Detectify security updates for 13 July


For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

CVE-2020-13662: Drupal Core Open Redirect

In CVE-2020-13662, Drupal versions 7.x up to 7.69 are vulnerable to an open redirect via the destination parameter, which is accepted on several endpoints. For example: http://drupal.site/?destination=/something%3Fq=//example.com. Successful exploitation of this vulnerability would allow an attacker to send a user to a malicious website.
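As an added defensive example (not Detectify's or Drupal's code), the check below classifies a destination value the way a redirect validator should: it decodes the value, rejects absolute and protocol-relative targets, and also inspects a nested q parameter, on the assumption that Drupal 7 treats q as the request path, which is what lets the example URL above resolve off-site.

```python
from urllib.parse import parse_qs, unquote, urlsplit


def _is_external(target: str) -> bool:
    """True if a redirect target would leave the current site."""
    # Browsers treat a backslash like a forward slash here.
    t = target.strip().replace("\\", "/")
    parts = urlsplit(t)
    # A scheme (http:, javascript:) or an authority (//host) leaves the site;
    # the startswith check also catches oddities such as ///host.
    return bool(parts.scheme or parts.netloc) or t.startswith("//")


def is_safe_destination(raw_destination: str, max_decode: int = 3) -> bool:
    """Return True only if the destination stays on the local site.

    The value is decoded repeatedly because a destination may arrive
    percent-encoded more than once (the page's example encodes the '?').
    """
    value = raw_destination
    for _ in range(max_decode):
        if _is_external(value):
            return False
        # Assumption: Drupal 7 maps the `q` query parameter to the request
        # path, so a nested q= inside the destination is checked the same way.
        for nested in parse_qs(urlsplit(value).query).get("q", []):
            if _is_external(nested):
                return False
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return True


def check_request(url: str) -> list[tuple[str, bool]]:
    """Classify every destination= value found in a request URL."""
    dests = parse_qs(urlsplit(url).query).get("destination", [])
    return [(d, is_safe_destination(d)) for d in dests]


if __name__ == "__main__":
    # Constructed sample request, using the example URL from the advisory.
    sample = "http://drupal.site/?destination=/something%3Fq=//example.com"
    for dest, safe in check_request(sample):
        print(f"{dest!r}: {'safe' if safe else 'EXTERNAL - reject'}")
```

Any value that fails the check should be replaced with the site's front page rather than followed.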

CVE-2020-9757: CraftCMS SEOmatic SSTI

This module checks for a vulnerability in the SEOmatic component for Craft CMS before version 3.3.0. A server-side template injection in the metacontainers controller, triggered by malformed data, leads to remote code execution. On successful exploitation, an attacker can execute system commands on the server.


CVE-2020-5902: F5 BIG-IP RCE and LFI

The Traffic Management User Interface (TMUI) on F5 BIG-IP is vulnerable to arbitrary command execution and local file read. A path normalization issue in the Java backend allows an unauthenticated attacker to perform a relative path traversal attack and reach sensitive endpoints that grant further access within the system. On successful exploitation, an attacker is able to execute arbitrary code on the system.


CVE-2020-4038: Prisma GraphQL Playground XSS

This module checks for a reflected cross-site scripting vulnerability in the GraphQL Playground IDE. The bug was patched a month ago, but all previous versions are vulnerable to this XSS. The affected Playground components did not sanitize user input, allowing an attacker to embed malicious code in request data such as URL parameters, query parameters, and unsanitized text strings from the database.
