Detectify security updates for 02 May


For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

CVE-2019-3799: Spring Cloud Config Directory Traversal

It is possible for an attacker to read the content of local files on the server.

Go to details of this vulnerability.

CVE-2018-19439: Oracle Secure Global Desktop XSS

There is a page that reflects the value of the GET-parameters without properly escaping it.

Read more here.

CVE-2011-4367: Apache MyFaces Directory Traversal

Similarly to the first issue here, this allows an attacker to read the content of files on the server. This is done by passing the filename as “../WEB.INF” in a GET-parameter.

Oracle Discoverer Viewer BI Open Redirect

The server takes the value of a GET-parameter and creates a redirect thereto. This is a very straight-forward open redirect.

 


Questions or comments on our latest security updates? Let us know in the section below.

Begin a scan for the latest vulnerabilities today. Start a free trial with Detectify here!

Already have an account? Log in to check your assets.

Detectify is a continuous web scanner monitor service that can be set up for automated scanning for 1000+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!



Source link