Ismail Tasdelen - Security Researcher

Freelancy version 1.0.0 suffers from a remote code execution vulnerability. Exploit Code : # Exploit Title: Freelancy - Freelance Management App v1.0.0 - RCE (Authenticated) Arbitrary File Download # Date: 03-01-2019 # Exploit Author: Ismail Tasdelen # Vendor Homepage: https://vaaip.com/ # Software Link: https://codecanyon.net/item/freelancy-freelance-project-management-application/25288636 # Software: Freelancy - Freelance Management App # Product Version: v1.0.0 # Vulernability Type: Code Injection # Vulenrability: Remote Code Execution ( RCE ) # CVE : CVE-2020-5505 # Description : # Freelancy v1.0.0 allows remote command execution via # the "file":"data:application/x-php;base64 substring (in conjunction with # "type":"application/x-php"} to the /api/files/ URI. # RCE Example : https://SERVER/storage/file/FileNAME.php?cmd=cat%20/etc/passwd # HTTP Request : POST /api/files/ HTTP/1.1 Host: SERVER User-Agent: Mozilla/5.0 (X11; Linux x86...

Heatmiser Netmonitor version 3.03 suffers from a hardcoded credential vulnerability. Exploit Code : # Exploit Title: Heatmiser Netmonitor 3.03 - Hardcoded Credentials # Date: 2019-12-22 # Exploit Author: Ismail Tasdelen # Vendor Homepage: https://www.heatmiser.com/en/ # Hardware Link: https://www.zoneregeling.nl/heatmiser/netmonitor-handleiding.pdf # Software: Netmonitor v3.03 # Product Version: Netmonitor v3.03 # CWE : CWE-798 # Vulenrability: Use of Hard-coded Credentials # CVE: N/A # Decription : # Hard-coded Credentials security vulnerability of Netmonitor model v3.03 # from Heatmiser manufacturer has been discovered. With this # vulnerability, the hidFrm form in the source code of the page # anonymously has access to hidden input codes. This information is # contained in the input field of the hidFrm form in the source code # lognm and logpd.    Source : https://packetstormsecurity.com/files/155767/Heatmiser-Netmonitor-3.03-Hardcoded-Credentials.html

Hello everyone, My name is Ismail Tasdelen. As a security researcher. I have found that Apple can remotely access all of its products. I gave my mom the old apple iphone 5s model phone to use. And this device is not connected to icloud. No icloud sessions are active. Let’s start talking. Step by step: { https://developer.apple.com/account/ }In order to search for the vulnerability I wanted to access this site, then came the notification sound from the next room. My mother received a confirmation request on her phone. This is very strange because I’ve format the phone and icloud accounts were not active. Mom phone [iPhone5s] Screenshot : As this device shows, the icloud session is not active. We log in from the login panel below with your Apple ID. login panel page 2. I have 2-step verification as follows. He wants a six-digit verification code from us. verification page 3. We are entering the 6 di...

Schneider Electric Security Notification Security Notification -Embedded Web Servers for Modicon (V3.0) CVE : CVE-2018-7804 CVSS v3.0 Base Score 4.7 | (Medium) | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L A CWE-601: URL Redirection to Untrusted Site vulnerability exists, where a user clicking on a specially crafted link can be redirected to a URL of the attacker’s choosing. Security Researcher : Ismail Tasdelen