<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
<channel>
  <title>Vulnerabilities! - Zero Science Lab</title>
  <description>Zero Science Lab - Macedonian information security research and development laboratory</description>
  <link>https://www.zeroscience.mk</link>
  <language>en-us</language>

  <lastBuildDate>Sunday, 12 Apr 2026 19:35:59 +0200</lastBuildDate>

  <image>
    <title>Zero Science Lab</title>
    <width>144</width><height>400</height>
    <link>http://www.zeroscience.mk</link>
    <url>https://www.zeroscience.mk/images/rss.gif</url>
  </image>

<item>
<title>Pachno 1.0.6 FileCache Deserialization Remote Code Execution</title>
<link>https://www.zeroscience.mk/#/advisories/ZSL-2026-5986</link>
<pubDate>Sunday, 12 Apr 2026 19:35:00 +0200</pubDate>
<description>The application uses unserialize() function on the contents of cache files stored under {PACHNO_PATH}/cache/ during the framework bootstrap sequence, before any authentication, routing, or controller logic is executed. Cache files are created with world-writable permissions (chmod 0666) and use deterministic, predictable filenames derived from a small set of constants. An attacker who can write to the cache directory can inject a serialized PHP object payload that triggers arbitrary code execution on the next HTTP request.</description>
</item>

<item>
<title>Pachno 1.0.6 (runSwitchUser()) Remote Vertical Privilege Escalation</title>
<link>https://www.zeroscience.mk/#/advisories/ZSL-2026-5985</link>
<pubDate>Sunday, 12 Apr 2026 19:34:00 +0200</pubDate>
<description>The authorization check in the runSwitchUser() action evaluates the expression !canSaveConfiguration() &amp;&amp; !hasCookie('original_username') and only forbids the request when both subexpressions are true. The presence of the original_username cookie is sufficient to satisfy the second condition, and that cookie is fully client-controlled. An authenticated low-privilege user who sets original_username to any value and then issues a request to switch to user ID 1 receives a fresh session token (token authentication) or password hash cookie (password authentication) belonging to the target user. This can be exploited to elevate privileges to administrator and impersonate arbitrary user accounts.</description>
</item>

<item>
<title>Pachno 1.0.6 Wiki TextParser XXE Vulnerability</title>
<link>https://www.zeroscience.mk/#/advisories/ZSL-2026-5984</link>
<pubDate>Sunday, 12 Apr 2026 19:33:00 +0200</pubDate>
<description>Input passed via wiki table syntax ({|..., |-..., |...||...) and allowed inline tags (&lt;span&gt;, &lt;div&gt;, &lt;blockquote&gt;, etc.) in issue descriptions, comments, and wiki articles is concatenated into XML strings and parsed by simplexml_load_string() in the TextParser helper without setting LIBXML_NONET or otherwise restricting entity resolution. On PHP installations linked against libxml2 &lt; 2.9.0 (where external entity loading is enabled by default), this can be exploited to read arbitrary local files via the file:// scheme, perform server-side request forgery against internal services via the http:// scheme, and exfiltrate the response body through reflected XML attribute values. Successful exploitation requires an authenticated session with permission to create or edit content that is rendered through the wiki parser. On PHP 7.4+ installations with libxml2 &gt;= 2.9.0 the vulnerability is mitigated by the underlying library but the unsafe code pattern remains.</description>
</item>

<item>
<title>Pachno 1.0.6 Cross-Site Request Forgery</title>
<link>https://www.zeroscience.mk/#/advisories/ZSL-2026-5983</link>
<pubDate>Sunday, 12 Apr 2026 19:33:00 +0200</pubDate>
<description>CSRF protection in the application is opt-in via the @CsrfProtected annotation and the csrf_enabled route flag, both of which are absent from a large set of state-changing endpoints including login, registration, logout, file upload, milestone editing, group/role/team/client/user administration, and Livelink commit posting. No same-origin enforcement, anti-CSRF token, or SameSite=Strict cookie attribute is in place to compensate. This can be exploited to perform arbitrary actions in context of an authenticated user, including forced logout, account creation by an admin, role modification, comment injection, and file upload. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.</description>
</item>

<item>
<title>Pachno 1.0.6 (uploadfile) Unrestricted File Upload Remote Code Execution</title>
<link>https://www.zeroscience.mk/#/advisories/ZSL-2026-5982</link>
<pubDate>Sunday, 12 Apr 2026 13:37:00 +0200</pubDate>
<description>The multipart file parameter to the /uploadfile endpoint allows authenticated users to upload files directly to the server. File upload must be enabled by an admin, who can also configure the storage path, within a web-accessible /public directory. Extension filtering is ineffective. Although a blacklist exists, it is never used (dead code), allowing arbitrary file types such as .php5 to be uploaded. Files are stored on disk regardless of permission checks. If the upload path is web-accessible, uploaded scripts can be executed, leading to remote code execution.</description>
</item>

<item>
<title>Pachno 1.0.6 (return_to) Open Redirection</title>
<link>https://www.zeroscience.mk/#/advisories/ZSL-2026-5981</link>
<pubDate>Sunday, 12 Apr 2026 11:30:00 GMT</pubDate>
<description>Input passed via the return_to GET/POST parameter to the login endpoint is not properly verified before being used to redirect users. The _getLoginForwardUrl() helper applies htmlentities() to the value, a function intended for HTML output encoding that does not validate URL schemes or hosts, and then issues a Location header with the unmodified URL. This can be exploited to redirect a user to an arbitrary external website and conduct phishing attacks.</description>
</item>

<item>
<title>Pachno 1.0.6 Stored Cross-Site Scripting</title>
<link>https://www.zeroscience.mk/#/advisories/ZSL-2026-5980</link>
<pubDate>Sunday, 12 Apr 2026 11:24:00 GMT</pubDate>
<description>Input passed to the POST parameters value, comment_body, article_content, description and message via multiple controllers is not properly sanitised before being stored in the database and returned to the user. The application explicitly bypasses its own htmlspecialchars() sanitiser by calling Request::getRawParameter() or Request::getParameter($name, null, false). This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.</description>
</item>

<item>
<title>Honeywell Trend IQ4xx BMS Controller Unauthenticated Remote Web-HMI Control And Lockout</title>
<link>https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5979.php</link>
<pubDate>Monday, 02 Mar 2026 00:13:37 GMT</pubDate>
<description>The IQ4xx building management controller, manufactured by Honeywell, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System User (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.</description>
</item>

<item>
<title>Tattile Cameras 1.181.5 Unauthenticated RTSP Stream Disclosure</title>
<link>https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5978.php</link>
<pubDate>Tuesday, 24 Feb 2026 16:54:37 GMT</pubDate>
<description>The Tattile cameras suffer from unauthenticated and unauthorized access to the live RTSP video stream.</description>
</item>

<item>
<title>Tattile Cameras 1.181.5 Use of Default Credentials</title>
<link>https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5977.php</link>
<pubDate>Tuesday, 24 Feb 2026 16:54:37 GMT</pubDate>
<description>The Tattile cameras ship with default credentials that remain active after installation and commissioning without enforcing a mandatory password change.</description>
</item>

<item>
<title>Tattile Cameras 1.181.5 Insufficient Token (X-User-Token) Expiration</title>
<link>https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5976.php</link>
<pubDate>Tuesday, 24 Feb 2026 16:54:37 GMT</pubDate>
<description>The application suffers from insufficient session expiration. This occurs when the web application permits an attacker to reuse old session credentials or tokens for authorization. Insufficient session expiration increases the device's exposure to attacks that steal or reuse users' session identifiers.</description>
</item>

<item>
<title>eNet SMART HOME server 2.3.1 (setUserGroup) Remote Privilege Escalation</title>
<link>https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5975.php</link>
<pubDate>Saturday, 14 Feb 2026 22:42:37 GMT</pubDate>
<description>The eNet Smart Home system suffers from a privilege escalation vulnerability due to insufficient authorization checks in the JSON-RPC endpoint for user management. A low-privileged user can exploit the &quot;setUserGroup&quot; method by sending a crafted POST request to /jsonrpc/management, specifying their own username and elevating it to the &quot;UG_ADMIN&quot; group. This bypasses intended access controls, granting the attacker administrative capabilities such as modifying device configurations and network settings, and potentially compromising the entire smart home ecosystem.</description>
</item>

<item>
<title>eNet SMART HOME server 2.3.1 (resetUserPassword) Account Takeover</title>
<link>https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5974.php</link>
<pubDate>Saturday, 14 Feb 2026 22:42:37 GMT</pubDate>
<description>The eNet Smart Home system contains an authorization flaw in the resetUserPassword functionality that allows any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups, without supplying the current password or having sufficient privileges. By sending a crafted JSON-RPC request, an attacker can overwrite existing credentials. This is a direct account takeover via improper authorization, resulting in full administrative access and persistent privilege escalation.</description>
</item>

<item>
<title>eNet SMART HOME server 2.3.1 (deleteUserAccount) Arbitrary User Deletion</title>
<link>https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5973.php</link>
<pubDate>Saturday, 14 Feb 2026 22:42:37 GMT</pubDate>
<description>The eNet Smart Home system contains an authorization weakness in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce proper role-based access control on this function, allowing a standard user to submit a crafted request specifying another username and have that account removed without elevated permissions or additional confirmation. This enables unauthorized user management actions, leading to denial of service against legitimate users, disruption of operations, and potential concealment of malicious activity.</description>
</item>

<item>
<title>eNet SMART HOME server 2.3.1 Use of Default Credentials</title>
<link>https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5972.php</link>
<pubDate>Saturday, 14 Feb 2026 22:42:37 GMT</pubDate>
<description>The eNet Smart Home system ships with default credentials that remain active after installation and commissioning without enforcing a mandatory password change.</description>
</item>

</channel>
</rss>