... Loading ...

SSD Secure Disclosure

Disclosing vulnerabilities responsibly since 2007

SquirrelMail – Incoming e-Mails Stored XSS

Abstract SquirrelMail allows to display HTML messages provided that non-safe fragments are redacted. An input sanitization vulnerability that can be exploited to perform stored cross-site scripting (XSS) attacks has been discovered. A remote attacker can send a specially crafted e-mail containing malicious HTML and execute arbitrary JavaScript code in the context of the vulnerable webmail […]

Hack2Win eXtreme Warm Up

In our upcoming Hack2Win eXtreme event in Hong Kong we will be asking contest participants to come and try their skills breaking into devices and software, showing their abilities in finding vulnerabilities in iOS and Android, as well as in Chrome and Firefox. In preparation for the event, we are launching a “warm up” event […]

SSD Advisory – QRadar Remote Command Execution

Vulnerability Summary Multiple vulnerabilities in QRadar allow a remote unauthenticated attackers to cause the product to execute arbitrary commands. Each vulnerability on its own is not as strong as their chaining – which allows a user to change from unauthenticated to authenticated access, to running commands, and finally running these commands with root privileges. Vendor […]

SSD Advisory – TrustPort Management Unauthenticated Remote Code Execution

Vulnerability Summary Multiple vulnerabilities in TrustPort’s management product allow remote unauthenticated attackers to cause the product to execute arbitrary code. TrustPort Management “offers you an effective and practical way to install centrally, configure and update antivirus software in your network and it enables mass administration of TrustPort products. Central administration from TrustPort brings you simple […]

SSD Advisory – Western Digital My Cloud Pro Series PR2100 Authenticated RCE

Vulnerability Summary A vulnerability in the Western Digital My Cloud Pro Series PR2100 allows authenticated users to execute commands arbitrary commands. Credit An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. Vendor Response The vendor was notified on the 28th of November 2017, and responded that they take security […]

SSD Advisory – VK Messenger (VKontakte) vk:// URI Handler Commands Execution

Vulnerability Summary The following describes a vulnerability in VK Messenger that is triggered via the exploitation of improperly handled URI. VK (VKontakte; [..], meaning InContact) is “an online social media and social networking service. It is available in several languages. VK allows users to message each other publicly or privately, to create groups, public pages […]