Core Software vulnerabilities

An incomplete list of all vulnerabilities I ever found!

| Software | Affected versions | Vulnerability | Identifier | Reference |
|---|---|---|---|---|
| Zimbra Mailserver | <= 8.8.15 P31 & 9.0.0 P24 | Pre-auth RCE via unrar bug | CVE-2022-30333 | Sonar Blog |
| Zimbra Mailserver | <= 8.8.15 P31 & 9.0.0 P24 | Remote, unauthenticated disclosure of clear-text credentials | CVE-2022-27924 | Sonar Blog |
| Horde Webmail | <= 5.2.22 | RCE via opened email | CVE-2022-30287 | Sonar Blog |
| RainLoop Webmail | <= 1.6.0 | XSS in email body | CVE-2022-29360 | Sonar Blog |
| Horde Webmail | <= 5.2.22 | XSS in attachment body | CVE-2022-26874 | Sonar Blog |
| WordPress | < 5.8.3 | Object Injection to Sandbox escape | CVE-2022-21663 | Sonar Blog |
| GoCD Server | <= 21.2.0 | Pre-auth Stored XSS in Admin Dashboard to RCE | CVE-2021-43288; CVE-2021-43286 | Sonar Blog |
| GoCD Server | <= 21.2.0 | Pre-auth disclosure of all secrets | CVE-2021-43287 | Sonar Blog |
| Zimbra | < 8.8.15 | Full-read SSRF | CVE-2021-35209 | Sonar Blog |
| Zimbra | < 8.8.15 | XSS in email body | CVE-2021-35208 | Sonar Blog |
| CS:GO | N/A | RCE in game clients when joining a malicious server | N/A | SecretClub Blog |
| MyBB | <= 1.8.26 | Privileged RCE | CVE-2021-27890 | Sonar Blog |
| MyBB | <= 1.8.26 | Unprivileged Stored XSS in PM feature | CVE-2021-27889 | Sonar Blog |
| Linux | < 5.8.15 | Privilege Escalation | CVE-2020-27194 | Write Up, Exploit |
| libGD | <= 2.2.5 | PHP imagescale() remote wild free | | HackerOne report |
| libGD | <= 2.2.5 | PHP “Sandbox” escape | CVE-2019-6977 | Exploit |
| WordPress | <= 5.3.2 | “Sandbox” escape | | Sonar Blog |
| WordPress | <= 5.0.0 | Unprivileged RCE | CVE-2019-8943 | Sonar Blog |
| WordPress | <= 5.1.0 | CSRF to RCE | CVE-2019-9787 | Sonar Blog |
| WordPress | <= 5.0.0 | Post Priv Esc | CVE-2018-20152 | Sonar Blog |
| WordPress | | Priv Esc | CVE-2018-20714 | Sonar Blog |
| WordPress | | Unprivileged Stored XSS in certain plugins | CVE-2019-16773 | HackerOne report |
| MyBB | <= 1.8.2 | Unprivileged Stored XSS | CVE-2019-12830 | Sonar Blog |
| MyBB | <= 1.8.2 | Privileged RCE | CVE-2019-12831 | Sonar Blog |
| phpBB3 | <= 3.2.3 | Privileged RCE | CVE-2018-19274 | Sonar Blog |
| Pydio | <= 8.2.1 | Unauthenticated RCE | CVE-2018-20718 | Sonar Blog |
| Shopware | <= 5.4.3 | Privileged RCE | SW-21776 | |
| Magento | <= 2.3.1 | Unauthenticated Stored XSS in Admin Dashboard | CVE-2019-7877 | Sonar Blog |
| Magento | <= 2.3.0 | Privileged RCE | PRODSECBUG-2261 | Sonar Blog |
| Magento | <= 2.3.0 | Privileged RCE | PRODSECBUG-2256 | |
| Magento | <= 2.3.1 | Privileged RCE | CVE-2019-7932 | |
| Magento | <= 2.3.1 | Privileged RCE | CVE-2019-7885 | |
| Magento | <= 2.3.2 | Authenticated Stored XSS | CVE-2019-8152 | |
| Magento | <= 2.3.2 | escapeURL() bypass | CVE-2019-8153 | |
| Magento | <= 2.3.2 | Potential unauthenticated Stored XSS | CVE-2019-8233 | |

WordPress Plugin Advent Calendar

During my time at RIPS Tech I had the pleasure of setting up the so-called “WordPress Plugin Advent Calendar”. In Germany, as in a lot of countries, it is a tradition to give kids a treat every day from the first of December until Christmas Eve. At RIPS, we wanted to bring this tradition to the InfoSec community. Each day we released either a vulnerability in a plugin or a core WordPress bug. Many of the featured plugins had millions of active installations, and the bugs covered eCommerce, forum, caching and other plugins. Take a look here: RIPS Advent Calendar 2018.

I wrote the Calendar and found a big portion of the vulnerabilities. I received huge amounts of support and help from Dennis Brinkrolf and Karim Elouerghemmi, who were two amazing colleagues!