Rhino Security Labs

Strategic & Technical Blog

Command Injection Vulnerability In Progress Flowmon

David Yesland

After our initial research into other Progress products, we decided to take a look at another Progress product, Flowmon. This led to the discovery of an unauthenticated command injection vulnerability, which when coupled with a privilege…

Authenticated Command Injection In Progress Kemp LoadMaster

Unauthenticated Command Injection In Progress Kemp LoadMaster

Ghost CMS Stored XSS Leading to Owner Takeover

Tyler Ramsbey

During research on the Ghost CMS application, the Rhino research team identified a Stored Cross-Site Scripting (XSS) vulnerability which can be triggered by a malicious profile image. This can be used for Ghost CMS instance takeover–…