advisory – Insinuator.net

May 8, 2025 by Matthias Ortmann

Disclosure: Input Validation Vulnerabilities in Microsoft Bookings

In a recent customer project, we discovered vulnerabilities in Microsoft Bookings, an online appointment scheduling tool integrated into Microsoft 365, allowing companies to have customers book meetings in available times themselves. The findings originate from insufficient input validation on the public meeting scheduling endpoint. Although Microsoft has largely mitigated this vulnerability, our analysis provides important insights into potential risks and areas for improvement.

Continue reading “Disclosure: Input Validation Vulnerabilities in Microsoft Bookings”

Breaking

May 5, 2025 by Florian Port

Full Disclosure: Multiple Rundeck Job Command Injections

During a red-teaming-style customer project, we managed to get access to an Rundeck API token. Rundeck is a job scheduler and runbook automation platform designed to automate routine IT tasks across multiple systems. At first, we were excited about this API token because if we could create new Rundeck jobs, we could execute arbitrary code on the Rundeck nodes and move laterally from there. However, it turned out that with this token we only had permissions to run existing jobs.

Continue reading “Full Disclosure: Multiple Rundeck Job Command Injections”

Breaking

March 31, 2025 by Gregor Debus

CVE-2024-11035: Minor Security Issues in VMware Carbon Black Cloud

We recently conducted a security assessment of VMware Carbon Black Cloud, a unified SaaS solution that integrates endpoint detection and response (EDR), anti-virus, and vulnerability management capabilities. As part of our evaluation, we tested the solution’s ability to detect and prevent malicious activity on Windows and Linux systems. Our analysis focused on the Carbon Black agents for these platforms, and although we did not identify any critical vulnerabilities, we want to share some of the findings in this blog post.

Continue reading “CVE-2024-11035: Minor Security Issues in VMware Carbon Black Cloud”

Breaking

November 27, 2024 by Marius Walter

Vulnerability Disclosure: Command Injection in Kemp LoadMaster Load Balancer (CVE-2024-7591)

While conducting security research, I identified a critical vulnerability in Kemp’s LoadMaster Load Balancer. This vulnerability is a Command Injection and allows full system compromise. It requires no authentication and can be exploited remotely by having access to the Web User Interface (WUI). Kemp found that all LoadMaster versions up to and including version 7.2.60.0 and also the multi-tenant hypervisors up to and including version 7.1.35.11 are affected.

Kemp LoadMaster is a widely used Load Balancing Application that can commonly be seen in customer engagements. Therefore, we decided to take a closer look as part of our regular research projects.

As promised in the Announcement: Progress / Kemp LoadMaster CVE-2024-7591, I will go into detail about how I identified the vulnerability, where the vulnerable part of the code is, how the vulnerability can be exploited, and finally, how the vendor fixed this vulnerability.

Continue reading “Vulnerability Disclosure: Command Injection in Kemp LoadMaster Load Balancer (CVE-2024-7591)”

Breaking

May 22, 2024 by Daniel Schlecht

Security Advisory: Achieving PHP Code Execution in ILIAS eLearning LMS before v7.30/v8.11/v9.1

During my Bachelor’s thesis, I identified several XSS vulnerabilities and a PHP Code Execution vulnerability via an insecure file upload in the learning management system (LMS) ILIAS. The XSS vulnerability can be chained with the code execution vulnerability so that attackers with tutor privileges in at least one course can perform this exploit chain.

Continue reading “Security Advisory: Achieving PHP Code Execution in ILIAS eLearning LMS before v7.30/v8.11/v9.1”

Breaking

October 10, 2023 by Nils Emmerich

Lua-Resty-JWT Authentication Bypass

I was writing some challenges for PacketWars at TROOPERS22. One was intended to be a JWT key confusion challenge where the public key from an RSA JWT should be recovered and used to sign a symmetric JWT. For that, I was searching for a library vulnerable to JWT key confusion by default and found lua-resty-jwt. The original repository by SkyLothar is not maintained and different from the library that is installed with the LuaRocks package manager. The investigated library is a fork of the original repository, maintained by cdbattags in version 0.2.3 and was downloaded more than 4.8 million times according to LuaRocks.

While looking at the source code I found a way to circumvent authentication entirely.

Continue reading “Lua-Resty-JWT Authentication Bypass”

Breaking

September 20, 2019 by Nils Emmerich

Jenkins – Groovy Sandbox breakout (SECURITY-1538 / CVE-2019-10393, CVE-2019-10394, CVE-2019-10399, CVE-2019-10400)

Recently, I discovered a sandbox breakout in the Groovy Sandbox used by the Jenkins script-security Plugin in their Pipeline Plugin for build scripts. We responsibly disclosed this vulnerability and in the current version of Jenkins it has been fixed and the according Jenkins Security Advisory 2019-09-12 has been published. In this blogpost I want to report a bit on the technical details of the vulnerability.

Continue reading “Jenkins – Groovy Sandbox breakout (SECURITY-1538 / CVE-2019-10393, CVE-2019-10394, CVE-2019-10399, CVE-2019-10400)”

Breaking

July 4, 2019 by Oliver Matula

Security Advisories for Cisco ACI

Again, Cisco released security advisories for their software-defined networking (SDN) solution called Application Centric Infrastructure (ACI). As before (see blog post here), the published advisories originated from research performed in our ACI lab. Continue reading “Security Advisories for Cisco ACI”

Breaking

November 14, 2018 by Tillmann Oßwald

Multiple Vulnerabilities in Nexus Repository Manager

Recently, we identified security issues in the Nexus Repository Manager software developed by Sonatype. The tested versions were OSS 3.12.1-01 and OSS 3.13.1-01.

The following issues could be identified:

Multiple Cross-Site Scripting (CVE-2018-16619)
Missing Access Controls (CVE-2018-16620)
Java Expression Language Injection (CVE-2018-16621)

Continue reading “Multiple Vulnerabilities in Nexus Repository Manager”

Breaking

May 16, 2018 by Florian Grunow

Security of Busch-Jaeger IP Gateway

IoT is everywhere right now and there are a lot of products out there. I have been looking at an IP Gateway lately and found some serious issues. The Busch-Welcome IP-Gateway from Busch-Jaeger is one of the devices that bridges the gap between sensors and actors in your smart home and the network/Internet. It enables the communication to a door control system that implements various smart home functions. The device itself is offering an HTTP service to configure it, which is protected by a username and password. Some folks even actually expose the device and its login to the Internet. I tried to configure one of these lately and stumbled upon some security issues that I would like to discuss in this blog post.
Continue reading “Security of Busch-Jaeger IP Gateway”