Cybersecurity is a constantly evolving field where new threats and increasingly sophisticated challenges emerge daily. To stay ahead and ensure robust protection, we dedicate 25% of our monthly time to studying, deepening technical knowledge, and conducting hands-on research.
During this time, we explore vulnerabilities in systems and identify potential exploits, contributing to the discovery of zero-day threats. This effort helps us to better understand emerging attack techniques and strengthen defenses against them.
Here’s a list of 0day vulnerabilities we’ve discovered in the wild:
PhpSpreadsheet - CVE-2024-48917
XXE via another regex bypass in the new version: the payload is encoded in UTF-7, and a comment with the value encoding="UTF-8" is added at the end of the file so that it matches the faulty regex in the code
PhpSpreadsheet - CVE-2024-47873
XXE via regex bypass by using UCS-4 and encoding guessing
PrestaShop CMS - CVE-2024-21627
Bypassing the Validate::isCleanHTML method leads to XSS in every input sanitized with that method
KiwiTCMS - CVE-2023-32686
Stored XSS with weak WAF bypass and CSP bypass in KiwiTCMS.
KiwiTCMS - CVE-2023-27489
Another Stored XSS in KiwiTCMS.
KiwiTCMS - CVE-2022-4105
Markdown injection leads to Stored XSS in KiwiTCMS library. Possible account takeover and exploitation of various endpoints.