Excerpt of vulnerabilities I found in the last years

Over the past years I’ve found several vulnerabilities on several products/vendors for example, HP, ASUS, BioStar, Telekom, Adobe, Siemens, GDATA, Avast, Comodo, Synology, Wacom and many more. These list is just a short list because not all vulnerabilities have got an CVE number:

2018

• HP Network Automation:

  • CVE-2018-6492 - Cross-Site Scripting (XSS)
  • CVE-2018-6493 - SQL Injection

• SeedDMS:

  • CVE-2018-12939 - Directory Traversal
  • CVE-2018-12940 - Unrestricted File Upload
  • CVE-2018-12941 - Remote Code Execution
  • CVE-2018-12942 - SQL Injection
  • CVE-2018-12943 - Cross-Site Scripting (XSS)
  • CVE-2018-12944 - Persistent Cross-Site Scripting (XSS)

2019

• SITOS Six:

  • CVE-2019-15746 - Command Injection
  • CVE-2019-15747 - Privilege Escalation
  • CVE-2019-15748 - Authorization Bypass
  • CVE-2019-15749 - Account Takeover
  • CVE-2019-15750 - Cross-Site-Scripting (XSS)
  • CVE-2019-15751 - Unrestricted File Upload

• HiDrive Desktop Client:

  • CVE-2019-9486 - Local Privilege Escalation (LPE)

• ASUS Aura Sync:

  • CVE-2019-17603 - Local Privilege Escalation (LPE)

2021

• Synology DSM:
  • Local Privilege Escalation (LPE) vulnerability that I’ve found in Synology DSM <= 6.2.4-25554 back in 2021. This vulnerability has no CVE, no advisory and was not mention in any update. At least an acknowledgement on their page ¯\_(ツ)_/¯.

2022

• Adobe Acrobat Reader DC:
  • CVE-2022-34226 - Out-Of-Bounds Read

2023

• Siemens Tecnomatix Plant Simulation:

  • CVE-2023-27401 - Out-Of-Bounds Read
  • CVE-2023-27402 - Out-Of-Bounds Read
  • CVE-2023-27403 - Out-Of-Bounds Read
  • CVE-2023-27405 - Out-Of-Bounds Read
  • CVE-2023-27399 - Out-Of-Bounds Write
  • CVE-2023-27404 - Stack-based Buffer Overflow

• GDATA Total Security:

  • CVE-2023-27347 - Local Privilege Escalation (LPE)

• VIPRE Antivirus Plus:

  • CVE-2023-32175 - Local Privilege Escalation (LPE)

PS: This idea is shameless stolen from my colleague frycos 😄.