Publicly Released Advisories

Informatica Powercenter Admin XSS

This advisory was reported to the vendor through HackerOne as bug bounty report #448831. The issue allowed a semi-permanent XSS to be leveraged for credential theft on the administration interface.
The hall of fame mention is here

Multiple XSS on Phproject

Some filters were missing in the view templates where dynamic content was being passed, allowing for stored XSS which could be leveraged to steal administrative sessions. This issue arose because XSS filters weren't enabled consistently in the framework.

Arbitrary File Access (CVE-2017-9883)

This advisory covers an issue with the web server (BOA Web Server 0.94.14) commonly used in embedded devices; in this particular instance it could be leveraged to pull OS files from cameras via an unfiltered FILECAMERA parameter.

Arbitrary File Download on WP Plugin

The WordPress plugin Membership Simplified v1.58 allows files to be downloaded without authentication. This allowed for download of configuration files. The issue was in the download_file parameter, which lacked any restriction on the files and folders it could reference.

RCE on Multiple WP Plugins

A number of plugins contained an RCE based on the way they handled file uploads; this script led to multiple CVEs, listed below with the affected plugins:
1. Zen App Mobile Native <=3.0 (CVE-2017-6104)
2. WordPress Plugin webapp-builder v2.0 (CVE-2017-1002002)
3. WordPress Plugin wp2android-turn-wp-site-into-android-app v1.1.4 (CVE-2017-1002003)
4. WordPress Plugin mobile-app-builder-by-wappress v1.05 (CVE-2017-1002001)
5. WordPress Plugin mobile-friendly-app-builder-by-easytouch v3.0 (CVE-2017-1002000)

Arbitrary File Download Book Plugin

The WordPress plugin Aspose Cloud eBook Generator allows files to be downloaded without authentication. The plugin contains a feature to download generated e-books.
This feature inadvertently enabled the retrieval of configuration files through the file parameter.

The code in the aspose_posts_exporter_download.php file lacked appropriate constraints on the files and folders that could be requested, so critical configuration files could be downloaded through a directory traversal, which escalates the attack beyond the application itself to the backend database.

RCE on WP User Frontend

The WP User Frontend plugin, a membership plugin, was found to lack filters on how it uploaded files via the wpuf_file parameter; this allowed a user to upload an executable file to the backend and call the web shell via the media folders. The issue affected plugin versions < 2.3.11.