For all those interested, below is a list of the bugs I have discovered and disclosed, along with the relevant CVE/ZDI identifiers.

Command Injection:

  • Trend Micro InterScan Web Security ManagePatches filename Remote Code Execution Vulnerability
    • http://www.zerodayinitiative.com/advisories/ZDI-16-348/
    • http://esupport.trendmicro.com/solution/en-US/1114185.aspx
  • Trend Micro Deep Discovery hotfix_upload.cgi filename Remote Code Execution Vulnerability
    • CVE-2016-5840
    • http://www.zerodayinitiative.com/advisories/ZDI-16-373

SQL Injection:

  • WhatsUp Gold “Find Device” search field does not properly neutralize user input
    • CVE-2015-6004
    • https://www.kb.cert.org/vuls/id/176160
    • https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6004
  • Trend Micro Control Manager cgiCMUIDispatcher SQL Injection Remote Code Execution Vulnerability
    • ZDI-16-455
    • http://www.zerodayinitiative.com/advisories/ZDI-16-455
  • Trend Micro Control Manager AdHocQuery_CustomProfiles SQL Injection Remote Code Execution Vulnerability
    • ZDI-16-456
    • http://www.zerodayinitiative.com/advisories/ZDI-16-456
  • <Several undisclosed/protected>

Local File Disclosure:

  • otx.alienvault.com Local File Disclosure
    • http://www.korpritzombie.com/otx-alienvault-com-local-file-disclosure/
  • <One undisclosed>

XXE:

  • Trend Micro Control Manager TreeUserControl_process_tree_event External Entity Processing Information Disclosure Vulnerability
    • ZDI-16-457
    • http://www.zerodayinitiative.com/advisories/ZDI-16-457
  • Trend Micro Control Manager ProductTree External Entity Processing Information Disclosure Vulnerability
    • ZDI-16-458
    • http://www.zerodayinitiative.com/advisories/ZDI-16-458
  • Trend Micro Control Manager DeploymentPlan_Event_Handler External Entity Processing Information Disclosure Vulnerability
    • ZDI-16-459
    • http://www.zerodayinitiative.com/advisories/ZDI-16-459
  • Symantec Management Console Multiple XXE prior to ITMS 8.1 RU1, ITMS 8.0_POST_HF6 & ITMS 7.6_POST_HF7
    • CVE-2017-6323
    • https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170628_00
  • <One undisclosed/protected>

Persistent XSS:

  • Improper Neutralization of Script-Related HTML Tags in WhatsUp Gold
    • CVE-2015-6005
    • https://www.kb.cert.org/vuls/id/176160
    • https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6005
  • Symantec Management Console Multiple XSS prior to ITMS 8.1 RU1, ITMS 8.0_POST_HF6 & ITMS 7.6_POST_HF7
    • CVE-2017-6322
    • https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170628_00
  • Hack the Pentagon Bug Bounty

Reflected XSS:

  • United Airlines Bug Bounty
  • Hack the Pentagon Bug Bounty
  • Symantec Management Console Multiple XSS prior to ITMS 8.1 RU1, ITMS 8.0_POST_HF6 & ITMS 7.6_POST_HF7
    • CVE-2017-6322
    • https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170628_00
  • Dozens of others protected by NDA or undisclosed

XPath Injection:

  • Trend Micro Control Manager AdHocQuery_SelectView XPath Injection Information Disclosure Vulnerability
    • ZDI-16-460
    • http://www.zerodayinitiative.com/advisories/ZDI-16-460
  • Trend Micro Control Manager AdHocQuery_SelectView XPath Injection Information Disclosure Vulnerability (second, separately tracked advisory)
    • ZDI-16-461
    • http://www.zerodayinitiative.com/advisories/ZDI-16-461