Name	SBA Research Cookie
Provider	SBA Research
Purpose	Saves the settings of the visitors selected in the cookie box.
Cookie name	sba-research-cookie
Cookie runtime	1 year

Name	YouTube
Provider	YouTube
Purpose	Used to unblock YouTube content.
Privacy policy	https://policies.google.com/privacy
Host(s)	google.com
Cookie name	NID
Cookie runtime	6 months

Name	Vimeo
Provider	Vimeo
Purpose	Used to unblock Vimeo content.
Privacy policy	https://vimeo.com/privacy
Host(s)	player.vimeo.com
Cookie name	vuid
Cookie runtime	2 years

SBA Security Advisory – CraftCMS Plugin – Two-Factor Authentication – Password Hash Disclosure (CVE-2024-5657)

June 6, 2024

The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP. Read More

SBA Research has been authorized by the CVE® Program as a CVE Numbering Authority (CNA)!

June 5, 2024

We’re proud to share that SBA Research has been appointed as one of Austria’s few CVE Numbering Authorities (CNAs). This designation recognizes our commitment to cybersecurity excellence. With only three other authorities in Austria, being authorized as a CVE Numbering Authority underscores our expertise and dedication… Read More

SBA Research has been authorized by the CVE® Program as a CVE Numbering Authority (CNA)!

SBA Security Advisory – CloudLinux CageFS – Insufficiently Restricted Proxy Command (CVE-2020-36772)

January 26, 2024

CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths supplied to the sendmail proxy command. This allows local users to read and write arbitrary files of certain file formats outside the CageFS environment. We recommend to update CloudLinux CageFS to version 7.1.1-1 or later. For further details, see the full security advisory. Read More

SBA Security Advisory – CloudLinux CageFS – Token Disclosure (CVE-2020-36771)

January 26, 2024

CloudLinux CageFS 7.1.1-1 or below passes the authentication token as a command line argument. In some configurations this allows local users to view the authentication token via the process list and gain code execution as another user. We recommend to update CloudLinux CageFS to version 7.1.2-2 or later. For further details, see the full security advisory. Read More

SBA Security Advisory – MOKOSmart MKGW1 Gateway – Improper Session Management (CVE-2023-51059)

December 21, 2023

MOKOSmart MKGW1 Gateway devices with firmware version 1.1.1 do not provide an adequate session management for the administrative web interface. This allows adjacent attackers with access to the management network to read and modify the configuration of the device. Read More

SBA Security Advisory – Vtiger CRM – Stored Cross-Site Scripting (CVE-2022-38335)

September 28, 2022

Vtiger CRM 7.4.0 or below is prone to a stored cross-site scripting vulnerability in the email templates module due to insufficient sanitizing. Read More

SBA Security Advisory – Shibboleth Identity Provider OIDC OP Plugin – Server-Side Request Forgery (CVE-2022-24129)

February 1, 2022

Shibboleth Identity Provider OIDC OP plugin 3.0.3 or below is prone to a server-side request forgery (SSRF) vulnerability due to an insufficient restriction of the request_uri parameter. This allows unauthenticated attackers to interact with arbitrary third-party HTTP services. We recommend to update Shibboleth Identity Provider OIDC OP plugin to version 3.0.4 or later. For further details, see the full security advisory. Read More

SBA Security Advisory – Monsta FTP – Stored Cross-Site Scripting (CVE-2020-14055)

July 1, 2020

Monsta FTP 2.10.1 or below is prone to a stored cross-site scripting vulnerability in the language setting due to insufficient output encoding. Read More

SBA Security Advisory – Monsta FTP – Server-Side Request Forgery (CVE-2020-14056)

July 1, 2020

Monsta FTP 2.10.1 or below is prone to a server-side request forgery vulnerability due to insufficient restriction of the web fetch functionality. This allows attackers to read arbitrary local files and interact with arbitrary third-party services. Read More

SBA Security Advisory – Monsta FTP – Arbitrary File Read and Write (CVE-2020-14057)

July 1, 2020

Monsta FTP 2.10.1 or below allows external control of paths used in filesystem operations. This allows attackers to read and write arbitrary local files, allowing an attacker to gain remote code execution in common deployments. Read More

SBA Research is a research center for Information Security
funded partly by the national initiative for COMET Competence Centers for Excellent Technologies.

Tag: Security Advisory

SBA Security Advisory – CraftCMS Plugin – Two-Factor Authentication – Password Hash Disclosure (CVE-2024-5657)

SBA Research has been authorized by the CVE® Program as a CVE Numbering Authority (CNA)!

SBA Security Advisory – CloudLinux CageFS – Insufficiently Restricted Proxy Command (CVE-2020-36772)

SBA Security Advisory – CloudLinux CageFS – Token Disclosure (CVE-2020-36771)

SBA Security Advisory – MOKOSmart MKGW1 Gateway – Improper Session Management (CVE-2023-51059)

SBA Security Advisory – Vtiger CRM – Stored Cross-Site Scripting (CVE-2022-38335)

SBA Security Advisory – Shibboleth Identity Provider OIDC OP Plugin – Server-Side Request Forgery (CVE-2022-24129)

SBA Security Advisory – Monsta FTP – Stored Cross-Site Scripting (CVE-2020-14055)

SBA Security Advisory – Monsta FTP – Server-Side Request Forgery (CVE-2020-14056)

SBA Security Advisory – Monsta FTP – Arbitrary File Read and Write (CVE-2020-14057)

SBA Newsletter

Upcoming events @ SBA

SBA Research at a glance

Highlights of the past years:

Privacy settings

SBA Research is a research center for Information Security funded partly by the national initiative for COMET Competence Centers for Excellent Technologies.

Tag: Security Advisory

SBA Newsletter

Highlights of the past years:

SBA Research is a research center for Information Security
funded partly by the national initiative for COMET Competence Centers for Excellent Technologies.