Hi
I am Tejas Pingulkar
Security Researcher 

Popular posts from this blog

CVE-2020-13474: NCH Express Accounts- Privilege Escalation

Image
  Vulnerable Software:  NCH  Express Accounts Vulnerability:  Privilege Escalation Affected Version:   8.24 and prior Vendor Homepage:   https://www.nchsoftware.com/ CVE:  CVE-2020-13474 CVE Author:  Tejas Nitin Pingulkar Exploit Available:   Y es About Affected Software Express Accounts is professional business accounting software, perfect for small businesses needing to document and report on incoming and outgoing cash flow including sales, receipts, payments and purchases. Additional Information NCH express Accounts software allows to access it over the web. A web interface provides 3 types of user Administrator User Viewer The administrator user has access to all modules including Create new invoice,  Create new quote, Create new sales order, Create new purchase order, Apply customers payment, View Credit notes, Enter new account payable, view chart of accounts, Make a payment, Receive a payment, Add new item, Add new customer, ...
Read more

CVE-2020-23446 Verint Workforce Optimization (WFO)

Image
Vulnerable Software :  Verint Workforce Optimization (WFO) Vulnerability :   Unauthenticated Information Disclosure via API Affected Version:  15.1 (15.1.0.37634) Vendor Homepage: Link CVE:   2020-23446 CVE Author:  Tejas Nitin Pingulkar Exploit Available:   POC Available About Affected Software: Verint Workforce Optimization is a suite of unified software and services for capturing interactions and managing the performance of employees across the enterprise or in targeted areas of your business, including: Back-office operations Branch operations Contact centers Financial trading rooms Additional Information : Verint WFO application provides functionality to download topology reports to authenticated users, however, using direct object reference/API unauthenticated attacker can obtain reports. Exploit: Access URL :   [IP/Domain]/wfo/rest/em-api/v1/topology/ generation Note: only most recently generated report can be obtained by the attacker Patch...
Read more

CVE-2020-13480-Verint-HTML Injection

Image
Vulnerable Software : Verint Workforce Optimization (WFO) Vulnerability:  HTML Injection Affected Version:  15.2 Vendor Homepage:    https://www.verint.com CVE:  CVE-2020-13480 CVE Author:  Tejas Nitin Pingulkar Exploit Available:  POC Available About Affected Software Verint Workforce Optimization is a suite of unified software and services for capturing interactions and managing the performance of employees across the enterprise or in targeted areas of your business, including: Back-office operations Branch operations Contact centers Financial trading rooms Additional Information Verint WFO application provides functionality to send receive emails within an application. However application fails to sanitize user input. Exploit: 1. Open send email function  2. Write your payload inside the body POC: Timeline: Initial Email Sent: 21 May 2020 — No response Followup 2: 25 May 2020 — No response Followup 3: 26 May 2020 — No response CVE Generate...
Read more