Skip to main content

🎉    We recently published 2 CVE's

foo

CVE-2021-35956
Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.

foo

CVE-2021-3441
Stored cross-site scripting (XSS) in the embedded webserver of certain HP OfficeJet Printers—including the 4630 e-All-in-One Printer and 7110 Wide Format ePrinter— enables remote unauthenticated attackers to introduce arbitrary JavaScript via the printer name and printer location fields.

The Internet Observatory (Obsrva) is a vulnerability research project founded by independent security researcher Tyler Butler. Obsrva engages product vendors in coordinated disclosures, publishes vulnerability advisories, and creates proof of concept exploits.

Coordinated Disclosures

Obsrva engages vendors of hardware, software, and internet-based services in coordinated disclosures after the discovery of vulnerabilities effecting their products. Following industry standards, vendors are provided identification of the vulnerability, statements addressing impact, and mitigation recommendations.

Vulnerability Advisories

Obsrva coordinates with product vendors to publish vulnerability advisories on obsrva.org/advisories. Advisories allow customers, blue and red team operators, and the broader research community to access technical details and research methodology.

  1. CVE-2021-3441
  2. CVE-2021-35956

Proof of Concept Exploits

Obsrva develops proof of concept exploits for discovered vulnerabilities and publishes them on the exploit database (exploit-db.com). PoC’s can also be found on GitHub where PR’s are welcome for the community to collaborate.

  1. HP OfficeJet 4630/7110 MYM1FN2025AR - Stored Cross-Site Scripting (XSS)
  2. AKCP sensorProbe SPX476 - ‘Multiple’ Cross-Site Scripting (XSS)
  3. PHP Timeclock 1.04 - ‘Multiple’ Cross Site Scripting (XSS)
  4. PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection

Research Library

Obsrva maintains the iOT Research Library, a collection of iOT and embedded devices available for loan by independent security researchers. The library provides access to unique, EOL, or other devices no longer under active research by Obsrva.

Connect on Twitter