This repo is a dump of vulns I want CVEs assigned for that aren't good enough to be a blog. In this readme I'll mainly include the disclosure timelines of the products I toy around with.
Comfast CF-WR623N router, firmware version V2.3.0.1; the driver version was 4.1.0.0_CL15074. The vulns are silly and not low level: all UI stuff, no real code review or reversing anything. Not posting on the blog because the vulns are weak. The vendor was given every opportunity to establish a communication channel.
June 16, 2022: Initial discovery
June 16, 2022: Vendor notified about vulnerability disclosed via email
June 17, 2022: Attempted to contact vendor via Facebook
June 17, 2022: Attempted to contact vendor via buyer portal
June 22, 2022: Attempted to contact vendor via Weibo and WeChat
June 25, 2022: Contacted Sales Manager via LinkedIn
June 29, 2022: Sales Manager responds & is provided with the technical details to the vulnerability
July 5, 2022: Sales Manager requires clarification & I request my findings be shared with the technical team
July 8, 2022: Attempted contact with the vendor via email
July 11, 2022: Requested a status update from Sales Manager
July 14, 2022: Attempted to contact vendor through AliExpress support
July 19, 2022: Requested update from Sales Manager
September 14, 2022: Reaching back out to all channels previously used (no response)
October 11, 2022: Reaching back out to all channels previously used (no response)
October 22, 2022: Reaching back out to all channels previously used (no response)
November 3, 2022: Reaching back out to all channels previously used (no response)
December 3, 2022: Reaching back out to all channels previously used (no response)
December 12, 2022: Filing for CVEs
TIANJIE CPE906-3 router is the same story... I didn't spend much time on it and actually broke it while dumping the firmware from it
April 12, 2022: Initial discovery
April 12, 2022: Attempted 1st contact over multiple communication channels
May 2, 2022: Attempted 2nd contact over multiple communication channels
May 15, 2022: Attempted 3rd contact over multiple communication channels
July 18, 2022: Attempted 4th contact over multiple communication channels, this time over identified WeChat and QQ numbers and trademark holders
September 7, 2022: Attempted 5th contact over all the previously attempted channels of communication in English and Chinese
December 16, 2022: Filing for the CVE