CVE-2019-9958

Breakdown
Target: EspressReports ES Version 7 Update 7
Vendor: Quadbase
Vulnerability: CSRF
Brief: POST requests can be made to the server exploiting a CSRF vulnerability. This can lead to unauthenticated attackers or low privileged accounts performing privileged functionality via session surfing. In this write up, we exploit the CSRF vulnerability to…

CVE-2019-9957

Breakdown
Target: EspressReports ES Version 7 Update 7
Vendor: Quadbase
Vulnerability: Authenticated Stored XSS
Brief: A client side username restriction can be bypassed, leading to stored XSS payloads in the username field. The payload is then triggered when accessing the user list node graph.
Example Information: Attacker IP - 192.168.…