Detectify security updates for 21 March


For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

Episerver GetGeoData API Misconfiguration

An API-endpoint where the response does contain the visitor’s IP-address. However, depending on configuration it might instead response with an internal IP-address disclosing some information about server setup.

Jingo XSS

Versions of jingo prior to 1.9.2 do not escape the text put into a wiki-page. Any user could put HTML/Javascript and it would execute.

More info can be found here: https://www.npmjs.com/advisories/750

CVE-2019-5418: Ruby on Rails File Disclosure

There is a vulnerability in Ruby on Rails that allows an attacker to retrieve local files from the target server. More details about the vulnerability can be found here: https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/

An attacker is able to read the content of local files on the server.

CVE-2019-9787: WordPress CSRF / RCE

Last month an authenticated RCE was published in WordPress, meaning that the only people who were able to exploit it were ones with an account on the WordPress installation. A post has now been published on how this could be chained with a CSRF-attack, drastically increasing the risk of it being exploited.

Read more here: https://blog.ripstech.com/2019/wordpress-csrf-to-rce/

Questions or comments on our latest security updates? Let us know in the section below.

Begin a scan for the latest vulnerabilities today. Start a free trial with Detectify here!

Already have an account? Log in to check your assets.

Detectify is a continuous web scanner monitor service that can be set up for automated scanning for 1000+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!



Source link