AFINE Team contribution

Research

Date		CVE	Topic	Details
28/06/2024	⚠️	CVE-2024-28797	Stored Cross-site Scripting in IBM InfoSphere DataStage Designer < 11.7.4	Link
28/06/2024	⚠️	CVE-2024-28795	Stored Cross-site Scripting in IBM InfoSphere Information Server < 11.7	Link
28/06/2024	⚠️	CVE-2024-28794	Stored Cross-site Scripting in IBM InfoSphere Information Server < 11.7	Link
28/06/2024	⚠️	CVE-2024-5737	AdmirorFrames Joomla! Extension < 5.0 - HTML Injection	Link
28/06/2024	⚠️	CVE-2024-5736	AdmirorFrames Joomla! Extension < 5.0 - Server-Side Request Forgery	Link
28/06/2024	⚠️	CVE-2024-5735	AdmirorFrames Joomla! Extension < 5.0 - Full Path Disclosure	Link
24/05/2024	⚠️	CVE-2024-2218	LuckyWP Table of Contents <= 2.1.4 - Admin+ Stored XSS	Link
08/05/2024	⚠️	CVE-2024-3050	Site Reviews < 7.0.0 - IP Spoofing	Link
09/05/2024	⚠️	CVE-2024-3459	KioWare for Windows environment escape	Link
09/05/2024	⚠️	CVE-2024-3460	KioWare for Windows security control bypass	Link
09/05/2024	⚠️	CVE-2024-3461	KioWare for Windows PIN brute force	Link
18/03/2024	⚠️	CVE-2024-1606	HTML injection in BMC Control-M	Link
18/03/2024	⚠️	CVE-2024-1605	DLL side-loading in BMC Control-M	Link
18/03/2024	⚠️	CVE-2024-1604	Incorrect authorization in BMC Control-M	Link
14/02/2024	⚠️	CVE-2024-0010	PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in GlobalProtect Portal	Link
07/02/2024	⚠️	CVE-2024-24816	Cross-site scripting (XSS) in CKEditor4 samples with the preview feature enabled	Link
11/01/2024	⚠️	CVE-2023-5118	Stored XSS in Kofax Capture software	Link
21/12/2023	⚠️	CVE-2023-4925	Easy Forms for Mailchimp <= 6.8.10 - Admin+ Stored Cross-Site Scripting	Link
12/12/2023	⚠️	CVE-2023-45184	Decryption key disclosure in IBM i Access Client Solutions due to improper authority checks	Link
12/12/2023	⚠️	CVE-2023-45182	Possibility to decrypt password-encryption key in IBM i Access Client Solutions allowing attacker to obtain passwords to other systems	Link
12/12/2023	⚠️	CVE-2023-45185	Remote Code Execution in IBM i Access Client Solutions	Link
12/12/2023	⚠️	CVE-2023-4932	Reflected Cross-Site Scripting in SAS 9.4	Link
06/11/2023	⚠️	CVE-2023-5958	POST SMTP Mailer < 2.7.1 - Unauthenticated Cross-site Scripting	Link
06/11/2023	⚠️	CVE-2023-5209	Bookly < 22.5 - Admin+ Stored XSS	Link
08/08/2023	⚠️	CVE-2023-35359	Windows Kernel Elevation of Privilege Vulnerability	Link
25/07/2023	⚠️	CVE-2023-39062	Cross Site Scripting vulnerability in Spipu HTML2PDF before v.5.2.8	Link
02/10/2023	⚠️	CVE-2023-38419	Denial of Service of Big-IQ iControl SOAP daemon by an attacker with guest privileges	Link
02/10/2023	⚠️	CVE-2023-38138	Reflected Cross-site Scripting in BIG-IP Configuration utility	Link
13/06/2023	⚠️	CVE-2023-35840	elFinder < 2.1.62 - Path Traversal vulnerability in PHP LocalVolumeDriver connector	Link
20/03/2023	⚠️	CVE-2023-1478	Hummingbird < 3.4.2 - Unauthenticated Path Traversal	Link
16/03/2023	⚠️	CVE-2023-28530	IBM Cognos Analytics - Stored cross-site scripting caused by improper validation of SVG Files in Custom Visualizations	Link
18/10/2022	⚠️	CVE-2022-40746	OwnCloud URL spoofing in password reset mail	Link
16/09/2022	⚠️	CVE-2022-40746	IBM i Access Client Solutions is vulnerable to DLL hijacking when run on a Windows operating system	Link
25/07/2022	⚠️	CVE-2022-36433	Cross-site Scripting (XSS) in blog-post creation functionality in Amasty Blog Pro for Magento 2	Link
25/07/2022	⚠️	CVE-2022-36432	Cross-site Scripting (XSS) in Preview functionality in Amasty Blog Pro for Magento 2	Link
11/07/2022	⚠️	CVE-2022-35501	Stored Cross-site Scripting (XSS) in blog-post creation functionality in Amasty Blog Pro for Magento 2	Link
11/07/2022	⚠️	CVE-2022-35500	Stored Cross-site Scripting (XSS) in leave comment functionality in Amasty Blog Pro for Magento 2	Link
11/07/2022	⚠️	CVE-2022-35642	IBM InfoSphere Information Server is vulnerable to stored cross-site scripting	Link
12/05/2022	⚠️	CVE-2022-30615	IBM InfoSphere Information Server is vulnerable to cross-site scripting	Link
28/06/2021	⚠️	CVE-2021-34254	Open Redirection (OurUmbraco)	Link
16/06/2021	⚠️	CVE-2021-3584	Server-side remote code execution (Foreman)	Link
08/06/2021	⚠️	CVE-2021-1675	Windows Print Spooler Elevation of Privilege Vulnerability	Link
07/06/2021	⚠️	CVE-2021-24378	Authenticated Stored XSS (Autoptimize)	Link
07/06/2021	⚠️	CVE-2021-24377	Race Condition leading to RCE (Autoptimize)	Link
07/06/2021	⚠️	CVE-2021-24376	Arbitrary File Upload (Autoptimize)	Link
13/05/2021	⚠️	CVE-2021-21559	Dell EMC NetWorker Security Update for Multiple Vulnerabilities	Link
13/05/2021	⚠️	CVE-2021-21558	Dell EMC NetWorker Security Update for Multiple Vulnerabilities	Link
25/09/2020	⚠️	CVE-2020-25130	SQL Injection (Observium)	Link
25/09/2020	⚠️	CVE-2020-25131	Cross-Site Scripting (Observium)	Link
25/09/2020	⚠️	CVE-2020-25132	SQL Injection (Observium)	Link
25/09/2020	⚠️	CVE-2020-25133	Authenticated Directory Traversal And Local File Inclusion (Observium)	Link
25/09/2020	⚠️	CVE-2020-25134	Authenticated Directory Traversal And Local File Inclusion (Observium)	Link
25/09/2020	⚠️	CVE-2020-25135	Cross-Site Scripting (Observium)	Link
25/09/2020	⚠️	CVE-2020-25136	Authenticated Directory Traversal And Local File Inclusion (Observium)	Link
25/09/2020	⚠️	CVE-2020-25137	Cross Site Scripting (Observium)	Link
25/09/2020	⚠️	CVE-2020-25138	Cross Site Scripting (Observium)	Link
25/09/2020	⚠️	CVE-2020-25139	Cross Site Scripting (Observium)	Link
25/09/2020	⚠️	CVE-2020-25140	Cross Site Scripting (Observium)	Link
25/09/2020	⚠️	CVE-2020-25141	Cross Site Scripting (Observium)	Link
25/09/2020	⚠️	CVE-2020-25142	Cross Site Request Forgery (CSRF) (Observium)	Link
25/09/2020	⚠️	CVE-2020-25143	SQL Injection (Observium)	Link
25/09/2020	⚠️	CVE-2020-25144	Authenticated Directory Traversal And Local File Inclusion (Observium)	Link
25/09/2020	⚠️	CVE-2020-25145	Authenticated Directory Traversal And Local File Inclusion (Observium)	Link
25/09/2020	⚠️	CVE-2020-25146	Cross Site Scripting (Observium)	Link
25/09/2020	⚠️	CVE-2020-25147	SQL Injection (Observium)	Link
25/09/2020	⚠️	CVE-2020-25148	Cross Site Scripting (Observium)	Link
25/09/2020	⚠️	CVE-2020-25149	Authenticated Directory Traversal And Local File Inclusion (Observium)	Link
03/09/2020	⚠️	CVE-2020-25102	Cross-Site Scripting (SilverStripe Advanced Reports Module)	Link
26/08/2020	⚠️	CVE-2020-5920	F5 BIG-IP AFM SQL Injection	Link
11/08/2020	⚠️	CVE-2020-1569	Microsoft Edge Memory Corruption	Link
17/07/2020	⚠️	CVE-2020-15596	Touchpad driver DLL Hijacking	Link
29/05/2020	⚠️	CVE-2020-13700	wp plugin acf-to-rest-api Insecure direct object reference via permalinks manipulation	Link
25/05/2020	⚠️	CVE-2020-13484	Bitrix CRM unauthenticated server side request forgery	Link
25/05/2020	⚠️	CVE-2020-13483	Bitrix CRM XSS / WAF bypass	Link
24/05/2020	⚠️	CVE-2020-13443	ExpressionEngine Remote Command Execution via unrestricted file upload	Link
21/04/2020	⚠️	CVE-2020-11976	Apache Wicket Directory traversal due to guard protection bypass - read wicket markup file source	Link
13/01/2020	⚠️	CVE-2020-6856	JOC Cockpit, Jobscheduler, XML External Entity	Link
13/01/2020	⚠️	CVE-2020-6855	JOC Cockpit, Jobscheduler, Denial of Service	Link
13/01/2020	⚠️	CVE-2020-6854	JOC Cockpit, Jobscheduler, Multiple Stored Cross Site Scripting	Link
20/11/2019	⚠️	CVE-2019-19129	Afterlogic WebMail Pro 8.3.11 Remote Stored XSS via an attachment name.	Link
05/08/2019	⚠️	CVE-2019-14521	Arbitrary File Upload leading to RCE (Energy Logserver)	Link
17/07/2019	⚠️	CVE-2020-5907	TMOS Shell privilege escalation vulnerability	Link
26/03/2019	⚠️	CVE-2019-10070	Apache Atlas, Stored Cross Site Scripting	Link

Articles

Date		Topic	Details
13/06/2021	📔	Bezpieczeństwo AWS – jak zacząć? (i po co)	Link
07/06/2021	📔	Bezpieczeństwo Kubernetesa – ćwiczenia z Kubernetes Goat	Link
25/05/2021	📔	Analiza statyczna plików wykonywalnych	Link
13/05/2021	📔	Wyłudzenia portfeli kryptowalut, czyli kolejna odsłona socjotechniki	Link
10/05/2021	📔	JIRA CVE-2019-11581 – budujemy exploita 1-day!	Link
09/05/2021	📔	Workplace by Facebook: bug bounty za 100000 PLN	Link
01/05/2021	📔	Darmowe szkolenie Burp Suite Community – pozostałe części	Link
25/04/2021	📔	Malware Sysrv – jak sprawdzić, czy go nie złapaliśmy i dlaczego patchowanie jest ważne	Link
17/04/2021	📔	Czy Twoja JIRA jest bezpieczna? Sprawdź!	Link
15/04/2021	📔	Szkolenie Burp Suite Community – część 4 – target	Link
13/04/2021	📔	Szkolenie Burp Suite Community – część 3 – proxy i scope	Link
06/04/2021	📔	Burp Suite Community – szkolenie – część 2	Link
06/04/2021	📔	Burp Suite Community – szkolenie – część 1	Link
05/04/2021	📔	Automation of the reconnaissance phase during Web Application Penetration Testing III	Link
21/03/2021	📔	Automation of the reconnaissance phase during Web Application Penetration Testing II	Link
19/03/2021	📔	Atakowanie GDPR (RODO)	Link
15/03/2021	📔	Automation of the reconnaissance phase during Web Application Penetration Testing I	Link
14/03/2021	📔	Github Dorks – czyli ofensywny OSINT na GitHubie	Link
08/03/2021	📔	Podatność Subdomain Takeover – czym jest i jak jej szukać?	Link
08/02/2021	📔	Testing and exploiting Java Deserialization in 2021	Link
08/10/2020	📔	Java RMI for pentesters part two — reconnaissance & attack against non-JMX registries	Link
27/09/2020	📔	Java RMI for pentesters: structure, recon and communication (non-JMX Registries)	Link
28/07/2020	📔	Windows – backdooring – część III	Link
19/07/2020	📔	Windows – backdooring – część II	Link
12/04/2020	📔	Windows – backdooring – część I	Link
31/01/2020	📔	SLAE Course & Exam Review	Link
16/01/2020	📔	Active Directory Cheat Sheet	Link

Conferences

Date		Topic	Details
09/04/2021	🎥	Smart Web Fuzzing, czyli jakie powierzchnie ataku możemy półautomatyzować — Łukasz Mikuła, Warszawskie Dni Informatyki	Link
11/09/2020	🎥	Współczesna infrastruktura Red Teamowa — Łukasz Mikuła, Piotr Madej, Security Case Study	Link
27/02/2020	🎥	Phishing - jak malware trafia do Twojej organizacji — Piotr Madej, OWASP Katowice	Link
29/01/2020	🎥	O pracy pentestera — Piotr Madej, 17 53c - Gliwice Cybersecurity Meetup Group	Link
14/12/2019	🎥	COM to me, baby — Łukasz Mikuła, WTH Conference	Link
14/12/2019	🎥	Logiczne podatności w systemie Windows — Michał Bazyli, WTH Conference	Link