Our security experts regularly find new, previously unknown (zero-day) vulnerabilities during penetration tests. If such a finding does not directly affect one of our customers but rather a manufacturer whose product is in the public interest, we report the details of the zero-day vulnerability exclusively to the manufacturer of the affected component. To protect its clients, the manufacturer is granted a reasonable period of time to resolve the problem and to roll out the corresponding patches to client systems before details of the vulnerability are published.
The following is a selection of relevant zero-day vulnerabilities found by AIT:
- SexyPolling: SQL Injection (English; Date: 08.04.2022)
- ForkCMS: PHP Object Injection
- QCubed: Cross Site Scripting
- QCubed: SQL Injection
- QCubed: PHP Object Injection
- Creative Contact Form: Directory Traversal
- OkayCMS: Unauthenticated remote code execution
- FreeRadius: Privilege Escalation via Logrotate
- Privilege Escalation via Logrotate in Gitlab Omnibus
- LXC CVE-2015-1331 Local Directory Traversal Vulnerability
- LXC '/lxc/attach.c' Remote Code Execution Vulnerability
- LXC CVE-2015-1335 Directory Traversal Vulnerability
- LXC CVE-2016-8649 Directory Traversal Vulnerability