Advisories

Each great research deserves

some great advisories.

Research is one of Shielder’s pillars. The company invests from 25% to 100% of their employees' work time in training and security research and they pay back with these great advisories.

Bitwarden Server 1.35.1 is affected by a blind Server-Side Request Forgery (SSRF): an authenticated attacker can trigger arbitrary HTTP GET requests, even to locally exposed services, by adding a credential for a malicious domain.

Read more

Chadha PHPKB 9.0 Enterprise Edition is affected by an arbitrary file disclosure: installer/test-connection.php (part of the installation process) allows a remote unauthenticated attacker to disclose local files on hosts running PHP before 7.2.16, or on hosts where the MySQL ALLOW LOCAL DATA INFILE option is enabled.

Read more

LibreNMS 1.65 is affected by an authenticated command-injection vulnerability in the "/about" API endpoint. A "normal" privileges attacker can gain Remote Code Execution (RCE) on the LibreNMS host.

Read more

LibreNMS 1.65 is affected by an authenticated command-injection vulnerability via the HTTP GET "title" parameter in the "/graph.php" API endpoint. A "normal" privileges attacker can gain Remote Code Execution (RCE) on the LibreNMS host.

Read more

LibreNMS 1.65 is affected by a SQL Injection vulnerability via the 'address' parameter in the '/ajax_table.phpì API endpoint. A 'normal' privileges attacker can gain access to the database in use by LibreNMS.

Read more

LibreNMS 1.65 is affected by multiple SQL Injection vulnerabilities via the 'searchPhrase' parameter in the '/ajax_table.php' API endpoint. A 'normal' privileges attacker can gain access to the database in use by LibreNMS.

Read more

LibreNMS 1.65 is affected by multiple SQL Injection vulnerabilities via the `sort` parameter in the '/ajax_table.php' API endpoint. A 'normal' privileges attacker can gain access to the database in use by LibreNMS.

Read more

Horde Gollem 3.0.12, as used in Horde Groupware Webmail Edition 5.2.22, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality. An attacker can obtain access to a victim’s webmail account by making them visit a malicious URL.

Read more

The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL.

Read more

CVE-2019-9164: a command injection vulnerability in Nagios XI before 5.5.11 allows authenticated users to execute arbitrary remote commands via a new autodiscovery job.

Read more