Recently added crowdsourced vulnerabilities – November 2023

Here is a list of all new modules recently added from our community of ethical hackers. You can find a complete list of new vulnerabilities added to Surface Monitoring and Application Scanning by viewing the “What’s New?” section in-tool.

Latest vulnerabilities:

• CVE-2023-49103: OwnCloud Phpinfo Configuration
• CVE-2023-44150: ProfilePress Sensitive Information Exposure
• CVE-2023-43208: NextGen Healthcare Mirth Connect RCE
• CVE-2023-41339: Geoserver WMS SSR
• CVE-2023-40779: IceWarp Open Redirect
• CVE-2023-39700: IceWarp XSS
• CVE-2023-37728: IceWarp XSS
• CVE-2023-33160: Microsoft Sharepoint RCE
• CVE-2023-22518: Atlassian Confluence Authentication Bypass
• CVE-2023-20198: Cisco WebUI RCE
• CVE-2023-6063: WordPress Plugin “WP Fastest Cache” (wp-fastest-cache) SQL Injection
• CVE-2023-5244: Microweber XSS
• CVE-2023-4966: Citrix NetScaler ADC and Citrix NetScaler Gateway Sensitive Information Disclosure
• CVE-2023-3765: MLflow Local File Inclusion
• CVE-2023-3519: Citrix ADC & Citrix Gateway RCE
• CVE-2023-1719: Bitrix24 Insecure Global Variable Extraction
• CVE-2023-1496: SVG Sanitization Bypass XSS
• CVE-2021-33690: SAP NetWeaver Development Infrastructure SSRF
• CVE-2020-13851: PandoraFMS RCE
• CVE-2020-6950: Directory Traversal in Eclipse Mojarra
• Adobe AEM Misconfigured Replication Servlet
• Adobe AEM Query Debugger Exposure
• BeyondTrust Remote Support XSS
• Bitrix Component XSS via log_cnt
• Centreon Default Credentials
• Content-Security-Policy Bypass via Microsoft
• FusionAuth Installer Exposure
• Github Workflow Disclosure
• JWT Private Key Exposure
• Less History Exposure
• MantisBT Default Credentials
• Office Web Apps Server Full Read SSRF
• RedisInsight Unauthenticated Access
• Shopware Installer Exposure
• Spring Boot Actuator / Configuration Properties
• SugarCRM Installer Exposure
• WordPress Arbitrary Shortcode Execution
• New tests added by Detectify staff:
• Adobe ColdFusion Login Portal
• PHP var_dump Exposure
• Nohup Output Exposure

Changed tests:

• CVE-2023-20198: Cisco WebUI Compromised
• CVE-2021-44228: Log4Shell (log4j) RCE
• CVE-2020-8512: IceWarp XSS
• ActiveAdmin Admin Dasboard Exposure
• Adobe AEM Granite Login Portal
• Adobe AEM JCR Compare Exposure
• Amazon API-Key Disclosure
• Amazon API-Key Disclosure
• Apache .htaccess Exposure
• Apache Struts actionErrors XSS
• Apache Struts actionErrors XSS
• Atom Package Configuration Credentials Exposure
• Atom Package Configuration Exposure
• Caddy Open Redirect
• cPanel WHM Exposed Login Portal
• Drupal Registration Enabled
• Environment Variables Disclosure
• Filezilla Config Exposure
• Generic CI Pipeline Configuration Exposure
• GitLab Public Projects Exposure
• Global.json Exposure
• Jolokia Configuration Exposure
• Jolokia Endpoint Exposure
• Jolokia Path Traversal
• Nagios XI Installer Exposure
• Nano History Exposure
• Nginx Configuration Exposure
• PHP Coding Standards Fixer Cache Exposure
• SH History Exposure
• Sublime SFTP Configuration Exposure
• TYPO3 Install Tool Exposure
• Visual Studio Code Ignore File Disclosure
• Visual Studio Code jsconfig.json Disclosure
• Visual Studio Code Settings Credential Exposure
• Visual Studio Code Settings Exposure
• Visual Studio Code SFTP Configuration Disclosure
• VisualStudio Code Container Configuration Exposure
• WinSCP Configuration Exposure
• WS-FTP Configuration Exposure
• ZSH History Exposure