Hall of Fame
“It takes 20 years to build a reputation and five minutes to ruin it.”
Warren Buffett
Our security researchers have discovered and responsibly disclosed numerous vulnerabilities in various systems and applications. This hall of fame showcases our team's contributions to making the digital world safer.
Below is a list of publicly disclosed vulnerabilities discovered by our security research team.
CVE | Title | CVSS | Severity | Advisory |
---|---|---|---|---|
CVE-2024-46084 | Scriptcase 9.10.023 and before is vulnerable to Remote Code Execution (RCE) via the nm_unzip function. | 8.0 | 🟠 High | |
CVE-2024-46083 | Scriptcase v9.10.023 and before is vulnerable to Cross‑Site Scripting (XSS). An authenticated user can craft malicious payloads using the messages feature, which allows the injection of malicious… | 5.4 | 🟡 Medium | |
CVE-2024-46082 | Scriptcase v9.10.023 and before is vulnerable to Cross‑Site Scripting (XSS) in nm_cor.php via the form and field parameters. | 5.4 | 🟡 Medium | |
CVE-2024-46081 | Scriptcase v9.10.023 and before is vulnerable to Cross‑Site Scripting (XSS). | 5.4 | 🟡 Medium | |
CVE-2024-46080 | Scriptcase v9.10.023 and before is vulnerable to Remote Code Execution (RCE) via the nm_zip function. | 8.0 | 🟠 High | |
CVE-2024-46079 | Scriptcase v9.10.023 and before is vulnerable to Cross‑Site Scripting (XSS) in proj_new.php. | 6.1 | 🟡 Medium | |
CVE-2024-46330 | VONETS VAP11G-300 v3.3.23.6.9 contains a command‑injection vulnerability via the iptablesWebsFilterRun object. | 7.4 | 🟠 High | |
CVE-2024-46329 | VONETS VAP11G-300 v3.3.23.6.9 contains a command‑injection vulnerability via the SystemCommand object. | 8.0 | 🟠 High | |
CVE-2024-46328 | VONETS VAP11G-300 v3.3.23.6.9 contains hard‑coded credentials for several privileged accounts, including root. | 8.0 | 🟠 High | |
CVE-2024-46327 | An issue in the Http_handle object of VONETS VAP11G-300 v3.3.23.6.9 allows attackers to access sensitive files via directory traversal. | 5.7 | 🟡 Medium | |
CVE-2022-25062 | TP‑LINK TL‑WR840N(ES)_V6.20_180709 contains an integer‑overflow vulnerability in dm_checkString, allowing DoS via crafted HTTP requests. | 7.5 | 🟠 High | N/A |
CVE-2022-25064 | TP‑LINK TL‑WR840N(ES)_V6.20_180709 contains a Remote Code Execution (RCE) vulnerability via oal_wan6_setIpAddr. | 9.8 | 🔴 Critical | N/A |
CVE-2022-25061 | TP‑LINK TL‑WR840N(ES)_V6.20_180709 contains a command‑injection vulnerability via oal_setIp6DefaultRoute. | 9.8 | 🔴 Critical | N/A |
CVE-2022-25060 | TP‑LINK TL‑WR840N(ES)_V6.20_180709 contains a command‑injection vulnerability via oal_startPing. | 9.8 | 🔴 Critical | N/A |
CVE-2021-44132 | A command‑injection vulnerability in formImportOMCIShell of C‑DATA ONU4FERW V2.1.13_X139 allows arbitrary command execution via a crafted file. | 7.8 | 🟠 High | N/A |
CVE-2022-29337 | C‑DATA FD702XW‑X‑R430 v2.1.13_X001 contains a command‑injection vulnerability via the va_cmd parameter in formlanipv6, allowing arbitrary commands via crafted HTTP requests. | 9.8 | 🔴 Critical | N/A |
CVE-2015-9540 | Chamilo LMS through 1.9.10.2 allows an open redirect via link_goto.php?link_url=, related to CVE‑2015‑5503. | 6.1 | 🟡 Medium | N/A |