Advisories

A chronological list of vulnerabilities published by STAR Labs researchers, with technical details, affected versions, and disclosure timelines.

Advisory Nov 01, 2023

(CVE-2023-1718) Bitrix24 Denial-of-Service (DoS) via Improper File Stream Access

Summary: Product Bitrix24 Vendor Bitrix24 Severity High Affected Versions Bitrix24 22.0.300 (latest version as of writing) Tested Versions Bitrix24 22.0.300 …

ByLam Jun Rong & Li Jiantao

Advisory Nov 01, 2023

(CVE-2023-1719) Bitrix24 Insecure Global Variable Extraction

Summary: Product Bitrix24 Vendor Bitrix24 Severity High Affected Versions Bitrix24 22.0.300 (latest version as of writing) Tested Versions Bitrix24 22.0.300 …

ByLam Jun Rong & Li Jiantao

Advisory Nov 01, 2023

(CVE-2023-1720) Bitrix24 Stored Cross-Site Scripting (XSS) via File Upload

Summary: Product Bitrix24 Vendor Bitrix24 Severity High Affected Versions Bitrix24 22.0.300 (latest version as of writing) Tested Versions Bitrix24 22.0.300 …

ByLam Jun Rong & Li Jiantao

Advisory Oct 11, 2023

(CVE-2023-4197) Dolibarr ERP CRM (<= 18.0.1) Improper Input Sanitization Authenticated RCE

Summary: Product Dolibarr ERP CRM Vendor Dolibarr Severity High Affected Versions <= 18.0.1 Tested Versions 17.0.1, 18.0.1 CVE Identifier CVE-2023-4197 CVE …

ByPoh Jia Hao

Advisory Oct 11, 2023

(CVE-2023-4198) Dolibarr ERP CRM (<= 17.0.3) Improper Access Control

Summary: Product Dolibarr ERP CRM Vendor Dolibarr Severity High Affected Versions <= 17.0.3 Tested Versions 17.0.1, 17.0.3 CVE Identifier CVE-2023-4198 CVE …

ByPoh Jia Hao

Advisory Sep 29, 2023

(CVE-2023-30591) NodeBB Pre-Authentication Denial-of-Service

Summary: Product NodeBB Vendor NodeBB Severity High - Unprivileged attackers are able to cause NodeBB to crash and exit permanently Affected Versions < …

ByNgo Wei Lin

Advisory Sep 18, 2023

(CVE-2023-2315) Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2

Summary: Product OpenCart Vendor OpenCart Severity High - Adversaries may exploit software vulnerabilities to empty any file on the server with write …

ByPoh Jia Hao

Advisory Aug 28, 2023

(CVE-2023-2016) Attendize <= 2.8.0 Authenticated TOCTOU Allows Multiple Refunds Per Order

Summary: Product Attendize Vendor Attendize Severity Medium - Adversaries may exploit software vulnerabilities to achieve monetary gains. Affected Versions …

ByPoh Jia Hao

Advisory Aug 22, 2023

(CVE-2023-32523) Trend Micro Mobile Security (Enterprise) 9.8 SP5 (<= Critical Patch 3) Unauthenticated RCE

Summary: Product Trend Micro Mobile Security (Enterprise) 9.8 SP5 Vendor Trend Micro Severity Critical Affected Versions Trend Micro Mobile Security …

ByPoh Jia Hao

Advisory Aug 22, 2023

(CVE-2023-32524) Trend Micro Mobile Security (Enterprise) 9.8 SP5 (<= Critical Patch 3) Unauthenticated RCE

Summary: Product Trend Micro Mobile Security (Enterprise) 9.8 SP5 Vendor Trend Micro Severity Critical Affected Versions Trend Micro Mobile Security …

ByPoh Jia Hao