Below you find a curated list of security advisories published by the Security Operations / Cyber Defense Center team of MGB (Migros-Genossenschafts-Bund) found during penetration tests or red team engagements.
The table below provides a summary of all published advisories, including key details such as dates, identifiers, severity scores, affected vendors, and products.
| Date | MSEC ID | Vendor ID | CVE ID | CVSS 4.0 | Vendor | Product | Vulnerability | Advisory |
|---|---|---|---|---|---|---|---|---|
| 20.05.2025 | MSEC-2025-001 | n/a | CVE-2024-42912 | 8.6 | META-INF | Email This Issue | Stored Cross-Site Scripting | Open |
| 20.05.2025 | MSEC-2025-002 | ODOO-SA-2024-12-23 | CVE-2024-12368 | 8.7 | Odoo | Odoo | Authenticated Account Takeover | Open |
| 04.06.2025 | MSEC-2025-003 | n/a | CVE-2025-5597 | 10.0 | WF Steuerungstechnik GmbH | airleader MASTER | Authentication Bypass | Open |
| 04.06.2025 | MSEC-2025-004 | n/a | CVE-2025-5598 | 9.2 | WF Steuerungstechnik GmbH | airleader MASTER | Path Traversal | Open |
| 26.06.2025 | MSEC-2025-005 | n/a | n/a | 8.6 | SYDECON GmbH | MDM Enterprise Workflow | Stored Cross-Site Scripting | Open |
| 26.02.2026 | MSEC-2026-001 | 3423233 (HackerOne) | Pending | 6.2 | Kubernetes SIG | minikube | Command Injection | Open |
The following figure illustrates the underlying vulnerability disclosure process, outlining the steps for reporting, managing, and resolving security vulnerabilities responsibly.
The figure represents a reference process that serves as a foundational guideline. It can be adapted or modified as needed to ensure responsible and context-appropriate publication.
This work is licensed under a Creative Commons Attribution 4.0 International License (CC BY 4.0).
Please contact damiano.esposito@mgb.ch for issues relating to this repository. Please contact media@migros.ch for press inquiries.