VULNERABILITY REPORT

During our research we regularly uncover zero-day vulnerabilities in a wide range of applications and devices. Whenever possible we work with the affected vendor to get the issue fixed before details are published, and we disclose responsibly.

Below is a list of vulnerabilities discovered by the team. The ID column gives the CVE or vendor advisory identifier where one was assigned by the vendor or a third party; the Date column is the disclosure date listed by that source.

ID | Title | Date | Product
CVE-2023-37581 | Stored Cross-Site Scripting (XSS) in the Weblog Settings of Apache Roller | August 2023 | Apache Roller
PSV-2020-0595 | Security Advisory for Post-Authentication Command Injection on Some Routers | March 2021 | NETGEAR
PSV-2018-0182 | Security Advisory for Denial of Service on Some Routers and Gateways | December 2019 | NETGEAR
CVE-2019-13143 | FB50 Smart Lock Ownership Transfer Vulnerability | August 2019 | FB50 Smart Lock
CVE-2018-11714 | Authentication Bypass Vulnerability in TP-Link Router | June 2018 | TP-Link Router
CVE-2017-9080 | Remote Code Execution via Unrestricted File Upload in PlaySMS 1.4 | May 2018 | PlaySMS 1.4
CVE-2017-9101 | Remote Code Execution via the Phonebook Import Function in PlaySMS 1.4 | May 2017 | PlaySMS 1.4
CVE-2017-9100 | Admin Dashboard Authentication Bypass in D-Link Router | May 2017 | D-Link Router
CVE-2017-12853 | Admin Password Change via Cross-Site Request Forgery (CSRF) in Realtime Router | August 2017 | Realtime Router
CVE-2017-9243 | Cross-Site Scripting (XSS) in Aries QWR-1104 | May 2017 | Aries QWR-1104 Wireless-N Router
CVE-2017-9425 | Cross-Site Scripting (XSS) in Piwigo's Facetag Extension | February 2018 | Piwigo Plugin
CVE-2017-9426 | SQL Injection via the imageID Parameter in Piwigo Plugin | February 2018 | Piwigo Plugin
CVE-2017-5594 | Authentication Bypass Vulnerability in Pagekit CMS | February 2018 | Pagekit CMS
CVE-2017-14618 | Cross-Site Scripting (XSS) Vulnerability in phpMyFAQ through 2.9.8 | September 2017 | phpMyFAQ
CVE-2017-14713 | Stored XSS in EPESI 1.8.2 via the Phonecalls Description Parameter | September 2017 | EPESI 1.8.2
CVE-2017-14714 | Stored XSS in EPESI 1.8.2 via the Phonecalls Subject Parameter | September 2017 | EPESI 1.8.2
CVE-2017-14715 | Stored XSS in EPESI 1.8.2 via the Phonecalls Tasks Alerts Title Parameter | September 2017 | EPESI 1.8.2
CVE-2017-14716 | Stored XSS in EPESI 1.8.2 via the Phonecalls Tasks Title Parameter | September 2017 | EPESI 1.8.2
CVE-2017-14717 | Stored XSS in EPESI 1.8.2 via the Phonecalls Tasks Description Parameter | September 2017 | EPESI 1.8.2
CVE-2017-16807 | Stored Cross-Site Scripting (XSS) Vulnerability in Kirby Panel | November 2017 | Kirby Panel
CVE-2017-15879 | Unauthenticated CSV Injection in KeystoneJS | October 2017 | KeystoneJS
CVE-2017-15878 | Cross-Site Scripting (XSS) Vulnerability in KeystoneJS via the Contact Us Feature | October 2017 | KeystoneJS
CVE-2017-15284 | Stored Cross-Site Scripting Vulnerability in OctoberCMS 1.0.425 (aka Build 425) | October 2017 | OctoberCMS
CVE-2017-14619 | Cross-Site Scripting (XSS) Vulnerability in phpMyFAQ Allowing Injection of Arbitrary Web Script | September 2017 | phpMyFAQ
CVE-2015-8813 | Server-Side Request Forgery (SSRF) Vulnerability via the URL Parameter of Umbraco CMS | March 2017 | Umbraco CMS
CVE-2015-8814 | Cross-Site Request Forgery (CSRF) Vulnerability in Umbraco CMS | March 2017 | Umbraco CMS
CVE-2015-2652 | Unauthenticated File Upload in Oracle E-Business Suite | July 2015 | Oracle E-Business Suite

PENETRATION TESTING REPORTS

Title | Date | Product
Real Media Library WordPress Plugin Penetration Testing Report | January 2023 | Real Media Library
Kimai Time Tracking Web Application Penetration Testing Report | January 2023 | Kimai
KeystoneJS Vulnerability Assessment and Penetration Testing Report | September 2017 | KeystoneJS
Pagekit Vulnerability Assessment and Penetration Testing Report | January 2017 | Pagekit
Penetration Testing Report for Refinery CMS | February 2016 | Refinery CMS