The ARMR Report – Week of June 10th, 2019

By Waratek | June 12, 2019 (June 19th, 2019) | ARMR Reports

AppSec News from the Web

  • WebLogic vulnerability (CVE-2019-2527) gets a new exploit with Monero. Remember, Waratek customers are protected! Read more…
  • HackerOne reports that cross-site scripting is (still) the most common flaw in web apps. Read more…
  • Bluekeep gets GoldBrute botnet. Read more…

Partner Perspectives:

  • Our friends at Rimini Street talk ERP security. Read more…
  • Microsoft and Oracle join forces to create the most dynamic duo since Sears hooked up with K-Mart. Read more…

Waratek Blogs & Alerts

  • Waratek’s Dr. John Holt on the recent Georgia Tech breach and the risks in HigherEd. Read more…
  • The Digital Enterprise interviews Waratek CEO, John Adams. Read more…
  • BBB National Programs Podcast with Waratek CTO, John Matthew Holt looks at the ABC of Cyber Security. Listen here…

Customer CVE Alert for Week of June 10th, 2019

Below is a list of CVEs that were announced last week which are protected by the Waratek ARMR Platform. This list is not comprehensive of all of the CVEs issued and only represents application vulnerabilities. Customers that have questions should contact their account manager or support@waratek.com. If you want more information on any of the CVEs below, please visit the Mitre site here.

Notes:
Dates are in dd/mm/yyyy format.
NVD Disclaimer: The date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

| CVE | CWE | Vuln Type | Update Date | CVSS Score | Remotely Exploitable | Detail |
|---|---|---|---|---|---|---|
| CVE-2019-12601 | 89 | SQL | 10/06/2019 | 7.5 | Remote | SuiteCRM 7.8.x before 7.8.30 |
| CVE-2019-12600 | 89 | SQL | 10/06/2019 | 7.5 | Remote | SuiteCRM 7.8.x before 7.8.30 |
| CVE-2019-12599 | 89 | SQL | 10/06/2019 | 7.5 | Remote | SuiteCRM 7.10.x before 7.10.17 and 7.11.x before 7.11.5 allows SQL Injection. |
| CVE-2019-12598 | 89 | SQL | 10/06/2019 | 7.5 | Remote | SuiteCRM 7.8.x before 7.8.30 |
| CVE-2019-9087 | 89 | SQL | 09/06/2019 | 7.5 | Remote | HotelDruid before v2.3.1 has SQL Injection via the /tab_tariffe.php numtariffa1 parameter. |
| CVE-2019-9086 | 89 | SQL | 09/06/2019 | 7.5 | Remote | HotelDruid before v2.3.1 has SQL Injection via the /visualizza_tabelle.php anno parameter. |
| CVE-2019-12196 | 89 | Exec Code, SQL | 07/06/2019 | 7.5 | Remote | A SQL injection vulnerability in /client/api/json/v2/nfareports/compareReport in Zoho ManageEngine NetFlow Analyzer 12.3 allows attackers to execute arbitrary SQL commands via the DeviceID parameter. |
| CVE-2018-20091 | 89 | SQL | 10/06/2019 | 6.5 | Remote | An SQL injection vulnerability was found in Cloudera Data Science Workbench (CDSW) 1.4.0 through 1.4.2. This would allow any authenticated user to run arbitrary queries against CDSW's internal database. The database contains user contact information |
| CVE-2019-11517 | 352 | CSRF | 11/06/2019 | 5.8 | Remote | WampServer before 3.1.9 has CSRF in add_vhost.php because the synchronizer pattern implemented as remediation of CVE-2018-8817 was incomplete. An attacker could add/delete any vhosts without the consent of the owner. |
| CVE-2019-4219 | 200 | Unknown | 10/06/2019 | 5 | Remote | IBM Security Information Queue (ISIQ) 1.0.0 |
| CVE-2019-4162 | 20 | Unknown | 10/06/2019 | 5 | Remote | IBM Security Information Queue (ISIQ) 1.0.0 |
| CVE-2018-5798 | 79 | XSS | 10/06/2019 | 4.3 | Remote | This CVE relates to an unspecified cross-site scripting vulnerability in Cloudera Manager. |
| CVE-2019-7554 | 79 | XSS | 10/06/2019 | 4.3 | Remote | An issue was discovered in PHP Scripts Mall API Based Travel Booking 3.4.7. There is Reflected XSS via the flight-results.php d2 parameter. |
| CVE-2019-7220 | 79 | XSS | 10/06/2019 | 4.3 | Remote | X-Cart V5 is vulnerable to XSS via the CategoryFilter2 parameter. |
| CVE-2019-4217 | 20 | Unknown | 10/06/2019 | 4.3 | Remote | IBM Security Information Queue (ISIQ) 1.0.0 |
| CVE-2018-8047 | 79 | XSS | 07/06/2019 | 4.3 | Remote | vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via index.php?module=Contacts&view=List (app parameter). |
| CVE-2019-12543 | 79 | XSS | 06/06/2019 | 4.3 | Remote | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter. |
| CVE-2019-12542 | 79 | XSS | 06/06/2019 | 4.3 | Remote | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter. |
| CVE-2019-12541 | 79 | XSS | 06/06/2019 | 4.3 | Remote | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter. |
| CVE-2019-12538 | 79 | XSS | 06/06/2019 | 4.3 | Remote | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field. |
| CVE-2019-4070 | 79 | XSS | 10/06/2019 | 3.5 | Remote | IBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 157015. |
| CVE-2019-7553 | 79 | XSS | 09/06/2019 | 3.5 | Remote | PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has Stored XSS in the Profile Update page via the My Name field. |
| CVE-2019-7552 | 79 | XSS | 09/06/2019 | 3.5 | Remote | An issue was discovered in PHP Scripts Mall Investment MLM Software 2.0.2. Stored XSS was found in the My Profile section. This is due to lack of sanitization in the Edit Name section. |
| CVE-2019-11226 | 79 | XSS | 05/06/2019 | 3.5 | Remote | CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News. |
| CVE-2019-12732 | 79 | XSS | 10/06/2019 | 2.6 | Remote | The Chartkick gem through 3.1.0 for Ruby allows XSS. |
| CVE-2019-4218 | 200 | Unknown | 10/06/2019 | 2.1 | Local | IBM Security Information Queue (ISIQ) 1.0.0 |
| CVE-2019-4161 | 200 | Unknown | 10/06/2019 | 2.1 | Local | IBM Security Information Queue (ISIQ) 1.0.0 |
Author: Waratek