AppSec News from the Web
- WebLogic vulnerability (CVE-2019-2527) gets a new in-the-wild exploit that drops a Monero miner. Remember, Waratek customers are protected! Read more…
- HackerOne reports that cross-site scripting is (still) the most commonly reported flaw in web apps. Read more…
- In the shadow of BlueKeep, the GoldBrute botnet is brute-forcing Internet-exposed RDP servers. Read more…
- Our friends at Rimini Street talk ERP security. Read more…
- Microsoft and Oracle join forces to create the most dynamic duo since Sears hooked up with K-Mart. Read more…
Waratek Blogs & Alerts
Customer CVE Alert for Week of June 10th, 2019
Below is a list of CVEs announced last week that the Waratek ARMR Platform protects against. The list is not a complete list of all CVEs issued; it covers only application-layer vulnerabilities. Customers with questions should contact their account manager or firstname.lastname@example.org. For more information on any of the CVEs below, see the MITRE CVE site.
Dates are dd/mm/yyyy.
NVD Disclaimer: The date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
| CVE | CWE | Vuln Type | Update Date | CVSS Score | Access Vector | Detail |
|---|---|---|---|---|---|---|
| CVE-2019-12601 | 89 | SQL Injection | 10/06/2019 | 7.5 | Remote | SuiteCRM 7.8.x before 7.8.30 |
| CVE-2019-12600 | 89 | SQL Injection | 10/06/2019 | 7.5 | Remote | SuiteCRM 7.8.x before 7.8.30 |
| CVE-2019-12599 | 89 | SQL Injection | 10/06/2019 | 7.5 | Remote | SuiteCRM 7.10.x before 7.10.17 and 7.11.x before 7.11.5 allows SQL injection. |
| CVE-2019-12598 | 89 | SQL Injection | 10/06/2019 | 7.5 | Remote | SuiteCRM 7.8.x before 7.8.30 |
| CVE-2019-9087 | 89 | SQL Injection | 09/06/2019 | 7.5 | Remote | HotelDruid before v2.3.1 has SQL injection via the /tab_tariffe.php numtariffa1 parameter. |
| CVE-2019-9086 | 89 | SQL Injection | 09/06/2019 | 7.5 | Remote | HotelDruid before v2.3.1 has SQL injection via the /visualizza_tabelle.php anno parameter. |
| CVE-2019-12196 | 89 | SQL Injection / Code Exec | 07/06/2019 | 7.5 | Remote | A SQL injection vulnerability in /client/api/json/v2/nfareports/compareReport in Zoho ManageEngine NetFlow Analyzer 12.3 allows attackers to execute arbitrary SQL commands via the DeviceID parameter. |
| CVE-2018-20091 | 89 | SQL Injection | 10/06/2019 | 6.5 | Remote | An SQL injection vulnerability was found in Cloudera Data Science Workbench (CDSW) 1.4.0 through 1.4.2. It allows any authenticated user to run arbitrary queries against CDSW's internal database. The database contains user contact information |
| CVE-2019-11517 | 352 | CSRF | 11/06/2019 | 5.8 | Remote | WampServer before 3.1.9 has CSRF in add_vhost.php because the synchronizer-token pattern implemented as remediation of CVE-2018-8817 was incomplete. An attacker could add or delete any vhost without the owner's consent. |
| CVE-2019-4219 | 200 | Unknown | 10/06/2019 | 5.0 | Remote | IBM Security Information Queue (ISIQ) 1.0.0 |
| CVE-2019-4162 | 20 | Unknown | 10/06/2019 | 5.0 | Remote | IBM Security Information Queue (ISIQ) 1.0.0 |
| CVE-2018-5798 | 79 | XSS | 10/06/2019 | 4.3 | Remote | Unspecified cross-site scripting vulnerability in Cloudera Manager. |
| CVE-2019-7554 | 79 | XSS | 10/06/2019 | 4.3 | Remote | PHP Scripts Mall API Based Travel Booking 3.4.7 has reflected XSS via the flight-results.php d2 parameter. |
| CVE-2019-7220 | 79 | XSS | 10/06/2019 | 4.3 | Remote | X-Cart V5 is vulnerable to XSS via the CategoryFilter2 parameter. |
| CVE-2019-4217 | 20 | Unknown | 10/06/2019 | 4.3 | Remote | IBM Security Information Queue (ISIQ) 1.0.0 |
| CVE-2018-8047 | 79 | XSS | 07/06/2019 | 4.3 | Remote | vtiger CRM 7.0.1 (and probably prior versions) has a reflected cross-site scripting (XSS) vulnerability that lets remote unauthenticated attackers inject arbitrary web script or HTML via index.php?module=Contacts&view=List (app parameter). |
| CVE-2019-12543 | 79 | XSS | 06/06/2019 | 4.3 | Remote | Zoho ManageEngine ServiceDesk Plus 9.3 has XSS via the PurchaseRequest.do serviceRequestId parameter. |
| CVE-2019-12542 | 79 | XSS | 06/06/2019 | 4.3 | Remote | Zoho ManageEngine ServiceDesk Plus 9.3 has XSS via the SearchN.do userConfigID parameter. |
| CVE-2019-12541 | 79 | XSS | 06/06/2019 | 4.3 | Remote | Zoho ManageEngine ServiceDesk Plus 9.3 has XSS via the SolutionSearch.do searchText parameter. |
| CVE-2019-12538 | 79 | XSS | 06/06/2019 | 4.3 | Remote | Zoho ManageEngine ServiceDesk Plus 9.3 has XSS via the SiteLookup.do search field. |
| CVE-2019-7553 | 79 | XSS | 09/06/2019 | 3.5 | Remote | PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has stored XSS in the Profile Update page via the My Name field. |
| CVE-2019-7552 | 79 | XSS | 09/06/2019 | 3.5 | Remote | PHP Scripts Mall Investment MLM Software 2.0.2 has stored XSS in the My Profile section, due to lack of sanitization in the Edit Name field. |
| CVE-2019-11226 | 79 | XSS | 05/06/2019 | 3.5 | Remote | CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News. |
| CVE-2019-12732 | 79 | XSS | 10/06/2019 | 2.6 | Remote | The Chartkick gem through 3.1.0 for Ruby allows XSS. |
| CVE-2019-4218 | 200 | Unknown | 10/06/2019 | 2.1 | Local | IBM Security Information Queue (ISIQ) 1.0.0 |
| CVE-2019-4161 | 200 | Unknown | 10/06/2019 | 2.1 | Local | IBM Security Information Queue (ISIQ) 1.0.0 |
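The CWE-89 rows above (HotelDruid's `anno` and `numtariffa1` parameters, ManageEngine's `DeviceID`, the SuiteCRM and CDSW entries) share one root cause: a request parameter is spliced into SQL text, so a value that was meant to be a number or a string becomes part of the query. The example below is added to this alert for illustration and is not code from any listed product or from Waratek. It models a HotelDruid-style "bookings for year" lookup against a constructed in-memory SQLite table (the schema, rows, and the function names `bookings_for_year_vulnerable` / `bookings_for_year_fixed` are all assumptions made for the demo) and shows the vulnerable concatenation next to the validated, parameterized version.

```python
import sqlite3

# Constructed sample data for the demo; it does not come from any real system.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE booking ("
        "id INTEGER PRIMARY KEY, anno INTEGER, guest TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO booking (anno, guest, card_last4) VALUES (?, ?, ?)",
        [(2018, "alice", "1111"), (2019, "bob", "2222"),
         (2019, "carol", "3333"), (2020, "dave", "4444")],
    )
    return conn


def bookings_for_year_vulnerable(conn, anno):
    # CWE-89: the request parameter is pasted straight into the SQL text.
    # Because the column is numeric the attacker needs no quote character;
    # "2019 OR 1=1" or "2019 UNION SELECT ..." is accepted as-is.
    sql = f"SELECT guest, card_last4 FROM booking WHERE anno = {anno}"
    return conn.execute(sql).fetchall()


def bookings_for_year_fixed(conn, anno):
    # Two independent layers: enforce the type/range the endpoint actually
    # expects, then bind the value as a parameter so the driver treats it as
    # data and never as SQL syntax.
    try:
        year = int(anno)
    except (TypeError, ValueError):
        raise ValueError("anno must be an integer")
    if not 1900 <= year <= 2100:
        raise ValueError("anno out of range")
    return conn.execute(
        "SELECT guest, card_last4 FROM booking WHERE anno = ?", (year,)
    ).fetchall()


def fixed_rejects(conn, anno):
    # True when the hardened endpoint refuses the input instead of running it.
    try:
        bookings_for_year_fixed(conn, anno)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = build_db()
    # Attacker-supplied values of the kind the advisories describe (constructed).
    boolean_payload = "2019 OR 1=1"
    union_payload = "2019 UNION SELECT name, sql FROM sqlite_master"
    print("legit   :", bookings_for_year_vulnerable(conn, "2019"))        # 2 rows
    print("OR 1=1  :", bookings_for_year_vulnerable(conn, boolean_payload))  # all 4 rows
    print("UNION   :", bookings_for_year_vulnerable(conn, union_payload))    # schema leaked
    print("fixed   :", bookings_for_year_fixed(conn, "2019"))              # 2 rows
    print("rejected:", fixed_rejects(conn, boolean_payload))               # True
```

The boolean payload turns the WHERE clause into `anno = 2019 OR 1=1` and returns every guest's card digits; the UNION payload appends a row from `sqlite_master`, which is how an attacker maps the schema before pulling the tables that matter. Parameter binding alone would already stop both, but the explicit `int()` cast is worth keeping: it rejects malformed input before any query runs and makes the endpoint's contract (a four-digit year) visible in code, which is the property a runtime protection layer such as ARMR is checking for when it flags a query whose structure changed under user input.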