Detectify security updates for November 30

Our Crowdsource ethical hacker community has been busy sending us security updates, including 0-day research. For Asset Monitoring, we now push out tests more frequently at record speed within 25 minutes from hacker to scanner. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users.

The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner from November 16 – November 27.

CVE-2020-14815: Oracle Business Intelligence Enterprise Edition DOM XSS

This module looks for an XSS vulnerability in Oracle Business Intelligence Enterprise Edition versions 5.5.0.0.0, 12.2.1.3.0 and 12.2.1.4.0. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain.

CVE-2020-8209: Citrix XenMobile Server Path Traversal

This module checks for a path traversal vulnerability in Citrix XenMobile Server 10.12 before RP2, Citrix XenMobile Server 10.11 before RP4, Citrix XenMobile Server 10.10 before RP6 and Citrix XenMobile Server before 10.9 RP5. An attacker can download arbitrary files from the server and in some cases launch an RCE attack.

CVE-2020-4782: IBM WebSphere Directory Traversal

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system and download arbitrary files, leading to a potential RCE attack in a worst case scenario.

E-Commerce Vulnerabilities

Since November is a month that has some of the highest e-commerce traffic because of Black Friday and Cyber Monday, we have asked our researchers to send in findings for e-commerce related technologies. We have received submissions for technologies such as Modified eCommerce, OXID eShop, Magento, ECShop and JTL-Shop with vulnerabilities ranging from installer disclosures to RCEs.

Atlassian Vulnerabilities

We have continued to have numerous submissions for vulnerabilities in Atlassian Jira apps. Vulnerabilities include improper access control and remote code execution.