Detectify security updates for February 8

Our Crowdsource ethical hacker community has been busy sending us security updates, including 0-day research. For Asset Monitoring, we now push out tests more frequently at record speed within 25 minutes from hacker to scanner. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users.

The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner from January 25 – February 5.

CVE-2021-3007: Zend Framework3 Deserialize RCE

Zend Framework had a deserialization vulnerability that can lead to remote code execution if the content is controllable. If vulnerable, an attacker will be able to execute arbitrary commands.

CVE-2021-22122: Fortigate FortiWeb XSS

This module looks for a reflected XSS vulnerability in Fortinet FortiWeb. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain.

CVE-2020-15081: PrestaShop Information Exposure

This module checks for directory listings in the “upload” directory of PrestaShop. In PrestaShop from version 1.5.0.0 and before 1.7.6.6, there is information exposure in the upload directory. The problem is fixed in version 1.7.6.6. A possible workaround is to add an empty index.php file in the upload directory.

CVE-2020-25483: UCMS RCE

This modules searches for a remote code execution vulnerability in UCMS v1.4.8. If exploited, an attacker can execute system commands on the server.

CVE-2020-14005: SolarWinds Orion RCE

This module tests for a command injection vulnerability in SolarWinds. SolarWinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows remote attackers to execute arbitrary code via a defined event. If vulnerable, an attacker will be able to execute arbitrary commands on the application.

CVE-2020-9484: Apache Tomcat RCE via Deserialization

This module tests for a command injection vulnerability in Apache Tomcat. When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if:

1. an attacker is able to control the contents and name of a file on the server;
2. the server is configured to use the PersistenceManager with a FileStore;
3. the PersistenceManager is configured with sessionAttributeValueClassNameFilter=”null” (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
4. the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.

Note that all of conditions (1) to (4) must be true for the attack to succeed. If vulnerable, an attacker will be able to execute arbitrary commands on the application.

CVE-2020-12145: Silver-Peak Unity Orchestrator Authentication Bypass

Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ uses HTTP headers to authenticate REST API calls from localhost. An attacker would be able to bypass authentication and delete any files on the server.

CVE-2020-12147: Silver-Peak Unity Orchestrator SQL Injection

In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, there is a SQL injection vulnerability. An attacker can use this flaw to execute SQL commands and make arbitrary queries in the database.

SonicWall SSLVPN RCE

This module tests for a command injection vulnerability in SonicWall SSLVPN. If vulnerable, an attacker will be able to execute arbitrary commands on the application.

CVE-2020-14883: WebLogic Console Authentication Bypass

This module tests for an authentication bypass vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. If vulnerable, an attacker will be able to execute arbitrary commands on the application.

CVE-2020-27986: SonarQube Information Disclosure

There is a vulnerability in the SonarQube API that would allow attacker to discover cleartext SMTP, SVN and GitLab credentials.

ECShop SQL Injection

This module looks for an SQL Injection vulnerability in ECShop 4.1.0. An attacker can use this flaw to execute SQL commands and make arbitrary queries in the database.