Fri 22 February 2019
Exploitation and mitigation bypasses for the new Drupal 8 RCE (SA-CORE-2019-003, CVE-2019-6340), targeting the REST module.
Wed 17 May 2017
Few months ago Ambionics Security team had the chance to audit Oracle PeopleSoft solutions. PeopleSoft applications contain a lot of unauthenticated endpoints with several not well documented XXE vulnerabilities. We'll show how you can get a full SYSTEM shell from that.
Thu 06 April 2017
Ambionics Security team discovered a pre-authentication SQL Injection in TYPO3 News module. This module is the 20th most used module of TYPO3 with almost 60,000 downloads.
Wed 08 March 2017
While working on the Drupal module Services, the Ambionics Security team discovered a critical remote code execution vulnerability.
Tue 21 February 2017
Some times ago the Ambionics team encountered a very old instance of Grails which contained a plugin to generate PDFs from Groovy templates. Upon looking for the plugin's source code we discovered an XXE vulnerability.
Fri 20 January 2017
As a new year comes, it is a good time to review two high impact vulnerabilities that were discovered four years apart, but that are in fact rooted in the same piece of code.
Check our offensive & continuous web security assessment service