Unauthenticated RCE in Agorum Core Open!

During their regular security analyses, our pentest professionals from #usdHeroLab examined the open source software #AgorumCoreOpen.

They discovered multiple #vulnerabilities that, when chained together, allow an unauthenticated attacker to achieve full remote code execution with root privileges. This critical flaw enables complete system compromise without prior authentication.

📰👉 Detailed information on the published #SecurityAdvisories can be found here: https://www.usd.de/en/security-advisories-on-agorum-core-open/

#Pentest #Pentesting #moresecurity #RCE #CyberSecurity #InfoSec

Our #usdHeroLab security analysts have identified a critical #vulnerability in the admin panel of the #AXIS P1364 webcam that enables an attacker to create new accounts with administrative privileges.
Vulnerability type: Cross-Site Request Forgery (CSRF) (CWE-352)
👇More details: https://herolab.usd.de/en/security-advisories/usd-2023-0007/
The #usdHeroLab analysts examined the open source application #WeKan while conducting their security analyses and found a #BrokenAccessControl vulnerability.
🚨Security Risk: High
🧵👇More details
https://herolab.usd.de/en/security-advisories/usd-2023-0008/
Version 1.3.1 of the #CSTC was released on May 22! It contains lots of new features, improvements and contributions from the community. The CSTC will also be part of the BlackHat USA 2024 Arsenal Labs; we look forward to seeing you there! #BHUSA #usdHeroLab #moresecurity https://github.com/usdAG/cstc
GitHub - usdAG/cstc: CSTC is a Burp Suite extension that allows request/response modification using a GUI analogous to CyberChef

Our #usdHeroLab professionals have uncovered a vulnerability in the online store software #Gambio during their #pentests.

Our analysts discovered a vulnerability in the password reset functionality. Exploiting this vulnerability would enable an attacker to change the password for any account and take over, for example, the administrator account of the application.

The vulnerability was reported to the vendor under the Responsible Disclosure Policy.

👉 More details: https://herolab.usd.de/en/security-advisories/usd-2024-0002/

Our #usdHeroLab analysts examined the #SONIX Technology Webcam during their #pentests.

1️⃣ Vulnerability Type: Incorrect Permission Assignment for Critical Resource (CWE-732)

🚨 Security Risk: High

The vulnerability was reported to the vendor under the Responsible Disclosure Policy.

👉More Details: https://herolab.usd.de/security-advisories/usd-2023-0029/

#Announcement: On Friday, our #usdHeroLab colleagues published a major release of our BurpSuite Plugin #FlowMate: https://github.com/usdAG/FlowMate/releases/tag/v1.1

During BlackHat USA 2023 and DEF CON 31, our colleagues received a lot of helpful feedback on their #tool; the new version 1.1 contains bug fixes and several new features. In our video, Florian Haag explains the advantages and possible use cases in the context of #WebApplication #Pentests: https://www.youtube.com/watch?v=BJhRhGmDATw

#CheckItOut #Security #Pentesting #Hacking #Tools #Community #moresecurity

Many cooks spoil the tool? Not in the #usdHeroLab: Our colleagues are constantly developing their own #tools, which are subject to strict quality and optimization processes. In the latest video, Florian Haag introduces you to our BurpSuite plugin Cyber Security Transformation Chef (CSTC) and explains how you can use it.

https://youtu.be/6fjW4iXj5cg?si=fJCfJUfP30k4KhC0

Introduction to the Cyber Security Transformation Chef (CSTC)

Our #usdHeroLab #Pentest professionals analyzed #FileCloud during their pentests.
1️⃣ Vulnerability Type: Dependency on Vulnerable Third-Party Component (CWE-1395)
🚨Security Risk: Critical

🧐FileCloud is an enterprise solution for accessing, synchronizing and sharing files hosted on your servers.
The identified vulnerability is related to an outdated Electron dependency. Exploiting it could allow attackers to gain unauthorized access to sensitive data stored within the application.

The vulnerability was reported to the vendor under the Responsible Disclosure Policy. More information can be found here 👩‍💻 👇
https://herolab.usd.de/security-advisories/

Our #usdHeroLab #Pentest professionals analyzed #Gambio during their pentests.
1️⃣ Vulnerability Type: several vulnerabilities, some of them high risk
🚨Security Risk: Critical
🧵👇 More Details

🧐Gambio is a software designed for running online shops. It provides various features and tools to help businesses manage their inventory, process orders, and handle customer interactions.

The identified vulnerabilities allowed unauthenticated attackers to execute code on the underlying system, because the application deserializes untrusted data. Other vulnerabilities allowed unauthenticated attackers to perform SQL injection attacks to extract data from the database. The application also stores the passwords provided during the installation process in cleartext.
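The three weakness classes named above (deserialization of untrusted data, SQL built from request input, and cleartext password storage) are shown below as an added illustration in PHP, the language of the Gambio code base. This is example code written for this post, not Gambio's own code or the advisory's findings; the function names, the cart cookie, the table layout and the in-memory SQLite database are all constructed for the demonstration. Each weak pattern sits beside its hardened form.

```php
<?php
// Added illustration, not Gambio's code. All names and data are constructed.
declare(strict_types=1);

// --- 1. Deserializing untrusted data --------------------------------------
// A cart cookie comes straight from the client. Passing it to unserialize()
// lets the client pick which PHP classes are instantiated, so any class with
// a __wakeup()/__destruct() side effect becomes reachable.
function loadCartUnsafe(string $cookie): mixed
{
    return unserialize(base64_decode($cookie)); // WEAK: client-chosen objects
}

// Hardened: carry plain data only. JSON cannot express PHP objects, and the
// decoded structure is validated against the expected shape before use.
function loadCartSafe(string $cookie): array
{
    $raw = base64_decode($cookie, true);
    $decoded = json_decode($raw === false ? '' : $raw, true);
    if (!is_array($decoded)) {
        return [];
    }
    $items = [];
    foreach ($decoded as $productId => $qty) {   // numeric keys become ints
        if (is_int($productId) && is_int($qty) && $qty > 0) {
            $items[$productId] = $qty;
        }
    }
    return $items;
}
// If unserialize() cannot be avoided, at least forbid object creation:
//   unserialize($raw, ['allowed_classes' => false]);

// --- 2. SQL built from request input ---------------------------------------
function findProductUnsafe(PDO $db, string $id): ?array
{
    $res = $db->query("SELECT * FROM products WHERE id = $id"); // WEAK: concatenation
    return $res ? ($res->fetch(PDO::FETCH_ASSOC) ?: null) : null;
}

function findProductSafe(PDO $db, string $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM products WHERE id = :id');
    $stmt->execute([':id' => $id]);            // bound value, never parsed as SQL
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// --- 3. Storing the passwords entered during installation ------------------
function storeAdminUnsafe(PDO $db, string $user, string $password): void
{
    $stmt = $db->prepare('INSERT INTO admins (name, password_hash) VALUES (?, ?)');
    $stmt->execute([$user, $password]);         // WEAK: cleartext at rest
}

function storeAdminSafe(PDO $db, string $user, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // salted, slow hash
    $stmt = $db->prepare('INSERT INTO admins (name, password_hash) VALUES (?, ?)');
    $stmt->execute([$user, $hash]);
}

function checkAdminPassword(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM admins WHERE name = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed demo: in-memory SQLite so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE admins (name TEXT, password_hash TEXT)');
$db->exec("INSERT INTO products VALUES (1, 'Lamp')");

var_dump(loadCartSafe(base64_encode('{"1":2,"x":1}')));  // only the valid entry survives
var_dump(findProductSafe($db, '1 OR 1=1'));              // the string is a value, not SQL
storeAdminSafe($db, 'admin', 'correct horse battery');
var_dump(checkAdminPassword($db, 'admin', 'correct horse battery'));
var_dump(checkAdminPassword($db, 'admin', 'wrong'));
```

The point of each safe variant is the same: data that crosses a trust boundary is treated as a value, never as something the runtime interprets (objects to instantiate, SQL to parse, a secret to keep verbatim). Reviewing an installer or a session layer for these three patterns is a quick way to find the issue classes the advisory summary describes.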

The vulnerability was reported to the vendor under the Responsible Disclosure Policy. More information can be found here 🧑‍💻👩‍💻 👇
https://herolab.usd.de/en/security-advisories/