Telekom Security

Remote code execution in LDAP Account manager through CVE-2024-23333 (Exploiting web applications Part I)

During red teaming engagements, the first step is to gain a foothold in the client’s network. That might happen through a phishing attempt, malicious payloads, physical access to the client’s site or an assumed breach. But what happens once you got access to the network?

Continue Reading →

Remote buffer overflow vulnerability in SharkSSL TLS handshake processing

A new remote buffer overflow vulnerability was discovered in the latest version of the SharkSSL library from 05.05.2024 (https://github.com/RealTimeLogic/SharkSSL) by security evaluators of Deutsche Telekom Security GmbH and Deutsche Telekom AG with modern fuzzing methods.

Continue Reading →

Tuta Mail Vulnerability - Client Information Leak

An client information leak vulnerability (CVE-2024-23330) has been identified in Tuta Mail. This vulnerability could leak client information by loading external resources in the mail even if disabled.

Continue Reading →

Tuta Mail Vulnerability - DoS

A denial of service vulnerability (CVE-2024-23655) has been identified in Tuta Mail. This vulnerability could prevent users from accessing and reading received mails when an attacker sends a manipulated mail.

Continue Reading →

Apple ARKit Vulnerability - Heap Overflow

A heap corruption vulnerability (CVE-2024-44126) has been identified in several Apple products that use the ARKit component. This vulnerability could compromise the security of devices when processing a specially crafted file.

Continue Reading →

Remote buffer overflow vulnerability in SharkSSL TLS Client Key Exchange handshake processing

A new remote buffer overflow vulnerability (CVE-2024-48075) was discovered in the latest version of the SharkSSL library from 09.09.2024 (https://github.com/RealTimeLogic/SharkSSL) by security evaluators of Deutsche Telekom Security GmbH and Deutsche Telekom AG with modern fuzzing methods.

View the full advisory

Continue Reading →

Collabora Office for Android - JavaScript Injection via Links

A JavaScript Injection vulnerability (CVE-2024-45045) has been identified in Collabora Office for Android, allowing an attacker to execute arbitrary JavaScript within the context of the Android App when a victim opens a specially crafted document.

Continue Reading →

Moodle - Reflected XSS Vulnerability via H5P error message

A reflected cross-site scripting (XSS) vulnerability (CVE-2024-43439) has been identified in Moodle, allowing an attacker to execute arbitrary JavaScript within the context of a Moodle website when a victim visits a specially crafted link.

Continue Reading →