HackerHood, porta avanti una iniziativa di ricerca dei bug (c.d. Bug Hunting) nella quale i ricercatori di sicurezza, all’interno di un gruppo stimolante, rilevano bug di sicurezza su prodotti software ed hardware non documentati che poi vengono trasmessi ai rispettivi vendor attraverso un approccio di Coordinated Vulnerability Disclosure (CVD).
Ad oggi le CVE emesse dal gruppo HackerHood dal 2022 ammonta a 14 CVE.
I credits relativi alle CVE emesse sono del rispettivo ricercatore di sicurezza che le ha trovate. Dovrà essere riportato accanto al suo nome (Member of HackerHood Research Group). Tutte le CVE, una volta emesse, verranno pubblicate sul portale Red Hot Cyber dando ampia visibilità al ricercatore di sicurezza che le ha scoperte.
Per conoscere come aderire al programma invia una email alla casella di posta redazione@redhotcyber.com
CVE-2022-0342
Zyxel
Ricercatore: Alessandro Sgreccia
Reference NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-0342
CVS Score : 9.8
Descrizione: The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out.
Per maggiori dettagli fate riferimento al seguente link
CVE-2024-33905
Telegram
Ricercatore: Pedro Baptista
Reference NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-33905
CVS Score : In corso di Valutazione
Descrizione: In Telegram WebK before 2.0.0 (488), a crafted Mini Web App allows XSS via the postMessage web_app_open_link event type.
Per maggiori dettagli fate riferimento al seguente link
CVE-2023-27991
Zyxel
Ricercatore: Alessandro Sgreccia
Reference NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-27991
CVS Score : 8.8
Descrizione: The post-authentication command injection vulnerability in the CLI command of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker to execute some OS commands remotely.
Per maggiori dettagli fate riferimento al seguente link
CVE-2022-27909
Jdownload
Ricercatore: Massimo Chirivì
Reference NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-27909
CVS Score : 4,3
Descrizione: In Joomla component ‘jDownloads 3.9.8.2 Stable’ the remote user can change some parameters in the address bar and see the names of other users’ files
Per maggiori dettagli fate riferimento al seguente link
CVE-2024-7203
Zyxel
Ricercatore: Alessandro Sgreccia & Manuel Roccon
Reference NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-7203
CVS Score : 7.2
Descrizione: A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4.60 through V5.38 and USG FLEX series firmware versions from V4.60 through V5.38 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device by executing a crafted CLI command.
Per maggiori dettagli fate riferimento al seguente link
CVE-2024-9677
Zyxel
Ricercatore: Alessandro Sgreccia
Reference NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-9677
CVS Score : 5.5
Descrizione: The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out.
Per maggiori dettagli fate riferimento al seguente link
CVE-2024-5960
Zyxel
Ricercatore: Alessandro Sgreccia
Reference NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-5960
CVS Score : 5.5
Descrizione: An improper privilege management vulnerability in the hotspot feature of the Zyxel USG FLEX series firmware versions 4.50 through 5.37 and VPN series firmware versions 4.30 through 5.37 could allow an authenticated local attacker to access the system files on an affected device.
Per maggiori dettagli fate riferimento al seguente link
CVE-2023-5797
Zyxel
Ricercatore: Alessandro Sgreccia
Reference NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-5797
CVS Score : 5.5
Descrizione: An improper privilege management vulnerability in the debug CLI command of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, VPN series firmware versions 4.30 through 5.37, NWA50AX firmware version 6.29(ABYW.2), WAC500 firmware version 6.65(ABVS.1), WAX300H firmware version 6.60(ACHF.1), and WBE660S firmware version 6.65(ACGG.1), could allow an authenticated local attacker to access the administrator’s logs on an affected device.
Per maggiori dettagli fate riferimento al seguente link
CVE-2023-5650
Zyxel
Ricercatore: Alessandro Sgreccia
Reference NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-5650
CVS Score : 5.5
Descrizione: An improper privilege management vulnerability in the ZySH of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37, could allow an authenticated local attacker to modify the URL of the registration page in the web GUI of an affected device.
Per maggiori dettagli fate riferimento al seguente link
CVE-2023-4397
Zyxel
Ricercatore: Alessandro Sgreccia
Reference NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-4397
CVS Score : 4.4
Descrizione: A buffer overflow vulnerability in the Zyxel ATP series firmware version 5.37, USG FLEX series firmware version 5.37, USG FLEX 50(W) series firmware version 5.37, and USG20(W)-VPN series firmware version 5.37, could allow an authenticated local attacker with administrator privileges to cause denial-of-service (DoS) conditions by executing the CLI command with crafted strings on an affected device.
Per maggiori dettagli fate riferimento al seguente link
CVE-2023-37925
Zyxel
Ricercatore: Alessandro Sgreccia
Reference NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-37925
CVS Score : 5.5
Descrizione: An improper privilege management vulnerability in the debug CLI command of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, VPN series firmware versions 4.30 through 5.37, NWA50AX firmware version 6.29(ABYW.2), WAC500 firmware version 6.65(ABVS.1), WAX300H firmware version 6.60(ACHF.1), and WBE660S firmware version 6.65(ACGG.1), could allow an authenticated local attacker to access system files on an affected device.
Per maggiori dettagli fate riferimento al seguente link
CVE-2023-37926
Zyxel
Ricercatore: Alessandro Sgreccia
Reference NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-37926
CVS Score : 5.5
Descrizione: A buffer overflow vulnerability in the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37, could allow an authenticated local attacker to cause denial-of-service (DoS) conditions by executing the CLI command to dump system logs on an affected device.
Per maggiori dettagli fate riferimento al seguente link
CVE-2024-1575
Zyxel
Ricercatore: Alessandro Sgreccia
Reference NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-1575
CVS Score : 6.5
Descrizione: The improper privilege management vulnerability in the Zyxel WBE660S firmware version 6.70(ACGG.3) and earlier versions could allow an authenticated user to escalate privileges and download the configuration files on a vulnerable device.
Per maggiori dettagli fate riferimento al seguente link
CVE-2023-27990
Zyxel
Ricercatore: Alessandro Sgreccia
Reference NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-27990
CVS Score : 4.8
Descrizione: The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device.
Per maggiori dettagli fate riferimento al seguente link