RedTeam Pentesting Security Advisories

Cross-Site Scripting in Nextcloud: Development files shipped in files_pdfviewer app

Nextcloud’s PDF viewer uses an outdated version of PDF.js vulnerable to CVE-2024-4367.

Attackers with regular user access to a Nextcloud instance are able to prepare a special link. If this link is visited by other logged-in users a cross-site scripting is executed and attackers get access to that users’ files.

Reflective Kerberos Relay Attack Against Domain-Joined Windows Clients and Servers

RedTeam Pentesting has developed the Reflective Kerberos Relay Attack which remotely allows low-privileged Active Directory domain users to obtain NT AUTHORITY\SYSTEM privileges on domain-joined Windows computers. This vulnerability affects all domain-joined Windows hosts that do not require SMB signing of incoming connections. In their default configurations, this includes all Windows 10 and 11 versions up to 23H2 and all Windows Server versions including 2025 24H2 and excluding domain controllers.

Shopware Unfixed SQL Injection in Security Plugin 6

Shopware is affected by a known SQL injection in older Shopware versions which is fixed in newer Shopware releases. For customers who can not upgrade the main Shopware version the Shopware AG offers the security plugin which patches known vulnerabilities in old Shopware versions.

Docusnap Inventory Files Encrypted with Static Key

Inventory files created by Docusnap, containing information like installed programs, firewall rules and local administrators, are encrypted with a static key. The decryption key can be obtained easily from the .NET application, downloadable from the vendor’s website. When following Docusnap’s installation instructions for Windows Domains, every domain user has read access to these files.

Moodle: Remote Code Execution via Calculated Questions

Attackers with the permission to create or modify questions in Moodle courses are able to craft malicious inputs for calculated questions, which can be abused to execute arbitrary commands on the underlying system.

WatchGuard SSO Client Denial-of-Service

Attackers can issue malformed commands to WatchGuard SSO clients in order to crash the respective service.

WatchGuard SSO Agent Telnet Authentication Bypass

The WatchGuard SSO Agent exposes a Telnet interface on TCP port 4114 which is vulnerable to an authentication bypass granting unauthenticated attackers access to management commands.

WatchGuard SSO Protocol is Unencrypted and Unauthenticated

The protocol that is used by the WatchGuard Single Sign-On (SSO) agent to communicate with the respective client services is neither encrypted, nor authenticated. The unprotected information that is communicated is used to decide which firewall rules should be applied for the given host. Consequently, attackers can relay connections to other clients in order to apply the firewall rules of the relay target to their own host. Similarly, attackers could implement their own protocol client to send arbitrary account and group information to the agent in order to lift firewall restrictions. It is also possible for attackers to extract information such as logs or the list of logged-on users and their groups from hosts that run the client service.

Milesight UG67: World Writeable Webroot Allows for Privilege Escalation

Attackers with any user account on a Milesight UG67 LoRaWAN Gateway can gain full root access by manipulation of the webroot.

Milesight UG67: UBUS Allows for Privilege Escalation

Attackers who which can execute commands on a Milesight UG67 LoRaWAN Gateway can gain full root access by using ubus features.

Milesight UG67: Circumvention of User Account Restrictions using SSH Port Forwarding

It is possible to gain full shell access with restricted user accounts on the Milesight UG67 LoRaWAN Gateway by abusing SSH port forwarding and the PostgreSQL server.

Milesight UG67: Undocumented Default Password

The Milesight UG67 Outdoor LoRaWAN Gateway has an undocumented user account ‘pyuser’ with the guessable password ‘ur123456’.

Milesight UG67: Privileged Access Using USB Console

Attackers with physical access to the Milesight UG67 Outdoor LoRaWAN Gateway are able to gain full control over the installed operating system using an unprotected USB console.

Aptos Wisal Payroll Accounting Uses Hardcoded Database Credentials

Aptos WISAL payroll accounting uses hardcoded credentials in the Windows client to fetch the complete list of usernames and passwords from the database server, using an unencrypted connection. This allows attackers in a machine-in-the-middle position read and write access to personally identifiable information (PII) and especially payroll data and the ability to impersonate legitimate users with respect to the audit log.

D-Link DAP-X1860: Remote Command Injection

The Wi-Fi network scanning functionality of the D-Link DAP-X1860 range extender is susceptible to remote command injection. Attackers who create a Wi-Fi network with a crafted SSID in range of the extender can run shell commands during the setup process or when using the network scan function of the range extender.

Pydio Cells: Server-Side Request Forgery

For longer running processes, Pydio Cells allows for the creation of jobs, which are run in the background. The job “remote-download” can be used to cause the backend to send a HTTP GET request to a specified URL and save the response to a new file. The response file is then available in a user-specified folder in Pydio Cells.

Pydio Cells: Cross-Site Scripting via File Download

Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript (https://aws.amazon.com/sdk-for-javascript/). The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it is possible to generate valid signatures for arbitrary download URLs. By uploading an HTML file and modifying the download URL to serve the file inline instead of as an attachment, any included JavaScript code is executed when the URL is opened in a browser, leading to a cross-site scripting vulnerability.

Pydio Cells: Unauthorised Role Assignments

Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted.

Session Token Enumeration in RWS WorldServer

Session tokens in RWS WorldServer have a low entropy and can be enumerated, leading to unauthorised access to user sessions.

STARFACE: Authentication with Password Hash Possible

RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application’s database generally has become best practice to protect users’ passwords in case of a database compromise, this is rendered ineffective when allowing to authenticate using the password hash.

Skyhigh Security Secure Web Gateway: Cross-Site Scripting in Single Sign-On Plugin

RedTeam Pentesting identified a vulnerability which allows attackers to craft URLs to any third-party website that result in arbitrary content to be injected into the response when accessed through the Secure Web Gateway. While it is possible to inject arbitrary content types, the primary risk arises from JavaScript code allowing for cross-site scripting.

Skyhigh Security Secure Web Gateway: Information Disclosure Due to Same Origin Policy Bypass on Block Page

When HTTP traffic is blocked by the Secure Web Gateway, a block page containing relevant information is returned by the Secure Web Gateway in place of the actual server response. Consequently, the browser assumes that the block page is the actual server response such that the Same Origin Policy cannot be applied correctly. For example, if a third-party website performs a request to its own origin which is blocked, the Same Origin Policy will not restrict access to the block page such that the potentially sensitive information contained in the block page can be accessed by the website’s JavaScript code.

Credential Disclosure in Web Interface of Crestron Device

When the administrative web interface of the Crestron HDMI switcher is accessed unauthenticated, user credentials are disclosed which are valid to authenticate to the web interface.

Auerswald COMpact Multiple Backdoors

RedTeam Pentesting discovered several backdoors in the firmware for the Auerswald COMpact 5500R PBX. These backdoors allow attackers who are able to access the web-based management application full administrative access to the device.

Auerswald COMpact Arbitrary File Disclosure

RedTeam Pentesting discovered a vulnerability in the web-based management interface of the Auerswald COMpact 5500R PBX which allows users with the “sub-admin” privilege to access any files on the PBX’s file system.

Auerswald COMpact Privilege Escalation

RedTeam Pentesting discovered a vulnerability in the web-based management interface of the Auerswald COMpact 5500R PBX which allows low-privileged users to access passwords of administrative user accounts.

Auerswald COMfortel 1400/2600/3600 IP Authentication Bypass

RedTeam Pentesting discovered a vulnerability in the web-based configuration management interface of the Auerswald COMfortel 1400 and 2600 IP desktop phones. The vulnerability allows accessing configuration data and settings in the web-based management interface without authentication.

Missing Authentication in ZKTeco ZEM/ZMM Web Interface

The ZKTeco time attendance device does not require authentication to use the web interface, exposing the database of employees and their credentials.

XML External Entity Expansion in MobileTogether Server

RedTeam Pentesting discovered a vulnerability in the MobileTogether server which allows users with access to at least one app to read arbitrary, non-binary files from the file system and perform server-side requests. The vulnerability can also be used to deny availability of the system. As an example, this advisory shows the compromise of the server’s certificate and private key.

Cross-Site Scripting in myfactory.FMS

During a penetration test, a reflected cross-site scripting vulnerability (XSS) was found in the myfactory.FMS login form. If a user opens an attacker-prepared link to the application, attackers can run arbitrary JavaScript code in the user’s browser.

Arbitrary File Disclosure and Server-Side Request Forgery in BigBlueButton

RRedTeam Pentesting discovered a vulnerability in the BigBlueButton web conferencing system which allows participants of a conference with permissions to upload presentations to read arbitrary files from the file system and perform server-side requests. This leads to administrative access to the BigBlueButton instance.

Inconsistent Behavior of Go's CGI and FastCGI Transport May Lead to Cross-Site Scripting

The CGI and FastCGI implementations in the Go standard library behave differently from the HTTP server implementation when serving content. In contrast to the documented behavior, they may return non-HTML data as HTML. This may lead to cross-site scripting vulnerabilities even if uploaded data has been validated during upload.

FRITZ!Box DNS Rebinding Protection Bypass

RedTeam Pentesting discovered a vulnerability in FRITZ!Box router devices which allows to resolve DNS answers that point to IP addresses in the private local network, despite the DNS rebinding protection mechanism.

Denial of Service in D-Link DSR-250N

RedTeam Pentesting discovered a Denial-of-Service vulnerability in the D-Link DSR-250N device which allows unauthenticated attackers in the same local network to execute a CGI script which reboots the device.

Credential Disclosure in WatchGuard Fireware AD Helper Component

RedTeam Pentesting discovered a credential-disclosure vulnerability in the AD Helper component of the WatchGuard Fireware Threat Detection and Response (TDR) service, which allows unauthenticated attackers to gain Active Directory credentials for a Windows domain in plaintext.

IceWarp: Cross-Site Scripting in Notes

During a penetration test, RedTeam Pentesting discovered that the IceWarp WebMail Server is prone to cross-site scripting attacks in notes for objects. If attackers with access to the IceWarp system provide a manipulated object that is displayed by users, they can run arbitrary JavaScript code in the users’ browsers.

IceWarp: Cross-Site Scripting in Notes for Contacts

During a penetration test, RedTeam Pentesting discovered that the IceWarp WebMail Server is prone to user-assisted cross-site scripting attacks in its contact module. If IceWarp users import a manipulated vcard, for example from an email, attackers can run arbitrary JavaScript code in the users’ browsers.

Unauthenticated Access to Modbus Interface in Carel pCOWeb HVAC

As part of its features, the Carel pCOWeb card exposes a Modbus interface to the network. By design, Modbus does not provide authentication, allowing to control the affected system.

Unsafe Storage of Credentials in Carel pCOWeb HVAC

The Carel pCOWeb card stores password hashes in the file “/etc/passwd”, allowing privilege escalation by authenticated users. Additionally, plaintext copies of the passwords are stored.

Information Disclosure in REDDOXX Appliance

RedTeam Pentesting discovered an Information Disclosure vulnerability in the REDDOXX appliance software, which allows unauthenticated attackers to gain information about the internal network the appliance is part of.

Code Execution via Insecure Shell Function getopt_simple

RedTeam Pentesting discovered that the shell function “getopt_simple”, as presented in the “Advanced Bash-Scripting Guide”, allows execution of attacker-controlled commands.

Cisco RV320 Command Injection

RedTeam Pentesting discovered a command injection vulnerability in the web-based certificate generator feature of the Cisco RV320 router which was inadequately patched by the vendor.

Cisco RV320 Unauthenticated Diagnostic Data Retrieval

RedTeam Pentesting discovered that the Cisco RV320 router still exposes sensitive diagnostic data without authentication via the device’s web interface due to an inadequate fix by the vendor.

Cisco RV320 Unauthenticated Configuration Export

RedTeam Pentesting discovered that the configuration of a Cisco RV320 router can still be exported without authentication via the device’s web interface due to an inadequate fix by the vendor.

Directory Traversal in Cisco Expressway Gateway

RedTeam Pentesting discovered a directory traversal vulnerability in Cisco Expressway which enables access to administrative web interfaces.

Cisco RV320 Command Injection

RedTeam Pentesting discovered a command injection vulnerability in the web-based certificate generator feature of the Cisco RV320 router.

Cisco RV320 Unauthenticated Diagnostic Data Retrieval

RedTeam Pentesting discovered that the Cisco RV320 router exposes sensitive diagnostic data without authentication through the device’s web interface.

Cisco RV320 Unauthenticated Configuration Export

RedTeam Pentesting discovered that the configuration of a Cisco RV320 router may be exported without authentication through the device’s web interface.

Arbitrary Redirect in Tuleap

RedTeam Pentesting discovered an arbitrary redirect vulnerability in the redirect mechanism of the application lifecycle management platform Tuleap.

CyberArk Password Vault Memory Disclosure

Data in the CyberArk Password Vault may be accessed through a proprietary network protocol. While answering to a client’s logon request, the vault discloses around 50 bytes of its memory to the client.

CyberArk Password Vault Web Access Remote Code Execution

The CyberArk Password Vault Web Access application uses authentication tokens which consist of serialized .NET objects. By crafting manipulated tokens, attackers are able to gain unauthenticated remote code execution on the web server.

Truncation of SAML Attributes in Shibboleth 2

RedTeam Pentesting discovered that the shibd service of Shibboleth 2 does not extract SAML attribute values in a robust manner. By inserting XML entities into a SAML response, attackers may truncate attribute values without breaking the document’s signature. This might lead to a complete bypass of authorisation mechanisms.

Shopware Cart Accessible by Third-Party Websites

RedTeam Pentesting discovered that the shopping cart implemented by Shopware offers an insecure API. Malicious, third-party websites may abuse this API to list, add or remove products from a user’s cart.

Remote Command Execution in PDNS Manager

RedTeam Pentesting discovered that PDNS Manager is vulnerable to a remote command execution vulnerability, if for any reason the configuration file config/config-user.php does not exist.

Remote Command Execution as root in REDDOXX Appliance

RedTeam Pentesting discovered a remote command execution vulnerability in the REDDOXX appliance software, which allows attackers to execute arbitrary command with root privileges while unauthenticated.

Unauthenticated Access to Diagnostic Functions in REDDOXX Appliance

RedTeam Pentesting discovered a vulnerability which allows attackers unauthenticated access to the diagnostic functions of the administrative interface of the REDDOXX appliance. The functions allow, for example, to capture network traffic on the appliance’s interfaces.

Undocumented Administrative Service Account in REDDOXX Appliance

RedTeam Pentesting discovered an undocumented service account in the REDDOXX appliance software, which allows attackers to access the administrative interface of the appliance and change its configuration.

Arbitrary File Disclosure with root Privileges via RdxEngine-API in REDDOXX Appliance

RedTeam Pentesting discovered an arbitrary file disclosure vulnerability in the REDDOXX appliance software, which allows unauthenticated attackers to list directory contents and download arbitrary files from the affected system with root permissions.

Unauthenticated Extraction of Session-IDs in REDDOXX Appliance

RedTeam Pentesting discovered an information disclosure vulnerabilty in the REDDOXX appliance software, which allows unauthenticated attackers to extract valid session IDs.

Unauthenticated Arbitrary File Disclosure in REDDOXX Appliance

RedTeam Pentesting discovered an arbitrary file disclosure vulnerability in the REDDOXX appliance software, which allows unauthenticated attackers to download arbitrary files from the affected system.

Cross-Site Scripting in REDDOXX Appliance

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability in the REDDOXX appliance software, which allows attackers to inject arbitrary JavaScript code via a crafted URL.

XML External Entity Expansion in Ladon Webservice

Attackers who can send SOAP messages to a Ladon webservice via the HTTP interface of the Ladon webservice can exploit an XML external entity expansion vulnerability and read local files, forge server side requests or overload the service with exponentially growing memory payloads.

Cross-Site Scripting in TYPO3 Formhandler Extension

RedTeam Pentesting discovered a cross-site scripting vulnerability (XSS) in the TYPO3 extension Formhandler.

Unauthenticated File Upload in Relay Ajax Directory Manager may Lead to Remote Command Execution

A vulnerability within the Relay Ajax Directory Manager web application allows unauthenticated attackers to upload arbitrary files to the web server running the web application.

Websockify: Remote Code Execution via Buffer Overflow

RedTeam Pentesting discovered a buffer overflow vulnerability in the C implementation of Websockify, which allows attackers to execute arbitrary code.

Less.js: Compilation of Untrusted LESS Files May Lead to Code Execution through the JavaScript Less Compiler

RedTeam Pentesting discovered behaviour in the Less.js compiler, which allows execution of arbitrary code if an untrusted LESS file is compiled.

Cross-site Scripting in Securimage 3.6.2

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability in the Securimage CAPTCHA software, which allows attackers to inject arbitrary JavaScript code via a crafted URL.

Padding Oracle in Apache mod_session_crypto

During a penetration test, RedTeam Pentesting discovered a Padding Oracle vulnerability in mod_session_crypto of the Apache web server. This vulnerability can be exploited to decrypt the session data and even encrypt attacker-specified data.

Symfony PHP Framework: Session Fixation In "Remember Me" Login Functionality

A session fixation vulnerability within the Symfony web application framework’s “Remember Me” login functionality allows an attacker to impersonate the victim towards the web application if the session ID value was previously known to the attacker.

XML External Entity Expansion in Paessler PRTG Network Monitor

Authenticated users who can create new HTTP XML/REST Value sensors in PRTG Network Monitor can read local files on the PRTG host system via XML external entity expansion.

WebClientPrint Processor 2.0: No Validation of TLS Certificates

RedTeam Pentesting discovered that WebClientPrint Processor (WCPP) does not validate TLS certificates when initiating HTTPS connections. Thus, a man-in-the-middle attacker may intercept and/or modify HTTPS traffic in transit. This may result in a disclosure of sensitive information and the integrity of printed documents cannot be guaranteed.

WebClientPrint Processor 2.0: Unauthorised Proxy Modification

RedTeam Pentesting discovered that attackers can configure a proxy host and port to be used when fetching print jobs with WebClientPrint Processor (WCPP). This proxy setting may be distributed via specially crafted websites and is set without any user interaction as soon as the website is accessed.

WebClientPrint Processor 2.0: Remote Code Execution via Updates

RedTeam Pentesting discovered that rogue updates trigger a remote code execution vulnerability in WebClientPrint Processor (WCPP). These updates may be distributed through specially crafted websites and are processed without any user interaction as soon as the website is accessed. However, the browser must run with administrative privileges.

WebClientPrint Processor 2.0: Remote Code Execution via Print Jobs

RedTeam Pentesting discovered that malicious print jobs can be used to trigger a remote code execution vulnerability in WebClientPrint Processor (WCPP). These print jobs may be distributed via specially crafted websites and are processed without any user interaction as soon as the website is accessed.

Buffalo LinkStation Authentication Bypass

An authentication bypass vulnerability in the web interface of a Buffalo LinkStation Duo Network Attached Storage (NAS) device allows unauthenticated attackers to gain administrative privileges. This puts the confidentiality and integrity of the stored data as well as the integrity of the device configuration at high risk.

o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials

The o2 Auto Configuration Server (ACS) discloses VoIP/SIP credentials of arbitrary customers when receiving manipulated CWMP packets. These credentials can then be used by an attacker to register any VoIP number of the victim. This enables the attacker to place and receive calls on behalf of the attacked user.

Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery

During a penetration test, RedTeam Pentesting discovered a vulnerability in the management web interface of an Alcatel-Lucent OmniSwitch 6450. The management web interface has no protection against cross-site request forgery attacks. This allows specially crafted web pages to change the switch configuration and create users, if an administrator accesses the website while being authenticated in the management web interface.

Alcatel-Lucent OmniSwitch Web Interface Weak Session ID

During a penetration test, RedTeam Pentesting discovered a vulnerability in the management web interface of an Alcatel-Lucent OmniSwitch 6450. This interface uses easily guessable session IDs, which allows attackers to authenticate as a currently logged-in user and perform administrative tasks.

SQL Injection in TYPO3 Extension Akronymmanager

An SQL injection vulnerability in the TYPO3 extension “Akronymmanager” allows authenticated attackers to inject SQL statements and thereby read data from the TYPO3 database.

AVM FRITZ!Box: Remote Code Execution via Buffer Overflow

RedTeam Pentesting discovered that several models of the AVM FRITZ!Box are vulnerable to a stack-based buffer overflow, which allows attackers to execute arbitrary code on the device.

Directory Traversal and Arbitrary File Disclosure in hybris Commerce Software Suite

During a penetration test, RedTeam Pentesting discovered a Directory Traversal vulnerability in hybris Commerce software suite. This vulnerability allows attackers to download arbitrary files of any size from the affected system.

Cross-site Scripting in Tapatalk Plugin for WoltLab Burning Board 4.0

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability in the Tapatalk plugin for the WoltLab Burning Board forum software, which allows attackers to inject arbitrary JavaScript code via URL parameters.

AVM FRITZ!Box: Arbitrary Code Execution Through Manipulated Firmware Images

The firmware upgrade process of the FRITZ!Box 7490 is flawed. Specially crafted firmware images can overwrite critical files. Arbitrary code can get executed if an attempt is made to install such a manipulated firmware.

Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics Page

During a penetration test, RedTeam Pentesting discovered that the IBM Endpoint Manager Relay Diagnostics page allows anybody to persistently store HTML and JavaScript code that is executed when the page is opened in a browser.

Unauthenticated Remote Code Execution in IBM Endpoint Manager Mobile Device Management Components

During a penetration test, RedTeam Pentesting discovered that several IBM Endpoint Manager Components are based on Ruby on Rails and use static secret_token values. With these values, attackers can create valid session cookies containing marshalled objects of their choosing. This can be leveraged to execute arbitrary code when the Ruby on Rails application unmarshals the cookie.

EntryPass N5200 Credentials Disclosure

EntryPass N5200 Active Network Control Panels allow the unauthenticated downloading of information that includes the current administrative username and password.

AVM FRITZ!Box: Firmware Signature Bypass

The signature check of FRITZ!Box firmware images is flawed. Malicious code can be injected into firmware images without breaking the RSA signature. The code will be executed either if a manipulated firmware image is uploaded by the victim or if the victim confirms an update on the webinterface during a MITM attack.

Information Disclosure in TYPO3 Extension ke_questionnaire

The TYPO3 extension ke_questionnaire stores answered questionnaires in a publicly reachable directory on the webserver with filenames that are easily guessable.

Python CGIHTTPServer File Disclosure and Potential Code Execution

The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script’s source code or execute arbitrary CGI scripts in the server’s document root.

Remote Code Execution in TYPO3 Extension ke_dompdf

During a penetration test RedTeam Pentesting discovered a remote code execution vulnerability in the TYPO3 extension ke_dompdf, which allows attackers to execute arbitrary PHP commands in the context of the webserver.

Directory Traversal in DevExpress ASP.NET File Manager

During a penetration test RedTeam Pentesting discovered a directory traversal vulnerability in DevExpress’ ASP.NET File Manager and File Upload. Attackers are able to read arbitrary files by specifying a relative path.

SQL Injection in webEdition CMS File Browser

RedTeam Pentesting discovered an SQL injection vulnerability in the file browser component of webEdition CMS during a penetration test. Unauthenticated attackers can get read-only access on the SQL database used by webEdition and read for example password hashes used by administrative accounts.

Remote Command Execution in webEdition CMS Installer Script

RedTeam Pentesting discovered a remote command execution vulnerability in the installer script of the webEdition CMS during a penetration test. If the installer script is not manually removed after installation, attackers cannot only reinstall webEdition, but also gain remote command execution.

Metadata Information Disclosure in OrbiTeam BSCW

RedTeam Pentesting discovered an information disclosure vulnerability in OrbiTeam’s BSCW collaboration software. An unauthenticated attacker can disclose metadata about internal objects which are stored in BSCW.

rexx Recruitment Cross-Site Scripting in User Registration

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability in rexx Recruitment’s user registration page during a penetration test. If attackers can persuade users to click on a prepared link or redirected them to such a link from an attacker-controlled website, they are able to run arbitrary JavaScript code in the context of the rexx Recruitment installation’s domain.

McAfee ePolicy Orchestrator XML External Entity Expansion in Dashboard

RedTeam Pentesting identified an XML external entity expansion vulnerability in McAfee ePolicy Orchestrator’s (ePO) dashboard feature. Users with the ability to create new dashboards in the ePO web interface who exploit this vulnerability can read local files on the ePO server, including sensitive data like the ePO database configuration.

Endeca Latitude Cross-Site Scripting

RedTeam Pentesting discovered a Cross-Site Scripting (XSS) vulnerability in Endeca Latitude. By exploiting this vulnerability an attacker is able to execute arbitrary JavaScript code in the context of other Endeca Latitude users.

Endeca Latitude Cross-Site Request Forgery

RedTeam Pentesting discovered a Cross-Site Request Forgery (CSRF) vulnerability in Endeca Latitude. Using this vulnerability, an attacker might be able to change several different settings of the Endeca Latitude instance or disable it entirely.

Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution

During a penetration test a typical misconfiguration was found in the way Dovecot is used as a local delivery agent by Exim. A common use case for the Dovecot IMAP and POP3 server is the use of Dovecot as a local delivery agent for Exim. The Dovecot documentation contains an example using a dangerous configuration option for Exim, which leads to a remote command execution vulnerability in Exim.

php-decoda: Cross-Site Scripting in Video Tags

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability in the PHP markup parser Decoda. This allows attackers that should be restricted to the markup supported by Decoda to specify a JavaScript event handler for an iframe tag. Depending on the usage of Decoda, this allows attackers to execute JavaScript code in the context of other users in a web application that uses Decoda.

Bugzilla: Cross-Site Scripting in Chart Generator

RedTeam Pentesting discovered a Cross-Site Scripting (XSS) vulnerability in Bugzilla’s chart generator during a penetration test. If attackers can persuade users to click on a prepared link or redirected them to such a link from an attacker-controlled website, they are able to run arbitrary JavaScript code in the context of the Bugzilla installation’s domain.

Owl Intranet Engine: Information Disclosure and Unsalted Password Hashes

The Owl Intranet Engine uses no salting in the password hashing procedure. Furthermore, users in the “Administrators” group are able to see the MD5 password hashes of every user using the web interface.

Owl Intranet Engine: Authentication Bypass

During a penetration test, RedTeam Pentesting discovered an Authentication Bypass vulnerability in the Owl Intranet Engine, which allows unauthenticated users administrative access to the affected systems.

Client Side Authorization ZyXEL ZyWALL USG Appliances Web Interface

The ZyXEL ZyWALL USG appliances perform parts of the authorization for their management web interface on the client side using JavaScript. By setting the JavaScript variable “isAdmin” to “true”, a user with limited access gets full access to the web interface.

Authentication Bypass in Configuration Import and Export of ZyXEL ZyWALL USG Appliances

Unauthenticated users with access to the management web interface of certain ZyXEL ZyWALL USG appliances can download and upload configuration files, that are applied automatically.

SugarCRM list privilege restriction bypass

RedTeam Pentesting discovered a vulnerability in SugarCRM that allows logged in users to bypass restrictions of their list privilege, allowing to list all entries.

nostromo nhttpd directory traversal leading to arbitrary command execution

During a penetration test, RedTeam Pentesting discovered a directory traversal vulnerability leading to arbitrary command execution in the nostromo HTTP server.

Geo++(R) GNCASTER: Faulty implementation of HTTP Digest Authentication

During a penetration test, RedTeam Pentesting discovered that the GNCaster software has multiple bugs in its implementation of HTTP Digest Authentication.

Geo++(R) GNCASTER: Insecure handling of NMEA-data

During a penetration test, RedTeam Pentesting discovered that the GNCaster software does not handle NMEA-data correctly. An attacker that has valid login credentials can use this to crash the server software or potentially execute code on the server.

Geo++(R) GNCASTER: Insecure handling of long URLs

During a penetration test, RedTeam Pentesting discovered that the GNCASTER software does not handle long URLs correctly. An attacker can use this to crash the server software or potentially execute code on the server.

Papoo CMS: Authenticated Arbitrary Code Execution

The Papoo CMS allows authenticated users to upload GIF, JPG and PNG images if they have the “upload images” privilege, which is true for all default groups that can access the administrative interface. The CMS checks the uploaded images only for their header, but not for the file extension. It is therefore possible to upload images with the file extension “.php” and a valid image header. By embedding PHP code into the image (e.g. by using the GIF comments field), arbitrary code can be executed when requesting the image.

IceWarp WebMail Server: Client-Side Specification of "Forgot Password" eMail Content

During a penetration test, RedTeam Pentesting discovered that the emails sent by the IceWarp WebMail Server when using the “Forgot Password” function are generated on the client side. Furthermore, the server expands certain keywords in these emails to users’ full names, usernames and passwords. This allows for advanced social engineering attacks and the potential disclosure of usernames and passwords.

IceWarp WebMail Server: SQL Injection in Groupware Component

During a penetration test RedTeam Pentesting discovered multiple SQL-Injections in the IceWarp WebMail Server. Attackers that are in control of a user account for the web-based email and groupware components are able to execute arbitrary SQL SELECT statements and therefore read any data from the DBMS that are accessible by the Icewarp eMail Server.

IceWarp WebMail Server: User-assisted Cross Site Scripting in RSS Feed Reader

During a penetration test, RedTeam Pentesting discovered that the IceWarp WebMail Server is prone to user-assisted Cross Site Scripting attacks in its RSS feed reader. If attackers control or compromise an RSS feed users are subscribed to, they can run arbitrary JavaScript code in the users’ browsers by embedding it within the feed.

IceWarp WebMail Server: Cross Site Scripting in Email View

During a penetration test, RedTeam Pentesting discovered that the IceWarp WebMail Server is prone to Cross Site Scripting attacks in its email view. This enables attackers to send emails with embedded JavaScript code, for example, to steal users’ session IDs.

SQL-Injections in Mapbender

During a penetration test RedTeam Pentesting discovered multiple SQL-Injections in Mapbender. A remote attacker is able to execute arbitrary SQL commands and therefore can get e.g. valid usernames and password hashes of the Mapbender users.

Remote Command Execution in Mapbender

During a penetration test RedTeam Pentesting discovered a remote command execution vulnerability in Mapbender. An unauthorized user can create arbitrary PHP-files on the Mapbender webserver, which can later be executed.

ActiveWeb Contentserver CMS Editor Permission Settings Problem

RedTeam Pentesting discovered a problem with the permission settings in the management interface of the activeWeb contentserver CMS during a penetration test. The ability of an editor to create and edit documents can be restricted to specific folders. RedTeam Pentesting was still able to create arbitrary documents in all directories, regardless of the restrictions set on the editor account.

ActiveWeb Contentserver CMS Clientside Filtering of Page Editor Content

RedTeam Pentesting discovered a design vulnerability in the page editor of the activeWeb contentserver CMS during a penetration test. Filtering of user content, e.g. to prevent the usage of Javascript code, is done on the client side. By manipulating the POST request, the filtering can be circumvented.

ActiveWeb Contentserver CMS Multiple Cross Site Scriptings

RedTeam Pentesting discovered three Cross Site Scripting vulnerabilities in the activeWeb contentserver CMS during a penetration test. One of the Cross Site Scriptings is persistent.

ActiveWeb Contentserver CMS SQL Injection Management Interface

RedTeam Pentesting discovered an SQL Injection in the picture_real_edit.asp script of the activeWeb contentserver CMS during a penetration test. An editor with the permission to edit pictures can exploit this by injecting arbitrary commands into the “id” variable used to fetch an image from the database.

Fujitsu-Siemens PRIMERGY BX300 Switch Blade Information Disclosure

RedTeam Pentesting discovered an information disclosure in the Fujitsu-Siemens BX300 Switch Blade during a penetration test. By accessing URLs of the web interface directly and aborting the authentication dialog, one is able to access the restricted management interface without proper authentication, having read-only access.

Fujitsu-Siemens ServerView Remote Command Execution

RedTeam Pentesting discovered a remote command execution in the Fujitsu-Siemens ServerView during a penetration test. The DBAsciiAccess CGI script is vulnerable to a remote command execution because of a parameter which is not properly sanitized. An attacker may run arbitrary commands on the server with the permissions of the webserver user.

Alcatel-Lucent OmniPCX Remote Command Execution

RedTeam Pentesting discovered a remote command execution in the Alcatel-Lucent OmniPCX during a penetration test. The masterCGI script of the OmniPXC integrated communication solution web interface is vulnerable to a remote command execution. Attackers can run arbitrary commands with the permissions of the web application user.

Authentication bypass in BytesFall Explorer

A malicious user can bypass authentication and take over the role of the administrator of BytesFall Explorer by using an SQL injection. Several other SQL injections are possible.

Remote command execution in planetGallery

An admin of planetGallery is allowed to create new galleries and upload images. Because of a vulnerable regular expression, he may also upload PHP scripts and thereby execute arbitrary commands with the privileges of PHP.

Unauthorized password recovery in phpBannerExchange

RedTeam identified an SQL injection that can be triggered due to a bad user input sanitization in phpBannerExchange. It is possible to recover a password of an user and thereby overtake his account.

Authentication bypass in phpBannerExchange

RedTeam identified two SQL injections in phpBannerExchange. It is possible to bypass user authentication with them.

Perlpodder Remote Arbitrary Command Execution

RedTeam identified a security flaw in perlpodder which makes it possible for a malicious podcast server to execute arbitrary shell commands on the victim’s client.

Prodder Remote Arbitrary Command Execution

RedTeam identified a security flaw in prodder which makes it possible for a malicious podcast server to execute arbitrary shell commands on the victim’s client.

PAJAX Remote Code Injection and File Inclusion Vulnerability

RedTeam has identified two security flaws in PAJAX. It is possible to execute arbitrary PHP code from unchecked user input. Additionally, it is possible to include arbitrary files on the server ending in “.class.php”.

Time modification flaw in BSD securelevels on NetBSD and Linux

The implementations of securelevels on NetBSD and Linux contain an integer overflow, allowing the protection of system time to be completely circumvented.

BSD Securelevels: Circumventing protection of files flagged immutable

By mounting an arbitrary filesystem, it is possible to mask files flagged immutable with any user-defined files.

New banking security system iTAN not as secure as claimed

The new iTAN security feature for online banking promoted by german banks does not protect against phishing attacks and trojans as claimed.

Sophos does not recognize keylogger after string alteration

During a Penetrationtest RedTeam found out that Sophos Anti-Virus (SAV for short) won’t recognize a keylogger as malware, after alteration of a string in the keylogger’s binary.

Pico Server (pServ) Local Information Disclosure

RedTeam found a local information disclosure vulnerability in Pico Server (pServ) which results in a local user reading all files on the server with pServ’s permissions.

Pico Server (pServ) Information Disclosure Of CGI Sources

RedTeam found a Information Disclosure vulnerability in Pico Server (pServ) which gives an attacker the ability to read all files from cgi-bin.

Pico Server (pServ) Remote Command Injection

RedTeam found a remote command injection in Pico Server (pServ) which results in a remote attacker being able to issue arbitrary commands on the server.

o2 Germany promotes SMS-Phishing

RedTeam likes to point out that certain text messages (“SMS”) recently sent by the cellphone network operator “o2 Germany” to some of its customers might promote SMS-Phishing. RedTeam expects SMS-Phishing to spread even more and become a severe problem.

JPEG EXIF information disclosure

RedTeam likes to raise awareness of common Information Disclosure via JPEG EXIF thumbnail images in common image processing software.

Cross Site Scripting Vulnerability in Openconf Conference Management Software

RedTeam found a cross site scripting vulnerability in openconf which results in possible session takeover.

Awstats official workaround flaw

RedTeam found a flaw in the official workaround for the remote command execution vulnerability in awstats discovered by iDefense.

Directory traversal in CitrusDB

RedTeam found a directory traversal vulnerability in CitrusDB which results in inclusion of any accessible local .php file.

SQL-Injection in CitrusDB

RedTeam found an SQL-Injection vulnerability in CitrusDB.

Upload Authorization bypass in CitrusDB

RedTeam found an authorization bypass vulnerability in CitrusDB which results in upload of fake credit card data, SQL-Injection and disclosure of credit card data.

Authentication bypass in CitrusDB

RedTeam found an authentication bypass vulnerability in CitrusDB which can result in complete corruption of the installed CitrusDB application.

Credit Card data disclosure in CitrusDB

RedTeam found an information disclosure vulnerability in CitrusDB which can result in disclosure of credit card information.