How I Found My First CVE

This is a post to illustrate how I discovered my first four CVE’s and how the process is much simpler than I first imagined.

I have always had massive respect for security researchers and the documentation they produce for the community, for education and point of reference purposes. After a few conversations with a friend and colleague of mine, Crawl3r (https://crawl3r.github.io/). We decided to spin up a couple of dedicated boxes for vulnerability research and stack them with windows and nix virtual machines as  testing environments for target software.

For those interested, I used a tiny machine; micro ITX, I3, 12Gb. That was built from old parts I had lying around from builds of the past. This machine was stacked with a free version of ESXI to hold the operating systems. Crawl3r used another old unused machine from days gone.

Our first choice was a revisit of some previously tested software, ERES by Quadbase. ERES also known as Espress Reports ES is web based reporting and dashboard software. Since we are both web application testers by day, this target fits great as a first attempt at discovering some vulnerabilities. Roughly half an hour later we have multiple bugs worth reporting:

  • CSRF to File Upload
  • CSRF to XSS
  • RFI to XSS
  • CSRF to User Email Change
Quadbase dashboard.

These bugs essentially either lead to account takeover, session cookie theft or file upload in the context of a target user. After sending a notification email to Quadbase we submitted CVE ID requests to Mitre and were notified with our reserved ID’s a couple of days later.

I will go into a more technical walkthrough of the vulnerabilities found in another post.

  • CVE-2020-24982
  • CVE-2020-24983
  • CVE-2020-24984
  • CVE-2020-24985

A evenings worth of work lead to subbing my first few CVE’s, something I thought I was a little while off. Since then I have subbed for a load more, ill also write about these in coming months.