Search Go hack yourself with Detectify
×

A web security blog from Detectify

Detectify Security Updates May 17

May 17, 2021

Our Crowdsource ethical hacker community has been busy sending us security updates, including 0-day research. For Asset Monitoring, we now push out tests more frequently at record speed within 25 minutes from hacker to scanner. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users.

The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner in the last weeks:

CVE-2020-35481: Solarwinds Serv-U Macro Injection
This module looks for a macro injection vulnerability SolarWinds Serv-U before 15.2.2. An unauthenticated attacker can get critical information on the target including encrypted credentials from the configuration (SMTP, LDAP) and cleartext credentials of any connected user, thus leading to RCE.

CVE-2021-24278: WordPress Plugin “Redirection for Contact Form 7” (wpcf7-redirect) Arbitrary Nonce Generation
This module searches for an unauthenticated arbitrary nonce generation vulnerability in Redirection for Contact Form 7 prior to versions 2.3.3. Attackers could use this nonce generation vulnerability to exploit other vulnerabilities.

Adobe AEM CRX Package Manager Bypass
This module will try to bypass the AEM dispatcher to list all packages. After that, an attacker can download packages. An unauthenticated attacker will be able to download package which may contain sensitive data.

Concrete5
This module looks for a reflected XSS vulnerability in Concrete5 CMS before version 8.5.2. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain.

Panabit Console Exposure / Default Credentials
This module tries to find Panabit consoles using default credentials for admin authentication. An attacker will be able to authenticate to Panabit and gain privileges to the service.

CVE-2021-30461: VoIPmonitor RCE
This module looks for a remote code execution vulnerability in VoIPmanager before version 24.61. An attacker can execute arbitrary code on the server.

How can Detectify help?

Begin a scan for the latest vulnerabilities today. Start a free trial with Detectify here!

Already have an account? Login to check your assets.

Detectify is a continuous web vulnerability scanner service and we release Detectify security updates at least bi-weekly. Detectify offers a crowdsource-powered testbed of 2000+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!

Test your website's security with Detectify Sign up for a free trial