SICK-2021-031 – John Deere Operations Center – Improper Authorization Allows Exposure of Sensitive Information to an Unauthorized Actor via Farming Equipment VIN API – iOS 5.1.2 and below, Android 5.1.4 and below, Web App
Title SICK-2021-031 - John Deere Operations Center - Improper Authorization Allows Exposure of Sensitive Information to an Unauthorized Actor via...
SICK-2021-012 – John Deere Account Portal – Information Disclosure – Rate Limitless Username Enumeration Via Unauthenticated Availability Look-ups.
Title John Deere Account Portal - Information Disclosure - Rate Limitless Username Enumeration Via Unauthenticated Availability Look-ups. CVE ID Not...
CVE-2021-29662 – Perl module Data::Validate::IP – Improper Input Validation of octal literals in Perl Data::Validate::IP v0.29 and below results in indeterminate SSRF & RFI vulnerabilities.
Title Perl module Data::Validate::IP - Improper Input Validation of octal literals in Perl Data::Validate::IP v0.29 and below results in indeterminate...
Universal “netmask” npm package, used by 270,000+ projects, vulnerable to octal input data: server-side request forgery, remote file inclusion, local file inclusion, and more (CVE-2021-28918)
The following research outlines a vulnerability discovered in netmask npm package that is currently used by 278,722+ other projects. The...
CVE-2021-28918 – netmask npm package – Improper Input Validation in netmask npm package v1.1.0 and below of octal literals results in indeterminate SSRF & RFI vulnerabilities.
Title netmask npm package - Improper Input Validation in netmask npm package v1.1.0 and below of octal literals results in...
Finding a Vulnerability in Teamwork Cloud Server (NoMagic, 3DS), Which Is Used By Gov/Enterprise to Design Rockets, Missiles, and Satellites.
Follow me on Twitter @sickcodes: https://twitter.com/sickcodes This research began in early September and I've been waiting on several confirmations to...
CVE-2020-25507 – NoMagic (Dassault Systèmes 3DS) Teamwork Cloud 18.0-19.0 – Incorrect Permissions Assignment for a Critical Resource Allows Arbitrary Code Execution and Local Privilege Escalation to Root.
Title NoMagic (Dassault Systèmes) Teamwork Cloud 18.0-19.0 - Incorrect Permissions Assignment for a Critical Resource Allows Arbitrary Code Execution and...
CVE-2020-28360 – private-ip npm package – Incorrect Regular Expression – Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF.
CVE ID CVE-2020-28360 CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Internal ID SICK-2020-022 Vendor private-ip Project Product private-ip Product Versions: 1.0.5 and below...
Extraordinary Vulnerabilities Discovered in TCL Android TVs, Now World’s 3rd Largest TV Manufacturer.
The following piece is the culmination of a three-month long investigation into Smart TVs running Android. Having lived through this...
CVE-2020-28055 – TCL Android Smart TV (All) – Incorrect Permission Assignment for Critical Vendor Resources – TCL Android TV Vendor Configuration & Upgrade Folders World Writable to Local Attacker
Title TCL Android Smart TV (All) - Incorrect Permission Assignment for Critical Vendor Resources - TCL Android TV Vendor Configuration...