MITRE CVE Numbering Authority

I ‘m proud to announce that “MITRE CVE Numbering Authority” has assigned me eleven (11) CVE numbers for vulnerabilities that I’ve discovered in last days. In details:

DFLabs PTK <= 1.0.5:

  • CVE-2012-1415 for Multiple Vulnerabilities (Steal Authentication Credentials)

Fork CMS <= 3.2.5:

  • CVE-2012-1306 for “Delete Admins or Users” and “Delete Web Pages” issues.
  • CVE-2012-1307 for “poor logic to manage sessions” form_token issue.
  • CVE-2012-1304 for XSS into private/en/blog/settings and private/en/users/index issues.
  • CVE-2012-1305 for XSS into private/en/pages/settings issue.

D-Link DSL-2640B (ADSL Router):

  • CVE-2012-1308 for CSRF Vulnerability
  • CVE-2012-1309 for Authentication Bypass

 ContaoCMS (fka TYPOlight) <= 2.11:

  • CVE-2012-1297 for CSRF (Delete Admin- Delete Article)

SyndeoCMS <= 3.0:

  • CVE-2012-1203 for CSRF Vulnerability

SocialCMS <= 1.0.2:

  • CVE-2012-1416 for CSRF Vulnerabilities

PlumeCMS <= 1.2.4:

  • CVE-2012-1414 for CSRF Vulnerability

Secunia – Contao cms (fka TYPOlight) CSRF Vulnerability

Secunia has published my new security Adsvisory regarding a new vulnerability found in latest release (and lower) of Contao CMS(fka TYPOlight). This vulnerability allows an attacker to delete administrator/users, articles, news, newsletter andmodify many other parameters.

To read Secunia’s Advisory:

To learn more about my Original Advisory:

Secunia – Webfolio cms CSRF Vulnerability

Today Secunia published a my security Adsvisory regarding a new vulnerability found in Webfolio CMS which allows to add a new administrator account, modify published web pages and change many other parameters of latest release (and below) of Webfolio CMS.

To read Secunia’s Advisory:

For know more about my original Advisory:

WebfolioCMS <= 1.1.4 CSRF (Add Admin/Modify Pages)

Today I’ve discovered a new CSRF vulnerability which affects WebfolioCMS 1.1.4 (and lower) and which allows to modify any parameter. In my Advisory I’ve demonstrated how to add a new administrator account and how to modify a published web page.

Download my Original Advisory

Some other pubblication related to this vulnerability:

IBM X-Force published my SyndeoCMS Advisory

Yesterday IBM X-Force published my Advisory regarding a new CSRF vulneability that I’ve found in SyndeoCMS
This vulnerability allows an attacker to change administrator password and gain access to the system.

IBM classified this vulnerability as “Highly Exploitable”.

For more details about IBM X-Force publication:

ContaoCMS (fka TYPOlight) 2.11 CSRF (Delete Admin- Delete Article)

ContaoCMS (fka TYPOlight) 2.11 version (and lower) in affected by a CSRF vulnerability which allows to delete administrator/users, delete article, news, newsletter and so on.
I’ve created an Advisory describing this vulnerability and the methods to exploit it:
ContaoCMS Ivano Binetti’s Advisory

Other web sites have reported my security Advisory:



IBM X-Force published my PlumeCMS Advisory

Few days ago I discovered a new CSRF vulnerability ( which affects all versions – included latest (1.2.4) – of Pluse CMS.
Today IBM X-Force published my Advisory and classified the “Exploitability:” of this vulnerability as “High”.
Fore more details: