23 Oct 2020

Report de l’évènement Hack In Paris, du 2 juin au 2 juillet 2021

Compte tenu de la reprise de l’épidémie COVID-19 à l’échelle mondiale, nous avons dû prendre la lourde décision de reporter l’évènement annuel Hack In Paris qui aura lieu 28 juin au 2 juillet 2021, à la Maison de la Chimie.

21 Sep 2020

[CVE-2020-24389] Remote Code Execution on Drag and Drop Multiple File Upload – Contact Form 7

Drag and Drop Multiple File Uploader is a simple, straightforward WordPress plugin extension for Contact Form7, which allows the user to upload multiple files using the drag-and-drop feature or the common browse-file of your webform.

We discovered a remote code execution vulnerability in this plugin, because the validation of dangerous file extensions fails.

12 Aug 2020

[CVE-2020-17364] USVN stored XSS

User-Friendly USVN is a web interface written in PHP used to configure Subversion repositories.

We found a stored XSS vulnerability inside the commit module, that could allow an attacker to execute JavaScript into the client application and take over user web browsers.

12 Aug 2020

[CVE-2020-17363] USVN Remote code execution

User-Friendly USVN is a web interface written in PHP used to configure Subversion repositories.

We could execute code remotely, through an OS command injection inside the Timeline module. It can be used by an authenticated user to execute arbitrary command against the operating system.

05 Aug 2020

[CVE-2020-9036] Jeedom XSS leading to Remote Code Execution

Jeedom is a home automation solution used in IoT.

We discovered an XSS (cross-site-scripting) injection that can lead to a remote code execution.

09 Jun 2020

[CVE-2020-13404] Remote system command injection in Atos-Magento module

A system command injection vulnerability has been introduced in the Atos-Magento module version 3.0.0. This module manage the remote ATOS payment solution for Magento 1.x (1.7+) e-commerce websites.

04 Jun 2020

Nos mesures pour assurer votre santé et votre sécurité lors de nos prestations d'audits

Découvrez les mesures mises en oeuvre pour assurer votre santé et votre sécurité lors de nos prestations d'audits

25 May 2020

Abusing PackageKit on Fedora/CentOS for fun & profit (from wheel to root).

This article describes an exploitation path of PackageKit settings in Fedora/CentOS, to achieve local privilege escalation to root without any user interaction.

The scenario uses vulnerabilities in both the default configuration of PackageKit and some packages.

25 May 2020

[CVE-2020-10936] SYMPA Privileges escalation to root

We found a way to escalate our privileges to root, exploiting a vulnerability in the way that a setsuid binary can be abused to load malicious Perl libraries.

25 May 2020

[CVE-2020-12050] Fedora/Red Hat/CentOS local privilege escalation through a race condition in the sqliteODBC installer script

A vulnerability has been introduced in the package that installs sqliteODBC in Red Hat / CentOS / Fedora distributions.

It is a race condition that allows local users to escalate their privileges to root permissions.

Les actualités

Contactez-nous

Actualités