Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup

Vendor: ParcelTrack Vendor URL: https://www.parceltrack.de/ Versions affected: ParcelTrack Android Version 3.3, ParcelTrack iOS Version 3.3 Author: Dan Hastings – dan.hastings[at]nccgroup[dot]com Summary Upon start of the ParcelTrack application any data contained on the global pasteboard (iOS) or clipboard (Android) will be sent to Parcel Track’s servers. Impact Sensitive PII such as credit card numbers and passwords … Continue reading Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup

Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches

Multiple vulnerabilities were found in Netgear ProSafe Plus JGS516PE switches that may pose a serious risk to their users. The most critical vulnerability could allow unauthenticated users to gain arbitrary code execution. The following vulnerabilities were the most relevant identified during the internal research: Unauthenticated Remote Code Execution (CVE-2020-26919)NSDP Authentication Bypass (CVE-2020-35231)Unauthenticated Firmware Update Mechanism … Continue reading Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches

Technical Advisory – Linksys WRT160NL – Authenticated Command Injection (CVE-2021-25310)

Current Vendor: Belkin (Linksys) Vendor URL: https://www.linksys.com/sg/p/P-WRT160NL/ Versions affected: 1.0.04 build 2 (FW_WRT160NL_1.0.04.002_US_20130619_code.bin) Systems Affected: Linksys WRT160NL Authors: Manuel Ginés - Manuel.Gines[at]nccgroup[dot]com && Diego Gómez Marañón – Diego.GomezMaranon[at]nccgroup[dot]com CVE Identifier: CVE-2021-25310 Risk: 8.8 (High) - AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Summary The Linksys WRT160NL is a switch device initially owned by Cisco and, after the sale of its respective … Continue reading Technical Advisory – Linksys WRT160NL – Authenticated Command Injection (CVE-2021-25310)