Rhino Security Labs

Strategic & Technical Blog

CVE-2024-2389: Command Injection Vulnerability In Progress Flowmon

David Yesland

After our initial research into other Progress products, we decided to take a look at another Progress product, Flowmon. This led to the discovery of an unauthenticated command injection vulnerability, which, when coupled with a privilege…

CVE-2024-2448: Authenticated Command Injection In Progress Kemp LoadMaster

CVE-2024-1212: Unauthenticated Command Injection In Progress Kemp LoadMaster

CVE-2024-23724: Ghost CMS Stored XSS Leading to Owner Takeover

Tyler Ramsbey

During research on the Ghost CMS application, the Rhino research team identified a Stored Cross-Site Scripting (XSS) vulnerability that can be triggered by a malicious profile image. This can be used for Ghost CMS instance takeover–…