CVE-2018-16138
An issue was discovered in the administration page in IPBRICK OS 6.3. There are multiple XSS vulnerabilities. Date published : 2019-05-13 https://www.0x90.zone/web/multiple/2019/02/01/Multiple-Vulnerabilities-IPBrick.html
An issue was discovered in the Web Management Console in IPBRICK OS 6.3. There are multiple SQL injections. Date published : 2019-05-13 https://www.0x90.zone/web/multiple/2019/02/01/Multiple-Vulnerabilities-IPBrick.html
An issue was discovered in the administrator interface in IPBRICK OS 6.3. The application doesn’t check for anti-CSRF tokens, so a victim can be made to submit multiple forms unwillingly. Date published : 2019-05-13 https://www.0x90.zone/web/multiple/2019/02/01/Multiple-Vulnerabilities-IPBrick.html
Cross-site scripting (XSS) in the web interface of the Xerox ColorQube 8580 allows remote persistent injection of custom HTML / JavaScript code. Date published : 2019-05-13 https://ysec.ch/?p=94
An issue was discovered in Polycom Group Series 6.1.6.1 and earlier, HDX 3.1.12 and earlier, and Pano 1.1.1 and earlier. A remote code execution vulnerability exists in the content sharing functionality because of a...
System command injection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute system commands via the "load_script" URL parameter. Date published : 2019-05-13 https://blog.securityevaluators.com/asus-routers-overflow-with-vulnerabilities-b111bc1c8eb8
Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to read arbitrary sections of memory and CPU registers via the "hook" URL parameter. Date published : 2019-05-13 https://blog.securityevaluators.com/asus-routers-overflow-with-vulnerabilities-b111bc1c8eb8
Buffer overflow in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to inject system commands via the "hook" URL parameter. Date published : 2019-05-13 https://blog.securityevaluators.com/asus-routers-overflow-with-vulnerabilities-b111bc1c8eb8
Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to cause state-changing actions with specially crafted URLs. Date published : 2019-05-13 https://blog.securityevaluators.com/asus-routers-overflow-with-vulnerabilities-b111bc1c8eb8
Cross-site scripting in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute JavaScript via the "hook" URL parameter. Date published : 2019-05-13 https://blog.securityevaluators.com/asus-routers-overflow-with-vulnerabilities-b111bc1c8eb8
Cross-site scripting in Application Manager in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via multiple application metadata fields: Short Description, Publisher Name, Publisher Contact, or Website URL. Date published : 2019-05-13...
Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via directory names. Date published : 2019-05-13 https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170
Missing HTTPOnly flag on session cookies in the Seagate NAS OS version 4.3.15.1 web application allows attackers to steal session tokens via cross-site scripting. Date published : 2019-05-13 https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170
Unvalidated URL in Download Manager in Seagate NAS OS version 4.3.15.1 allows attackers to access the loopback interface via a Download URL of 127.0.0.1 or localhost. Date published : 2019-05-13 https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170