Findings
Core Software vulnerabilities
An incomplete list of all vulnerabilities I ever found!
Software | Versions | Impact | CVE | Write-Up |
---|---|---|---|---|
Zimbra Mailserver | <= 8.8.15 P31 & 9.0.0 P24 | pre-auth RCE via unrar bug | CVE-2022-30333 | Sonar Blog |
Zimbra Mailserver | <= 8.8.15 P31 & 9.0.0 P24 | remote, unauthenticated disclosure of clear-text credentials | CVE-2022-27924 | Sonar Blog |
Horde Webmail | <= 5.2.22 | RCE via opened email | CVE-2022-30287 | Sonar Blog |
RainLoop Webmail | <= 1.6.0 | XSS in email body | CVE-2022-29360 | Sonar Blog |
Horde Webmail | <= 5.2.22 | XSS in attachment body | CVE-2022-26874 | Sonar Blog |
WordPress | < 5.8.3 | Object Injection to Sandbox escape | CVE-2022-21663 | Sonar Blog |
GoCD Server | <= 21.2.0 | Pre-Auth Stored XSS in Admin Dashboard to RCE | CVE-2021-43288; CVE-2021-43286 | Sonar Blog |
GoCD Server | <= 21.2.0 | Pre-Auth disclosure of all Secrets | CVE-2021-43287 | Sonar Blog |
Zimbra | < 8.8.15 | Full-Read SSRF | CVE-2021-35209 | Sonar Blog |
Zimbra | < 8.8.15 | XSS in email body | CVE-2021-35208 | Sonar Blog |
CS:GO | N/A | RCE in Game clients when joining a malicious server | N/A | SecretClub Blog |
MyBB | <= 1.8.26 | Privileged RCE | CVE-2021-27890 | Sonar Blog |
MyBB | <= 1.8.26 | Unprivileged Stored XSS in PM feature | CVE-2021-27889 | Sonar Blog |
Linux | < 5.8.15 | Privilege Escalation | CVE-2020-27194 | Write Up, Exploit |
libGD | <= 2.2.5 | PHP imagescale() remote wild free | – | HackerOne report |
libGD | <= 2.2.5 | PHP “Sandbox” escape | CVE-2019-6977 | Exploit |
WordPress | <= 5.3.2 | “Sandbox” escape | – | Sonar Blog |
WordPress | <= 5.0.0 | Unprivileged RCE | CVE-2019-8943 | Sonar Blog |
WordPress | <= 5.1.0 | CSRF to RCE | CVE-2019-9787 | Sonar Blog |
WordPress | <= 5.0.0 | Post Priv Esc | CVE-2018-20152 | Sonar Blog |
WordPress | – | Priv Esc | CVE-2018-20714 | Sonar Blog |
WordPress | – | Unprivileged Stored XSS in certain plugins | CVE-2019-16773 | HackerOne report |
MyBB | <= 1.8.2 | Unprivileged Stored XSS | CVE-2019-12830 | Sonar Blog |
MyBB | <= 1.8.2 | Privileged RCE | CVE-2019-12831 | Sonar Blog |
phpBB3 | <= 3.2.3 | Privileged RCE | CVE-2018-19274 | Sonar Blog |
Pydio | <= 8.2.1 | Unauthenticated RCE | CVE-2018-20718 | Sonar Blog |
Shopware | <= 5.4.3 | Privileged RCE | SW-21776 | – |
Magento | <= 2.3.1 | Unauthenticated Stored XSS in Admin Dashboard | CVE-2019-7877 | Sonar Blog |
Magento | <= 2.3.0 | Privileged RCE | PRODSECBUG-2261 | Sonar Blog |
Magento | <= 2.3.0 | Privileged RCE | PRODSECBUG-2256 | – |
Magento | <= 2.3.1 | Privileged RCE | CVE-2019-7932 | – |
Magento | <= 2.3.1 | Privileged RCE | CVE-2019-7885 | – |
Magento | <= 2.3.2 | Authenticated Stored XSS | CVE-2019-8152 | – |
Magento | <= 2.3.2 | escapeURL() bypass | CVE-2019-8153 | – |
Magento | <= 2.3.2 | Potential unauthenticated Stored XSS | CVE-2019-8233 | – |
WordPress Plugin Advent Calendar
During my time at RIPS Tech I had the pleasure of setting up the so-called “WordPress Plugin Advent Calendar”. In Germany, like in a lot of countries, it is a tradition to give kids a treat every day from the first of December until Christmas Eve. At RIPS, we wanted to implement this tradition for the InfoSec people. Each day we either released a vulnerability in a plugin or a core WordPress bug. Many of the plugins featured had millions of active installations, and the bugs were in eCommerce, forum, caching plugins, etc. Take a look here: RIPS Advent Calendar 2018.
I wrote the Calendar and found a big portion of the vulnerabilities. I received huge amounts of support and help from Dennis Brinkrolf and Karim Elouerghemmi, who were two amazing colleagues!