Hidde Smit
Researcher level 3
My passion lies in cybersecurity, where I dedicate myself to discovering zero-day vulnerabilities and ensuring their responsible disclosure through my voluntary work with the Dutch Institute for Vulnerability Disclosure (DIVD). I maintain a full-time career in cybersecurity while also taking on project-based freelance assignments, allowing me to apply my expertise across diverse security challenges.
Featured articles
CSIRT cases
- DIVD-2024-00043 - CyberAudit-Web - SSRF and Authentication bypass CVEs Registered
- DIVD-2024-00024 - Multiple vulnerabilities found in the SOPlanning tool
- DIVD-2024-00011 - Six vulnerabilities in Enphase IQ Gateway devices
- DIVD-2021-00037 - Critical vulnerabilities in ITarian MSP platform and on-premise solution
- DIVD-2021-00021 - Qlik Sense Enterprise domain user enumeration
CVE Records
- Authentication Bypass in CyberAudit-Web
- SSRF in CyberAudit-Web videx-legacy-ssl
- Remote Code Execution through File Upload in SOPlanning before 1.52.02
- Remote Code Execution through File Upload in SOPlanning before 1.52.02
- Insecure Direct Object Reference to export Database in SOPlanning before 1.52.02
- SQL Injection in SOPlanning before 1.52.02
- Upload of encrypted packages allows authenticated command execution in Enphase IQ Gateway v4.x and v5.x
- URL parameter manipulation allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway version 4.x <= 7.x
- URL parameter manipulation allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway v4.x to v8.x and < v8.2.4225
- Command Injection through Unsafe File Name Evaluation in internal script in Enphase IQ Gateway v4.x up to and including 8.x
- Insecure File Generation Based on User Input in Enphase IQ Gateway version 4.x to 8.x and < 8.2.4225
- Unauthenticated Path Traversal via URL Parameter in Enphase IQ Gateway version < 8.2.4225
- ITarian - Local privilege escalation in Endpoint Manager agent on Windows
- ITarian - Any user with a valid session token can create and execute agent procedures and bypass mandatory approvals
- ITarian - Session cookie not protected by HttpOnly flag
- Qlik Sense Enterprise Domain User enumeration
- Qlik Sense Enterprise Domain User enumeration
- Authenticated reflective XSS in Kaseya VSA <= v9.5.6