Vulnerabilities and exploits

This is a partial list of CVE that have my name attached to it, as well as some exploits that I have written.

CVE

2020

• CVE-2020-12627: Calibre-Web 0.6.6 allows authentication bypass because of the A0Zr98j/3yX R~XHH!jmN]LWX/,?RT hardcoded secret key, likely leading to an RCE. (fix)

2019

• CVE-2019-20907: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (bug)
• CVE-2019-10907: Password stored as md5 in the remember-me cookie in airsonic (fix)
• CVE-2019-10908: Lack of randomness when generating passwords in airsonic (fix)

2014

• CVE-2014-4731: Non-constant time comparison in FreeRADIUS EAP-PWD implementation (fix)
• CVE-2014-4732: Cryptographic material might be left behind in FreeRADIUM EAP-PWD implementation (fix)
• CVE-2014-4733: Lack of check for sufficient randomness in FreeRADIUS EAP-PWD implementation (fix)

2013

• CVE-2013-7351: Multiple reflected XSS in Shaarli (fix)

Original exploits and vulnz

2019

• no CVE: A significant amount of stored/reflected/DOM XSS in airsonic (fixes)
• no CVE: Authenticated path traversal leading to an RCE in airsonic (fixes)

2017

• no CVE: LibreNMS unauthenticated remote code execution, not even sure if fixed (exploit)
• no CVE: Authentication bypass in Baikal, ~silently fixed (details)
• no CVE: Authenticated arbitrary code execution Baikal, (details)

2016

• no CVE: Observium is terrible, not even sure if fixed (exploit)

Metasploit modules

2017

• CVE-2017-7615: Unauthenticated password reset in MantisBT (exploit)
• CVE-2017-5982: Arbitrary file read in Kodi (exploit)

2015

• CVE-2014-0476: Local root in chkrootkit (exploit)
• CVE-2015-7808: Unauthenticated remote code execution in vBulletin (exploit)
• CVE-2015-5161: Unauthenticated arbitrary file read in Magento (exploit)
• CVE-2015-1397: Unauthenticated remote code execution in Magento (exploit)