How Internal Scanning works: Q&A with Detectify’s product expert
Security doesn’t stop at the perimeter. The “inside” of your network often harbors many overlooked risks. To address this, ealier this year we launched Detectify Internal …
Detectify security updates for 02 May
Detectify
For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.
The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner tool on 02 May.
CVE-2019-3799: Spring Cloud Config Directory Traversal
It is possible for an attacker to read the content of local files on the server.
Go to details of this vulnerability.
CVE-2018-19439: Oracle Secure Global Desktop XSS
There is a page that reflects the value of the GET-parameters without properly escaping it.
CVE-2011-4367: Apache MyFaces Directory Traversal
Similarly to the first issue here, this allows an attacker to read the content of files on the server. This is done by passing the filename as “../WEB.INF” in a GET-parameter.
Oracle Discoverer Viewer BI Open Redirect
The server takes the value of a GET-parameter and creates a redirect thereto. This is a very straight-forward open redirect.
Check out more content
Introducing PCI ASV Scanning: Continuous attack surface compliance in partnership with Clone Systems
Maintaining a secure external attack surface is no longer just about finding vulnerabilities; it’s about proving your resilience to partners, auditors, and regulatory bodies. Today, …
