Security Advisories
Vulnerabilities identified by Horizon during security assessments and research activities
Vulnerabilities identified by Horizon during security assessments and research activities
Horizon Security identified multiple Cross-Site Scripting (Stored) vulnerabilities in the management web interface exposed by some DrayTek router models. These vulnerabilities can allow an unauthenticated attacker, able to reach the home page of the interface, to inject and store malicious JavaScript code via vulnerable CGI scripts.
Thursday, 2 March 2023
Horizon Security Staff
Horizon Security discovered a Server-side request forgery (SSRF) vulnerability in ManageEngine AdSelfService Plus version 6013 and lower which allows an attacker to perform a privilege escalation attack.
Friday, 19 February 2021Horizon Security Staff
Horizon Security discovered an unquoted service path vulnerability which may allow a local user to perform a privilege escalation attacks.
Friday, 10 April 2020Horizon Security Staff
Horizon Security identified multiple XSS and CSRF vulnerabilities in the administrative interface, REST API, workspace client and openspace client of ActiveMatrix BPM. These vulnerabilities may allow an attacker to execute JavaScript code in the user browser and may trick the authenticated users of the web application into executing actions of the attacker's choosing.
Tuesday, 21 May 2019Horizon Security Staff
Horizon Security identified an XSS vulnerability in the web interface widget of Aruba Instant, which allows an attacker to execute JavaScript code in the user browser within the context of the web application.
Thursday, 28 February 2019Horizon Security Staff
Horizon Security discovered a command injection that lead to remote code execution in Xerox's AltaLink printers.
Monday, 28 January 2019Horizon Security Staff
Microsoft Sharepoint On-Premise and Online are affected by an Open Redirect vulnerability, that can be used to carry out phishing attacks.
Friday, 28 December 2018Horizon Security Staff
Horizon Security discovered a command injection that lead to remote code execution in Fastweb's FastGate router.
Thursday, 13 December 2018Horizon Security Staff
Horizon Security identified an XSS vulnerability in the "feed RSS" widget of Telligent Community application, which allows an attacker to execute JavaScript code in the user browser within the context of the web application.
Wednesday, 21 November 2018Horizon Security Staff
Horizon Security identified multiple Cross-Site Scripting vulnerabilities in Oracle PeopleSoft, which allows an attacker to execute JavaScript code in the user browser within the context of the web application.
Tuesday, 16 October 2018Horizon Security Staff
Horizon Security identified multiple Cross-Site Scripting vulnerabilities in IBM Websphere Portal, which allows an attacker to execute JavaScript code in the user browser within the context of the web application.
Tuesday, 25 September 2018Horizon Security Staff
Horizon Security identified that Avaya Aura® Orchestration Designer is vulnerable to Cross-site request forgery attacks, which allows attacker to force an unware victim user to perform administrative tasks (e.g. user creation, password change)
Friday, 21 September 2018Horizon Security Staff
Horizon Security identified a SQL injection vulnerability in RSA Archer, which allows an attacker to execute arbitrary commands against the database, for example to extract reserved data.
Friday, 31 August 2018Horizon Security Staff