Our Crowdsource ethical hacker community has been busy sending us security updates, including 0-day research. For Asset Monitoring, we now push out tests more frequently at record speed within 25 minutes from hacker to scanner. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users.

The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner in the last weeks:

CVE-2021-30150: Composr XSS
This module looks for a reflected XSS vulnerability in Composr CMS version 10.0.36. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain.

CVE-2020-5377: Dell OpenManage Administrator Authentication Bypass
This module looks for an authentication bypass vulnerability in Dell OpenManage Administrator in version 9.4 and prior. An unauthenticated attacker could bypass the authentication and access system files.

CVE-2021-28164: Eclipse Jetty Information Disclosure
This module searches for an information disclosure vulnerability in Jetty. This can reveal sensitive information regarding the implementation of a web application.

CVE-2021-27905: Apache Solr Arbitrary File Read
This module is looking for an LFI vulnerability in Apache Solr prior to version 8.8.2. An attacker can download arbitrary files from the server.

CVE-2020-15148: Yii 2 Remote Code Execution
his module looks for remote code execution in Yii 2 before version 2.0.38. An attacker can leverage this to get full control of the server.

CVE-2020-13483: Bitrix Site Manager XSS
This module looks for a reflected XSS vulnerability in The Web Application Firewall in Bitrix24 through versions 20.0.0. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain.

CVE-2021-3374: Rstudio Shiny Server Directory Traversal
This module searches for a directory traversal vulnerability in Rstudio Shiny Server. Directory traversal in RStudio Shiny Server before 1.5.16 allows attackers to read the application source code, involving an encoded slash. Successful exploitation would allow an attacker to read system files on the server.

CVE-2020-15500: Tileserver GL XSS
This module looks for a reflected XSS vulnerability in Tileserver GL through version 3.0.0. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain.

EmpireCMS DOM-XSS
This module looks for a reflected XSS vulnerability in EmpireCMS. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain.

How can Detectify help?

Begin a scan for the latest vulnerabilities today. Start a free trial with Detectify here!

Already have an account? Login to check your assets.

Detectify is a continuous web vulnerability scanner service and we release Detectify security updates at least bi-weekly. Detectify offers a crowdsource-powered testbed of 2000+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!

Check your website for the latest vulnerabilities with Detectify Run a scan now

Posted by Charlie