SSD Advisory – Odoo CRM Code Execution

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerability Summary
The following advisory describes an arbitrary Python code execution vulnerability found in Odoo CRM version 10.0.

Odoo is a suite of open source business apps that cover all your company needs: CRM, eCommerce, accounting, inventory, point of sale, project management, etc. Odoo’s unique value proposition is to be at the same time very easy to use and fully integrated.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Odoo has handled the issue we reported through a private disclosure, and the patch has been merged into all supported branches.

The full public disclosure will be available at https://github.com/odoo/odoo/issues/17898.

SSD Advisory – ManageEngine Code Execution

Vulnerability Summary
The following advisory describes an Unrestricted File Upload vulnerability leading to Code Execution found in ManageEngine Firewall Analyzer and ManageEngine OpManager.

ManageEngine Firewall Analyzer is a browser-based firewall/VPN/proxy server reporting solution that uses a built-in syslog server to store, analyze, and report on firewall, VPN and proxy logs. Firewall Analyzer provides daily, weekly, monthly, and yearly reports on firewall traffic, security breaches, and more. This helps network administrators proactively secure networks before security threats arise, avoid network abuses, manage bandwidth requirements, monitor web site visits, and ensure appropriate usage of networks by employees.

ManageEngine OpManager is a comprehensive network monitoring software that provides network administrators with an integrated console for managing routers, firewalls, servers, switches, and printers. OpManager offers extensive fault management and performance management functionality. It provides handy but powerful customizable dashboards and CCTV views that display the immediate status of your devices, at-a-glance reports, business views, etc. OpManager also provides many out-of-the-box graphs and reports, which give network administrators a wealth of information about the health of their networks, servers and applications.

Credit
An independent security researcher, Yasser Ali (https://yasserali.com), has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
ManageEngine has released patches to address these vulnerabilities and issued the following advisory: https://desk.zoho.com/portal/manageengine/kb/articles/latest-consolidated-patch

SSD Advisory – Sentora Web Hosting Control Panel Multiple Vulnerabilities

Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in Sentora Web Hosting Control Panel that lead to remote code execution.

Sentora is a free-to-download-and-use web hosting control panel developed for Linux, UNIX and BSD based servers or computers. The Sentora software can turn a domestic or commercial server into a fully fledged, easy-to-use and easy-to-manage web hosting server.

The vulnerabilities found in Sentora Web Hosting Control Panel are:

  • Authenticated Code Execution
  • Privilege Escalation

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor Response
The vendor has released a new version of the product which addresses the vulnerabilities.

SSD Advisory – Horde Groupware Webmail Multiple Remote Code Execution Vulnerabilities

Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in Horde Groupware Webmail.

Horde Groupware Webmail Edition is a free, enterprise-ready, browser-based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards-compliant components from the Horde Project. Horde Groupware Webmail Edition bundles the separately available applications IMP, Ingo, Kronolith, Turba, Nag, Mnemo, Gollem, and Trean.

It can be extended with any of the released Horde applications or the applications that are still in development, like a bookmark manager or a file manager.

Affected versions: Horde 5, 4 and 3

The vulnerabilities found in Horde Groupware Webmail are:

  • Authenticated Remote Code Execution
  • Unauthenticated Remote Code Execution

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Horde has released a patch to address the vulnerabilities.

For more information: https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html
