For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.
The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner tool on 16 April 2020.
CVE-2020-7961: Liferay Portal Unauthenticated RCE
Liferay is an enterprise portal that allows the use of corporate extranets and intranets. Most recently, a JSON Object deserialization issue has been found that would allow an attacker to execute arbitrary code.
The vulnerability is described further here: https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html
Adobe AEM Flush Dispatcher DoS
An interesting report was submitted to the Crowdsource team that showed a very simple way to invalidate or flush cached pages without any rate limiting in Adobe Experience Manager. If done repeatedly, this can lead to Denial of Service attacks.
CVE-2020-8509: Zoho ManageEngine Desktop Central Unauthenticated PDF Servlet Access
Zoho ManageEngine Desktop Central is an endpoint management solution that helps to manage servers, laptops, desktops, smartphones, and tablets from a central location. A Crowdsource researcher, is credited with finding an unauthenticated servlet access vulnerability, which allows unauthenticated users to access PDFGenerationServlet, that can lead to sensitive information disclosure.
Questions or comments on the latest Detectify security updates? Let us know in the comments below.
Begin a scan for the latest vulnerabilities today. Start a free trial with Detectify here!
Already have an account? Login to check your assets.
Detectify is a continuous web vulnerability scanner service and we release Detectify security updates at least bi-weekly. Detectify offers a crowdsource-powered testbed of 1500+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!