• Spending each day immersed in penetration tests and research into the latest threats, our SpiderLabs® experts occasionally discover new vulnerabilities as a part of their work. When that happens, we follow our established disclosure policy which results in published advisories such as these. Learn more about our disclosure policy.

  • Latest Advisory

    • Advisory TWSL2016-012
    • June 23, 2016

    Multiple Vulnerabilities in Lenovo Solution Center

    The Lenovo Solution Center is a new software application created by Lenovo for Think products. The software allows users to quickly identify the status for system health, network connections and overall system security.

  • Advisory Archive

    Advisory | Title | Date
    TWSL2016-011 | Multiple Vulnerabilities in Oracle GlassFish Server Open Source Edition 3.0.1 | June 8, 2016
    TWSL2016-010 | Information Disclosure vulnerability in SAP ASE Installer | May 26, 2016
    TWSL2016-009 | Privilege Escalation Vulnerability in Lenovo Solution Center | May 11, 2016
    TWSL2016-008 | SQL injection vulnerability in SAP ASE | May 9, 2016
    TWSL2016-007 | Multiple Vulnerabilities in Cacti | April 20, 2016
    TWSL2016-006 | Multiple Vulnerabilities in Zen Cart | March 25, 2016
    TWSL2016-005 | Vulnerabilities in DevArt dotConnect for Oracle | March 10, 2016
    TWSL2016-004 | Multiple Vulnerabilities in Magnolia CMS | March 9, 2016
    TWSL2016-003 | Unsafe unlinking of files in Sophos Antivirus | March 9, 2016
    TWSL2016-002 | Multiple Vulnerabilities in iNovah | February 18, 2016
    TWSL2016-001 | Multiple Vulnerabilities in Cisco Meraki | January 13, 2016
    TWSL2015-024 | Multiple Vulnerabilities in Proxmox Mail Gateway | December 30, 2015
    TWSL2015-023 | Missing authorization check in SAP Adaptive Server Enterprise | December 9, 2015
    TWSL2015-022 | Cross-Site Scripting in VMware Virtual Center Appliance (vCSA) Web Application Console | November 17, 2015
    TWSL2015-021 | Joomla SQL Injection Vulnerability | October 22, 2015
    TWSL2015-020 | Unauthenticated Local File Inclusion Vulnerability in Oracle Open Commerce Platform 3.4 | October 20, 2015
    TWSL2015-019 | Privilege escalation vulnerability in Oracle Database | October 20, 2015
    TWSL2015-018 | Service Privilege Elevation in Lenovo System Update 5 | October 15, 2015
    TWSL2015-017 | Reflected File Download in Red Hat Feedhenry | October 9, 2015
    TWSL2015-016 | Path Traversal in Oracle GlassFish Server Open Source Edition | August 27, 2015
    TWSL2015-015 | Multiple Vulnerabilities in SAP Adaptive Server Enterprise | July 17, 2015
    TWSL2015-014 | Account Probing Vulnerability in Oracle Database | July 15, 2015
    TWSL2015-013 | Buffer Overflow Vulnerability in Oracle MySQL | July 15, 2015
    TWSL2015-012 | XSS in Oracle Java Server Faces | July 15, 2015
    TWSL2015-011 | Vulnerability in the pam_unix module in Linux-PAM | June 26, 2015
    TWSL2015-010 | Reflected Cross-site Scripting Vulnerabilities in codeBeamer | June 9, 2015
    TWSL2015-009 | Request Hijacking Bypass Vulnerability In RubyGems | June 8, 2015
    TWSL2015-008 | Multiple Vulnerabilities in SAP Adaptive Server Enterprise | May 22, 2015
    TWSL2015-007 | Request Hijacking Vulnerability In RubyGems | May 18, 2015
    TWSL2015-006 | Multiple Vulnerabilities in QlikView | May 13, 2015
    TWSL2015-005 | Blind SQL injection in XpanceNET | April 24, 2015
    TWSL2015-004 | "Probe" login access vulnerability in SAP ASE | April 23, 2015
    TWSL2015-003 | Multiple Vulnerabilities in SAP Adaptive Server Enterprise | March 19, 2015
    TWSL2015-002 | Cross-Site Scripting in Magnolia CMS | February 12, 2015
    TWSL2015-001 | Multiple Vulnerabilities in IceWarp Mail Server | February 12, 2015
    TWSL2014-016 | Reflected Cross-Site Scripting Vulnerability in VMware Virtual Center Appliance (vCSA) Web Application Console | December 5, 2014
    TWSL2014-015 | Cross Site Scripting Vulnerability in Gizmox WebGui | October 29, 2014
    TWSL2014-014 | Multiple Vulnerabilities in Gerber WebPDM Product Data Management System | October 24, 2014
    TWSL2014-013 | Privilege Escalation Vulnerability and Potential Remote Code Execution in SAP Adaptive Server Enterprise | September 12, 2014
    TWSL2014-012 | Secure Desktop Protection Bypass in 1Password for Windows | August 5, 2014
    TWSL2014-011 | Secure Desktop Protection Bypass in Keepass | August 5, 2014
    TWSL2014-010 | Multiple Vulnerabilities in Wing FTP Server | July 2, 2014
    TWSL2014-009 | Multiple Vulnerabilities in BSS Company Software | July 1, 2014
    TWSL2014-008 | Cross Site Scripting Vulnerability in Cisco ASA | May 28, 2014
    TWSL2014-007 | Multiple Vulnerabilities in Y-Cam | May 1, 2014
    TWSL2014-006 | NetSupport Manager Information Disclosure Vulnerability | April 17, 2014
    TWSL2014-005 | VPN Privilege Escalation Vulnerability in Cisco ASA | April 9, 2014
    TWSL2014-004 | Information Disclosure in the BC Collected Information Export Extension for eZ Publish CMS | March 20, 2014
    TWSL2014-003 | Blind SQL Injection Vulnerability in Tableau Server | January 24, 2014
    TWSL2014-002 | Buffer Overflow Vulnerability in DaumGame ActiveX | January 6, 2014
    TWSL2014-001 | Multiple Vulnerabilities in Franklin Fueling's TS-550 evo | January 3, 2014
    TWSL2013-034 | Path Traversal Vulnerability in WiFi HD Free | November 20, 2013
    TWSL2013-033 | Multiple Vulnerabilities in Easy File Manager | November 20, 2013
    TWSL2013-032 | Path Traversal Vulnerability in FTPDrive | November 20, 2013
    TWSL2013-031 | Information Disclosure Vulnerability in RiskNet Acquirer | November 7, 2013
    TWSL2013-030 | Multiple Vulnerabilities in Quixplorer | November 6, 2013
    TWSL2013-029 | Information Disclosure Vulnerability in QNAP Photo Station | September 27, 2013
    TWSL2013-028 | Persistent Denial of Service Vulnerability in Vino VNC Server | September 16, 2013
    TWSL2013-027 | Multiple Vulnerabilities in ajaXplorer | September 5, 2013
    TWSL2013-026 | Multiple Web Application Vulnerabilities in RockMongo | August 16, 2013
    TWSL2013-025 | Arbitrary File Upload Vulnerability in Official Nmap | August 2, 2013
    TWSL2013-024 | Cross Site Scripting (XSS) vulnerability in McAfee Superscan 4.0 | August 2, 2013
    TWSL2013-023 | Lack of Web and API Authentication Vulnerability in INSTEON Hub | August 1, 2013
    TWSL2013-022 | No Authentication Vulnerability in Radio Thermostat | August 1, 2013
    TWSL2013-021 | Multiple Vulnerabilities in Karotz Smart Rabbit | August 1, 2013
    TWSL2013-020 | Hard-Coded Bluetooth PIN Vulnerability in LIXIL Satis Toilet | August 1, 2013
    TWSL2013-018 | Multiple Vulnerabilities in OpenEMR | July 12, 2013
    TWSL2013-007 | Multiple Vulnerabilities in VLC Media Player - Web Interface | June 10, 2013
    TWSL2013-006 | Cross-Site Scripting Vulnerability in Coldbox | June 10, 2013
    TWSL2013-008 | Command Injection Vulnerabilities in Linksys Routers | May 31, 2013
    TWSL2013-002 | Multiple XSS Vulnerabilities in The Bug Genie | May 9, 2013
    TWSL2013-004 | Group Name Enumeration Vulnerability in Cisco IKE Implementation | April 18, 2013
    TWSL2012-016 | Multiple Vulnerabilities in Bitweaver | October 23, 2012
    TWSL2012-019 | Cross-Site Scripting Vulnerability in Support Incident Tracker | August 29, 2012
    TWSL2012-014 | Multiple Vulnerabilities in Scrutinizer NetFlow and sFlow Analyzer | July 27, 2012
    TWSL2012-004 | Multiple Vulnerabilities in Zen Cart | May 3, 2012
    TWSL2012-012 | Cross-Site Scripting Vulnerability in Support Incident Tracker | April 20, 2012
    TWSL2012-008 | Multiple Vulnerabilities in Scrutinizer NetFlow | April 10, 2012
    TWSL2012-005 | Cross-Site Scripting Vulnerability in osCommerce Platform | March 23, 2012
    TWSL2012-003 | Cross-Site Scripting Vulnerability in Movable Type Publishing Platform | February 24, 2012
    TWSL2012-002 | Multiple Vulnerabilities in WordPress | January 24, 2012
    TWSL2012-001 | Cross-Site Scripting Vulnerability in Textpattern Content Management System | January 3, 2012
    TWSL2011-019 | Cross-Site Scripting Vulnerability in phpMyAdmin | December 22, 2011
    TWSL2011-018 | Authentication Bypass Vulnerability in IBM TS3100/TS3200 Web User Interface | December 20, 2011
    TWSL2011-017 | Multiple Vulnerabilities in Merethis Centreon | November 4, 2011
    TWSL2011-014 | Vulnerability in Pantech Web Browser SSL Implementation | September 23, 2011
    TWSL2011-013 | Multiple Vulnerabilities in IceWarp Mail Server | September 23, 2011
    TWSL2011-008 | Focus Stealing Vulnerability in Android | August 6, 2011
    TWSL2011-007 | iOS SSL Implementation Does Not Validate Certificate Chain | July 25, 2011
    TWSL2011-006 | IBM Web Application Firewall Bypass | June 21, 2011
    TWSL2011-005 | Directory Traversal in Trustwave WebDefend Enterprise | June 17, 2011
    TWSL2011-004 | Cross-Site Scripting Vulnerability in ZyXEL ZyWALL 70 Firewall | June 10, 2011
    TWSL2011-003 | Vulnerabilities discovered in Avocent Cyclades ACS Web Manager | March 11, 2011
    TWSL2011-001 | Vulnerabilities in Trustwave WebDefend Enterprise | February 15, 2011
    TWSL2011-002 | Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways (SMCD3G-CCR) | February 4, 2011
    TWSL2010-008 | Clear iSpot/Clearspot CSRF Vulnerabilities | December 10, 2010
    TWSL2010-007 | Passlogix v-GO Self-Service Password Reset Bypass via Invalid SSL Certificate | December 10, 2010
    TWSL2010-006 | Multiple Vulnerabilities in Camtron CMNC-200 IP Camera | November 12, 2010
    TWSL2010-005 | FreePBX recordings interface allows remote code execution | September 23, 2010
    TWSL2010-003 | Unauthorized access to root NFS export on EMC Celerra Network Attached Storage (NAS) appliance | July 29, 2010
    TWSL2010-002 | Web Service Hijacking in VMWare WebAccess | March 30, 2010
    TWSL2010-001 | View state tampering vulnerabilities in products from Microsoft, Apache, and Sun Microsystems | February 3, 2010
    TWSL2009-002 | Cisco's Adaptive Security Appliance (ASA) Web VPN Multiple Vulnerabilities | June 24, 2009
    TWSL2009-001 | Profense Web Application Firewall and Load Balancer multiple vulnerabilities | May 19, 2009

  • Trustwave SpiderLabs Vulnerability Disclosure Policy

    Policy Definitions

    • The vendor is the individual, group, or company that maintains the software, hardware, or resources that are related to the vulnerability.
    • The date of contact is the point in time when Trustwave SpiderLabs initially contacts the vendor about the vulnerability.
    • All dates, times, and time zones are relative to the location of Trustwave headquarters (Chicago, IL).
    • All day counts are calendar days.

    The goals of this disclosure policy are education and risk reduction:

    • Education of the vendor about the vulnerability and risk reduction through vendor patch or workaround development.
    • Education of Trustwave SpiderLabs on how the vendor intends to fix the vulnerability and risk reduction through developing protections in Trustwave products and services.
    • Education of the information security community and the public at large about the vulnerability and risk reduction through spreading awareness of a vendor patch / workaround as well as protections and security controls that can prevent exploitation of the vulnerability.

    Policy

    1. The vendor will be given 14 days from the date of contact for an initial response. Should no contact occur by the end of 14 days, Trustwave SpiderLabs will evaluate the risk to our clients and may decide to disclose the vulnerability to its clients, at a minimum.
    2. Trustwave SpiderLabs will provide a best effort to honor requests from the vendor for additional information or help in reproducing the vulnerability. This will include providing configuration details and the scenario in which the vulnerability was discovered.
    3. The vendor is responsible for providing regular status updates regarding the resolution of the vulnerability. If the vendor discontinues communication at any stage of the process for more than 30 days after the date of contact, Trustwave SpiderLabs will view the vendor as non-responsive and will consider public disclosure.
    4. The vendor is encouraged to provide proper credit to Trustwave and to the researcher responsible for discovering the vulnerability. Suggested (minimal) credit would be: "Credit to [researcher name] from the SpiderLabs team at Trustwave for disclosing the vulnerability to [vendor name]."
    5. The vendor is encouraged to coordinate a joint public release/disclosure with Trustwave SpiderLabs so that advisories of the vulnerability and resolution can be made available together.
    6. The vendor will be given a maximum of 90 days after the date of contact to release a patch. After 90 days, Trustwave SpiderLabs will consider public disclosure.
    7. If a third party publicly discloses the vulnerability during this process, the vulnerability will be considered public and Trustwave SpiderLabs will work with the vendor on immediate disclosure.
    8. If the vulnerability is being actively exploited in the wild, Trustwave SpiderLabs will work with the vendor on an escalated disclosure timeline, potentially less than seven days after the date of contact if exploitation is occurring on a wide and public scale.
    9. Proof of concept code or technical explanation of exploitation of a vulnerability that is rated critical may be withheld for up to 14 days after public disclosure to allow time for organizations to protect themselves.