62 matches found
WordPress Ultimate Category Excluder plugin <= 1.1 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability found by SCA AppSec Checkmarx in WordPress Ultimate Category Excluder plugin versions = 1.1. Solution Update the WordPress Ultimate Category Excluder plugin to the latest available version at least 1.2...
GHSA-4Q96-6XHQ-FF43 malicious SVG attachment causing stored XSS vulnerability
Impact An attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Patches Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 ha...
What’s New in InsightAppSec and tCell: Q3 2020 in Review
Here at Rapid7, we’ve been quite busy continuously improving, expanding functionality, and testing new features for feedback with our customers across our application security portfolio. This includes InsightAppSec, our leading DAST solution, tCell by Rapid7, our next-gen cloud WAF and RASP...
CVE-2020-14729
The CVE-2020-14729 issue affects the SuiteCommerce Advanced (SCA) Sites component of Oracle NetSuite . Affected are versions before 2020.1.4. The vulnerability allegedly allows a low-privileged attacker with network access over HTTP to compromise NetSuite SCA, leading to unauthorized creation, de...
CVE-2020-14728
CVE-2020-14728 affects Oracle NetSuite SuiteCommerce Advanced (SCA). Affected SCA versions include Montblanc, Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, 2019.1, 2019.2. The vulnerability is exposed via HTTP with network access, with low privileges and requires UI interaction. Root cause deta...
CVE-2014-2228
The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages...
Deserialization of untrusted data
The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages...
CVE-2014-2228
The CVE-2014-2228 issue affects the XStream extension in HP Fortify SCA prior to version 2.2 RC3, where unsafe deserialization of XML messages allows remote attackers to execute arbitrary code. The affected component is the XStream extension, with the root cause described as unsafe XML deserializ...
CVE-2014-2228
The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages...
CVE-2017-1198
CVE-2017-1198 affects IBM BigFix Compliance 1.7–1.9.91 (TEMA SUAv1 SCA SCM). The underlying issue is that sensitive information is stored in URL parameters, enabling potential information disclosure if URLs are exposed in server logs, referrer headers, or browser history. The NVD entry notes expl...
CVE-2017-1202
CVE-2017-1202 affects IBM BigFix Compliance 1.7–1.9.91 (TEMA SUAv1 SCA SCM). The vulnerability is HTML injection that could allow a remote attacker to inject HTML code, which would execute in the victim’s browser within the hosting site’s security context when viewed. No exploitation details or p...
Qualys Cloud Platform (VM, SCA, PC) 8.14 New Features
This new release of the Qualys Cloud Platform VM, SCA, PC, version 8.14, includes several new feature improvements across the apps such as Wallix AdminBastion support, EC2 scan improvements, VM reporting improvements, ESX/ESXi PC support for vCenter, PC STIG Report, and expanded technology suppor...
Security Bulletin: Incorrect SSL protocol variant in SCA HTTP binding affecting WebSphere Enterprise Service Bus, WebSphere Process Server and IBM Business Process Manager Advanced (CVE-2014-6176)
Summary The HTTP import binding in an SCA module can be configured with a reference to a SSL configuration that exists on the application server. The HTTP binding uses always the SSLv3 protocol variant regardless of the SSL protocol setting in the referenced SSL configuration. Vulnerability Detai...
New multiOverflow Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-10706)
Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities batchOverflow, proxyOverflow, transferFlaw, ownerAnyone. Some of them could be used by attackers to generate tokens out of nowhere while others can be used to steal tokens from...
CVE-2018-10706
An integer overflow in the transferMulti function of a smart contract implementation for Social Chain SCA, an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets, aka the "multiOverflow" issue...
Qualys Cloud Platform (VM, PC) 8.13 New Features
This new release of the Qualys Cloud Platform VM, PC, version 8.13, includes several new feature improvements across the apps such as the ability to test authentication records, as well as improvements to UDC’s and report options in Qualys Policy Compliance. Feature Highlights Qualys Cloud Platfo...
CVE-2017-1196
IBM BigFix Compliance (TEMA SUAv1 SCA SCM) 1.9.70 is affected by a weak default password policy (CVE-2017-1196). The issue, documented across multiple sources (NVD/Nessus/CNVD), states that the product does not require strong passwords by default, enabling an attacker to compromise user accounts ...
Code injection
IBM WebSphere Process Server 7.0, WebSphere Enterprise Service Bus 7.0, and Business Process Manager Advanced 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.5 disregard the SSL setting in the SCA module HTTP import binding and unconditionally select the SSLv3 protocol, which...
IBM WebSphere Application Server Feature Pack for SCA安全绕过漏洞
IBM WebSphere Application Server是一款商业性质的WEB应用服务程序。 IBM WebSphere Application Server Feature Pack for SCA存在一个未明错误,没有被指派为scaAllAuthorizedUsers角色的恶意用户可绕过验证,获得对系统的访问。 IBM WebSphere Application Server Feature Pack for Service Component Architecture SCA 1.x 厂商解决方案 用户可联系供应商获得IBM WebSphere Application...
CVE-2009-0906
The Service Component Architecture SCA feature pack for IBM WebSphere Application Server WAS SCA 1.0 before 1.0.0.3 allows remote authenticated users to bypass intended authentication.transport access restrictions and obtain unspecified access via unknown vectors...