IT Security Publications

Security vulnerabilities identified in personal and collaborative cybersecurity research.

November 2021 - Nagios Cross-Platform Agent (NCPA)

Product: Nagios Cross-Platform Agent (NCPA)
Vendor: Nagios Enterprises
Affected Version(s): 2.0 to 2.3.1
Author(s): Altion Malka (CENSUS Labs)
Reference(s): CVE-2021-43584.md, NagiosEnterprises/ncpa#830
Security Vulnerabilities:

  • CVE-2021-43584 - DOM-based XSS via 'name' element of 'Tail Event Logs' functionality in Nagios Cross-Platform Agent (NCPA) versions 2.0 to 2.3.1

This vulnerability was introduced in NCPA version 2.0 and remained present in every release up to and including version 2.3.1.

April 5, 2021 - Pentaho Business Analytics

Product: Pentaho Business Analytics
Vendor: Hitachi Vantara
Affected Version(s): 9.1.0.0 build 324
Author(s): Alberto Favero (HawSec) & Altion Malka
Reference(s): HVPENT210401-Pentaho-BA-Security-Assessment-Report-v1_1.pdf
Security Vulnerabilities:

  • CVE-2021-31599 - Remote Code Execution through Pentaho Report Bundles
  • CVE-2021-34684 - Unauthenticated SQL Injection via Dashboard Editor at '/api/repos/dashboards/editor' endpoint
  • CVE-2021-31601 - Insufficient Access Control of Data Source Management Service
  • CVE-2021-31602 - Authentication Bypass of Spring APIs
  • CVE-2021-31600 - Jackrabbit User Enumeration
  • CVE-2021-34685 - Bypass of Filename Extension Restrictions at '/pentaho/UploadService' endpoint

May 9, 2017 - deepin-session-ui

Product: deepin-session-ui
Vendor: Deepin (Wuhan deepin Technology Co., Ltd.)
Affected Version(s): 4.0.6
Author(s): Altion Malka
Reference(s): Local Authentication Bypass in deepin-session-ui.md
Security Vulnerabilities:

  • Local Authentication Bypass in deepin-session-ui 4.0.6