Security Research Publications
November, 2021 - Nagios Cross-Platform Agent (NCPA)
Product: Nagios Cross-Platform Agent (NCPA)
Vendor: Nagios Enterprises
Affected Version(s): 2.0 to 2.3.1
Author(s): Altion Malka
Reference(s): https://github.com/NagiosEnterprises/ncpa/issues/830, writeup
Security Vulnerabilities:
- CVE-2021-43584 - DOM-based XSS via ‘name’ element of ‘Tail Event Logs’ functionality in Nagios Cross-Platform Agent (NCPA) versions 2.0 to 2.3.1
The vulnerability was introduced in NCPA 2.0 and is present in every release up to and including 2.3.1.
April 5, 2021 - Pentaho Business Analytics
Product: Pentaho Business Analytics
Vendor: Hitachi Vantara
Affected Version(s): 9.1.0.0 build 324
Author(s): Alberto Favero (HawSec) & Altion Malka
Reference(s): HVPENT210401-Pentaho-BA-Security-Assessment-Report-v1_1.pdf
Security Vulnerabilities:
- CVE-2021-31599 - Remote Code Execution through Pentaho Report Bundles
- CVE-2021-34684 - Unauthenticated SQL Injection via Dashboard Editor at ‘/api/repos/dashboards/editor’ endpoint
- CVE-2021-31601 - Insufficient Access Control of Data Source Management Service
- CVE-2021-31602 - Authentication Bypass of Spring APIs
- CVE-2021-31600 - Jackrabbit User Enumeration
- CVE-2021-34685 - Bypass of Filename Extension Restrictions at ‘/pentaho/UploadService’ endpoint
May 9, 2017 - deepin-session-ui
Product: deepin-session-ui
Vendor: Deepin (Wuhan deepin Technology Co.,Ltd.)
Affected Version(s): 4.0.6
Author(s): Altion Malka
Reference(s): Writeup
Security Vulnerabilities:
- Local Authentication Bypass in deepin-session-ui 4.0.6