Detectify security updates for January 11


Our Crowdsource ethical hacker community has been busy sending us security updates, including 0-day research. For Asset Monitoring, we now push out tests more frequently at record speed within 25 minutes from hacker to scanner. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users.

The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner from December 28 – January 8.

CVE-2020-10148: Solar Winds Orion Local File Inclusion

The Solar Winds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.

CVE-2020-17519: Apache Flink Path Traversal

Apache Flink is vulnerable to a path traversal vulnerability in JobManager. An unauthenticated attacker can read system files on the server.

CVE-2020-29015: FortiWeb Blind SQL Injection

FortiWeb versions 6.3.7 (or earlier) and 6.2.3 (or earlier) are vulnerable to a blind SQL injection in the user interface of FortiWeb.

Ruby on Rails Open Redirect

Ruby on rails versions 6.0.0 to 6.0.3.2 are vulnerable to an open redirect issue because the request parameter “location” was not validated.

Oracle JD Edwards EnterpriseOne Application Interface Services SSRF

The JD Edwards EnterpriseOne Application Interface Services (AIS) Server is vulnerable to an SSRF vulnerability.

Atlassian Jira Prototype Pollution XSS

The issue navigator in Atlassian Jira is vulnerable to prototype pollution which can be pivoted to an XSS.

Questions or comments on the latest Detectify security updates? Let us know in the comments below.

Begin a scan for the latest vulnerabilities today. Start a free trial with Detectify here!

Already have an account? Login to check your assets.

Detectify is a continuous web vulnerability scanner service and we release Detectify security updates at least bi-weekly. Detectify offers a crowdsource-powered testbed of 2000+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!



Source link