Neuigkeiten

Blog

• PLAYGROUND

  ROPing our way to RCE

  7. Februar 2025

  From vulnerability to exploit - this post explores the journey of developing an ARM ROP chain to exploit a buffer overflow in uc-http. Dive into the process of reverse engineering, gadget hunting, and crafting a working exploit.

• PLAYGROUND

  Exploiting SSTI in a Modern Spring Boot Application (3.3.4)

  8. Januar 2025

  Learn how to exploit Server-Side Template Injection (SSTI) in a Spring Boot application using the Thymeleaf templating engine. Special focus will be set on bypassing defenses in newer versions.

• PLAYGROUND

  Tutorial: How we learned to love the doc(umentation)

  14. Oktober 2024

  Just read documentation to get RCE?! Our colleague Theresa designed a tutorial guiding you through an OpenVPN exploit scenario — for you to try at home!

• DISCLOSURE

  Beyond the @ Symbol: Exploiting the Flexibility of Email Addresses For Offensive Purposes

  7. Juni 2024

  We exploited an unauthenticated command injection within the spam filter appliance MailCleaner that can be triggered through a malicious email address.

Advisories

• [MZ-25-01] Via Browser for Android

  27. Februar 2025

  Via Browser was affected by a universal cross-site scripting issue.

• [MZ-24-01] MailCleaner

  29. April 2024

  Unauthenticated Command Injection and XSS vulnerabilities in MailCleaner

• [MZ-23-01] Poly VoIP Devices

  29. Dezember 2023

  Several vulnerabilities in Poly VoIP devices

• [MZ-22-03] Passwordstate

  19. Dezember 2022

  Multiple high severity vulnerabilities in Passwordstate by Click Studios