [4] https://www.tcpdump.org/

[FD] [RT-SA-2017-015] CyberArk Password Vault Memory Disclosure

2018-04-09 Thread RedTeam Pentesting GmbH
ne 2017-11-24 Vulnerability identified 2018-01-22 Customer approved disclosure to vendor 2018-02-05 Vendor notified 2018-04-06 CVE number requested 2018-04-07 CVE number assigned 2018-04-09 Advisory released References == [1] http://lp.cyberark.com/rs/316-CZP-275/images/ds-enter

[FD] [RT-SA-2019-005] Cisco RV320 Command Injection Retrieval

2019-03-27 Thread RedTeam Pentesting GmbH
sting.de/advisories/rt-sa-2018-004 [3] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject

[FD] [RT-SA-2019-004] Cisco RV320 Unauthenticated Diagnostic Data Retrieval

2019-03-27 Thread RedTeam Pentesting GmbH
c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html [2] https://www.redteam-pentesting.de/advisories/rt-sa-2018-003 [3] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info

[FD] [RT-SA-2019-003] Cisco RV320 Unauthenticated Configuration Export

2019-03-27 Thread RedTeam Pentesting GmbH
index.html [2] https://www.redteam-pentesting.de/advisories/rt-sa-2018-002 [3] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info

[FD] [RT-SA-2019-007] Code Execution via Insecure Shell Function getopt_simple

2019-03-26 Thread RedTeam Pentesting GmbH

[FD] [RT-SA-2018-003] Cisco RV320 Unauthenticated Diagnostic Data Retrieval

2019-01-24 Thread RedTeam Pentesting GmbH
t-wan-vpn-router/index.html [2] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801

[FD] [RT-SA-2018-004] Cisco RV320 Command Injection

2019-01-24 Thread RedTeam Pentesting GmbH
2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor 2019-01-16 List of affected versions provided by vendor 2019-01-23 Advisory published References == [1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html [2] https://wiki.open

[FD] [RT-SA-2018-002] Cisco RV320 Unauthenticated Configuration Export

2019-01-24 Thread RedTeam Pentesting GmbH
[1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html [2] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801

[FD] [RT-SA-2019-002] Directory Traversal in Cisco Expressway Gateway

2019-05-17 Thread RedTeam Pentesting GmbH
ON%2026%20presentations/Orange%20Tsai%20-%20Updated/DEFCON-26-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-and-Pop-0days-Out-Updated.pdf [4] https://tomcat.apache.org

[FD] [RT-SA-2019-012] Information Disclosure in REDDOXX Appliance

2019-07-01 Thread RedTeam Pentesting GmbH
"2020-01-30T12:34:56", "Valid": true, "VirusScan": true } } } Workaround ====== None Fix === Install the latest hotfixes for the appliance, see [2]. Security Risk =

[FD] [RT-SA-2019-014] Unauthenticated Access to Modbus Interface in Carel pCOWeb HVAC

2019-10-31 Thread RedTeam Pentesting GmbH
https://www.rapid7.com/db/modules/auxiliary/scanner/scada/modbusclient [4] https://www.carel.com/documents/10191/0/+030220471/9619472f-f1c0-4ec9-a151-120aaa5e479a?version=1.0

[FD] [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC

2019-10-31 Thread RedTeam Pentesting GmbH
n of CVE-2019-13553 References ====== [0] https://www.carel.com/documents/10191/0/+030220471/9619472f-f1c0-4ec9-a151-120aaa5e479a?version=1.0 [1] https://www.redteam-pentesting.de/de/advisories/rt-sa-2019-014.txt

[FD] [RT-SA-2019-016] IceWarp: Cross-Site Scripting in Notes

2020-01-02 Thread RedTeam Pentesting GmbH
ure 2019-11-25 CVE number requested 2019-11-25 CVE number assigned 2019-12-02 Vendor released fixed version 2019-12-10 Customer approved disclosure 2019-12-13 Fixed version released 2020-01-02 Advisory released References == [1] https://www.redteam-pentesting.de/a

[FD] [RT-SA-2019-015] IceWarp: Cross-Site Scripting in Notes for Contacts

2020-01-02 Thread RedTeam Pentesting GmbH
xed version released 2020-01-02 Advisory released References == [1] https://tools.ietf.org/html/rfc6350 [2] https://tools.ietf.org/html/rfc2445 [3] https://www.redteam-pentesting.de/advisories/rt-sa-2019-16

[FD] [RT-SA-2020-001] Credential Disclosure in WatchGuard Fireware AD Helper Component

2020-03-13 Thread RedTeam Pentesting GmbH
Tried to contact the German branch of WatchGuard 2020-02-27 Contacted the Dutch branch of WatchGuard 2020-02-28 Contact to ADHelper QA Team Lead established 2020-03-02 Advisory draft sent for verification 2020-03-10 Vendor released fixed version and blog post 2020-03-11 CVE ID requested 2020-03-1

[FD] [RT-SA-2020-004] Inconsistent Behavior of Go's CGI and FastCGI Transport May Lead to Cross-Site Scripting

2020-09-02 Thread RedTeam Pentesting GmbH
ttps://pkg.go.dev/net/http/?tab=doc#ResponseWriter [2] https://pkg.go.dev/net/http/httptest?tab=doc#ResponseRecorder [3] https://mimesniff.spec.whatwg.org/ [4] https://github.com/golang/go/blob/ba9e10889976025ee1d027db6b1cad383ec56de8/src/net/http/cgi/child.go#L196-L199 [5] https://github.com/go

[FD] [RT-SA-2020-003] FRITZ!Box DNS Rebinding Protection Bypass

2020-10-19 Thread RedTeam Pentesting GmbH
otified of another problematic IP 2020-08-06 Vendor provided fixed version to RedTeam Pentesting 2020-10-06 Vendor starts distribution of fixed version for selected devices 2020-10-19 Advisory released

[FD] [RT-SA-2020-002] Denial of Service in D-Link DSR-250N

2020-10-08 Thread RedTeam Pentesting GmbH
upport.dlink.com/ProductInfo.aspx?m=DSR-250N

[FD] [RT-SA-2020-005] Arbitrary File Disclosure and Server-Side Request Forgery in BigBlueButton

2020-10-21 Thread RedTeam Pentesting GmbH
tations [7] https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html

[FD] [RT-SA-2021-002] XML External Entity Expansion in MobileTogether Server

2021-08-10 Thread RedTeam Pentesting GmbH
session of an account for a MobileTogether Server with access to at least one app are able to read files from the server system, conduct HTTP requests to external and internal systems and can also deny the availability of the service. Access might also be possible through default credentials or

[FD] [RT-SA-2021-001] Cross-Site Scripting in myfactory.FMS

2021-10-13 Thread RedTeam Pentesting GmbH
s that no advisory should be released. Vendor acknowledges public release after 90 days. 2021-10-04 Customer confirms update to fixed version 2021-10-13 Advisory released References == [0] https://www.myfactory.com/myfactoryfms.aspx

[FD] [RT-SA-2021-007] Auerswald COMpact Multiple Backdoors

2021-12-06 Thread RedTeam Pentesting GmbH
d disclosure to vendor 2021-09-10 Vendor notified 2021-09-10 CVE ID requested 2021-09-10 CVE ID assigned 2021-10-05 Vendor provides access to device with fixed firmware 2021-10-11 Vendor provides fixed firmware 2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected 2021-12-06 Advis

[FD] [RT-SA-2021-006] Auerswald COMpact Arbitrary File Disclosure

2021-12-06 Thread RedTeam Pentesting GmbH
and use functions not available to "sub-admin" users, like firmware updates. All in all, this vulnerability is therefore rated to have a medium risk potential. Timeline 2021-08-26 Vulnerability identified 2021-09-01 Customer approved disclosure to vendor 2021-09-10 Vendor notif

[FD] [RT-SA-2021-005] Auerswald COMpact Privilege Escalation

2021-12-06 Thread RedTeam Pentesting GmbH
wly acquired credentials, attackers can access configuration settings and most other functions. They can then for example create new SIP credentials and use them to call premium rate phone lines they operate to generate revenue. They can monitor and even redirect all incoming and outgoing

[FD] [RT-SA-2021-004] Auerswald COMfortel 1400/2600/3600 IP Authentication Bypass

2021-12-06 Thread RedTeam Pentesting GmbH
e call premium rate phone lines they operate to generate revenue. They can also configure a device they control as the PBX in the phone, so all incoming and outgoing phone calls are intercepted and can be recorded. The device also contains a function to record all Ethernet data traffic, which is likel

[FD] [RT-SA-2021-009] Credential Disclosure in Web Interface of Crestron Device

2022-01-12 Thread RedTeam Pentesting GmbH
"The device in question doesn't support Crestron's security practices. We recommend the HD-MD-4KZ alternative." 2021-12-22 Requested confirmation, that the vulnerability will not be addressed. 2021-12-28 Vendor confirms that the vulnerability will not be corrected. 2022-01-

[FD] [RT-SA-2021-003] Missing Authentication in ZKTeco ZEM/ZMM Web Interface

2022-10-24 Thread RedTeam Pentesting GmbH
1-07-12 Customer approved disclosure to vendor 2021-07-16 Vendor notified 2021-08-20 Vendor provides fixed firmware 2022-09-29 Customer approved release of advisory 2022-10-10 CVE ID requested 2022-10-15 CVE ID assigned 2022-10-24 Advisory published References == https://zkteco.eu/c

[FD] [RT-SA-2022-002] Skyhigh Security Secure Web Gateway: Cross-Site Scripting in Single Sign-On Plugin

2023-01-26 Thread RedTeam Pentesting GmbH
20 Customer approved disclosure to vendor 2022-10-20 Vulnerability was disclosed to the vendor 2023-01-17 Patch released by vendor for versions 10.2.17, 11.2.6 and 12.0.1. 2023-01-26 Detailed advisory released by RedTeam Pentesting GmbH

[FD] [RT-SA-2023-001] Session Token Enumeration in RWS WorldServer

2023-07-19 Thread RedTeam Pentesting GmbH
mPentesting/monsoon [2] https://docs.rws.com/860026/585715/worldserver-11-7-developer-documentation/customizing-the-rest-api

[FD] [RT-SA-2023-004] Pydio Cells: Cross-Site Scripting via File Download

2023-05-30 Thread RedTeam Pentesting GmbH
approved disclosure to vendor 2023-05-02 Vendor notified 2023-05-03 CVE ID requested 2023-05-08 Vendor released fixed version 2023-05-14 CVE ID assigned 2023-05-16 Vendor asks for a few more days before the advisory is released 2023-05-30 Advisory released References == [1] https://

[FD] [RT-SA-2023-003] Pydio Cells: Unauthorised Role Assignments

2023-05-30 Thread RedTeam Pentesting GmbH
to a version without the vulnerability. Security Risk = Attackers with access to any regular user account for a Pydio Cells instance can extend their privileges by creating a new external user with all roles assigned. Subsequently, they can access all folders and files in any cel

[FD] [RT-SA-2023-005] Pydio Cells: Server-Side Request Forgery

2023-05-30 Thread RedTeam Pentesting GmbH
pose a significant risk. In other circumstances, the risk could be negligible. Therefore, overall the vulnerability is rated as a medium risk. Timeline 2023-03-23 Vulnerability identified 2023-05-02 Customer approved disclosure to vendor 2023-05-02 Vendor notified 2023-05-03 CVE I

[FD] [RT-SA-2022-004] STARFACE: Authentication with Password Hash Possible

2023-06-01 Thread RedTeam Pentesting GmbH
ed on another system. Furthermore, the login via password hash allows attackers for permanent unauthorised access to the web interface even if system access was obtained only temporarily. Due to the prerequisites of obtaining access to password hashes, the vulnerability poses a low risk only. T