Vulnerabilities in AgileReporter 21.3 by VERMEG
I have performed a grey-box penetration test on an "off-the-shelf" software, AgileReporter 21.3 by VERMEG.
I found an XXE and 2 Stored XSS.
I did an assignment for a client that used this 3rd-party software, and the client informed me that they had not modified anything, so I'm pretty sure the vulnerabilities that I found are in the out-of-the-box application.
Unfortunately, I have contacted the vendor 2 times, but they have not answered for 2 months so far, so I contacted MITRE for CVE numbers. The software is not open source, and I'm still waiting for access to the most recent version from them so that I can test it and figure out whether the vulnerabilities are still there.