Vulnerability Report

We regularly uncover Zero Day vulnerabilities in a wide range of applications during our research. Whenever possible we work together with vendors to address the issues, and responsibly disclose details.

Below is a list of vulnerabilities discovered by the team, along with relevant details where supplied by the vendor or third party.

| CVE ID | Title | Date | Product |
| --- | --- | --- | --- |
| CVE-2019-13143 | FB50 Smart Lock Ownership Transfer Vulnerability | August 2019 | FB50 smart lock |
| CVE-2018-11714 | Authentication Bypass Vulnerability in TP-Link Router | June 2018 | TP-Link Router |
| CVE-2017-9080 | Remote Code Execution using Unrestricted File Upload in Play SMS 1.4 | May 2018 | PlaySMS 1.4 |
| CVE-2017-9101 | Remote Code Execution using Phonebook import Function in PlaySMS 1.4 | May 2017 | PlaySMS 1.4 |
| CVE-2017-9100 | Admin Dashboard Authentication Bypass for D-Link Router | May 2017 | D-Link Router |
| CVE-2017-12853 | Changing admin password using cross site request forgery in realtime router | August 2017 | RealTime Router |
| CVE-2017-9243 | Cross site scripting on Aries QWR-1104 | May 2017 | Aries QWR-1104 Wireless-N Router |
| CVE-2017-9425 | Cross Site Scripting (XSS) in Piwigo's Facetag extension | Feb 2018 | Piwigo Plugin |
| CVE-2017-9426 | SQL Injection via imageID parameter in Piwigo Plugin | Feb 2018 | Piwigo Plugin |
| CVE-2017-5594 | Authentication Bypass Vulnerability in Pagekit CMS | Feb 2018 | PageKit CMS |
| CVE-2017-14618 | Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 | Sept 2017 | phpMyFAQ |
| CVE-2017-14713 | Stored XSS in EPESI 1.8.2 in the Phonecalls description parameter | Sept 2017 | EPESI 1.8.2 |
| CVE-2017-14714 | Stored XSS in EPESI 1.8.2 in the Phonecalls subject parameter | Sept 2017 | EPESI 1.8.2 |
| CVE-2017-14715 | Stored XSS in EPESI 1.8.2 in the Phonecalls Tasks Alerts Title parameter | Sept 2017 | EPESI 1.8.2 |
| CVE-2017-14716 | Stored XSS in EPESI 1.8.2 in the Phonecalls tasks title parameter | Sept 2017 | EPESI 1.8.2 |
| CVE-2017-14717 | Stored XSS in EPESI 1.8.2 in the Phonecalls Tasks description parameter | Sept 2017 | EPESI 1.8.2 |
| CVE-2017-16807 | Stored Cross Site Scripting (XSS) vulnerability in Kirby Panel | Nov 2017 | Kirby Panel |
| CVE-2017-15879 | Unauthenticated CSV Injection in KeystoneJS | Oct 2017 | KeystoneJS |
| CVE-2017-15878 | Cross Site Scripting (XSS) vulnerability in KeystoneJS via Contact us feature | Oct 2017 | KeystoneJS |
| CVE-2017-15284 | Stored Cross-Site Scripting Vulnerability in OctoberCMS 1.0.425 (aka Build 425) | Oct 2017 | OctoberCMS |
| CVE-2017-14619 | Cross-site scripting (XSS) vulnerability in phpMyFAQ to inject arbitrary web script | Sept 2017 | phpMyFAQ |
| CVE-2015-8813 | Server Side Request Forgery (SSRF) vulnerability in URL parameter of Umbraco | March 2017 | Umbraco CMS |
| CVE-2015-8814 | Cross-site request forgery (CSRF) vulnerability in Umbraco CMS | March 2017 | Umbraco CMS |
| CVE-2015-2652 | Unauthenticated File Upload in Oracle E-business Suite | July 2015 | Oracle E-business |