Core Software vulnerabilities

Here are some vulnerabilities I found, along with (when available) CVE and write-up!

| Software | Versions | Impact | CVE | Write-Up |
|---|---|---|---|---|
| Linux | < 5.8.15 | Privilege Escalation | CVE-2020-27194 | Write Up, Exploit |
| libGD | <= 2.2.5 | PHP imagescale() remote wild free | | HackerOne report |
| libGD | <= 2.2.5 | PHP “Sandbox” escape | CVE-2019-6977 | Exploit |
| WordPress | <= 5.3.2 | “Sandbox” escape | | RIPS Blog |
| WordPress | <= 5.0.0 | Unprivileged RCE | CVE-2019-8943 | RIPS Blog |
| WordPress | <= 5.1.0 | CSRF to RCE | CVE-2019-9787 | RIPS Blog |
| WordPress | <= 5.0.0 | Post Priv Esc | CVE-2018-20152 | RIPS Blog |
| WordPress | | Priv Esc | CVE-2018-20714 | RIPS Blog |
| WordPress | | Unprivileged Stored XSS in certain plugins | CVE-2019-16773 | HackerOne report |
| MyBB | <= 1.8.2 | Unprivileged Stored XSS | CVE-2019-12830 | RIPS Blog |
| MyBB | <= 1.8.2 | Privileged RCE | CVE-2019-12831 | RIPS Blog |
| phpBB3 | <= 3.2.3 | Privileged RCE | CVE-2018-19274 | RIPS Blog |
| Pydio | <= 8.2.1 | Unauthenticated RCE | CVE-2018-20718 | RIPS Blog |
| Shopware | <= 5.4.3 | Privileged RCE | SW-21776 | |
| Magento | <= 2.3.1 | Unauthenticated Stored XSS in Admin Dashboard | CVE-2019-7877 | RIPS Blog |
| Magento | <= 2.3.0 | Privileged RCE | PRODSECBUG-2261 | RIPS Blog |
| Magento | <= 2.3.0 | Privileged RCE | PRODSECBUG-2256 | |
| Magento | <= 2.3.1 | Privileged RCE | CVE-2019-7932 | |
| Magento | <= 2.3.1 | Privileged RCE | CVE-2019-7885 | |
| Magento | <= 2.3.2 | Authenticated Stored XSS | CVE-2019-8152 | |
| Magento | <= 2.3.2 | escapeURL() bypass | CVE-2019-8153 | |
| Magento | <= 2.3.2 | Potential unauthenticated Stored XSS | CVE-2019-8233 | |

WordPress Plugin Advent Calendar

During my time at RIPS Tech I had the pleasure of setting up the so-called “WordPress Plugin Advent Calendar”. In Germany, like in a lot of countries, it is a tradition to give kids a treat every day from the first of December until Christmas Eve. At RIPS, we wanted to implement this tradition for the InfoSec people. Each day we either released a vulnerability in a plugin or a core WordPress bug. Many of the plugins featured had millions of active installations and were composed of bugs in eCommerce, forums, caching, etc. Take a look here: RIPS Advent Calendar 2018.

I wrote the Calendar and found a big portion of the vulnerabilities. Credits go out to Dennis Brinkrolf and Karim Elouerghemmi, who were two amazing colleagues!