by Naveen Sunkavally | Jun 29, 2022 | Disclosures
CVE-2022-28219 is an unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ADAudit Plus, a compliance tool used by enterprises to monitor changes to Active Directory. The vulnerability comprises several issues: untrusted Java deserialization,...
by Horizon3.ai | Nov 9, 2021 | Disclosures
A few months ago, while scanning the external attack surface of one of our clients, our autonomous pentesting product NodeZero identified an instance of an application called ResourceSpace exposed to the Internet. ResourceSpace is a digital asset management tool that...
by Horizon3.ai | Mar 8, 2021 | Disclosures
Summary: Zabbix is an enterprise IT network and application monitoring solution. In a routine review of its source code, we discovered a CSRF (cross-site request forgery) vulnerability in the authentication component of the Zabbix UI. Using this vulnerability, an...
by Horizon3.ai | Feb 7, 2021 | Disclosures
Summary: LibreNMS is an open source solution for network monitoring based on PHP, MySQL and SNMP. While reviewing its source code, we discovered a second-order SQL injection vulnerability, CVE-2020-35700, in the Dashboard feature. This vulnerability is exploitable by...
by Horizon3.ai | Jan 24, 2021 | Disclosures
Summary: Mautic is widely used open source software for marketing automation. While researching the application and its source code on GitHub, we discovered an attack chain whereby an unauthenticated attacker could gain remote code execution privileges on the server...
by Horizon3.ai | Jan 5, 2021 | Disclosures
Summary: OrangeHRM is software for Human Resource Management (HRM). In a routine audit of the open source version of OrangeHRM, we discovered a SQL injection vulnerability in the “Buzz” module, an integrated social media tool within the software....