Product update: Dynamic API Scanning, Recommendations & Classifications, and more
We know the importance of staying ahead of threats. At Detectify, we’re committed to providing you with the tools you need to secure your applications …
Detectify
For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.
The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner tool on 10 January.
CVE-2018-15961: Adobe ColdFusion Unrestricted File Upload
Adobe Coldfusion lets unauthenticated attackers upload files to ckeditor which will be stored on the server. This is a critical vulnerability and more details are found on Adobe.
CVE-2018-17254: Joomla! JCK-Editor SQL Injection
The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter. Authentication is not needed for a successful exploit. Read more here.
Atlassian Jira Route-based Authentication Bypass
By accessing a specific endpoint, it is possible to view employee emails and ticket names.
Nexus Sonatype Default Credentials
The repository manager Nexus is using default credentials.
Response-Proxy DOM XSS
The response-proxy.html file is vulnerable to DOM XSS because it does not validate the value from a URL.
Ghost CMS XSS
The value of the two attributes in the Subscription page are reflected which leads to reflected XSS. Read more.
We know the importance of staying ahead of threats. At Detectify, we’re committed to providing you with the tools you need to secure your applications …
What if we told you that our newly released API Scanner has 922 quintillion payloads for a single type of vulnerability test? A quintillion is …