@Drive version 2.8 suffers from a local file inclusion vulnerability.
>> CATEGORY: exploit
Windows CG APIs, which take encrypted keys, do not limit what encryption or checksum types can be used with those keys. This can result in using weak encryption algorithms which…
Windows Credential Guard does not prevent using encrypted Kerberos keys to change a user’s password, leading to elevation of privilege.
AirDisk version 7.5.5 suffers from a persistent cross site scripting vulnerability.
mbDrive Lite WiFi Flash Disk version 1.4.0 suffers from a cross site scripting vulnerability.
Online Notice Board 2022 suffers from a remote SQL injection vulnerability.
On Windows, the CG API KerbIumCreateApReqAuthenticator can be used to decrypt arbitrary encrypted Kerberos keys, leading to information disclosure.
InTouch Access Anywhere Secure Gateway versions 2020 R2 and below suffer from a path traversal vulnerability.
On Windows, the KerbIumGetNtlmSupplementalCredential CG API does not check the encryption key type, leading to information disclosure of key material.
On Windows, the Kerberos ticket renewal process can be used with CG to get an unencrypted TGT session key for a currently authenticated user, leading to information disclosure.