Securelayer 7 - Security Advisory

Vulnerability Report
Pentest Reports

VULNERABILITY REPORT

We regularly uncover Zero Day vulnerabilities in a wide range of applications during our research. Whenever possible we work together with vendors to address the issues, and responsibly disclose details.

Below is a list of vulnerabilities discovered by the team, along with relevant details where supplied by the vendor or third party.

ID	Title	Date	Product
CVE-2023-37581	Spring AI MariaDB Filter Enables SQL Injection and Access Control Bypass	Mar 2026	Spring AI
CVE-2026-22729	Spring AI JSONPath Injection Enables Access Control Bypass	Mar 2026	Spring AI
CVE-2026-24291	Windows Accessibility Infrastructure Flaw Enables Local Privilege Escalation	Mar 2026	Microsoft Windows
CVE-2026-25049	n8n Sandbox Escape via Expression Handling Enables Remote Code Execution	Feb 2026	n8n
CVE-2025-68613	n8n Expression Injection Flaw Enables Remote Code Execution	Dec 2025	n8n
CVE-2025-55182	React Server Components Deserialization Flaw Enables Remote Code Execution	Dec 2025	React Server Components (React)
CVE-2025-6019	libblockdev Flaw in udisksd Interaction Enables Local Privilege Escalation	June 2025	Linux Storage Library
CVE-2025-4318	Remote Code Execution in AWS Amplify Studio via Component Injection Flaw	May 2025	AWS Amplify Studio
CVE-2025-32433	Erlang/OTP SSH Flaw Enables Remote Code Execution via Pre-Auth Exploit	April 2025	Erlang/OTP SSH
CVE-2025-2783	Mojo IPC Sandbox Escape in Chrome Enables Remote Code Execution	March 2025	Google Chrome
CVE-2025-25364	Command Injection in Speedify VPN Enables macOS Privilege Escalation	Feb 2025	Speedify
CVE-2025-1094	Critical SQL Injection vulnerability in PostgreSQL 14.15	Feb 2025	PostgreSQL
CVE-2024-50379	Time-of-Check to Time-of-Use (TOCTOU) race condition in Apache Tomcat	Dec 2024	Apache Tomcat
CVE-2023-37581	Stored Cross Site Scripting (XSS) Vulnerability in Weblog Setting of Apache Roller	August 2023	Apache Roller
PSV-2018-0182	Security Advisory for Denial of Service on Some Routers and Gateways	Dec 2019	NETGEAR
CVE-2019-13143	FB50 Smart Lock Ownership Transfer Vulnerability	August 2019	FB50 smart lock
CVE-2018-11714	Authentication Bypass Vulnerability in TP-Link Router	June 2018	TP-Link Router
CVE-2017-9080	Remote Code Execution using Unrestricted File Upload in Play SMS 1.4	May 2018	PlaySMS 1.4
CVE-2017-9101	Remote Code Execution using Phonebook import Function in PlaySMS 1.4	May 2017	PlaySMS 1.4
CVE-2017-9100	Admin Dashboard Authentication Bypass for D-Link Router	May 2017	D-Link Router
CVE-2017-12853	Changing admin password using cross site request forgery in realtime router	August 2017	RealTime Router
CVE-2017-9243	Cross site scripting on Aries QWR-1104	May 2017	Aries QWR-1104 Wireless-NRouter
CVE-2017-9425	Cross Site Scripting(XSS) in Piwigo's Facetag extension	Feb 2018	Piwigo Plugin
CVE-2017-9426	SQL Injection via imageID parameter in Piwigo Plugin	Feb 2018	Piwigo Plugin
CVE-2017-5594	Authentication Bypass Vulnerability in Pagekit CMS	Feb 2018	PageKit CMS
CVE-2017-14618	Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8	Sept 2017	phpMyFAQ
CVE-2017-14713	Stored XSSS in EPESI 1.8.2 in the Phonecalls description parameter	Sept 2017	EPESI 1.8.2
CVE-2017-14714	Stored XSSS in EPESI 1.8.2 in the Phonecalls subject parameter	Sept 2017	EPESI 1.8.2
CVE-2017-14715	Stored XSSS in EPESI 1.8.2 in the Phonecalls Tasks Alerts Title parameter	Sept 2017	EPESI 1.8.2
CVE-2017-14716	Stored XSSS in EPESI 1.8.2 in the Phonecalls tasks title parameter	Sept 2017	EPESI 1.8.2
CVE-2017-14717	Stored XSSS in EPESI 1.8.2 in the Phonecalls Tasks description parameter	Sept 2017	EPESI 1.8.2
CVE-2017-16807	Stored Cross Site Scripting (XSS) vulnerability in Kirby Panel	Nov 2017	Kirby Panel
CVE-2017-15879	Unauthenticated CSV Injection in KeystoneJS	Oct 2017	KeystoneJS
CVE-2017-15878	Cross Site Scripting (XSS) vulnerability in KeystoneJS via Contact us feature	Oct 2017	KeystoneJS
CVE-2017-15284	Stored Cross-Site Scripting Vulnerability in OctoberCMS 1.0.425 (aka Build 425)	Oct 2017	OctoberCMS
CVE-2017-14619	Cross-site scripting (XSS) vulnerability in phpMyFAQ to inject arbitrary web script	Sept 2017	phpMyFAQ
CVE-2015-8813	Server Side Request Forgery (SSRF) vulnerability in URL parameter of Umbraco	March 2017	Umbraco CMS
CVE-2015-8814	cross-site request forgery (CSRF) vulnerability in Umbraco CMS	March 2017	Umbraco CMS
CVE-2015-2652	Unauthenticated File Upload in Oracle E-business Suite.	July 2015	Oracle E-business

PENETRATION TESTING REPORTS

Title	Date	Product
Real Media Library WordPress Plugin Penetration Testing Report	Jan 2023	Real Media
Kimai Time Tracking Web Application Penetration Testing Report	Jan 2023	Kimai
KeyStoneJS Vulnerability Assessment and Penetration Testing Report	September 2017	KeyStoneJS
Pagekit Vulnerability Assessment and Penetration Testing Report	Jan 2017	Pagekit
Penetration Testing Report for Refinery CMS	Feb 2016	Refinery CMS

Introducing BugDazz - The modern pentest solution

ADVISORIES AND ACKNOWLEDGEMENTS

VULNERABILITY REPORT

PENETRATION TESTING REPORTS