by Florian Nivette, on Sep 17, 2018 1:28:01 PM

The Wallabag application is affected by a stored cross-site scripting (XSS) vulnerability in the configuration page. This vulnerability enables the execution of a JavaScript payload each time an …

Vulnerabilities: Stored Cross-site Scripting

by Florian Nivette, on Sep 17, 2018 1:25:59 PM

Product Description: Subsonic is an open source web media server that enables the management of media resources such as music or videos. Its official website is www.subsonic.org. The version affected …

Vulnerabilities: Stored Cross-site Scripting, Reflected Cross-site Scripting

by Florian Nivette, on Aug 30, 2018 12:12:22 PM

Product Description: CremeCRM is an open source CRM. It allows organizations to manage business data concerning customers, invoices, orders, and products. Its official website is www.cremecrm.com, and source code can …

Vulnerabilities: Stored Cross-site Scripting, Reflected Link Manipulation

by Florian Nivette, on Jun 6, 2018 10:45:00 AM

Release Date (Vendor Patch): May 11, 2018; Reported Date: May 3, 2018; Vendor: Jirafeau; Version Affected: 3.3.0. Summary: Jirafeau is an open source file sharing web application, distributed under an …

Vulnerabilities: Stored Cross-site Scripting, Reflected Cross-site Scripting, Cross-site Request Forgery

by Baker Hamilton, on May 14, 2018 2:29:15 PM

Reported Date: January 8, 2018; Vendor: SolarWinds; Version Affected: Serv-U 15.1.6.25. Summary: SolarWinds Serv-U MFT 15.1.6.25 assigns authenticated users a low-entropy session token that can be included in requests to …

Vulnerabilities: Insufficient Session ID Entropy

by Baker Hamilton, on May 11, 2018 3:52:28 PM

Reported Date: January 8, 2018; Vendor: SolarWinds; Systems Affected: Serv-U 15.1.6.25. Summary: A denial-of-service vulnerability in SolarWinds Serv-U 15.1.6.25 allows an authenticated user to crash the application (with a NULL …

Vulnerabilities: Denial of Service

by Nick Freeman, on Oct 10, 2017 11:33:00 AM

Patch Date: October 10, 2017; Reported Date: March 7, 2017; Vendor: Microsoft Corporation; Systems Affected: Windows 8 through Windows 10, and Windows Server 2012 through 2016. Summary: High-risk memory corruption …

Vulnerabilities: Memory Corruption

by Zach Julian, on Jun 23, 2017 1:24:27 PM

Patch Date: May 25, 2017; Reported Date: February 23, 2017; Vendor: ATMAIL; Systems Affected: atmail 7. Summary: A stored XSS vulnerability was identified in the webmail component of atmail 7 …

Vulnerabilities: Cross-site Scripting

by Baker Hamilton, on May 12, 2017 2:38:58 PM

Patch Date: April 10, 2017; Reported Date: February 7, 2017; Vendor: SolarWinds; Systems Affected: SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4. Summary: The Bishop Fox assessment team …

Vulnerabilities: Arbitrary Command Injection

by Baker Hamilton, on May 12, 2017 2:26:42 PM

Patch Date: April 10, 2017; Reported Date: February 7, 2017; Vendor: SolarWinds; Systems Affected: SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4. Summary: An improper access control vulnerability …

Vulnerabilities: Improper Access Control

by Jake Miller, on Dec 21, 2016 9:29:20 AM

Patch Date: Dec. 21, 2016; Vendor: Cisco; Systems Affected: Cisco Jabber Guest Server. Summary: A vulnerability in the Cisco Jabber Guest Server could allow an unauthenticated, remote attacker to initiate …

Vulnerabilities: Redirection

by Shubham Shah, on Sep 8, 2016 2:32:42 PM

Release Date: Sept. 15, 2016; Patch Date: Aug. 26, 2016; Reported Date: May 21, 2016; Vendor: Accellion; Systems Affected: Versions of the appliance prior to version kw2016.03.0. Summary: Three vulnerabilities …

Vulnerabilities: Path Traversal, Cross-site Scripting, Incorrect Default Permissions

Vulnerability Disclosure Policy

Bishop Fox takes security issues very seriously. We believe in coordinated disclosure, and we work closely with vendors and clients to patch vulnerabilities promptly.
