I reported the following security issues to the affected companies in a responsible disclosure process. Some of them link to more detailed articles in English or German.
- WebUntis: XSS Filter Evasion (German)
- Untis (coming soon)
- WebUntis: Stored XSS, CSRF (CVE-2020-10540)
- regioiT academe: Stored XSS (German)
- Unifi: SMTP vulnerability (CVE-2019-5456)
- Unnamed company: CSRF in customer control panel
- MinTec: SQL Injections, Client side overwrite
- Schild NRW: Insecure update mechanism (German)
- TTN Mapper: Stored XSS (German)
- Unnamed company: Missing certificate validation for enterprise wireless network (English)
- CASIO: Design flaw in exam mode in fx-cg20 (German)
- Unnamed company: Replay attacks on remote controls for German railway infrastructure
I want to thank all companies that supported me by discussing the issues in a respectful way and/or gave some kind of bug bounty.
There are some issues which were reported to companies but have not been published in detail, either by my personal decision or because of legal implications. For some issues I decided not to name the product or the manufacturer to avoid further problems, as doing so might result in legal measures against me.