Date: Fri, 25 Sep 2020 14:17:52 -0700
From: Ken <catatonicprime@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Regarding the semi-recent OnBase vulnerabilities

In response to the recent OnBase v19.8.9.1000 and v18.0.0.32 vulnerability disclosures a few weeks ago, Hyland has maintained they have been unable to replicate the issues. Moreover, they assert that the disclosures from Adaptive Security Consulting on behalf of one of their mutual clients were never received.

I am, probably like many of us, wary of a corporate entity claiming a researcher is inaccurate in their disclosures. I believe pretty fully that these vulnerabilities exist in these specific releases. But I've spent some time hunting in a later version that I have access to, and I have been unable to find the somewhat rampant-sounding bugs. So I'm thinking they may be patched in later versions?

I've been hunting in the mobile endpoints and in the web endpoints. I haven't had success intercepting traffic in the thick client, though, but that's definitely gotta be a PEBKAC issue on my part.

So, my burning question(s) for the list is: what's the truth? How far does it extend? Does it stop at the reported versions? Less than that? Has anyone been able to independently verify them?

I'm hoping the researchers are willing to share additional details in lieu of the continued response from Hyland that they too cannot find them; and I'm sure any additional guidance would be helpful to anyone trying to patch manage these systems.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/