Vulnerability Report

We regularly uncover zero-day vulnerabilities in a wide range of applications during our research. Whenever possible, we work with vendors to address the issues and responsibly disclose the details.

Below is a list of vulnerabilities discovered by the team, along with relevant details where supplied by the vendor or third party.

| CVE ID | Title | Date | Product |
|---|---|---|---|
| CVE-2019-13143 | FB50 Smart Lock Ownership Transfer Vulnerability | August 2019 | FB50 smart lock |
| CVE-2018-11714 | Authentication Bypass Vulnerability in TP-Link Router | June 2018 | TP-Link Router |
| CVE-2017-9080 | Remote Code Execution using Unrestricted File Upload in Play SMS 1.4 | May 2018 | PlaySMS 1.4 |
| CVE-2017-9101 | Remote Code Execution using Phonebook import Function in PlaySMS 1.4 | May 2017 | PlaySMS 1.4 |
| CVE-2017-9100 | Admin Dashboard Authentication Bypass for D-Link Router | May 2017 | D-Link Router |
| CVE-2017-12853 | Changing admin password using cross site request forgery in realtime router | August 2017 | RealTime Router |
| CVE-2017-9243 | Cross site scripting on Aries QWR-1104 | May 2017 | Aries QWR-1104 Wireless-N Router |
| CVE-2017-9425 | Cross Site Scripting (XSS) in Piwigo's Facetag extension | Feb 2018 | Piwigo Plugin |
| CVE-2017-9426 | SQL Injection via imageID parameter in Piwigo Plugin | Feb 2018 | Piwigo Plugin |
| CVE-2017-5594 | Authentication Bypass Vulnerability in Pagekit CMS | Feb 2018 | PageKit CMS |
| CVE-2017-14618 | Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 | Sept 2017 | phpMyFAQ |
| CVE-2017-14713 | Stored XSS in EPESI 1.8.2 in the Phonecalls description parameter | Sept 2017 | EPESI 1.8.2 |
| CVE-2017-14714 | Stored XSS in EPESI 1.8.2 in the Phonecalls subject parameter | Sept 2017 | EPESI 1.8.2 |
| CVE-2017-14715 | Stored XSS in EPESI 1.8.2 in the Phonecalls Tasks Alerts Title parameter | Sept 2017 | EPESI 1.8.2 |
| CVE-2017-14716 | Stored XSS in EPESI 1.8.2 in the Phonecalls tasks title parameter | Sept 2017 | EPESI 1.8.2 |
| CVE-2017-14717 | Stored XSS in EPESI 1.8.2 in the Phonecalls Tasks description parameter | Sept 2017 | EPESI 1.8.2 |
| CVE-2017-16807 | Stored Cross Site Scripting (XSS) vulnerability in Kirby Panel | Nov 2017 | Kirby Panel |
| CVE-2017-15879 | Unauthenticated CSV Injection in KeystoneJS | Oct 2017 | KeystoneJS |
| CVE-2017-15878 | Cross Site Scripting (XSS) vulnerability in KeystoneJS via Contact us feature | Oct 2017 | KeystoneJS |
| CVE-2017-15284 | Stored Cross-Site Scripting Vulnerability in OctoberCMS 1.0.425 (aka Build 425) | Oct 2017 | OctoberCMS |
| CVE-2017-14619 | Cross-site scripting (XSS) vulnerability in phpMyFAQ to inject arbitrary web script | Sept 2017 | phpMyFAQ |
| CVE-2015-8813 | Server Side Request Forgery (SSRF) vulnerability in URL parameter of Umbraco | March 2017 | Umbraco CMS |
| CVE-2015-8814 | Cross-site request forgery (CSRF) vulnerability in Umbraco CMS | March 2017 | Umbraco CMS |
| CVE-2015-2652 | Unauthenticated File Upload in Oracle E-business Suite | July 2015 | Oracle E-business |

Penetration Testing Reports

| Title | Date | Product |
|---|---|---|
| KeyStoneJS Vulnerability Assessment and Penetration Testing Report | September 2017 | KeyStoneJS |
| Penetration Testing Report for Refinery CMS | Feb 2016 | Refinery CMS |
| Pagekit Vulnerability Assessment and Penetration Testing Report | Jan 2017 | Pagekit |