Advisories, Exploits. Security vulnerabilities (not restricted under NDA) that I have discovered over time in various software.
- Huawei Theme Manager Arbitrary Code Execution (HWPSIRT-2019-12158)
- Next.JS < 9.3.2 Path Traversal (CVE-2020-5284)
- Signature Validation Bypass Leading to RCE In Electron-Updater
- Discord Desktop Arbitrary IPC via Insecure Preload
- WireApp Desktop Arbitrary File Write via Insecure Preload
- Mattermost Desktop Missing contextIsolation XSS to RCE
- Saml_idp - AssertionConsumerServiceURL Allows Account Takeover/Information Leakage (CVE-2018-18604)
- Electron Windows Protocol Handler MITM/RCE (CVE-2018-1000006 bypass)
- Apache Commons Jelly XML External Entity (CVE-2017-12621)
- QNAP QTS 4.3.3 arbitrary file retrieval in QTS File Station
- GitHub's Electron nodeIntegration bypass. From XSS to RCE (CVE-2017-12581)
- Lighttpd mod_secdownload timing attack (CVE-2016-6166)
- Play Framework JavaScript reverse router XSS (CVE-2016-6165)
- Oracle Glassfish insecure Math.Random() used for the default AJP secret token (CVE-2016-0453)
- Oracle Glassfish incorrect check for AJP secret token (CVE-2016-0441)
- Ubiquiti Networks mFi Controller authentication bypass. Vulnerability analysis and unofficial patch.
- Hudson XML API processing External Entity injection (CVE-2015-8031)
- Play Framework Http-Only cookie bypass (CVE-2015-2156)
- Jenkins reflected XSS (CVE-2015-1813)
- QNAP QTS 4.1 unauthenticated remote code execution
- Multiple vulnerabilities in MODX Evolution 1.0.14, leading to arbitrary code execution
- Multiple vulnerabilities in Ntopng <= 1.2.0 (CVE-2014-5511, CVE-2014-5512, CVE-2014-5513, CVE-2014-5514, CVE-2014-5515)
- JavaMail Message-Id leaks current user and hostname
- XML External Entity in NewRelic Java agent via 'get_agent_commands:instrumentation_update'
- Multiple vulnerabilities in Ubiquiti UniFi Controller v3.1.4
- Node.js Connect CSRF bypass abusing MethodOverride
- LiftWeb JsonParser exception information leakage (CVE-2013-3300)
- Meraki Dashboard splash page stored XSS. From XSS to full cloud compromise.
- Jenkins branch name stored XSS (CVE-2013-2033)
- HP Fortify Software Security Center unauthenticated remote information disclosure (CVE-2012-3249)
- HP Fortify Software Security Center remote information disclosure (CVE-2012-3248)
- JBoss JMXInvokerServlet remote command execution
- SBLIM cmpi-base UnixProcessProvider shell command injection
- ActiveMQ failover denial of service (CVE-2011-4905)
- Adobe Flex SDK resourceModuleURLs SOP bypass (CVE-2011-2461, APSB11-25)
- Barracuda WebApp Firewall virtual appliance rooting
- PHP Exif 64bit casting vulnerability (CVE-2011-0708)
- NetSupport Manager client control hostname remote overflow (CVE-2011-0404)
- Citrix Online (signed applet) code execution vulnerability (ZDI-CAN-974)
- Zend Server Java Bridge design flaw remote code execution (ZDI-11-113)
- TYPO3 unauthenticated arbitrary file retrieval. For further details, check this blog post. (CVE-2010-5099)
- CUPS memory access error (CVE-2010-1748)
- Sun Java Web Console serialized object injection via JSF view state
- VMware Web Access relay port scanner (CVE-2010-0686)
- PHP undefined array index XSS
- SpamTitan v5.x multiple vulnerabilities
- Apache Tomcat UTF-7 XSS
- ZeroShell <= 1.0beta11 remote code execution (CVE-2009-0545)
- IBM WebSphere Application Server (WAS) admin console arbitrary file access (CVE-2009-0391)
- Sun Java Web Console multiple XSS (CVE-2009-2283)
- Oracle Secure Backup Admin Server 10.3 authentication bypass and code execution (CVE-2009-1977, CVE-2009-1978)
- Entuity EotS CGI information disclosure
- Entuity EotS multiple input validation vulnerabilities. For further details, check this blog post.
- Mortbay Jetty <= 7.0.0-pre5 dispatcher servlet denial of service
- DFLabs PTK local command execution vulnerability (CVE-2008-6793)
- 3Com OfficeConnect wireless cable/DSL router authentication bypass
- Nokia Browser array sorting denial of service
- Philips VOIP841 multiple vulnerabilities (CVE-2008-4874, CVE-2008-4875, CVE-2008-4876)
- HP System Management Homepage (SMH) "unspecified" XSS. Vulnerability analysis. Issue disclosed by the vendor.
- Simple PHP Blog multiple vulnerabilities (CVE-2007-5071, CVE-2007-5072)
- GCALDaemon remote denial of service (CVE-2007-4980)
- Boa HTTP Basic authentication bypass (CVE-2007-4915)
- Multiple vulnerabilities in Hummingbird Collaboration (CVE-2006-0172, CVE-2006-0173, CVE-2006-0174)
- Siemens Santis 50 authentication bypass (CVE-2005-2424)