... Loading ...

SSD Secure Disclosure

Disclosing vulnerabilities responsibly since 2007

SSD Advisory – Cisco ISE Unauthenticated XSS to Privileged RCE

Vulnerabilities Summary Cisco Identity Services Engine (ISE) contains three vulnerabilities that when exploited allow an unauthenticated attacker to achieve root privileges and execute code remotely. The first is a Stored Cross Site Scripting file upload vulnerability that allows the attacker to upload and execute html pages on victims browser. The second is an already known […]

SSD Advisory – SME Server Unauthenticated XSS To Privileged Remote Code Execution

Vulnerabilities Summary The following advisory describes a vulnerability in SME Server 9.2, which lets an unauthenticated attackers perform XSS attack that leads to remote code execution as root. SME Server is a Linux distribution for small and medium enterprises by Koozali foundation. CVE CVE-2018-18072 Credit An independent security researcher, Karn Ganeshen has reported this vulnerability […]

SSD Advisory – Symfony Framework forward() Remote Code Execution

Vulnerability Summary The following advisory describes a vulnerability found in Symfony 3.4 – a PHP framework that is used to create websites and web applications. Built on top of the Symfony Components. Under certain conditions, the Symfony framework can be abused to trigger RCE in the HttpKernel (http-kernel) component, while forward() is considered by the […]

SSD Advisory – Firefox JavaScript Type Confusion RCE

Vulnerabilities Summary A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write, which leads to remote code execution inside the sandboxed content process when triggered. Vendor Response The reported security vulnerability was fixed in Firefox 62.0.3 and Firefox ESR 60.2.2. CVE CVE-2018-12386 Credit Independent security researchers, […]

SSD Advisory – CloudByte ElastiStor OS Unauthenticated Remote Code Execution

Vulnerabilities Summary The following advisory describes two vulnerabilities found in ElastiCenter, ElastiStor’s management console, File Injection that leads to unauthenticated remote code execution. ElastiCenter is the centralized management tool that you use to configure, monitor, manage, and deploy the services provided by CloudByte ElastiStor. ElastiCenter lets you: Use the Graphical User Interface to manage the […]

SSD Advisory – phpMyAdmin File Inclusion and Remote Code Execution

Vulnerabilities Summary Authenticated users can exploit a file inclusion vulnerability in phpMyAdmin which can then be combined with another vulnerability, to perform Remote Code Execution. In addition, authenticated attackers can view files and execute PHP files that located on the server by exploiting a bug in the part of the code that is responsible for […]

SSD Advisory – TrustPort Management Unauthenticated Remote Code Execution

Vulnerability Summary Multiple vulnerabilities in TrustPort’s management product allow remote unauthenticated attackers to cause the product to execute arbitrary code. TrustPort Management “offers you an effective and practical way to install centrally, configure and update antivirus software in your network and it enables mass administration of TrustPort products. Central administration from TrustPort brings you simple […]