Versions Tested: Tiff Server 4.0 Product: https://www.aquaforest.com/en/tiffserver.asp Security Advisories: N/A CVE Numbers: CVE-2020-9323 CVE-2020-9324 CVE-2020-9325 CVSS Score: Unauthenticated File and Directory Enumeration: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:W/RC:C Unauthenticated Arbitrary File Download: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:W/RC:C Unauthenticated SMB Hash Capture […]
No matter how much you think you’ve done to protect your data and systems, common vulnerabilities continue to wreak havoc on enterprises. Cyberattacks are already increasing due to global events, […]
During a recent penetration test for a client, I came across a tool called MigrationTool from Palo Alto Networks. The tool was littered with issues, like the unauthenticated disclosure of passwords, […]
Luckily, it was only a test. During penetration testing for two international companies, our team found numerous vulnerabilities. In both cases we had total control over all systems within the […]
Why Password Managers and MFA are Important in your Security Stack The subject of password strength and complexity requirements has been discussed and debated ad nauseam in the security industry. It is […]
Background: After running into ManageEngine products on a number of penetration tests, we decided to take a closer look at their products and see if there were any vulnerabilities that […]
Background: While conducting a penetration test of a client’s external network, I discovered a way to enumerate users’ in ManageEngine’s ADSelfService Plus application. This allows an attacker to determine the […]
Background: While conducting a penetration test of a client’s external network, I discovered three separate instances of information disclosure in VMware’s Horizon Access Web Portal. An unauthenticated user could access information such […]
Background While conducting a penetration test for a customer, I encountered an unused developer forum using JForum version 2.1.8 and started looking for vulnerabilities within the application. Version Tested: 2.1.8 CVE […]
Background In previous roles focused on malware analysis and defense, a recurring trend observed across the industry has been the rise of fileless malware, particularly the use of mshta.exe as […]