CVE

The author has identified several CVEs and has collaborated with friends and colleagues within the organization to identify some of them. Below is a list of the identified CVEs:

1. ClipBucket
   • CVE: CVE-2018-7664, CVE- 2018-7665 and CVE-2018-7666
   • Vulnerabilities: OS Command Injection, Arbitrary File Upload and SQL Injection
   • Reference: https://sec-consult.com/vulnerability-lab/advisory/os-command-injection-arbitrary-file-upload-sql-injection-in-clipbucket
   • Reference: https://portswigger.net/daily-swig/sec-consult-broadcasts-raft-of-clipbucket-vulnerabilities
2. I, Librarian PDF Manager
   • CVE: CVE-2017-1000234, CVE-2017-1000235, CVE-2017-1000236 and CVE-2017-1000237
   • Vulnerabilities: OS Command Injection, SSRF, Directory Enumeration and Reflected XSS
   • Reference: https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-19/
   • Reference: https://i-librarian.net/article.php?id=9
3. InvoicePlane
   • CVE: CVE- 2017-1000238 and CVE- 2017-1000239
   • Vulnerabilities: Arbitrary File Upload and Stored XSS
   • Reference: https://sec-consult.com/vulnerability-lab/advisory/arbitrary-file-upload-stored-xss/
4. MyBB Forum
   • CVE: CVE-2017-7566
   • Vulnerability: Server Side Request Forgery (SSRF)
   • Reference: https://sec-consult.com/vulnerability-lab/advisory/server-side-request-forgery-ssrf-vulnerability/
   • Reference: https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/
5. MyBiz MyProcureNet
   • CVE: VE-2018- 11090 and CVE-2018-11091
   • Vulnerabilities: Arbitrary File Upload and Refelected Cross-site Scripting
   • Reference: https://sec-consult.com/vulnerability-lab/advisory/arbitrary-file-upload-cross-site-scripting-in-mybiz-myprocurenet/
   • Reference: https://portswigger.net/daily-swig/critical-flaw-found-in-mybiz-procurement-software
6. OpenEMR
   • CVE: CVE-2018-1000019 and CVE-2018-1000020
   • Vulnerabilities: OS Command Injection and Reflected Cross Site Scripting
   • Reference: https://sec-consult.com/vulnerability-lab/advisory/os-command-injection-reflected-cross-site-scripting-in-openemr/
7. phpBB
   • CVE: CVE-2 017-1000419
   • Vulnerability: Server Side Request Forgery (SSRF)
   • Reference: https://sec-consult.com/vulnerability-lab/advisory/phpbb-server-side-request-forgery-vulnerability/
   • Reference: https://www.phpbb.com/community/viewtopic.php?f=14&p=14782136