Introducing Dynamic API Scanning
Application environments are more complex than ever, with APIs forming the critical connective tissue. But this proliferation has created a vast, often invisible, attack surface. …
Detectify security updates for 16 April
Detectify
For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community.
Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.
The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner tool on 16 April 2020.
CVE-2020-7961: Liferay Portal Unauthenticated RCE
Liferay is an enterprise portal that allows the use of corporate extranets and intranets. Most recently, a JSON Object deserialization issue has been found that would allow an attacker to execute arbitrary code.
The vulnerability is described further here: https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html
Adobe AEM Flush Dispatcher DoS
An interesting report was submitted to the Crowdsource team that showed a very simple way to invalidate or flush cached pages without any rate limiting in Adobe Experience Manager. If done repeatedly, this can lead to Denial of Service attacks.
CVE-2020-8509: Zoho ManageEngine Desktop Central Unauthenticated PDF Servlet Access
Zoho ManageEngine Desktop Central is an endpoint management solution that helps to manage servers, laptops, desktops, smartphones, and tablets from a central location. A Crowdsource researcher, is credited with finding an unauthenticated servlet access vulnerability, which allows unauthenticated users to access PDFGenerationServlet, that can lead to sensitive information disclosure.
Questions or comments on the latest Detectify security updates? Let us know in the comments below.
Begin a scan for the latest vulnerabilities today. Start a free trial with Detectify here!
Already have an account? Login to check your assets.
Check out more content
Redefining AppSec Testing with Intelligent Scan Recommendations and Asset Classification
The average organization is missing testing 9 out of 10 of their complex web apps that are attacker-attractive targets. To address this, we’re launching new …
