Our Crowdsource ethical hacker community has been busy sending us security updates, including 0-day research. For Asset Monitoring, we now push out tests more frequently at record speed within 25 minutes from hacker to scanner. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users.

The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner in the last weeks:

CVE-2020-24550: Episerver Open Redirect
This module checks for an open redirect vulnerability that exists in Episerver Find before 13.2.7. A misconfigured instance may allow an attacker to redirect the user to any site of their choice.

Gitlab GraphQL Information Disclosure
This module checks if it is possible to leak private email addresses in Gitlab via graphql. An attacker can get hold of usernames and email addresses and use them in social engineering attacks.

CVE-2020-23517: Aryanic HighMail CMS XSS
This module searches for a reflected XSS vulnerability in Aryanic HighMail CMS. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain.

CVE-2021-21975: VMWare vRealize Operations Manager API SSRF
The vRealize Operations Manager API prior to version 8.4 is vulnerable to an SSRF vulnerability. On successful exploitation, an unauthenticated attacker will be able to send requests on behalf of the affected service. It may be possible to reach systems on the same intranet as the affected application.

CVE-2020-17453: WSO2 Management Console XSS
This module looks for a reflected XSS vulnerability in WSO2 Management Console. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain.

PHP “Zerodium” Backdoor RCE
This module looks for an unauthenticated Remote Code Execution in PHP due to a backdoor. An attacker can leverage this to get full control of the server.

CVE-2021-21087: Adobe ColdFusion RCE
ColdFusion versions 2021, 2016 and 2018 are vulnerable to Remote Code Execution (RCE). An attacker can leverage this to get full control of the server.

CVE-2021-22986: F5 Big-IP iControl REST RCE
The F5 iControl REST interface has an unauthenticated remote command execution vulnerability. An attacker can leverage this to get full control of the server.

How can Detectify help?

Begin a scan for the latest vulnerabilities today. Start a free trial with Detectify here!

Already have an account? Login to check your assets.

Detectify is a continuous web vulnerability scanner service and we release Detectify security updates at least bi-weekly. Detectify offers a crowdsource-powered testbed of 2000+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!

Check your website for the latest vulnerabilities with Detectify Run a scan now

Posted by Charlie