Name	SBA Research Cookie
Provider	SBA Research
Purpose	Saves the settings of the visitors selected in the cookie box.
Cookie name	sba-research-cookie
Cookie runtime	1 year

Name	YouTube
Provider	YouTube
Purpose	Used to unblock YouTube content.
Privacy policy	https://policies.google.com/privacy
Host(s)	google.com
Cookie name	NID
Cookie runtime	6 months

Name	Vimeo
Provider	Vimeo
Purpose	Used to unblock Vimeo content.
Privacy policy	https://vimeo.com/privacy
Host(s)	player.vimeo.com
Cookie name	vuid
Cookie runtime	2 years

SBA Security Advisory – Cyberduck and Mountain Duck – Weak Hash Algorithm for Certificate Fingerprint (CVE-2025-41256)

June 25, 2025

Cyberduck and Mountain Duck improper handle TLS certificate pinning for untrusted certificates (e.g., self-signed), since the certificate's fingerprint is stored as SHA-1, although SHA-1 is considered weak and should be replaced with SHA-256 or SHA-512. ... Read More

SBA Security Advisory – Cyberduck and Mountain Duck – Improper Certificate Store Handling (CVE-2025-41255)

June 25, 2025

Cyberduck and Mountain Duck improper handle TLS certificate pinning for untrusted certificates (e.g., self-signed), unnecessary installing it to the Windows Certificate Store of the current user without any restrictions. This potentially allows attackers to bypass certificate-based authentication or authorization of other programs that trust this certificate store. ... Read More

SBA Security Advisory – Null pointer dereference in MediaTek Modem (CVE-2025-20647)

June 6, 2025

In the Mediatek modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Read More

SBA Security Advisory – Laravel Reflected XSS via Route Parameter in Debug-Mode Error Page (CVE-2024-13919)

March 10, 2025

The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page. Read More

SBA Security Advisory – Laravel Reflected XSS via Request Parameter in Debug-Mode Error Page (CVE-2024-13918)

March 10, 2025

The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page. Read More

SBA Security Advisory – Mediatek Modem – Selection of less-secure algorithm during negotiation ‘algorithm downgrade’ (CVE-2024-20069)

July 31, 2024

Vulnerability Overview In the modem, the client can be forced into accepting a less secure key exchange algorithm during the VoWiFi IKE handshake due to a missing downgrade check on the proposed Diffie-Hellman (DH) group. This could lead to remote information disclosure with no additional execution privileges needed. User interaction… Read More

SBA Security Advisory – ZTE ZXUN-ePDG – Use of non-unique cryptographic keys under default configuration (CVE-2024-22064)

July 31, 2024

Vulnerability Overview ZTE ZXUN-ePDG product, which serves as the network node of the VoWiFi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection (IKE) with the mobile devices connecting over the internet. If the set of keys are leaked or cracked, the… Read More

SBA Security Advisory – Craft CMS – TOTP Token Stays Valid After Use (CVE-2024-41800)

July 26, 2024

The Craft CMS from version 5.0.0-beta.1 through 5.2.2 allows reuse of TOTP tokens multiple times within the validity period. ... Read More

SBA Security Advisory – Paradox IP150 Internet Module – Cross-Site Request Forgery (CVE-2024-5676)

June 19, 2024

The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to Cross-Site Request Forgery (CSRF) attacks due to a lack of countermeasures and the use of the HTTP method GET to introduce changes in the system. Read More

SBA Security Advisory – CraftCMS Plugin – Two-Factor Authentication – TOTP token Stays Valid After Use (CVE-2024-5658)

June 6, 2024

The CraftCMS plugin Two-Factor Authentication through 3.3.3 allows reuse of TOTP tokens multiple times within the validity period. Read More

SBA Research is a research center for Information Security
funded partly by the national initiative for COMET Competence Centers for Excellent Technologies.

Tag: Security Advisory