Detectify Security Updates for August 17

Our Crowdsource ethical hacker community has been busy sending us security updates, including 0-day research. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users.

The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We have added these tests to the Detectify scanner in recent weeks:

CVE-2021-21985: VMware vCenter RCE
The vSphere Client (HTML5) has a remote code execution vulnerability in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. An attacker can execute arbitrary code on the server.

CVE-2021-27850: Apache Tapestry RCE
The vulnerability is a bypass of the fix for CVE-2019-0195. An unauthenticated attacker can bypass the file extension check and access the file AppModule.class, which may contain an HMAC key, and then sign serialized Java objects to achieve RCE.

CVE-2021-32820: Express Handlebars File Disclosure
This module looks for an LFI vulnerability in Express-handlebars. An attacker can download arbitrary files from the server.

CVE-2020-36289: Atlassian Jira Unauthenticated User Enumeration
This module tries to enumerate usernames in the QueryComponentRendererValue!Default.jspa endpoint. An attacker can use exposed usernames in other attacks against the affected organization.

CVE-2019-11600: OpenProject Unauthenticated SQL Injection
OpenProject versions before 8.3.1 have a SQL injection vulnerability. An attacker can get full access to the underlying database.

CVE-2021-22175: GitLab SSRF
GitLab versions prior to 10.5 are vulnerable to SSRF on an instance where registration is disabled. On successful exploitation, an unauthenticated attacker will be able to send requests on behalf of the affected service. It may be possible to reach systems on the same intranet as the affected application.

CVE-2021-28854: VICIdial Sensitive File Exposure
This module looks for a sensitive file exposure vulnerability in VICIdial’s Web Client. These files contain mysqli logs, auth logs, debug information, and successful and unsuccessful login attempts with their corresponding IPs, User-Agents, and non-plaintext credentials.

CVE-2021-3021: ISPConfig SQL Injection
This module looks for a SQL injection vulnerability in ISPConfig before version 3.2.2. An attacker can use this flaw to read data stored in the database.

CVE-2021-33564: Argument Injection in Ruby Dragonfly
This module looks for an argument injection in the Ruby gem “Dragonfly”. An attacker can download arbitrary files from the server.

CVE-2019-7481: SonicWall SMA 100 SQL Injection
This module looks for an SQL Injection vulnerability in SonicWall SMA100 version 9.0.0.3 and earlier. An attacker can use this flaw to gain read-only access to unauthorized resources.

CVE-2020-3580: Cisco ASA/FTD XSS
This module looks for a reflected XSS vulnerability in Cisco ASA/FTD. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain.

CVE-2020-11110: Grafana XSS
There is an XSS vulnerability in Grafana before version 6.7.1. User interaction is required to trigger the XSS. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain.

CVE-2020-24701: OX Appsuite XSS
This module looks for a reflected XSS vulnerability in OX Appsuite before version 7.10.3. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain.

WooCommerce SQL Injection
This module looks for an SQL injection in WooCommerce. An attacker can use this flaw to read data stored in the database.

CVE-2021-22145: ElasticSearch Memory Disclosure
This module searches for a memory disclosure vulnerability in Elasticsearch’s error reporting. Attackers can read buffers which may contain sensitive information such as Elasticsearch authentication details.

CVE-2021-26475: EPrints 3.4.2 XSS
This module searches for a reflected XSS vulnerability in EPrints. EPrints 3.4.2 exposes a reflected XSS opportunity via a cgi/cal URI. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain.

CVE-2021-34429: Eclipse Jetty Path Traversal
Requests to a vulnerable application are able to access protected resources within the WEB-INF directory. The web.xml file could contain sensitive information about the implementation of the web application.

Hasura GraphQL Engine PostgreSQL Query Execution
This module tests for a command injection vulnerability in Hasura. If vulnerable, an attacker will be able to execute arbitrary commands on the application.
