Clickheat 1.13+ Unauthenticated RCE
---
The Clickheat developers have been informed, but have not responded to my
email. The code has not been updated recently and the project seems to be in an
abandoned state.
I have discovered a vulnerability in Clickheat 1.13.
This is a follow-up to an earlier post, highlighting an XSS and information
disclosure vulnerability in versions 9-11 of Untangle.
The previous post is shown in full below this post.
Additional un-patched vectors have been discovered that allow for these issues
to be exploited with increased fe
Multiple issues have been discovered in the Untangle NGFW virtual
appliance. The vendor was unresponsive to the researcher and uncooperative.
- Persistent XSS leading to root
  - Authentication required
  - Confirmed in versions 9 and 11 (up to rev r39357)
Throughout the Untangle user interface there are