Advisories

Advisory

Froala Editor, Version 3.2.6 Advisory

Jun 2, 2021

One high-risk cross-site scripting (XSS) vulnerability was identified within the Froala Editor application.

By Chris Davis

Advisory

Emerging Threat Notification: F5 Networks Vulnerabilities for BIG-IP and BIG-IQ Products

Mar 11, 2021

F5 Networks released security advisories for critical vulnerabilities affecting the BIG-IP and BIG-IQ products. Install the security update immediately.

By Justin Rhinehart

Advisory

Mautic Version <=3.2.2 Advisory

Jan 15, 2021

Bishop Fox advisory on the Mautic application, version 3.2.2. The Mautic application is affected by stored cross-site scripting (XSS) vulnerabilities.

By Dardan Prebreza

Advisory

CRAN Version 4.0.2 Advisory

Jan 11, 2021

Bishop Fox advisory on the CRAN package manager, version 4.0.2. A medium-severity path traversal vulnerability was found in the CRAN package manager.

By Chris Davis, Joe DeMesy

Advisory

OpenClinic Version 0.8.2 Advisory

Dec 1, 2020

Bishop Fox advisory on the OpenClinic medical records software, version 0.8.2, including high-risk missing authentication and insecure file upload vulnerabilities.

By Gerben Kleijn

Advisory

Security Advisory: Immuta Version 2.8.2

Nov 4, 2020

Four vulnerabilities were identified within Immuta, including XSS, content injection, insufficient authorization controls, and improper session management.

By Chris Davis

Advisory

Winston Privacy Version 1.5.4

Oct 27, 2020

Advisory on nine vulnerabilities in the Winston Privacy VPN, version 1.5.4, including critical-risk command injection and high-risk cross-site request forgery.

By Chris Davis

Advisory

Zamzar API Advisory

Aug 27, 2020

A high-risk vulnerability allowing server-side request forgery (SSRF) and local file inclusion as the root user was found in the Zamzar API.

By Chris Flanagan

Advisory

TinyMCE, Version 5.2.1 Advisory

Aug 12, 2020

Bishop Fox advisory on the TinyMCE application, version 5.2.1. One high-risk cross-site scripting (XSS) vulnerability was found in the application.

By George Steketee, Chris Davis

Advisory

LibreHealth Version 2.0.0

Jul 14, 2020

Bishop Fox advisory on five vulnerabilities in the LibreHealth application, version 2.0.0, including SQL injection, cross-site scripting, and cross-site request forgery.

By Chris Davis

Advisory

SecureAuth Version 9.3

Jun 19, 2020

Bishop Fox's Chris Davis and Robert Punnett identified a client-side template injection vulnerability in the SecureAuth application version 9.3.

By Chris Davis, Robert Punnett

Advisory

DigDash Enterprise: Versions 2018R2-2020R1

Jun 15, 2020

Bishop Fox advisory on three vulnerabilities in DigDash Enterprise, version 2018, including server-side request forgery, cross-site scripting, and content injection.

By Florian Nivette

Advisory

OOB to RCE: Exploitation of the Hobbes Functional Interpreter

Jun 12, 2020

Morgan Stanley's Hobbes interpreter lacks bounds checking, allowing exploitation of an out-of-bounds (OOB) read/write vulnerability that leads to both local and remote code execution.

By Jake Miller

Advisory

Twisted Version 19.10.0

Mar 11, 2020

Bishop Fox advisory on two high-risk HTTP request splitting (HTTP request smuggling) vulnerabilities that were identified in Twisted Web, version 19.10.0.

By Jake Miller

Advisory

From Emoji to Zero-Day: Latin Homoglyphs in Domains and Subdomains

Mar 4, 2020

Matt Hamilton published a security advisory about homograph domain names on gTLDs, as well as subdomains within SaaS companies, that use homoglyph characters.

By Bishop Fox

Advisory

ConnectWise Control 19.3.25270.7185 - Eight Vulnerabilities, Including Critical

Jan 22, 2020

This advisory from the Bishop Fox research team details eight vulnerabilities, including a critical one, in the ConnectWise Control application, version 19.3.25270.7185.

By Daniel Wood

Advisory

Big Monitoring Fabric Application

Dec 30, 2019

High-risk vulnerabilities in the Big Monitoring Fabric application would grant a remote attacker admin access and SSH console access to the affected system.

By Chris Davis

Advisory

Dradis Pro Version 3.4.1

Dec 30, 2019

The Dradis Pro application was affected by an insecure direct object reference (IDOR) vulnerability that allowed a user to extract project content and disclose information.

By Florian Nivette

Advisory

Solismed Version 3.3SP1

Dec 9, 2019

Bishop Fox's Chris Davis discovered several vulnerabilities in the Solismed application, version 3.3SP1, which are described in this advisory.

By Chris Davis

Advisory

OpenEMR 5.0.1(6) - RCE and XSS

Sep 10, 2019

Bishop Fox researcher Chris Davis discovered a high-risk vulnerability in OpenEMR, an open source healthcare software application.

By Chris Davis

Advisory

AeroGarden Version 1.3.1 - Multiple Vulnerabilities

Jul 30, 2019

Vulnerabilities in the AeroGarden mobile app would allow an attacker to damage plant life and/or capture traffic to access users' account information.

By Jason Gay

Advisory

Dolibarr Version 9.0.1 — Multiple Vulnerabilities

Jul 25, 2019

Bishop Fox researcher Priyank Nigam identified three high-risk security vulnerabilities in Dolibarr, version 9.0.1. These include remote code execution (RCE) and cross-site scripting (XSS).

By Priyank Nigam

Advisory

InterSystems Cache 2017.2.2.865.0 and 2018.1.2 Multiple Vulnerabilities

Jul 24, 2019

Chris Davis identified several high-risk security vulnerabilities in InterSystems Cache. This security advisory details the vulnerabilities and their fixes.

By Chris Davis

Advisory

Tegile Intelliflash OS Version 3.7.0.8.180413 (GA) - Password Disclosure

May 14, 2019

The Tegile IntelliFlash OS was affected by a password disclosure vulnerability, which is explained in Thiago Campos' advisory.

By Thiago Campos