Security Bulletins and Advisories

by Chris Davis, on Sep 10, 2019 5:43:00 AM

ADVISORY SUMMARY OpenEMR is a widely used open source medical records management tool. The latest version at the time of this research was 5.0.1(6), older versions are believed but unconfirmed …

Vulnerabilities: Cross-site Scripting, Arbitrary Remote Code Execution

by Jason Gay, on Jul 30, 2019 10:16:40 AM

ADVISORY SUMMARY AeroGrow International is a company that produces consumer hydroponic growing hardware for plants (e.g., herbs, vegetables, and flowers). The hardware product can be controlled with a mobile application …

Vulnerabilities: Incorrect Access Controls, Insecure Network Transmission

by Priyank Nigam, on Jul 25, 2019 11:22:55 AM

ADVISORY SUMMARY Dolibarr ERP & CRM is an open source and free software package that manages companies, freelancers, and foundations. The project’s official website is https://www.dolibarr.org/. The latest version of …

Vulnerabilities: Cross-site Scripting, Remote Code Execution

by Chris Davis, on Jul 24, 2019 9:00:00 AM

ADVISORY SUMMARY InterSystems Corporation is a software systems and technology vendor for government, business, and healthcare industries. The InterSystems Caché application is a high-performance object database. The latest version at …

Vulnerabilities: Stored Cross-site Scripting, Reflected Cross-site Scripting

by Thiago Campos, on May 14, 2019 9:42:57 AM

Product Vendor: Tegile Systems/Western Digital. Product Description: Tegile IntelliFlash is an enterprise storage solution, encompassing flash and hybrid arrays designed to deliver performance and economics for a wide range of …

Vulnerabilities: Password Exposure

by Priyank Nigam, on Apr 11, 2019 11:24:16 AM

Note: A full-length proof of concept is intentionally not being disclosed in the below advisory. Product Vendor: Greyhound Lines Inc. (owned by FirstGroup America Inc. – a subsidiary of FirstGroup …

Vulnerabilities: Insufficient Authentication Controls

by Chris Davis, on Mar 8, 2019 12:41:18 PM

Product Vendor: Cantemo AB. Product Description: Cantemo AB is a software systems and technology vendor for major media outlets. The Cantemo Portal application is a high-performance media asset management tool …

Vulnerabilities: Stored Cross-site Scripting, Cross-site Scripting

by Matt Hamilton, on Feb 21, 2019 10:42:58 AM

Product Vendor: Simple Finance Technology Corp. Product Description: Simple – Better Banking is an Android application that provides banking services for Simple.com. The project’s official website is Simple.com. The latest …

Vulnerabilities: Sensitive Information Disclosure

by Priyank Nigam, on Feb 19, 2019 12:30:25 PM

Product Vendor: National Railroad Passenger Corporation. Product Description: The Amtrak mobile application acts as a personal kiosk for mobile e-ticketing and guest rewards management. The application can be downloaded from the …

Vulnerabilities: Sensitive Information Disclosure, Authentication Bypass

by Nicolas Serra, on Feb 4, 2019 8:46:42 AM

Product Description: OpenMRS is a collaborative open-source project through which users can develop software to support healthcare in developing countries. In 2017, OpenMRS was implemented on more than 3,000 sites …

Vulnerabilities: Insecure Object Deserialization

by Bastien Faure, on Jan 15, 2019 1:09:16 PM

Product Description: From the vendor’s website: “Silverpeas is an open source WEB platform that improves the collaboration between the actors of a company or organization.” Silverpeas is widely used by many …

Vulnerabilities: Path Traversal

by Alex Leahu, on Nov 30, 2018 11:28:00 AM

Product Description: PhpSpreadsheet is a library written in pure PHP that provides a set of classes allowing users to read from and write to different spreadsheet file formats, such as …

Vulnerabilities: XXE Injection

Vulnerability Disclosure Policy

Bishop Fox takes security issues very seriously. We believe in coordinated disclosure, and we work closely with vendors and clients to patch vulnerabilities promptly. More on our Disclosure Policy →
