Finding 0-day vulnerabilities in apps using the Red Team approach

  1. CVE-2021-44228: Insecure deserialization in Apache Log4j2 allows attackers to execute arbitrary code by sending specially crafted data, leading to potential system compromise.
  2. CVE-2023-1389: Command injection vulnerability in TP-Link Archer AX-21 allows attackers to execute commands as root by manipulating the country parameter in requests.
  3. CVE-2023-21839: Broken access control in Oracle WebLogic Server enables unauthenticated attackers to gain unauthorized access to sensitive data through network access.
  4. CVE-2023-28432: Information disclosure vulnerability in MinIO could allow unauthorized users to access sensitive information stored in the system.
  5. CVE-2022-33891: Command injection in Apache Spark occurs when user input is not properly validated, allowing attackers to execute arbitrary shell commands.
  6. CVE-2023-0669: Remote code execution vulnerability in Fortra GoAnywhere MFT can be exploited by attackers to execute malicious code on the server.
  7. CVE-2022-36804: Command injection in Atlassian Bitbucket allows remote attackers to execute arbitrary code by sending malicious HTTP requests to API endpoints.
  8. CVE-2021-39226: Authentication bypass in Grafana enables both unauthenticated and authenticated users to view and delete snapshots, potentially exposing sensitive data.
  9. CVE-2022-40684: Authentication bypass in Fortinet FortiOS allows attackers to bypass identity verification, leading to unauthorized access to the system.
  10. CVE-2022-24682: Path traversal vulnerability in Zimbra Webmail allows attackers to write files to arbitrary paths, potentially compromising the system.
