Our global community of hand-picked Detectify Crowdsource ethical hackers are the reason we are able to automate security research so quickly to protect web applications from attack. This past year, we received a record 1300+ submissions from the community including over 180 zero-day vulnerabilities. Every module and security test we build from these hacker-submitted vulnerabilities helps us make the internet more secure. As 2020 comes to a close, we’d like to thank all Crowdsourcers around the world for your hard work and contributions.
We might not be able to recognize everyone individually (we wish we could!) but here’s a list of the top 10 most critical CVEs in order of severity (maximum CVSS Base Score of 10) added to the Detectify scanner in 2020 – and the Crowdsourcers who made it possible!
1. CVE-2020-12720: vBulletin SQL Injection (OWASP 1: Injection)
vBulletin is a proprietary Internet forum software package used to build and manage online community websites. This module searches for a SQL injection vulnerability that would allow an attacker to launch a RCE attack via resetting the admin’s password.
2. CVE-2020-5902: F5 BIG IP RCE and LFI (OWASP 1: Injection)
The Traffic Management User Interface on F5 BIG-IP is vulnerable to arbitrary command execution and local file read. A path normalization issue affects the Java backend, allowing an unauthenticated attacker to perform a relative path traversal attack and access sensitive endpoints that will grant further access within the system. On successful exploitation, an attacker will be able to execute arbitrary code on the system.
3. CVE-2020-15506: MobileIron Core Authentication Bypass (OWASP 2: Broken Authentication)
An authentication bypass vulnerability exists in MobileIron Core and Connector versions 10.6 and earlier that allows remote attackers to bypass the authentication mechanism. This would allow attackers to access services and the admin panel.
4. CVE-2020-14882: Oracle WebLogic RCE (OWASP 1: Injection)
Unpatched Oracle WebLogic servers allow attackers to execute arbitrary commands to download files, log keystrokes, steal sensitive data, and move laterally across a network. The vulnerability can be exploited by simply sending one request to the server.
5. CVE-2020-14750: Oracle WebLogic RCE (OWASP 1: Injection)
This is a Remote Code Execution (RCE) vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. If vulnerable, an attacker will be able to execute arbitrary commands on the application. Similar to CVE-2020-14882 above, the vulnerability can be exploited by simply sending one request to the server.
6. CVE-2020-17530: Apache Struts 2 RCE (OWASP 1: Injection)
Apache Struts (2.5.25 or earlier) is prone to a remote code execution vulnerability. In some cases, some tag attributes could perform a double OGNL evaluation on untrusted user input, which could lead to a remote code execution condition. An attacker would be able to execute system commands on the server.
7. CVE-2020-2551: Oracle WebLogic RCE (OWASP 1: Injection)
This is another vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware affecting versions 10.3.6.0.0, 188.8.131.52.0, 184.108.40.206.0 and 220.127.116.11.0 that grants unauthenticated attackers with network access via IIOP to compromised Oracle WebLogic Servers.
8. CVE-2020-13379: Grafana SSRF (OWASP 3: Broken Access Control)
The avatar feature in Grafana contained a Server-Side Request Forgery (SSRF) vulnerability that permitted any unauthenticated user or client to make Grafana send HTTP requests to any URL and then return the result to the user or client.
9. CVE-2020-1147: Microsoft SharePoint Server RCE (OWASP 1: Injection)
This RCE vulnerability affects .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content.
10. CVE-2020-8209: Citrix XenMobile Server Path Traversal (OWASP 3: Broken Access Control)
This is a path traversal vulnerability in Citrix XenMobile Server 10.12 before RP2, Citrix XenMobile Server 10.11 before RP4, Citrix XenMobile Server 10.10 before RP6, and Citrix XenMobile Server before 10.9 RP5. An attacker can download arbitrary files from the server and in some cases launch an RCE attack.
Honorable Mention: VMware vCenter Unauthenticated Arbitrary File (OWASP 3: Broken Access Control)
This last one was never assigned a CVE but is still noteworthy. VMware vCenter Server version 6.5.0 or earlier allows a remote attacker to arbitrarily read files on the host by accessing the open vCenter console. Attackers can read the vCenter configuration file to obtain the admin account password and then take over the vCenter platform and the virtual machine clusters it manages.
Again, thank you to all the ethical hackers in the Detectify Crowdsource community who are helping us make the internet safer every day!
How can companies benefit from our ethical hacker powered products? Find out here!
Interested in joining Crowdsource? Take our challenge and find out if you got what it takes at https://cs.detectify.com/apply.
Detectify collaborates with ethical hackers to crowdsource security research from the forefront of the industry, so you can check for 2000+ common vulnerabilities. Our testbed includes the OWASP Top 10, security misconfigurations and subdomain takeovers submitted by the Detectify Crowdsource community. Try or buy Detectify. Sign up today for a a 14-day free trial.