The ARMR Report – Week of May 13, 2019

By Waratek, May 17, 2019 (updated May 20, 2019). Category: ARMR Reports

AppSec News from the Web

  • Ponemon released a research report detailing how much companies hate their Web Application Firewalls. With an average yearly cost of $620K and more than 45 hours a week spent processing alerts, we're not surprised.
  • A major accounting software provider took clients offline and caused a Twitter uproar. The cause is unknown, but this article reminds us why the software supply chain is so fragile. And why we need to make sure we pay our taxes on time.
  • Microsoft SharePoint vulnerability under active exploitation.

Waratek Blogs & Alerts

  • What is Java deserialization, and what are the challenges in securing it? Our Security Architect Apostolos takes a look in this informative blog post.

Customer CVE Alert for Week of May 13, 2019

Below is a list of CVEs that were announced last week which are protected by the Waratek ARMR Platform. This list is not comprehensive of all of the CVEs issued and only represents application vulnerabilities. Customers who have questions should contact their account manager; for more information on any of the CVEs below, please visit the MITRE site.

Dates are in dd/mm/yyyy format.
NVD Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

CVE | CWE | Vuln Type | Publish Date | Update Date | CVSS Score | Remotely Exploitable

CVE-2019-10111 | 121 | XSS | 15/05/2019 | 15/05/2019 | 0 | Not known
  An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8

CVE-2016-7043 | 490 | - | 15/05/2019 | 15/05/2019 | 0 | Not known
  It has been reported that KIE server and Business Central before version 7.21.0.Final contain username and password as plaintext Java properties. Any app deployed on the same server would have access to these properties.

An issue was discovered in Bilboplanet 2.0. Stored XSS exists in the fullname parameter to signup.php.

An issue was discovered in Bilboplanet 2.0. Stored XSS exists in the user_id parameter to signup.php.

An issue was discovered in Bilboplanet 2.0. There is a stored XSS vulnerability when adding a tag via the user/?page=tribes tags parameter.

CVE-2013-7285 | 497 | - | 15/05/2019 | 15/05/2019 | 0 | Not known
  XStream API versions up to 1.4.6 and version 1.4.10

CVE-2019-12099 | 9 | Exec Code | 14/05/2019 | 14/05/2019 | 0 | Not known
  In PHP-Fusion 9.03.00

/servlets/ajax_file_upload?fieldName=binary3 in dotCMS 5.1.1 allows XSS and HTML Injection.

CVE-2019-11397 | 90 | File Inclusion | 14/05/2019 | 14/05/2019 | 0 | Not known
  GetFile.aspx in Rapid4 RapidFlows Enterprise Application Builder 4.5M.23 (when used with .NET Framework 4.5) allows Local File Inclusion via the FileDesc parameter.

CVE-2019-11205 | 97 | XSS | 14/05/2019 | 14/05/2019 | 0 | Not known
  The web server component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace

CVE-2019-8923 | 143 | Sql | 14/05/2019 | 14/05/2019 | 0 | Not known
  XAMPP through 5.6.8 and previous allows SQL injection via the cds-fpdf.php jahr parameter. NOTE: This product is discontinued.

qdPM 9.1 suffers from Cross-site Scripting (XSS) via the configuration?type=[XSS] parameter.

qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter.

An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible to inject a JavaScript payload that will be stored in the database and then displayed and executed on the same page.

CVE-2019-0298 | 330 | XSS | 14/05/2019 | 14/05/2019 | 0 | Not known
  SAP E-Commerce (Business-to-Consumer) application does not sufficiently encode user-controlled inputs

CVE-2019-12047 | 13 | Exec Code XSS | 13/05/2019 | 13/05/2019 | 4.3 | Remote
  Gridea v0.8.0 has an XSS vulnerability through which the Node.js module can be called to achieve arbitrary code execution

The WaspThemes Visual CSS Style Editor (aka yellow-pencil-visual-theme-customizer) plugin before 7.2.1 for WordPress allows yp_option_update CSRF

CVE-2019-11680 | 57 | Exec Code | 13/05/2019 | 14/05/2019 | 7.5 | Remote
  KonaKart is vulnerable to Remote Code Execution by uploading a web shell as a product category image.

CVE-2019-11600 | 73 | Exec Code Sql | 13/05/2019 | 14/05/2019 | 6.8 | Remote
  A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access.

CVE-2019-11429 | 86 | XSS | 13/05/2019 | 15/05/2019 | 3.5 | Remote
  (aka CWP) CentOS Web Panel (Free/Open Source Version)

Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title

Multiple cross-site scripting (XSS) vulnerabilities in ProfileDesign CMS v6.0.2.5 allow remote attackers to inject arbitrary web script or HTML via the (1) page

Cross-site scripting (XSS) vulnerability in BIBLIOsoft BIBLIOpac 2008 allows remote attackers to inject arbitrary web script or HTML via the db or action parameter to bin/wxis.exe/bibliopac/.

CVE-2012-6652 | 498 | Dir. Trav. | 13/05/2019 | 13/05/2019 | 7.5 | Remote
  Directory traversal vulnerability in the pageflipbook.php script from index.php in the Page Flip Book plugin for WordPress (wppageflip) allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the pageflipbook_language parameter.

IBM Business Automation Workflow

IBM Financial Transaction Manager for Digital Payments for Multi-Platform 3.0.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 148944.

OX Software GmbH App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).

OpenMRS openmrs-module-htmlformentry 3.3.2 is affected by: (Improper Input Validation).

CVE-2019-0226 | 337 | Dir. Trav. | 09/05/2019 | 10/05/2019 | 5.5 | Remote
  Apache Karaf Config service provides an install method (via service or MBean) that could be used to traverse into any directory and overwrite existing files. The vulnerability is low if the Karaf process user has limited permission on the filesystem. Any Apache Karaf version before 4.2.5 is impacted. Users should upgrade to Apache Karaf 4.2.5 or later.

include/admin/Menu/Ajax.php in Typesetter 5.1 has index.php/Admin/Menu/Ajax?cmd=AddHidden title XSS.

A cross-site scripting (XSS) vulnerability in HumHub 1.3.12 allows remote attackers to inject arbitrary web script or HTML via a /protected/vendor/codeception/codeception/tests/data/app/view/index.php POST request.

Sonatype Nexus Repository Manager 2.x before 2.14.13 allows XSS.

CVE-2019-10869 | 116 | Exec Code | 07/05/2019 | 10/05/2019 | 6.8 | Remote
  Path Traversal and Unrestricted File Upload exist in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). This allows an attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka upload/submit page) name and tmp_name parameters.

IBM Cram Social Program Management 6.1.1

Author: Waratek

Some of the world’s leading companies use Waratek to patch, secure and upgrade their mission critical web applications using our next generation technology. Waratek makes it easy for security teams to instantly patch known Java and .NET flaws with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time consuming and expensive source code changes or unacceptable performance overhead.
