SBA Security Advisory – Paradox IP150 Internet Module Cross-Site Request Forgery (CVE-2024-5676)

June 19, 2024

The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to Cross-Site Request Forgery (CSRF) attacks due to a lack of countermeasures and the use of the HTTP method GET to introduce changes in the system. Read More

SBA Security Advisory – CraftCMS Plugin – Two-Factor Authentication – TOTP token Stays Valid After Use (CVE-2024-5658)

June 6, 2024

The CraftCMS plugin Two-Factor Authentication through 3.3.3 allows reuse of TOTP tokens multiple times within the validity period. Read More

SBA Security Advisory – CraftCMS Plugin – Two-Factor Authentication – Password Hash Disclosure (CVE-2024-5657)

June 6, 2024

The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP. Read More

SBA Research has been authorized by the CVE® Program as a CVE Numbering Authority (CNA)!

June 5, 2024

We’re proud to share that SBA Research has been appointed as one of Austria’s few CVE Numbering Authorities (CNAs). This designation recognizes our commitment to cybersecurity excellence. With only three other authorities in Austria, being authorized as a CVE Numbering Authority underscores our expertise and dedication… Read More

SBA Research has been authorized by the CVE® Program as a CVE Numbering Authority (CNA)!

SBA Security Advisory – CloudLinux CageFS – Insufficiently Restricted Proxy Command (CVE-2020-36772)

January 26, 2024

CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths supplied to the sendmail proxy command. This allows local users to read and write arbitrary files of certain file formats outside the CageFS environment. We recommend to update CloudLinux CageFS to version 7.1.1-1 or later. For further details, see the full security advisory. Read More

SBA Security Advisory – CloudLinux CageFS – Token Disclosure (CVE-2020-36771)

January 26, 2024

CloudLinux CageFS 7.1.1-1 or below passes the authentication token as a command line argument. In some configurations this allows local users to view the authentication token via the process list and gain code execution as another user. We recommend to update CloudLinux CageFS to version 7.1.2-2 or later. For further details, see the full security advisory. Read More

SBA Security Advisory – MOKOSmart MKGW1 Gateway – Improper Session Management (CVE-2023-51059)

December 21, 2023

MOKOSmart MKGW1 Gateway devices with firmware version 1.1.1 do not provide an adequate session management for the administrative web interface. This allows adjacent attackers with access to the management network to read and modify the configuration of the device. Read More

SBA Security Advisory – Vtiger CRM – Stored Cross-Site Scripting (CVE-2022-38335)

September 28, 2022

Vtiger CRM 7.4.0 or below is prone to a stored cross-site scripting vulnerability in the email templates module due to insufficient sanitizing. Read More

SBA Security Advisory – Shibboleth Identity Provider OIDC OP Plugin – Server-Side Request Forgery (CVE-2022-24129)

February 1, 2022

Shibboleth Identity Provider OIDC OP plugin 3.0.3 or below is prone to a server-side request forgery (SSRF) vulnerability due to an insufficient restriction of the request_uri parameter. This allows unauthenticated attackers to interact with arbitrary third-party HTTP services. We recommend to update Shibboleth Identity Provider OIDC OP plugin to version 3.0.4 or later. For further details, see the full security advisory. Read More

SBA Security Advisory – Monsta FTP – Stored Cross-Site Scripting (CVE-2020-14055)

July 1, 2020

Monsta FTP 2.10.1 or below is prone to a stored cross-site scripting vulnerability in the language setting due to insufficient output encoding. Read More

Name	SBA Research Cookie
Provider	SBA Research
Purpose	Saves the settings of the visitors selected in the cookie box.
Cookie name	sba-research-cookie
Cookie runtime	1 year

Name	YouTube
Provider	YouTube
Purpose	Used to unblock YouTube content.
Privacy policy	https://policies.google.com/privacy
Host(s)	google.com
Cookie name	NID
Cookie runtime	6 months

Name	Vimeo
Provider	Vimeo
Purpose	Used to unblock Vimeo content.
Privacy policy	https://vimeo.com/privacy
Host(s)	player.vimeo.com
Cookie name	vuid
Cookie runtime	2 years

SBA Research is a research center for Information Security
funded partly by the national initiative for COMET Competence Centers for Excellent Technologies.

Tag: Security Advisory