Security Advisories

The following is a list of published vulnerabilities by OSI Security staff;

• Apache Tomcat & Symantec PGP Web Email Protection - Directory Traversal vulnerability (fixed July 2020).
• Mitel MiCollab - SQL Injection (fixed June 2019).
• Apache http mod_speling HTTP Referrer Cross-site scripting vulnerability.
• Trend Micro Hosted Email Security (HES) - Email Interception and Direct Object Reference.
• SmartJobBoard - Cross-site scripting, personal information disclosure and PHPMailer package vulnerabilities.
• SilverStripe CMS - Path Disclosure.
• Tweek!DM Document Management Authentication bypass, SQL injection vulnerabilities.
• Computer Associates API Gateway CRLF Response Splitting, Directory Traversal vulnerabilities.
• AcoraCMS browser redirect and Cross-site scripting vulnerabilities.
• Kaseya information disclosure vulnerability.
• iPlatinum iOneView Multiple Parameter Reflected XSS.
• Lantern CMS Path Disclosure, SQL Injection, Reflected XSS.
• Manhattan Software IWMS (Integrated Workplace Management System) XML External Entity (XXE) Injection File Disclosure.
• Obsecure360 Framework SQL Injection, Path Disclosure, Reflected XSS.
• Ultra Electronics / AEP Networks - SSL VPN (Netilla / Series A / Ultra Protect) Vulnerabilities.
• Moodle URL Manipulation Remote Account Information Disclosure.
• Inchoo Facebook Connect Extension for Magento Parameter XSS.
• AirWatch Self Service Portal Username Parameter LDAP Injection.
• Avaya Radvision SCOPIA Desktop dlg_loginownerid.jsp ownerid SQL Injection.
• Lotus Protector for Mail Security remote code execution.
• Kaseya Parameter Reflected XSS, Enumeration and Bruteforce Weakness.
• CheckPoint Firewall - SecuRemote Hostname and SmartCenter Information Disclosure.
• Squiz Matrix - User Account Enumeration.
• Cyberoam UTM - Authenticated Cross-site Scripting.
• JFreeChart - Path Disclosure.
• Squiz Matrix - Cross Site Scripting.
• Civica Spydus Library Management System - Cross Site Scripting.
• LANSA aXes Web Terminal (TN5250) Cross-Site Scripting.
• Paessler - PRTG Traffic Grapher Cross Site Scripting.
• Blue Arc Group - IgnitionSuite Web Content Management System Information Disclosure / Unauthenticated Unsubscription.
• Iomega StorCenter Pro Session Identifier Prediction Weakness.
• SonicWALL SSL-VPN cgi-bin/welcome/VirtualOffice err Parameter Remote Format String.
• ContentKeeper Authentication Bypass, Remote Code Execution & Privilege Escalation.
• ConnX frmLoginPwdReminderPopup.aspx txtEmail Parameter SQL Injection.
• Asbru Web Content Management - SQL Injection and XSS.
• Microsoft Windows Installer msiexec.exe /uninstall Option GUID Value Overflow.
• Tumbleweed SecureTransport FileTransfer ActiveX TransferFile() Method remoteFile Variable Overflow.
• RemotelyAnywhere HTTP Service /img/ XSS.
• webMethods Glue Management Console resource Parameter Traversal Arbitrary File Access.
• Google Mini Search Appliance client Parameter Path Disclosure.
• ContentKeeper cgi-bin/ck/changepw.cgi Cleartext Password Disclosure.
• MySource Matrix sq_remote_page_url Function Unauthorised Proxy and Cross Site Scripting.
• Computer Associates eTrust Security Command Center - Multiple Vulnerabilities.
• Apple Safari Javascript Crafted Function Body DoS.