Rhino Security Labs

Strategic Blog

CVE-2024-1212: Unauthenticated Command Injection In Progress Kemp LoadMaster

David Yesland
March 19, 2024

While researching the Progress Kemp LoadMaster load balancer we discovered an unauthenticated command injection in the administrator web interface of the appliance. This allowed full compromise of the LoadMaster if you could reach the…

Attacking AWS Cognito with Pacu (p2)

CVE-2022-26113: FortiClient Arbitrary File Write As SYSTEM

CVE-2022-25237: Bonitasoft Authorization Bypass and RCE

David Yesland

Bonita Web 2021.2 is affected by an authentication/authorization bypass vulnerability due to an overly broad filter pattern used in the API authorization filters. By appending a crafted string to the API URL, users with no privileges can…