The ARMR Report – Week of May 27, 2019

By Waratek | May 31, 2019 | ARMR Reports

AppSec News from the Web

  • Netsparker talks frame injection via XSS
  • A Vulnerability in IBM WebSphere Application Server Could Allow for Remote Code Execution
  • First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records
  • In a first, Moody’s downgrades Equifax’s rating outlook due to cyberattack

Waratek Blogs & Alerts

  • Can Containerization be the Solution to Legacy Java Security Risk?

Customer CVE Alert for Weeks of May 20 and 27, 2019

Below is a list of CVEs announced in the last two weeks that are protected by the Waratek ARMR Platform. This list is not a comprehensive list of all CVEs issued; it covers application vulnerabilities only. Customers with questions should contact their account manager or support@waratek.com. For more information on any of the CVEs below, see the MITRE CVE site (cve.mitre.org).

Notes:
Dates are dd/mm/yyyy. The Update Date is the NVD entry date, not the date the flaw was found or fixed (see the disclaimer below).
NVD Disclaimer: The date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

CVE | CWE | Vuln Type | Update Date | CVSS Score | Remotely Exploitable | Detail
CVE-2019-7091 | 502 | Exec Code | 28/05/2019 | 10 | Remote | ColdFusion versions Update 1 and earlier
CVE-2019-4279 | 502 | Exec Code | 20/05/2019 | 10 | Remote | IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 160445.
CVE-2019-7816 | 434 | Exec Code Bypass | 28/05/2019 | 10 | Remote | ColdFusion versions Update 2 and earlier
CVE-2016-8898 | 89 | Sql | 28/05/2019 | 7.5 | Remote | Exponent CMS version 2.3.9 suffers from a sql injection vulnerability in framework/modules/ecommerce/controllers/cartController.php.
CVE-2019-10866 | 89 | Sql | 24/05/2019 | 7.5 | Remote | In the Form Maker plugin before 1.13.3 for WordPress
CVE-2016-8897 | 89 | Sql | 24/05/2019 | 7.5 | Remote | Exponent CMS version 2.3.9 suffers from a sql injection vulnerability in framework/modules/help/controllers/helpController.php.
CVE-2019-12279 | - | Sql | 22/05/2019 | 7.5 | Remote | Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form).
CVE-2018-17181 | 89 | Sql | 20/05/2019 | 7.5 | Remote | An issue was discovered in OpenEMR before 5.0.1 Patch 7. SQL Injection exists in the SaveAudit function in /portal/lib/paylib.php and the portalAudit function in /portal/lib/appsql.class.php.
CVE-2018-17179 | 89 | Sql | 20/05/2019 | 7.5 | Remote | An issue was discovered in OpenEMR before 5.0.1 Patch 7. There is SQL Injection in the make_task function in /interface/forms/eye_mag/php/taskman_functions.php via /interface/forms/eye_mag/taskman.php.
CVE-2019-10913 | 89 | Sql XSS | 17/05/2019 | 7.5 | Remote | In Symfony before 2.7.51
CVE-2017-17060 | 275 | - | 23/05/2019 | 7.5 | Remote | OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Insecure Permissions.
CVE-2019-4078 | 264 | Exec Code | 23/05/2019 | 7.2 | Local | IBM WebSphere MQ 8.0.0.0 through 8.0.0.9 and 9.0.0.0 through 9.1.1 could allow a local non privileged user to execute code as an administrator due to incorrect permissions set on MQ installation directories. IBM X-Force ID: 157190.
CVE-2016-10756 | 352 | CSRF | 28/05/2019 | 6.8 | Remote | Kliqqi 3.0.0.5 allows CSRF with resultant Arbitrary File Upload because module.php?module=upload can be used to configure the uploading of .php files
CVE-2016-10750 | - | Exec Code | 22/05/2019 | 6.8 | Remote | In Hazelcast before 3.11
CVE-2017-11738 | 89 | Sql | 27/05/2019 | 6.8 | Remote | In Zoho ManageEngine Application Manager 13.1 Build 13100
CVE-2019-5934 | 89 | Exec Code Sql | 20/05/2019 | 6.5 | Remote | SQL injection vulnerability in the Cybozu Garoon 4.0.0 to 4.10.0 allows attacker with administrator rights to execute arbitrary SQL commands via the Log Search function of application 'logging'.
CVE-2016-10754 | 89 | Sql | 29/05/2019 | 6.5 | Remote | modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.
CVE-2019-12251 | 89 | Sql | 21/05/2019 | 6.5 | Remote | sadmin/ceditpost.php in UCMS 1.4.7 allows SQL Injection via the index.php?do=sadmin_ceditpost cvalue parameter.
CVE-2019-12239 | 89 | Sql CSRF | 21/05/2019 | 6.5 | Remote | The WP Booking System plugin 1.5.1 for WordPress has no CSRF protection
CVE-2019-12253 | 352 | CSRF | 21/05/2019 | 5.8 | Remote | my little forum before 2.4.20 allows CSRF to delete posts
CVE-2019-5936 | 22 | Dir. Trav. | 20/05/2019 | 5.5 | Remote | Directory traversal vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to obtain files without access privileges via the application 'Work Flow'.
CVE-2018-17180 | 22 | Dir. Trav. | 20/05/2019 | 5 | Remote | An issue was discovered in OpenEMR before 5.0.1 Patch 7. Directory Traversal exists via docid=../ to /portal/lib/download_template.php.
CVE-2019-11231 | - | Dir. Trav. Bypass +Info CSRF | 22/05/2019 | 5 | Remote | An issue was discovered in GetSimple CMS through 3.3.15. Insufficient input sanitation in the theme-edit.php file allows upload of files with arbitrary content (PHP code
CVE-2019-0982 | 19 | DoS | 20/05/2019 | 5 | Remote | A denial of service vulnerability exists when ASP.NET Core improperly handles web requests
CVE-2019-0981 | 19 | DoS | 22/05/2019 | 5 | Remote | A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests
CVE-2019-0980 | 19 | DoS | 22/05/2019 | 5 | Remote | A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests
CVE-2019-0820 | 20 | DoS | 22/05/2019 | 5 | Remote | A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings
CVE-2017-11559 | 89 | Sql | 24/05/2019 | 5 | Remote | An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack.
CVE-2018-17048 | 89 | Sql | 17/05/2019 | 5 | Remote | admin/Lib/Action/FpluginAction.class.php in FDCMS (aka Fangfa Content Manage System) 4.2 allows SQL Injection.
CVE-2019-7129 | 79 | XSS | 29/05/2019 | 4.3 | Remote | Adobe Experience Manager Forms versions 6.2
CVE-2019-4137 | 79 | XSS | 29/05/2019 | 4.3 | Remote | IBM Tivoli Storage Productivity Center 5.2.13 through 5.3.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158333.
CVE-2019-12362 | 79 | XSS | 28/05/2019 | 4.3 | Remote | EmpireCMS 7.5.0 has XSS via the HTTP Referer header to e/member/doaction.php.
CVE-2019-12345 | 79 | XSS | 28/05/2019 | 4.3 | Remote | XSS exists in the Kiboko Hostel plugin before 1.1.4 for WordPress.
CVE-2019-10685 | 79 | XSS | 28/05/2019 | 4.3 | Remote | A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Heidelberg Prinect Archiver v2013 release 1.0.
CVE-2019-7092 | 79 | XSS | 28/05/2019 | 4.3 | Remote | ColdFusion versions Update 1 and earlier
CVE-2018-12624 | 79 | XSS | 28/05/2019 | 4.3 | Remote | An issue was discovered in Eventum 3.5.0. /htdocs/post_note.php has XSS via the garlic_prefix parameter.
CVE-2016-10245 | 79 | XSS | 29/05/2019 | 4.3 | Remote | Insufficient sanitization of the query parameter in templates/html/search_opensearch.php could lead to reflected cross-site scripting or iframe injection.
CVE-2017-15030 | 79 | XSS | 23/05/2019 | 4.3 | Remote | Open-Xchange GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).
CVE-2017-11739 | 79 | XSS | 27/05/2019 | 4.3 | Remote | In Zoho ManageEngine Application Manager 13.1 Build 13100
CVE-2017-5213 | 79 | XSS | 23/05/2019 | 4.3 | Remote | Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Cross Site Scripting (XSS).
CVE-2019-3402 | - | XSS | 22/05/2019 | 4.3 | Remote | The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter.
CVE-2017-9808 | - | XSS | 22/05/2019 | 4.3 | Remote | OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).
CVE-2017-5864 | - | XSS | 22/05/2019 | 4.3 | Remote | Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Cross Site Scripting (XSS).
CVE-2019-12250 | 79 | XSS | 21/05/2019 | 4.3 | Remote | IdentityServer IdentityServer4 through 2.4 has stored XSS via the httpContext to the host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext method
CVE-2019-11809 | 79 | XSS | 20/05/2019 | 4.3 | Remote | An issue was discovered in Joomla! before 3.9.6. The debug views of com_users do not properly escape user supplied data
CVE-2019-10078 | 79 | XSS | 22/05/2019 | 4.3 | Remote | A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3
CVE-2019-10077 | 79 | XSS | 22/05/2019 | 4.3 | Remote | A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3
CVE-2019-10076 | 79 | XSS | 22/05/2019 | 4.3 | Remote | A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3
CVE-2019-8937 | 79 | XSS | 17/05/2019 | 4.3 | Remote | HotelDruid 2.3.0 has XSS affecting the nsextt
CVE-2019-8929 | 79 | XSS | 17/05/2019 | 4.3 | Remote | An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/selectDevice.jsp file in these GET parameters: param and rtype.
CVE-2019-8928 | 79 | XSS | 17/05/2019 | 4.3 | Remote | An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in /netflow/jspui/userManagementForm.jsp via these GET parameters: authMeth
CVE-2019-8927 | 79 | XSS | 17/05/2019 | 4.3 | Remote | An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/scheduleConfig.jsp file via these GET parameters: devSrc
CVE-2019-8926 | 79 | XSS | 17/05/2019 | 4.3 | Remote | An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/popup1.jsp file via these GET parameters: bussAlert
CVE-2019-5940 | 79 | XSS | 17/05/2019 | 4.3 | Remote | Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 allows remote attackers to inject arbitrary web script or HTML via the application 'Scheduler'.
CVE-2019-5939 | 79 | XSS | 17/05/2019 | 4.3 | Remote | Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 allows remote attackers to inject arbitrary web script or HTML via the application 'Portal'.
CVE-2019-5938 | 79 | XSS | 17/05/2019 | 4.3 | Remote | Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 allows remote attackers to inject arbitrary web script or HTML via the application 'Mail'.
CVE-2019-5929 | 79 | XSS | 17/05/2019 | 4.3 | Remote | Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.6.3 allows remote attackers to inject arbitrary web script or HTML via the application 'Memo'.
CVE-2019-5928 | 79 | XSS | 17/05/2019 | 4.3 | Remote | Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.6.3 allows remote attackers to inject arbitrary web script or HTML via Customize Item function.
CVE-2019-11033 | 79 | XSS | 17/05/2019 | 4.3 | Remote | Applaud HCM 4.0.42+ uses HTML tag fields for HTML inputs in a form. This leads to an XSS vulnerability with a payload starting with the <iframe./> substring.
CVE-2019-12361 | 79 | XSS CSRF | 28/05/2019 | 4.3 | Remote | EmpireCMS 7.5.0 has XSS via the from parameter to e/member/doaction.php
CVE-2019-8346 | 79 | XSS CSRF | 29/05/2019 | 4.3 | Remote | In Zoho ManageEngine ADSelfService Plus 5.x through 5704
CVE-2019-0201 | 275 | - | 24/05/2019 | 4.3 | Remote | An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when it retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence
CVE-2019-12309 | 22 | Dir. Trav. | 24/05/2019 | 4 | Remote | dotCMS before 5.1.0 has a path traversal vulnerability exploitable by an administrator to create files. The vulnerability is caused by the insecure extraction of a ZIP archive.
CVE-2016-10755 | 89 | Sql | 29/05/2019 | 4 | Remote | AbanteCart 1.2.8 allows SQL Injection via the source_language parameter to admin/controller/pages/localisation/language.php and core/lib/language_manager.php
CVE-2019-4184 | 79 | XSS | 29/05/2019 | 3.5 | Remote | IBM Jazz Reporting Service 6.0 through 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158974.
CVE-2019-4139 | 79 | XSS | 29/05/2019 | 3.5 | Remote | IBM Cognos Analytics 11.0
CVE-2017-17061 | 79 | XSS | 23/05/2019 | 3.5 | Remote | OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).
CVE-2017-13668 | 79 | XSS | 23/05/2019 | 3.5 | Remote | OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).
CVE-2017-11560 | 79 | XSS | 24/05/2019 | 3.5 | Remote | An issue was discovered in ZOHO ManageEngine OpManager 12.2. By adding a Google Map to the application
CVE-2019-12190 | 79 | XSS | 21/05/2019 | 3.5 | Remote | XSS was discovered in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.747 via the testacc/fileManager2.php fm_current_dir or filename parameter.
CVE-2019-10067 | 79 | XSS | 22/05/2019 | 3.5 | Remote | An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context of OTRS.
CVE-2019-10066 | 79 | XSS | 22/05/2019 | 3.5 | Remote | An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6
CVE-2019-5947 | 79 | XSS | 17/05/2019 | 3.5 | Remote | Cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 4.10.1 allows remote authenticated attackers to inject arbitrary web script or HTML via the application 'Cabinet'.
CVE-2019-5937 | 79 | XSS | 17/05/2019 | 3.5 | Remote | Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to inject arbitrary web script or HTML via the user information.
CVE-2019-5932 | 79 | XSS | 17/05/2019 | 3.5 | Remote | Cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 4.6.3 allows remote authenticated attackers to inject arbitrary web script or HTML via the application 'Portal'.
CVE-2019-10909 | 79 | XSS | 20/05/2019 | 3.5 | Remote | In Symfony before 2.7.51
CVE-2019-0979 | 79 | XSS | 20/05/2019 | 3.5 | Remote | A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server and Team Foundation Server do not properly sanitize user provided input
CVE-2019-0963 | 79 | XSS | 17/05/2019 | 3.5 | Remote | A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server
CVE-2019-0872 | 79 | XSS | 20/05/2019 | 3.5 | Remote | A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server and Team Foundation Server do not properly sanitize user provided input
CVE-2018-1975 | 79 | XSS | 21/05/2019 | 3.5 | Remote | IBM Rational DOORS Web Access 9.5.1 through 9.5.2.9
CVE-2019-4039 | 532 | DoS | 23/05/2019 | 2.1 | Local | IBM WebSphere MQ 8.0.0.0 through 8.0.0.9 and 9.0.0.0 through 9.1.1 could allow a local attacker to cause a denial of service within the error log reporting system. IBM X-Force ID: 156163.
CVE-2019-0864 | 119 | DoS Overflow | 20/05/2019 | 2.1 | Local | A denial of service vulnerability exists when .NET Framework improperly handles objects in heap memory
CVE-2018-18631 | - | XSS | 29/05/2019 | 0 | Not known | mailboxd component in Synacor Zimbra Collaboration Suite 8.6
CVE-2018-14013 | - | XSS | 29/05/2019 | 0 | Not known | Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 has XSS in the AJAX and html web clients.
CVE-2019-0188 | - | - | 28/05/2019 | 0 | Not known | Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component
CVE-2018-17198 | - | - | 29/05/2019 | 0 | Not known | Server-side Request Forgery (SSRF) and File Enumeration vulnerability in Apache Roller 5.2.1
CVE-2019-6513 | - | - | 21/05/2019 | 0 | Not known | An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload

Author: Waratek

Some of the world’s leading companies use Waratek to patch, secure and upgrade their mission critical web applications using our next generation technology. Waratek makes it easy for security teams to instantly patch known Java and .NET flaws with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time consuming and expensive source code changes or unacceptable performance overhead.
