Detectify security updates for 19 October

For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. This release features 3 high severity exploits. We added these tests to the Detectify scanner tool on 19 October.

CVE-2018-18069: WordPress wpml Stored XSS

Sitepress Multilingual CMS Plugin prior to version 3.6.3 is vulnerable to a stored cross site scripting in the WordPress admin login interface. This could lead to an unauthenticated attacker being able to completely take over a WordPress site.

CVE-2018-2894: Oracle WebLogic RCE

The CVE-2018-2894 which is affecting versions 12.1.3.0, 12.2.1.2 and 12.2.1.3 of Oracle Weblogic is a remote code execution (RCE) which allows unauthenticated attackers to upload arbitrary Java Server Pages-files (JSP) to the server. This could lead to a complete server takeover.

CVE-2018-1673: IBM WebSphere XSS

The CVE-2018-1673 is affecting several versions of IBM WebSphere Portal. The vulnerability is a reflected cross site scripting attack where an attacker can execute arbitrary Javascript in the context of the victim’s browser.

 

Questions or comments on our latest security updates? Let us know in the section below.

Begin a scan for the latest vulnerabilities today. Start a free trial with Detectify here!

Already have an account? Login to check your assets.