Research & Vulnerability Disclosures

May 28, 2020

1 min read

Remote Code Execution (RCE) & SQL Injection (SQLi)

Bruno IDE - Remote Code Execution (CVE-2024-48463)
SeSuite - Remote Code Execution (CVE-2023-26877)
Typesetter CMS - Remote Code Execution (CVE-2020-25790)
Piwigo - SQL Injection (CVE-2023-26876)
- Official module published in the Metasploit Framework.

Cross-Site Scripting (XSS) & Cross-Site Request Forgery (CSRF)

LumisXP - Unauthenticated XSS (CVE-2024-33329, CVE-2024-33328, CVE-2024-33327)
phpIPAM - CSRF to Stored XSS (CVE-2021-46426)
LiquidFiles - Stored XSS (CVE-2021-30140)
Wordpress (Envira Gallery) - Stored XSS (CVE-2020-35581)
Gila CMS - Reflected XSS (CVE-2019-20803) & CSRF (CVE-2019-20804)
Piwigo - Stored XSS (CVE-2019-13364) & CSRF (CVE-2019-13363)

Other Vulnerabilities

LumisXP - Information Disclosure & IDOR (CVE-2024-33326)
Wordpress (WPvivid Backup) - Path Traversal (CVE-2022-2863)