X41 D-Sec GmbH Security Advisory: x41-2024-004-Medico Missing Transport Security for Medico Classic Application Server Connections Severity Rating: High Vector: MitM on local network CVE: Requested by vendor CWE: 319 CVSS Score: 7.1 CVSS Vector: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N Affected Version: CGM Medico below 29.01.02.01 Patched Versions: CGM Medico 29.01.02.01 and above (according to vendor) Vendor: CGM Clinical Europe GmbH Vendor URL: https://www.cgm.com/deu...
Niklas Abel and Luc Gommans of X41 discovered a vulnerability in Medico
Small tools and notes from X41’s 2025 internal research week
X41 finished auditing the Backstage platform and releases the resulting report.
Security Audit of nghttp3 and ngtcp2 X41 performed a source code audit of nghttp3, a QUIC implementation, and ngtcp2, an implementation of HTTP/3, sponsored once again by the Open Source Technology Improvement Fund. The report is released now that the development team addressed the issues identified. ngtcp2 implements QUIC, a network protocol aiming to improve the performance of connection-oriented web applications. On top of this, nghttp3 implements HTTP/3, which aims to improve latency and ...
How can X41 D-Sec help with the new Digital Operational Resilience Act (DORA) framework? The financial sector is facing increasing security threats, making digital resilience a critical requirement. To address these challenges, the Digital Operational Resilience Act (DORA) sets out stringent regulatory requirements for financial institutions. Below, we outline key aspects of DORA and how security services companies can help organizations ensure compliance. What is the Digital Operational Resi...
Security Audit of RSTUF X41 performed a source code audit of Repository Service for TUF, a collection of components that simplify the adoption of TUF, sponsored once again by the Open Source Technology Improvement Fund. The report is being released now that the development team addressed the issues identified. Full report of the security audit: https://www.x41-dsec.de/static/reports/X41-OSTIF-RSTUF-Audit-2024-Final-Report-Public.pdf RSTUF Blogpost: https://repository-service-tuf.readthedocs.i...
X41 D-Sec GmbH Security Advisory: X41-2025-001 Multiple Vulnerabilities in OpenSlides Highest Severity Rating: Medium Confirmed Affected Versions: 4.2.4 Confirmed Patched Versions: 4.2.5 Vendor: Intevation GmbH Vendor URL: https://openslides.com/ Credit: X41 D-Sec GmbH, Eric Sesterhenn Status: Public Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2025-001-OpenSlides/ Summary and Impact X41 identified multiple bugs in OpenSlides, the most severe one being an XSS. Product Description The...
Intro to Tabletop Exercises (TTX) In cyber security, prevention is only part of the equation; response and preparedness are just as critical. We at X41 D-Sec offer table-top exercises (TTX) to simulate real-world attack scenarios, test your organization’s security posture, and improve your incident response capabilities. A table-top exercise is a structured discussion-based simulation where key stakeholders in your organization are walked through hypothetical attack scenarios by real penet...
Security Audit of Hickory DNS X41 performed an audit of Hickory DNS, an open source, Rust-based DNS client, server, and resolver. We were sponsored by the great folks at OSTIF and supported by Prossimo. The full report of the security audit can be downloaded under the following link: X41 D-Sec GmbH. Hickory DNS Hickory DNS is a collection of DNS libraries implementing a DNS authoritative server, client and recursive resolver. The software may be used as part of the DNS distributed data...