Our Crowdsource ethical hacker community has been busy sending us security updates, including 0-day research. For Asset Monitoring, we now push out tests more frequently at record speed within 25 minutes from hacker to scanner. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users.

The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner from February 23 – March 4.

CVE-2021-21242: OneDev RCE 

This module tests for a deserialization vulnerability in Onedev before version 4.0.3. An attacker can run arbitrary commands on successful exploitation. Submitted by payloadartist.

CVE-2021-21246: OneDev User Access Token Leak

This module looks for access token leaks from Onedev through the /users/{id} endpoint. Attackers can use these access tokens to access the API or clone code through the stolen user account. Submitted by payloadartist.

CVE-2021-26723: Jenzabar XSS

This module looks for an XSS vulnerability in Jenzabar 9.2.x through 9.2.2. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain. Submitted by xelkomy.

CVE-2020-35572: Adminer 4.7.8 XSS

This module searches for a reflected XSS vulnerability in Adminer. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain. Thanks madrobot for the submission.

CVE-2020-7741: hello.js XSS

Another one from madrobot, this module searches for a DOM XSS vulnerability in hello.js. his affects the package hello.js before 1.18.6. The code get the param oauth_redirect from url and pass it to location.assign without any check and sanitisation. So we can simply pass some XSS payloads into the url param oauth_redirect, such as javascript:alert(1). An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain.

Posted by Charlie