SBA Research is a research center for Information Security funded partly by the national initiative for COMET Competence Centers for Excellent Technologies.
In the Mediatek modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Read More
The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page. Read More
The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page. Read More
Vulnerability Overview In the modem, the client can be forced into accepting a less secure key exchange algorithm during the VoWiFi IKE handshake due to a missing downgrade check on the proposed Diffie-Hellman (DH) group. This could lead to remote information disclosure with no additional execution privileges needed. User interaction… Read More
Vulnerability Overview ZTE ZXUN-ePDG product, which serves as the network node of the VoWiFi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection (IKE) with the mobile devices connecting over the internet. If the set of keys are leaked or cracked, the… Read More
The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to Cross-Site Request Forgery (CSRF) attacks due to a lack of countermeasures and the use of the HTTP method GET to introduce changes in the system. Read More
The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP. Read More
We’re proud to share that SBA Research has been appointed as one of Austria’s few CVE Numbering Authorities (CNAs). This designation recognizes our commitment to cybersecurity excellence. With only three other authorities in Austria, being authorized as a CVE Numbering Authority underscores our expertise and dedication… Read More
From September 19 to 21, around 65 talented and curious women and FINTA* immersed themselves in the exciting world of cybersecurity at the University of Vienna. This continuing education and networking program is unique in Europe and is designed to make it easier to enter and advance in IT security. ... ∞
The 20th International Conference on Availability, Reliability, and Security (ARES 2025) took center stage in Ghent, Belgium, from August 11-14, 2025, offering a platform for experts and enthusiasts to explore the latest developments in the field. Co-located with ARES 2025 was the 8th International Symposium for Industrial Control System & SCADA Cyber Security Research.... ∞