The ARMR Report – Week of June 10th, 2019

By June 12, 2019 June 19th, 2019 ARMR Reports

AppSec News from the Web

  • WebLogic vulnerability (CVE-2019-2527) gets a new exploit with Monero. Remember, Waratek customers are protected! Read more….
  • HackerOne reports that cross-site scripting is (still) the most common flaw in web apps. Read more….
  • Bluekeep gets GoldBrute botnet. Read more….

Partner Perspectives:

  • Our friends at Rimini Street talk ERP security. Read more…
  • Microsoft and Oracle join forces to create the most dynamic duo since Sears hooked up with K-Mart. Read more….

Waratek Blogs & Alerts

  • Waratek’s Dr. John Holt on the recent Georgia Tech breach and the risks in HigherEd. Read more….
  • The Digital Enterprise interviews Waratek CEO, John Adams. Read more… 
  • BBB National Programs Podcast with Waratek CTO, John Matthew Holt looks at the ABC of Cyber Security. Listen here…

Customer CVE Alert for Week of June 10th, 2019

Below is a list of CV’s that were announced last week which are protected by the Waratek ARMR Platform. This list is not comprehensive of all of the CVEs issued and only represents application vulnerabilities. For customers that have questions, please contact your account manager or support@waratek.com. If you want more information on any of the CVE’s below, please visit the Mitre site here.

Notes:
Dates are dd/mm.
NVD Disclaimer: The date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

CVECWEVuln TypeUpdate DateCVSS ScoreRemotely ExploitableDetail
CVE-2019-1260189Sql10/06/20197.5RemoteSuiteCRM 7.8.x before 7.8.30
CVE-2019-1260089Sql10/06/20197.5RemoteSuiteCRM 7.8.x before 7.8.30
CVE-2019-1259989Sql10/06/20197.5RemoteSuiteCRM 7.10.x before 7.10.17 and 7.11.x before 7.11.5 allows SQL Injection.
CVE-2019-1259889Sql10/06/20197.5RemoteSuiteCRM 7.8.x before 7.8.30
CVE-2019-908789Sql09/06/20197.5RemoteHotelDruid before v2.3.1 has SQL Injection via the /tab_tariffe.php numtariffa1 parameter.
CVE-2019-908689Sql09/06/20197.5RemoteHotelDruid before v2.3.1 has SQL Injection via the /visualizza_tabelle.php anno parameter.
CVE-2019-1219689Exec Code Sql07/06/20197.5RemoteA SQL injection vulnerability in /client/api/json/v2/nfareports/compareReport in Zoho ManageEngine NetFlow Analyzer 12.3 allows attackers to execute arbitrary SQL commands via the DeviceID parameter.
CVE-2018-2009189Sql10/06/20196.5RemoteAn SQL injection vulnerability was found in Cloudera Data Science Workbench (CDSW) 1.4.0 through 1.4.2. This would allow any authenticated user to run arbitrary queries against CDSW's internal database. The database contains user contact information
CVE-2019-11517352CSRF11/06/20195.8RemoteWampServer before 3.1.9 has CSRF in add_vhost.php because the synchronizer pattern implemented as remediation of CVE-2018-8817 was incomplete. An attacker could add/delete any vhosts without the consent of the owner.
CVE-2019-4219200Unknown10/06/20195RemoteIBM Security Information Queue (ISIQ) 1.0.0
CVE-2019-416220Unknown10/06/20195RemoteIBM Security Information Queue (ISIQ) 1.0.0
CVE-2018-579879XSS10/06/20194.3RemoteThis CVE relates to an unspecified cross site scripting vulnerability in Cloudera Manager.
CVE-2019-755479XSS10/06/20194.3RemoteAn issue was discovered in PHP Scripts Mall API Based Travel Booking 3.4.7. There is Reflected XSS via the flight-results.php d2 parameter.
CVE-2019-722079XSS10/06/20194.3RemoteX-Cart V5 is vulnerable to XSS via the CategoryFilter2 parameter.
CVE-2019-421720Unknown10/06/20194.3RemoteIBM Security Information Queue (ISIQ) 1.0.0
CVE-2018-804779XSS07/06/20194.3Remotevtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via index.php?module=Contacts&view=List (app parameter).
CVE-2019-1254379XSS06/06/20194.3RemoteAn issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.
CVE-2019-1254279XSS06/06/20194.3RemoteAn issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.
CVE-2019-1254179XSS06/06/20194.3RemoteAn issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.
CVE-2019-1253879XSS06/06/20194.3RemoteAn issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field.
CVE-2019-407079XSS10/06/20193.5RemoteIBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 157015.
CVE-2019-755379XSS09/06/20193.5RemotePHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has Stored XSS in the Profile Update page via the My Name field.
CVE-2019-755279XSS09/06/20193.5RemoteAn issue was discovered in PHP Scripts Mall Investment MLM Software 2.0.2. Stored XSS was found in the the My Profile Section. This is due to lack of sanitization in the Edit Name section.
CVE-2019-1122679XSS05/06/20193.5RemoteCMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News.
CVE-2019-1273279XSS10/06/20192.6RemoteThe Chartkick gem through 3.1.0 for Ruby allows XSS.
CVE-2019-4218200Unknown10/06/20192.1LocalIBM Security Information Queue (ISIQ) 1.0.0
CVE-2019-4161200Unknown10/06/20192.1LocalIBM Security Information Queue (ISIQ) 1.0.0
Waratek

Author Waratek

Some of the world’s leading companies use Waratek to patch, secure and upgrade their mission critical web applications using our next generation technology. Waratek makes it easy for security teams to instantly patch known Java and .NET flaws with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time consuming and expensive source code changes or unacceptable performance overhead.

More posts by Waratek
X