Advisories

Advisory

Greyhound Critical Vulnerabilities - Road Rewards Program

Apr 11, 2019

Critical vulnerabilities were identified in the Greyhound APIs primarily due to insufficient authentication controls. Exploitation of these could result in the exposure of personally identifiable information.

By Priyank Nigam

Advisory

Cantemo Portal Version 3.8.4 - Cross-Site Scripting

Mar 8, 2019

Cantemo AB is a software systems and technology vendor for major media outlets. Chris Davis identified a high-risk vulnerability in it.

By Chris Davis

Advisory

Simple – Better Banking (Android) v. 2.45.0 – 2.45.3 - Sensitive Information Disclosure

Feb 21, 2019

The Simple – Better Banking Android application was affected by an information disclosure vulnerability, which you can read about in this advisory.

By Matt Hamilton

Advisory

Amtrak Mobile APIs - Multiple Vulnerabilities

Feb 19, 2019

The Amtrak mobile APIs are affected by vulnerabilities that can lead to exposed PII and partial payment data for Amtrak guests.

By Priyank Nigam

Advisory

OpenMRS - Insecure Object Deserialization

Feb 4, 2019

This write-up details a critical Bishop Fox-identified vulnerability in OpenMRS, a collaborative open-source healthcare project.

By Nicolas Serra

Advisory

Silverpeas 5.15 To 6.0.2: Path Traversal

Jan 15, 2019

A Bishop Fox researcher discovered a critical vulnerability in the Silverpeas application, a popular open-source web platform that serves multiple high-profile French organizations.

By Bastien Faure

Advisory

PhpSpreadsheet Versions <= 1.5.0 - XXE Injection

Nov 30, 2018

Bishop Fox researcher Alex Leahu found an XML External Entity (XXE) Injection vulnerability in the PhpSpreadsheet library.

By Alex Leahu

Advisory

YunoHost 2.7.2 to 2.7.14 - Multiple Vulnerabilities

Oct 30, 2018

YunoHost is an application that is used to manage applications hosted on a Linux server; Florian Nivette identified several vulnerabilities in it.

By Florian Nivette

Advisory

Eaton UPS 9PX 8000 SP - Multiple Vulnerabilities

Oct 19, 2018

Bishop Fox researchers identified three security vulnerabilities in the Eaton power management appliance manufactured by Eaton Corporation Plc.

By Kelly Albrink

Advisory

SV3C L-Series HD Camera – Multiple Vulnerabilities

Oct 16, 2018

This security advisory describes several vulnerabilities found in the SV3C L-Series HD Camera, version 2.3.4.2103-S50-NTD-B20170823B and below.

By Jefferino Siqueria

Advisory

Wallabag 2.2.3 to 2.3.2 - Stored Cross-Site Scripting

Sep 17, 2018

Wallabag is an open source RSS reader application, distributed under an MIT license. A Bishop Fox researcher identified a stored cross-site scripting vulnerability in it.

By Florian Nivette

Advisory

Subsonic 6.1.1 - Multiple Vulnerabilities

Sep 17, 2018

Florian Nivette identified several vulnerabilities in Subsonic, an open source web media server that enables the management of media resources.

By Florian Nivette

Advisory

CremeCRM 1.6.12 - Multiple Vulnerabilities

Aug 30, 2018

Two vulnerabilities were identified in CremeCRM: 29 instances of stored cross-site scripting and one instance of reflected link manipulation.

By Florian Nivette

Advisory

Jirafeau Version 3.3.0 – Multiple Vulnerabilities

Jun 6, 2018

Bishop Fox researcher Florian Nivette identified multiple vulnerabilities in Jirafeau Version 3.3.0. This write-up discusses the exploits and their implications.

By Florian Nivette

Advisory

SolarWinds Serv-U Managed File Transfer – Insufficient Session ID Entropy

May 14, 2018

This security advisory describes a high-risk vulnerability found by Bishop Fox researcher Baker Hamilton in SolarWinds Serv-U Managed File Transfer.

By Baker Hamilton

Advisory

SolarWinds Serv-U Managed File Transfer – Denial of Service

May 11, 2018

This Bishop Fox security advisory details a denial-of-service vulnerability in SolarWinds Serv-U 15.1.6.25.

By Baker Hamilton

Advisory

Windows DNS Client – Memory Corruption Vulnerabilities

Oct 10, 2017

CVE-2017-11779 could lead to the takeover of a user's device; this technical write-up covers the implications, the actual exploit, and remediation steps.

By Nick Freeman

Advisory

atmail 7 Stored XSS Vulnerability

Jun 23, 2017

A stored XSS vulnerability was identified in the webmail component of atmail 7. This security advisory by Zach Julian discusses it in detail.

By Zach Julian

Advisory

SolarWinds Log & Event Manager - Improper Access Control

May 12, 2017

An improper access control vulnerability was discovered by Baker Hamilton in the SolarWinds Log & Event Manager (LEM) management console (CMC).

By Baker Hamilton

Advisory

SolarWinds Log & Event Manager - Arbitrary Command Injection

May 12, 2017

The Bishop Fox assessment team discovered an arbitrary command injection vulnerability within the SolarWinds Log & Event Manager (LEM) management console (CMC).

By Baker Hamilton

Advisory

Cisco Jabber Guest Server HTTP URL Redirection Vulnerability

Dec 21, 2016

A vulnerability in the Cisco Jabber Guest Server could allow an unauthenticated, remote attacker to initiate connections to arbitrary hosts.

By Jake Miller

Advisory

Accellion Kiteworks Multiple Vulnerabilities

Sep 8, 2016

Three vulnerabilities were discovered in the Accellion Kiteworks appliance. The three vulnerabilities are described in this Bishop Fox security advisory.

By Shubham Shah

Advisory

OS X Messages (iMessage): XSS & File Disclosure

Apr 8, 2016

This is the official Bishop Fox security advisory for the OS X Messages (iMessage) vulnerability, discovered in early 2016 and subsequently patched by Apple.

By Joe DeMesy, Shubham Shah, and Matthew Bryant

Advisory

CA Single Sign-On Unspecified High-Risk Vulnerabilities Advisory

Mar 23, 2016

Two high-risk vulnerabilities were discovered in the CA Technologies Single Sign-On (formerly CA SiteMinder®) application. A denial-of-service attack and ...

By Mike Brooks