Cve on Marc-Oliver Munz

CVE-2024-24230 RCE via SSTI in Komm.One CMS 10.4.2.14

Wed, 15 Nov 2023 14:12:02 +0100

TL;DR

I uncovered a critical Remote Code Execution vulnerability in Komm.One’s Content Management System version 10.4.2.14. Initially, I identified a Server-Side Template Injection (SSTI) flaw in the Velocity template engine, leading to the execution of arbitrary code and affecting several hundred sites. It is noteworthy that all vulnerable instances have now been fixed.

CVE-2023-25295 ATO via rXSS in eVEWA3 Community

Wed, 08 Mar 2023 12:00:00 +0100

TL;DR

The GRÜN eVEWA Community versions 31 to 53 were susceptible to a reflected Cross-Site Scripting (rXSS) vulnerability in the login form. This vulnerability enables attackers to acquire escalated privileges by submitting a crafted request to the login panel. To address this issue, a security patch labeled “H1” has been applied across versions 31 to 53.