Findings
Core Software vulnerabilities
Here are some vulnerabilities I found, along with CVE identifiers and write-ups where available.
| Software | Versions | Impact | CVE / Vendor ID | Write-Up |
| --- | --- | --- | --- | --- |
| Linux | < 5.8.15 | Privilege Escalation | CVE-2020-27194 | Write Up, Exploit |
| libGD | <= 2.2.5 | PHP imagescale() remote wild free | – | HackerOne report |
| libGD | <= 2.2.5 | PHP “Sandbox” escape | CVE-2019-6977 | Exploit |
| WordPress | <= 5.3.2 | “Sandbox” escape | – | RIPS Blog |
| WordPress | <= 5.0.0 | Unprivileged RCE | CVE-2019-8943 | RIPS Blog |
| WordPress | <= 5.1.0 | CSRF to RCE | CVE-2019-9787 | RIPS Blog |
| WordPress | <= 5.0.0 | Post Priv Esc | CVE-2018-20152 | RIPS Blog |
| WordPress | – | Priv Esc | CVE-2018-20714 | RIPS Blog |
| WordPress | – | Unprivileged Stored XSS in certain plugins | CVE-2019-16773 | HackerOne report |
| MyBB | <= 1.8.2 | Unprivileged Stored XSS | CVE-2019-12830 | RIPS Blog |
| MyBB | <= 1.8.2 | Privileged RCE | CVE-2019-12831 | RIPS Blog |
| phpBB3 | <= 3.2.3 | Privileged RCE | CVE-2018-19274 | RIPS Blog |
| Pydio | <= 8.2.1 | Unauthenticated RCE | CVE-2018-20718 | RIPS Blog |
| Shopware | <= 5.4.3 | Privileged RCE | SW-21776 | – |
| Magento | <= 2.3.1 | Unauthenticated Stored XSS in Admin Dashboard | CVE-2019-7877 | RIPS Blog |
| Magento | <= 2.3.0 | Privileged RCE | PRODSECBUG-2261 | RIPS Blog |
| Magento | <= 2.3.0 | Privileged RCE | PRODSECBUG-2256 | – |
| Magento | <= 2.3.1 | Privileged RCE | CVE-2019-7932 | – |
| Magento | <= 2.3.1 | Privileged RCE | CVE-2019-7885 | – |
| Magento | <= 2.3.2 | Authenticated Stored XSS | CVE-2019-8152 | – |
| Magento | <= 2.3.2 | escapeURL() bypass | CVE-2019-8153 | – |
| Magento | <= 2.3.2 | Potential unauthenticated Stored XSS | CVE-2019-8233 | – |
WordPress Plugin Advent Calendar
During my time at RIPS Tech I had the pleasure of setting up the so-called “WordPress Plugin Advent Calendar”. In Germany, as in many countries, it is a tradition to give kids a treat every day from the first of December until Christmas Eve. At RIPS, we wanted to bring this tradition to the InfoSec community. Each day we released either a vulnerability in a plugin or a core WordPress bug. Many of the plugins featured had millions of active installations, and the bugs spanned eCommerce, forum and caching plugins, among others. Take a look here: RIPS Advent Calendar 2018.
I wrote the Calendar and found a big portion of the vulnerabilities. Credits go out to Dennis Brinkrolf and Karim Elouerghemmi, who were two amazing colleagues!